SIEM – it’s not mainly about tools

09.10.2011 by Martin Kuppinger

Last week, IBM announced the acquisition of Q1 Labs. The same day, McAfee announced its plans to buy NitroSecurity. Not that long ago, HP bought ArcSight. Obviously, SIEM vendors are very attractive to the large players in IT. SIEM, the acronym for Security Information and Event Management, consists of two disciplines. One is about managing the security information from different sources, the other is about real-time analysis of that information to identify events.

Given the increasing security threats (no, these aren’t just challenges anymore), having approaches in place which help to identify security issues in time is essential. Relevant data is found in a large number of sources. Collecting, aggregating, correlating, and analyzing that data is supported by SIEM tools. However, with incredible masses of data, two issues become evident:

  • SIEM requires strong knowledge about security to be able to understand security information from different systems and their relationships.
  • The art of SIEM is to identify – at best – exactly the critical situations which need to be handled. Not more, not less.

Given that real IT security experts are a rare species (at least compared to the demand), it isn’t easy to address the first point. Working with MSSPs (Managed Security Service Providers) might be one option. However, IT security has to play a much more prominent role in education, even though that will close the gap between supply and demand only slowly, if at all.

The other point is that SIEM is not mainly about tools. SIEM tools are only as good as the way they are used. If you end up with too many events you have to analyze manually, you haven’t won anything. If you end up with a situation in which some critical events aren’t detected, you have lost. Configuring SIEM tools optimally is an endeavour which takes its time and which requires a lot of up-front thinking. It is about identifying the controls you should have in place, it’s about understanding your security risks and the potential attacks, and it is about understanding the relationship between the different steps of more elaborate attacks like APTs (Advanced Persistent Threats).

So, as popular as SIEM might be: SIEM tools are nothing other than tools until someone configures them right. Moving towards SIEM is therefore not mainly about buying a tool, but about the controls, the configuration, and the use of these tools. So don’t feel safe once you’ve bought a SIEM tool – feel a little safer once you’ve done your work around that tool. But never feel safe!


The secret leader in context-based authentication and authorization?

19.06.2008 by Martin Kuppinger

Context-based authentication and authorization is one of the topics which have the potential to become the next hype. I’ve posted twice on this subject, here and here, and we had, led by Dave Kearns, a lot of discussions around this at our EIC 2008. I’m convinced that the topic will become even more important at next year’s EIC.

Besides the obvious players in that future market segment, such as the risk-based authentication vendors (Arcot, Entrust, Oracle, RSA and some others), there are other categories of vendors which already offer at least some context-based authentication and authorization. One of them is Citrix. Given the number of installations of the Citrix Access Gateway, they might even be sort of the leader in that market.

You might argue: an SSL gateway is not a solution for context-based authentication and authorization. Yes – and no. No, because an SSL gateway without additional components is just an SSL gateway. Yes, if you combine a Citrix Access Gateway with other things. At a Citrix Analyst Briefing yesterday, a Swiss bank talked about their approach to controlling the access of remote workers. They use the Citrix Access Gateway together with many other Citrix technologies and with a NAP (Network Access Protection) tool from EPA factory.



© 2015 Martin Kuppinger, KuppingerCole