Setting up your SIEM for success – Pitfalls to preclude and tips to take – Geoff Cairns, Neil Desai – ESW #400
Full Audio
View Show IndexSegments
1. Setting up your SIEM for success – Pitfalls to preclude and tips to take – Neil Desai – ESW #400
A successful SIEM deployment depends on a lot more than implementing the SIEM correctly. So many other things in your environment have an impact on your chances of a successful SIEM.
- Are the right logs enabled?
- Is your EDR working correctly?
- Would you notice a sudden increase or decrease in events from critical sources?
- What can practitioners do to ensure the success of their SIEM deployment?
This segment is sponsored by Graylog. Visit https://securityweekly.com/graylog to learn more about them!
Sponsored By
Announcements
Security Weekly listeners save $100 on their RSAC Conference 2025 Full Conference Pass! RSA Conference will take place April 28 to May 1 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac25 and use the code 5U5SECWEEKLY! We hope to see you there!
Guest
With 25 years of experience in cybersecurity, I have dedicated my career to defending organizations against evolving threats. I spent my first 11 years securing U.S. financial institutions, designing resilient, monitorable security architectures. Transitioning into consulting, I guided numerous organizations in building and optimizing Security Operations Centers (SOCs) and Security Information and Event Management (SIEM) systems. Over the past seven years, I have focused on the product side, shaping solutions that empower customers to enhance their security posture. My expertise spans the entire defensive spectrum, from configuration and architecture to continuous monitoring.
Hosts
2. The Top Trends Shaping Identity and Access Management in 2025 – Geoff Cairns – ESW #400
In this interview, we feature some research from Geoff Cairns, an analyst at Forrester Research. This is a preview to the talk he'll be giving at Identiverse 2025 in a few months.
We won't have time to cover all the trends, but there are several here that I'm excited to discuss!
- Deepfake Detection Difficult
- Zero Trust Agentic AI
- Phishing resistant MFA adoption
- Identity Verification
- Machine Identity
- Decentralized Identity
- Post Quantum
- Shared Signals
Segment Resources:
- The Top Trends Shaping Identity And Access Management In 2025 - (Forrester subscription required)
Announcements
Identiverse 2025 is returning to Las Vegas, June 3-6. Hear from 250+ expert speakers and connect with 3,000+ identity security professionals across four days of keynotes, breakout sessions, and deep dives into the latest identity security trends. Plus, take part in hands-on workshops and explore the brand-new Non-Human Identity Pavilion. Register now and save 25% with code IDV25-SecurityWeekly at https://www.securityweekly.com/IDV2025
Guest
Geoff Cairns is a principal analyst at Forrester, advising security and risk professionals on identity and access management (IAM). His research focuses on workforce IAM, including topics such as multifactor authentication (MFA), privileged identity management, identity governance and lifecycle, and identity as a service (IDaaS). He guides clients on IAM technologies and services as well as associated integrations and operational processes to address the business and security needs of the evolving workforce environment.
Hosts
3. The toughest decisions CISOs have to make, MCP servers, Napster’s comeback – ESW #400
In this week's enterprise security news,
- Big funding for Island
- Is DLP finally getting disrupted? By something that works?
- We learn all about Model Context Protocol servers
- Integrating SSO and SSH!
- Do we have too many cybersecurity regulations?
- Toxic cybersecurity workplaces
- Napster makes a comeback
- this week, we’ve got 50% less AI and 50% more co-hosts
All that and more, on this episode of Enterprise Security Weekly.
Announcements
I'll be running an panelcast with Fastly, titled Security Without Speed Bumps: Using WAF Simulator to Transform DevSecOps Workflows. Join me for this exciting webcast on April 16th. To register for this panelcast, go to securityweekly.com/WAF
Hosts
- 1. FUNDING: Courtesy of the Security, Funded newsletter, issue #186 – GWiz II (This Time it’s Personal)
The vibe check, as always, is thought-provoking! Last week, Mike asked, "as a security leader, what's the toughest decision you have to make?"
The results were close, which is not surprising - CISOs have to make a LOT of tough decisions. On top was "Balancing security and business needs", followed by "Adopting new tech vs reducing complexity" and then "when to push back on leadership". Notably, a distant fourth was "deciding where to invest budget", which also makes sense - there's no lack of options for using budget with > 4000 product and services vendors out there (not to mention staff training options, certs, etc)!
Funding for this week:
- Island secures $250M as valuation continues to soar to nearly $5B. By far, the largest funding is Island's series E, which didn't make this issue of Security, Funded because it happened just a day or two after it was published.
- VulnCheck, a threat/vuln/exploit intelligence platform, raised a $12M Series A from Ten Eleven Ventures.
- Orion Security raised a $6M Seed from FXP and PICO Venture Partners. This one is interesting - most of the DSPM vendors have been acquired or have reached late-stage rounds - but this isn't DSPM. Orion is labeling itself as DLP 2.0, a label I once jokingly applied to DSPM vendors. It makes sense - I recently heard someone describe DLP as "the single biggest disappointment" they've ever seen in they cybersecurity market. DSPM discovered and classified data, but didn't attempt to protect against misuse or exfiltration. There will be some overlap for sure (classification is always necessary), but my fingers are crossed for DLP that doesn't suck, for once. NO PRESSURE, ORION ;)
- HITRUST raised an undisclosed private equity round from Brighton Park Capital. At this stage (HITRUST is nearly 20 years old), deals like this are often acquisitions, but there's no mention of the amount of equity Brighton got for its investment.
- 2. ACQUISITIONS: W is for Wiz: Alphabet’s Audacious Acquisition
A very well put together analysis of the Google/Wiz deal. It's a remarkable deal in so many ways:
- Fastest security vendor to $100M
- Fastest to become a unicorn
- First security startup to break a $10M valuation
- First to turn down an acquisition offer of > $20 Billion
- First to accept an acquisition offer > $30 Billion
- Highest multiple on a security deal ever (nearly 46x)
And those are just the acquisition target and deal details!
Cole Grolmus goes much deeper into the real meat of the conversation: the deal rationale
- 3. NEW PRODUCTS: Build and deploy Remote Model Context Protocol (MCP) servers to Cloudflare
TIL what an MCP server was. It sounds like they're recommending making these accessible to the public Internet, so this is potentially new attack surface practitioners need to be aware of!
From Ayman - some MCP rabbit holes:
- 4. VULNERABILITIES: Ingress-nginx CVE-2025-1974: What You Need to Know
Along with MCP servers, this is the first I hear of ingress controllers - I don't have any large scale experience with container tech. Based on what I can gather, these should not be exposed to the public Internet, but should be at least one hop back, behind load balancers.
However, I'm not certain whether these vulnerabilities can be indirectly exploited, since they're still handling input from the public Internet - much like Log4Shell and blindSQL were able to exploit things the attacker couldn't directly access.
Wiz discovered these 4 vulnerabilities and their writeup can be found here.
- 5. OPEN SOURCE: Open-sourcing OpenPubkey SSH (OPKSSH): integrating single sign-on with SSH
A step in the right direction for centralizing IAM governance and management!
- 6. REGULATION: Regulatory Harm or Harmonization? Examining the Opportunity to Improve the Cyber Regulatory Regime – Committee on Homeland Security
I don't usually get into regulation, but there's a lot going on with this new administration. This hearing discussed streamlining regulations requiring incident reporting. I didn't get through all the testimony, but I was concerned that things like filing a SAR report were considered duplicative alongside reporting a data breach to the SEC. To be fair, there were many examples where reporting overlaps were high, even 100% (filing the same report twice to the same agency). Often, the duplication was similar/same reports to multiple agencies, who want them for different reasons.
The interest I have in all this is that detailed incident reports don't make their way to the general public, so there are a lot of lessons learned that, as an industry, we can't learn/build/grow from. Here's hoping some good comes out of all this.
- 7. ESSAYS: Toxic Cybersecurity Workplaces: How to Identify Them and Fix Them
A great roll-up of many layer 8 and other people-centric issues in security teams.
- 8. SQUIRREL: Napster makes $207M comeback
Where have I heard of this company before?
