McAfee Moves to Redefine SIEM, Enterprise Security

Years ago, in a meeting at IBM, a bunch of us were pointing out that IT focused too much on backup speed and not enough on recovery. Some of the fastest backup products at the time did a terrible job of actually getting files back. To us, the whole point of a backup was the capability to restore a file that was lost.

Security information and event management (SIEM) software placed an emphasis on identifying threats, not eliminating them. Most IT managers therefore avoided SIEM products - and with good reason.

Well, McAfee just attempted to fix that problem with its latest release of Enterprise Security Manager (ESM).

Most SIEM Software Identifies Problems, But Won't Solve Them

SIEM sounded like such a great idea: A class of product that categorizes and identifies all the potential security threats inside an enterprise. No more would you wonder how secure you were. With a bit of money and effort, you would finally know just how insecure you really were.

Why did IT executives run screaming from these products? Think about it: These systems would generate a report highlighting every single security exposure in a firm - but they wouldn't generate the budget or the capability to fix the problems. Rather than benefit a company, SIEM simply became a great way to ensure that IT knew about problems but couldn't correct them in a timely manner.


While I'm sure a lot of CIOs occasionally wish they had chosen a different career path, a product that pretty much ensures catastrophic changes to their career path isn't going to get them very excited. A product that categorizes all the problems you don't have the resources to fix is less than useful. As with the opening example of a fast backup product that can't restore, a SIEM that doesn't include remediation - that can't fix the problems it has found - is worthless to anyone except internal auditors.

McAfee's Goal: Actually Fix the Problems

McAfee has clearly realized two things: Trying to sell a product that puts a target on a CIO's back would be a short-lived endeavor, and a SIEM product that can't address the problems it identifies won't sell particularly well. So its latest offering focuses on actual attacks, not exposures, and includes a remediation component with a high probability of first stopping an attack in progress and then eliminating it.

Exposures are one thing. We live in a world where government-class military organizations are funded, often by our own governments, to penetrate our security, and these organizations apparently aren't that secure themselves. This can lead to breaches with far greater impact on customers and corporate reputation than we've seen in the past.


McAfee's ESM collects event data and provides situational awareness of the enterprise by actively looking for behavior that could indicate an attack in progress. Within minutes, it then delivers not only the information that defines the attack but also the suggested response. Critically, it can also access the systems that need to be adjusted to stop the attack. Instead of putting a target on the CIO's back, ESM provides the tools to turn the hacker into the target and eliminate the attack.

With Good SIEM Tools, It's All About Remediation

The company using an old-school SIEM product reminds me of the patient whose doctor provides a comprehensive list of all the things wrong with him, then pats him on the head and says "Good luck!" without discussing how to lower his blood pressure, lose weight and so on. Most companies already know they have a lot of exposures they don't have the funding to correct. What they need to know is which ones are being exploited and what tools to use to stop the attack.


This is far from the endgame. Future tools will likely not only provide the comprehensive list of exposures but also an automated process to eliminate them before they can even be exploited. Until then, McAfee's ESM offering appears to be best in class and well worth checking out.

The lasting lesson: Just as backup should be mostly about recovery, SIEM should be mostly about remediation. That's the process that justifies the purchase.

Rob Enderle is president and principal analyst of the Enderle Group. Previously, he was the Senior Research Fellow for Forrester Research and the Giga Information Group. Prior to that he worked for IBM and held positions in Internal Audit, Competitive Analysis, Marketing, Finance and Security. Currently, Enderle writes on emerging technology, security and Linux for a variety of publications and appears on national news TV shows that include CNBC, FOX, Bloomberg and NPR.
