According to published reports, one of the anticipated sessions at the upcoming Black Hat conference will show vulnerabilities within smart metering technologies that certain utilities are deploying to make the electricity grid more intelligent, from energy production through consumption.
The big question is whether the vulnerabilities would put utilities out of compliance with energy industry regulations regarding security.
In the latest episode of eIQcast, Ross Levanto asks eIQnetworks Product Evangelist John Linkous for a review of what we know about the vulnerabilities and the current state of security compliance within the energy industry.
Running time: 10:27
Direct Link: http://eiqcast.podOmatic.com/entry/2009-07-06T06_58_21-07_00
Don’t be like Dick and check out eIQ’s video at logdataisnotenough.com
eIQnetworks grows 60%+ in past year
July 1, 2009
On Monday, eIQ announced our fiscal year 2009 results, which ended on April 30. You can check out the release to see the details. No, we didn’t talk about specific sales numbers (private companies don’t do that), but we are happy to announce 60%+ growth – in the worst economic situation of our time.
Significant company growth is not the result of any one employee or department. It’s the result of the many who have contributed to grow eIQnetworks’ business. Over the past year, eIQ has made significant investments in people and our products. We raised money from Venrock, a top-tier security investor, to allow us to continue investing in the business and allow us to play with the big boys in the space. We believe security and compliance management is a universal requirement and we have laid the foundation to ensure we can meet the need.
Over the past year, we’ve moved to an enterprise-centric strategy. The rest of the market is chasing the SMB segment. Why is this happening? Basically because it’s hard to really solve the problems of large enterprises. They have very large and very complicated environments and that requires a different kind of security and compliance management platform. So as opposed to building enterprise-class solutions, the other guys are turning tail and looking for simpler environments where they can be successful.
Our mantra that “log data is not enough” is gaining traction because it’s clear that there are too many ways to “fool” a product that only looks at logs. And best of all, we think we are only scratching the surface on helping customers improve their security operations and automate their compliance responsibilities. There is much work to be done, so with that I’ll get back to it.
We’ve recently published two newsletters out of a four-part series featuring Gartner content. In each newsletter we feature a Gartner research paper and eIQ-authored articles. To download both issues, you’ll need to register on the eIQ website.
Here’s a sneak peek at what’s included in each issue:
Issue 2 | Released June 2009
- Risk and Security Officer Role Responsibilities Broaden by Paul E. Proctor of Gartner
- Rothman’s View: IT Risk and the Point of Diminishing Returns by Mike Rothman of eIQnetworks
- Linkous’ View: Real-World IT Risk Management by John Linkous of eIQnetworks
Issue 1 | Released May 2009
- Security and Operations: Convergence and Segregation by Mark Nicolett, Ronni J. Colville, and Peter Firstbrook of Gartner
- Why Swivel Chair Management Will Kill You by Mike Rothman of eIQnetworks
- Bridging the Gap between Security Operations and Compliance – technical white paper by eIQnetworks
5 Reasons SIEM Projects FAIL
June 22, 2009
Based on a number of recent surveys and hearing general grumbling during my travels, the perception of SIEM has not changed much. Folks think it’s still too complex, too expensive and doesn’t provide enough value.
All of the vendors will tell you this isn’t so. They’ll point to their base of reference customers to show that the technology has gotten a lot easier and that customers are getting real value from the solutions. They are probably right. But as my driver’s education teacher told me: “You may be right, but you’ll still be dead.”
The point of my little anecdote is to remind us that the truth doesn’t really matter; the perception of SIEM’s problems is what the industry has to deal with. So in this post, I’ll hit one man’s opinion of the top 5 reasons projects fail and some potential solutions. And it turns out that many of the reasons projects fail have nothing to do with technology.
Reason #1: Unrealistic expectations
This is the killer. And I wish it was something that just plagued security management projects. Far too many organizations start a project without a clear understanding of what problem they are trying to solve and therefore do not have clearly defined SUCCESS CRITERIA established before they start.
This is a recipe for disaster because even if the project meets the goals in your head, other folks may have different opinions. And this has been one of the key issues with SIEM since the beginning. The technology was positioned as the Holy Grail and it just wasn’t for a lot of reasons.
So you have about 10 years’ worth of customers that don’t think SIEM solved their problem, and their voices dramatically outweigh the quiet ones that have actually gotten value and had successful projects. As I mentioned in last week’s post (SIEM still struggles (and it’s our own fault)), we have to stop over-promising and under-delivering on the value of security and compliance management.
And making sure any organization undertaking a project has the right goals and realistic expectations at the front end of the process is the only way to solve this one.
Reason #2: Lack of implementation resources
No matter how you slice it, gathering data from a lot of different sources and trying to make sense of it is hard. It’s not something you buy at the local computer store, screw into your 19″ rack and let it run. And I don’t think it will ever be. The number of attack vectors is just too great.
So another reason many of these projects fail is the lack of commitment both from the customer and the vendor to devote the resources required to make the project successful. Yes, it’s going to take time (think weeks, not years) and it’s going to cost money.
No one bitches about spending 4x the cost of software licenses on services for an SAP implementation. You don’t need to spend anywhere near that multiple on SIEM services, but do plan on spending something. Or suffer the consequences.
Reason #3: Time to value too long
Finally, a technology issue. The first generation of SIEM products (many of which are still being pushed out there in the market) were built on big relational database back ends. These are big, ugly, expensive and perform like crap. When you have to bring your own DBA to the party, it ain’t going to be a clean install.
Time to value was also impacted by challenges in tuning and customizing the correlation engine and refining the reports needed for internal and external requirements. Basically it took way too long to get these things up and running (regardless of the number of bodies thrown at the problem) and that caused customers to lose faith in the value of the category.
Many of the vendors out there (including eIQ) have addressed these issues to one degree or another (we can certainly argue about the logic of front-ending a big RDBMS with a bunch of logging toasters to provide the illusion of scalability), but customers still hold onto that old perception. And perception is reality (have I said that enough times?).
Reason #4: Don’t embrace SIEM-based operational processes
Once again, this is a self-inflicted wound on the part of most customers. Basically they just want to set it and forget it. They figure it’s like an anti-spam device. Turn the knob and get out of the way. Well, not so much.
Let’s get back to the SAP analogy. No one implements SAP to overhaul their operational processes and expects it to just run, hands-off ad infinitum. These organizations build operational processes around the tool and constantly tune those processes to get the most value from automation and having an integrated view of their environment.
SIEM is no different. The organization must embrace a different way of doing business. They have to spend a large portion of their time in the interface every day and customize the user interaction model to meet with their own personal workflow. This isn’t about getting an alert in email and then riding off on the white horse to investigate the issue and repel the bad guys.
It’s about using the tool that was bought. If SIEM is shelfware, then clearly this is project FAIL.
Reason #5: Political headwinds
Let’s wrap it up by dealing with reality for a little bit here. I’ve seen a lot of environments where other operational groups work to undermine the security team because they have data the ops groups don’t want them to have.
Like whether the network is working optimally. Or if the configurations are locked down. And how quickly patches get implemented or vulnerabilities get remediated. Not to be overly generic, but most folks aren’t big fans of being accountable and having someone else possess real data to hold their feet to the fire.
So political roadblocks are put in the way to either stonewall the data gathering efforts or challenge the accuracy of the data and the conclusions drawn by using the SIEM tool. Again, it’s hard to be a success if there are political roadblocks in the way.
Part of the implementation process MUST be a process to make sure everyone is on board and to identify these political hot buttons before they take down the project. Of course, this is easier said than done, but it’s critical. You can address all the other issues and be on the road to a successful project, only to be sent off the rails by petty politics.
Over the next few weeks, I plan to flesh out each of these reasons in much more depth with some recommendations on how to overcome each of these problems. Yes, I’m giving away some great stuff, but the more successful SIEM implementations out there, the better it is for everyone.
SIEM still struggles (and it’s our own fault)
June 18, 2009
One of the research positions that I took in my old research shop was that SIEM (security information and event management) never really met the needs of customers and suffered from a value disconnect. The solutions basically were too expensive, took too long to implement and required too much tuning to achieve value quickly enough to make it worth the effort.
And even after 10 years of trying to get it right, according to a recent Aberdeen Group study (highlighted in this Dark Reading piece), the industry in general is still screwing it up. Here is a pretty telling quote from the Aberdeen report:
“The majority of respondents have not yet achieved those quantifiable benefits, and in some cases are seeing increases in audit deficiencies, security incidents, and operational costs associated with security management.”
They go on to say it’s not the tools, it’s the way the tools are implemented. Given that the sponsor of the study, Vigilant, is in the business of SIEM implementation, the conclusion is far from surprising. And it’s also right: the technology has matured significantly over the past few years. And folks like eIQ are adding more data types and pushing the envelope on scalability and the ability to detect new attack vectors.
Yet, it seems to always get back to expectations. The vendors positioned the technology as the Rosetta Stone of all things security, and sorry folks, there is no Rosetta Stone. Unless you want to learn Mandarin or some other foreign language. No set of technologies or automation is going to eliminate the need for having smart folks who understand your environment looking for bad things.
What SIEM (and the larger security and compliance management platform) can and should do is give those analysts BETTER INFORMATION. The point isn’t to eliminate those folks, it’s to make them more effective and efficient. It’s about focusing on the short term problem (you know, the one that has funding), but making sure to pay attention to the longer term strategy. I call this “buying tactically, but with an eye to the future.” So you may be solving a compliance problem right now, but doesn’t it make more sense to make sure you also get security operations help and also forensics and configuration audit?
But to be clear, a successful implementation requires investment. Not only the product itself and likely services to implement (like the stuff Vigilant does), but also a senior-level commitment to embrace automation and rework security operational processes to use the tools. In the short term, it’s always easier to throw people at the problem, but that’s not really feasible in today’s economy. And given the increasing complexity of today’s technology environment, it’s also the wrong answer strategically.
So automation is the only way you are going to keep pace, but embrace automation with your eyes open. It takes work. Work we’ve seen that’s well worth the effort, but it’s work nonetheless. Regardless of what the vendor is telling you.
It’s too bad the security management market continues to set the wrong expectations, as clearly evidenced by the Aberdeen study. Messages like “easy PCI compliance” are hurting the perception of SIEM technology and giving everyone a black eye. At eIQ, we try to paint a realistic picture of what’s going to be required during the implementation.
Customers have choices in who they select as their security management partner. They can keep their happy ears and pick the vendor that tells them what they want to hear. But truth be told, I’d rather not win those deals. Because there really is no “winner” at all, the customer will be disappointed and the vendor will get a black eye.
And everyone loses.
How to use Gartner’s SIEM MQ
June 16, 2009
Yes, that’s right. Our friends at Gartner have published their 2009 Magic Quadrant on Security Information and Event Management for Gartner clients. eIQnetworks is placed in the visionary quadrant.
Mark Nicolett hijacked John Pescatore’s blog for a day to clarify how to use the MQ. In the post, he describes leaders and visionaries: “Vendors that are in the leaders or visionary quadrant meet the major functional requirements of the broad SIEM market.”
The difference between a leader and a visionary? The post states: “Visionary vendors have scored lower in ability to execute (most often due to smaller company size or installed base or growth rate) as compared to leaders.” eIQ has been addressing the enterprise space for a touch over two years (as compared to the other leaders and visionaries in the space for 7-10 years), so we are pleased with our placement.
Yet, Mark Nicolett cautions customers against reading too much into the placements in the chart.
The written research is intended as a starting point for a product selection decision. We really encourage Gartner clients to use our inquiry process to augment your use of the published research. The idea is to get on the phone with us so that we can provide more specific advice based on the client’s environment.
Being a former analyst, I totally agree with Mark’s assessment here. It’s easy to just look at the chart and pick only the leaders to engage with and be done with it. But it would be the wrong thing to do, since visionaries usually bring a different perspective and set of capabilities to the table. At least eIQ does.
eIQcast Episode 16: The Need for Automation
June 11, 2009
As noted in the previous post, the results of spring surveys show that security spending is trending down. While that’s not exactly a surprise, it puts security managers in a pickle. Given the economic situation, how are they to keep their systems secure and compliant, especially since the regulations haven’t changed and the hackers don’t take time off during a recession? That question is the subject of the latest episode of eIQcast, where Ross Levanto interviews eIQnetworks senior vice president of strategy Mike Rothman.
Running time: 10:46
Direct Link: http://eiqcast.podomatic.com/entry/2009-06-11T14_33_26-07_00
Security Spending Going Down. What Now?
June 11, 2009
Personally, I’ve been shaking my head for the past 8 months as most folks maintained that security spending was going to remain stable during the economic downturn. Huh? Everything gets cut in a downturn, yes Marge – even security. But the optimists out there (how an optimist ends up in a security role is beyond me…) maintained that security spending would still happen for a couple of reasons:
- Compliance – None of the regulations are going away, nor are the auditors being furloughed. Thus, you still have to comply, regardless of the horror show that is the organization’s balance sheet.
- Attackers – It seems the attackers haven’t gone on vacation either. If anything, as things get tight they act more desperately to keep ill-gotten food on their table.
- Breaches – Successful attacks continue to happen every day, and they need to be fixed. Again, this is not dependent on the economy, so enterprises will still have to clean up their messes.
Those reasons are plausible, but I still didn’t believe it. Though I kept seeing survey after survey saying everything was OK. I was starting to think maybe it was me that was crazy.
Thankfully we are starting to see some rationality happen and perhaps even some honesty from the folks that fill out these surveys. I’ll point to a survey done by my friends at MetroSITE Group (PDF of the survey), as well as some research done by Peter Kuper and the IANS folks. Both show spending going down and even deteriorating a bit.
You can peruse the results yourself and draw your own conclusions, but ultimately the laws of economics have not been repealed. When an organization tightens the belt, EVERYONE needs to tighten. Even us security folk. So what? Budgets are down, what do we do now? The optimists do make good points in that compliance isn’t going away and neither are attackers.
It gets back to the age old need to “Do More With Less.” And the only way to do that is to automate. That’s right, the only way to continue to 1) comply and 2) secure with 3) less budget is to figure out how all that computing horsepower can be brought to bear to analyze what’s happening in your environment, allow you to react faster to threats, and to document your controls when the auditor comes to party.
So even in a “down” market, there is still a lot of need for security and compliance management solutions.
Rothman on Beyond the Perimeter Podcast
June 10, 2009
My friend Amrit Williams, CTO of BigFix, invited me to speak on his “Beyond the Perimeter” podcast yesterday. Big mistake for him. Kidding aside, we had a good conversation about a number of things, including how security needs to evolve and why his podcast is called “Beyond the Perimeter.”
Amrit used to cover SIEM (he claims to have originated the term back in the day, while he was burying Jimmy Hoffa, clearly) for Gartner, so we chatted quite a bit about how the industry has evolved and where it’s going, especially relative to emerging compliance requirements.
Here is Amrit’s description:
Episode 26 – Situational Awareness Inside and Beyond the Perimeter
Amrit Williams, CTO of BigFix, Inc. speaks with Mike Rothman, founder of Security Incite and recently hired Senior Vice President of eIQnetworks, on the need to secure information wherever it resides or travels, and a pendulum shift away from log management back to situational awareness. According to Rothman, the emphasis on log management stemmed from organizations taking a “check off” approach to information stewardship compliance programs. The renewed interest in situational awareness results from the realization that log management alone is not enough to understand, respond to, or prevent security breaches; in short, what’s really at stake in information security.
All Aboard: eIQ jumps on the “Mainline”
June 8, 2009
It was only back in the late ’90s that most technology industries were awash in “Barney”-type channel partnerships. They are called Barney announcements because they resemble the purple dinosaur, who sings “I love you. You love me…” Those partnerships were really all about the press release. And in the days when a company could have an IPO based on its partnerships and business plan, Barney was good. But in hindsight (which is always 20/20) the partnerships turned out to be mostly crap, and nothing really came of the relationships.
At eIQnetworks, our partnership approach is quite different, which is why we don’t announce many of them. The ones we do announce actually mean something. As a perfect example, today we announced a partnership with Mainline Information Systems.
Mainline is a major reseller of IBM products, and they are getting a lot of requests from their customers for security and compliance solutions. What’s especially satisfying about our partnership is that Mainline really put us through the wringer. They looked at the entire industry and decided eIQ was best positioned to help Mainline solve the problems of their customers. When we made the point that “Log Data is Not Enough,” they got it.
So we welcome our partnership with Mainline and look forward to working with them and their customers to address security and compliance management issues.