RSA Conference 2012 Guide: Security Management and Compliance
By Mike Rothman
As we continue with our tour through the RSA Conference, we’re in the home stretch. Today we’ll hit both security management and compliance, since the two are intrinsically linked.
Security Management has been a dynamic and quickly evolving space that has received a lot of attention at conferences like RSA. Yet we will probably see a bit less visibility this year for what we typically call security management (basically SIEM/Log Management), because there will be fewer folks beating the drum for this technology. Why? That brings us to our first observation…
I can haz your start-up
Amazingly enough, the two highest profile SIEM/Log Management vendors were acquired on the same day last October: Q1 Labs by IBM and NitroSecurity by McAfee, which we wrote about in this post. This followed Big IT investing in the space over the previous few years (HP bought ArcSight in 2010, and RSA bought Network Intelligence in 2006 and NetWitness earlier in 2011). So at the RSA show you’ll see these security management platforms positioned clearly as the centerpiece of the big security vendors’ strategies. Cool, huh? The technology has moved from being an engine for generating compliance reports to a strategic part of the big security stack.
What will you see from these big vendors? Mostly a vision of how, by buying into their big security stacks, you’d be able to enforce a single policy across all of your security domains and gain tremendous operational leverage. I say vision because the reality is that these deals all closed within the last two years, and true integration remains way down the line. So make sure to poke hard on the plans for true integration, as opposed to what the booth graphics say. And then add a year or two to their estimates.
But there is one area of integration where you can get immediate value, and we don’t want to minimize it: integration on the purchase order. Being able to dramatically expand a security management implementation with money already committed to a 7- or 8-figure enterprise purchase agreement is a good thing.
What about the independents? You know, the handful that remain. These folks have no choice but to focus on the fact that they aren’t a big company, but as we mentioned in the IBM/Q1 and MFE/Nitro deal analysis post, security management is a big company game now. But do check out these vendors to see them thinking somewhat out of the box about what’s next. Clearly you aren’t going to see a lot of forward-thinking innovation out of the big vendors, as they need to focus more on integration. The smaller vendors should be able to push the ball forward, and then see their innovations co-opted by the big guys. Yup, it’s a brutal world out there, but that’s how things work.
Don’t forget about those pesky logs.
As mentioned, a lot of focus will be on how SIEM becomes the centerpiece of the big IT companies’ security stacks. But let’s make the point that Log Management isn’t dead. You’ll see some companies looking to replicate the success of Splunk by focusing on more than just security-oriented use cases for log data. That means the use cases discussed in our Monitoring Up the Stack research, as well as things like clickstream analysis, transaction fraud detection, and pinpointing IT operations issues.
Also expect to hear a bunch about log management in the cloud. For smaller organizations this kind of deployment model can make a lot of sense. But there are multi-tenancy complications to storing your logs in someone else’s cloud, so be sure to ask very detailed and granular questions about how they segment and protect the log data you send them.
Finally, let’s point out the place where you’ll need to cut through the vendor boasts and hyperbole with a machete: the so-called platforms described above. We’ve been talking for a long time about the need to go beyond logs for a more functional security management capability, and you’ll hear that at the show as well. But the question will remain: where does the platform begin, and where does it end? There is no clear answer.
But let’s be very clear: we believe the security management platform of the future will be able to digest and analyze full packet capture traffic from the network. As we discussed in our Advanced Network Security Analysis research, truly confirming a breach and understanding the attacks used against you requires more granular information than exists in the logs. The question is to what degree the security management vendors acknowledge that.
The vendors that have it, either via acquisition (RSA) or partnership (everyone else), won’t shy away from this realization. The real question gets back to you: to what degree can your existing personnel and processes make effective use of packet capture data? If you don’t have the sophistication to do malware analysis or a detailed forensic investigation in house, then logs are good enough for the time being. But if you are interested in full packet capture, then really hit the vendors on integration with their existing SIEM platform. Firing alerts in two separate consoles doesn’t help you do things faster, and clicking on a log record to pull up the packet capture data in another system isn’t a long term solution either.
You’ll also still hear a bit about GRC, but the wind is out of those sails, and justifiably so. Not that IT-GRC platforms can’t add value, but most companies have a hard enough time getting their SIEM to correlate anything, so the idea of a big stack IT-GRC and the associated integration is challenging.
We get the sense that most of the vendors are tired of talking about compliance, as they have switched their focus to APT and ‘The Insider Threat’. You know, the sexy security stuff, while compliance continues to be the biggest driver of security spend. But you know trade shows: the focus needs to remain on the shiny stuff, so we don’t expect compliance to be a major theme for the show this year. Where compliance does come up, we will see a mix of regulation-focused messages and compliance-specific technologies, pretty much like every year:
We continue to see rapid adoption of tokenization to address the Payment Card Industry Data Security Standard (PCI-DSS), and you’ll likely see all of the vendors crowing about this at RSA. We’re seeing widespread interest in tokenization, especially within the retail and finance verticals. Companies are looking to reduce costs and minimize PCI audit scope, since it’s not like PCI adds to their top line. Thus the desire to at least reduce — if not eliminate — the expense. Remember that tokenization substitutes credit card numbers stored at a merchant site with a harmless, well, token. The token only represents the credit card transaction, so a stolen token cannot be used to commit fraud. If you are looking to get educated at the show, focus on the sessions where savvy users talk about how they reduce the scope of PCI audits, along with the associated costs of securing credit card data, using this approach. While only a handful of tokenization vendors will be at the show, many of the payment processors have partnered with technology providers to offer tokenization as a managed service. Expect to see plenty of interest and discussion on this topic, and long lines at vendor booths.
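To make the scope-reduction argument concrete, here is an added example (not code from the original post or from any tokenization vendor) of the mechanism described above: a token vault that keeps the only copy of the card number, hands the merchant a random token that carries nothing reversible, and refuses to detokenize for anyone but the payment role. The `TokenVault` class, the `payment-processor` role name, the HMAC key and the order records are all constructed for illustration; the card numbers are the well-known test numbers, not real cards. The `find_pans` check at the end is the kind of crude scan an assessor might run over merchant data to see whether anything card-like remains in scope.

```python
import re
import secrets
import hmac
import hashlib

def luhn_valid(digits: str) -> bool:
    """Luhn check digit test, which real PANs pass and our tokens deliberately fail."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Stand-in for a tokenization service (assumed design, not any vendor's product).

    The vault keeps the only copy of the PAN. The token it returns is random digits
    (plus the real last four, for receipts) and carries nothing a thief could reverse
    or reuse without access to this vault.
    """
    DETOKENIZE_ROLES = {"payment-processor"}   # assumed role allowed to see real PANs

    def __init__(self, hmac_key: bytes):
        self._hmac_key = hmac_key      # keyed index so the vault's lookup table isn't itself a PAN list
        self._token_to_pan = {}
        self._index_to_token = {}
        self.audit = []                # every detokenize attempt is recorded here

    def _index(self, pan: str) -> str:
        return hmac.new(self._hmac_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._index_to_token:          # same PAN always maps to the same token
            return self._index_to_token[idx]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject candidates that pass Luhn: a token must never be mistakable for a card number.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        allowed = caller_role in self.DETOKENIZE_ROLES
        self.audit.append((token[-4:], caller_role, "ok" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]

PAN_PATTERN = re.compile(r"\b\d{13,19}\b")

def find_pans(text: str) -> list:
    """Rough PCI scoping check: digit runs of card length that pass Luhn."""
    return [m for m in PAN_PATTERN.findall(text) if luhn_valid(m)]

def tokenize_records(vault: TokenVault, records: list) -> list:
    """Replace every PAN in a merchant's records with its token from the vault."""
    out = []
    for rec in records:
        for pan in find_pans(rec):
            rec = rec.replace(pan, vault.tokenize(pan))
        out.append(rec)
    return out

if __name__ == "__main__":
    vault = TokenVault(hmac_key=b"constructed-vault-key")
    # Constructed merchant order records containing standard test card numbers.
    orders = ["order 1001 card 4111111111111111 amount 42.00",
              "order 1002 card 5555555555554444 amount 19.99"]
    tokenized = tokenize_records(vault, orders)
    print(tokenized)
    print("PANs left in merchant data:", sum(len(find_pans(r)) for r in tokenized))
```

The two design points worth asking vendors about are visible here: the token is generated randomly (not derived from the PAN), and candidate tokens that would pass the Luhn check are thrown away so a token can never be mistaken for, or replayed as, a card number. Whatever still detokenizes (here, only the `payment-processor` role) is the part that stays in PCI scope.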
GRC, Risk and The Cloud
While most journalists fling FUD balls with claims that ‘the cloud’ is less secure than traditional IT centers, most companies continue to look at how to use the cloud securely. Policy wonks work feverishly to see how they can leverage cheap cloud resources while meeting governance and compliance requirements. When in doubt, companies are using ‘virtual private’ clouds to maintain the spirit of compliance, while the assessors debate how to factor these new architectures into their findings. This might mean creating a private cloud on public infrastructure – one that can only be accessed from inside a company’s existing IT systems – or a virtual private storage container where they encrypt everything before it’s moved to the cloud. Suffice it to say, these kinds of cloud use cases should be an interesting topic of conversation on the show floor, especially for application and database security types struggling with architecting secure cloud offerings.
ETL, dynamic masking, and masking in place are three deployment variations of data masking, and we are seeing growing adoption of all three, again as a means to reduce scope for these pesky audits. As applications are deployed faster under ‘Agile’ development cycles, there is a clear need for the agile creation of near-production quality data. Big data storage and processing requirements outstrip the performance capabilities of encryption, further complicating the issue. Complex data sets used for analysis – such as medical data – defy tokenization and stringent access control restrictions, so masking tends to be the best option to protect these data types, and the masking products have evolved to fill that need. We expect masking technologies to play an increasing role in data security at the show and in the coming years, as an adjunct to encryption and tokenization-based approaches to compliance-driven data security.
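The three deployment variations above differ in where the masking happens rather than in what it does, which is easier to see in code. The following is an added example, not from the original post or any masking product: one set of column rules applied three ways. `etl_mask` writes a masked copy (the ETL model, for feeding a test environment), `mask_in_place` overwrites the source rows, and `DynamicMaskingProxy` leaves the stored data real and masks per query based on the caller's role. The patient and visit records, the field names, the `analyst`/`clinician` roles and the HMAC key are all constructed for illustration. The pseudonym rule is keyed and deterministic so the masked patient table still joins to the masked visit table, which is what makes the output usable for analysis of the medical data the post mentions.

```python
import hmac
import hashlib

# Constructed sample tables standing in for a production patient database.
PATIENTS = [
    {"patient_id": "P-1001", "name": "Alice Example", "dob": "1975-03-14", "zip": "94110", "diagnosis": "E11.9"},
    {"patient_id": "P-1002", "name": "Bob Example",   "dob": "1988-11-02", "zip": "10001", "diagnosis": "J45.20"},
]
VISITS = [   # references PATIENTS by patient_id, so masking must keep that key consistent
    {"visit_id": "V-1", "patient_id": "P-1001", "date": "2011-12-01", "diagnosis": "E11.9"},
    {"visit_id": "V-2", "patient_id": "P-1002", "date": "2012-01-15", "diagnosis": "J45.20"},
]

def pseudonym(value: str, key: bytes, prefix: str = "", length: int = 8) -> str:
    """Deterministic keyed pseudonym: same input and key give the same output, so joins survive."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{prefix}{digest[:length]}"

# Column-level rules: field name -> function(value, key) -> masked value.
MASK_RULES = {
    "patient_id": lambda v, k: pseudonym(v, k, prefix="P-"),   # consistent across tables
    "name": lambda v, k: "REDACTED",                           # no analytic value, drop it
    "dob": lambda v, k: v[:4] + "-01-01",                      # generalize to year of birth
    "zip": lambda v, k: v[:3] + "00",                          # coarsen to 3-digit ZIP prefix
    # "diagnosis" is deliberately absent: it is the field the analysts need intact
}

def mask_record(record: dict, key: bytes, rules=MASK_RULES) -> dict:
    masked = dict(record)
    for field, rule in rules.items():
        if field in masked:
            masked[field] = rule(masked[field], key)
    return masked

def etl_mask(table: list, key: bytes) -> list:
    """ETL masking: produce a new masked copy; the source table is left untouched."""
    return [mask_record(r, key) for r in table]

def mask_in_place(table: list, key: bytes) -> list:
    """Masking in place: overwrite the rows of the given table; no unmasked copy remains."""
    for i, r in enumerate(table):
        table[i] = mask_record(r, key)
    return table

class DynamicMaskingProxy:
    """Dynamic masking: stored data stays real; masking is applied per query by caller role."""
    def __init__(self, table: list, key: bytes, unmasked_roles=("clinician",)):
        self._table = table
        self._key = key
        self._unmasked_roles = set(unmasked_roles)   # assumed role names

    def query(self, role: str, where=None) -> list:
        rows = [r for r in self._table if where is None or where(r)]
        if role in self._unmasked_roles:
            return [dict(r) for r in rows]
        return [mask_record(r, self._key) for r in rows]

if __name__ == "__main__":
    key = b"constructed-masking-key"
    for p, v in zip(etl_mask(PATIENTS, key), etl_mask(VISITS, key)):
        print(p, "->", v["visit_id"], "join key matches:", p["patient_id"] == v["patient_id"])
    proxy = DynamicMaskingProxy(PATIENTS, key)
    print("analyst sees:  ", proxy.query("analyst")[0])
    print("clinician sees:", proxy.query("clinician")[0])
```

Note the trade-off each variant makes: ETL masking leaves a real copy behind that still needs protecting, masking in place destroys the original (fine for a test database, not for production), and dynamic masking keeps real data in the store, so the proxy's role check becomes the control an auditor will want to see.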
Tomorrow we’ll post the last two parts of the Guide (Data Security and Virtualization/Cloud Security) before distributing the entire Guide in all its glory on Wednesday. You’ll have plenty of time to download the Guide to your iPads and iPhones (and maybe even for you Android heretics) in time to board your flights to San Francisco.