
Several people have asked for my feelings about the sale of Q1 Labs to IBM and Nitro Security to Intel/McAfee. In general, I can understand why Nitro and Q1 may have concluded that this is a good time to sell their businesses.
Personally, I classify these two companies as very good at what they do: watching for what I’d call ‘known threats’ as reported by other signature- and rule-based systems. At the same time, traditional SIEM vendors such as Q1 and Nitro face many stresses. I believe that both Nitro and Q1 are challenged by ongoing support for specific data types, by scalability, and by new threats, namely Advanced Persistent Threat (APT) style malware deposited on systems through social engineering, which can defeat signature- and rule-based systems. In my view, such APT-style attacks have begun to marginalize the traditional SIEM, moving it from ‘solution’ to ‘tool’ status.
As Kelly Higgins wrote on Monday, “Traditional security information event management (SIEM) systems typically don’t detect a relentless targeted attack designed to avoid raising any red flags: they’re tuned to catch unusual activity, not stealthy attacks that hide behind legitimate user credentials or normal traffic.” APT Shaping SIEM, Security Dark Reading, 10/3/2011.
This means that a SIEM would have to be able to monitor and alert on ‘normal traffic’, which would mean much larger data sets and looking at patterns over very long periods of time. This is not what SIEMs were built to do. Retraining the SIEM to perform these new tricks in the short run will be painful for the companies and their customers.
To find attacks of this style, you need:
1. A system that supports data from IT operations, applications, and security systems to find abnormal patterns in context in very large data sets (terabytes and petabytes): a big-data solution.
2. The opportunity for security and operations teams (not vendors) to define patterns of data that represent specific attack vectors prioritized against the enterprise’s most important data assets or services. This includes private data, intellectual property, and systems that support the enterprise’s core services. These systems directly affect the enterprise’s bottom line and reputation. This type of thinking is called Security Intelligence or what I like to call ‘thinking like a criminal.’
3. A flexible analytics command language that enables active searches of large data sets, watching for normal events that, when taken together over longer time periods, actually prove out as an attack pattern. Visualizing these incidents is extremely helpful for identifying outliers in these data sets.
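The third requirement is the one most easily shown in code. The following added example is mine, not Splunk’s or the author’s: it runs over constructed login events in which every line is a successful login, so no single event would trip a signature or rule, then baselines each user’s daily fan-out (distinct hosts logged into) over a long window and flags only the days that stand out against that user’s own history.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample events (not real logs). Every line is a successful login:
# individually normal, so a per-event rule has nothing to fire on.
EVENTS = []
for day in range(1, 31):
    for user, hosts in (("alice", 2), ("bob", 3)):
        for h in range(hosts):
            EVENTS.append(f"2011-09-{day:02d}T09:00:00 user={user} action=login "
                          f"dst=srv-{h:02d} status=success")
# In the last five days alice quietly fans out to ten more servers, after hours.
for day in range(26, 31):
    for h in range(2, 12):
        EVENTS.append(f"2011-09-{day:02d}T22:{h:02d}:00 user=alice action=login "
                      f"dst=srv-{h:02d} status=success")

LINE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) "
                  r"action=login dst=(?P<dst>\S+) status=success$")


def daily_fanout(events):
    """Return {user: {date: number of distinct hosts that user logged into}}."""
    hosts = defaultdict(lambda: defaultdict(set))
    for line in events:
        m = LINE.match(line)
        if m:
            hosts[m["user"]][m["date"]].add(m["dst"])
    return {u: {d: len(s) for d, s in days.items()} for u, days in hosts.items()}


def find_outliers(events, baseline_days=20, factor=3):
    """Compare each user's recent daily fan-out with that user's own long baseline.

    The baseline is the median fan-out over the first `baseline_days` days;
    later days exceeding `factor` times the median are returned as
    {user: [dates]}. Users with no such days are omitted.
    """
    flagged = {}
    for user, per_day in daily_fanout(events).items():
        dates = sorted(per_day)
        base = median(per_day[d] for d in dates[:baseline_days])
        hits = [d for d in dates[baseline_days:] if per_day[d] > factor * base]
        if hits:
            flagged[user] = hits
    return flagged


if __name__ == "__main__":
    print(find_outliers(EVENTS))  # only alice, only 2011-09-26 .. 2011-09-30
```

The same idea scales to any count that is individually unremarkable (bytes out, distinct destinations, off-hours logins) as long as the window is long enough for the baseline to mean something.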
Splunk is the right solution at the right time for watching for these ‘unknown threats’: a Security Intelligence solution, or a business intelligence solution given to the security team. It meets all these criteria and also supports the core SIEM use case of watching for ‘known threats.’