Years ago, in a meeting at IBM, a bunch of us were pointing out that IT focused too much on backup speed and not enough of recovery. Some of the fastest backup products at the time did a terrible job of at actually getting files back. To us, the whole point of a backup was the capability to restore a file that was lost.
Security information event management (SIEM) software placed an emphasis on identifying threats, not eliminating them. Most IT managers therefore avoided SIEM products - and with good reason.
Well, McAfee just attempted to fix that problem with its latest release of Enterprise Security Manager (ESM).
Most SIEM Software Identifies Problems, But Won't Solve Them
SIEM sounded like such a great idea: A class of product that categorizes and identifies all the potential security threats inside an enterprise. No more would you wonder how secure you were. With a bit of money and effort, you would finally know just how unsecure you really were.
Why did IT executives run screaming from these products? Think about it: These systems would generate a report highlighting every single security exposure in a firm - but they wouldn't generate the budget or the capability to fix the problem. Rather than benefit a company, SIEM simply became a great way to assure that IT knew about problems but couldn't correct them in a timely manner.
Speaking of Threats...: Pull the Plug on Java Before It's Too LateRelated: Never Mind the Security Products, Educate the Users
While I'm sure a lot of CIOs occasionally wish they chose a different career path, a product that pretty much assures catastrophic changes to their career path isn't going to get them very excited. A product that categorizes all the problems you don't have the resources to fix is less than useful. As with the opening example of a fast backup product that can't restore, SIEM that doesn't include remediation - that can't fix problems it has found - is worthless to anyone except internal auditors.
McAfee's Goal: Actually Fix the Problems
McAfee has clearly realized two things: That trying to sell a product that puts a target on a CIO's back would be a short-lived endeavor and that an SIEM product that can't address the problems it identifies won't sell particularly well. So its latest offering focuses on actual attacks, not exposures, and includes a remediation component with a high probability of first stopping an attack in progress and then eliminating it.
Exposures are one thing. We live in a world where government class military organizations are funded, often by our own governments, to penetrate our security, and these organizations apparently aren't that secure themselves. This can lead to breaches with far greater impact on customers and corporate reputation than weve seen in the past.
McAfee's ESM collects and provides situational awareness of the enterprise by actively looking for behavior that could indicate an attack in progress. Within minutes, it then delivers not only the information that defines the attack but the suggested response. Critically, it can also access the systems that need to be adjusted to stop the attack. Instead of putting a target on the CIO's back, ESM instead provides the tools to turn the hacker into the target and eliminate the attack.
With Good SIEM Tools, It's All About Remediation
The company using an old-school SIEM product reminds me of the patient whose doctor provides a comprehensive list of all the things wrong with him, then pats him on the head and say "Good luck!" without discussing how to lower his blood pressure, lose weight and so on. Most companies already know they have a lot of exposures they don't have the funding to correct. What they need to know is which ones are being exploited and what tools to use to stop the attack.
This is far from the end-game. Future tools will likely not only provide the comprehensive exposures but an automated process to eliminate them before they can even attack. Until then, McAfee's ESM offering appears to be best in class and well worth checking out.
The lasting lesson: Just as backup should be mostly about recovery, SIEM should be mostly about remediation. That's the process that justifies the purchase.
Rob Enderle is president and principal analyst of the Enderle Group. Previously, he was the Senior Research Fellow for Forrester Research and the Giga Information Group. Prior to that he worked for IBM and held positions in Internal Audit, Competitive Analysis, Marketing, Finance and Security. Currently, Enderle writes on emerging technology, security and Linux for a variety of publications and appears on national news TV shows that include CNBC, FOX, Bloomberg and NPR.
Read more about cybercrime in CIO's Cybercrime Drilldown.