I finally figured it out. I've been railing against SIM (security information management) for some time now, calling it a rear-view-mirror technology, etc. That's no secret. But I was still trying to pinpoint the root cause of my venom. Sure, I tend to be pretty grumpy, but I've been hard on SIM even by my standards.
This morning, after seeing a few different news pegs and having an old blog post jog my memory, I can finally coherently explain why I can't stand SIM. It has also led me to understand why log management is both a different category and something important.
It's about the customer. It's always about the customer. SIM has always targeted the wrong customer. Security administrators don't have the time (unless they work for a huge company) to analyze what has already happened. And the end output of the SIM offerings, which was basically reports, was of limited value. Most administrators had other means to figure out what was broken, and SIM just didn't add much value, certainly not for the cost and implementation heartburn it entailed. As I mentioned in a recent Daily Incite, security folks fix things. We have a fancy term, remediation, to describe it. They may need to generate reports for management, but that's not what they love to do.
But auditors and compliance-type folks are all about reports. They are not about remediation. They need artifacts of what has happened, and in many cases they have to look at the data forensically to piece together the circumstances around an issue. Log management solutions cater to these folks. They gather a crapload of log data while maintaining forensic integrity. They are even starting to add value by putting a reporting engine on top of it to provide the auditors with (you guessed it) a set of artifacts to show what has happened and how it proves compliance.
So if you are a SIM vendor, what the hell do you do now? Basically, you'd better look like a log management vendor or get into the remediation business. We are starting to see this already, with SenSage positioning itself more like log management and ArcSight buying a company to do some level of remediation. Network Intelligence has always focused on gathering data, so they are probably solving log management problems now, without really saying it. The other guys, well, not so much.
Given the continued focus on compliance, there is a lot of running room for the log management business. For the time being, the auditors have money. The compliance budget is not long-lived, but for now take the money and run.
So now I can get off my high horse about SIM and move on. Like many markets I've tracked over time, the SIM vendors targeted the wrong customer with a complex solution and never made it across the proverbial chasm. Goodbye SIM, I won't miss ya!