What are SIEM, SOAR, EDR, XDR?


Are you doing all you can to stop ransomware attacks before they happen, or kill them the moment they show up? Have you looked into this and found yourself swimming in alphabet soup (SIEM, SOAR, EDR, XDR)? Have you looked at some of these tools and found them to be prohibitively expensive or too complex? This is the episode for you. We have Dez Rock, CEO of SIEMonster, a SIEM/SOAR/XDR as a service company. She helps us weed our way through these acronyms, and then tells us about how SIEMonster (pronounced sea-monster) is bringing this important technology to companies of all sizes.

[00:00:54] W. Curtis Preston: Hi, and welcome to Backup Central’s Restore All podcast. I’m your host, W. Curtis Preston, AKA Mr. Backup. And I have with me my senior HDMI consultant, Prasanna Malaiyandi.

How’s it going? Prasanna.

[00:01:07] Prasanna Malaiyandi: I’m good. Curtis. I’m I, by the way, my bill is in the mail, so, or invoice

[00:01:12] W. Curtis Preston: Alright, I’ll, because once again, once again, you ended up having a fountain of knowledge about a random technical topic that ended up being very useful. I mean, the fact that you just were like, oh no, I think that’s the, the HDMI 1.7 spec that came out in 2009 or. Um, and they’re like, and then when I, so, so basically, yeah, so I have a new Apple TV, meaning the, the little box, and I was trying to connect it to my 2009 plasma television.

And, uh, it uses, uh, HDMI-CC.

[00:02:01] Prasanna Malaiyandi: Yep.

[00:02:02] W. Curtis Preston: Yeah, to control the power off and power on, and it wasn’t working for me. And uh, I was just talking to Prasanna about that. And then once again, you were like, oh, well if you checked the setting and such, whatchamacallit. And you, you solved my problem.

[00:02:22] Prasanna Malaiyandi: Yeah, and I solved your problem that Apple support couldn’t even solve for you.

[00:02:28] W. Curtis Preston: Yeah, yeah, apple support was worthless. Uh, and this is all just a process of getting towards my new big giant TV that will at some point arrive. Um, I’m just, I’m just waiting for that moment to buy the big, the big giant tv.

But, um, I bought the soundbar first, so I have this old

[00:02:49] Prasanna Malaiyandi: And was your wife happy

[00:02:51] W. Curtis Preston: My wife was so happy that she could turn the television off, you know? I mean, it was so, it was such a burden for her to have to get up and turn on the TV when she first starts watching television. Uh, and

[00:03:03] Prasanna Malaiyandi: well, and I think, I think just to clarify, I think off work, turning off the TV work,

[00:03:07] W. Curtis Preston: off.

[00:03:07] Prasanna Malaiyandi: turning on.

[00:03:08] W. Curtis Preston: Which is what made it so confusing off worked, but on did not. And, um, but now they both work and my wife can watch television without, you know,

[00:03:20] Prasanna Malaiyandi: Cursing your name

[00:03:22] W. Curtis Preston: Exactly.

[00:03:23] Prasanna Malaiyandi: being like Curtis, why do

[00:03:24] W. Curtis Preston: and now, now, once again, she will, she will give you credit for it. Uh, and I

will get no credit, but, Such is life. So, um, let’s move on to our guest.

I found her background fascinating. She has degrees in both business and law, and she finished her MBA while actually running the company that we’re talking about today, which is, uh, SIEMonster, that’s S-I-E-Monster, an affordable security monitoring software solution. She’s now their CEO, and you can find her on Twitter as @deztraction

so that’s d-e-z-traction.

Uh, welcome to the Pod Dez Rock.

[00:04:07] Dez Rock: Thank you. Thank you for

having me


[00:04:09] W. Curtis Preston: So, uh, you, so you’ve been, you’ve been all over the globe and you are now currently. I think just a few miles where I lived

for a

while. Where, where, where exactly? You’re in Delaware

[00:04:20] Dez Rock: I am, I just gimme a minute. I want ’em to announce it like the locals. No. Uh,

[00:04:28] W. Curtis Preston: Are you in Newark?

[00:04:31] Dez Rock: No, no, exactly where


[00:04:34] W. Curtis Preston: yeah. So that’s actually where I got my start. In backups back in 1993, I was fresh out of the Navy. I was, I had, the Navy had sent me to Philadelphia, so my ship was in dry dock up there in Philadelphia. And um, so I got out and immediately went into, uh, backups, uh, because it was like many people, it was the job I could get.

No one, no one wakes up, you know, no one dreams of being a, a backup

[00:05:04] Prasanna Malaiyandi: Hey, don’t shatter people’s hopes. You know, I’m just saying, Curtis, maybe there

[00:05:09] W. Curtis Preston: you wanna be a backup person, there is demand. Trust me. Uh, there’s just not a line. and, but yeah, I got my start there on Christiana Road. The, that was where, uh, bank of America was. Uh, I have a, I have a daughter who’s now 28, who was born on Christiana Road at Christiana Hospital. So I’m feeling very close to you right now, even though you’re all the way on the other side of the country.

[00:05:33] Dez Rock: That’s lovely to hear. Cause I know you’re in


[00:05:36] W. Curtis Preston: absolutely. The, the, the complete opposite corner of the country. Um, now clearly based on how I’m hearing you speak, uh, you were raised in, in a different part. Uh, probably a, probably a different hemisphere, I’m guessing.

[00:05:50] Dez Rock: Do you


[00:05:50] W. Curtis Preston: Oh,

[00:05:51] Prasanna Malaiyandi: This is Curtis’s favorite thing. Yeah.

[00:05:53] W. Curtis Preston: It’s, it’s not fair because I, I looked at your LinkedIn page and I knew that you went to Victoria. Uh, so, uh, that’s not fair, but I, I would’ve gotten it either way. I, I definitely, uh, my favorite is trying to, trying to, within a few phrases, trying to

distinguish whether or not I’m talking to a Kiwi or a, or an Aussie.


[00:06:14] Dez Rock: And Aussie, so my accent is not the one that the Americans are used to. And I, and I can drop it down to what you guys would most people think I’m from England and when I come to the us right? Unless, unless I start talking a bit like this. And then, then they’ll, they’ll really know then it’s

[00:06:32] W. Curtis Preston: Exactly.

[00:06:33] Dez Rock: And so what’s really, what’s really hard to fathom, most Americans

I’ve, that accents can differ in a country. It’s remarkably

[00:06:44] W. Curtis Preston: they should, it shouldn’t, uh,

surprise them. I mean, we have like 20 in this country. Yeah.

[00:06:50] Dez Rock: know. I know. I know.

[00:06:52] W. Curtis Preston: Yeah. And, and what’s more amazing to me is how much accents can vary in England, right?

[00:06:59] Prasanna Malaiyandi: I was just gonna bring

[00:07:00] W. Curtis Preston: little country. And, you know, you have a different accent between north and South London, right? I I, and it’s just, and, and then you have accents, accents vary based on class, right?

On education and, and

all of that,


Um, so yeah.

[00:07:17] Dez Rock: That’s

[00:07:17] W. Curtis Preston: yeah,

I, I, I enjoy.

[00:07:19] Dez Rock: But the same can be said in New York, New York, right? I mean, a New York accent depends on how they, you could tell literally where, whereabouts they’re from because of that, and that’s just one

[00:07:28] W. Curtis Preston: That is true.

[00:07:29] Dez Rock: So it is just the inability to apply the exact same rule to other


[00:07:35] W. Curtis Preston: We, we, um, Yeah, we, I don’t know. I don’t know what to say. America. Um, so, so, but you’re, you’re here now, so, uh, you’re, you actually live in Dallas. The company is headquartered in Delaware. I’m seeing

New York also. Where, what is, how does New York figure into it?

[00:07:55] Dez Rock: so we were in New York Post, uh, pre pandemic with the headquarters, and I used to be, I, I’ve transferred from New York. I, I used to live in New York as well, and uh, New York is where we went through Techstars in 2018 as well. So that’s why, uh, that’s why we have a presence or had a presence in New York.

I’m about to pull out of New York. Um, stick to, um,


[00:08:17] W. Curtis Preston: Nice. All right. Well, I’ve been in all those places. I love all those places. Let’s, let’s talk about, um, by the way, Dallas, uh, clearly

wins, uh, from a barbecue perspective, um, unless you’re,

[00:08:31] Dez Rock: Right? Yes. Well, you don’t,

they’ll let


[00:08:36] W. Curtis Preston: Yeah. Yeah. yeah. Although of the, of the three cities they win. Although if I’m in, if I, if I get to choose my Texas cities based on barbecue, Dallas wouldn’t be it. Sorry folks. Sorry. Dallas folks. I’m a bit of a Austin Barbecue fan, but

anyway, I’ve had great, but I’ve had great barbecue in, in,

in Dallas.

Uh, my favorite was at Terry Blacks. but anyway, we.

[00:09:00] Dez Rock: Yeah, that’s exactly what I’ve

heard as

[00:09:02] W. Curtis Preston: we could easily have an entire podcast about

[00:09:05] Prasanna Malaiyandi: But we’re not. Yes,


[00:09:07] W. Curtis Preston: not. That’s not why we’re here to talk. So, did you see the way he’s reining me in Des so let, let’s go back to 2016. When you, you got this idea to, to, you know, start this new company,

what problem did you see that you were trying to.

[00:09:27] Dez Rock: Well, at the time we were Kustodian with a K and we were professional hackers, so we were pen testers, um, working all over the world, a small elite bespoke group, um, with clients all over the world. One of our Australian clients, um, BlueScope Steel, fourth largest steel manufacturer in the world, uh, had some issues with some ransomware.

I know that’s a topic that. You guys were Yeah. Wanna touch on. But, um, had some issues with that and, um, instead of, uh, that, that we would be testing them every year for their compliance, you know, for penetration testing. So they actually asked us, well, are there no tools for this? Uh, is there no way that we can support or, you know, protect our data?

And we are red team, right? So we. I don’t know. Let have a look.

[00:10:16] W. Curtis Preston: You’re like, we don’t do that. We don’t do protect. We do

[00:10:19] Dez Rock: we, we don’t do that. We, we know, we know how to get

in and we we get in real, like we know that we know how to penetrate very well. Right. Um, there isn’t a area, and that’s one of the, like, there isn’t a customer, a location, a challenge that we have not risen to by the way.

Right. So, Badge of honor that we wear. Um, so these clients are, so they asked for software to be Blue team, right? Like protect, and um, to which we said, let’s have a look. And the one name at that time that came up was Splunk. They can handle really big data and they can do this. And so we said you wouldn’t believe this cuz that Splunk is now, we said, let’s just let you know we’re happy to bro.

Like let’s introduce you to Splunk. Right? So we did and, and Splunk gave them a quote.

And it was at that point, to cut a story short, it was at that point that BlueScope said to us, is there no way that we could perhaps solve this any other way? And we said, you know what? Let’s have a look at some open source tools, right?

And so, the need was affordable security for big data. Um, and that was the, uh, field in which we went into. And at the time we went with open source tools, right. And we patched them to, you know, like we basically stitched them up. We made, you know, like put a cover on it, made it easier to use, made it easier to roll out.

And that’s how SIEMonster started. And SIEMonster was always, we thought at the time, an annex to what we already. I mean, we were pen testers, we’re hackers. We thought this is just this cute little project that was happening on the side. One off. Well, our, what started like a very small snowball got bigger and bigger.

Uh, the Australian government, including us, Aus Cyber backed us. Um, to come to San Francisco to RSA, where we were nominated product of the year back then as well. So we started to track momentum. Uh, we saw that then that’s where we saw further needs. Okay, so this wasn’t just a one off.

There really is a need for big data to be secured down at a far more affordable price. Right? Um, because we vehemently believe that, uh, security should not be gate kept by price. Right. So, uh, that’s a fundamental that that’s, by the way, that’s harks back to the days of when we were hackers as well, because we, uh, participated in the DEFCON culture way back when as well.

So we were always giving back to community and feeling this way. So that hasn’t changed. So that is the, uh, origin story

of SIEMonster.

[00:12:54] Prasanna Malaiyandi: So just a quick question. I know you mentioned a couple times big data. So did you feel that in the big data space there weren’t any tools available that were simple? There weren’t tools available that were

affordable or all the above?

[00:13:07] Dez Rock: If we go back to the origin story, the original, uh, thing was it wasn’t affordable, right? By the way, the SIEM space was not as crowded as what it’s now. Right. Um, so it’s quite different now. And I know a lot of people are doing a lot of things and that’s, that’s really great to see that we’re all that, that give, people are giving Splunk a run for their money.

Um, but I dunno how many people. Attacking the big data spaces. You know, there’s a lot that will go small, medium. And the other thing that a lot of, um, people are doing, if you know this space really well, is they will charge by node or by, you know, they, they’ll charge by endpoint. And when you do that, you are asking your security operators to pick and choose what they wanna cover.

Now that’s vehemently against. Belief system too, because if you do not put locks on all your doors, then your house is not secured. It’s a zen. It’s as simple as that, right? So, uh, we thought, well, that’s a design flaw. Again, this is red hat, like red team thinking about blue, right? Because we know how to get in.

So if you leave a door open, we already know that we’re gonna, like, that’s the best way to get in. So if you’re not covering all your end points, then your system is not secure. Period. End of story right there. That’s why we decided big data is. Where we need to aim for. Right. And it doesn’t mean big data, big organizations.

It just means any data, all data, all encompassing.


[00:14:32] W. Curtis Preston: interesting. So I heard, I heard you say two things that to me sound like they conflict and they probably don’t. So I just need you to help me understand. One was you said that you, you, you agree with. Me that you know, you know, you need to protect everything, right?

If you’re not protecting everything. And then it sounds like you have a solution that’s aimed specifically at Big Data. So does that mean there’s other parts of the organization that

you’re not protecting?

[00:14:57] Dez Rock: No, what I’m trying to say is that our solution is, uh, is scalable. Right. And that’s part of the story of our success. We’re scalable. So it doesn’t matter what you throw at us, we will put a circle around your entire organization. And if you, if you grow, we grow with you. It’s as simple as that. Um, and without hesitation, and no one can do the EPS that we do, like the events per second, the challenges that that requires, like we excel at that.

So when we started, like what started off. Helping one client. Let’s face it. Like helping one client then started to become like, how do we, and it was always with the red, uh, red team, uh, vision, right? We need to protect everything clearly, right? We all agree in that if you’re not protecting everything, you’re not protecting the entire organization.

So if that’s the case, then how do we do that? But do it really fast as well, because you do not wanna slow the network down as well. You see how they all, it’s all hand in hand and it all comes down to, again, the way we do things cause of who we are. Right, and so that’s why big data and all encompassing

[00:16:05] Prasanna Malaiyandi: So just pushing back on what Curtis had said, right. I think probably Curtis, what you were confused about was probably the big data word, right. And phrase, right. I think it’s really like Des, like you had said, right? You scaled depending on if you are a small shop and growing or if you’re a big shop, right?

It’s a single solution that you could use. That scales as you grow versus a lot, I’m guessing in this space there’s a lot of people where it’s like, Hey, if you have a small solution, you’re probably not gonna use

[00:16:33] Dez Rock: They

[00:16:34] Prasanna Malaiyandi: They won’t use the exact same implementation because either it’s too expensive to deploy like your enterprise wide, and we see this in other software stacks as well.

Right? You have an enterprise-wide solution, which is more complex and has all the bells and whistles, but, uh, sort of a small medium company, it’s too complex because they may not have the dedicated IT resources to use. And then you have the opposite problem, where if you have a solution for small, medium businesses, when you get to enterprise, it

doesn’t quite meet the scale and the security requirements and other

[00:17:03] Dez Rock: You have hit the nail right on the head there. So we are a solution that can be used by small, medium businesses and can scale all the way up to enterprise without a blink of an eye. Immediately, you don’t have to do anything. It just does it. So that’s part of the technology that we’ve built in.

and by the way, if you’re small, medium, you actually get the benefit of enterprise grade security. So there’s that too.

[00:17:24] W. Curtis Preston: Our audience is primarily data protection focused folks

who might not actually know what a SIEM solution is. So, uh, and by the way, is, is that, by the way, is

that how it’s generally pronounced? Cuz I’ve always said SIEM solution.

[00:17:41] Dez Rock: I think, um, I think it’s pronounced different in different countries. And when we saw it, we, in Australia, we saw it as SIEM. Right. In fact, we didn’t even know what a SIEM was. We were like something held your pants up. No idea. That’s where we started.

Right. Um, uh, it was only later. Once we named the company SIEM Monster, right? The way we named it, then we realized that a lot of people call it SIEM. So, uh, and then we were stubborn about it and we started calling it, right? Um, that’s that too. SIEM stands for, it’s S-I-E-M, right? Uh, Security Information Event Management. It’s another way of saying monitoring software that SOCs will use, for example, right? Or any security analyst will use. Uh, so it’s to give you a God view of your entire organization and the events that happen in there. Now there is a lot of things, and the definition of SIEM is a really good one because there’s a lot of confusion out there.

People think that are such a searchable database is a SIEM, it’s not. So you need to add some context around.

Prasanna’s laughing. Cause I think, you know, it’s Right. So, right. Um, so you, a SIEM ought to have some enrichment into as well.

And that happens when, um, with recognition that this needs to be an event. And then of course we have certain factors like SOAR capabilities and XDR capabilities, which is the newest version of SOAR, let’s say. And so SOAR, and I’m gonna give a very basic, uh, analogy here, is when we. Have a rule set apply to events that always happen.

And I like to use the logging, you know, like putting in the wrong password over and over again. So when that happens, or someone logs in, like you guys are a Delaware based company and you’re all in Delaware and yet somebody in a different country is starting to log in, it’s flagged from, you know, the location.

Right? So things like that that you would say these as a ruleset, This is something that I need to know about. So it needs to turn into an event to alert me for, right? So you can write rules about that. And that’s called SOAR, right? That’s S-O-A-R. So then the next iteration of that in the industry is called XDR.

And what XDR does is a lot of automation of that. So then it not only picks out the events, it tells you what’s happening. It actually tells you that this is something that you need to do and sometimes can shut it down as well. And I. I do have a story about that. Uh, when a ransomware tried to get into one of our clients, a large hospital and the XDR component literally shut it down before anyone could do anything.

Oh, it before it was infiltrated and saved that company. Yeah.

[00:20:16] W. Curtis Preston: So you threw out a couple of, uh, acronyms there, and we always ask our guests to, to spell out the acronyms,

uh, that, that they use. So what SOAR and XDR.

[00:20:29] Dez Rock: Certainly SOAR is security

orchestrated automation and response. So as I mentioned, it automates and responds, so it’ll give you, you know, it’ll actually run a script and then give you a response as an alert on your Slack email, however you like to have it. So something has been done and alerted, certainly helps your.

SOC team or your an analyst have a better idea, you know, so they’re not literally, because what usually happens with any SIEM is that events come in. You need a way to prioritize them to say what is urgent, what is not. SOAR will actually handle a lot of the very similar uh, events that need to be action.

For you, that’s what a SOAR is. XDR or EDR is a extended detection and response. So it basically builds on that. And what that is, is, um, uh, the newer, um, technology, which again involves automation. As well. So that will not only tell you that something has actually

[00:21:43] W. Curtis Preston: Okay, so, so if I were to summarize these three tools, the SIEM tool is the thing that notices that something bad happened. A SOAR tool will tell you that something bad happened, and an XDR/EDR tool will actually respond, uh, that like

it can actually do things to stop the thing from happening. Does that sound about.

[00:22:04] Dez Rock: So a SOAR will tell you true, but a SOAR will actually respond as well because running on script, you can build custom made scripts as well, right? So in your organization, you only, you know your organization the way you, you know, it’s, it’s, everyone’s quite unique in that fashion. So what. You can’t have out of the box rules.

You definitely need your own set of rules to match your organization. That’s what a SOAR will do. The XDR or EDR will actually action to take down commonly. For example, if it’s a known attack vector coming in, right, it will actually shut down that IP and say no more from here. So that is not just saying, Hey, if this happens, let me know.

This is like, if this happens, let me know and also shut it down before I even get there. So it’s an. It’s, it’s not, before that, it was the ANA analysis or analyst doing the action. This is now the program actioning,

[00:22:58] W. Curtis Preston: But it sounded like you said Soar can do some actions as well. That’s why I was, um, So, and it’s, I’m just, again, help me understand, like with the, with the SOAR tool, the, the main action

that I think it’s doing is, is letting you know, right? It’s sending you messages, whatever it is that you want do.

[00:23:19] Dez Rock: That’s the

[00:23:20] W. Curtis Preston: That’s,

[00:23:20] Dez Rock: So just to clarify, that’s the action it’s

doing. Exactly.

[00:23:24] W. Curtis Preston: to actually shut down something or block

ports or whatever, that’s where a, an XDR/EDR tool.

[00:23:33] Dez Rock: Correct. That’s when you start to get into that automation side of things where it’s starting to think for you. It’s starting to, and that’s where the AI, the exciting part of, you know, the AI can come into, it’s starting to think for you. It’s starting to get to know patterns. That’s where, by the way, there’ll be another iteration of this.

So we have, if we can imagine, SIEM would be the core, right? The core that is protecting all of your data. SOAR would sit around that, but SOAR is kinda like version one, let’s say. And then you’ve got XDR, which encompasses all of SOAR. Does that make? So it does everything that SOAR does, but a little bit more.

And I can imagine that as the future goes on, we’ll have another version of that, which will then


[00:24:13] W. Curtis Preston: So are these three separate tools then,

or there are tools that encompass all three aspects.

[00:24:20] Dez Rock: I’m certain that there are companies saying that they are three separate tools, but that’s not what we think should happen. We think security should be able to do all of that. So even though, you know, we are titled a SIEM, uh, company, we actually have SOAR and XDR capabilities and quite quietly working on the next,



[00:24:44] W. Curtis Preston: So the answer, uh, and at some point, Prasanna, I’ll let you speak, but I, this is, you’re the first person I’ve had that’s really been able to sort of lay all this out for me. Uh, So there probably are SIEM tools, SOAR tools, XDR tools, individual products that I can buy. Uh, there are probably hundreds of them, uh, but there are maybe a smaller set of

companies that like yours that can do all three

[00:25:13] Dez Rock: We’ll do all of them.

[00:25:14] W. Curtis Preston: Okay.

[00:25:15] Dez Rock: Correct. And even smaller that can handle the data volume that we


[00:25:19] W. Curtis Preston: Okay.

All right.

[00:25:21] Prasanna Malaiyandi: Yep.

[00:25:22] W. Curtis Preston: You, you may now speak for Prasanna.

[00:25:24] Prasanna Malaiyandi: Thank you Curtis. Uh, so Des, when you were talking earlier about sort of, okay, you need this automation with Soar, right? To be able to figure out and alert you properly, right? Um, I think a lot of our listeners may not necessarily realize sort of the volume of events that may come in. Right. Could you talk a little bit about sort of like what you see in some maybe like small, medium businesses, right?

Where they might be like, Hey, I just have an IT guy. They can just manually monitor,

right? All these events and why some of these things may not

work yet.

[00:25:58] Dez Rock: Well, first of all, let’s start

with what. Like, what is a SIEM? Remember I said there are some people thinking that a searchable database is a SIEM because it we’re collecting everything. But that’s just, for starters, that sounds like a nightmare because now it security guy literally has look for, that’s,

[00:26:19] Prasanna Malaiyandi: Yep.

[00:26:20] Dez Rock: that’s not telling, giving any ranking.

That’s, that’s a searchable database. That’s not a SIEM. So, um, So with a SIEM. With just a SIEM, the amount, and remember everything is an incident. It doesn’t know if it’s a good incident or a bad incident. It’s just an incident. Okay? Everything is creating, everything is, uh, giving you a trigger. So we need to then assess.

If it’s a good thing or a bad thing, is it an event? Right? So, by the way, if it’s an event, is it a good event? Is it a bad event? So we start ranking, right? So we start to say, ok, so when people are trying to break in bad, super bad, right? Someone turning on the printer. It’s an event.

We don’t need to do anything. There’s no alert there. But it’s still, you see, you’re still being, it’s an event. You’re still recording. But it’s not something that needs to be actioned. These are very basic examples, but I, I like working with really basic analogies and then building out, right? So, um, in that case, Their volume.

You’re talking about volume. Even the bad ones could, like you could have pages and pages, how like that makes it very difficult and like small to medium businesses usually have one guy, like you are the security guy, go do it. Right? So that’s a lot of pressure for one guy. So you need to make it easier for them.

So that’s why. You know, alerts to, uh, Slack channels, alerts to phones, or, because they can’t be sitting there staring at a screen like this is not, uh, Wall Street ticker. Do you know what I mean? You cannot have that, that you just, you cannot be doing that. So you need ways to put some, uh, framework around, well, human flaws like blinking, right?

So we need, uh, a system in which we can, first of all, rank. And then like I said, a SIEM was probably not enough because it depends on the volume of data coming in. Not enough. So you’d probably want some actionable items to say this usually happens and when this usually happens, I want if that, then this, right?

Then that’s basically what SOAR is, right? So, um, then I want these things to be done. Makes your IT security guys life so much easier and

[00:28:24] Prasanna Malaiyandi: Would you say that that transition from just a normal SIEM to SOAR, does that happen at a certain employee count,

at a certain data set size count? Like what do you, or is it basically everyone should be thinking about

[00:28:39] Dez Rock: Everyone think, look, the way it’s going is everyone should be thinking about XDR way at the beginning. Everyone should, because I think that you right now, you do not need to run a SIEM, right? To run a SOC. You need highly specialized people, and that’s a cost point. Like small to medium organizations cannot be doing that.

So what they need is tools that will make a job easy for an IT person to say, this is something that needs to be actioned. The, the benefit of something, and I hate to, I hate shilling, but the benefit of our product is, is that you don’t make that decision. It’s there. It doesn’t matter. Like if you’re small, if you’re large from the start, it’s there.


[00:29:19] W. Curtis Preston: it.

[00:29:20] Dez Rock: It’s not a choice

[00:29:21] W. Curtis Preston: Yeah, and I think the. The worry. Right. Come, you know, there’s a lot of us that have been in it for a minute, right? That’s, that’s the kids say and um, The worry historically with automated things that are going to actually do things in my environment to help protect me is that they’re going to trigger too often, right?

That they’re gonna, it’s obviously, it’s the false question, and you, you know, you’ve decided that we’re under attack and so we shut down the network or, or whatever it is that, that we’ve decided that we’re gonna do that. How?

How do. Get to that level of comfort.

[00:30:04] Dez Rock: So well, we have professional services for that, where we actually rule out, and that’s the rule sets that we write to literally customize that stuff for your organization. So you’ve removed the false positives, right? Because we, you can’t imagine that people are going to be able to know how to do that off the bat.

It’s probably one to be left to the professionals, right, to set it up for you. Kinda like anything, almost like buying a new, um, Apple TV and connecting it to your TV and needing a professional to come in and help you


[00:30:38] W. Curtis Preston: A, as a technical person, the fact that I needed professional assistance to set up my Apple TV is a, was a bit insulting. Okay, here’s another really important question. How does, I’m assuming that these tools and, and your tool of course, they manifest themselves in a couple of different ways, right? Like, so in, in the, the, you know, I live in the, the backup software space, right?

So either I buy a piece of software, I put it on an appliance, I buy an appliance, or I’m buying a service, right? That, uh, by the way, I should, I, I, I just realized I haven’t put out our disclaimer. So, uh, Prasanna and I work for different companies. He works for Zoom, I work for Druva. And, uh, this is not an official podcast of either company.

And the opinions that you hear are ours. And also, please rate us at, uh, you know, just go to your favorite pod catcher and, uh, scroll down. Give us lots of stars, uh, and, and, and positive comments. And if you’d like to join the conversation, I’m w Curtis Preston at gmail or at WC preston on Twitter. So, um, how about, how does that manifest itself into your. The meaning how, how, how do people put these pro, how do put, put, buy these products, put them in? And then how does your, how does your product work?

[00:31:58] Dez Rock: Okay, so this is a very pertinent question right now because we’re about to release version five and we’re the only SIEM product out there that’ll be available on AWS marketplace where you, if you’re technical enough, you can actually do it yourself with the support portal and go for it. You don’t need any help.

As done implementations, you’ll have it up and running within minutes. Again, unheard of if you know about any of this, right? Unheard of. But we’re here to break the, again, we’re here to make sure that, uh, security is not gate kept right? And that’s part of it. Um, now if that is outside of your technical scope, then we are here to help implement and, and put that in for you as well.

Um, so you have two

[00:32:39] Prasanna Malaiyandi: When you do talk about that second case or even the first case, right? Is it customer or you are deploying it in their infrastructure? In their environment on servers? Is it offered as like a SaaS service that they log into? Especially if you have multiple sites, so it’s all managed centrally. Like what does that deployment model look like?

[00:32:59] Dez Rock: Correct. So the, the unique part of our, um, product is, is that they all can hold tenants. So again, if say for example, you are, uh, a small business, you’re growing and now you have different, uh, locations. So you have different op, you can literally sit different tenants and have one panel of view, uh, and your system will grow with you.

That this is what I mean about highly customizable and uh, very, incredibly scalable, so you could sit different tenants inside right now, off the bat, through AWS and it’s in the cloud. By way of performance, we utilize technology in order to make this happen as well.

[00:33:39] W. Curtis Preston: So you’re, you’re, you’re a service and I like that very much. Uh, I do think that that’s clearly the way it is going and, and it makes it so much simpler for a lot of people, especially SMBs. Um, but I don’t understand. So you’re up in the cloud, but you need to, uh, see things, right?

These events that you described, uh, you use that term events per second, right? EPS. So how are you able to see these things that are going on inside my environment? How do we make that connection?

[00:34:10] Dez Rock: So during the implementation stage, you’ll be asked to input all of your data traffic into that to, to us. You’ll actually be told to, or you could actually even have a local agent. So a virtual local agent within, and then what happens is that acts as a, um, repository. So everything goes to that agent, and then it becomes one funnel up to the cloud that allows for, um, your, your guys are in backup, right?

That allows for two things as well. That means that if there’s a disconnection anywhere, you’ve actually got local storage of events, which is really good for forensic and anything else. It’s just due diligence, right? And so when the connection is reestablished, it will, uh, take all of that, um, events back up to the cloud.

[00:34:54] W. Curtis Preston: That makes a lot of sense. Uh, you know, I, I just, I was wondering, uh, and then of course I will need someone to monitor that, the service. Right. Um, or I can hire somebody to do that.

[00:35:06] Dez Rock: Correct, it, it does depend on the, uh, on the skillset of your staff and your organization, what type of organization it is. If you’re looking for just compliance and just let me know if someone is trying to hack in, I think you’re good. Like I, I, I think you’re good. Your IT can do it. If your data is incredibly sensitive and you need 24/7 monitoring, then you would probably outsource that.

And I suppose it comes back to the actual value of having red team create blue team security. We think of every, every design element, we don’t put just funnels straight up because what happens if there’s a disconnect?

What happens if there’s a power failure? What happens if that, like even that needs a. That’s all been thought through. Right. Um, so the redundancy isn’t intended to be kept there. It’s, it’s intended to just in case there is a disconnection, a power internet, whatever. Right. Um, and these are all the things that have been thought through.

Uh, so the system is secure. It’s not just protecting you. The entire system is secure at

[00:36:02] Prasanna Malaiyandi: Okay.

[00:36:03] Dez Rock: Yeah.

[00:36:03] W. Curtis Preston: It’s like, it’s like, bank robbers that built a bank.

[00:36:09] Dez Rock: Exactly right. It’s just, you know, the other thing, the o the only thing, the other thing is, is like, it’s like, it’s like having a motorcycle gang as personal protection, right. It’s probably, you know, the outlaws that’s the trying image I’m trying to get. It’s like having outlaws and going, I’m, these are gonna be my security guards and you know,

you’ve got the best damn security guards you could ever get. Right. Because ain’t nobody’s gonna mess with you. Because the p that’s exactly the, exactly. Um, the

[00:36:38] W. Curtis Preston: So do you, do you still do the red team stuff or, or is it, this is going so well that you’re not. You’re not doing that.

[00:36:46] Dez Rock: Yeah. So we always keep a foot into the red team world. We still attend Defcon, um, in Las Vegas every year. Um, and. We, but unfortunately, um, the, this has overtaken everything and this has grown from what was a kind of side act to the main event. Yes.

[00:37:08] W. Curtis Preston: I like that, that, I mean, that, that’s, you know, you’re, you’re clearly meeting a need, uh, and. If you’re helping SMBs to have better security, I am. I am all for it.

[00:37:20] Prasanna Malaiyandi: Dez, at the beginning you had alluded to a ransomware story that you think we might be interested in hearing about. Um, maybe you want to talk about what happened.

[00:37:30] Dez Rock: Oh, okay. So that, that’s one of our clients who’s a large hospital. Most of our

[00:37:37] Prasanna Malaiyandi: We’re totally fine.


[00:37:39] Dez Rock: So just bear with me here. And, and I, and I’m in the, I’m in the Secret Keeper business, okay? So a large hospital, uh, was infiltrated, um, by an incident that was basically going to be an attempted, uh, ransomware.

Right. Malware was attempt to lock down their system and it was our, um, including the SOAR and the XDR capabilities, and he, and the project was called Project Skynet. It was, it’s just, phenomenal. Once you hear this guy’s story about it, I’ve literally got a, um, I was so interested. I had him interviewed right?

And wanted to get his story out there. It’s a brilliant, brilliant story of exactly this. It’s exactly how, uh, attempt was made and the SIEM did its job. It literally did its job. It’s kind of like, are you fans of Harry Potter by any chance, you know, the last movie when all of the, uh, statues come to life and finally start protecting the, uh, castle, right?

So it’s a phenomenal SIEM, right? It’s like finally they sit there and, but they find that’s exactly what happened. The SIEM came to life and, and killed the ransomware. Identified it, knew what it was, shut it down before we could. This was then passed along to management to say, this is because it’s one thing to say, damn it, we’ve been hacked or damn it.

We’ve got ransomware to deal with. Right? That’s panic mode. But to hear, listen, they tried it. But they didn’t get anywhere because this was, we stopped. This was stopped. It’s you. That’s a different emotional journey. You’re not sure if it’s like, did it happen? Did it not happen? What happened? You know, like, like, you know.

Um, and so great story for that. So that’s exactly a story that’s happened that because ransomware, and here’s the other thing I gotta tell you. Alright. Just lean in boys. Every company that’s been hacked, every company that’s had ransomware attacks, all of these guys have got security software too,

[00:39:39] W. Curtis Preston: Yep.

[00:39:40] Dez Rock: Just think about

[00:39:41] W. Curtis Preston: Yep. And, and every one of them that were unable to restore their data had backup software. Right. Um, and yet, and yet sit.

[00:39:51] Dez Rock: Because you know what they say.

[00:39:53] W. Curtis Preston: What do they say?

[00:39:54] Dez Rock: You know what they say. Nobody gets fired from, from buying a Gartner Quadrant product, right. Exactly, well known, which means security people, and I’m guessing backup people too, are not doing their research on the technology and the advancements. They’re just doing what everyone else is doing.

They go to Google what is the best thing, what is the best backup pro, whatever, and going with that, not necessarily the best. So the companies out there that are being hacked, that are getting ran ransomware softwares, I guarantee you they’ve got really, really well known security software in. And they’re doing a phenomenal job, aren’t they?

Phenomenal. Absolutely brilliant.

[00:40:32] W. Curtis Preston: I, I sent, I sense a tad bit of sarcasm there.

Well, Dez, you’ve been, you’ve been fascinating, you’ve been entertaining, uh, and, and very educational. Uh, I do not know as much about this space as, as I should. And, and I, I think, I think I’m, you know, I’m, I’m not alone in that. So, you know, you really helped us understand what that market does. I, I love this idea of a product that is, you know, I mean, the fact that your product sort of starts with affordable as, as your leading thing.

Uh, I, you know, I love that the idea that you said that, you know, your, your the customer that started this, they said they, they wanted Splunk and then they got a quote and they’re like, ha. Right. They had, uh, sticker shock. And, and I do think that that. Problem cost, right. Is a barrier for a lot of areas of technology, and I really agree with you that it should not, you shouldn’t have to be rich, uh, to, to have decent security.

Right? Um, and so I, I’m, I’m glad your company’s there. I’m glad you’re doing well. Uh, I wish upon you that you will have no time left for Red Team Business. Um, and, uh, so tha thanks a lot for coming on the pod.

[00:41:57] Dez Rock: Oh, thanks for having me. It’s been a

[00:41:59] W. Curtis Preston: And

[00:41:59] Prasanna Malaiyandi: Dez, just, uh, one question. If, uh, our listeners wanted to find out more information about SIEMonster, where can they go? Can they, like, is there a website they could hit? Like what should they

[00:42:11] Dez Rock: SIEMonster, spelled SIEMonster.com. Um, that’s our home. And um, yeah, that’s where you can find out more about the product and um, get

[00:42:23] W. Curtis Preston: I like it. I, I wonder if, because of the way we pronounce it in the US, I wonder if people call your company SIEM Monster and they don’t understand

[00:42:35] Dez Rock: All the time.

They don’t understand the J the joke, because remember when we first started we were like, we, we heard it as SIEMonster. We were like, haha,

[00:42:45] W. Curtis Preston: Aren’t we

[00:42:46] Dez Rock: Lago. You know, like, you know, so that’s, aren’t we clever tongue? Right. Um, and we even had, our servers had different names, we had different code names, we had all had monster names.

Uh, we had Kraken, we had, we had had, we had so much fun coming up with all of that at the start, you know, when we were just re really start, you know, starting. So the SIEMonster stuck, had to get rid of, uh, but we still have them on Slack and they’re be private and they’re.

[00:43:20] W. Curtis Preston: Uh, don’t keep that character. Um, yeah. So, uh, Prasanna, thanks. Uh, thanks. You know, great conversation.

[00:43:28] Prasanna Malaiyandi: As always, then, thank you.

[00:43:31] W. Curtis Preston: All right. And, uh, thanks again to our listeners. Remember to subscribe so that you can restore it all.

There was a file, but I deleted it to backup system.

Needed your backup. You had a chance. To fix instead. It’s all Jack. How? Alright. On Facebook about you. Don’t underestimate the things that I do.

System isn’t worth space


thinking that you could restore it all. You.

It didn’t work at all.

Maybe it would work if it wasn’t beta.

And rescue me.

Blow yourself into every back front, just for once. It’ll be completely done.