Maybe it’s just me, but many market analysts tend to be skeptical about the latest shiny new thing promising the “complete solution” in security and other technology initiatives. Skepticism is fueled by the constant stream of overlapping tools, enhancements and nuanced products promising to do something “more;” but with functionality that ultimately may become features in other products. Some organizations want and need to stay ahead of the adoption curve and pay attention to market moves by new and established vendors.
Security skepticism is found in security monitoring consoles that have been described in derogatory terms as “Yet Another Console/Yet Another Monitor (YAC/YAM).” These assessments require security analysts to sit at monitors, eyeballing the red, green and gray spinning meters, indicators and alarms, looking for trouble. Such technical talent is in short supply. The enterprise is relying on the sensitive, intuitive capabilities of security operations and threat management professionals who essentially “know” a problem when they see it. But many worrisome events go unnoticed, unreported and unresolved. And then there are the false indicators that may be perfectly fine, but look “funny” and require further time consuming analysis.
Consoles and monitors eventually evolved into Security Information and Event Management (SIEM) solutions. SIEM products themselves are the result of the merger of Security Information Management (SIM) and Security Event Management (SEM) products. SIM software provides after-the-fact reports on things that have happened (often for compliance and forensic requirements.) SEM software works to provide near-time or real-time warnings of abnormalities that may indicate a viral infection, an attempted denial of service attack or other nasty work by nasty digital criminals. SIEMs are fed data from anti-malware, firewalls, authentication gateways, endpoints and other sources to help security analysts make sense of things. Correlating something bad happening “over here” with something bad happening “over there” may not be easy or even possible.
There have been disappointing SIEM deployments and project restarts. In some cases, the flaws lie upstream. Anti-malware products that feed the SIEM can miss viral infections, Trojans and Advanced Persistent Threats (APTs) that lodge and spread within the network-computing infrastructure until they launch with a loud and expensive “gotcha!” Malware can invisibly collect user IDs and passwords, or support industrial espionage by stealing proprietary data, and then sending it out under the cover of other intra- and inter-enterprise communications.
The market knows something is missing with SIEM. While security professionals are reluctant to go public about their projects, under the protection of anonymity, we’ve come across some telling tales that validate a market need for something more. One financial services security manager told us:
“We have a bit of a challenge because SIEM is very much an infrastructure monitoring tool. We’re simply getting data from routers, switches, firewalls, servers, authentication servers, authentication databases and the like and collecting them. We have done some level of correlation, but I would say it’s still pretty much a first generation level. We haven’t gone into any correlation other than suspicious network traffic. We haven’t built any complex use cases yet. This is something we’re looking at either doing ourselves or bringing in a 3rd party.”
And another:
“The SIEM promise is seen as nirvana but doesn’t seem achievable. It’s a lot of work to support the SIEM. We don’t expect the SIEM rules to come from the vendors. Most of the things important to the company and the things to look for must come from people inside the company.”
A number of vendors including Splunk, headquartered in San Francisco, CA, HP/ArcSight, based in Cupertino, CA, and early stage start-ups are working to address the next stage of enterprise security intelligence, based on the idea that there is “big data” within the computing and networking environment that needs to be evaluated for threats and vulnerabilities. Two fairly new vendors are Click Security, in Austin, TX and SMAARTS in San Mateo, CA.* These companies propose to add value to some of the existing approaches, finding flaws in how older solutions handle unstructured data. For example, some use log storage and search to detect and ideally prevent bad things from happening. But because older techniques use stored data and search, there is the opportunity for malware to infiltrate the infrastructure before it can be detected and neutralized. There are necessary limits on what data can be analyzed in a timely fashion. But the market seems to be heading towards streaming, real-time analytics and automated system responses to identified attacks while avoiding both false positives and false negatives.
It may be too early in the game for start-ups to credibly demonstrate that their promises, based on proprietary technology and algorithms, are ready for commercial use. But there does seem to be a market need for solutions that supplement the skills of security analysts who “know it when they see it.” A recent SANS survey found that many organizations are collecting far more information than they can analyze, and that the associations among logged security events are not easily done.
No organization has an unlimited budget. The security “wish list” can be very long and difficult to prioritize. Technologically aggressive organizations and those that cannot tolerate much risk should keep an eye on this evolutionary trend. By instantaneously examining much more transactional and operational data than is handled currently by today’s commercially available SIEM solutions, organizations should be able to advance in their ability to defend their data – and reputations – in the continually evolving threat environment.
*Disclosure: The author is a market development advisor to SMAARTS.