Research

As we continue with our tour through the RSA Conference, we’re in the home stretch. Today we’ll hit both security management and compliance, since the two are intrinsically linked. Security Management Security Management has been a dynamic and quickly evolving space that received a lot of attention at conference like RSA. Yet, we will probably see a little bit less visibility on the part of what we typically call security management (basically SIEM/Log Management) this year, because there will be fewer folks beating the drum for this technology. Why? That brings us to our first observation… I can haz your start-up Amazingly enough, the two highest profile SIEM/Log Management vendors were acquired on the same day last October. Q1Labs by IBM and Nitro Security by McAfee, which we wrote about in this post. This followed Big IT investing in the space over the previous few years (HP bought ArcSight in 2010 and RSA bought Network Intelligence in 2006 and Netwitness in earlier in 2011). So basically at the RSA show, you’ll see these security management platforms positioned clearly as the centerpiece of the security strategies of the Big security vendors. Cool, huh? The technology has moved from being an engine to generate compliance reports to a strategic part of the big security stack. What will you see from these big vendors? Mostly a vision about how buying into their big security stacks you’d be able to enforce a single policy across all of your security domains and gain tremendous operational leverage. I say vision because the reality is these deals have all closed within the last two years and true integration remains way down the line. So make sure to poke hard on the plans for true integration, as opposed to what the booth graphics say. And then add a year or two to their estimates. But there is one area of integration where you can get immediate value which is integration on the purchase order, which we don’t want to minimize. Being able to dramatically expand a security management implementation with money already committed to a 7 or 8-figure enterprise purchase agreement is a good thing. What about the Independents? You know, the handful that remain. These folks have no choice but to focus on the fact they aren’t a big company, but as we mentioned in the IBM/Q1 and MFE/Nitro deal analysis post, security management is a big company game now. But do check out these vendors to see them thinking somewhat out of the box relative to what’s next. Clearly you aren’t going to see a lot of forward thinking innovation out of the big vendors, as they need to focus more in integration. But the smaller vendors should be able to push the ball forward, and then see their innovations co-opted by the big guys. Yup, it’s a brutal world out there, but that’s how things work. Don’t forget about those pesky logs. As mentioned, a lot of focus will be on how SIEM becomes the centerpiece of the big IT companies security stacks. But let’s make the point that Log Management isn’t dead. You’ll see some companies looking to replicate the success of Splunk in focusing on not only security-oriented use cases for log data. That means things like the use cases discussed in our Monitoring Up the Stack research, and things like click stream analysis, transaction fraud detection, and pinpointing IT operations issues. Also expect to hear a bunch about log management in the cloud. For those smaller organizations, this kind of deployment model can make a lot of sense. But there are some multi-tenancy complications to storing your logs in someone else’s cloud. So be sure to ask very detailed and granular questions about how they segment and protect the log data you send to them. Platform hyperbole Finally let’s point out the place where you’ll need to cut through the vendor boasts and hyperbole with a machete. That’s these so-called platforms, described above. We’ve been talking for a long time about the need to go beyond logs for a more functional security management capability, and you’ll hear that at the show as well. But the question will remain, where does the platform begin? And where does it end? There is no clear answer. But let’s be very clear, we believe the security management platform of the future will be able to digest and analyze network full packet capture traffic. As we discussed in our Advanced Network Security Analysis research, to truly confirm a breach and understand the attacks used against you, it requires more granular information that exists in the logs. The question is to what degree the security management vendors acknowledge that. The vendors that have it either via acquisition (RSA) or partnership (everyone else), won’t shy away from this realization. The real question gets back to you. To what degree can your existing personnel and processes make effective use of packet capture data? if you don’t have the sophistication to do malware analysis or do a detailed forensic investigation in house, then logs are good for the time being. But if you are interested in full packet capture, then really hit the vendors on integration with their existing SIEM platform. Firing alerts in two separate consoles doesn’t help you do things faster, nor is clicking on a log record to isolate the packet capture data in another system going to be a long term solution. You’ll also still hear a bit about GRC, but the wind is out of those sails, and justifiably so. Not that IT-GRC platforms can’t add value, but most companies have a hard enough time getting their SIEM to correlate anything, so the idea of a big stack IT-GRC and the associate integration is challenging. Compliance We get the sense that most of the vendors are tired of talking about compliance as they have switched their focus to APT and ‘The Insider Threat’. You know, that sexy security stuff, while compliance continues to be the biggest driver of security spend. Though you know trade shows, the

Those of you familiar with DAM already know that over the last four years DAM solutions have been bundled with assessment and auditing capabilities. Over the last two years we have seen near universal inclusion of discovery and rights management capabilities. DAM is the centerpiece of a database security strategy, but as a technology it is just one of a growing number of important database security tools. We have already defined Database Security Platform, so now let’s spend a moment looking at the key components, how we got here, and where the technology and market are headed. We feel this will fully illustrate the need for the name change. Database Security Platform Origins The situation is a bit complicated, so we include a diagram that maps out the evolution. Database Activity Monitoring originated from leveraging core database auditing features, but quickly evolved to include supporting event collection capabilities: Database Auditing using native audit capabilities. Database Activity Monitoring using network sniffing to capture activity. Database Activity Monitoring with server agents to capture activity. So you either used native auditing, a network sniffer, or a local agent to track database activity. Native auditing had significant limitations – particularly performance – so we considered the DAM market distinct from native capabilities. Due to customer needs, most products combined network monitoring and agents into single products – perhaps with additional collection capabilities, such as memory scanning. The majority of deployments were to satisfy compliance or audit requirements, followed by security. There were also a range of distinct database security tools, generally sold standalone: Data Masking to generate test data from protection data, and to protect sensitive information while retaining important data size and structural characteristics. Database Assessment (sometimes called Database Vulnerability Assessment) to assess database configurations for security vulnerabilities and general configuration policy compliance. User Rights Management to evaluate user and group entitlements, identify conflicts and policy violations, and otherwise help manage user rights. File Activity Monitoring to monitor (and sometimes filter) non-database file activity. Other technologies have started appearing as additional features in some DAM products: Content Discovery and Filtering to identify sensitive data within databases and even filter query results. Database Firewalls which are essentially DAM products placed inline and set to filter attack traffic, not merely monitor activity. The following graph shows where we are today: As the diagram shows, many of these products and features have converged onto single platforms. There are now products on the market which contain all these features, plus additional capabilities. Clearly the term “Database Activity Monitoring” only covers a subset of what these tools offer. So we needed a new name to better reflect the capabilities of these technologies. As we looked deeper we realized how unusual standalone DAM products were (and still are). It gradually became clear that we were watching the creation of a platform, rather than the development of a single-purpose product. We believe the majority of database security capabilities will be delivered either as a feature of a database management system, or in these security products. We have decided to call them Database Security Platforms, as that best reflects the current state of the market and how we see it evolving. Some of these products include non-database features designed for data center security – particularly File Activity Monitoring and combined DAM/Web Application Firewalls. We wouldn’t be surprised to see this evolve into a more generic data center security play, but it’s far too early to see that as a market of its own. Market and Product Evolution We already see products differentiating based on user requirements. Even when feature parity is almost complete between products, we sometimes see vendors shifting them between different market sectors. We see primary use cases, and we expect products to differentiate along these lines over time: Application and Database Security: These products focus more on integrating with Web Application Firewalls and other application security tools. They place a higher priority on vulnerability and exploit detection and blocking; and sell more directly to security, application, and database teams. Data and Data Center Security: These products take a more data-centric view of security. Their capabilities will expand more into File Activity Monitoring, and they will focus more on detecting and blocking security incidents. They sell to security, database, and data center teams. Audit and Compliance: Products that focus more on meeting audit requirements – and so emphasize monitoring capabilities, user rights management, and data masking. While there is considerable feature overlap today, we expect differentiation to increase as vendors pursue these different market segments and buying centers. Even today we see some products evolving primarily in one of these directions, which is often reflected in their sales teams and strategies. This should give you a good idea of how we got here from the humble days of DAM, and why this is more than just a rebranding exercise. We don’t know of any DAM-only tools left on the market, so that name clearly no longer fits. As a user and/or buyer we also think it’s important to know which combination of features to look at, and how they can indicate the future of your product. Without revisiting the lessons learned from other security platforms, suffice it to say that you will want a sense of which paths the vendor is heading down before locking yourself into a product that might not meet your needs in 3-5 years. Share:

Just a quick announcement that this Wednesday I will be doing a webcast on how to reduce PCI-DSS scope and audit costs with tokenization. This will cover the meaty part of our Tokenization Guidance paper from last year. In the past I have talked about issues with the PCI Council’s Tokenization supplement; now I will dig into how tokenization affects credit card processing systems, and how supplementary systems can fall out of scope. The webcast will start at 11am PST and run for an hour. You can sign up at the sponsor’s web site. Share:

Just a little President’s Day update on the Malware Analysis Quant project. At the end of last month we packaged up all the process descriptions into a spiffy paper, which you can download and check out. We have been cranking away at the second phase of the research, and the first step of that is the survey. Here is a direct survey link, and we would love your input. Even if you don’t do in-depth malware analysis every day, that’s instructive, as we try to figure out how many folks actually do this work, and how many rely on their vendors to take care of it. Finally, we have also started to document the metrics that will comprise the cost model which is the heart of every Quant project. Here are links to the metrics posts we include both in the Heavy feed and on the Project Quant blog. Metrics – Confirm Infection Metrics – Build Testbed Metrics – Static Analysis Metrics – Dynamic Analysis Metrics – The Malware Profile One last note: as with all of projects, our research methodology is dynamic. That means posting something on our blog is just the beginning. So if you read something you don’t agree with let us know, and work with us to refine the research. Leave a comment on the blog, or if for some reason you can’t do that drop us an email. Share: