Wednesday, November 26, 2008

SIEM: The Quickening Begins

Though unlike Highlander, I hope that in the end there can be more than one. SIEM is NOT dead, but if High Tower’s recent announcement is any indication, the herd is certainly about to get thinner in the very near future.

How many vendors have both viable solutions and can realistically survive in SIEM and/or Log Management for the long term? ArcSight, RSA EnVision, NetForensics, Q1 Labs, CA, NetIQ, Symantec, eIQNetworks, Splunk, Cisco, IBM, Nitro Security, TriGeo, Tenable, Log Logic, LogRhythm, Intellitactics, Sensage, Exaprotect, Alertlogic, Checkpoint and Novell. Not to mention MSSP-specific solutions or vendors I may have missed.

A few years ago there was a period of acquisitions and consolidation (Cyber Wolf, E-Security, Micromuse/GuardedNet), but if this article from socaltech.com is correct then this is the first outright collapse of a SIEM product company that I can think of off the top of my head. High Tower had reinvented itself from the ground up over the past 18 months. They had some very dedicated and talented folks on staff. When they rebuilt CINXI they had a simple but relatively effective tool for the SMB marketplace. Most importantly to me, they always seemed passionate about making life better for their customers. That moves me to another train of thought....

SIEM: Time to re-focus?
In my mind that “passion” for customer success is what the SIEM market sorely needs again. The main focus of many vendors has shifted to targeting smaller companies and/or to specially branded solutions that promise to solve every problem related to PCI and the like.

It seems to me that the magic SIEM once had has been lost. The “magic” was the partnership that existed between the vendor and the customer, where the entire vendor organization pushed relentlessly for customer success! The vendor would sit with the customer and pull use-cases (teeth) from the customer. Then together they would develop customized solutions to those defined problem sets. The initial process might take weeks or even months to accomplish because it is a learning effort for the customer, but the level of trust, understanding, collaboration and overall value to the entire security team is tangible. Thinking through how to define the necessary data elements, ensure time sync is in place, obtain and centralize the data, refine analysis processes, enact ACLs, create reports and facilitate actions is a difficult but crucial element of ensuring you can effectively monitor and identify incidents on your network.
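To make the "use-case first" process above concrete, here is an added example (not code from the original post or from any vendor mentioned on this page). It carries one defined problem set through the steps the paragraph lists: decide the data elements the use case needs, normalise two differently formatted sources into one timeline, correct a known clock error, and run the analysis. The use case is a brute-force login burst from one address followed by a successful login from that same address; the failures are only visible on a VPN concentrator and the success only on a domain controller, so neither source alone can satisfy it. The log lines, host names, addresses and the five-minute clock skew are all constructed for the example. The skew is there on purpose: run the detection with and without the correction and you see why the text insists on time sync.

```python
"""Added example: one SIEM use case carried from definition to detection.

Use case: at least 5 failed logins from one source address, followed within
60 seconds by a successful login from that same address, across two sources.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real logs). Two formats, two clocks.
VPN_LOG = """\
2008-11-26 09:05:01 vpn1 auth-fail user=jsmith src=203.0.113.7
2008-11-26 09:05:03 vpn1 auth-fail user=jsmith src=203.0.113.7
2008-11-26 09:05:04 vpn1 auth-fail user=jsmith src=203.0.113.7
2008-11-26 09:05:06 vpn1 auth-fail user=jsmith src=203.0.113.7
2008-11-26 09:05:07 vpn1 auth-fail user=jsmith src=203.0.113.7
2008-11-26 09:20:00 vpn1 auth-fail user=bob src=198.51.100.9
"""
DC_LOG = """\
Nov 26 09:00:20 dc1 LOGON_OK user=jsmith src=203.0.113.7
Nov 26 09:30:00 dc1 LOGON_OK user=alice src=198.51.100.40
"""

# Hypothetical, measured clock error per host: positive means the host's
# clock runs ahead of true time. The real fix is NTP; this is the fallback.
CLOCK_OFFSETS = {"vpn1": timedelta(minutes=5)}

VPN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<res>auth-fail|auth-ok) user=(?P<user>\S+) src=(?P<src>\S+)$")
DC_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<res>LOGON_OK|LOGON_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


@dataclass(frozen=True)
class Event:
    """The minimal data elements the use case needs from every source."""
    ts: datetime    # normalised to UTC
    host: str
    outcome: str    # "fail" or "ok"
    user: str
    src: str


def parse_ts(raw, fmt, year):
    """Syslog-style stamps carry no year; supply it before parsing."""
    if "%Y" not in fmt:
        raw, fmt = f"{year} {raw}", f"%Y {fmt}"
    return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)


def normalise(text, pattern, ts_format, year=2008, correct_clocks=True):
    """Turn one source's raw lines into Events on a common timeline."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if not m:
            continue  # a real pipeline would count and report unparsed lines
        ts = parse_ts(m.group("ts"), ts_format, year)
        if correct_clocks:
            ts -= CLOCK_OFFSETS.get(m.group("host"), timedelta())
        outcome = "ok" if m.group("res").lower().endswith("ok") else "fail"
        events.append(Event(ts, m.group("host"), outcome,
                            m.group("user"), m.group("src")))
    return events


def brute_force_then_success(events, min_failures=5,
                             window=timedelta(seconds=60)):
    """The use-case logic. Returns (src, user, success_ts) per hit."""
    # Failures sort before successes that share a timestamp.
    events = sorted(events, key=lambda e: (e.ts, e.outcome == "ok"))
    alerts = []
    for i, ev in enumerate(events):
        if ev.outcome != "ok":
            continue
        recent_fails = [f for f in events[:i]
                        if f.outcome == "fail" and f.src == ev.src
                        and ev.ts - f.ts <= window]
        if len(recent_fails) >= min_failures:
            alerts.append((ev.src, ev.user, ev.ts))
    return alerts


def run(correct_clocks):
    """Centralise both sources and apply the use case."""
    events = (normalise(VPN_LOG, VPN_RE, "%Y-%m-%d %H:%M:%S",
                        correct_clocks=correct_clocks)
              + normalise(DC_LOG, DC_RE, "%b %d %H:%M:%S",
                          correct_clocks=correct_clocks))
    return brute_force_then_success(events)


if __name__ == "__main__":
    print("without clock correction:", run(correct_clocks=False))
    print("with clock correction:   ", run(correct_clocks=True))
```

With the VPN clock five minutes fast, the failures appear to happen after the success and the use case never fires; once the offset is removed the same events produce one alert for 203.0.113.7 / jsmith. The `CLOCK_OFFSETS` table is the workaround, not the answer; the answer is the time-sync step the text puts before centralising the data.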

What needs to happen?
The vendors need to make the products easier right from the start and work constantly to add value to the overall solution. We need to help the customer understand the value of the event sources they have in place today and which event sources add value in conjunction with current/planned event sources. What information can remain in the log management solution and what is best fed to the SIEM? What are the common problem sets and solutions, and how can they be enhanced/updated more frequently? We need to collaborate better and level the playing field for the “good guys” for a change.

SIEM has significant value:
Implementing a SIEM correctly forces you to look at and specifically address all of the issues mentioned earlier. SIEM also provides benefits including enterprise-wide visibility, log standards, time sync, IT and business unit collaboration, reporting and overall security posture. It certainly doesn’t hurt that the efficiency and overall effectiveness of your security team are greatly enhanced by having a good process, comprehensive enterprise visibility, the right tools and trained professionals!

Summary:

  • There are a ton of Log Management and SIEM vendors and the smaller ones will continue to be bought or fail through the next 12-18 months.
  • The Log Management and/or SIEM solutions you put in place need to be driven by real-world, well-defined problem sets, and you do need to worry about the long-term viability of the company; many won’t exist this time next year.
  • Both Log Management and SIEM are tools that fit into an overall process within your organization and the entire process needs love to be successful!
