<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>The Situational Room by eIQnetworks &#187; SIEM</title>
	<atom:link href="http://situationalroom.wordpress.com/tag/siem/feed/" rel="self" type="application/rss+xml" />
	<link>http://situationalroom.wordpress.com</link>
	<description></description>
	<lastBuildDate>Thu, 26 Jan 2012 14:02:13 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='situationalroom.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>The Situational Room by eIQnetworks &#187; SIEM</title>
		<link>http://situationalroom.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://situationalroom.wordpress.com/osd.xml" title="The Situational Room by eIQnetworks" />
	<atom:link rel='hub' href='http://situationalroom.wordpress.com/?pushpress=hub'/>
		<item>
		<title>Less Turtle, More Awareness</title>
		<link>http://situationalroom.wordpress.com/2012/01/11/less-turtle-more-awareness/</link>
		<comments>http://situationalroom.wordpress.com/2012/01/11/less-turtle-more-awareness/#comments</comments>
		<pubDate>Wed, 11 Jan 2012 20:27:21 +0000</pubDate>
		<dc:creator>John Linkous</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Comment]]></category>
		<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Situational Awareness]]></category>
		<category><![CDATA[Unified Situational Awareness]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[situational awareness]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[Security Week]]></category>

		<guid isPermaLink="false">http://situationalroom.wordpress.com/?p=1170</guid>
		<description><![CDATA[Catching up on some reading this week, I came across this piece in Security Week, written by Chris Poulin, Chief Security Officer at Q1 Labs, talking about how a childhood experience can help the modern information security professional.  Chris makes some good points, such as the need for continuous monitoring, and using all available tools [...]]]></description>
			<content:encoded><![CDATA[<p>Catching up on some reading this week, I came across this <a title="Why you should put a GPS tracker on your turtle" href="http://www.securityweek.com/why-you-should-put-gps-tracker-your-turtle" target="_blank"><span style="text-decoration:underline;">piece</span></a> in Security Week, written by Chris Poulin, Chief Security Officer at Q1 Labs, talking about how a childhood experience can help the modern information security professional.  Chris makes some good points, such as the need for continuous monitoring, and using all available tools to capture multiple data points in order to enable you to pinpoint the vector of advanced persistent threats (and slow moving box turtles).</p>
<p>This is certainly all good advice &#8211; although we contend that the average cyber or insider attack moves slightly quicker than the average box turtle.  There are, however, some major problems with Chris&#8217; piece.<span id="more-1170"></span></p>
<ul>
<li>First, the assumption is made that SIEM tools – of which Q1 Labs makes a very good one – can capture all of the information required to find our good friend, the turtle.  Unfortunately, that simply isn’t the case.  SIEM tools are highly focused on events.  Even in cases where a SIEM can look outside of the world of events at one or two other pieces of data (say, at network traffic, which is something that Q1 Labs’ SIEM does), that’s still woefully inadequate: if we’re going to find an errant turtle, we certainly need events and network traffic data, but we also need system asset and configuration state (from <strong><em>both</em></strong> hosts <strong><em>and</em></strong> devices, not just one or the other), system performance metrics, visibility into file integrity, and much, much more.  A SIEM is great if our turtle friend has left behind a trail of breadcrumbs (or whatever it is that turtles leave behind them when they travel), but otherwise, the SIEM is likely going to lead us to a cold trail for lack of data.</li>
<li>Second, even if your SIEM can collect different types of data in search of our elusive turtle friend, it probably uses multiple, separate products to do so.  Q1 Labs has a great SIEM product – QRadar – but requires separate appliances to collect flow data and Q1’s proprietary pseudo-DPI information, as well as another, completely separate appliance to collect system asset data and configuration state (and even then, this data is limited to a small subset of network devices, and completely excludes hosts… which means we’re stuck in the world of limited data again).  Of course, Q1 Labs is not the only SIEM vendor who runs into this issue: Tripwire, NitroSecurity, NetIQ, ArcSight, and others all rely on multiple tools to try to collect more than just event-based data.  Unfortunately, all this approach does is take a bunch of smaller silos (from individual systems and point security tools) and turn them into a smaller number of bigger silos – certainly not useful as the clock ticks on finding our buddy, the turtle!</li>
<li>Finally, even if you can collect a multitude of data points from various point security tools, and your security analysts have fed them into a traditional SIEM, you still have a problem: the SIEM views everything as an event: a piece of system state data becomes an “event” (which it isn’t), performance metrics become “events” (which they aren’t), and so on.  Much of the richness of the data is lost, and the only thing that most organizations are left with is a general idea that “‘something’ has certainly happened…”, but they lose the critical context of exactly what that ‘something’ is.  A manual hunt for the turtle then begins in earnest.</li>
</ul>
<p>So yes, what Chris describes is absolutely valid &#8212; we call it <a href="http://www.eiqnetworks.com/securevue/securevue.php"><span style="text-decoration:underline;">Unified Situational Awareness</span></a> – but the fact is, traditional SIEM and “SIEM-plus” tools simply can&#8217;t deliver it.</p>
]]></content:encoded>
			<wfw:commentRss>http://situationalroom.wordpress.com/2012/01/11/less-turtle-more-awareness/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/26b8228ee1d43d6035459b3a2feefa69?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">phylum</media:title>
		</media:content>
	</item>
		<item>
		<title>How Do Large Organizations Tackle Big Data and Cloud Security?</title>
		<link>http://situationalroom.wordpress.com/2011/11/03/how-do-large-organizations-tackle-big-data-and-cloud-security/</link>
		<comments>http://situationalroom.wordpress.com/2011/11/03/how-do-large-organizations-tackle-big-data-and-cloud-security/#comments</comments>
		<pubDate>Thu, 03 Nov 2011 23:37:55 +0000</pubDate>
		<dc:creator>The Secure View</dc:creator>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Comment]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Events]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[Situational Awareness]]></category>
		<category><![CDATA[Big Data]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[SIEMisDead]]></category>

		<guid isPermaLink="false">http://situationalroom.wordpress.com/?p=940</guid>
		<description><![CDATA[How do large organizations tackle the challenges of “Big Data” and cloud computing?  These were the questions posed at the EMC Big Data Forum that we attended today, so we thought that we would share some of the things discussed at the event. The Forum identified three key challenges: Budgetary pressures Tackling the challenges posed [...]]]></description>
			<content:encoded><![CDATA[<p>How do large organizations tackle the challenges of “Big Data” and cloud computing?  These were the questions posed at the <a title="EMC Big Data Forum 2011" href="http://www.emc.com/campaign/global/forum2011/" target="_blank">EMC Big Data Forum</a> that we attended today, so we thought that we would share some of the things discussed at the event.</p>
<p>The Forum identified three key challenges:<span id="more-940"></span></p>
<ul>
<li>Budgetary pressures</li>
<li>Tackling the challenges posed by the increasing volume of data required to run the modern business</li>
<li>Protecting sensitive data from an increasingly virulent and wide-ranging number of cyber and insider threats</li>
</ul>
<p>Some interesting statistics on Enterprise data:</p>
<ul>
<li>According to Panda Labs research, in 2010 88% of Fortune 500 companies had botnet activity associated with their domain.  In many cases this was after they had identified [and resolved] known issues or attacks in their network.</li>
<li>Enterprise data is forecast to grow by 50% between 2011 and 2020.</li>
<li>Enterprise data will grow from 1.2 to 35 Zettabytes in the next few years.</li>
</ul>
<p>Before you select an <a title="Situational Awareness" href="http://www.eiqnetworks.com" target="_blank">Enterprise information security</a> platform, there are a few questions we think you should answer in order to assess whether your choice of information security platform is up to the challenges of Big Data and Cloud:</p>
<ul>
<li>Can your choice of information security platform scale to support the amount of data your IT infrastructure will be supporting in 2020?</li>
<li>Will your information security platform be able to correlate ALL your network security data to provide the information you need, when you need it?</li>
<li>Does it provide actionable intelligence via a single pane of glass?</li>
</ul>
<p>If the answer to any of these questions is no then we should talk!</p>
]]></content:encoded>
			<wfw:commentRss>http://situationalroom.wordpress.com/2011/11/03/how-do-large-organizations-tackle-big-data-and-cloud-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/17aea691e1223f0a73257f630c551ca0?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">broadpr</media:title>
		</media:content>
	</item>
		<item>
		<title>Hope Is Not a Strategy</title>
		<link>http://situationalroom.wordpress.com/2011/10/19/hope-is-not-a-strategy/</link>
		<comments>http://situationalroom.wordpress.com/2011/10/19/hope-is-not-a-strategy/#comments</comments>
		<pubDate>Wed, 19 Oct 2011 16:55:50 +0000</pubDate>
		<dc:creator>The Secure View</dc:creator>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Comment]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[SIEM is Dead]]></category>
		<category><![CDATA[Situational Awareness]]></category>
		<category><![CDATA[#McAfeeFocus]]></category>
		<category><![CDATA[Advanced Persistent Threats]]></category>
		<category><![CDATA[APTs]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[situational awareness]]></category>

		<guid isPermaLink="false">http://situationalroom.wordpress.com/?p=922</guid>
		<description><![CDATA[When McAfee announced in a recent blog post that its acquisition of NitroSecurity gave them “true situational awareness” we were – to be honest – a little skeptical.  Why?  Because developing SecureVue, our own situational awareness platform, has taken years of dedicated and disciplined product management and engineering work, organically building a solution from the [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_925" class="wp-caption alignright" style="width: 610px"><a href="http://situationalroom.files.wordpress.com/2011/10/hope-is-not-a-strategy1.jpg"><img class="size-full wp-image-925 " title="HOPE is NOT a Strategy" src="http://situationalroom.files.wordpress.com/2011/10/hope-is-not-a-strategy1.jpg?w=600&#038;h=557" alt="" width="600" height="557" /></a><p class="wp-caption-text">Without Situational Awareness this could be your best chance of avoiding an attack</p></div>
<p>When McAfee announced in a recent blog post that its acquisition of NitroSecurity gave them “true situational awareness” we were – to be honest – a little skeptical.  Why?  Because developing SecureVue, our own situational awareness platform, has taken years of dedicated and disciplined product management and engineering work, organically building a solution from the ground up that is all the things a situational awareness solution needs to be: highly scalable, extremely fast, able to cross-correlate any security data elements, extensible to any type of security data, and delivering this all through a single unified console, to name just a few.  So you can see how surprised we were when McAfee suggested that their <strong><em>end-point management</em></strong> console, ePolicy Orchestrator, could simply become a “situational awareness console” by plugging into it the broad range of disparate products that McAfee has acquired over the past several years.</p>
<p>Fortunately, McAfee shed some light on this strategy at this week’s FOCUS event in Las Vegas.  During McAfee’s Partner Summit on Monday, the company addressed the details of how they’re going to deliver situational awareness – a concept that eIQnetworks has been delivering on for several years, and a bandwagon onto which everyone from McAfee, to IBM, to niche SIEM players seems to be jumping these days.  During a review of the McAfee product roadmap, McAfee indicated that they are now planning on delivering situational awareness by… wait for it… <span id="more-922"></span><strong>2016</strong>.</p>
<p>All their customers have to do until then is avoid APTs, insider threats and advanced compliance requirements, all of which require situational awareness to address!  We’re very pleased that McAfee cleared up their approach to situational awareness, and we look forward to competing with them when they finally are able to deliver a solution that provides actual situational awareness in another four years.</p>
<p>While that’s great for McAfee, if you&#8217;re an enterprise CISO using McAfee products, there will doubtless be a few sleepless nights for you over the next four years; we wish you the best in avoiding these advanced threats that permeate every nook and cranny of technology today.  But, perhaps you’re interested in a solution to these problems <strong><em><span style="text-decoration:underline;">today</span></em></strong>, without hoping that you’ll be the one-in-a-million enterprise that isn’t attacked?  Fortunately, you have an alternative to waiting four years for McAfee to deliver what you need: you could try <a title="SecureVue" href="http://www.eiqnetworks.com/securevue/securevue.php" target="_blank">SecureVue</a> from eIQnetworks.  SecureVue is the industry’s first – and to date, only – security platform delivering true situational awareness, and is used by network security professionals around the world to protect organizations ranging from global Fortune 500 businesses, to civilian and defense agencies across the federal government.</p>
<p>Like McAfee’s customers-in-waiting, our customers are often up late, too… but in our case, they’re thinking of new ways to use SecureVue’s situational awareness capabilities to gain more visibility into their enterprise – not sweating it out over whether they’ll be the next victim of an attack.</p>
]]></content:encoded>
			<wfw:commentRss>http://situationalroom.wordpress.com/2011/10/19/hope-is-not-a-strategy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/17aea691e1223f0a73257f630c551ca0?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">broadpr</media:title>
		</media:content>

		<media:content url="http://situationalroom.files.wordpress.com/2011/10/hope-is-not-a-strategy1.jpg" medium="image">
			<media:title type="html">HOPE is NOT a Strategy</media:title>
		</media:content>
	</item>
		<item>
		<title>Put up, or shut up!</title>
		<link>http://situationalroom.wordpress.com/2011/10/10/put-up-or-shut-up/</link>
		<comments>http://situationalroom.wordpress.com/2011/10/10/put-up-or-shut-up/#comments</comments>
		<pubDate>Mon, 10 Oct 2011 14:03:26 +0000</pubDate>
		<dc:creator>The Secure View</dc:creator>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Comment]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[SIEM is Dead]]></category>
		<category><![CDATA[Situational Awareness]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[SecureVue]]></category>
		<category><![CDATA[situational awareness]]></category>

		<guid isPermaLink="false">http://situationalroom.wordpress.com/?p=898</guid>
		<description><![CDATA[Vijay Basani, President and CEO of eIQnetworks, challenges both McAfee and IBM to prove they can deliver what they claim. He says empty marketing claims and misinformation won&#8217;t help them when it comes to convincing the industry. Following the announcements that IBM and McAfee are to acquire Q1 Labs and NitroSecurity, both vendors are claiming that the acquisition [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Vijay Basani, President and CEO of eIQnetworks, challenges both McAfee and IBM to prove they can deliver what they claim. He says empty marketing claims and misinformation won&#8217;t help them when it comes to convincing the industry.</strong></p>
<p>Following the announcements that IBM and McAfee are to acquire Q1 Labs and NitroSecurity, both vendors are claiming that the acquisition of SIEM tools will magically provide them with the ability to deliver &#8216;true&#8217; Situational Awareness &#8211; we firmly believe that it won&#8217;t.  <em>SIEM + Net Flow + some analytics</em> <strong>isn&#8217;t </strong>situational awareness… it&#8217;s just SIEM plus a few other things.</p>
<p>Situational Awareness requires <span id="more-898"></span>the real-time collection of <strong>ALL</strong> security data - <em>logs and events, system configuration state, vulnerability state, security policies, network traffic analysis, performance, availability and connection state, user activity data, file integrity data, asset state and criticality, etc.</em> – all in a unified view from a single, integrated console.</p>
<p>A true situational awareness solution must deliver three critical benefits in order to protect against APTs and cyber attacks:</p>
<p><strong>1) Accurate, timely and coherent view of the threat, compliance and risk posture</strong></p>
<p><strong>2) Efficient and timely investigative analysis of ALL security data so that security professionals can proactively detect and fix potential problems</strong></p>
<p><strong>3) It should not require an army of consultants that would make it unpalatable and expensive.</strong></p>
<p>The <strong>cobbled together</strong> point product approach from companies like IBM, McAfee, and HP will not deliver on these. Their approaches lack the cross-correlation of data that is essential to early detection of an anomaly or threat, and will result in swivel-chair security management and high TCO.</p>
<p>Cobbling together 4 or 5 different disjointed products &#8211; and both IBM and McAfee (and HP) have a history of <strong>poor integration</strong> of acquired technologies &#8211; will result in a lack of a unified view, inefficient operations and poor forensic analysis capabilities.  Their road maps will be re-evaluated and in all probability changed, resulting in not delivering what was promised to customers, and there will likely be significant confusion and lack of execution among the sales and marketing teams. You only need to look at what happened when IBM acquired Consul for evidence.</p>
<p>IBM abandoned this product after 3 years, only to now acquire Q1 Labs.  As a customer, you have to wonder what will happen to Q1 Labs technology in 2-3 years’ time &#8211; <strong>will it go the same route as Consul</strong>?</p>
<p>Will Q1 Labs&#8217; existing customers be forced to pay for exorbitant IBM services to fix problems?  From their press release it&#8217;s clear that IBM sees this as an opportunity to sell services &#8211; it clearly stated that its goal is going after the $90B+ security services business. Customers choosing an IBM &#8216;situational awareness&#8217; tool can expect to see a significant charge for maintenance and servicing, while it is unlikely to deliver on its promised situational awareness.</p>
<p>Many vendors have jumped on our Situational Awareness message in recent months and we&#8217;d invite them to put their tools to the test by submitting them to an <strong>independent lab evaluation</strong> in order to validate their claims.</p>
]]></content:encoded>
			<wfw:commentRss>http://situationalroom.wordpress.com/2011/10/10/put-up-or-shut-up/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/17aea691e1223f0a73257f630c551ca0?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">broadpr</media:title>
		</media:content>
	</item>
		<item>
		<title>SIEM or Situational Awareness: crash avoidance or crash investigation!</title>
		<link>http://situationalroom.wordpress.com/2011/10/06/siem-or-situational-awareness-which-system-would-you-bet-your-life-on/</link>
		<comments>http://situationalroom.wordpress.com/2011/10/06/siem-or-situational-awareness-which-system-would-you-bet-your-life-on/#comments</comments>
		<pubDate>Fri, 07 Oct 2011 02:49:16 +0000</pubDate>
		<dc:creator>The Secure View</dc:creator>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Comment]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[Situational Awareness]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[SIEM is Dead]]></category>
		<category><![CDATA[situational awareness]]></category>

		<guid isPermaLink="false">http://situationalroom.wordpress.com/?p=889</guid>
		<description><![CDATA[You&#8217;re piloting a 747 cruising at 35,000 ft and travelling at 555 mph. Suddenly your TCAS [traffic collision avoidance system] warns you that you&#8217;re on a collision course with another aircraft. There are two questions you need to answer &#8211; and quickly: 1. Where [exactly] is the threat coming from? 2. What action should you [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align:justify;">You&#8217;re piloting a 747 cruising at 35,000 ft and travelling at 555 mph. Suddenly your TCAS [traffic collision avoidance system] warns you that you&#8217;re on a collision course with another aircraft.</p>
<p style="text-align:justify;">There are two questions you need to answer &#8211; and quickly:<span id="more-889"></span></p>
<p style="text-align:justify;">1. Where [exactly] is the threat coming from?</p>
<p style="text-align:justify;">2. What action should you take, immediately, to avoid a collision?</p>
<p style="text-align:justify;">In the early days of flight, all pilots had to rely on was radar. Radar provides what is known in the security industry as ‘event data’: it would tell you the current position and heading of the other plane. Flying with radar only, pilots relied, in part, on their instincts and their ability to make a call on what action to take in the event of an emergency. Even if you had enough information to take action, you were also betting that the pilot of the other jet wouldn&#8217;t take action that put you back on a collision course!</p>
<p style="text-align:justify;">Radar [and navigational beacons] worked in the early days of aviation, when the skies were less busy, aircraft cruising speeds were slower and pilots were trained in fly-by-sight systems and processes. In today’s congested skies they simply don’t provide a pilot with enough information to safely get from point A to point B. Radar is a useful tool, but insufficient as a standalone.</p>
<p style="text-align:justify;">If you’re piloting either one of the planes on a collision course, event data won’t help you answer either of those two critical questions in time to avoid a disaster. What you really need is ‘state’ data. State data tells a pilot not only the position of the other aircraft, but how fast it is moving; it won’t just tell you the altitude, it will tell you whether it is ascending or descending and how quickly. It will give you a specific heading – it’s not just &#8216;on your left&#8217;, but that the other plane is advancing from &#8216;the pilot’s seven o’clock position&#8217;.</p>
<p style="text-align:justify;">By correlating event and state data, a TCAS system will tell a pilot specifically what he needs to do &#8211; and immediately. He&#8217;ll know that he needs to climb or descend [and how rapidly], that he needs to turn the plane immediately right by forty-five degrees and that he needs to hold a new altitude and heading for a specific period of time in order to avoid a collision. We call this actionable intelligence.</p>
<p style="text-align:justify;">Now translate this analogy to your network. SIEM provides log and event data, but not state information. As a result, you&#8217;re only ever getting a small piece of the picture about your security posture. It can tell you that you’re under attack, but can’t tell you specifically where from, where an attack is heading, or how quickly it’s moving. As a result it can’t tell you what you should do to repel an attack and to minimize the damage.</p>
<p style="text-align:justify;">I’m assuming that most of you wouldn’t want to fly on a plane that doesn’t have a TCAS system fitted – so why manage your network without it?</p>
]]></content:encoded>
			<wfw:commentRss>http://situationalroom.wordpress.com/2011/10/06/siem-or-situational-awareness-which-system-would-you-bet-your-life-on/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/17aea691e1223f0a73257f630c551ca0?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">broadpr</media:title>
		</media:content>
	</item>
		<item>
		<title>File Under &#8220;Mergers &amp; Acquisitions&#8221;</title>
		<link>http://situationalroom.wordpress.com/2011/10/04/file-under-mergers-acquisitions/</link>
		<comments>http://situationalroom.wordpress.com/2011/10/04/file-under-mergers-acquisitions/#comments</comments>
		<pubDate>Tue, 04 Oct 2011 15:11:28 +0000</pubDate>
		<dc:creator>John Linkous</dc:creator>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Comment]]></category>
		<category><![CDATA[Situational Awareness]]></category>
		<category><![CDATA[Unified Situational Awareness]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Nitro]]></category>
		<category><![CDATA[Q1]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[SIEM is Dead]]></category>
		<category><![CDATA[situational awareness]]></category>

		<guid isPermaLink="false">http://situationalroom.wordpress.com/?p=873</guid>
		<description><![CDATA[Well, this week two more SIEM vendors have been snatched up. bringing the total number of acquired SIEM technologies to… let’s see here… Network Intelligence (bought by RSA/EMC), Arcsight (acquired by HP), Q1 Labs (to IBM), and Nitro (bought by McAfee), e-Security (acquired by Novell), Trigeo (bought by Solarwinds), Protego (acquired by Cisco, and turned [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=situationalroom.wordpress.com&amp;blog=17107788&amp;post=873&amp;subd=situationalroom&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<p>Well, this week two more SIEM vendors have been snatched up. bringing the total number of acquired SIEM technologies to… let’s see here… Network Intelligence (bought by RSA/EMC), Arcsight (acquired by HP), Q1 Labs (to IBM), and Nitro (bought by McAfee), e-Security (acquired by Novell), Trigeo (bought by Solarwinds), Protego (acquired by Cisco, and turned into Cisco MARS), and Consul (purchased by IBM) &#8212; that&#8217;s four in recent memory, and even more if you go back a few years.  Why all the flurry of activity?</p>
<p>A lot has been made of eIQ&#8217;s recent statement that &#8220;<a title="SIEM is Dead" href="http://www.eiqnetworks.com/resources/SIEM_is_DEAD.php" target="_blank">SIEM is Dead</a>&#8221;, with multiple pundits pointing out that, if SIEM is truly dead, <em>why would big players such as IBM and McAfee be acquiring two prominent SIEM vendors?</em> <strong>Well, the answer to that question lies in exactly what these vendors plan on doing with their newly-acquired tools.</strong> As announced in both the <a title="IBM Buys Q1 Labs" href="http://online.wsj.com/article/BT-CO-20111004-708111.html">IBM press release</a> and the <a title="McAfee to Acquire Nitro Security" href="http://www.thetechherald.com/article.php/201140/7687/McAfee-to-acquire-SIEM-vendor-NitroSecurity" target="_blank">McAfee press release</a>, both vendors plan on using their new SIEM tools as one component of an overall technology offering to provide advanced threat detection and compliance automation. <a title="SecureVue from eIQnetworks" href="http://www.eiqnetworks.com" target="_blank">Sound familiar?</a> It should&#8230; this has been eIQnetworks&#8217; message of &#8220;Unified Situational Awareness&#8221; for some time. Neither IBM nor McAfee is leaving these SIEM acquisitions on their own to function as independent revenue streams; both vendors recognize the need to expand security visibility beyond what SIEM can do on its own, and both will be furiously trying to integrate their new SIEM acquisitions with other products they&#8217;ve bought or built over the years. Both IBM and McAfee recognize that customers need SIEM augmented with other security data; as a result, <strong><em><span style="color:#993300;">the IBM and McAfee acquisitions clearly validate eIQ&#8217;s message that SIEM is Dead.</span></em></strong></p>
<p>Of course, eIQnetworks isn&#8217;t the only organization to claim that the next era of security monitoring &#8211; one that delivers <em><strong>situational awareness</strong></em> &#8211; is what&#8217;s needed to address today&#8217;s modern security threats. Gartner&#8217;s recent research note on situational awareness clearly stated that any solution delivering situational awareness should collect, analyze, correlate and report on all security and compliance data, as well as provide long-term historical archival and forensics analysis. So, everyone is trying to get to that position in the market. The difference, of course, is in <em><strong>how</strong></em> eIQ&#8217;s delivery of situational awareness differs from these big vendors&#8217; pending solutions. Fortunately, the differences couldn&#8217;t be more clear.</p>
<p>IBM and McAfee, like HP before them, are trying to take an M&amp;A approach to developing an intelligent security platform that delivers situational awareness. The main problem with that approach is one of logistics: if you&#8217;re buying up five, six or more different technologies (or in IBM&#8217;s case, ten!), what you have is a bunch of different technologies that most likely have a hodgepodge of different back-end databases, coding styles, APIs, and other components. Why is that a problem? <em><strong>Because the underlying value of situational awareness is not simply in the collection of data, but in the fast, efficient correlation of that data, ad hoc querying, fast forensics, and a unified view of security posture</strong></em>. How will these vendors get all of these tools to &#8220;talk&#8221; to each other? Well, certainly not by simply building a &#8220;brand&#8221; around a collection of tools &#8212; <em><strong>a marketing exercise does not make a platform!</strong></em></p>
<p>Unlike these hodgepodge approaches to unifying security data, SecureVue from eIQnetworks was built from day one as a single, integrated product that collects, analyzes, correlates and reports on all security and compliance data, fast. SecureVue natively collects a massive range of security information &#8212; from logs and other event data, to asset data, configuration state, network traffic analytics, performance and availability metrics, native FIM, and much more. Of course, we also work with existing technologies in our customers&#8217; environments, including SIEM, DLP, DAM, and a wide range of other security tools. <em><strong>For eIQnetworks, there is no &#8220;technology integration issue&#8221;.</strong></em></p>
<p>Another big problem with the M&amp;A approach of IBM and McAfee is that it will still require customers to buy multiple products; the difference is they&#8217;ll just be buying them all from a single vendor. If you want SIEM, and configuration assessment capabilities, and network behavioral analysis, and FIM&#8230; well, these vendors can certainly give it to you: for a price. Again, that is not situational awareness; it&#8217;s simply a pick-and-choose approach to security products, some of which may &#8211; or may not &#8211; integrate with others. When they fail at their integration efforts, they simply give up (like IBM gave up on their prior SIEM acquisition of Consul, or Cisco walking away from Cisco MARS) and acquire some other company to go through the exercise again, with no real benefit to the customers.</p>
<p>At eIQnetworks, we realize that true situational awareness is not a pick-and-choose endeavor; you need all security data. Unlike a vendor with a portfolio of different tools, however, with SecureVue customers get the ability to collect, correlate and analyze <em><span style="text-decoration:underline;"><strong>all</strong></span></em> security data. We don&#8217;t &#8220;nickel-and-dime&#8221; our customers, because that&#8217;s the wrong approach to security. <em><strong>With SecureVue, customers get everything they need in a true platform</strong></em> &#8212; not simply a collection of point tools that may (or may not) collect and integrate all the security data they need. SecureVue helps maintain awareness of the security state of information systems by providing the most accurate, timely and coherent view of the threat, compliance and risk posture across the enterprise.</p>
<p>For incumbent Q1 and Nitro customers, another obstacle that they now face &#8211; and perhaps the most challenging one &#8211; is the fact that the new owners of their incumbent technologies drive a lot of revenue from services. Existing Q1 and Nitro customers should fully expect to receive a barrage of offers for professional services from these vendors, including a strong push for customization. We certainly wish the best for existing Q1 Labs and Nitro Security customers, but if history has any bearing on the migration of their technologies to a new vendor, there may be rough seas ahead.</p>
<p>Unlike these vendors, eIQnetworks is almost entirely a product-driven company. We don&#8217;t have a massive services bench, because our customers don&#8217;t need us to have one. We&#8217;re focused on efficiency, ease of use, and most importantly, simple integration into your existing environment. And most of all, we don&#8217;t push our customers to &#8220;rip-and-replace&#8221; their existing investments in security technologies, because we work with those technologies out of the box (even SIEM!).</p>
<p>To IBM and McAfee, we applaud their recognition that their customers need a broader range of security data than what SIEM (or any other point product) can provide &#8212; we&#8217;ve been saying that for years, and it&#8217;s great to see that they&#8217;re validating our position. <em><strong>SIEM is dead&#8230; long live situational awareness!</strong></em></p>
<p>To read our posts outlining why we believe SIEM is Dead, start <a title="SIEM: An Epitaph" href="http://situationalroom.wordpress.com/2011/09/14/siem-is-dead-an-epitaph/" target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://situationalroom.wordpress.com/2011/10/04/file-under-mergers-acquisitions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/26b8228ee1d43d6035459b3a2feefa69?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">phylum</media:title>
		</media:content>
	</item>
		<item>
		<title>Identify attacks while they are in progress, and take action at that time.</title>
		<link>http://situationalroom.wordpress.com/2011/09/23/identify-attacks-while-they-are-in-progress-and-take-action-at-that-time/</link>
		<comments>http://situationalroom.wordpress.com/2011/09/23/identify-attacks-while-they-are-in-progress-and-take-action-at-that-time/#comments</comments>
		<pubDate>Fri, 23 Sep 2011 12:00:17 +0000</pubDate>
		<dc:creator>The Secure View</dc:creator>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Comment]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Unified Situational Awareness]]></category>
		<category><![CDATA[APTs]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[SIEM is Dead]]></category>
		<category><![CDATA[situational awareness]]></category>

		<guid isPermaLink="false">http://situationalroom.wordpress.com/?p=853</guid>
		<description><![CDATA[A recent report by The Ponemon Institute states that the average response time for an enterprise breach is 18 days.  Let me repeat that, just in case you didn’t catch it the first time: The AVERAGE response time for a modern cyber or insider attack is 18 days. It’s true that when SIEM first came [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=situationalroom.wordpress.com&amp;blog=17107788&amp;post=853&amp;subd=situationalroom&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<p>A recent report by The Ponemon Institute states that the average response time for an enterprise breach is 18 days.  Let me repeat that, just in case you didn’t catch it the first time: The AVERAGE response time for a modern cyber or insider attack is 18 days.</p>
<p>It’s true that when SIEM first came on to the security scene, <span id="more-853"></span>amid claims that this new tool would enable security analysts to identify attacks and take action against them, vendors didn’t specify how quickly. It delivered for a while, when attacks were signature-based or exploited known vulnerabilities – but in a world of advanced, persistent cyber- and insider-based threats, tools like SIEM that rely only on log and event data offer no visibility into attacks exploiting misconfigured or badly secured networks.</p>
<p>If, ten years after their birth, this is the best they can do in the face of advanced persistent cyber and insider threats, it’s fair to say that they haven’t delivered on their promise. <strong><em>SIEM is Dead.</em></strong></p>
<p>In an environment of advanced persistent threats that can cause serious damage to systems, processes, bottom line and reputation within hours, 18 days is no protection at all. <strong><em>SIEM is Dead!</em></strong></p>
<p>I spoke with Taylor Armerding at the end of last week for an article he was writing for CSO magazine exploring our claim that SIEM is dead in some depth. During our conversation we agreed that SIEM still has a role to play in securing large enterprise networks, but only as a data collector for more sophisticated systems that offer the ability to analyze ALL network security data in real time, via a single pane of glass, to enable you to identify an attack while it’s still in progress and – this is most important – take action to repel it and/or mitigate the damage. If your SIEM can’t do that, then YOUR SIEM is definitely dead.</p>
<p>If your SIEM is dead, then <a title="Unified Situational Awareness" href="http://www.eiqnetworks.com/company/contactus.php" target="_blank">we should talk</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://situationalroom.wordpress.com/2011/09/23/identify-attacks-while-they-are-in-progress-and-take-action-at-that-time/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/17aea691e1223f0a73257f630c551ca0?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">broadpr</media:title>
		</media:content>
	</item>
		<item>
		<title>SIEM &#8211; a single piece of glass for all security data? Not really!</title>
		<link>http://situationalroom.wordpress.com/2011/09/21/siem-a-single-piece-of-glass-for-all-security-data-not-really/</link>
		<comments>http://situationalroom.wordpress.com/2011/09/21/siem-a-single-piece-of-glass-for-all-security-data-not-really/#comments</comments>
		<pubDate>Wed, 21 Sep 2011 21:00:10 +0000</pubDate>
		<dc:creator>The Secure View</dc:creator>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Comment]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Situational Awareness]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[Is Your SIEM dead?]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[SIEM is Dead]]></category>
		<category><![CDATA[situational awareness]]></category>

		<guid isPermaLink="false">http://situationalroom.wordpress.com/?p=850</guid>
		<description><![CDATA[In our second post exploring why we believe SIEM is dead we wanted to look at the promise made by traditional SIEM vendors their tools enable ALL security data to be collated via a single console.  Aside from the fact that traditional SIEM tools only capture log and event-based data [see the first post in [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=situationalroom.wordpress.com&amp;blog=17107788&amp;post=850&amp;subd=situationalroom&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<p>In our second post exploring why we believe SIEM is dead we wanted to look at the promise made by traditional SIEM vendors their tools enable ALL security data to be collated via a single console.  Aside from the fact that traditional SIEM tools only capture log and event-based data [<a title="When log and event data are not enough" href="http://situationalroom.wordpress.com/2011/09/20/siem-may-it-rest-in-peace-when-all-is-not-enough/" target="_blank">see the first post in this series</a>] they have failed on their promise to provide a single pane of glass with which to see the entire security posture of a large distributed network.  Breach detection for the majority of large enterprise organizations still requires<span id="more-850"></span> teams of people to sit inside darkened rooms with a multitude of printed reports, in order to manually cross check data in an attempt to identify anomalies.</p>
<p>There are two problems with this: first, while an organization has its entire security team in a room trying to figure out the entry point and intended target of an attack, they’re not doing what they should be doing – helping protect the infrastructure. The second problem is that the attack is still spreading, potentially wreaking more havoc and rendering any conclusions made through manual correlation outdated and, potentially, valueless.</p>
<p>To effectively fight a breach, security analysts need to see how security data elements (events, yes&#8230; but a whole bunch of other non-event data, too) relate to one another, and not just view everything through the myopic, SIEM-centric &#8220;everything&#8217;s an event!&#8221; filter. They need to see events as events, system configurations as config. data, and network traffic as traffic. They need to piece together all of those attack vectors that are potentially part of a threat: how the unusual network packet is related to unauthorized changes on the system that sent it; how a failed patch update is resulting in 100% CPU utilization and a runaway process on a critical server; or how a privileged user is changing file system ACLs in a manner that goes against policy.</p>
<p>Oh, and all of this needs to happen in real-time.  Does your SIEM allow you to do all of this?  If not, your SIEM is dead.</p>
<p>Read the third and final part of this series &#8211; &#8216;Identify attacks while they are in progress&#8230; and take action AT THAT TIME&#8217; &#8211; <a title="Identify attacks while they are in progress and take action at that time!" href="http://situationalroom.wordpress.com/2011/09/23/identify-attacks-while-they-are-in-progress-and-take-action-at-that-time/" target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://situationalroom.wordpress.com/2011/09/21/siem-a-single-piece-of-glass-for-all-security-data-not-really/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/17aea691e1223f0a73257f630c551ca0?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">broadpr</media:title>
		</media:content>
	</item>
		<item>
		<title>SIEM: May it Rest in Peace [When log and event data is not enough]</title>
		<link>http://situationalroom.wordpress.com/2011/09/20/siem-may-it-rest-in-peace-when-all-is-not-enough/</link>
		<comments>http://situationalroom.wordpress.com/2011/09/20/siem-may-it-rest-in-peace-when-all-is-not-enough/#comments</comments>
		<pubDate>Tue, 20 Sep 2011 15:30:05 +0000</pubDate>
		<dc:creator>The Secure View</dc:creator>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Comment]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Situational Awareness]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[security data]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[SIEM is Dead]]></category>
		<category><![CDATA[situational awareness]]></category>

		<guid isPermaLink="false">http://situationalroom.wordpress.com/?p=848</guid>
		<description><![CDATA[When SIEM launched in 2000 it promised security professionals the opportunity to collect security data from across their network; to provide a consolidated and unified view of their security position. The early tools delivered on some of this promise while attacks had common signatures – log and event data, but the simple fact is that [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=situationalroom.wordpress.com&amp;blog=17107788&amp;post=848&amp;subd=situationalroom&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<p>When SIEM launched in 2000 it promised security professionals the opportunity to collect security data from across their network; to provide a consolidated and unified view of their security position. The early tools delivered on some of this promise while attacks had common signatures – log and event data, but the simple fact is <span id="more-848"></span>that today&#8217;s threats &#8212; from APTs that combine multiple attack vectors, to insider threats and privilege abuse, to even simplistic threats such as system mis-configurations &#8211; require more than what any one monitoring technology can provide.</p>
<p>Just as security analysts realized a few years ago that signature-based detection technologies alone are an inadequate security strategy against evolving threats, the same is being recognized today about SIEM (or at least, it is by the Fortune 1000 CISOs I talk to every day).  Security professionals realize that event-based information is only one wedge of the pie.  They also know they need to correlate log and event data with other, non-event data such as asset and configuration data [and to be clear, I don't mean the SIEM-centric "scan the logs for system changes!" approach to getting asset and configuration data].</p>
<p>As we all know, attackers and malware clear and disable logging once they acquire privilege, which makes log scanning a pretty useless way to acquire configuration data.  It is also important to point out that many types of configuration data, such as Windows registry settings, ACLs and the contents of UNIX/Linux /etc files, are difficult, if not impossible, to push natively into logging mechanisms.  Beyond configuration data, security teams also need performance metrics, network traffic (flow and/or DPI), user context, and many other types of security data.</p>
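<p>The direct-collection approach described in the two paragraphs above, as an added example that is not part of the original post: it snapshots configuration state (file hashes, permission bits, ownership) straight off the filesystem rather than out of any log, diffs it against a baseline, and then correlates the drift with whatever the logs do say. A change that no log line accounts for is the case the post is warning about. The stand-in /etc tree, the host name web01 and the syslog lines are all constructed for the example.</p>

```python
"""Added example: collect configuration state directly from the host
(not from logs), diff it against a baseline, and correlate the drift with
the log trail.  A change with no corresponding log entry is the interesting
case: either the log never saw it or the log was cleared."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot_config(root):
    """Record sha256, permission bits, uid and gid of every regular file under root.
    Read straight off the filesystem, so it survives an attacker clearing syslog."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.lstat()
        snap[p.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
        }
    return snap


def diff_snapshots(baseline, current):
    """Return (path, what) tuples for every file added, removed or altered."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            changes.append((path, "added"))
        elif path not in current:
            changes.append((path, "removed"))
        else:
            for field in ("sha256", "mode", "uid", "gid"):
                if baseline[path][field] != current[path][field]:
                    changes.append((path, field + " changed"))
    return changes


def unexplained_changes(changes, log_lines):
    """A config change is 'explained' if some log line names the file.
    Anything that changed without leaving a trail is escalated."""
    return sorted({path for path, _ in changes
                   if not any(path in line for line in log_lines)})


# Constructed syslog-style lines for a hypothetical host 'web01'.  They only
# account for the sshd_config edit; nothing records the other two changes.
SAMPLE_LOG = [
    "Jan 10 08:00:01 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; "
    "USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config",
    "Jan 10 08:00:09 web01 sshd[2211]: Received SIGHUP; restarting.",
]


def demo():
    """Build a stand-in for /etc in a temp dir, baseline it, tamper, re-snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp)
        (etc / "ssh").mkdir()
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (etc / "shadow").write_text("root:*:19000:0:99999:7:::\n")
        os.chmod(etc / "shadow", 0o600)
        baseline = snapshot_config(etc)

        # Legitimate change that the log trail does record.
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin no\nMaxAuthTries 3\n")
        # Privilege abuse that produced no log line at all.
        with open(etc / "sudoers", "a") as f:
            f.write("mallory ALL=(ALL) NOPASSWD: ALL\n")
        # Permission weakening; the log is equally silent about this one.
        os.chmod(etc / "shadow", 0o644)

        changes = diff_snapshots(baseline, snapshot_config(etc))
        return {"changes": changes,
                "unexplained": unexplained_changes(changes, SAMPLE_LOG)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

<p>Run as a script it prints the full change list and then the unexplained subset: the sshd_config edit is matched by the sudo line, while the sudoers append and the shadow mode change have no trail and are the ones to escalate. In a real deployment the baseline would be stored off-host and the snapshot scheduled independently of the logging pipeline, so that disabling syslog cannot also disable the comparison.</p>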
<p>If you’re looking for proof that traditional SIEM tools alone no longer provide adequate detection of modern cyber threats, we’ll enter the attacks on Sony, the International Monetary Fund, Epsilon, Sega, Sony (again) and the CIA as evidence.</p>
<p>Read part 2 &#8211; &#8216;A single piece of glass for all security data&#8217; &#8211; <a title="A single piece of glass for all security data" href="http://situationalroom.wordpress.com/2011/09/21/siem-a-single-piece-of-glass-for-all-security-data-not-really/" target="_blank">here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://situationalroom.wordpress.com/2011/09/20/siem-may-it-rest-in-peace-when-all-is-not-enough/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/17aea691e1223f0a73257f630c551ca0?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">broadpr</media:title>
		</media:content>
	</item>
		<item>
		<title>Is Your SIEM Real Shady?</title>
		<link>http://situationalroom.wordpress.com/2011/08/09/is-your-siem-real-shady/</link>
		<comments>http://situationalroom.wordpress.com/2011/08/09/is-your-siem-real-shady/#comments</comments>
		<pubDate>Tue, 09 Aug 2011 21:00:53 +0000</pubDate>
		<dc:creator>The Secure View</dc:creator>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Comment]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Advanced Persistent Threats]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[Shady Rat]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[SIEM Shady]]></category>

		<guid isPermaLink="false">http://situationalroom.wordpress.com/?p=728</guid>
		<description><![CDATA[Is it just me, or does anybody else smell a Rat?  The reporting, by McAfee, of an alleged 5-year cyber attack code-named Shady Rat earlier this week raises some interesting questions: ▪   How did such a widespread attack go unnoticed by so many organizations for so long? ▪   Is an attack only Advanced and Persistent if it [...]]]></description>
			<content:encoded><![CDATA[<p>Is it just me, or does anybody else smell a Rat?  McAfee&#8217;s report earlier this week of an alleged five-year cyber attack code-named Shady Rat raises some interesting questions:<span id="more-728"></span></p>
<p>▪   How did such a widespread attack go unnoticed by so many organizations for so long?</p>
<p>▪   Is an attack only Advanced and Persistent if it uses new, previously unseen vectors with which to penetrate and wreak havoc?</p>
<p>▪   Are current SIEM tools still the most effective way to monitor network security in a landscape where there is no common attack signature?</p>
<p>Most importantly, and the question that CISOs and Security Analysts around the world will be spending much time contemplating: just how do they best guard against a cyber attack and give themselves the best chance of either repelling it or minimizing its impact?</p>
<p>We believe it’s time for a change.  In the coming weeks we’ll be answering these questions and others – and explaining why we believe there needs to be a fundamental shift in the way that</p>
<p><a href="http://www.twitter.com/VanityFair">@VanityFair</a> provides a comprehensive overview of Operation Shady Rat in its piece &#8216;<a href="http://www.vanityfair.com/culture/features/2011/09/chinese-hacking-201109?printable=true">Enter the Cyber-Dragon</a>&#8217; by <a href="http://www.twitter.com/M_J_Gross">@M_J_Gross</a></p>
]]></content:encoded>
			<wfw:commentRss>http://situationalroom.wordpress.com/2011/08/09/is-your-siem-real-shady/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/17aea691e1223f0a73257f630c551ca0?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">broadpr</media:title>
		</media:content>
	</item>
	</channel>
</rss>
