Mathias Palmersheim

Better Together: Leveraging Your Observability Tools as a SIEM

A security scan tanks app performance, but your teams can't connect the dots. See how a unified observability and SIEM platform prevents this.

Better Together: Leveraging Your Observability Tools as a SIEM
#1about 6 minutes

Defining and comparing observability and SIEM practices

Observability and SIEM share core functions like telemetry collection, proactive alerting, and data abstraction, and incidents in both domains have similar negative business impacts.

#2about 7 minutes

The high cost of maintaining separate toolchains

Running separate observability and SIEM tools leads to agent fatigue, duplicated effort in data storage, and tool sprawl during incidents.

#3about 4 minutes

Why historical separation and workflow inertia persist

Tools remain separate due to their different origins, user resistance to changing familiar workflows, and the technical complexity of migration.

#4about 4 minutes

Building a business case for tool consolidation

Frame the migration to leadership by focusing on cost savings from reduced storage, improved availability, meeting compliance requirements, and lowering labor costs.

#5about 2 minutes

The operational benefits of a unified platform

A single platform provides unified management, reduces friction between teams, and creates a single source of truth for faster incident resolution.

#6about 4 minutes

Navigating the challenges of a unified approach

Consolidating tools presents challenges like a lack of turnkey integrations, the difficulty of porting domain knowledge, and achieving stakeholder consensus.

#7about 4 minutes

Introducing ShiftMon for unified observability and security

ShiftMon is an open-source project that uses VictoriaMetrics to provide pre-canned dashboards and alerting for both infrastructure and security monitoring.

#8about 2 minutes

Use case: Monitoring host compliance with Ansible

ShiftMon can monitor systemd services to alert on failed Ansible Pull jobs, providing immediate visibility into configuration drift.

#9about 2 minutes

Use case: Investigating incidents with correlated data

By combining firewall metrics, DNS queries, and Sysmon process data, you can quickly investigate incidents and identify suspicious network activity.

#10about 1 minute

Use case: Using anomaly detection to de-escalate blame

Anomaly detection on metrics can help teams objectively determine if their activities, like a security scan, impacted system performance.

#11about 2 minutes

Use case: Debugging an OpenTelemetry implementation

Correlating network flow logs from Suricata with trace data helps distinguish between network connectivity problems and application misconfigurations.

Related jobs
Jobs that call for the skills explored in this talk.

Featured Partners

Related Articles

View all articles

From learning to earning

Jobs that call for the skills explored in this talk.