Posted by John Burnham in Security Intelligence
Just as surely as spring has established a foothold on Cape Cod, the 2013 SIEM Magic Quadrant has been published. The news is out, and IBM Security has again improved its position as a Leader in the 2013 Magic Quadrant for SIEM (Security Information and Event Management), marking the 5th year in a row that IBM Security/Q1 Labs has achieved this leadership position. For the first time, IBM/Q1 Labs holds the top position in the SIEM MQ.
IBM/Q1 Labs also received outstanding scores and improved standings in the 2013 SIEM Critical Capabilities report, which provides numerical ratings of vendors by capability and use case.
Back to bragging:
- IBM/Q1 Labs is rated #1 (above every other vendor) on “Ability to Execute” (the Y-axis). This score represents overall viability, product/service, customer experience, market responsiveness, product track record, sales execution, operations and marketing execution.
- IBM/Q1 Labs is rated above major competitors (McAfee/Nitro, Splunk, LogRhythm, and RSA) on both “Ability to Execute” and “Completeness of Vision” (the X-axis). Completeness of Vision represents product strategy, innovation, market understanding, geographic strategy, and other factors.
- IBM/Q1 Labs is rated highest in the Critical Capabilities report for the essential elements of Security Intelligence with Big Data: Analytics and Behavior Profiling.
- IBM/Q1 Labs is the highest rated in the SIEM Use Case, Product Rating, and Overall Use Case categories.
Besides vendor chest-thumping, what does this mean to our customers? Simply this: the creation and development of the IBM Security Systems division concurrent with the acquisition of Q1 Labs ensured:
- Customer-facing focus
- Continued and increased investments in Security Intelligence
- More opportunities to engage with more customers worldwide
- More third-party partnerships to ensure Big Data collection from more and more sources
- Resources unique to IBM. And face it, no one knows data like IBM.
Advanced Persistent Threats (APTs), or Advanced Targeted Threats as Gartner calls them, are now top of mind with security professionals, C-level executives and Boards of Directors.
All brands, as well as major events such as the London Olympics, are now being targeted by increasingly sophisticated attackers and techniques, whether the intent is to steal corporate intellectual property (Lockheed, RSA), disrupt websites to bring attention to a particular cause (FBI, MPAA), or steal customer data (LinkedIn, Epsilon, etc.).
Regarding APTs, Charles Kolodgy, VP of Security at IDC, was recently quoted in this article from Network World:
IBM Tuesday introduced what it’s calling a “next generation” intrusion-prevention system (IPS), an offering that not only is designed to stifle network-based attacks, but adds application-level controls and URL filtering capabilities typically found in separate products such as Web security gateways … With the XGS 5000, IBM wants to maximize its influence with IPS buyers (IBM ranks only behind Cisco with 13.2% of the $1.88 billion market, according to IDC) …
IDC security research analyst Charles Kolodgy says the IBM XGS 5000 does represent a new kind of IPS-based product that “improves network, user, and application awareness” and “vastly improves an IPS’s ability to provide full network protection, especially trying to uncover custom malware and stealth attacks perpetrated by advanced persistent threats.” APT is the term used to describe stealthy attacks that try to steal sensitive corporate data.
Although the term “next-generation IPS” is starting to be bandied about, IDC is still pondering the usefulness of this phrase or whether a new category entirely should be established that “goes beyond either firewall or IPS.”
“The uniqueness isn’t so much in the application layer and URL [visibility], a lot of products have that, but it’s in the ability to set up security at the user level (like the next-generation firewall), correlate that information (in this case with QRadar), and utilize cloud-based threat intelligence to uncover malicious websites and files,” Kolodgy explains.
The article continues to discuss APTs: Indeed, IBM says the appliance’s integration with IBM’s Advanced Threat Protection Platform, which utilizes anomaly detection and event correlation capabilities, enables users to better address more complex attacks such as Advanced Persistent Threats (APTs).
My point for this post is to highlight our most recent offering at IBM Security Systems, the Network Security Protection Platform, and specifically how it may indeed be ushering in what I call Security Intelligence 2.0.
Perhaps this graphic represents the foundation of Security Intelligence 2.0:
What the heck, Q1 Labs put “Security Intelligence” on the map as a new term years ago, in the context of SIEM + Log Management + Configuration & Vulnerability Management + Behavior Anomaly Detection + Deep Packet Inspection. Do you see why we called THAT Security Intelligence?
Now, with our Next-Gen IPS tightly coupled with other related components (XGS + QRadar + Anomaly Detection + X-Force real-time threat intelligence feeds), I assert we have raised the bar. And if some leading industry influencers actually said we did, even better. Fact is, when Q1 Labs started talking about Security Intelligence we did not think of it as a “category” but as a better way for customers to both proactively and defensively address what are now commonly called APTs (sorry Gartner).
In other words, it’s not about defending against the latest advanced threats with a new “box” that has more bells and whistles – it’s about tying a range of information sources together with analytics to quickly identify behavioral anomalies, and minimizing false positives so you can quickly remediate the most important threats.
Gartner held its annual Security and Risk Management Summit in Washington DC last week. This is always an excellent event for gauging the IT security market in general: according to Gartner, attendance was up from last year, with more sponsors, more attendees, and far more focus on targeted attacks. The headlines of the last twelve months confirm what we call the Year of the Breach.
More relevant to our patch, however: for the first time ever at this event, Security Intelligence and SIEM were called out during the opening keynote as "no longer nice to have but fundamental." SIEM and Security Intelligence have now been recognized across Gartner security for what we (and our customers) have known for years. More than three years ago, IBM developed the IBM Security Framework, and we positioned it to Gartner as the foundation of our go-to-market and development strategy. It is great to see this message corroborated at the analyst firm's top security event, which I learned is their 2nd largest event behind Symposium. This fact is further evidence of the elevation of IT security challenges and their prioritization in the marketplace.
Some highlights from the Summit:
- "Gartner predicts the global spend on security services to exceed $49B by 2015."
- During a SWOT on our major competitor the analyst listed this among that vendor's Threats: "IBM is becoming a security powerhouse."
- What IT event would be complete without discussions of Big Data? Security Intelligence's relevance to Big Data was prominent at the event:
Gartner definition: "Big Data is a class of information processing problem that, due to the volume, velocity, variety and complexity of the data, requires different approaches to support analytics to derive cost-effective, timely, business-relevant insight. However, Big Data in and of itself, is not our goal. Delivering risk-prioritized actionable insight is. To support the growing need for security analytics, changes in information security, people, technologies, integration methods and processes will be required, including security data warehousing and analytics capabilities, and an emerging role for security data analysts within leading edge enterprise information security organizations."
- Gartner also believes that a key driver of Security Intelligence is "the shift to context-aware security": "To enable faster and more-accurate assessments of whether a given action should be allowed or denied, we must incorporate more real-time context information at the time a security decision is made." Gartner elaborates that context should be obtained from a range of sources, mirroring our announcement earlier this year about integrating various sources from the IBM security portfolio such as network security (IBM Network IPS), endpoint security (IBM EM/BigFix), IAM (IBM Identity Manager), mobile application security (IBM Mobile AppScan), and content/data security (IBM Guardium), in addition to threat intelligence (IBM X-Force).
- Gartner also mentions the need to incorporate flow data: "Vendors ... such as IBM/Q1 Labs ... collect large amounts of network packets and/or flows to support the analysis for anomalous activities."
- And finally, collecting all that context doesn't help unless you can also create actionable intelligence via analytics: "Some, such as IBM's Q1 Labs with its QRadar, provide a form of security analytics on top of its SIEM repository, which is a good example of how we believe the vendors will evolve to deliver Security Intelligence."
We couldn't have said it any better.
Posted by John Burnham in Threat Management
According to a UK news website, the CEO of a large, really large, hardware vendor just noticed that the world is being ravaged by terrorists, and warned that a ”cyber-attack of 9/11 scale” is likely to take place in the near future. So now the terrorists are using cyber attacks. Hhmmm…selling security with FUD is not even old school: it’s irrelevant. And when delivered by a CEO, well it just smacks of over the top chest thumping. Nowhere in the entire article did she discuss how they solve their customers’ complex security problems. Instead, more defensive posturing: “We will darken the skies with our agenda to help organisations (sic).”
Oh wait: “We are offering customers differentiated products in security. They (sic) are about applying actionable intelligence and compliance (sic).” Uhh, how does one “apply” compliance?
Okay, I am being snarky. Ya got me, guilty as charged. But we are not talking about trivial matters here, and our leaders need to take this just as seriously as our customers do. It’s not just about offering “differentiated products” to help their customers “protect their infrastructure.” Yes, the perimeter is essential, but it is not sufficient in dealing with Advanced Persistent Threats, insider attacks and fraud. Keeping the Bad Guys Out and Letting the Good Guys In means telemetry from all sources: applications, mobile devices, cloud platforms and cloud services. It means partnering with your customers and their chosen suppliers.
It means applying analytics to all the data, constantly. It means Total Security Intelligence.
Learn more about security intelligence in this webinar from the IBM Institute for Advanced Security, featuring Chris Poulin, “Defining Security Intelligence for the Enterprise: What today’s CISOs Need to Know.”
This is the traditional time of year for Predictions of all sorts. One of my favorites was from the late, great George Carlin, AKA “The Hippy Dippy Weatherman”: “Today’s weather forecast is for gradual brightening in the morning, increasing throughout the day, with gradual darkening through the evening into late night, when the pattern repeats itself.”
In security, it could go something like: “The forecast is for continued escalation of targeted attacks by nation states, professionals, insiders and hacktivists. Occupy Data today announced…”
ABC News: “Big companies and government agencies likely will have to rethink their approach to tech security in the wake of the disbanding of hacktivist group LulzSec, security analysts say. Spending on information technology security already is growing faster than spending on general technology. And corporate and government tech buyers will have to dole out even more to defend against profit-minded cyber thieves and spies looking to swipe state and corporate secrets. In fact, global spending on security products and services is expected to reach $71 billion by 2014, up from $55 billion today, according to Lawrence Pingree, research director for Gartner.”
And the professional prognosticators forecast increased investment in tools, solutions, services and systems as a result:
Canalys ended 2011 by announcing the results of its latest enterprise security forecast, indicating that total investment is expected to grow 8.7% year-on-year in 2012 to reach a market value of $22.9 billion worldwide.
- Eighteen percent of respondents say they are not PCI-compliant, even though the data suggests they should be.
- Thirty-three percent of respondents are expecting their overall IT budgets to increase this year.
- Spending on personnel has decreased by 3% this year, which will result in higher expectations by organizations for better integration and automation from their technology purchases.
- In this year’s survey, IT security-specific budget allocations have climbed by 4% to a mean of 10.52% of the total IT budget.
We see all of this as evidence that technologies such as data loss prevention (DLP), device control, database activity monitoring (DAM), security information and event management (SIEM) and IT governance, risk and compliance management (GRCM) tools stand poised for strong growth as respondents have indicated they rank them as priorities.
The numbers vary from forecast to forecast, but they are all big and getting bigger.
Share your predictions in the comments below.