Security Intelligence != SIEM

Ed Bellis    March 5, 2012

I’ve just returned from RSA, BSides and Metricon and thought I would pen a few of my thoughts while they’re still fresh in my mind.

On Monday I had the privilege of participating in a panel on Data Driven Security at Metricon 6.5. Scott Crawford moderated and has a great blog series on data driven security. It was an interesting group of backgrounds between myself, Mark Clancy, Chris Eng, Micha Govshteyn and Martin McKeay. Some of the participants were further along in their analysis of the data they were collecting while some had a volume of data (Akamai) most of us could only dream of. While I don’t think there was anything too surprising that transformed from the panel, the final question from Russell Thomas was the exception. Russell asked, and I’m paraphrasing, if we had one new open job req we could hire for right now, how many of us would hire someone dedicated to this topic. What surprised me the most wasn’t the question but roughly half the panel including myself answered yes.

We are very dedicated to data-driven security and have very specific use cases that we are building into our product. I went in to Metricon worried that security intelligence would be more talking about SIEM or the various ‘State of the Industry’ reports published by several security vendors. While I don’t have an issue with those solutions and actually appreciate several of the published reports, utilizing big data in security can and should go well beyond these. One useful way we see to use this data as part of a decisioning system is through prioritization.

For example: if I have one million identified security risks, realistically I have little chance of remediating everything. How do I decide what’s most important? As a service provider that has visibility across many organizations, we can take into account a lot of different factors to help determine when someone becomes a ‘target of opportunity’ including postures across these issues as well as threat data across both public and private networks. This, of course, is one of MANY examples on how you can feed security and operational data into a system that helps make smarter security decisions.

While I was pleasantly surprised to not be talking about SIEM at Metricon, walking the show floor at RSA brought all my fears back and then some. Big Data was a huge topic at RSA but as mentioned by the guys at Securosis, there was a lot of repurposing of existing products like SIEM. As I mentioned to a coworker as we walked the floor, “it’s like Vegas minus the fun.”

RSA aside, there are plenty of examples out there of using large amounts of data in the real world to aid decisioning systems. One shining example is what Preston Wood and the team over at Zions Bancorporation are doing. They have taken security intelligence way beyond SIEM. Imagine taking these capabilities and setting them atop data that Akamai or other large service providers may house. Additionally, if you haven’t seen the post by Ben Sapiro yet, go check it out. While it’s not focused on big data in security, he talks a lot about analytics and at the end of the post lists a LOT of real world metrics anyone can start with to improve their program.

2 thoughts on “Security Intelligence != SIEM

  1. Pingback: Prioritizing Vulnerability Remediation

  2. Pingback: The Top 10 Risk I/O Blog Posts of 2012 | The Risk I/O BlogThe Risk I/O Blog

Leave a Reply

Your email address will not be published. Required fields are marked *