Tuesday, February 3

Actionable Intelligence: the Achilles' Heel of SIEM

Today, I watched the fourth in a series of video discussions moderated by Richard Stiennon on various security topics. This one focused on ESM (Enterprise Security Management) and SEM (Security Event Management); I combine the two acronyms as 'SIEM'.

The panelists (Amrit Williams, Martin McKeay, and Mike Murray) covered a number of aspects of ESM/SEM solutions. My one-line summary of the discussion is that:

SIEMs are not able to effectively correlate information and provide actionable intelligence.

A few of the supporting statements:

Murray: They lack the ability to "take data and pull information out of it."

Williams: The problem "can't be solved in a centralized way." The only way SIEMs would meet their goal is via "cooperation, communication and cognizance distributed out so the agents are essentially communicating with each other and responding to events that are being provided to each other." "I've talked to customers that are 18 months in and still can't get it properly deployed."

Murray: "there are vendors out there that you still have to manually set up every agent... the cost is staggering"

McKeay: "when I think SIEM, I think glorified log management"

Williams: "rarely are these things being used to detect and respond to incidents in real time... the market driver [...] is compliance... it is unfortunate"

McKeay: "it comes down to being able to understand your own environment... it's the definition of the problem that we don't have yet"

The consensus seemed to be that vendors do a good job of gathering and storing logs to meet compliance requirements that mandate storage of those logs. What customers really need and want from these vendors, however, is actionable intelligence.

Williams concisely defined the goal of information security:

"to limit the possibility of an incident from occurring... and when it does occur, to limit its impact (by identifying it quickly and responding)"
He continued "...what the ultimate goal of an intelligence system would be is that it's able to detect what are seemingly innocuous events and provide some actionable level of intelligence that shows that that's actually an incident occurring and you can respond to it and limit its impact on the environment - that's what they'd like to be, but they're not that"

Murray added that customers want the solution to "just tell me the five things I need to do - that's what SIEMs should do." As an industry, we're "really good at generating reams of data, but we're not very good at handling information... turning it into 'here's the 5 things'..." SIEM tools are great if "you have defined the problem that you're trying to solve and you know what the information is that you're trying to manage and you can set up a way to manage that."

It was a really interesting discussion. I've enjoyed each of the video discussions in this series so far; the earlier ones covered DLP and Firewalls/IPS.

Next, I'll tell you what NetVision is doing about the problem. We're not a SIEM vendor, but we beat the SIEMs to the finish line of actionable intelligence. Actionable Intelligence has been our internal mantra for the past year or so and it is the motivator behind our latest solution to market (as well as a few that are still on the road map).
