EMC announced a major update to the popular enVision security information and event management (SIEM) platform.
A few days back, members of the product team were in my office, and we were chatting about what made this announcement so cool. Update: one of them has even started a cool security blog: Token Security Guy.
And the cool stuff wasn't what I first thought.
What Is SIEM?
Products like enVision do a couple of things pretty well -- they gather all the logs and events that are relevant to security, they correlate them in real time and alert the security administrator, and they provide a repository and reporting function to help when the auditors come calling.
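To make those three functions concrete, here is an added example (my own illustration, not enVision code or anything from EMC/RSA): a miniature SIEM pipeline that normalizes events from two constructed log formats (an sshd-style line and a firewall CSV line, both assumed for the demo), evaluates a sliding-window correlation rule as each event arrives, raises an alert with the surrounding context, opens a stand-in trouble ticket, and keeps every normalized event in a repository for a simple audit report. The log lines, the rule threshold and the ticket shape are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Gather: normalize heterogeneous sources into one event shape ------------
# Two constructed source formats (assumptions for this demo, not real
# enVision collector formats): an sshd-style line and a firewall CSV line.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

def parse_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "source": "sshd",
            "type": "auth_failure" if m["outcome"] == "Failed" else "auth_success",
            "user": m["user"], "src": m["src"]}

def parse_firewall(line):
    # Constructed format: ts,action,src,dst,dport
    parts = line.split(",")
    if len(parts) != 5 or parts[1] not in ("DENY", "ALLOW"):
        return None
    ts, action, src, dst, dport = parts
    return {"ts": datetime.fromisoformat(ts), "source": "firewall",
            "type": "fw_deny" if action == "DENY" else "fw_allow",
            "src": src, "dst": dst, "dport": int(dport)}

PARSERS = (parse_sshd, parse_firewall)

def normalize(line):
    for parser in PARSERS:
        event = parser(line)
        if event:
            return event
    return None  # unparsed lines are dropped here; a real SIEM would count them

# --- Correlate: sliding-window rule evaluated as events arrive ---------------
class BruteForceRule:
    """Alert when one source IP has >= threshold auth failures inside `window`
    and then a success: the classic password-guessing pattern."""
    def __init__(self, threshold=3, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # src -> timestamps of recent failures

    def feed(self, event):
        if event["source"] != "sshd":
            return None
        q = self.failures[event["src"]]
        while q and event["ts"] - q[0] > self.window:  # expire old failures
            q.popleft()
        if event["type"] == "auth_failure":
            q.append(event["ts"])
            return None
        if event["type"] == "auth_success" and len(q) >= self.threshold:
            failures = len(q)
            q.clear()
            return {"rule": "ssh_bruteforce_success", "src": event["src"],
                    "user": event["user"], "failures": failures, "ts": event["ts"]}
        return None

# --- Repository, alerting, context and automated ticket ----------------------
class MiniSiem:
    def __init__(self, rules):
        self.rules = rules
        self.repository = []  # every normalized event, kept for audit reporting
        self.alerts = []
        self.tickets = []

    def ingest(self, line):
        event = normalize(line)
        if event is None:
            return
        self.repository.append(event)
        for rule in self.rules:
            alert = rule.feed(event)
            if alert:
                self.alerts.append(alert)
                self.tickets.append(self.open_ticket(alert))

    def open_ticket(self, alert):
        # Stand-in for the automatic trouble-ticket step; a real deployment
        # would call the ticketing system's API here. Context = every stored
        # event from the same source, so the admin does not have to dig.
        return {"id": len(self.tickets) + 1,
                "summary": f"{alert['rule']} from {alert['src']}",
                "context": [e for e in self.repository if e["src"] == alert["src"]]}

    def report(self):
        """Event counts per type, the kind of summary an auditor asks for."""
        counts = defaultdict(int)
        for e in self.repository:
            counts[e["type"]] += 1
        return dict(counts)

# Constructed sample lines from mixed sources, in arrival order.
SAMPLE_LINES = [
    "2009-03-09T13:00:00,DENY,10.0.0.5,192.168.1.10,23",
    "2009-03-09T13:01:00 sshd: Failed password for root from 10.0.0.5",
    "2009-03-09T13:01:20 sshd: Failed password for root from 10.0.0.5",
    "2009-03-09T13:01:40 sshd: Failed password for admin from 10.0.0.5",
    "2009-03-09T13:02:00 sshd: Accepted password for admin from 10.0.0.5",
    "2009-03-09T13:02:30 sshd: Failed password for bob from 10.0.0.9",
    "2009-03-09T13:03:00 sshd: Accepted password for bob from 10.0.0.9",  # one failure only
    "garbage line the collector cannot parse",
]

def run_demo(lines=SAMPLE_LINES):
    siem = MiniSiem([BruteForceRule()])
    for line in lines:
        siem.ingest(line)
    return siem

if __name__ == "__main__":
    s = run_demo()
    print(s.alerts, s.tickets[0]["summary"], s.report(), sep="\n")
```

Running it produces one alert (three failures then a success from 10.0.0.5 within the window), one ticket carrying the five stored events from that source as context, and no alert for 10.0.0.9, whose single failure stays below the threshold. The point the post makes about administrator time shows up in the design: the rule does the window bookkeeping and the ticket gathers the context, so the person only sees the correlated result.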
As we started discussing the new release, I kept playing an irritating game that I occasionally use with EMC product people.
They'll mention a specific feature, and I'll say something like "so?" or "why does that matter?" or "what's the big deal?".
After a few rounds of me doing this to people, blood pressures get elevated significantly, and -- sometimes -- a key nugget of truth will pop out.
Such was the case with our enVision 4.0 discussion.
It's all about the security administrator.
Here's The Context
It was pretty simple, once it was explained to me.
Security people in large enterprises are very scarce resources. There aren't a lot of them around. They tend to be put into very trusted positions. Their time and attention are very precious resources, as far as IT stuff goes. You really don't want to hire junior talent for this sort of role.
The reason that enVision 4.0 is cool is simple: it makes the senior security person's job far easier.
Not so they can slack off; rather, so they can spend more time on the stuff that matters rather than stuff that can be easily automated.
Can gathering and correlating relevant information from hundreds of sources be automated? You bet.
Can hundreds of pre-compiled security rules be supplied by industry experts to strengthen the environment? Of course.
Can additional context be displayed when an issue is discovered? Sure.
Can a trouble ticket be automatically generated to correct any config issues discovered? Yes.
Making Life Simpler For The Security Person
All of these features (and many others) reflect one core truth -- as you make life simpler and easier for the security person, you get better security.
And that's something that I think most every enterprise will want -- at least, hopefully the ones that I do business with :-)

"Can gathering and correlating relevant information from hundreds of sources be automated? You bet.
Can hundreds of pre-compiled security rules be supplied by industry experts to strengthen the environment? Of course.
Can additional context be displayed when an issue is discovered? Sure.
Can a trouble ticket be automatically generated to correct any config issues discovered? Yes."
How is this any different than what any other major SIEM vendor offers?
Yes, every major SIEM offers similar features that claim 'better security'. But specifically, identify how the 'better security' translates into jobs handled by these security administrators that are already overloaded.
Even with streamlined processes such as correlated event management, we as security admins still need workflows and empowerment to act on this new information. Many tools can provide the data.
The trick is to provide action on that data....
Posted by: Sec Admin | March 09, 2009 at 01:29 PM
Hi Sec Admin -- couldn't agree more!
My post wasn't really targeted at security professionals such as yourself who require a much deeper level of detail, but to a more general IT audience ...
I hope our RSA guys can show you the new stuff sooner than later. I'd be interested in your opinion.
Thanks!
-- Chuck
Posted by: Chuck Hollis | March 09, 2009 at 01:37 PM
I must say I prefer Splunk.
The problem with classical SIEM is, they suffer from a too narrow view and the "Oh no! Not another agent!"-syndrome.
SIEMs are just as good as their data collectors. Your data source is not supported? Oh, you're out of luck!
Splunk is unique in the way it collects _all_ your unstructured data (logfiles, config files, command output etc.) and provides simple access to that data through a Google-like search. Best of all, you're not limited to just security data.
SIEM is dead. The criminals have moved up to the application layer. SIEM is not there.
Posted by: Brainy | March 09, 2009 at 01:53 PM
I agree -- the ability to gather all forms of data (security and otherwise) is essential for SIEM. However, you'd be very impressed at the openness of RSA's enVision -- your comments don't really apply to that product.
Thanks for writing!
-- Chuck
Posted by: Chuck Hollis | March 09, 2009 at 01:55 PM
Thanks Chuck, and the commentators
"The trick is to provide action on that data...." - I take it you mean modifying a firewall rule, or resetting a port, or kicking somebody out of an application?
We've got the capability to kick off a script in response to an issue, but not many folks have the confidence in any technology to automate that sort of thing just yet.
We're already integrating more closely with Voyence, SMARTS, Infra plus other RSA & EMC technologies to streamline the process of dealing with a problem. And that's only going to get better.
We reckon remediation is too big a problem to be a core SIEM function - but we'll sure interface with technologies that do know how to do this properly.
Cheers
Paul
Posted by: Paul Stamp | March 09, 2009 at 03:13 PM