Given RSA’s investment in security management technology (cough, NetWitness, cough) and the investments of the other big RSAC spenders (IBM, McAfee, HP), you will see a lot about the evolution of security management this year. We alluded to this a bit when talking about Security Big Data Analytics in our Key Themes piece, but let’s dig in a bit more…
SIEM 3.0? We can’t even get SIEM 1.0 working.
The integration of logs and packet capture is now called Security Analytics; we will hear a lot about how SIEM is old news and needs to evolve into Security Analytics to process, index, search, and report on scads of data. Make that two scads of data. So the buzz at the show will be all about NoSQL data structures, MapReduce functions, Pigs, and all sorts of other things that are basically irrelevant to getting your job done.
Instead of getting caught up in the tsunami of hype, at the show focus on a pretty simple concept. How are these new tools going to help you do your job better? Today or maybe tomorrow. Don’t worry about the 5-year roadmap of technology barely out of the lab. Can the magic box tell you things you don’t know? Can it look for stuff you don’t know to look for? You need to understand enough to make sure you don’t end up trading one boat anchor, which you could never get to work, for another shinier anchor. So focus heavily on your use cases for that tool.
You know, boring and unsexy things like alerting, forensics, and reporting, as we discussed in Selecting SIEM and Security Management 2.0 in days gone by. We do expect these new data models, analysis capabilities, and the ability to digest packet traffic and other data sources will make a huge difference in the effectiveness of security management platforms. But it’s still early, so keep a skeptical eye on show-floor marketing claims.
Deeper Integration (Big IT’s Security Revenge)
Big IT got religion over the past two years about how important security is to things like, well, everything. So they wrote big checks, bought lots of companies, and mostly let them erode and hemorrhage market share. The good news is that at least some of the Big IT players learned the errors of their ways, reorganized for success, and have done significant integration; all aimed at positioning their security management platforms in the middle of a bunch of complementary product lines providing application, network, endpoint, and data security.
Of course they all pay lip service to heterogeneity and coopetition, but really they hate them. They want to sell you everything, with lock-in, and they are finally starting to provide arguments for doing it their way.
Back in the real world you cannot just forklift the entire installed base of security technologies you have implemented over years. But that doesn’t mean you have to tell either your incumbent or competitors about that. Use better product integration as leverage when renewing or expanding controls. And especially for more mature technologies, looking at an integrated solution from a Big IT/Security player may be a pretty good idea.