
It’s not about adding another data source…

February 24, 2012

…it’s what you do with it that counts!

The New York Times Bits blog devoted 700 words to IBM’s announcement earlier this week that it has now managed to connect its newly acquired QRadar SIEM platform to its X-Force database. While this is news for IBM and QRadar customers it is, perhaps, less relevant for organizations that aren’t exclusively ‘Big Blue’.

The same piece states, “Businesses spend billions of dollars each year on firewalls, applications and antivirus software in a desperate attempt to ward off hackers and yet, even the companies, like Symantec and RSA, that sell ‘security solutions’ can’t keep themselves hacker-free”. This is, I believe, far more newsworthy – and an issue that I hope the industry will explore as it convenes in San Francisco next week for the annual RSA conference.

The article’s author claims that ‘the crux of the problem is that businesses have taken a piecemeal approach to security’. I disagree. There is no denying that you need these purpose-built products as part of an overall security strategy. The crux is that organizations do not have the capability to collect, monitor, analyze and correlate ALL relevant security data from each of the different devices and products in order to make sense of what is actually happening in their network. The majority of products, including SIEM tools like IBM’s QRadar, collect just log and event data. This may enable security analysts to understand that something has happened, but not to answer the most important questions: how, where and what, exactly, has happened? Because they can’t answer these questions they can’t figure out what needs to be done to repel an attack, identify the likely target, and take timely action to stop it. You need to collect, analyze and correlate not only log data with threat intelligence data like X-Force, but also other critical data such as asset configuration state, vulnerability state, asset criticality and connectivity state, for effective threat detection and mitigation.
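To make the point concrete, here is an added example (not code from the post, from IBM or from any SIEM product) of what correlating a log event with threat intelligence, asset criticality, vulnerability state and connectivity state actually changes. Every host, port, indicator, signature and log line below is constructed for illustration; the scoring weights are an assumption chosen to show the effect, not a standard.

```python
"""Correlate raw SIEM events with threat-intel, asset, vulnerability and
connectivity context. Added example, not code from the original post or from
any SIEM product; every log line, indicator and inventory record is constructed."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int            # 1 (low) .. 5 (business critical)
    reachable_ports: frozenset  # connectivity state: ports reachable after firewall/host config
    unpatched: frozenset        # vulnerability state: outstanding vulnerability tags


# Constructed asset inventory (hypothetical hosts).
ASSETS = {
    "10.0.5.10": Asset("payroll-db", 5, frozenset({445, 1433}), frozenset({"smb-rce-unpatched"})),
    "10.0.9.77": Asset("kiosk-17", 1, frozenset({80}), frozenset()),
}

# Constructed threat-intelligence feed: indicator -> label.
THREAT_INTEL = {"198.51.100.23": "known-exploit-kit-host"}

# Constructed mapping: which vulnerability a signature needs in order to succeed.
SIG_REQUIRES = {"SMB-EXPLOIT-ATTEMPT": "smb-rce-unpatched"}

# Constructed IDS alerts in a simple key=value syslog style.
SAMPLE_LOGS = [
    "2012-02-24T10:01:02Z ids alert src=198.51.100.23 dst=10.0.5.10 dport=445 sig=SMB-EXPLOIT-ATTEMPT",
    "2012-02-24T10:01:09Z ids alert src=198.51.100.23 dst=10.0.9.77 dport=445 sig=SMB-EXPLOIT-ATTEMPT",
    "2012-02-24T10:02:15Z ids alert src=203.0.113.5 dst=10.0.5.10 dport=80 sig=HTTP-SCAN",
    "2012-02-24T10:03:00Z ids alert src=192.0.2.9 dst=10.0.5.10 dport=445 sig=SMB-EXPLOIT-ATTEMPT",
]

EVENT_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) sig=(\S+)")


def parse_event(line):
    """Extract the fields a log-only SIEM would have; None if the line is not an alert."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return {"src": m.group(1), "dst": m.group(2), "dport": int(m.group(3)), "sig": m.group(4)}


def correlate(event, intel=THREAT_INTEL, assets=ASSETS):
    """Enrich one event and score it. On log data alone every SMB-EXPLOIT-ATTEMPT
    alert looks identical; the context decides how, where and what happened."""
    score, reasons = 1, []                      # base score: something happened
    if event["src"] in intel:
        score += 2
        reasons.append("source on threat intel: " + intel[event["src"]])
    asset = assets.get(event["dst"])
    if asset is None:
        reasons.append("destination not in asset inventory (coverage gap)")
    elif event["dport"] not in asset.reachable_ports:
        # Connectivity state: the attempt could not have reached the service.
        score = 0
        reasons.append(f"port {event['dport']} not reachable on {asset.name}")
    else:
        needed = SIG_REQUIRES.get(event["sig"])
        if needed and needed not in asset.unpatched:
            reasons.append(f"{asset.name} is patched against {event['sig']}")
        else:
            # Reachable and (as far as we know) vulnerable: weight by asset criticality.
            score += asset.criticality
            reasons.append(f"{asset.name} exposed (criticality {asset.criticality})")
    priority = "critical" if score >= 6 else "investigate" if score >= 1 else "informational"
    return {**event, "score": score, "priority": priority, "reasons": reasons}


def triage(lines):
    """Parse, correlate and rank a batch of log lines, highest score first."""
    events = [e for e in map(parse_event, lines) if e]
    return sorted((correlate(e) for e in events), key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in triage(SAMPLE_LOGS):
        print(r["priority"], r["score"], r["src"], "->", r["dst"], r["sig"], "; ".join(r["reasons"]))
```

Run as-is, the four constructed alerts come out in a very different order from the one a log-only view would give: the two exploit attempts against the unpatched, business-critical database rank first (one of them from an address the threat-intel feed already knows), while the identical signature fired against a kiosk whose port 445 is not even reachable drops to informational. The log line tells you that something happened; the asset, vulnerability and connectivity state are what tell you where it mattered and what to do about it.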

For the majority of organizations, information security is more post mortem than critical care… and regardless of how many billions of dollars you spend on security tools, until you fix this inherent problem in traditional SIEM tools, large organizations will continue to be breached at will.
