SIM and Log Management - endgame
Submitted by Mike Rothman on Wed, 2006-06-07 09:55.
I finally figured it out. I've been railing against SIM (security information management) for some time now, calling it a rear-view-mirror technology, etc. That's no secret. But I was still trying to pinpoint the root cause of my venom. Sure, I tend to be pretty grumpy, but I've been hard on SIM even by my standards.
This morning, after seeing a few different news pegs and having an old blog post jog my memory, I can finally coherently explain why I can't stand SIM. It has also led me to understand why log management is both a different category and something important.
It's about the customer. It's always about the customer. SIM has always targeted the wrong customer. Security administrators don't have the time (unless they work for a huge company) to analyze what has already happened. And the end output of the SIM offerings, which was basically reports, was of limited value. Most administrators had other means to figure out what was broken, and SIM just didn't add much value, certainly not for the cost and implementation heartburn that it entailed. As I mentioned in a recent Daily Incite, security folks fix things. We have a fancy term called remediation to describe it. They may need to generate reports for management, but that's not what they love to do.
But auditors and compliance-type folks are all about reports. They are not about remediation. They need artifacts of what has happened, and in many cases they have to look at the data forensically to piece together the circumstances around an issue. Log management solutions cater to these folks. They gather a crapload of log data while maintaining forensic integrity. They are even starting to add value by putting a reporting engine on top of it to provide the auditors with - you guessed it - a set of artifacts to show what has happened and how it proves compliance.
So if you are a SIM vendor, what the hell do you do now? Basically you better look like a log management vendor or you need to get into the remediation business. We are starting to see this already, with SenSage positioning more like log management and ArcSight buying a company to do some level of remediation. Network Intelligence has always focused on gathering data, so they are probably solving log management problems now - without really saying it. The other guys, well not so much.
Given the continued focus on compliance, there is a lot of running room for the log management business. For the time being, the auditors have money. The compliance budget is not long-lived, but for now take the money and run.
So now I can get off my horse about SIM and move on. Like many markets that I've tracked over time, they just targeted the wrong customer with a complex solution and never made it across the proverbial chasm. Goodbye SIM, I won't miss ya!
Right On...
So I have a vested interest in this argument... Saying that, you are right. These are two very different markets, not because we as vendors say so but because customers use the technologies differently. Compliance is a big driver. I was with an operations team this morning who dumped SIEM for LMI - not because SIEM was bad but rather it didn't do what they needed - deep and near instant forensics on mountains of log data coupled with SLA reporting.
You are right on the mark.
Forensic needs
I wonder at what point forensic log data, enough to satisfy auditors, is not enough to be accepted in court?
In order to be forensically defensible in court, it seems to me that the audit logs would have to be absolutely non-negotiable, or tamper-proof in every way. Not even the CSO or system administrator would be able to alter the logs. With that requirement, one is getting into the realm of trusted systems.
Is there any chance that when the s*** hits the fan in court, that many of these logging systems will not deliver the goods?
There is always the chance
Until something gets litigated and goes through the process, there is always the chance that data gathering techniques will not stand up in court. But the log management folks I've talked to all take hashes of each log record and secure them. So based on past precedent, I believe these approaches will hold up in court. But that's my opinion, given that judges and juries sometimes come to different conclusions.
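The "take hashes of each log record and secure them" approach from the reply above, and the tamper-proofing concern raised in the "Forensic needs" comment, can be illustrated with a hash chain. The following is an added example, not code from the post or from any of the vendors it names; the record format, the genesis value and the sample log lines are all constructed here. Each record's hash covers the previous record's hash, so altering, reordering or deleting a record breaks every hash after it. The one thing the chain alone cannot catch is truncation at the tail, which is why the current head hash has to be escrowed somewhere the log administrator cannot write (a separate system, a signed timestamp, a printed sheet handed to the auditor); the example shows both the detection that works and the gap that remains without that escrow.

```python
import hashlib

# Fixed starting value for the chain (constructed for this example).
GENESIS = "0" * 64

# Constructed sample log lines; any text records would do.
SAMPLE_LOG = [
    "2006-06-07T09:55:01 sshd[812]: Accepted publickey for alice from 10.0.0.5",
    "2006-06-07T09:56:14 sudo: alice : COMMAND=/bin/cat /etc/shadow",
    "2006-06-07T09:57:30 sshd[812]: session closed for user alice",
]


def record_hash(prev_hash: str, line: str) -> str:
    """Hash of one record, bound to its predecessor's hash.

    The separator stops a record boundary from being shifted without
    changing the digest.
    """
    data = prev_hash.encode("utf-8") + b"\n" + line.encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def build_chain(lines):
    """Turn a list of log lines into hash-chained records."""
    chain = []
    prev = GENESIS
    for line in lines:
        h = record_hash(prev, line)
        chain.append({"line": line, "prev": h and prev, "hash": h})
        prev = h
    return chain


def head_hash(chain) -> str:
    """Value to escrow off-box after each batch; GENESIS for an empty log."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain, expected_head=None):
    """Recompute every link.

    Returns (True, None) if the chain is intact, otherwise (False, i)
    where i is the index of the first bad record. If expected_head is
    given, a chain that is internally consistent but ends at a different
    hash (e.g. records dropped from the tail) fails with i == len(chain).
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != record_hash(prev, rec["line"]):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def tamper_report(original_lines, tampered_chain, escrowed_head):
    """Convenience wrapper: human-readable verdict for a chain under review."""
    ok, idx = verify_chain(tampered_chain, escrowed_head)
    if ok:
        return "intact"
    if idx == len(tampered_chain):
        return "truncated: chain is consistent but does not reach the escrowed head"
    return f"record {idx} altered or out of order"


if __name__ == "__main__":
    chain = build_chain(SAMPLE_LOG)
    head = head_hash(chain)
    print("escrow this head hash:", head)

    edited = [dict(r) for r in chain]
    edited[1]["line"] = "2006-06-07T09:56:14 sudo: alice : COMMAND=/bin/ls"
    print("edited record:", tamper_report(SAMPLE_LOG, edited, head))

    truncated = chain[:-1]
    print("dropped tail, with escrow:", tamper_report(SAMPLE_LOG, truncated, head))
    print("dropped tail, no escrow:", verify_chain(truncated))
```

Note that without the escrowed head, `verify_chain(truncated)` reports the shortened log as intact: an administrator who can rewrite the whole file can also rebuild the chain from any point. The chain makes tampering detectable only relative to a head value held by someone else, which is the practical answer to the "not even the CSO or system administrator" requirement above.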