RSA Conference Guide 2013: Security Management and Compliance
Given RSA’s investment in security management technology (cough, NetWitness, cough) and the investments of the other big RSAC spenders (IBM, McAfee, HP), you will see a lot about the evolution of security management this year. We alluded to this a bit when talking about Security Big Data Analytics in our Key Themes piece, but let’s dig in a bit more…
SIEM 3.0? We can’t even get SIEM 1.0 working.
The integration of logs and packet capture is now called Security Analytics; we will hear a lot about how SIEM is old news and needs to evolve into Security Analytics to process, index, search, and report on scads of data. Make that two scads of data. So the buzz at the show will be all about NoSQL data structures, MapReduce functions, Pigs, and all sorts of other things that are basically irrelevant to getting your job done.
Instead of getting caught up in the tsumami of hype, at the show focus on a pretty simple concept. How are these new tools going to help you do your job better? Today or maybe tomorrow. Don’t worry about the 5-year roadmap of technology barely out of the lab. Can the magic box tell you things you don’t know? Can it look for stuff you don’t know to look for? You need to understand enough to make sure you don’t trading one boat anchor, which you could never get to work, for another shinier anchor. So focus heavily on your use cases for that tool.
You know, boring and unsexy things like alerting, forensics, and reporting, as we discussed in Selecting SIEM and Security Management 2.0 in days gone by. We do expect these new data models, analysis capabilities, and the ability to digest packet traffic and other data sources will make a huge difference in the effectiveness of security management platforms. But it’s still early, so keep a skeptical eye on show-floor marketing claims.
Deeper Integration (Big IT’s Security Revenge)
Big IT got religion over the past two years about how important security is to things like, well, everything. So they wrote big checks, bought lots of companies, and mostly let them erode and hemorrhage market share. The good news is that at least some of the Big IT players learned the errors of their ways, reorganized for success, and have done significant integration; all aimed at positioning their security management platforms in the middle of a bunch of complimentary product lines providing application, network, endpoint, and data security.
Of course they all play lip service to heterogeneity and coopetition, but really they hate them. They want to sell you everything, with lock-in, and they are finally starting to provide arguments for doing it their way.
Back in the real world you cannot just forklift the entire installed base of security technologies you have implemented over years. But that doesn’t mean you have to tell either your incumbent or competitors about that. Use better product integration as leverage when renewing or expanding controls. And especially for more mature technologies, looking at an integrated solution from a Big IT/Security player may be a pretty good idea.
Every security practitioner’s ‘favorite’ way to get budget, compliance remains a central theme at RSA. But compliance is moving underground a bit, as there are just too many other sexy things to push on the show floor. How can PCI measure up to the sheer star power of Hadoop at this point? Compliance won’t be the ever-present force it was last year, but it will still be all over the marketing collateral at just about every booth.
PCI is still alive and causing headaches for companies; despite arguments that vendors will embrace smart-card technologies to get a PCI audit waiver, the reality is that companies pay less to audit than they would to swap out all their mag-stripe readers and point of sale systems. For now, EMV remains a non-starter here. The PCI “Security Special Interest Group” for ecommerce, starting a brand new game of “Liability, Liability, who’s got the Liability?” just released an “Information Supplement” for good security practices. It addressed the burning question on all our minds, “Is SQL Injection still a problem”? Which in turn caused many IT staff members to ask the philosophical question “If an information supplement falls in the woods, and nobody notices, does – wait, what were we talking about?”
HIPAA, with updated Omnibus Rules on Security and Privacy remains a newsworthy, although un-motivating, topic. The limited number of cases where fines have been levied (e.g., Cignet, UCLA Health, and a Prescott AZ firm you have never heard of), and the incredibly diverse way these breaches occurred (losing boxes of files, insiders leaking celebrity medical data, posting surgical appointments in a public place) are simply not enough to alter they way the medical industry handles information. Again, lots of wind for very little movement.
So what does all this mean? It means we are keeping the status quo. It means companies will continue to invest the absolute bare minimum into compliance. But compliance will still fund some security product purchases, companies will continue to complain bitterly about it, and the press will continue to yell from the treetops about how this breach will spur companies to take security seriously. God, I love re-runs! At least this is new stuff for the n00bs.
And don’t forget to register for the Disaster Recovery Breakfast if you’ll be at the show on Thursday morning. Where else can you kick your hangover, start a new one, and talk shop with good folks in a hype-free zone? Nowhere, so make sure you join us…
—Adrian Lane,Mike Rothman