Bill Roth, Ulitzer Editor-at-Large


What does the “S” stand for?

By Gary Hemminger, VP of Product Management

Senator monitoring developments on SecurID safety

“May 31 (Reuters) - A U.S. Senate committee that oversees Internet policy is closely monitoring news that has raised concerns about the reliability of widely used technology from EMC Corp (EMC.N) for securing access to corporate computer networks.”

The strange thing about these incidents is that RSA is the owner of enVision, which is specifically made to prevent security breaches. I assume that RSA is using its own technology, and if not, then it might be good to get an explanation from them of why they weren’t using it, and their plan (if any) to use their SIEM technology to protect their own intellectual property (as well as that of their customers).

It seems right to assume that RSA is using their own technology and that this technology failed. This latter part does not surprise me.

SEM technology (especially real-time correlation) is perhaps the least cost-effective technology I have ever seen in the IT and Security space. People spend huge amounts of dollars on this technology, then a lot of sophisticated labor trying to tune down the massive false positives it creates, and then have to keep doing this over and over to get anything useful out of the product. Then a sophisticated hacker comes in and nails the organization and maybe, just maybe, the SEM might produce some kind of alarm that is either ignored or doesn’t really pinpoint the issue until well after the breach occurs. The response to this from the real-time correlation vendors is to spend more money and more time trying to find the signature of this hack, which, of course, won’t occur again.

What is worse is that customers spend so much time trying to get event correlation to produce anything valuable that they don’t (and can’t cost-effectively) get the vast majority of their IT data into a centralized system. This means that after a breach, the SEM product is not capable of doing real forensics, because they’ve usually thrown the underlying log and IT data away.

In my opinion, customers should focus on compliance as this is the best way to reduce business risk. Focusing on real-time correlation is a great way for organizations to take their eye off the ball and spend a lot of money with little return. This is the dirty little secret of the SIEM space.


Bill Roth is a Silicon Valley veteran with over 20 years in the industry. He has played numerous product marketing, product management and engineering roles at companies like BEA, Sun, Morgan Stanley, and EBay Enterprise. He was recently named one of the World's 30 Most Influential Cloud Bloggers.