The dawn of the Basic SIEM
An early SIEM value delivery
Recently, a friend of mine marveled at how the SIEM, even a basic SIEM, can deliver surprising value outside the realm of cybersecurity. Because we customize our SIEM to our Clients, over the years we’ve seen some interesting value propositions. One of my favorite stories was way back in the days when a SIEM was merely intrusion detection.
Dateline: 2003
HIPAA turned out to be a nothingburger, but we had found a niche that might be more reliable than consulting with hospitals and doctors about how they should protect their patients’ privacy. Network monitoring. Recurring revenues. Defend our Clients.
Not only were we building a Snort monitoring and reporting process, but we were also busy standing up bleedingsnort.com and only had a handful of Clients. Yes, we were showing how many times people were scanning their firewall, in a new automated daily report, and we had called a few Clients in the middle of the night who had already developed the calling tree, and a decision tree. But we were also looking for ways to add value, even in those days.
One of our Clients had seven locations: five in Indiana and two in Kansas City. Our Data Security Analyst (DSA)… back then his title was actually NOC Associate… noted interesting language in the chat stream he was investigating (because using this particular chat application was not according to policy).

While our system didn’t automatically include the activity in the daily report, our DSA noticed language in the payload that seemed like a Kansas City office was “planning a mutiny.” The DSA escalated, and the Client brought her attorney into the response team meeting. Keep in mind, this was in 2003. It’s not like the Client had a response team. But we assembled one “ad hoc.”
We then continued to watch and archive the conversations held in that chat room, along with normal logging. We then saw exfiltration of the Client’s customer list in email, which is when the Client contacted the police and negotiated the termination with the rogue employees.
The names have, of course, been changed to protect the company that does not even exist anymore, but this incident not only caught the attention of our Client, but also of my partners who were trying to understand what it was that we were proposing to do with our company.
And it sure happened at a good time. For we all knew that in December there would be a meeting between myself and my three partners, where we decided whether we were going to
- end “the experiment,”
- become a local IT support firm serving the accounting firm’s 800+ clients, or
- give Dan one more year to prove there’s a market for cybersecurity.
When we decided to go with option three, we used the phrase, “mutiny in Kansas City.”

Original article by Dan Hadaway CRISC CISA CISM. Founder and Information Architect, infotex
“Dan’s New Leaf” – a fun blog to inspire thought in IT Governance.