EP263 SOC Refurbishing: Why New Tools Won't Fix Broken Processes (Even With AI)

Guest:

• Daniel Lyman, VP of Threat Detection and Response, Fiserv

Topics:

• What is the right way for people to bridge the gap and translate executive dreams and board goals into the reality of life on the ground?
• How do we talk to people who think they have "transformed" their SOC simply by buying a better, shinier product (like a modern SIEM) while leaving their old processes intact?
• What are the specific challenges and advantages you've seen with a federated SOC versus a centralized one? What does a "federated" or "sub-SOC" model actually mean in practice?
• Why is the message that "EDR doesn't cover everything" so hard for some people to hear? Is this obsession with EDR a business decision or technology debt?
• How do you expect AI to change the calculus around data centralization versus data federation?
• What is your favorite example of telemetry that is useful, but usually excluded from a SIEM?
• What are the Detection and Response organizational metrics that you think are most valuable?
• Is the continued use of Excel an issue of tooling, laziness, or just because it is a fundamentally good way to interact with a small database?

Resources:

• Video version
• "In My Time of Dying" book
• EP258 Why Your Security Strategy Needs an Immune System, Not a Fortress with Royal Hansen
• EP197 SIEM (Decoupled or Not), and Security Data Lakes: A Google SecOps Perspective
• The Gravity of Process: Why New Tech Never Fixes Broken Process and Can AI Change It? blog