SIEM is moving on up

ArcSight got acquired by HP last year.  Now McAfee has Nitro Security and IBM gobbled up Q1 Labs.  Who said SIEMs were not allowed in the cool kids club? SIEM is short for Security Information and Event Management.  Basically, they are high-volume correlation engines where you can dump logs from across your network and have the system make security decisions for you.

If you are doing network security work in the enterprise and do not have a SIEM, your CIO or CISO will be asking you if you need one very soon.  With product lines in hand, you can be sure these large vendors will be looking to expand their footprint inside your organization.  And my response is to choose your flavor and hop on the train!  It will be a great ride with the right people and processes in place.

Hopefully, enterprises will realize that this market is not like other security markets.  So many CISOs want a tool they can purchase that makes the enterprise more secure without additional headcount.  Just not going to happen.  Why?

SIEM technology is all about people and process.  You get out what you put in and not a nickel more.  If an Outbound Network Sweep happens in the enterprise and no one sees the alert, it didn't happen.

It is very important to hire analysts along with a shiny, new SIEM.  Event correlation and Incident Response are at the heart of these systems.  Insight and Warning should come out of a SIEM and not just Information.  This is part of what some in the industry call Security Intelligence.

Make sure to read some of the work by Mike Cloppert, Richard Bejtlich and other leaders in the Incident Response and Computer Network Defense area.  While they do not tout themselves as SIEM experts, these two guys will really give you a head start on any SIEM implementation.