We’ve been saying the same thing for a number of years.  2011 has demonstrated that, even when an organization knows that an attack is imminent, many remain unable to do anything to prevent it.  On this basis, it’s inconceivable that using the point SIEM tools that exist in many large organizations most will be able to contain it.  This is supported by Ponemon Institute research that suggests that the current average response time to a security incident is 18 days.

If Websense’ prediction is going to become reality then there needs to be a fundamental shift towards tools that can correlate large amounts of security data, in all of its native formats to provide analysts with a real-time, contextual view of their security posture.  And, in order for this to happen, SIEM must be dead.

Currently in Beta, SecureVue Express offers a glimpse of the future for security analysts, and has a brand-new user interface that simplifies enterprise security management.

To download your copy of SecureVue Express, click here.  We’d also welcome feedback via email, via Twitter or by commenting below.

McAfee wrote on its blog last week that, with its acquisition of NitroSecurity, it could now deliver ‘true situational awareness’.  We’d love to know how.  Simply plugging a SIEM product into its existing security product portfolio won’t do it, so we can only assume that it has something to do with magic beans!   Let us be clear. ePO is an end point management platform, not a Situational Awareness Platform.  In fact ePO is just one another source of data for a situational awareness platform.

SIEM + CONFIGURATION DATA + ANALYTICS ≠ SITUATIONAL AWARENESS!

It’ll be interesting to see whether McAfee will demonstrate their Situational Awareness Solution at their Customer Conference  (FOCUS 2011) next in Vegas!!!

[Oh, and just so that everybody is clear, we’re firmly of the belief that there are no  magic business beans and SIEM is, contrary to SIEM vendors claims, DEAD!]

Following the announcements that IBM and McAfee are to acquire Q1 Labs and NitroSecurity, both vendors are claiming that the acquisition of SIEM tools will magically provide them with the ability to deliver ‘true’ Situational Awareness – we firmly believe that it won’t.  SIEM + Net Flow + some analytics isn’t situational awareness… it’s just SIEM plus a few other things.

Situational Awareness requires the real-time collection of ALL security data - logs and events, system configuration state, vulnerability state, security policies, network traffic analysis, performance, availability and connection state, user activity data, file integrity data, asset state and criticality, etc. – all in a unified view from a single, integrated console.

A true situational awareness solution must deliver three critical benefits in order to protect against APTs and cyber attacks :

1) Accurate, timely and coherent view of the threat, compliance and risk posture

2) Efficient and timely investigative analysis of ALL security data so that security professionals can proactively detect and fix potential problems  

(3) It should not require an army of consultants that would make it un-palatable and expensive.

The cobbled together point product approach from companies like IBM, McAfee, and HP will not deliver on these. Their approaches lack cross-correlation of data that is essential in early detection of an anomaly or threat, will result in swivel chair management to security and high TCO.

Cobbling together 4 or 5 different disjointed products – history tells us that both IBM and McAfee (and HP) have a history of poor integration of acquired technologies – will result in a lack of a unified view, inefficient operations and poor forensic analysis capabilities.  Their road maps will be re-evaluated and in all probability changed, resulting in not delivering what was promised to customers and there will likely be significant confusion and lack of execution among the sales and marketing teams. You only need to look at what happened when IBM acquired Consul for evidence.

IBM abandoned this product after 3 years, to now go acquire Q1 Labs.  As a customer, you have to wonder what will happen to Q1 Labs technology in 2-3 years’ time – will it go the same route of Consul?

Will Q1 Labs’ existing customers be forced to pay for exorbitant IBM services to fix problems?  From their press release It’s clear that IBM sees this as an opportunity to sell services – it clearly stated its goal is going after $90B+  Security Services business. Customers choosing an IBM ‘situational awareness’ tool can expect to see a significant charge for maintenance and servicing, while it is unlikely to deliver on its promised situational awareness.

Many vendors have jumped on our Situational Awareness message in recent months and we’d invite them to put their tools to the test by submitting them to an independent lab evaluation  in order to validate their claims.

by John Linkous

Last week, RSA announced that a successful advanced persistent threat (APT) attack against the company’s infrastructure has resulted in the exfiltration of data that could potentially be used to reduce the effectiveness of RSA’s wildly popular SecurID two-factor authentication products.  While we don’t yet know what was compromised (A token seeding database? Future product design data? We may never know…) or who conducted the attack (China? The Anonymous group?), we do know one thing: the perception of the effectiveness of “secure” authentication and encryption has been deeply shaken.  The fallout from this compromise will likely be swift, and significant.

In my previous post I offered three things that organizations can do to mitigate these complex, advanced threats.

Having Access to All Security Data

Knowing How All the Security Data is Related

Near-Real Time Visibility to Make Effective Decisions.

In this final post I want to look at achieving near-real-time visibility of your security position to aide effective decision-making.

Recently, I spoke with with a global financial services firm that discussed how they were bringing together all of their security data (both event-based, and non-event based) into a single database platform, front-ended with a business intelligence (BI) tool to run queries and analysis.  Certainly, there’s nothing wrong with that; however, that approach is not the same thing as situational awareness.  Why?  Because it doesn’t provide the ability to make decisions in real-time.  It cannot help you if you’re in the process of experiencing an APT attack; it can only help you discover the attack pattern after-the-fact… and after critical data has been exfiltrated from your environment.  A true situational awareness solution requires real-time (or very near real-time) correlation and analysis of all security data, and needs facilities such as pattern/behavior recognition, live monitoring, and alerting — as well as backward-looking forensic analysis.

Do you have near-real-time visibility of your security position?  Could you make a decision based on up-to-date security data if your network came under attack?

by John Linkous

Last week, RSA announced that a successful advanced persistent threat (APT) attack against the company’s infrastructure has resulted in the exfiltration of data that could potentially be used to reduce the effectiveness of RSA’s wildly popular SecurID two-factor authentication products.  While we don’t yet know what was compromised (A token seeding database? Future product design data? We may never know…) or who conducted the attack (China? The Anonymous group?), we do know one thing: the perception of the effectiveness of “secure” authentication and encryption has been deeply shaken.  The fallout from this compromise will likely be swift, and significant.

In my previous post I offered three things that organizations can do to mitigate these complex, advanced threats.

Having Access to All Security Data

Knowing How All the Security Data is Related

Near-Real Time Visibility to Make Effective Decisions.

In this post, I wanted to provide a little more detail on each of these topics.  In this post I want to look at how an organization can know how ALL the security data in it’s network is related.

Collecting these many different types of security data is, of course, the first step to situational awareness.  But as importantly, you need to be able to see how these many different pieces of information are related; cross-correlation is the second component needed to address situational awareness.  For example, on a typical Monday morning, a security operations center (SOC) for a large enterprise may see hundreds of failed logons to servers and workstations.  The question becomes: how many of these are simply fat-fingered credentials, and how many are part of a broad-based attack, perhaps an APT? In most SOC environments, there are not enough personnel available to track down the root cause of each failed logon, resulting in SOC personnel simply clicking “acknowledge” in their console — but of course, that is not security. Answering that question requires correlating these failed logons with other information to find the proverbial needle in the haystack (if one exists).  A security engineer needs to be able to quickly correlate each failed logon (which is event-based data), with other non-event data.  The SOC engineer needs to be able to ask, “How many of these failed logons have occured on a system that experienced an unauthorized configuration change, and is communicating on the network using unusual ports/protocols?” (a tell-tale sign of a network worm, or other types of malware).  Unfortuantely, even if the organization has multiple point tools to collect all they data (SIEM, NBA/SPI/DPI, end-point AV, config management agents, etc.), these individual point tools do not talk to each other.  Something else needs to exist “above” these tools to provide correlation.  That something is a situational awareness platform can provide.

Do you know how all of the security data in your network is related?

by John Linkous

Last week, RSA announced that a successful advanced persistent threat (APT) attack against the company’s infrastructure has resulted in the exfiltration of data that could potentially be used to reduce the effectiveness of RSA’s wildly popular SecurID two-factor authentication products.  While we don’t yet know what was compromised (A token seeding database? Future product design data? We may never know…) or who conducted the attack (China? The Anonymous group?), we do know one thing: the perception of the effectiveness of “secure” authentication and encryption has been deeply shaken.  The fallout from this compromise will likely be swift, and significant.

In my previous post I offered three things that organizations can do to mitigate these complex, advanced threats.

Having Access to All Security Data

Knowing How All the Security Data is Related

Near-Real Time Visibility to Make Effective Decisions.

In this and two subsequent posts, I wanted to provide a little more detail on each of these topics.  First, I want to discuss the importance of having access to ALL security data:

Many vendors — and frankly, many enterprise organizations – believe that events are the panacea of security monitoring, and rely heavily on SIEM technologies to monitor their environment.  And it’s certainly true that events provide a good starting point for security-related data.  However, it’s critical to understand that you cannot detect many APTs simply by using event-based data alone.  System configurations (such as Windows registry values, UNIX /etc/*.conf file contents, and firewall port/protocol mappings), asset changes and discrepancies (e.g., a new wireless access point that suddenly appears on the network), network traffic analysis (netflow, SPI and/or DPI), and performance metrics are all critical pieces to the APT puzzle, and they cannot easily encapsulated (if at all) in event-based data.  Collecting all of this security-related data — events, asset information, host/device/application/database configurations (including changes), performance metrics, network traffic, and other event-based and non-event data – is the critical first step to discovering APTs.

Do you have access to ALL of your security data?