Beyond SIEM: IBM-Q1Labs, McAfee-NitroSecurity and Changing Perceptions of Data-Driven Security

This morning, a pair of announcements were made in the same space: IBM and McAfee are both making acquisitions in security information and event management (SIEM); IBM of Q1Labs, McAfee of NitroSecurity.
On the surface, there appear to be few surprises in these deals. Both “acquirees” have been widely rumored to be close to an exit for some time. After a series of acquisitions centered on security information management a few years back, IBM has taken heat for its relative acquiescence in the SIEM space compared to some of its most direct competitors. McAfee, meanwhile, has long had a SIEM gap in what is otherwise a fairly comprehensive strategy for centralized enterprise security management anchored on ePolicyOrchestrator.
It would therefore be easy to be dismissive about these deals. Despite its many challenges in adoption, SIEM is still a central aspect of security management in the enterprise, and has long been a focus of security operations. Having substantial weaknesses in this area is perceived as an oversight for any security vendor whose strategy embraces the enterprise to any significant degree.
But there is more to this story than just closing gaps or refreshing strategy. As with images which look like one thing when viewed a certain way, but when considered from a different perspective look like something entirely different, there is more to these deals than mere coincidence.
For one thing, the SIEM space itself has undergone changes in recent years. Many organizations that have bought SIEM have been frustrated with the end result. The deployment and integration of SIEM is typically no small undertaking – and not just in the largest or most distributed enterprises. Vendors often have their hands full trying to build compatibility with a wide range of point products – each of which may have a very different way of characterizing log or event data from one vendor to the next. In the enterprise, it would be challenge enough simply to integrate a number of point products to one central system – but when an organization is truly distributed across multiple groups, geographies or business units, the scale of the challenge can become oppressive. Meanwhile, smaller organizations that would welcome the advantages of greater security awareness find SIEM often beyond their reach.
These factors are bringing change to the nature of security information management. In the SIEM space, they have contributed to the rise of products that today emphasize ease of deployment, integration and use, with improved performance often highlighted. Q1Labs was one of the first to recognize that application flow data could be used to identify security-relevant events from a wide variety of very different technologies, freeing security vendors and enterprises alike from many of the burdens of rationalizing and normalizing often incompatible data formats and making for more efficient deployments. This provided the basis for Q1 to differentiate in the SIEM space and take on established competitors with a fresh approach.
NitroSecurity, meanwhile, rattled incumbents with high-performance data management technology that it brought to bear not only on SIEM but on intrusion detection and prevention as well. Nitro has more recently complemented its performance advantages with a more natural approach to data query and analysis. The intellectual property behind Nitro’s performance capabilities has its roots in US nuclear labs. Today, Nitro has a substantial presence in both government and industrial control systems – both of which are of high interest to McAfee (and its parent, Intel).
Both of these vendors have made a claim on the evolution of a new generation of SIEM as a result of these capabilities. NitroSecurity and Q1Labs are both looking beyond SIEM toward something each refers to as “security intelligence” in their pre-acquisition taglines.
If you’ve been following this blog, you recognize this as part of the broader scope of Data-Driven Security – but only part. Data-driven security is well more than SIEM. It is an evolution in how organizations collect and manage information relevant to security from multiple sources – not just defensive point products that must already know what they’re looking for.
True intelligence depends on the gathering and correlation of a lot more than just event data from security defenses alone. Infrastructure monitoring must be complemented by data from a wide range of other sources. Threats must be distinguished from legitimate activity – itself a daunting task in the presence of more sophisticated attacks. To this should be added relevant third party insight into the nature of the threat landscape. These data sources must then be subjected to a variety of analytic techniques, from rules that trigger specific alerts, to better recognition of patterns and improved ability to call out anomalies often overlooked.
These are reasons why some organizations have gone beyond traditional approaches to SIEM with more flexible tools that enable more proactive forensic analysis of as much activity data as they can acquire (as opposed to reactive analysis only after the fact, once an incident is known), particularly when event-centric systems may be limited to identifying what they already know – not exactly an ideal situation in the face of threats or tactics as yet unknown.
But all this is still only part of the security information management challenge. There is the matter of expertise that goes beyond technology. Ultimately, it is people that must be intelligent. For security analysts, the goal is more immediate and accurate insight into the nature of the game. Strategists seek to better understand how to place their bets on security management. In order for information to play a more central role in achieving these objectives, data must be broken out of silos and freed to yield the insights needed to achieve these ideals.
Today, the siloing of data is becoming a thing of the past. Not necessarily rapidly, not uniformly, and not at a similar pace across all interests. But it is happening – and it is affecting security just as much as any other important aspect of the business.
If SIEM is undergoing a transformation, it is certainly not alone. The data-driven enterprise is embracing a number of new approaches to data management under the influence of new and emerging technologies and practices. We are learning new things and more rapidly and effectively deriving new insights from masses of data that in the past may have been considered simply overwhelming.
Today’s acquirers of new approaches to SIEM – and other technologies that disrupt legacy approaches to security data management – should therefore be watched closely for the directions they take these assets, as part of larger initiatives to both broaden and deepen the nature of data-driven security. Rarely has there been a greater need for more responsive insight and much-needed maturity in management than in information security today. Security still lags behind other aspects of the intelligence-driven business – but the evolution of security intelligence could do much to change that. SIEM is certainly not the only segment to watch in this regard. Technologies and expertise from forensic analysis and security information management “in the Cloud” to the world of Big Data should be followed for the ways in which they, too, are converging to transform security into a more truly data-driven discipline.
Keep an eye on this space over the next several days for some real-world examples of the application of Big Data techniques to security intelligence and forensic analysis.
For EMA subscribers, I’ll soon have further insight into the IBM-Q1Labs and McAfee-NitroSecurity deals as well.

