SIEM: Out with the Old

About four years ago we saw the first big wave of replacements of older email security tools with a second generation we now call ‘content security’. Early email security products were deployed in-house and focused on anti-virus, anti-spam, and mail server integration. The current generation of products offered new SaaS and hybrid deployment models, technology advancements in web and content filtering, more elastic service sets, and centralized web management consoles. And let’s not forget the larger security firms with products lagging far behind the state of the art, milking their cash cows while smaller firms innovated.

We see the same wave of succession right now in the SIEM market. First generation products – despite being entrenched – make customers uncomfortable enough to start asking what else is available. They are looking for better, easier, and faster. We hear numerous complaints about existing solutions:

  • “We collect every event in the data center, but we can’t answer security questions, only run basic security reports.”
  • “We can barely manage our SIEM today, and we plan on rolling event collection out across the rest of the organization in the coming months.”
  • “I don’t want to manage these appliances – can this be outsourced?”
  • “Do I really need a SIEM, or is log management and ad hoc reporting enough?”
  • “Can we please have a tool that does what it says?”
  • “Why is this product so effing hard to manage?”

We see new products designed both to improve scalability and to come closer to real-time analysis. They can collect events from just about every type of network device and application, normalize them, and provide better drill-down capabilities. And there are many new analysis features – including enrichment, attack signature patterns, and application-layer monitoring. The first generation of products are looking old, and I hear more and more unhappiness with today’s entrenched solutions.

I ran across Anton Chuvakin’s How to Replace a SIEM? this week. His tips apply to a wider audience than just Cisco MARS customers kicking other vendors’ tires. He offers two excellent vendor migration suggestions that bear repeating.

First, leave the existing system running for some time – at least through the migration. This way you are still covered during the migration, and in the event previously collected data is not compatible across systems, you can still run reports and access forensic data. I have seen cases of “rip and replace” where the old system is removed while – or even before – the new system is up and running. That means no coverage for a (potentially extended) period. I sometimes call that ‘optimism’, but you may prefer another term. The sales process is a good time to ensure your (new, hungry) vendor can run in parallel with your existing tool – don’t buy it and then let them tell you that’s an unsupported scenario.

Second, have the new vendor help with setup. Deployment issues are some of the most serious problems we hear of. Hiring the vendor not only helps avoid many pitfalls, but also makes it easier and quicker to replicate the rules and reports you currently use. And during the sales process you can negotiate attractive pricing on getting the work done as a condition of the sale.

But before you replace a SIEM there are a couple of other things you need to consider:

Post mortem: What exactly are the problems with the existing system, and what do you hope to accomplish? It’s not hard to come up with a list of problems and areas for improvement – it’s much harder to vet a new technology to confirm it addresses your demands without adding its own slew of new pitfalls. The problem here is that vendors will tell you they can do whatever you ask for. Realistically, you need to check with other customers who already own and operate the new product before you buy – see what their experiences have been.

What you have: The SIEM you have was installed for a reason. Actually, they are normally installed for several reasons, to address a list of business and security problems which grows over time. It’s easy to forget everything your system does when its failings are so easy to see. Make sure you have a complete understanding of what issues are currently being addressed and must be replicated on the new system. This includes compliance and security functions across management, operations, and security organizations. Worse, the existing SIEM likely feeds data to other systems you forgot about. The list you build is almost always much longer than expected. The good news is that this process saves time and avoids trouble down the road, and helps form RFP questions and guide proof of concept testing. You want a new product that handles your new wish list, but don’t give up on any core reasons you are already running a SIEM. SIEM replacement can be easier than a first installation, but you need to leverage the knowledge you have to make it so. That may sound easy, but it takes work to gather the organizational memory you need and clearly document your goals moving forward.
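The “run both in parallel” advice only pays off if somebody actually confirms that the new system sees everything the old one sees before the old one is unplugged. The following is an added example, not code from the original post or from any SIEM product. It assumes both systems can export one plain “timestamp source event” line per ingested event for the same time window (an assumption; real exports vary), plus a list of the enabled correlation rules and scheduled reports on each side. It compares per-source event volume and rule coverage, and flags log sources the new SIEM has not received at all, sources whose volume dropped beyond a tolerance (a sign of a broken collector or parser), and rules or reports not yet replicated. The sample exports, host names and rule names are constructed.

```python
"""Parity check for a SIEM migration run in parallel (added example).

Assumed export format: one event per line, "ISO8601-timestamp source event-id".
Sample data below is constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed: the same one-minute window exported from the old and new SIEM.
OLD_EXPORT = """\
2013-05-13T09:00:01Z fw-edge-01 TCP_DENY
2013-05-13T09:00:02Z fw-edge-01 TCP_DENY
2013-05-13T09:00:05Z dc-auth-01 4625
2013-05-13T09:00:06Z dc-auth-01 4624
2013-05-13T09:00:07Z dc-auth-01 4624
2013-05-13T09:00:09Z web-proxy-01 URL_BLOCK
2013-05-13T09:00:10Z web-proxy-01 URL_ALLOW
2013-05-13T09:00:11Z web-proxy-01 URL_ALLOW
2013-05-13T09:00:12Z web-proxy-01 URL_ALLOW
2013-05-13T09:00:15Z db-prod-01 LOGIN_FAIL
"""

NEW_EXPORT = """\
2013-05-13T09:00:01Z fw-edge-01 TCP_DENY
2013-05-13T09:00:02Z fw-edge-01 TCP_DENY
2013-05-13T09:00:05Z dc-auth-01 4625
2013-05-13T09:00:06Z dc-auth-01 4624
2013-05-13T09:00:07Z dc-auth-01 4624
2013-05-13T09:00:09Z web-proxy-01 URL_BLOCK
"""

# Constructed: rule/report names as they appear in each product's console.
OLD_RULES = {"brute-force-windows", "outbound-c2-beacon",
             "pci-failed-db-logins", "dlp-weekly-report"}
NEW_RULES = {"brute-force-windows", "outbound-c2-beacon"}


def count_by_source(export: str) -> Counter:
    """Count ingested events per log source in an export."""
    counts: Counter = Counter()
    for line in export.splitlines():
        line = line.strip()
        if not line:
            continue
        _timestamp, source, _event = line.split(maxsplit=2)
        counts[source] += 1
    return counts


@dataclass
class ParityReport:
    missing_sources: list      # sources the new SIEM never received
    under_reported: dict       # source -> (old_count, new_count)
    missing_rules: list        # rules/reports not replicated on the new SIEM

    def ok(self) -> bool:
        return not (self.missing_sources or self.under_reported or self.missing_rules)


def check_parity(old_export: str, new_export: str,
                 old_rules: set, new_rules: set,
                 tolerance: float = 0.10) -> ParityReport:
    """Compare source volume and rule coverage between the two systems.

    A source is under-reported when the new system holds fewer than
    (1 - tolerance) of the old system's events for the window.
    """
    old = count_by_source(old_export)
    new = count_by_source(new_export)
    missing_sources = sorted(s for s in old if s not in new)
    under_reported = {}
    for source, n_old in old.items():
        if source in new and new[source] < n_old * (1 - tolerance):
            under_reported[source] = (n_old, new[source])
    missing_rules = sorted(set(old_rules) - set(new_rules))
    return ParityReport(missing_sources, under_reported, missing_rules)


def format_report(report: ParityReport) -> str:
    """Render the findings as a short text block for a migration checklist."""
    lines = ["parity: OK" if report.ok() else "parity: GAPS FOUND"]
    for s in report.missing_sources:
        lines.append(f"  missing source: {s}")
    for s, (n_old, n_new) in report.under_reported.items():
        lines.append(f"  under-reported: {s} old={n_old} new={n_new}")
    for r in report.missing_rules:
        lines.append(f"  rule not replicated: {r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(check_parity(OLD_EXPORT, NEW_EXPORT, OLD_RULES, NEW_RULES)))
```

Run it repeatedly during the parallel period; a source that appears in the old export only shows a collector that was never pointed at the new system, while a large volume gap on a source that is present usually means a parser is silently dropping events. The rule list is the part people forget to diff, and it is where the downstream consumers (compliance reports, ticketing feeds) quietly break.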

Incomplete Thought: Existential Identities (or: Who the F*** are You?)

Do you ever think about how you could just disappear? Or become someone else? Maybe only I do that after reading one too many Jason Bourne novels. Given anyone’s ability, with a keyboard and an Internet connection, to become anyone (even Abraham Lincoln is spewing quotes on Twitter now), what does ‘identity’ mean now? In the future? And is your ‘identity’ singular, or will it become identities moving forward?

This interview on NetworkWorld with a guy who specializes in making folks disappear was fascinating. Mostly because the approach is totally counter-intuitive. You’d probably guess it’s about hiding your identity or taking someone else’s. But it’s not – at least according to this guy who helps folks hide for a living. It’s about making it hard (if not impossible) to find you through disinformation, using tactics like manufacturing online identities with the same name and sending anyone trying to find you on a wild goose chase. Unless you have someone very motivated to find you personally, this should work like a charm.

Think about that for a second. Maybe even think about it from my perspective. There are already a bunch of Mike Rothmans out there. I went to college with one. Yes, a guy with my name – even down to our common middle initial – ended up in the same class at the same college. And that’s without even trying. What if a bunch of new Mike Rothmans showed up? How would you know which one(s) was really me? Maybe I’m not a great example due to my attention whoring disorder – I want you to find me, at least online. But less public folks could likely disappear with little fanfare, leaving a myriad of false trails.

So as The Who sang years ago, “Who the F*** are you?” False identities are created every day, with severe ramifications. Think about all those crazy parents creating Facebook identities to spy on their kids or make their kids’ rivals look bad.

In this age of social networking, citizen journalism, and Twitter, identity matters but is increasingly hard to define – and even harder to verify. Some folks have been able to get verified Twitter accounts, which could then be hacked. We talked about identity verification and non-repudiation as this ecommerce thing caught fire a few years ago, and then we basically forgot about it and forced the credit card companies to take on most of the liability. Then they forced the merchants to eat it. Risk transference for the win. And now the media seems to fall hook, line, and sinker every time a “citizen journalist” creates a meme, which turns out to be just a front for some big nameless company driving its own agenda. Folks take seriously what they read on all these myriad communication vehicles, regardless of source. And everyone engaging in social networking contributes. As long as they don’t exhibit trollish behavior, it looks like most of us have no issue linking to them and including them as part of the conversation, even though we don’t know who they are. I know I do, fairly frequently.

I’ve been struggling with my position on anonymous folks for years. I get that some folks cannot divulge their real names because it could cost them their jobs. But do I continue giving these unverified folks any airtime? And what do I tell my kids? I constantly harp on honesty and honorable behavior. But I’m trying to show them that not everyone holds themselves to the same ethical standards. It’s important they do not believe everything they read or hear. They need to do the work, and figure out what is real and what is not. What they want to believe and what they want to reject.

Given this lack of identity, the problem is going to get worse. Where is identity going? How will we verify who is who? Do we even need to? What’s the significance for how we do security? At this point I don’t have any answers. I’m not even sure I know the questions.

I know Gunnar and Adrian have been thinking quite a bit about how identity evolves from here. I plan to pick Gunnar’s brain at Secure360 this week, and plenty of other big brains. If you have given some thought to this, please let me know what you think in the comments.

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments and input factor into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, the handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very, very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, at the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be unbiased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.