Can You Roll Your Own SIEM?

Presented at Black Hat USA 2021, Aug. 5, 2021, 10:20 a.m. (40 minutes)

At Two Sigma, we had sunk over $1 million into licensing for a popular third-party SIEM product and were paying an additional $200,000 in annual maintenance. We were limited in which data sources we could leverage because our license was restricted to a low daily ingestion rate. As our company began to explore cloud transformation broadly, we in Security began investigating competitive options for our event collection and analysis platform. We wanted to know whether we could roll our own cloud-native SIEM more efficiently, provide greater access to our data, and be as effective as the vendor's solution.

To figure that out, we asked:

1. Does the vendor SIEM product cover enough of our threat landscape to make it worth the cost?
2. If not, has our organization made strategic investments in alternate platforms which could be leveraged instead?
3. If yes, does our team have the skills required to implement and mold these platforms to our needs?

The answers led us to roll our own SIEM. In our presentation, we'll dig into these questions and decisions in depth, as well as describe our architecture and several use cases. At the end of the day, we've been running our GCP SIEM for over a year and have moved off the vendor platform. To get started, we wrote less than 6,000 lines of code across a handful of simple tools. We ingest 5TB of data per day and have over 2PB of historical data stored and instantly searchable. In the end, we spent ~$500,000 to build our own SIEM that would have cost us $4 million if we had used our third-party vendor. We're also saving an estimated $600,000 year over year in maintenance and subscription fees, plus reducing hardware capital expenditure.

Presenters:

  • Bret Rubin - Security Engineer, Two Sigma Investments
    Bret Rubin is a Security Engineer at Two Sigma Investments, where he works on reliability engineering and incident response capabilities under the Security team. Bret previously worked as a contractor for Palantir's Cyber practice, embedding with a variety of commercial customers to build security operations and detection solutions. Before that, Bret worked as an analyst, computer forensic analyst, and special investigator for a law enforcement agency, working on a variety of complex multi-agency investigations and prosecutions, testifying at Grand Jury and trial proceedings, and working to expand agency-wide capabilities. A recovering liberal arts major, Bret enjoys slowly filling in gaps in his technical knowledge at the expense of his employers.
  • Ethan Christ - VP, Security, Two Sigma Investments
    Ethan Christ is a Vice President and the head of the Security Identity, Monitoring, and Response team at Two Sigma Investments where he has worked for the past 10 years. Ethan's teams are responsible for Security infrastructure operations and engineering, as well as Incident Response and eDiscovery functions. Prior to joining Two Sigma, Ethan worked as a Systems Engineer primarily focused on Windows platforms. Ethan holds an MA in Biotechnology and a BA in Biology both from Columbia University.
