SIEM is a SILO, and the clock is ticking!

Posted on: May 16th, 2010 by AccelOps

Otherwise known as Nero Fiddled while Rome Burned

How long is it going to take before our industry realizes that the promise of SIEM cannot be realized until organizations conclude that current SIEM solutions are a Silo, and that Security Operations require a more holistic view to do their job?

Good Security people are hard to find and retain and Security products are difficult to cost justify. Making things worse, Security operations can often be ancillary to Network and Systems groups.  Doesn’t it make sense to integrate the needs of the IT organization into a system that “includes” Security while addressing the broader need of Network and Systems Operations?

Over the last few years, most SIEM vendors have attempted to retool their 10-15-year-old architectures to keep up with an ever-increasing amount of data produced by an ever-increasing number of diverse data sources. The notion of correlating security events to “find the needle in the haystack” works OK for a “black hat” sitting alone in a dark room with his or her monitor, but in reality they are fooling themselves if they think they have the situational awareness necessary to quickly and accurately determine the root cause of the alerts they are viewing.

As an example, if my help desk gets a call from an end user stating they cannot get access to a critical application on a web server, what tools do they turn to in order to quickly determine the root cause and the scale of the incident?  Do they need:

  1. Network performance monitoring
  2. Security event information management
  3. Application performance data
  4. Device configuration data
  5. All the above?

Maybe someone changed a configuration on a router or firewall, effectively creating a “self-imposed DoS”. What tool is used to figure that out, and how long will it take to determine who did it and when? Most likely, many different people will check many different tools while the clock is ticking and Nero fiddles.

Up to now, there has been very little innovation regarding ‘Root Cause Analysis’, largely because most vendors are highly leveraged into their 10-15-year-old code, which primarily focused on doing one thing well. Some large vendors have acquired adjacent technologies to address the 800-lb gorilla in the room (root cause analysis) or to improve time to market, but they have ended up with a cobbled-together bundle of “expensive to purchase and maintain” modules, and they still don’t really work well as a system.

IT organizations exist to serve their respective businesses, and regardless of the technology in use, stakeholders only care about the health and growth of that business. It is time to break down the silos of SIEM, Network Performance, Server and Application Monitoring, and Change Management so IT staff can work together to solve the major issues businesses face today. Whether the driver is regulatory compliance, maintaining profitability, protecting the brand, or “doing more with less”, IT teams need to break down the logical and physical barriers that have only served each individual team but have not provided any meaningful results towards serving the business.

What is needed is a centralized dashboard that everyone in IT can use to determine whether an incident is occurring because of an attack on the network (maybe a bot), because someone opened up the network by putting a rogue wireless access point in their cube, or, again, because someone made a configuration change to a firewall, causing what is essentially a self-imposed denial of service.
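The “self-imposed DoS” case above, worked as an added example (not AccelOps code): a change-management audit record from one silo is correlated with availability alerts from a separate monitoring silo, so the who, the when and the blast radius surface in a single pass instead of across several teams and tools. Log formats, device names and users are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events from two silos: the change-management audit trail
# (who changed what, when) and network availability monitoring. Formats are
# simplified for this example; real syslog/NetFlow/CMDB records differ.
CHANGE_LOG = [
    "2010-05-16T07:45:00 rtr-core-2 config-change user=alee rule=bgp-timer:30->60",
    "2010-05-16T09:02:11 fw-edge-1 config-change user=jsmith rule=deny:any->10.1.20.0/24:443",
]
AVAILABILITY_LOG = [
    "2010-05-16T09:03:40 monitor DOWN host=10.1.20.15 service=https",
    "2010-05-16T09:03:52 monitor DOWN host=10.1.20.16 service=https",
    "2010-05-16T09:04:10 monitor DOWN host=10.1.20.17 service=https",
    "2010-05-16T09:05:00 monitor DOWN host=10.3.7.2 service=smtp",
]

def parse(line):
    """Split 'timestamp source kind k=v ...' into a dict."""
    ts, src, kind, *kv = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "src": src, "kind": kind}
    rec.update(p.split("=", 1) for p in kv if "=" in p)
    return rec

def rule_target_network(rule):
    """Destination network named in an 'action:src->dst[:port]' rule, else None."""
    if "->" not in rule:
        return None
    dst = rule.split("->", 1)[1].split(":", 1)[0]
    try:
        return ipaddress.ip_network(dst, strict=False)
    except ValueError:
        return None  # not a network (e.g. a timer value); cannot explain an outage

def correlate(changes, outages, window_minutes=10):
    """Attribute each outage to config changes made in the preceding window whose
    rule targets the outage host's network: {(device, user, when): [hosts]}."""
    window = timedelta(minutes=window_minutes)
    parsed_changes = [parse(l) for l in changes]
    causes = {}
    for o in (parse(l) for l in outages):
        host = ipaddress.ip_address(o["host"])
        for c in parsed_changes:
            net = rule_target_network(c.get("rule", ""))
            if net and host in net and timedelta(0) <= o["ts"] - c["ts"] <= window:
                key = (c["src"], c["user"], c["ts"].isoformat())
                causes.setdefault(key, []).append(o["host"])
    return causes
```

The unrelated router change (wrong device, wrong time) and the SMTP outage on another subnet are left unattributed, which is the point: the correlation narrows a flood of DOWN alerts to one change, one user and one timestamp.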

For my money, I want one tool that gives me a quick view of all security, performance, and availability related events, and a few clicks into the CMDB to quickly identify devices that are running low on memory or where a faulty fan is causing a device to run hot. In fact, I want a system where it is as easy to see how vMotion is optimizing performance by moving applications from one server to another as it is to determine whether failed logons come from valid internal users or from someone who came in from overseas via VPN (or a rogue wireless router) without valid credentials.

I suppose we can continue to throw huge sums of money at multiple modules and thousands of agents, and add dozens of headcount, but what good is a tool if you spend more time with the care and feeding of the tool rather than solving problems and serving the business?

In my opinion, IT organizations benefit when each unique (not disparate) group under IT has a similar vision of how everything is interconnected, each device, each application, each event, and most importantly how these elements are grouped based on their unique business services.  One view, one set of metrics, one source of accountability, and one IT Service goal, all while maintaining separation of duties for regulatory compliance and accountability.

Siloed legacy tools served a purpose in their day, but that day has passed. Just as each agency under our federal government has been tasked to share information to protect our country, each area of IT must do the same in order to serve and protect its stakeholders.

Sign up for a 30-day free trial and see it for yourself.
