Security Predictions for 2009

It is the time of the year when everyone publishes their predictions for the upcoming year. In past years, I have refrained from publishing my own predictions. This year I am going to change that and I will take a stab. I don’t have any earth-shattering things to say and I am covering quite a broad set of topics. Anyway, maybe you find one or two interesting things:

  • Security and IT spending: Security projects have never been the ones that were easy to fund (except right after a big worm outbreak, which we haven’t had in years). With the current economic situation, the security budgets for 2009 are not going to be any easier to justify. Therefore, we will see a convergence of projects. Security is going to piggy-back on other IT projects, for example, change management. CM is an integral part of a lot of security requirements, such as PCI. Visibility into the IT infrastructure is another project that will help fund security. SIM, SEM, SIEM, or ESLIM (no kidding, this exists! It wasn’t me. Blame the 451 group!) will need to extend their messages and capabilities to show how they can help provide visibility into the complete IT environment. IT search is going to be especially well situated for that.
  • Security ROI: Calculating an ROI for security is hard. It’s an often-discussed topic among security experts. 2009 is not going to give us yet another formula to compute the ROI. However, as mentioned earlier, security will be used as an opportunity to optimize IT. Questions like “How can you do more with less?” will be used to compute an ROI. A lot of companies have consolidation on their agendas for the new year. 75% of the solutions and tools will be eliminated. The tasks of those tools will have to be covered with the remaining 25%. A great opportunity for security monitoring tools to broaden their footprint.
  • Metrics: 2008 was supposed to be the year of risk management. I didn’t feel much of that. Or have you seen a push in risk management products? 2009 is going to be the year of metrics. People have to measure things. Not necessarily pure security metrics, but IT metrics, such as productivity, resources, MTTI, etc. Products will have to show actual, measurable benefits. It’s all about cost and how to reduce it. Without metrics you cannot assess how much a tool helps you save.
  • More visibility: It is amazing, but a lot of companies don’t even know what assets/machines they operate. How can you do anything without that information? And that is just the tip of the iceberg. IT needs more visibility. What is running where? How well are things running? How efficient? This plays into Green IT also, where you need to know how well servers are utilized, how much power they consume, and what the temperature is across the data center. Visibility also includes things like identity management. We need to know who executed a task or committed a transaction. It’s not of much use if we know that a certain machine attacked us. We want to know who is behind the activity. The question in 2009 is going to be how to integrate your asset management and IdM into your monitoring infrastructure.
  • Consolidation: We have seen acquisitions happen all through 2008. There will be many more. Just along the lines of the security initiatives being coupled closer and closer with IT initiatives, products/companies will be merging.
  • Visualization market/tools: What will be going on in the visualization market? Not too much. People are not ready. A lot of companies are still struggling with centralizing IT data. They are starting to use the data to troubleshoot problems. Beyond that, advanced analytics, such as visualization, are not commonly used yet. On the brighter side, new tools will enter the market. DAVIX will come out with a new release, hopefully early 2009. This will help make visualization available to the broader masses. The new release is going to have Splunk integrated, which should help manage all the IT data! In addition, a slew of new visualization tools will be available in the distro. Hopefully, this will help broaden the security visualization community.
  • Interoperability: This is a topic that I am fairly passionate about. I have been doing quite a lot of work on the topic of how to get machines to talk to each other through events, logs, and generic IT data. Recently a new syslog RFC was published. I was much too late to actually comment on it. It has good intentions, but it is definitely not what I would like it to be. CEE is still alive, despite the lack of new publications. 2009 will bring us at least one release of one of the sub-standards. If I had to take a guess it would be the syntax and accompanying dictionary. Well, maybe just the dictionary. And we will definitely start collecting log recommendations. That will happen very soon now!
  • No data sets: Over many years, we have been facing a huge problem in the research arena. Nobody has solved it yet. It’s the problem of data sets. Researchers need data sets to verify their algorithms and approaches. Guess what, 2009 will not solve this. Unless someone comes up with a really great way of anonymizing data, data sets will not be shared. People are not sharing their logs without being absolutely sure that there is no confidential data leaking. I have a feeling that we will be able to solve this only with cryptography. Something along the lines of secure voting schemes, where the analysis would happen on encrypted data. But how do you do that? I have no idea. Until then, people will keep doing verification and analysis on synthetic, old, and irrelevant data sets.
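The last item asks for a way to share logs without leaking confidential data. The following is an added example, not code from the original post or from Splunk, showing the most common partial answer in practice: keyed-hash pseudonymization. User names and IP addresses are replaced with HMAC-derived tokens, so the same source maps to the same token throughout one data set (session and frequency analysis still work) while the original values cannot be recovered without the secret. The log lines and the secret are constructed for the example; the field patterns assume sshd-style messages.

```python
import hmac
import hashlib
import re

# Constructed sample log lines (not real data).
SAMPLE_LOGS = [
    "Dec 10 10:01:02 fw01 sshd[2231]: Accepted password for alice from 10.1.2.3 port 51234",
    "Dec 10 10:01:05 fw01 sshd[2240]: Failed password for bob from 192.0.2.44 port 51290",
    "Dec 10 10:02:17 fw01 sshd[2251]: Accepted password for alice from 10.1.2.3 port 51301",
]

# Dotted-quad IPv4 addresses; user names as they appear in sshd messages.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_RE = re.compile(r"\bfor (\S+) from\b")
TOKEN_RE = re.compile(r"\b(?:ip|user)_[0-9a-f]{12}\b")


def pseudonym(secret: bytes, value: str, length: int = 12) -> str:
    """Keyed hash of a field value.

    Same secret + same value -> same token, so joins and counts across the
    shared data set still work. Without the secret, the token cannot be
    inverted, and a new secret per released data set prevents linking
    tokens across releases.
    """
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:length]


def anonymize_line(secret: bytes, line: str) -> str:
    """Replace user names and IP addresses in one line with pseudonym tokens."""
    # User names first: their pattern depends on the surrounding words.
    line = USER_RE.sub(lambda m: f"for user_{pseudonym(secret, m.group(1))} from", line)
    # Then every IPv4 address, wherever it appears.
    line = IP_RE.sub(lambda m: f"ip_{pseudonym(secret, m.group(0))}", line)
    return line


def anonymize(secret: bytes, lines):
    """Pseudonymize a whole data set with one secret."""
    return [anonymize_line(secret, line) for line in lines]


def has_raw_ip(line: str) -> bool:
    """True if a dotted-quad address survived (a leak check before sharing)."""
    return IP_RE.search(line) is not None


def tokens(line: str):
    """Pseudonym tokens present in a line, in order of appearance."""
    return TOKEN_RE.findall(line)


if __name__ == "__main__":
    # Constructed secret for the demo; a real one is a fresh random key per release.
    demo_secret = b"constructed-demo-secret-0123456789abcdef"
    for out in anonymize(demo_secret, SAMPLE_LOGS):
        print(out)
```

This deals with the direct identifier leak the author describes, but it is not the full solution he is asking for: a small value space such as IPv4 lets anyone who learns the secret rebuild the mapping by hashing every address, timing and message structure remain visible, and rare events can still be re-identified from context. That gap is why the "analysis on encrypted data" idea in the text is the interesting direction.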

By Raffael Marty

Splunk