
The Right Roles for SIEM and EDR

Hosted by

Sam Curry - Chief Security Officer, Cybereason

Tom Field - SVP Editorial, Information Security Media Group

Agenda

3:30pm - Introductions and Opening Remarks

3:45pm - Roundtable Discussion

4:45pm - Closing Remarks and Questions

5:00pm - Program Concludes

Executive Roundtable Series

Sponsored by Cybereason


Introduction

Cybersecurity leaders know that if they haven’t already, they need to get into the incident response and threat hunting business with a Security Operations Center. Still, many are uncertain about how to do so with little risk, high efficiency and with confidence in a safer future for the IT stack. In particular, the wisdom of “just get a SIEM” rings hollow, and the current wave of hype around EDR is leading to cognitive dissonance.

What are the complementary uses of SIEM and EDR technologies? What are the unique use cases for each, and how can they coexist without either being thrown out or used incorrectly? Ultimately, what is an autonomous SOC?

This exclusive executive roundtable on The Right Roles for SIEM and EDR will provide answers to these and other important questions.

Guided by insights from Sam Curry, chief security officer at event sponsor Cybereason, this invitation-only virtual roundtable will also draw upon the experiences of the attendees. Attendees will learn the essential components of a successful strategy to address complementary roles for SIEM and EDR and create a truly autonomous SOC.

Among the discussion topics:

• What are the qualities of an autonomous SOC?

• What are the unique use cases both for SIEM and EDR?

• How can they be optimized in a complementary fashion?

• What role does security orchestration, automation and response play?

You’ll have the opportunity to discuss SOC strategies with a handful of senior executives and market leaders in an informal, closed-door setting, from which you will emerge with new strategies and solutions you can immediately put to work.

The Right Roles for SIEM and EDR 2


Discussion Points

Among the questions to be presented for open discourse:

• What are the foundations of your incident response and threat hunting operations?

• Do you have either or both: SIEM and EDR?

• How do you currently use these tools?

• What role does security orchestration, automation and response play?

• What are your biggest current gaps in incident response and threat hunting?

• How will you look to fill these gaps in 2020?


About the Expert

Joining our discussion today to share the latest insights and case studies:

Sam Curry

CSO, Cybereason

Curry has over 25 years of experience in security with a focus on deep technology and solving practitioner problems. He was previously CTO and CSO at Arbor Networks, senior vice president of engineering and CISO at Microstrategy and held senior roles at RSA, the Security Division of EMC, as general manager, senior vice president of products and CTO. He has done work on national defense, public policy and establishing standards and protocols in security. He also held a number of senior leadership roles at McAfee and CA, founded two successful startups and now serves on three security organization boards. He is a frequent speaker on BBC, CNN, MSNBC and other media outlets, a published author and a patented inventor.

About Cybereason

Cybereason gives the advantage back to the defender through a completely new approach to cybersecurity: the Cybereason Defense Platform. Cybereason offers managed, as-a-service, and on-premise prevention, detection and response solutions. Cybereason technology delivers multi-layer endpoint prevention by leveraging signature and signatureless techniques to prevent known and unknown threats in conjunction with behavioral and deception techniques to prevent ransomware and fileless attacks. Cybereason is privately held and is headquartered in Boston, MA with offices around the globe.


About the Moderator

Leading our discussion today is:

Tom Field

Senior Vice President, Editorial, ISMG

Field is an award-winning journalist with over 30 years of experience in newspapers, magazines, books, events and electronic media. A veteran journalist with extensive business/technology and international reporting experience, Field joined ISMG in 2007 and currently oversees the editorial operations for all of ISMG’s global media properties. An accomplished public speaker, Field has developed and moderated scores of podcasts, webcasts, roundtables and conferences and has appeared at the RSA Conference and on various C-SPAN, The History Channel and Travel Channel television programs.

About ISMG

Information Security Media Group (ISMG) is the world’s largest media organization devoted solely to information security and risk management. Each of our 28 media properties provides education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Our annual global summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.


Q&A WITH THE EXPERT

The Right Roles for SIEM and EDR

In advance of this event, ISMG’s Tom Field spoke about SIEM and EDR with Sam Curry of Cybereason. Here is an excerpt of that conversation.

Sam Curry

CSO, Cybereason

Autonomous SOC

TOM FIELD: Define your vision of an autonomous SOC.

SAM CURRY: This is not about an automatic SOC, since that would introduce vulnerabilities and weaknesses and is not really achievable yet. One day, we will get there. However, an autonomous SOC is one that uses automation in silicon to help the real, existing carbon-based intelligence: the men and women doing the job. Autonomy here is a placeholder for ever-improving efficiency around analysis, decision making, communication and taking actions. It is, in essence, about the results of a SOC post telemetry collection or the “D” and the “R” in XDR. The SOC is a machine for catching Malops sooner and more completely. This is about making the true positives of detection and wrap up as high as possible and as soon as possible as a repeatable business process given the right telemetry (which incidentally is behavioral starting with but limited to the endpoint).

Wrong Roles for SIEM and EDR

FIELD: We’re talking about the right roles for SIEM and EDR. What are some of the wrong roles?

CURRY: Take the list of use cases for the SOC, which are currently squarely on the SIEM. Some should be on the SIEM and some should be on EDR. SIEM is not the lynchpin for all SOC use cases, nor is EDR.


Failing to Maximize Investments

FIELD: In what ways are enterprises failing to get the most out of their SIEM and EDR investments?

CURRY: They are still approaching SOC functions as a checklist, even when they have SOC operations. The opponents are adaptive, which means simple operations expose weaknesses due to the mirror chess problem. It’s time to get good in a second order chaos world. See this blog and its precedent for more.

Cybereason’s Approach

FIELD: How is Cybereason approaching this SOC challenge with customers?

CURRY: We provide best-in-class EDR and MDR with a vision for new endpoint types (mobile and IoT/OT to start) and more behavioral instrumentation in general (like applications, cloud, network and log-derivation). We have demonstrably the highest ratio of endpoints to analysts, least lag in detection, no mechanical turks, the best hunting platform and the least impact on customer environments, employees and business processes.

“It’s time to get good in a second order chaos world.” Sam Curry, Cybereason


902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io


Contact

(800) 944-0401 • [email protected]

CyberEd