Archive for June, 2011
Last week, 6/20 – 6/24/11, was the annual Gartner Security Summit in Washington DC. This is always an excellent event, as it is heavily weighted to end user customers.
Unlike industry trade shows which have largely become business development events for vendors, at the Gartner Summits we can interact all day – everyday, with a broad customer base, each of whom is there to discuss and learn more about IT security solutions, best practices, trends, and maybe best of all the opportunity to do some peer group sharing. And of course, all of the Gartner analysts are there, relative to security that is, and some Gartner folks responsible for corporate management, some of whom I had not seen in quite a while. All in all, a great event.
Below is a combination of my observations and experiences, as well as some third party comments from the investment community, in particular Todd Weller from Stifel Nicolaus. The data referenced is taken from Gartner presentations.
First, as Joseph Feiman told us a year ago, Enterprise Security Intelligence would become a pervasive and eventually over-arching theme at all Gartner Security events, and it was certainly the case here. Contextual information, which then becomes actionable intelligence, is the goal of Security Intelligence as we and Gartner define it. It was so pervasive that one end user customer even remarked to me that “context” is clearly the word of the day at Gartner!
Some highlights (the underlining/bold is mine):
- Security Information and Event Management (SIEM) remained a hot topic at the Gartner conference and was indicated to represent a foundation behind Gartner’s ESI concept.
- We had a chance to catch up with Q1 Labs management at the conference. We walked away from the conversation feeling that market demand for SIEM remains solid and that Q1 continues to experience solid momentum in its business.
- Security products and services markets expected to increase from $55 billion to over $71 billion by 2014.
- The enterprise security infrastructure market is expected to be $22.5 billion in 2011 and from 2009-2014 the expected CAGR is 11%. The security service market is expected to be $33 billion in 2011 and from 2009-2014 the expected CAGR is 8%.
- Security is one of the top concern areas and represents the number 1 topic inquiry for Gartner representing 17% of all its inquiries.
Security market numbers: (Note- if you add software only and appliance, SIEM clearly dominates the growth parameter)
- 2011 growth estimates for various enterprise security infrastructure market segments (Y/Y):
–Appliance: E-mail Security Boundary: 28.6%
–Appliance: Secure Web Gateway: 22.8%
–Appliance: Security Information & Event Management: 22.4%
–Security Information & Event Management: 22.4%
–Secure Web Gateway: 17.3%
–IPS Equipment: 16.1%
–Other Security Software: 15.7%
–SSL VPN Equipment: 15.5%
–E-mail Security Boundary: 12.8%
–User Provisioning: 8.4%
–VPN/Firewall Equipment: 6.6%
–Endpoint Protection Platform (Enterprise): 3.8%
–Web Access Management: 3.2%
- Security spending priorities for 2011 based on a Gartner survey:
–Data Loss Prevention: 54%
–User Provisioning or Identity Management: 51%
–Security Information and Event Management: 44%
–Network Access Control: 40%
–Intrusion Detection and Prevention (mostly driven by PCI): 39%
–Vulnerability Assessment: 39%
–Patch Management: 38%
–Application Security (mobile devices and web application firewalls): 34%
- Existing security is made up of silos of security disciplines (identity and access management, endpoint protection platforms, network security, application security) and silos of monitors and scanners within each discipline. There is limited interaction, integration and correlation; context and history are also limited, and search is linear.
- Gartner believes that in the existing approach enterprises can’t see the forest for the trees. Enterprise Security Intelligence (ESI) was indicated to be not a new market but a new paradigm that recognizes security intelligence as an explicit deliverable and designates it as a strategic objective for enterprises’ IT security and risk management.
- Gartner pointed to Security Information & Event Management as an important component of ESI as it enables the storing and querying of collected information. We call SIEM the “anchor tenant” of Security intelligence.
On SIEM in particular:
- Gartner pointed to a key issue of SIEM being “the big data problem.” The issue relates to many SIEM solutions using a single data store to support real time collection/monitoring and historical analysis. The issue is that event/log collection needs to support high insert rates in real time whereas historical analysis requires heavy indexing and high volume read activity. In short, Gartner indicated that these two are at odds with each other and that SIEM vendors need to extend their architectures to better support the disparate requirements. (Gartner knows that QRadar SIOS in fact uses both data store architectures.)
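The two-path design Gartner is asking for, sketched as an added example (this is not QRadar or Q1 Labs code; the event fields, the flush threshold and the dictionary-based index are assumptions). The write path is an append-only buffer that does no indexing, so inserts stay cheap under a high event rate; a batch flush moves events into an indexed segment that historical queries intersect, with a short linear scan of whatever has not yet been flushed so recent events remain visible:

```python
"""Toy event store with a write-optimized hot buffer and a read-optimized indexed store."""
from collections import defaultdict


class SplitEventStore:
    def __init__(self, flush_threshold=4):
        self.hot = []          # append-only buffer: O(1) inserts, no index maintenance
        self.cold = []         # flushed events, addressed by integer id
        # field -> value -> set of event ids (an inverted index over the cold store)
        self.index = defaultdict(lambda: defaultdict(set))
        self.flush_threshold = flush_threshold
        self.flushes = 0

    def ingest(self, event):
        """Real-time collection path: append only, flush in batches."""
        self.hot.append(event)
        if len(self.hot) >= self.flush_threshold:
            self.flush()

    def flush(self):
        """Batch path: index the hot buffer and move it into the cold store."""
        base = len(self.cold)
        for offset, event in enumerate(self.hot):
            eid = base + offset
            self.cold.append(event)
            for field, value in event.items():
                self.index[field][value].add(eid)
        self.hot = []
        self.flushes += 1

    def query(self, **criteria):
        """Historical analysis path: intersect posting lists, then scan the small hot buffer."""
        if not criteria:
            return list(self.cold) + list(self.hot)
        ids = None
        for field, value in criteria.items():
            posting = self.index[field].get(value, set())
            ids = posting if ids is None else ids & posting
        results = [self.cold[i] for i in sorted(ids)]
        # Unflushed events are few, so a linear scan keeps them queryable without an index.
        results += [e for e in self.hot
                    if all(e.get(f) == v for f, v in criteria.items())]
        return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "type": "login_failure", "user": "alice"},
    {"src": "10.0.0.5", "type": "login_failure", "user": "alice"},
    {"src": "10.0.0.7", "type": "login_success", "user": "bob"},
    {"src": "10.0.0.5", "type": "login_failure", "user": "alice"},
    {"src": "10.0.0.5", "type": "login_success", "user": "alice"},
    {"src": "192.168.1.9", "type": "login_failure", "user": "carol"},
]


def demo():
    """Ingest the sample, then query across both the indexed and the unflushed events."""
    store = SplitEventStore(flush_threshold=4)
    for e in SAMPLE_EVENTS:
        store.ingest(e)
    failures_from_host = store.query(src="10.0.0.5", type="login_failure")
    alice_events = store.query(user="alice")
    return store.flushes, len(store.hot), len(failures_from_host), len(alice_events)


if __name__ == "__main__":
    flushes, pending, failures, alice = demo()
    print(f"flushes={flushes} pending={pending} failures_from_10.0.0.5={failures} alice={alice}")
```

The point of the split is that neither path pays for the other: ingestion never touches the index, and a query over months of history never waits on the collector. Real products size the hot buffer by time or bytes rather than a fixed count, and keep many immutable indexed segments that are merged in the background.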
- Enterprise Security Intelligence (ESI) is about optimal decisions and technology interaction through information integration and correlation. SIEM is a foundation technology for ESI as it aggregates, normalizes, and monitors security events.
- As far as SIEM vendors, the Gartner analyst provided some insights into every vendor in the quadrant which was a lot. As far as the leaders quadrant, we thought the comments that stood out the most were positive comments related to HP/ArcSight and Q1 Labs and the lack of mention of EMC/RSA until near the end of the presentation. We believe this validates that EMC/RSA continues to experience some challenges in the SIEM space.
Wednesday night the ABC ‘ticker’ across the bottom of the TV screen declared that “Whitey” Bulger had been caught. James ‘Whitey’ Bulger had been on the run from the FBI for 16 years, is wanted in connection with 19 murders, and is on the FBI’s Top Ten most wanted list. You can’t live anywhere in New England without knowing something about the history of this guy.
Less than a week ago the FBI had launched a new campaign to find the gangster. They upped the reward for his discovery, but most importantly they focused in on Whitey’s long-time girlfriend Catherine Greig. The FBI listed a set of behaviors around Catherine’s profile, and it would appear that it is this behavior profile, subsequently fed through a witness’s brain and eyes, that led to the detection of a couple who had avoided being caught for so long.
Here is an excerpt from the FBI behavioral profile:
Some of Greig’s other distinguishing characteristics include:
- She loves dogs and all kinds of animals.
- She is likely to have well-kept teeth because she previously worked as a dental hygienist.
- She likes to frequent beauty salons.
- Prior to her fleeing with Bulger, she had multiple plastic surgeries.
I can’t help but think of the comparison to the information security challenge we face today. Cyber-gangsters are trying very hard to elude detection today. Some of the biggest threats to our networks look like and act like normal employees (in the same way that Whitey appeared to his neighbors in Santa Monica as a nice old man who liked squirrels). It simply isn’t enough to only use established detection capabilities: looking for threats you know about, only reviewing your security telemetry at the expense of other forensic sources, etc.
Behavioral profiling should be both a best practice, and a technology requirement for all networks. We have to be able to detect that applications are behaving strangely, or more importantly that an application is behaving as it should, but that specific content is being accessed in an anomalous fashion, or that a trusted user’s activity has altered from the norm. This is part of what we mean when we talk about security intelligence in the post-perimeter world we now inhabit, where mobility, social media and ubiquitous connectivity to the Internet are the norm.
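A minimal version of the profiling described above, added here as an example (not QRadar code or a Q1 Labs algorithm; the log format, the fields profiled and the five-times-the-mean volume threshold are assumptions). It learns a per-user baseline of which resources are touched, at which hours, and at what volume, then flags later activity that leaves that norm: the application may be behaving exactly as designed while the content, the hour, or the amount pulled is what has changed.

```python
"""Per-user baseline and deviation check over constructed access-log lines."""
from collections import defaultdict
from datetime import datetime

# Constructed training data: ISO timestamp, user, resource, bytes transferred.
BASELINE_LOG = """\
2011-06-01T09:12:04 alice hr/payroll.xls 12000
2011-06-01T10:40:11 alice hr/benefits.doc 8000
2011-06-02T09:05:32 alice hr/payroll.xls 12500
2011-06-02T14:22:09 alice hr/benefits.doc 7900
2011-06-03T09:30:47 alice hr/payroll.xls 11800
2011-06-01T09:00:00 bob eng/src.zip 300000
2011-06-02T09:01:00 bob eng/src.zip 310000
2011-06-03T09:02:00 bob eng/design.pdf 50000
"""

# Constructed activity to evaluate against the baseline.
OBSERVED_LOG = """\
2011-06-20T09:15:00 alice hr/payroll.xls 12100
2011-06-20T02:47:13 alice eng/src.zip 305000
2011-06-20T09:03:00 bob eng/src.zip 5000000
"""


def parse(log):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, user, resource, size = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user,
            "resource": resource,
            "bytes": int(size),
        })
    return events


def build_baseline(events):
    """Per user: resources touched, hours of day seen, mean bytes per access."""
    acc = defaultdict(lambda: {"resources": set(), "hours": set(), "bytes": []})
    for e in events:
        p = acc[e["user"]]
        p["resources"].add(e["resource"])
        p["hours"].add(e["time"].hour)
        p["bytes"].append(e["bytes"])
    return {
        user: {
            "resources": p["resources"],
            "hours": p["hours"],
            "mean_bytes": sum(p["bytes"]) / len(p["bytes"]),
        }
        for user, p in acc.items()
    }


def find_deviations(baseline, events, volume_factor=5.0):
    """Return (user, resource, reasons) for each event outside the user's norm."""
    findings = []
    for e in events:
        profile = baseline.get(e["user"])
        reasons = []
        if profile is None:
            reasons.append("unknown user")
        else:
            if e["resource"] not in profile["resources"]:
                reasons.append("new resource")
            if e["time"].hour not in profile["hours"]:
                reasons.append("unusual hour")
            if e["bytes"] > volume_factor * profile["mean_bytes"]:
                reasons.append("volume spike")
        if reasons:
            findings.append((e["user"], e["resource"], reasons))
    return findings


def run():
    """Build the baseline from the training log and score the observed log."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return find_deviations(baseline, parse(OBSERVED_LOG))


if __name__ == "__main__":
    for user, resource, reasons in run():
        print(f"{user} -> {resource}: {', '.join(reasons)}")
```

With this data Alice's routine payroll access passes, her 02:47 pull of an engineering archive trips all three checks, and Bob's normal-hour fetch of a file he always uses is flagged only because the volume is far above his mean. A few days of history makes the hour check noisy in practice; the baseline window and the thresholds are the tuning knobs, and the reasons list is what an analyst needs to decide whether the deviation is a change of role or something worse.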
PS- If you’re curious to learn more about network behavioral analysis, contextual correlation and advanced detection techniques being deployed by security teams today, take a look at this webinar.
Meet Brendan Hannigan, the new CEO of Q1 Labs.
In this brief video, discover what vision Brendan has for the future of Q1 Labs and how Total Security Intelligence will change the face of information security for customers worldwide.
I just completed a webinar where I opined that today’s threat dynamic has changed significantly for organizations of all shapes and sizes. Not because there are more threats than before, and not because the threats are doing something so different in the way they can infiltrate an organization. What has changed, and the implications of this change are significant, is the intent of the threat. There has been a definitive shift from organizations being a target of opportunity to now being a target of choice. Ok, ok, I can hear the Haytas out there asking “what does that really mean, Mr Marketing man?” Well, I’ll tell you:
First let me borrow an image from Cisco. I guess they own it, though it was first put together by the good folks at OKENA (acquired by Cisco) almost 10 years ago… and they borrowed it from someone else, I’m sure. All threats move through 5 general stages (the ‘5 Ps’). They did 10 years ago, they do today. What’s different now is the implication of being a specific target.
Target of Opportunity (think Code Red, Nimda, Blaster, etc.)
- Promiscuous worms and viruses whose payload ultimately led to widespread propagation
- ‘Time to discover’ gap was limited as the author’s goal was ultimately notoriety
- Denial of service conditions were very damaging to daily operations
- But from a reputational standpoint there was safety in numbers
- Forensic investigation was minimal though clean-up was time consuming
Target of Choice (think Sony, RSA, SEGA, Citibank, IMF etc.)
- Stealthy attack whose ultimate purpose is data theft
- ‘Time to discover’ gap is much longer as perpetrator often doesn’t seek notoriety
- This attacker is deliberately trying to subvert your specific security controls
- As such, from a reputational standpoint there is no safety in numbers
- Forensic investigation is critical for public confidence and prosecution
The times ‘they are a-changin’, and security intelligence is more important than ever. Don’t you think?
In Gartner’s latest report, “Tools for Network-Aware Firewall Policy Assessment and Operational Support,” the analyst firm discussed the value that solutions like QRadar Risk Manager provide to network/security operations, including network/security policy assessment, risk and compliance. It covers, in great depth, the value of solutions in this space to network and security teams and gives an overview of the features provided by QRadar Risk Manager and competing products.
So what’s so interesting about this report? It is significant that Q1 Labs is the only SIEM vendor in this report, and that we are perceived as leading the charge in this space amongst our SIEM competitors.
The report is also important because it provides great insight into the value of products like QRadar Risk Manager to network and security teams to improve the overall security posture through improved configuration and vulnerability visibility.
A few snippets worth highlighting:
- “Only Q1 Labs incorporates routing flow data in its analysis of rule efficacy and network behavior over time.” – This is an extremely important differentiation amongst vendors in the field because organizations that leverage configuration data alone will often miss situations where a configuration is thought to be adequate but for some reason still allows potentially risky network traffic to propagate.
- “Tools that perform firewall policy assessment and related operational support functions, within the context of the network’s connectivity and security zones, provide substantial benefits to security operations” – this is directly aligned with QRadar Risk Manager’s capabilities and core to its ability to assess and monitor configuration and compliance policies.
- “Q1 Labs […] integrate[s] with a range of third party vulnerability scanning products and leverage knowledge of topology and reachability to prioritize specific systems and vulnerabilities for remediation” – this capability is one of the key value propositions of the QRadar Risk Manager solution – the ability to minimize false positives common amongst vulnerability scanners and features that allow security teams to focus in on the highest risk vulnerabilities – those that can be easily exposed because of the way the network is configured.
- “Tools that enable rule changes for access requests to be simulated before implementation contribute to fewer service availability outages” – the capability of QRadar Risk Manager to simulate network change prior to implementation can greatly minimize the risk of the changes during operational deployment.
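Two of the snippets above describe analyses that are easy to show on a small scale: using observed flow data to judge rule efficacy (the first snippet) and using knowledge of topology and reachability to rank vulnerabilities (the third). The following is an added example, not QRadar Risk Manager code or its data model; the rule table, flow records, scanner findings and the placeholder vulnerability identifiers are all constructed, and reachability is evaluated from a single representative external address rather than over the whole untrusted address space, which a real tool would do.

```python
"""Network-aware firewall review and vulnerability prioritization on constructed data."""
import ipaddress

# Constructed firewall policy: ordered rules, first match wins, port None means any port.
RULES = [
    {"id": 1, "src": "10.10.0.0/16", "dst": "10.20.0.10/32", "port": 443,  "action": "allow"},
    {"id": 2, "src": "0.0.0.0/0",    "dst": "10.20.0.10/32", "port": 80,   "action": "allow"},
    {"id": 3, "src": "10.10.0.0/16", "dst": "10.20.0.20/32", "port": 22,   "action": "allow"},
    {"id": 4, "src": "0.0.0.0/0",    "dst": "10.20.0.0/24",  "port": 3389, "action": "allow"},
    {"id": 5, "src": "0.0.0.0/0",    "dst": "0.0.0.0/0",     "port": None, "action": "deny"},
]

# Constructed flow records seen on the wire: (src, dst, dst_port).
FLOWS = [
    ("10.10.5.5",    "10.20.0.10", 443),
    ("10.10.5.6",    "10.20.0.10", 443),
    ("198.51.100.7", "10.20.0.10", 80),
    ("10.10.9.1",    "10.20.0.20", 22),
    ("172.16.0.4",   "10.20.0.20", 22),   # policy says deny, yet the traffic was observed
]

# Constructed scanner findings; the identifiers are placeholders, not real CVEs.
VULNS = [
    {"host": "10.20.0.10", "port": 80,   "id": "VULN-A (placeholder)", "cvss": 7.5},
    {"host": "10.20.0.20", "port": 22,   "id": "VULN-B (placeholder)", "cvss": 9.8},
    {"host": "10.20.0.30", "port": 3389, "id": "VULN-C (placeholder)", "cvss": 9.0},
    {"host": "10.20.0.20", "port": 5432, "id": "VULN-D (placeholder)", "cvss": 9.1},
]


def match_rule(src, dst, port):
    """Return the first rule matching a src -> dst:port packet, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if (s in ipaddress.ip_network(r["src"])
                and d in ipaddress.ip_network(r["dst"])
                and (r["port"] is None or r["port"] == port)):
            return r
    return None


def rule_hit_counts(flows):
    """Attribute each observed flow to the allow rule that would have permitted it."""
    counts = {r["id"]: 0 for r in RULES}
    for src, dst, port in flows:
        r = match_rule(src, dst, port)
        if r and r["action"] == "allow":
            counts[r["id"]] += 1
    return counts


def unused_allow_rules(flows):
    """Allow rules that no observed flow ever used: candidates for tightening or removal."""
    counts = rule_hit_counts(flows)
    return [r["id"] for r in RULES if r["action"] == "allow" and counts[r["id"]] == 0]


def flows_contradicting_policy(flows):
    """Observed traffic the policy should have denied: a path exists around the rule set."""
    out = []
    for f in flows:
        r = match_rule(*f)
        if r is None or r["action"] == "deny":
            out.append(f)
    return out


def exposed_to(src_ip, host, port):
    """Reachability of host:port from one representative source address (simplification)."""
    r = match_rule(src_ip, host, port)
    return r is not None and r["action"] == "allow"


def prioritize(vulns, external_ip="203.0.113.1"):
    """Rank findings: reachable from the external address first, then by CVSS score."""
    ranked = [{**v, "exposed": exposed_to(external_ip, v["host"], v["port"])} for v in vulns]
    ranked.sort(key=lambda v: (not v["exposed"], -v["cvss"]))
    return ranked


if __name__ == "__main__":
    print("unused allow rules:", unused_allow_rules(FLOWS))
    print("flows contradicting policy:", flows_contradicting_policy(FLOWS))
    for v in prioritize(VULNS):
        print(f'{v["id"]:22} {v["host"]}:{v["port"]:<5} cvss={v["cvss"]} exposed={v["exposed"]}')
```

Run against this data, rule 4 (RDP open to the whole server subnet from anywhere) has never carried a flow, the SSH flow from 172.16.0.4 shows traffic reaching a host the policy says should be unreachable, and the ranking puts the two externally reachable findings ahead of the 9.8 on a host no outside address can reach. That last reordering is the difference between a scanner's list and a risk-prioritized one.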
In my opinion – Gartner has done the industry a great service in publishing this report – it is one of the few reports I’ve seen that helps organizations understand the value of products like QRadar Risk Manager. I spend the majority of my days working with organizations that are trying to be as proactive as possible getting ahead of the network “threat” curve. There are numerous industry reports that have determined that the primary reasons organizations are successfully breached are that they are either (1) poorly configured and/or (2) have not adequately addressed exposed vulnerabilities. Helping in these two areas is where solutions like QRadar Risk Manager are focused.