Wednesday, November 5, 2014

SIEM 3.0 - Continuing to Deliver on Failed Promises

SIEM - Security Information and Event Management - has been a product for many, many years now and virtually every organization out there has bought into the promise of what SIEM will bring. Since the term was coined in 2005, the security industry has largely struggled to deliver on all the promises the product family made.

Bring on the Blame

- We can blame marketing professionals who over-hyped the capabilities and wowed buyers with their mastery of buzzwords.
- We can blame the product managers for failing to build coherent features and functionality were based on anything resembling actual use-cases.
- We can blame user interface designers for making products it takes a 40hr course to understand, and a 1,000 page tome to utilize.
- We can blame sales executives for pushing products as solutions when most enterprises simply weren't ready to divert resources into implementation of yet another security project.
- We can blame sales engineers for convincing enterprise security professionals a that a few carefully planned demo scripts could be practically implemented in their environment with any success.
- We can blame CISOs for failing to have a salient security strategy and instead chasing "shiny objects".
- We can blame security professionals for having no grasp of use-cases, or even bothering to fully operationalize one product before moving on to the next like a child with ADHD.

You see, the reality is I think everyone is equally culpable for the state of enterprise security right now. Specifically looking at SIEM, the hysteria has long gone over the back-side of the hype curve so we're forced to create new curves to go over.

Up, Up, and Up Some More

It's like a repetitive cycle, with only one small problem. If we keep setting new and higher expectations through hype after first failing to meet previous expectations it sets the whole thing up for a monumental fall - eventually. You see, we haven't yet fallen down the back-side of the hype curve...not totally. Every time we do someone invents another term.

Case in point, "SIEM 2.0" and associated silliness. Why did we need the term SIEM 2.0? I honestly didn't know what it meant so I asked a few people whose business it was to build, sell, or operationalize SIEM. The answer I heard the most often was this:
"SIEM 2.0 is another attempt at SIEM. The first time we barely got the log aggregation. This time we're going to try and achieve correlation."
Mind. Exploded.

So if I understand this, SIEM 2.0 is a term created because SIEM has miserably failed to deliver value, based on what it was sold as. Am I getting this right?

At this point, the hype knob goes to 12. I've heard a SIEM can be leveraged to detect fraud, APTs, botnets, malicious insiders, and behavioral anomalies. SIEMs are local appliances, virtual images, cloud-based, and of course leverage "big data". SIEMs feature log collection, aggregation, correlation, analysis and custom rules development. Did I miss anything?

Analysts, Leaders, Visionaries, and Execution

What really boils my bunny is every time one of these mystic quadrants shows up I sit and scratch my head and wonder how these things are done. Clearly the analysts haven't talked to any real users of the products because they would hear the same things I do - disappointment, anger, and disillusionment.

What separates a leader from a visionary? The ability to execute? And if that's true - how do we define successful execution? What test-cases are we using and who gets to determine succeed or fail?

Completeness of vision is great, but failure to execute makes that worthless. On the the other side of that coin, execution is brilliant unless you're executing on dated and undesirable features. Where do we factor in the success KPIs?

The security professionals and executives I talk to have a clear emphasis on execution. Make it work. Make it do what it's supposed to do. Make it relatively operational with minimum additional resources, since that's the point after all isn't it?

Actually that's an interesting point - what does the enterprise security professional expect from their SIEM product? What are the use-cases that are most useful to the broadest enterprise community? What features and functions could we simply throw away without anyone noticing - because no one uses them?

Does being a leader mean you are telling your customers and end-users what they should be doing? Or is that the role of the visionary? Who is really driving this bus?

On Point

So let me close this post out with a proposal. How about we start over, again, for the first time. Let's call it SIEM 3.0, or Next-Gen SIEM, or SIEM Type-R (R for reinvented). I don't care what you call it, but let's start by getting together some focus groups of enterprises large and small. Let's get them talking, building use-cases and then let's define products, services and operational strategy around that. Once you've got the thing going, let's talk about maintenance, management, and operationalizing the thing so that the number of systems submitting logs doesn't mysteriously drop over time, or the blinking alerts don't go un-noticed or un-actioned.

Maybe once we get past all the failed promises, we can start to develop real and useful tools that help security rather than hinder it. It's clear to me that enterprise security professionals spend way too much time fighting the technology that's supposedly helping them, which leaves little time to fight the actual bad guys. Security suffers from an operational problem, not a tools problem. The tools are there, just the operational processes and methodologies are missing, poorly developed, or just plain broken.

This thought needs further development - but this has been bugging me long enough so that I finally had to sit down and write it out. I hope you found some useful points amongst the ranting.

1 comment:

Jason Sievert said...

So I am in the middle of this battle right now. I have recently taken over a small shop as the whole IT department and have the opportunity and the management backing to fix a lot of what is missing. I have been reading your blog and listening to your podcast and there is a lot about how we as security professionals are doing to wrong but not a lot about how to do it right. Right now I have several log/SIEM solutions I am kicking the tires on but if SIEM is not the solution what is? How do I get out of this purgatory that the pundits have me in where there does not seem to be any hope of doing it right. What we need is less of doom and gloom but more of what we can do NOW to make it right.