Executive Summary

Security organizations purchase modern SIEM and EDR tools but fail to change their fundamental processes – a critical failure that reduces cyber investments to mere product upgrades. The Google Cloud Security Podcast episode featuring Danny Lyman (VP Threat Detection and Response at Fiserv) reveals: without process optimization, teams remain trapped in outdated work patterns, even when technology enables subsecond searches and AI-driven analysis. The problem: many CISOs and executives conflate technological innovation with operational transformation – thereby missing the actual opportunity for scaling and efficiency.

Topics

  • SOC transformation vs. tool migration
  • Federated SOC models and coordination
  • EDR obsession and multistack security
  • Mean Time to Respond (MTTR) as success metric
  • AI in detection and data availability

Clarus Lead

The central promise fails at implementation: organizations invest millions in modern SIEM and EDR technologies, yet continue operating according to playbooks from 2005. The reason is organizational, not technical. On the Google Cloud Security Podcast, Tim Peacock and Anton Chuvakin criticize that teams do not adapt their detection and response processes to modern technology – even though the new tools would enable subsecond searches and AI-driven correlation. The result: no new capabilities, no scaling, only faster versions of the old processes. Particularly problematic is the EDR obsession: many security leaders believe a top-tier EDR can cover everything – a misconception that overlooks critical attack layers (routers, appliances, network, IAM).


Detailed Summary

The Process Problem is the Real Problem

Danny Lyman articulates the central premise precisely: "If we don't have the right process in place, then it becomes a challenge to do things correctly." While investments are typically divided among people, processes, and technology, organizations predominantly gravitate toward the technology component. This leads to a classic scenario: a company purchases modern SIEM/SOAR solutions, decommissions legacy appliances, introduces new SaaS tools – and calls that "SOC transformation." In reality, it is merely a product upgrade without operational realignment. Workflows remain identical, decision-making unchanged, specialization unaltered. Even when the new technology enables subsecond searches (versus 2–5 hours previously), this yields no new capabilities, because teams have not learned to leverage that speed.

EDR Obsession: The Silver Bullet That Doesn't Exist

A particularly urgent point: many security leaders view Endpoint Detection and Response (EDR) as a universal solution and are surprised to learn that a "compromised router" or hacked security appliance is not monitored by EDR. Anton Chuvakin explicitly debunks this myth: EDR is valuable, but it is not everything. More problematic still: some leaders publicly claim they can "abandon SIEM" because EDR "detects everything." This is factually wrong. Attacks traverse all seven OSI layers. An EDR-only approach relies on endpoint visibility – and thereby ignores network-based attacks, identity attacks, application logs, and critical infrastructure logs.

The reasons for this obsession are economic: organizations have made substantial EDR investments, must justify them, and cannot admit that the investment is insufficient. This is a classic sunk-cost fallacy problem, exacerbated by strong marketing messaging.

Federated SOC Models and the Coordination Problem

Lyman then introduces a more subtle concept: federated SOCs. This does not mean centralized vs. decentralized technology, but rather specialized teams that each work in EDR, NDR (Network Detection and Response), and IAM tools – with central coordination. The critical point: when an IAM anomaly must be correlated with a network event, this connection is often missed because teams work in isolation. These coordination gaps are frequently attack routes that slip between specializations.

AI and the Data Problem

On the topic of AI-driven detection, the hosts issue clear warnings: AI can only see what is accessible to it. If critical logs (application logs, legacy systems, isolated data silos) are not centrally available, no AI rule can address these blind spots. A classic example: Java application logs contain gold-standard intelligence about attack intent, but are notoriously difficult to normalize. Many SOCs give up and don't capture these logs – thereby losing valuable attack signals.

The Metrics Confusion: MTTR over MTTD Obsession

Lyman clarifies an important point: Mean Time to Respond (MTTR) is the universal metric. Detection Time (MTTD), Containment Time (MTTC), and others are subsets thereof. Many organizations obsess over detection speed and underestimate response speed – although even the fastest detection has zero value if the response that follows it is slow. The practical benefit lies in rapid response, not merely rapid detection.
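As an added illustration (not from the podcast or this newsletter), the constructed Python below treats MTTR as the end-to-end metric and shows MTTD, MTTC and remediation time as the segments that make it up; the timeline definitions, the two sample SOCs and their incident timestamps are assumptions chosen to make the decomposition visible.

```python
"""Decompose Mean Time to Respond into its detect / contain / remediate segments."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class Incident:
    # Assumed timeline: compromise -> detection -> containment -> resolution.
    name: str
    compromised_at: datetime
    detected_at: datetime
    contained_at: datetime
    resolved_at: datetime

    def _hours(self, start: datetime, end: datetime) -> float:
        return (end - start).total_seconds() / 3600

    def time_to_detect(self) -> float:     # dwell time before anyone noticed
        return self._hours(self.compromised_at, self.detected_at)

    def time_to_contain(self) -> float:    # detection until the attacker is boxed in
        return self._hours(self.detected_at, self.contained_at)

    def time_to_remediate(self) -> float:  # containment until the incident is closed
        return self._hours(self.contained_at, self.resolved_at)

    def time_to_respond(self) -> float:    # end to end: the "universal" metric
        return self._hours(self.compromised_at, self.resolved_at)


def metrics(incidents: list[Incident]) -> dict[str, float]:
    """Mean of each segment in hours; MTTR equals the sum of the other three."""
    return {
        "MTTD": mean(i.time_to_detect() for i in incidents),
        "MTTC": mean(i.time_to_contain() for i in incidents),
        "MTTRem": mean(i.time_to_remediate() for i in incidents),
        "MTTR": mean(i.time_to_respond() for i in incidents),
    }


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: SOC A detects within the hour but takes days to act;
# SOC B needs hours to detect but contains and remediates quickly.
SOC_A = [
    Incident("phish-1", ts("2026-01-05T08:00:00"), ts("2026-01-05T08:30:00"), ts("2026-01-07T08:30:00"), ts("2026-01-09T08:30:00")),
    Incident("cred-2", ts("2026-01-12T10:00:00"), ts("2026-01-12T11:00:00"), ts("2026-01-14T11:00:00"), ts("2026-01-16T11:00:00")),
]
SOC_B = [
    Incident("phish-1", ts("2026-01-05T08:00:00"), ts("2026-01-05T12:00:00"), ts("2026-01-05T14:00:00"), ts("2026-01-06T14:00:00")),
    Incident("cred-2", ts("2026-01-12T10:00:00"), ts("2026-01-12T16:00:00"), ts("2026-01-12T18:00:00"), ts("2026-01-13T18:00:00")),
]
```

SOC A wins on MTTD (0.75 h vs 5 h) yet its MTTR is roughly three times longer than SOC B's, which is the point of measuring the whole response rather than detection alone.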


Key Takeaways

  • Process beats technology: Modern tools without process optimization are merely faster old processes – not transformation.
  • EDR is necessary, not sufficient: Multistack security (network, identity, application, endpoint) is required; EDR-only approaches miss critical attack layers.
  • Coordination is the lever: Federated teams with central coordination close blind spots created by specialized teams.
  • Data is the AI boundary: No AI can see what isn't captured; isolated data silos sabotage modern technology.
  • MTTR beats MTTD: Response speed is more critical than detection speed.

Critical Questions

  1. [Evidence/Source Validity] Lyman claims that most organizations don't change processes during tool upgrades – are there available industry studies (Gartner, Forrester) or ISACs that can quantify this rate?

  2. [Conflicts of Interest] Why do security leaders publicly claim EDR is sufficient when they privately admit it doesn't cover everything? Is this reputation management or budget protection?

  3. [Causality] Do teams with better processes automatically become more efficient, or are there confounding variables (team size, budget, vendor lock-in) that overlay the effect?

  4. [Implementability/Side Effects] What concrete process changes should a SOC make when migrating from EDR-only to multistack? What training costs arise?

  5. [Data Quality] Application logs are difficult to normalize – are there established standards (CEF, OCSF) or must each SOC solve this problem independently?

  6. [Causality] Can AI really bring together all these isolated data sources, or is this wishful thinking as long as legacy systems lack APIs?

  7. [Conflicts of Interest] Are SIEM vendor recommendations for "federated SOCs" truly technology-neutral, or is there a business interest underlying them (more tools, higher licensing costs)?

  8. [Implementability] Sebastian Junger's "In My Time of Dying" draws parallels to intrusion response – but are medical diagnostic processes transferable to cybersecurity, or is the analogy oversimplified?


Additional News

  • Cloud Data Center Boom: Tech companies (Amazon, Google, Meta, Microsoft) are investing massively in data centers for AI; 2025 saw 400 billion USD – with massive impacts on rural communities.
  • BAKOM Newsletter 486: Federal Office of Communications publishes current media policy updates; regulatory developments in Switzerland in focus.

Sources

Primary Source: [Cloud Security Podcast Episode 263: Detection and Response with Danny Lyman (FISERV)] – https://traffic.libsyn.com/secure/cloudsecuritypodcast/EP263_not259_CloudSecPodcast.mp3

Supporting Sources:

  1. Danny Lyman, VP Threat Detection and Response, FISERV
  2. Tim Peacock, Senior PM Google Cloud SecOps
  3. Anton Chuvakin, Senior Staff, Google Cloud CISO Office
  4. Sebastian Junger, In My Time of Dying (2023) – medical-philosophical perspective on diagnostics and decision-making under uncertainty

Verification Status: ✓ 2026-02-17


This text was created with the support of an AI model. Editorial Responsibility: clarus.news | Fact-Check: 2026-02-17