Archive for March, 2011
It’s been a rough old week for RSA, and a very concerning one for their customers and business partners. Being mindful that pride comes before the fall, this post isn’t about how I believe our security intelligence solutions would have detected the Advanced Persistent Threat in question; I’ve been in security long enough to know that security is a game of changing offense and improving defense, and I don’t know all the details of the RSA breach. It is not clear that RSA/EMC does either.
What is very clear is this breach, on the heels of Stuxnet and Wikileaks and the Google hack, is yet another illustration of the fact that security logging and monitoring to simply achieve a compliance checkbox is no longer sufficient in a dynamic and dangerous threat environment.
I think customers and vendors alike have to be honest that the compliance bandwagon has driven the security market for a long time, and this has come at a cost. Gartner themselves would say that 70% of SIEM purchases are funded by a PCI budget. While funding has to come from somewhere, I believe that the desire to satisfy the auditor rather than meet the spirit of the security standard led to poor habits in product development, selection and deployment. I can no longer envision a day when this is considered satisfactory by security teams.
It is somewhat ironic that earlier in the week I was at the e-Crimes Congress in London presenting on “Practical insights on how to use Security Intelligence to reduce risk, counter advanced threats and detect anomalous behavior”. Below are four best practices that we are starting to see customers implement. This becomes all the more timely when we look at the news emanating from EMC/RSA.
- Network-wide visibility to detect threats that otherwise would be missed by traditional security products
- Identity correlation to detect fraudulent activity by users
- Monitoring and content forensics to detect sensitive data leakage through social media channels
- Advanced correlation capabilities and context awareness that detect the most sophisticated threats
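As an added illustration of the second and fourth practices above (identity correlation, and correlation with context awareness), here is a small Python detector. It is not code from Q1 Labs or QRadar; everything in it is constructed for the example: the two log sources (a VPN concentrator and a badge-entry system), the map that ties each system's account names to one person, the log lines, and the 30-minute window. The rule it implements is simple: a successful off-site VPN login by a person whose badge shows them entering the building within that window is flagged for review, and VPN accounts the identity map cannot resolve are reported separately, since unmapped accounts are the usual blind spot in this kind of correlation.

```python
"""Toy identity-correlation detector (added example; not Q1 Labs/QRadar code).

All inputs below are constructed: two log sources, an account-to-person
identity map, sample log lines, and the correlation window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Context: how close in time a badge entry and a VPN login must be to conflict.
WINDOW = timedelta(minutes=30)

# Identity correlation: each system names people differently; map both to one
# canonical person identifier. (Constructed for the example.)
IDENTITY_MAP = {
    ("vpn", "jsmith"): "john.smith",
    ("badge", "SMITH, JOHN"): "john.smith",
    ("vpn", "alee"): "alice.lee",
    ("badge", "LEE, ALICE"): "alice.lee",
}

# Constructed sample log lines from the two sources.
VPN_LOG = [
    "2011-03-18T09:02:11 vpn login user=jsmith src=203.0.113.7 result=success",
    "2011-03-18T09:40:00 vpn login user=alee src=198.51.100.9 result=success",
    "2011-03-18T10:15:44 vpn login user=contractor7 src=192.0.2.50 result=success",
]
BADGE_LOG = [
    "2011-03-18T08:55:30 badge entry name='SMITH, JOHN' door=HQ-Lobby",
    "2011-03-18T13:10:02 badge entry name='LEE, ALICE' door=HQ-Lobby",
]

VPN_RE = re.compile(r"^(\S+) vpn login user=(\S+) src=(\S+) result=(\S+)$")
BADGE_RE = re.compile(r"^(\S+) badge entry name='([^']+)' door=(\S+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def parse_vpn(line):
    """Parse one VPN line into a dict, or None if it does not match."""
    m = VPN_RE.match(line)
    if not m:
        return None
    ts, user, src, result = m.groups()
    return {"ts": parse_ts(ts), "account": user, "src": src, "ok": result == "success"}


def parse_badge(line):
    """Parse one badge line into a dict, or None if it does not match."""
    m = BADGE_RE.match(line)
    if not m:
        return None
    ts, name, door = m.groups()
    return {"ts": parse_ts(ts), "account": name, "door": door}


def resolve(source, account):
    """Identity correlation step: system account -> canonical person (or None)."""
    return IDENTITY_MAP.get((source, account))


def correlate(vpn_events, badge_events):
    """Return (alerts, unmapped_accounts).

    An alert is raised when a person badges into the building and also logs in
    over VPN within WINDOW of that badge event.
    """
    on_site = defaultdict(list)
    for ev in badge_events:
        person = resolve("badge", ev["account"])
        if person:
            on_site[person].append(ev["ts"])

    alerts, unmapped = [], []
    for ev in vpn_events:
        if not ev["ok"]:
            continue
        person = resolve("vpn", ev["account"])
        if person is None:
            unmapped.append(ev["account"])  # identity gap: cannot correlate
            continue
        for badge_ts in on_site.get(person, []):
            if abs(ev["ts"] - badge_ts) <= WINDOW:
                alerts.append({"person": person, "vpn_ts": ev["ts"],
                               "badge_ts": badge_ts, "src": ev["src"]})
    return alerts, unmapped


def run_detection(vpn_log=VPN_LOG, badge_log=BADGE_LOG):
    vpn_events = [e for e in map(parse_vpn, vpn_log) if e]
    badge_events = [e for e in map(parse_badge, badge_log) if e]
    return correlate(vpn_events, badge_events)


if __name__ == "__main__":
    found, gaps = run_detection()
    for a in found:
        print(f"REVIEW: {a['person']} on-site at {a['badge_ts']} but VPN from {a['src']} at {a['vpn_ts']}")
    for acct in gaps:
        print(f"UNMAPPED VPN ACCOUNT: {acct}")
```

On the constructed input this flags john.smith (badge entry 08:55:30, VPN login 09:02:11) and leaves alice.lee alone (her badge entry is hours after her login), while reporting contractor7 as an account the identity map does not know. That last list is the point of keeping the unmapped accounts visible: a correlation rule is only as complete as the identity data feeding it.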
Day 1: we participated in a panel at the William Blair Technology Symposium, “The Future of Cloud Computing.” The panel was entitled, “How the Cloud Changes Security”. Great topic, great panel, staffed by security solutions suppliers. Major takeaway based on the questions asked of the panel, by the investment community, not end-users: confusion reigns supreme, most likely due to the outrageous amount of hype surrounding “cloud”. Usually the questions were about virtualization, but using cloudy(ed?) language.
Day 2: Q1 Labs Customer Council. The topic of Cloud came up twice: once in the form of a customer’s presentation of one of his major use cases: SIEM as the security intelligence platform for his company’s cloud-based services offerings. He relies on QRadar for visibility/compliance and intelligence/threat management to both ensure the integrity of his brand and to provide proactive threat management. And once from another customer in the form of a question, essentially: “What is the role of SIEM in the Cloud, in your opinion?” This generated a very grounded discussion of the various cloud types (private, public, hybrid, multitenant) and how SIEM, Log Management, and Vulnerability Management play a role. Clarity prevailed: one size does not fit all use cases.
Prosodie (France), another customer, recently announced their adoption of our QRadar Security Intelligence Platform for visibility/compliance for their cloud-based services; in addition, they use QRadar SIEM from Q1 Labs for intelligence/threat management of their internal network, similar to the customer referenced above.
So, customers view cloud clearly (like how I did that?) as a potentially viable business proposition worthy of examination, versus a cool technology shift: if cloud adoption enables them to do their jobs better and grow their businesses, great. If not, it drops off the list of priorities.
And it would appear that while the market observers might be a bit confused about the exact utility and deployment model of the cloud, customers are not, and seem to have a pretty clear vision for SIEM’s role in securing it.