SIEM still struggles (and it’s our own fault)
June 18, 2009
One of the research positions that I took in my old research shop was that SIEM (security information and event management) never really met the needs of customers and suffered from a value disconnect. The solutions basically were too expensive, took too long to implement and required too much tuning to achieve value quickly enough to make it worth the effort.
And even after 10 years of trying to get it right, according to a recent Aberdeen Group study (highlighted in this Dark Reading piece), the industry in general is still screwing it up. Here is a pretty telling quote from the Aberdeen report:
“The majority of respondents have not yet achieved those quantifiable benefits, and in some cases are seeing increases in audit deficiencies, security incidents, and operational costs associated with security management.”
They go on to say it’s not the tools, it’s the way the tools are implemented. Given that the sponsor of the study, Vigilant, is in the business of SIEM implementation, the conclusion is far from surprising. It’s also right: the technology has matured significantly over the past few years, and folks like eIQ are adding more data types and pushing the envelope on scalability and the ability to detect new attack vectors.
Yet it always seems to get back to expectations. The vendors positioned the technology as the Rosetta Stone of all things security, and sorry folks, there is no Rosetta Stone. Unless you want to learn Mandarin or some other foreign language. No set of technologies or automation is going to eliminate the need for smart folks who understand your environment and are looking for bad things.
What SIEM (and the larger security and compliance management platform) can and should do is give those analysts BETTER INFORMATION. The point isn’t to eliminate those folks, it’s to make them more effective and efficient. It’s about focusing on the short term problem (you know, the one that has funding), but making sure to pay attention to the longer term strategy. I call this “buying tactically, but with an eye to the future.” So you may be solving a compliance problem right now, but doesn’t it make more sense to make sure you also get security operations help and also forensics and configuration audit?
But to be clear, a successful implementation requires investment. Not only in the product itself and likely services to implement it (like the stuff Vigilant does), but also a senior-level commitment to embrace automation and rework security operational processes to use the tools. In the short term, it’s always easier to throw people at the problem, but that’s not really feasible in today’s economy. And given the increasing complexity of today’s technology environment, it’s also the wrong answer strategically.
So automation is the only way you are going to keep pace, but embrace automation with your eyes open. It takes work. Work we’ve seen that’s well worth the effort, but it’s work nonetheless. Regardless of what the vendor is telling you.
It’s too bad the security management market continues to set the wrong expectations, as clearly evidenced by the Aberdeen study. Messages like “easy PCI compliance” are hurting the perception of SIEM technology and giving everyone a black eye. At eIQ, we try to paint a realistic picture of what’s going to be required during the implementation.
Customers have choices in who they select as their security management partner. They can keep their happy ears and pick the vendor that tells them what they want to hear. But truth be told, I’d rather not win those deals, because there really is no “winner” at all: the customer will be disappointed and the vendor will get a black eye.
And everyone loses.
June 22, 2009 at 8:14 AM
[...] have actually gotten value and had successful projects. As I mentioned in last week’s post (SIEM still struggles (and it’s our own fault)), we have to stop over promising and under delivering on the value of security and compliance [...]
July 7, 2009 at 11:01 PM
I guess I don’t get the point of the post … you are telling us that your “space” is struggling and it’s your own fault??? ArcSight and Q1 seem to be doing great … and not complaining.