Several people have asked for my feelings about the sale of Q1 Labs to IBM and Nitro Security to Intel/McAfee. In general, I can understand why Nitro and Q1 may have concluded that this is a good time to sell their businesses.
Personally, I classify these two companies as very good at what they do: watching for what I’d call ‘known threats’ as reported by other signature- and rule-based systems. At the same time, traditional SIEM vendors such as Q1 and Nitro face many stresses. I believe that both Nitro and Q1 are challenged by ongoing support for specific data types, by scalability, and by new threats, namely Advanced Persistent Threat (APT) style malware deposited on systems through social engineering, which can defeat signature- and rule-based systems. In my view, such APT style attacks have begun to marginalize the traditional SIEM, moving it from ‘solution’ to ‘tool’ status.
As Kelly Higgins wrote on Monday, “Traditional security information event management (SIEM) systems typically don’t detect a relentless targeted attack designed to avoid raising any red flags: they’re tuned to catch unusual activity, not stealthy attacks that hide behind legitimate user credentials or normal traffic.” (“APT Shaping SIEM,” Security Dark Reading, 10/3/2011)
This means that a SIEM would have to be able to monitor and alert on ‘normal traffic,’ which would mean much larger data sets and looking for patterns over very long periods of time. This is not what SIEMs were built to do. Retraining the SIEM to perform these new tricks in the short run will be painful for the companies and their customers.
To find attacks of this style, you need:
1. A system that supports data from IT operations, applications, and security systems to find abnormal patterns in context in very large data sets (terabytes and petabytes) — a big-data solution.
2. The opportunity for security and operations teams (not vendors) to define patterns of data that represent specific attack vectors prioritized against the enterprise’s most important data assets or services. This includes private data, intellectual property, and systems that support the enterprise’s core services. These systems directly affect the enterprise’s bottom line and reputation. This type of thinking is called Security Intelligence or what I like to call ‘thinking like a criminal.’
3. A flexible analytics command language that enables active searches of large data sets, watching for normal events that, when taken together over longer time periods, actually prove out as an attack pattern. Visualization of these incidents is extremely helpful for identifying outliers in these data sets.
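To make the third criterion concrete, here is an added illustration (my own example code, not a Splunk search or anything from Q1 or Nitro) of the long-window approach: every event is a successful access with valid credentials, so no single line trips a rule, but aggregating per user over days exposes an account whose usage drifts far from its own history. The log events, the user and host names, and the thresholds are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

def build_sample_log():
    """Constructed events (day, user, src_host, resource); each one is a
    successful, credentialed access and looks 'normal' on its own."""
    events, start = [], date(2011, 9, 1)
    for d in range(20):                                  # 20 days of baseline use
        day = start + timedelta(days=d)
        events += [(day, "alice", "ws-alice", f"finance/report-{d % 3}.xlsx"),
                   (day, "alice", "ws-alice", "finance/budget.xlsx")]
        if d % 4 == 0:                                   # a little natural variance
            events.append((day, "alice", "ws-alice", "finance/notes.txt"))
    day = start + timedelta(days=20)                     # day 21: same valid creds,
    for i in range(40):                                  # unfamiliar host, wide sweep
        events.append((day, "alice", "vpn-gw-7", f"shares/dept-{i // 5}/doc-{i}.docx"))
    return events

def daily_profile(events):
    """Per user, per day: distinct resources touched and source hosts used."""
    prof = defaultdict(lambda: defaultdict(lambda: {"res": set(), "hosts": set()}))
    for day, user, host, res in events:
        prof[user][day]["res"].add(res)
        prof[user][day]["hosts"].add(host)
    return prof

def find_outliers(events, min_history=7, sigma=3.0):
    """Flag (user, day, distinct_resources, new_hosts) when a day's distinct
    resource count sits far above the user's own history, or when access
    came from a host never seen before for that user. Thresholds are
    example assumptions, not a tuned recommendation."""
    findings = []
    for user, days in daily_profile(events).items():
        seen_hosts, history = set(), []
        for day in sorted(days):
            n = len(days[day]["res"])
            new_hosts = days[day]["hosts"] - seen_hosts
            if len(history) >= min_history:              # only judge against a real baseline
                limit = mean(history) + sigma * pstdev(history)
                if n > limit or new_hosts:
                    findings.append((user, day.isoformat(), n, sorted(new_hosts)))
            history.append(n)
            seen_hosts |= days[day]["hosts"]
    return findings

if __name__ == "__main__":
    for f in find_outliers(build_sample_log()):
        print("outlier:", f)
```

The per-user, per-day aggregation is the part a SIEM rule on a single event cannot express; in practice the baseline window would span weeks of data rather than the twenty constructed days used here.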
Splunk is the right solution, at the right time, for watching for these ‘unknown threats’: a Security Intelligence Solution, or a business intelligence solution given to the security team. It meets all of these criteria and also supports the core SIEM use case of watching for ‘known threats.’