I’ve long admired the work of Dr. Anton Chuvakin, head of solution strategy at Google Chronicle. Anton really knows security analytics and operations, so now that he’s no longer a Gartner analyst, it was great to have him participate in the SOAPA video series. In part 1, Anton and I discuss:
- Detection as code. In a recent blog, Anton proposes “detection as code.” The idea is that you “devops” your detections, treating them like software so they keep pace with threats and improve continuously. This is an intriguing concept that may be especially useful for large organizations in specific industries under attack. We have focused industry ISACs; why not focused industry detection code?
- SOC nuclear triad progression. Anton’s nuclear triad concept combines logs (SIEM), endpoint telemetry (EDR), and network traffic analysis (NTA/NDR) into a SOC architecture like ESG’s SOAPA. In an era where everything runs on software, Anton believes the triad may be supplemented with specific application visibility telemetry in the future.
- New data sources. Anton believes that deeper application visibility is the biggest missing link in security analytics today, but perhaps we’ll add more logging sources as well. We both anticipate more use of deception technology as a new telemetry source, in an auxiliary role.
- XDR. My colleague Dave Gruber and I are knee-deep in research in this area, but I wanted to ask an old hand like Anton what he thinks about this new trend. In the past, Anton had a log-centric view of SOC technology, but he is now open to an endpoint-oriented architecture à la XDR. In the short term, XDR must coexist with SIEM, but the two models are on a collision course.
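To make the “detection as code” item above concrete, here is an added example (my own illustration, not code from Anton’s blog or from Google Chronicle) of what it looks like to treat a detection like software: the rule ships with its own true-positive and true-negative sample events, a CI gate runs those tests on every commit, and only a passing rule gets deployed. The rule, the event schema, and the sample events are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]  # a flattened EDR-style process-start record (assumed schema)

@dataclass
class Detection:
    """A detection rule plus the sample events that prove it still works."""
    name: str
    version: str                      # bumped like any code change; history lives in git
    logic: Callable[[Event], bool]
    true_positives: List[Event] = field(default_factory=list)  # must alert
    true_negatives: List[Event] = field(default_factory=list)  # must stay quiet

    def self_test(self) -> List[Tuple[str, Event]]:
        """Return failures; an empty list means the rule may be shipped."""
        failures: List[Tuple[str, Event]] = []
        failures += [("missed", ev) for ev in self.true_positives if not self.logic(ev)]
        failures += [("false_positive", ev) for ev in self.true_negatives if self.logic(ev)]
        return failures

# Constructed sample values, not real telemetry.
WEB_SERVERS = {"nginx", "apache2", "httpd"}
SHELLS = {"sh", "bash", "dash"}

def web_server_spawns_shell(ev: Event) -> bool:
    """Classic web-server compromise indicator: a web server process starts a shell."""
    return ev.get("parent") in WEB_SERVERS and ev.get("process") in SHELLS

WEB_SHELL_RULE = Detection(
    name="web_server_spawns_shell",
    version="1.1.0",
    logic=web_server_spawns_shell,
    true_positives=[{"host": "web01", "parent": "nginx", "process": "sh"}],
    true_negatives=[
        {"host": "web01", "parent": "nginx", "process": "php-fpm"},   # normal worker
        {"host": "build01", "parent": "jenkins", "process": "bash"},  # shell, wrong parent
    ],
)

def ci_gate(rules: List[Detection]) -> Dict[str, List[Tuple[str, Event]]]:
    """What a CI job runs on every commit: rule name -> failures, for failing rules only."""
    report = {}
    for rule in rules:
        failures = rule.self_test()
        if failures:
            report[rule.name] = failures
    return report

def run_detections(rules: List[Detection], events: List[Event]) -> List[Tuple[str, str]]:
    """Apply shipped rules to a batch of events; returns (rule name, host) alerts."""
    return [(r.name, ev.get("host", "?")) for ev in events for r in rules if r.logic(ev)]
```

An empty dict from `ci_gate` is the merge gate passing; a regression in the rule shows up as a named failure before it ever reaches the SIEM.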
Dr. Chuvakin and I have lived in the same neighborhood for years, so it’s great to finally spend some time together. More from Anton on SOAPA and Google Chronicle in part 2 of our video soon.