Back in my analyst years, I rather liked the concept of NDR or Network Detection and Response. And, despite having invented the acronym EDR, I was raised on NSM and tcpdump way before that. Hence, even though we may still live in an endpoint security era, the need for network data analysis has not vanished.

As we discussed during this recent webinar, this is not about competing with endpoint or endlessly arguing about what security telemetry is “better.” This is about reminding the security leaders and technologists that network telemetry matters today! …


What are you not detecting?

OK, what threats are you NOT detecting?

Still didn’t help?

What I mean here is: are you thinking about these:

  1. Threats that you don’t need to detect due to your risk profile, your threat assessment, etc.
  2. Threats that you do need to detect, but don’t know how.
  3. Threats that you do need to detect and know how, but cannot operationally (e.g. your SIEM will crash if you inject all the cloud logs).
  4. Threats that you do need to detect and know how, but do not (yet?) for some other reason.
  5. Threats that you do need…


One thing I did not expect to see in 2021 is a lot of people complaining about how difficult their SIEM is to operate.

Let’s explore this topic for the (n+1)-th time. And let me tell you … that “n” is pretty damn large since my first involvement with SIEM in January 2002 (!) — examples, examples, examples.

Anton’s old SIEM presentation from 2012

(source, date: 2012)

Before we go on, we need to separate the SIEM tool operation difficulties from the SIEM mission difficulties. As a reminder, the mission that the SIEM is aimed at is very difficult in today’s environments. The mission also evolved a lot…


Sometimes great old blog posts are hard to find (especially on Medium…), so I decided to do a periodic list blog with my favorite posts of the past quarter or so.

Here is my second. The posts below are ranked by lifetime views and topic. It covers both Anton on Security and my posts from the Google Cloud blog [and now our Cloud Security Podcast too!]

Top 3 most popular posts of all times (same posts as last time, all happen to be on security operations):


For a reason that shall remain nameless, I’ve run this quick poll focused on the use cases for threat intelligence in 2021. The question and the results are below.

Anton’s Threat Intel Poll 2021

Here are some thoughts and learnings based on the poll and the discussion, as well as other things.

While running this poll my fear was that the detection use case would win. Namely, people naively dropping lots of threat intel feeds into a SIEM (or EDR or NDR or … a firewall?) and then hoping for the best. I am happy to report this did not win. …


This is a quick “let’s think about it together” post focused on the future of cloud security.

Our logical starting point is: “Through 2025, 99% of cloud security failures will be the customer’s fault.” (source: Gartner) My experience in my analyst days and perhaps today mostly confirms it. I’d say that “it feels right.” So, let’s agree that it describes today’s reality correctly.

Next point: now that we agree that this model describes reality in a useful manner, may I suggest that it indicates a problem. In other words, this means something needs to be changed or fixed. Why? …


This is about the Security Operations Center (SOC). And automation. And of course SOC automation.

Let’s start from a dead-obvious point: you cannot and should not automate away all people from your SOC today. Or, as my esteemed colleague said, “Stop Trying To Take Humans Out Of Security Operations.”

Despite this point being dead-obvious today, I want to present a few arguments to further support it — it will be clear why in the end…

We need humans because the attackers are humans with their own creativity, irrationality, weirdness, etc. As one vendor once said, “you have an adversary problem…


Those who follow me on social media already know this, but we have launched THE Cloud Security Podcast.

TL;DR:

Find this on Google Podcasts, Apple Podcasts, Spotify, Stitcher and wherever else podcasts can be found. You can also download the episodes directly here. Follow @CloudSecPodcast.

The whole story from our GCP blog is cross-posted below:

Security continues to be top of mind for large enterprises as well as smaller organizations and businesses. Furthermore, cloud security continues to puzzle many security leaders and technologists. That is why we are excited to announce the launch of the Cloud Security Podcast by Google.


As I mentioned in Detection Coverage and Detection-in-Depth, the topic of threat detection coverage has long fascinated me. Back in my analyst days, we looked at it as a part of a security use case lifecycle process. For example, we focused on things like the number and quality of alerts per SIEM use case, false/useless alert (“false positive”) numbers and ratios (to useful alerts), escalations to incident response, tuning, etc.

But what about a more comprehensive look at detection coverage inside each tool? Is there a way to assess the net threat coverage represented by the aggregate detection coverage inside each…


Here is another very fun resource we created (jointly with Andrew Lance from Sidechain), a paper on designing and running a data security strategy on Google Cloud.

— —

William Gibson said it best: “The future is already here — it’s just not evenly distributed.”

The cloud has arrived. Data security in the cloud is too often a novel problem for our customers. Well-worn paths to security are lacking. We often see…

Anton Chuvakin
