Skip to content

Real Integration

April 7, 2009

Our friends at the SANS institute are going to release their annual Log Management survey any minute now. Based on the early coverage hitting the wires and trade rags this morning, it seems one of the key findings is that most companies are collecting logs. That’s great news.

Additionally, customers now expect their log management and SIEM capabilities to be “integrated.” Again, eIQ believes this is right on the money. The issue in taking these statements at face value is that the term “integration” is going to be twisted and turned to such a degree, you won’t even be able to recognize it. No one wants to bring a “two headed monster” into the environment.

So let’s lay out a couple of key ideas of what integration really means and then you can ask your favorite vendors to what degree they meet these ideals.

  1. Does the vendor make both log management and SIEM technology? – As the SIEM market has evolved, you have vendors from both the SIEM and Log Management spaces converging into the same place. A few have decided to take short cuts and OEM technology to fill the gaps in their offering. So the first question to ask is whether the vendor actually produces both aspects of the solution. An OEM relationship doesn’t lend itself to real integration.
  2. Does the SIEM and Log Management functions share a data store? – This is another area that vendors will try to deceive customers. The fact is most vendors in the space offer totally separate products for SIEM and log management. Some use their log management products to address scalability issues with their SIEM. Whatever the reason, if the products use different data stores and hardly even have interface integration, how can they say the solution is integrated?
  3. Does the solution go beyond logs? – Log data is great, but it’s not enough. It’s critical to be able to analyze not just logs, but also other data types like configuration, asset, performance, vulnerability and network flow data to figure out what is happening in the IT environment. The vendors can talk about integration all they want, but if they are only looking at logs – then they are looking in the rear view mirror and will not be able to react fast enough to an emerging threat.

You probably aren’t surprised that eIQ can answer all these questions and show REAL INTEGRATION. SecureVue is a single platform, using a single data store for both SIEM and log management. We also do configuration assessment using the same platform and will continue adding functions over time.

The reason we use our own data store is because we couldn’t find one that could meet the needs of both SIEM and log management use cases. It seems other vendors are finding out the same thing and having to use separate data stores to solve the problem.

The two headed monster was kind of cool to see in a horror flick. They also say “two heads are better than one.” Sometimes that’s true, but not in this case. You don’t want to see two heads in your security environment. Clearly customers want integration, just make sure you understand what “integration” really means.

No comments yet

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: