More information on the conference can be found here: http://www.securitybsides.com/w/page/50371774/BSidesAustin2012

I’m honored that my friends (special nod to Richard Bejtlich) over at Mandiant have invited me to participate in their second annual Incident Response Conference (MIRcon).  

I’ll be participating in a couple of different panel discussions on the “Management Track” at MIRcon.  These include topics like career growth for Incident Responders and discussions around insourcing/outsourcing for CIRT.  

I’d highly encourage anyone in the area (Alexandria, VA) on Oct 11, 12th to attend these sessions.  Mandiant does a great job putting the right audience(s) together with engaging topics.  Scheduled keynote sessions from Richard A. Clarke and Michael Chertoff should not be missed!  Of course I’ll be sure to share my thoughts post-MIRcon in the visiblerisk blog and I’ll tweet (@rockyd, @visiblerisk) and probably try out Google+ to relay thoughts and lessons learned during the conference.

The thought that still resonates with me after Bsides is the personal nature of the conference.  It’s the family atmosphere, the relationships that get built or strengthened.  There was one talk in particular that echoed that sentiment very closely.   Sec Burnout.  A panel discussion with Jack Daniel, Josh Corman, Martin McKeay, Stacy Thayer, Gal Shpantzer and of course the audience. 

Prior to the talk the team did a basic survey and received 400 responses to their survey, which indicates to me great interest in the topic.  Perhaps its the stage of life I’m in or the struggles I’ve faced over the years but for me personally the technical/numerical results of the survey weren’t all that exciting.  Yes people are stressed, yes they take their job seriously, yes life could be better, but what got me hooked were the personal stories that followed.  Certainly this isn’t a topic limited to our career field but it may have been the first time people in our field were comfortably enough to talk about it openly.  They aren’t my stories to share so I won’t do them an injustice but I’ll just say it was powerful to watch and feel everyone react to these topics, specifically the downfall that can occur because of depression and how our coping mechanisms are broken at times. 

In all honesty I would have changed this session from sec burnout to “lean on me” because in the end that is exactly what it came to.  Build a community of friends and interact with them on a consistent basis (I fail at this miserably).  Many of us are empathetic and it can help to share the burden with others, if only to discover you’re not alone or that there might be alternate perspectives to consider.  For me this seems exactly like the transition I made when I left the military/intel fields.  I spent years dealing with stuff I couldn’t share with anyone, other than those that shared the mission with me.  It took years to normalize and learn I could be even better with the help of others.  How my wife puts up with me I’ll never know.  anyway…  The point is the same some of us are conditioned to not share, for various reasons and over time that winds up hurting us and those around us.  This was a stark reminder that many people share this or similar personality trait and that a simple act of human interaction can serve as a catalyst for growth.

Our Industry isn’t alone – I imagine many others suffers from this.  I see it in the LE and Medical fields and of course in the Military/Intel field -  anytime you internalize a sense of ownership that we all take in our work and the privacy or at times secrecy that is required in our work live things get hairy.  Sharing intimate details goes against our very nature. We all have periods of time where we fail to recognize is the value gained from sharing and we try to go it alone. You can have all the greatest coping mechanisms in the world but there will be times when the challenge(s) you face is/are too much for you to handle by yourself.  This talk was simply to state – there are others out there that feel the same way and we’re all willing to listen and help (and we might need you to do the same one day).

This session is what made BSides for me.  Technical details are nice and learning is good, but what makes us great is supporting each other and pushing each other to be better – as people.  

Back in April I suggested the following to EMC/RSA in response to the acquisition of NetWitness:

 

“My advice to EMC is very simple.  Let NetWitness run wild.  It’s a family that can deliver you to greatness if you allow them to lead the way.  Amit Yoran, Tim Belcher and the entire team at NetWitness deserve your complete attention and support.  NetWitness has accomplished amazing things because from day one they understood the simple fact that the data is important but being able to understand and interact with the data is crucial.”

Fast forward to today, just 4 months after the deal was announced and NetWitness is already introducing an entirely new product, interestingly named (at least to me)* NetWitness Panorama.  Wow.  If I was the acquiring organization I can’t begin to imagine a better scenario than the team we brought in to solve a particular market segment continuing to kill their core market and then getting comfortable enough to branch out and address an even broader market in a very meaningful manner. 

NetWitness develops products based on the core belief that the analyst needs to interact with the data, not just have it and/or search it, but to truly be able to use the information in a manner they choose.  This has always set them apart from their competition.  Using that framework they were able to quickly innovate and execute.  This is exactly how this sort of things should occur and I applaud RSA for allowing this to happen! 

The most important piece by-product of this announcement is that NetWitness is showing the world that they have RSA’s full attention and support.   Whether that support within RSA was “given freely” or “aggressively taken” doesn’t matter, it is externally obvious that Amit, Tim and the team are serious about making RSA a better security company.  I don’t think this point can be overstated, by allowing NetWitness to simply do it’s thing, RSA is a better company in terms of market trust, product functionality and applicability and ultimately in future earnings. 

About Panorama:  Very few companies get a “flyer” from me about code not in GA yet, but I think we can all agree NetWitness lives up to it’s promises so I’m more than willing to take them at their word for now (I’ll verify it later). Here is what I understand so far about the product.   

Analytics:  Pivot just like NW Investigator through logs.  Imagine that an analytical technique that uses the context of the data at the core of the process instead of as an afterthought to having logs and figuring out what you want to do with them.

Context: View Log information and NetWitness Meta in the same window and pivot amongst them?  Pretty sweet.  

Reporting:  Nothing of note in the PR but I’m sure extensive reporting won’t be far behind but instead of 1000+ reports that are possible I’m hoping they’ll focus on the “n” that might actually matter to someone.

Integration:  As the very carefully worded* press release notes there this new product ill have to play nice with EnVision for some time period.  Seems Envision 4.1 release includes code that allows for the products to work in conjunction with one another.  EnVision pulling the various data sources into Panorama for instant and detailed analysis. There is probably an entire suite of RSA technologies that can benefit from output or provide input into this product.  I don’t think technology is a hurdle there.  Should be quite interesting to watch this product evolve over time.

Speeds and feeds: From what I’ve come to understand from the team the speed of ingest/interaction will be very concerning to the competition.  When I can get my hands on it I’ll be happy to confirm those details with more specifics.  

The Press release indicates 10X search responsiveness over EnVision alone.  I never like multiplying by 0 but in this case I’ll take it to mean that with the information available in NW you’ll be able to use it immediately and extensively without having to wait hours.

I don’t yet have confirmation as to whether or not there will be a Freeware / Personal use version made available (hint, hint) but I’m hopeful that they’ll follow what both Splunk and ArcSight’s did in that regard and continue to support the vast freeware community NetWintess has cultivated over the years.

Availability:  Q4 (after Beta period in Q3).  I’ll revisit this once it hits GA and give more feedback on likes/feature requests.

All in all – I’m surprised and very happy for both teams.  Sounds to me like the stars aligned fairly well thus far and I’m hopeful that trend will continue to gain momentum!

*Quirky Note:  The name Panorama should get a nice rise out of the ArcSight/HP Team – at least those that took the time to comprehend what the ArcSight name/logo represent.  It is a direct shot across the bow so to speak.

*The PR is overflowing with concepts I’d love to dig into - words like “module” versus product and then fully describing vastly different deployment scenarios ranging from “augmenting” EnVision to working independant of SIEM altogether.   It will be interesting to watch where this heads over time. 

I’ve been in the shoes of the vendor many times and I’m sure any day now I’ll be back on the street representing a vendor and selling myself to all of you again, but as always - I fight for the user!

The following are direct quotes from some of my calls this week and some of the more interesting miscommunications that occurred (at least in my head).  

Vendor Says:  “We’re meant to be deployed tactically on critical systems.”

The realist in me hears: Our product is not scalable.

The hopeful in me hears:  The product has yet to be tested enough in large scale environments and the engineers will kill me if I over-promise.

Vendor Says: “Our product has many applications”

Realist: The company lacks focus and doesn’t understand who they are selling too.

Hopeful: Pieces of this product might actually fit into multiple markets if combined with “x” technology - there are possibilities here.  I just wish they’d pick a market.

Vendor Says: “We’ll integrate with anything”

Realist: There is no strategy around integration.  This could end very poorly for everyone.

Hopeful: Flexibility is good for gymnasts maybe it works for products too.

Vendor Says: “Good question, yes we do that.  That’s a good introduction into my demo”

Realist: No, No you don’t and here is why you couldn’t possibly do that …. 

Hopeful: I’m not sure you actually heard me, but perhaps I can divine an answer from whatever I can grok from your .ppt demo. (ugh)

Vendor Says: We don’t compete with product “x”, we think there is room for everyone in the enterprise to co-exist and augment one another

Realist: You don’t understand your competition well enough.

Hopeful: At least they didn’t bad mouth their competition (yet).

Vendor Says: “We’re the first and only”

Realist: You’re not nearly as bright as I had hoped.  Please do not waste too much more oxygen.

Hopeful: I wonder if Angry Birds could do a enterprise/vendor based spin-off - Angry customers would fling bundles of $ at the problem in a exhausting exercise of futility.

Vendor Says:  “We lead the market in …”

Realist: I’m sorry I can’t hear you over the feces spewing in here. 

Hopeful: Interesting spin your marketing team put together I wonder if they could come talk to my mgmt.

Vendor Says: “Both of our customers tell us that our competition is flawed because … “

Realist: <a fit of rage ensues> 

Hopeful: You’ll learn to focus on your own strengths.  Maturity is a wonderful thing.

I love the vendors that are just honest.  My favorite quote comes from a previous employer ” We do what we do and we suck less at it” or more to the point “Here is what we do and if you’re interested here is how we do it”.  These vendor pitches should be conversations and not aloof presentations.  Understand that someone in your audience may actually care about what you’re saying but you’ll turn them off in an instant if you push too hard.

About Rocky

I’m really glad SANS tested out Live Streaming for this event and I hope they’ll make it available at all future Summit and What Works Events.  The combination of Streams and Twitter (#DFIRsummit) with these topics works fantastically well to encourage interaction and even more robust discussions.  I found myself equally engrossed by the presenter and the twitter conversations – that’s a good sign.

I’ll apologize ahead of time to the presenters, panelists and people involved.  There is no way in one blog post I could every accurately represent the value I gained from your insight.  I thank Rob Lee for putting this together and each of you for your insight and willingness to share.  Without further ado here are my thoughts:

Overall Theme - Forensics:  Traditionally there is a heavy bias towards traditional law enforcement “forensics” but this year’s event saw a shift (finally) in the recognition that simply imaging drives and reading tool output is a singular skill and the world has evolved way past being able to get by with just that skill in your pocket.  The topics over and over again illustrated the need for in depth understanding and flexibility.  More and more I’m thinking InfoSec in general needs to follow Medicine’s example and allow for specialists to be board certified in a topic.  The Art/Science evolved way to fast and we need to mentor deep skills and broad baselines.  First be a Doc, then a Specialist.  There is a place for both.  No I don’t think CISSP counts as a board certification.  Perhaps it counts as one of the entrance exams to school like a SAT?  For more about the need for flexibility and in-depth understanding see “Sniper Forensics” or talk to any IR team. 

I’ll touch on some of the topics that most resonated with me or pushed me to think differently.

• Mike Cloppert’s (IR vs. CND) Presentation.  Please go through and listen to it in its entirety.  Avoid spending too much time debating Incident v Event or Intrusion v Incident, etc it only detracts from the real value of the conversation which is Intelligence Led Information Security Defense.  I’ll dig into this topic in much more depth soon but once you get “it” it changes everything about how you approach Information Security from an Enterprise perspective.
• Lunch and Learn by Mike Sconzo – Everyone that stayed for lunch was treated to Mike’s sense of humor and equally amazing his ability to simply complex topics into bit size morsels.   Mike’s candor and expertise is refreshing.  Simply put he made the case for Network Analysis and gave insightful tips on where to start no matter the maturity of your organization you’ll benefit from his time.
• Hal Pomeranz – Hal hurt my head multiple times with EXT2/3 and then EXT4 How-to’s.  Hal is engaging, funny and brilliant.  He is way too sexy for that filesystem as we were reminded a few times.  I’m still consuming these sessions but at least I know I have a ton more to learn! Seriously these were amazing tutorials made simple by a true master of his art.
• Andrew Hay’s 5 Point Palm Exploding Heart Technique.  This is one of those presentations that has the ability to evolve over time.  It’s very good now and as a presenter Andres is engaging and funny.  Certainly the presentation itself was insightful especially to the newer crowd.  In simplest terms Andrew makes the cases for a holistic approach and avoiding silos.

I apologize I didn’t summarize all of them.  I enjoyed all the remaining presentations but still need time to fully comprehend some of them.  I love all of the contributions made in the tools presented that collaboration and committment to aiding one another is exactly what our community needs to encourage!

Panels Summary:

I’m a fan of panel’s when they are open to community input.  SANS does a good job with this though I’m feeling the yellow cards are a bit deprecated at this point.  Having moderated a SANS panel in the past I can tell you that trying to read through the cards, while interpreting handwriting and keeping pace with the flow of the conversation is very difficult.  Certainly it helps avoid audience domination but I think it’s time to lean more heavily on Twitter or similar and have audience +1 questions they’d like to see answered.  All that said. This year’s panels were great.  So here are my top of mind thoughts about each panel - not in any particular order:

Professional Development in DFIR (Lenny Zeltser, Richard Bejtlich, Joe Garcia, Ken Dunham, Bamm Visscher) This was even more fun for me because I’ve worked alongside Richard and Bamm and seen firsthand how effectively they lead their teams. 

The “Eye Opening” statement was from Joe Garcia about how LE specifically his LE team only recruits from within the department.   I can’t even begin to express how sad I think this is for the LE community.  I get the need for sworn officers because unless you have a badge you’re not part of the family, but this is only hurting that family.  I would have expected this to change decades ago. 

Richard and Bamm echoed the mantra that resonates with me very well about needing leaders not just managers and that the team is the most important resource and should be encouraged and motivated in the right manner.  Ken’s points were more corporate in nature one point that struck me as odd was a quote about gaining insight from a resume about a person’s “passion” by looking at their career progression and “job hopping” as a negative indicator, then a few minutes later acknowledging that your resume is nearly meaningless in the hiring process that you need to network (Twitter, LinkedIn, Conferences, etc).  I’d hate to have Ken review my resume.

One of the more tweeted items from this session was Richard’s statement about listing skills over tools.  A very simple point, but IMHO an important one.  No one should care about how you pressed a button to solve a problem, tell me about your approach to problem solving.

Forensics in the new Cloud Frontier:

Andrew Hay, Cory Altheide, Joe Garcia, Rob Lee, Ed Skoudis

Next year I’d love to see this as case studies of forensics techniques used while investigating cases/events that involve cloud providers.  What are the lessons learned about the types of information available from PaaS, IaaS, SaaS providers?  This was a great introduction setting the stage for what legal and overarching technical hurdles may exist.  Ed’s points about building necessary visibility into the contract terms is key for the few companies that “get it” but will be lost on the majority.  Cory’s insight about spinning up 1:1 or N:1 Forensic workstations to Compromised machines was what intrigued me the most.  I would have loved to hear him dive into that deeper.  Having hundred/thousands of machines spin up to run “strings” to find indicators sounds like a dream, but makes sense for the world he lives in.  I’m certain many enterprises could do it as well at least to a certain degree.

Vendor Panel: What Works

Rob Lee, Mike Sconzo and Brian Karney

These sessions always hold a special place in my heart because I love the raw nature and brutal honesty on both sides of the equation.  Rob sets the tone very well but acknowledging the contribution vendors make to the community and then the gloves come off.  In this case both vendors NetWitess and Access Data are probably two of the most humble companies on the planet.  Both panelists did great, this should probably be a corporate exec representing the company based on the questions that pop up.  Mike did a fantastic job representing NW and of course Brian is honest and candid about AD.  My question about balancing “Innovation” vs. “Profit” would have been better posed to each company CTO but I liked the answers I heard just as much.

Logistics/Location:

I’m admittedly biased here but Austin is a great place for this or just about any thing.  It’s centrally located so it’s pretty easy for anyone to get here (Canadian’s excluded).  The city itself is amazing and it easily pulls up the teams from San Antonio and over from Houston.  The AFCERT “reunion” was pretty cool as well!   I only saw a few people for DFW but I’m sure this event could have easily been 200+ people if focused on Response/Detection and those teams came along.  Along those lines the only request I would have been to reverse the timing for this and the Incident Detection Summit so people get to avoid the 100+ June weather in Austin and instead enjoy our 75 degree weather in December versus freezing in DC.

Overall: 

This event really is worth the time and energy.  It’s the right people in the room engaging in great conversation – what’s not to love?

Thanks again Rob and of course SANS for putting this on and to Richard for inviting me!

Resources/Reference:  https://files.sans.org/summits/forensics11/

About Rocky

Background:

I’ve been extraordinarily blessed over my years to work alongside some of the greatest minds and most accomplished practitioners and leaders in our industry.  I owe so much to these people for believing in me, mentoring me, pushing me to be better and I can’t possibly stand by and just “take a job” or “further my career” I need to create, build and help others reach new levels.  I’m not at their level and perhaps never will be but I can strive to mentor the next generation of leaders to do better that they otherwise might have.   I’ve been part of both disastrous business decisions and some of the most amazing results companies have achieved in our lifetime.  I’m learning each and every day from everyone around me how to more fully understand and therefore deal with situations.   I don’t for a moment think that I’ve got the answers and it has to go this way, but I do know when it’s the wrong way and I’m unafraid to say so.  That endears me to some and creates chasms with others.   I’m ok with that.

If you want more about the roles/companies I’ve participated in – check out my LinkedIn page.  I’m completely open about my professional life. 

Next Steps:

I’ve been blessed with a number of opportunities to consider.  Most of these had natural conclusions based on organizational culture / location, timing or other reasonable considerations.   I appreciate every second people have taken (and are taking) to talk with me.  I learn from every one of these interactions about how I can help, how I might not be the right fit in certain circumstances or how I might need to be more patient.  To that end I’ve come to a point where several branches lie ahead of me (and probably more that I haven’t yet considered – but these will do for illustration purposes).

Option A:  I can go it alone.  Visible Risk is a viable company and I can fairly easily find projects to keep myself busy and engaged for the foreseeable future.   The downside is that it doesn’t
quite “feel right” because I feel like I should be doing more (what impact am I having?)  It’s not a bad option to have but at times feels more like a crutch than a mission.  How odd is that? 

Option B: I can start something anew.  Having the self-confidence to succeed in any situation is a freeing thought.  It doesn’t remove fear, it simply provides an opportunity to adapt and overcome it.  I have some ideas here (I’m never at a loss for ideas) but this is a path that requires commitment to your “best idea” and not just another idea.  I need to refine the best ideas a bit further before I jump back into this route.  This is possible if I’m patient but the timing seems to be inconsistent with my need to help.

Option C:  Joining a team.  I am most successful in very small companies.  There is no such thing as too-early for me.   I’m not necessarily suited to be employee 50001.  That’s not so say I’d avoid all large companies there are some with very progressive business units that focus in a manner that would excite me, but overall those opportunities seem very hard to find from the outside.  If I could find the right team, right focus, similar values and keen timing – the world would be even more fantastic.

Currently I’m leaning towards option C but doing so in a way that doesn’t preclude me from exploring Option A and B until I find the right Option C.  That said – it is probably the wrong approach.  I need to explore these organizations without the “net” of A and B and let them stand on their own merit.  I get too entrenched in battles of this trade-off for that one. 

Recent Influences:

                To many to list but I’ve interacted with no less that 2 dozen companies over the past 30 days that all have interesting attributes whether that be technology, leadership, vision or passion (or some combination therein).  Some things that have become apparent to me are simple but evasive principals that I’ve noticed to some degree over the years at companies I’ve lived at.  Most importantly is the feedback from the field (customer and field teams) into development.  In most software worlds this is a gate controlled by Product Management and in some cases it is done very well, but in all cases can get better.  Recent trips to Silicon Valley only served to crystalize that point for me.  Companies like Google, Facebook, Twitter, LinkedIn and so many others made a crucial change in the landscape and not because of the service they offer but through the means they deliver.  Software was fundamentally altered when companies started designing to the user instead of for the user.  Live feedback is supreme.  I used to think that the only way to get this level of feedback was through Services, field teams or customers/partners feeding requirements back to development and was constantly frustrated by how slow that process would work or how many misinterpretations were possible in it.  Certainly that is still a viable feedback loop as are User Conferences and other observable interactions but I’ve come to learn that the software needs to be designed around the user and constantly evaluate its usage by (and value to) the user.   Some amazing thoughts going on there and it has changed my perspective completely.   Whomever I work for next will “get” it.  This is an area I intend on exploring much more fully in the coming years.

Considerations:

Location:  Depends on the position.  As a family we’re heavily tied to Austin/Round Rock as far as “home” is concerned.  I’ve traveled for the better part of my career, much of it 100% for extended periods.  In all honesty I’m connected enough at my home office(s) that I’d argue I’m better prepared to do battle from here than just about anywhere on Earth.  In other cases my connectivity and resources are not nearly as important as the day-to-day interaction with the team(s) I’ll support so I’ll endure the TSA massages to be at the location(s) that make the most sense for everyone involved.  Really this question is more suited to your company’s organization culture than it is to my preferences.  I’ll be wherever I need to be to ensure the success of the mission.

Compensation:  I value long term commitment to a mutually beneficial relationship.  Remuneration is important but it is not the first thing I’m seeking in this relationship.   I’m looking to be mentored by your Exec team, Board, and customers.  I have a need to better myself every day.  On the financial side of the equation equity is a strong motivator.   I’m willing to find the right balance to make sure the benefits of the relationship are strongly valued by all involved.

Interviewing:  I’m happy to interview with anyone on your team!  I view this as an opportunity to learn about you equally as much as you wish to learn about me.  I will talk to your competitors, customers, ex-employee’s, current employee’s, investors, industry analysts and anyone else that a few hours on Facebook, Twitter and Linked-in make readily apparent.  I encourage you to do the same about me J 

Title:  I’m not a slave to a title.  I’d prefer “Rocky” @ yourcompany than XXX of YYY any day.   That said the contribution I make is not usually at the individual contributor level.  I’m closer to senior executive than I am to manager with the benefit of still being “hands on” and very passionate about doing things in a manner consistent with the needs of our customer/market.  I get “it” from a technology, business and market perspective and understand the relationships between them.    

Role:  What is your biggest need?  Seriously I’m not one for a single role.  I’d rather solve a problem and as part of that teach someone to grow into that role and manage that team/capability moving forward.   Lately my value seems to be creating Services teams within Product companies in a non-traditional manner.  I’m not a guru at it, but building offerings that adds value to the customer, partners and the overall market is relatively intuitive for me.   Understanding the nature of that role is interesting as well but that’s a book in itself.  I’d like to be part of the senior management team and help move a company beyond the current limitations they face.   

Vision:  Long-term success is much more important than short term gains.  I can build a company to several million or even tens of millions in revenue.  I’ve even been a part of one start-up that wound up being worth significantly more ($B) than that.  At this point I’m more interested in building a company that has a reasonable shot at doing things right.  Customer Focus is the key for me.  We must adapt on a daily basis to our customer’s actual needs not to an abstracted understanding of how we as the vendor can provide a solution that might hit some of their requirements.  The company I work for will inherently understand the difference. 

Personal Opportunities:

Biggest Weakness:  Patience.   I abhor anything that takes forever to accomplish.  Counter that with the fact that I’m a perfectionist at times and there you will find an interesting study in itself.   If there is a problem to be dealt with I prefer to deal with it head on, immediately.  If no one else acts on it you can be sure I will address the issue.  Clarity as early in the process as possible is a key. 

What am I doing to work on my weakness?  Well in addition to raising my four kids I’ve recently taken on Coaching 3-4 year old T-Ball.  Seriously, Try it.  It is an amazing thing to see how your actions are mirrored by those around you, good and bad.  It always amazes me how much people can do when prepared properly and trusted to do the right things.   In one day we went from a team of dog-piling ball hogs to a cohesive unit trusting each other to get the ball.   Making the right priorities known and consistently evolving that vision together works a lot better than assuming everyone gets it and hoping it’ll work out.

2^nd biggest weakness – Introvert by nature.  I’d much rather gather Intelligence than express my ignorance.  Blogging/Tweeting helps me reach out and stay connected and refine thoughts a bit better prior to inserting my foot too deeply in my mouth.  I also do a fair amount of public speaking to help move past this but in the end I’ll always by default seek a corner table rather than a space in the spotlight or on a stage.

Oh yeah… One last “gotcha”:  I don’t do excel or PowerPoint.  Honestly I’ve found both lead to antiquated thinking or unnecessary and restrictive boxes.  If you process is managed by either I believe that it is destined to failure.  I’ll help you fix that, but I’m giving you fair warning….  I’m going to blow up your process and create a much better one that is managed with the right tools and by the right people. 

Some things I’m decent at:

I’ve heard I’m not horrible to work with/for.  I’m not one to call on everyone that works for my on a daily basis, but I understand where everyone is mentally and work very hard to ensure it is positive for the company and for the individual at the same time.   I love my team(s) there is no other way to put it.  I’ll never put anything ahead of the team which admittedly can limit my usefulness in certain circumstances but I believe in my team(s).  I’ve managed teams of between 2-150 over the years.  If anything I’ve learned that mentorship skills outweigh my people management skills.  In most cases I feel strongly that people deserve much more attention than I am able to provide on a daily basis.  I can manage but I always Mentor.

Technical Comprehension:  I can break/build just about anything.  Whether it’s a lab or an enterprise solution I’ll take it apart and understand it to its core and then figure out how to best solve problems using that technology within the environment that exists.  I never do this by myself.  I surround myself with people much more versed in the technology to absorb and learn from and apply it in real-world situations.  I don’t claim competency until I’ve mastered it a few hundred times.

Business Acumen:  The most fun projects I’ve done recently were the ones where I evaluated companies for M&A or Investment for Exec/Boards or VC’s.  Digging into a company’s technology, people, culture and extracting there essence combined with my understanding of the current market and my perception of where the market is headed is something that hits on my primal traits.  I’m by nature an Intelligence analyst.  I can ask the right questions, understand the Bias involved and get to the truth very quickly.  I’m not always 100% but I’m never wrong J  (Kidding I’m always learning).

Summary:

I’m just another 30-something year old gentlemen full of first world problems seeking to make a difference that is meaningful in our Industry.  I come with my experiences, my lessons learned and a hunger to learn.  I’m insanely passionate about people and doing things right and will push you and the company I work for upwards with all of my energy.   I enjoy obstacles (once) and fiercely look to squash them moving forward.

My Apologies:

This blog post has turned out to be much more self-explorative than I originally intended it to be; maybe it’ll help someone else figure out their path?  Maybe it’ll just scare potential employers away in any case I sincerely appreciate you taking the time to consider my thoughts!

-          Rocky

About Rocky

“Stuxnet is the Hiroshima of cyber-war. That is its true significance, and all the speculation about its target and its source should not blind us to that larger reality.”

 

First please allow me to get one thing out of the way.  Yes Virginia, there is Bad stuff™ happening out there in the world.   Individuals, Criminal groups, Corporations and Nations all with various motivations, resources and techniques seek control of information, money, people, etc.  Espionage, War, Greed all exist.  It’s been happening for thousands of years and will continue for thousands more.   And now to our story..

I’m not debating that Stuxnet was interesting in the context of incident escalation.  I’m not debating it in the context of “war”.  I’m not even debating the attribution or targeting aspects suggested in this and other Stuxnet publications (though I reserve the right to do that in the future).  I will debate, with every fiber of my being, that Stuxnet on any level compares to the absolute horror that was Hiroshima.  

Overall this is a very well-written article certainly better than anything I could ever accomplish.  Obviously it is romanticized to a certain degree and as such will attract a much broader audience than most of the other Stuxnet articles. I get it, I really do, the messaging has to match the audience and I appreciate the effort given to expand the message that we’re facing serious threats and assuming escalating risks on a daily basis.  I do suggest you read the entire article as it has some interesting perspectives to consider.  As you progress through the article you’ll encounter several salient points, fairly thorough research by the author and quite possibly a movie script in the making.   

One might notice that pieces of this article might be considered flawed, for example much of the attribution assigned was hypothesis or theory rather than anything resembling facts based on empirical evidence but that’s an entirely different rant.  Anyway… The point is that there is a lot of solid information to devour and a lot of context that is provided for us to consider, some of it even being relevant to the Stuxnet story.  It makes for interesting reading and hopefully some aspects of this story will resonate with people outside our standard circles and help them realize there are sophisticated adversaries and targeted threats that puts all of us at risk.  

And then… in the last paragraph the “True Significance” of the story is defecated upon us and we’re asked to chew on the excrement comparing the instant deaths of 80,000+ souls and the lingering suffering and painful demise of millions more to this “cyber attack” that affected exactly 0 people.  This is one of those quotes that instantly and completely irritates everything within me.  I’ll just say it this way.  This is irresponsible, offensive and utterly sickening attempt to exploit a tragedy and the authors, editors and overall publication should immediately reconsider this wording and apologize. 

I’d suggested somewhat jokingly on twitter that a more appropriate analogy for Stuxnet might be the  “underwear bomber”, meaning a new, targeted, fairly sophisticated technique that failed miserably as an attack of war (unless you count “Security Theater” by TSA as a win for the bad guys).  I’m sure you guys will come up with even better and more accurate analogies, but I’m confident it won’t equate to stuxnet equaling one of humanities worst moments.

But as the anonymous reference is quoted in the article as saying “In this business, fear is my friend.”  And as an industry we wonder why no one listens to us.   With friends like this, who needs adversaries?  Can we all at least fight the same war and not some fantasy romanticized and artificially inflated to the point it would necessitate ninja pirate cyborgs riding armored unicorns to fight it?  Our battles are hard enough as it is.  Let’s just focus on the facts.  Bad stuff™ is happening and we need to collectively focus our energy on figuring out better ways to deal with it.  


 

Reference Information:
Article: Vanity Fair - A Declaration of Cyber-War

Author: Michael Joseph Gross

Original Source: http://www.vanityfair.com/culture/features/2011/04/stuxnet-201104

UPDATE-1: Seems Vanity Fair wasn’t the first to make this assertion.  I had never seen ZDNET’s commentary where the reference is explored in more detail.  To make tha parallel more tolerable they use the attributes of launching a new weapon type and announcing to the world that is it viable virtually gauranteeing an arms race of cyber weapons (I’m paraphrasing).   I still think the entire thing is over the top, irresponsible and diminishes the actual impact of what happened but I’m always interested to hear your side?  What do you think?

Source: ZDNET Special Report: Stuxnet may be the Hiroshima of our time

Link: http://www.zdnet.com/blog/government/special-report-stuxnet-may-be-the-hiroshima-of-our-time/9888?pg=2

By David Gewirtz | January 18, 2011, 4:12am PST

The Sessions: Others have done a create job highlighting meaningful information from many of the sessions.  I won’t recreate all of my notes here, but there was one session that really stood out in my mind perhaps because it’s a core belief that I share with the presenter(s) or perhaps it was the Zombies present during the talk in either case, as usual Josh Corman made me think.  Josh has forced me to move beyond my “Compliance is the devil” stance and adapt a more helpful paradigm when thinking about how these initiatives are used.  Don’t get me wrong I still believe them to be more harmful to the overall Security industry than any threat we’ve faced so far it’s just that I’m learning to turn the conversation sideways a bit and find alternative approaches.

I’ve been lucky enough that over the years I’ve been involved with hundreds of SIEM evaluations for customers, service providers, investors, acquiring organizations and of course the vendors themselves.  Now I’m not going to share the results of each of these reviews because 1) NDA’s and such and 2) they instantly become outdated as vendors merge/evolve but I did want to share some of the more basic questions I look for when I do an evaluation.  Listed are over 140 criteria and yes they do further break down into hundreds of other discreet questions and measurements, but this will give you a glimpse into what I look at when I break down SIEM Players.

 The list below is part of the database I keep on these vendors, obviously without the details.  I’ll keep updating it over the next few months and leave the link “live”.  Feel free to use this information or some subset of it in your own evaluations.  Remember - Define your Use-Cases first - then worry about scoring the criteria.  This is just an information collection mechanism and covers most use-cases, but the prioritizing of these entries will greatly depend on your usage.

Note:  If the embedded table does not function with your RSS reader I apologize, please refer to the source visiblerisk website for the entry:  http://www.visiblerisk.com/blog/2011/2/7/siem-evaluation-criteria-functionality-matrix.html 

About Rocky

Content Extraction: NetWitness has always collected everything on the network and provides top of the line analytical capabilities to slice and dice that information. Now the team has taken things one giant step forward by offering the ability to support extraction of key artifacts or “content” for further analysis.

The automated extraction of artifacts that cross the network and facilitation of the analysis of that extracted information has been a need of security teams for a number of years. Malware analysis being the most tangible example today, but many other possibilities exist. Looking forward and building that capability into an operational model by refining that collection along the way of the data to target more specifically or to not extract and re-analyze known good information sets makes this even more efficient and helps to level the playing field for the Good Guys!

Now that the content from the data has been extracted you need a tool to analyze that information and NetWitness thought through that problem from several perspectives, certainly Investigator and Informer offer their own views of the information, but now with Visualize, NetWitness offers a truly unique way of going through information and identifying interesting anomalous traffic. 

NetWitness provides examples for “Data Leakage”, “Personnel Investigations” and “A Day at NetWitness” as extracted content packages for you to peruse and analyze.  These seem to accurately fit the initial enterprise use-cases for this technology supporting various analytical teams.  The only experiences you don’t get from the demo would be integration with Investigator and looking at your environments data set.  You’ll have to schedule with sales to gain that additional experience.

Overall I think that the term “Visualize” may more accurately apply to your thought process than the limits of the product itself (for example it can replay audio). 

Summary:

NetWitness Visualize and the associated content extraction platform allow for a significantly enhanced analytical experience by providing new and meaningful reconstructions and related investigative tools and in reality that is just the beginning! 

Next NetWitness Related Post:  Spectrum.  Visualize is a great add-on tool to extend analytical techniques, Spectrum is a platform that extends analytical reach, improving effectiveness, efficiency and really allowing security programs to take the next logical step forward.

References:

Original Blog Post:  http://www.networkforensics.com/2010/07/19/visualize/

Demo Location: http://visualize.netwitness.com

Overview Video: http://www.youtube.com/watch?v=p4nIqIWKiMo

Other Blog Posts: http://www.dragoslungu.com/2010/07/20/new-netwitness-visualize-welcome-to-the-future/  <-  Great review

So why not combine those ideas into a thought incubator a place to put ideas so that can grow!

Think of it as conversation using bits and pieces of blog posts as the kindling and the community’s collective wisdom as the oxygen to feed the fire.  This entire post is an example of how it could work - This idea was further corroborated by Paul Melson and Ben Tomhave and others on twitter.

(extract of the twitter lead-in follows in reverse time order)

Ben (@falconsview) suggested SBN as a place to host the “incubator”.  I haven’t talked to Alan Shimel (@ashimmy) yet but I don’t disagree with that idea at all.  As long as it is a community resource and I can be invloved I’m open to it.  But before we get there I thought it prudent to at least start the requirements part of the discussion and see where it goes before we jump into a solution.

When I mentioned this topic yesterday @Grecs suggested some great resources to consider - a wiki, google docs solution or using the blog drafts feature - all three ideas have merit and they do have pieces of what I’m looking for but none of them is really perfect for what I’m looking for.  I spent yesterday looking at potential solutions, but I think it makes sense to talk about how and why I would use something like this and then we can all figure out what tools might make it work.

Requirement 1: Passionate Community

Twitter is the perfect starting place.  A passionate community of professionals, the beginnings of conversations (sometimes even using #hashtags to help identify the conversation thread).

Twitter isn’t perfect as an delivery mechanism because of text limitations and inability to thread and easily sort/find.  I certainly think Twitter is a key element of the overall solution though, in fact I can’t see this project moving forward at all without figuring out the right way to use twitter!

Requirement 2: Collaborative Environment

The entire concept is predicated on active participation.  People must be willing to share “ugly baby” ideas, ask questions and share their knowledge in a positive but honest environment.  A certain amount of ownership and moderation would have to apply given the world we live in, but that might be mitigated by registration/invitation for a while.  It has to be perfectly acceptable to have incomplete ideas posted and differing opinions.  We’re all learning and growing.  There are some that won’t see the benefit of reading half-baked ideas and that’s fine no one is forcing participating at gunpoint.

As for a tool to help fill these needs something like Google Wave or a wiki helps thread the conversations and encourage feedback both “live” and perpetual.

Requirement 3: Attribution/Sourcing/Mentoring

So many people influence my thought process on a daily basis I’d love to be able to sort and give them all credit for the pieces that are floating around in my head.  It may not always be a new new idea, it may simply add more confidence in a certain area, but usually it is a refinement or new perspective that fills out the picture.  I’d like to have a way to “tag” people to “thoughts” and show my appreciation for their contribution.  At another level if the conversation expands via the tool in the text, video, voice (we shouldn’t limit it to text) attached to the object then I think everyone involved in that discussion should have partial ownership of the ideas and be allowed to move the conversation to their blog/podcast outlet and reference the origins of the thought.

The opportunities to help incubate ideas or refine thought on a continuous basis has at least some of its roots in watching the Great PCI Debate move from conference to conference.  Such great perspectives and many have gained tolerance and understanding over time.  This has the potential to do the same for hundreds of ideas across so many more participants.

Requirement 4: Data Extract. 

We all using different blogging platforms and I would hope that one of the goals of the incubator is one or more blog posts by everyone involved in “raising the baby”.  That means the data (with or without formatting) should be easily exportable.

Requirement 5:  Ease of Use

We’re asking for yet another way to interact and share ideas which means we need to leverage the tools they are already using (as input and/or output).  Tools Jive or any of the products that Vendors / Conferences use to interact with their user communities are good examples of the overall framework I’d like to see long term, but are way to expensive and cumbersome to set up/manage at first.  But a wiki or forum is too far isn’t enough to kick it off either.

This post is intentionally pre-mature - I need your help to incubate this baby.  How would you add to requirements and use-cases?

Topic 1:  LogLogic

LogLogic announed last week about slashing price on SIEM (well actually SEM) I posted my thoughts about their move here.  Who knew the response I’d get.  Here’s a sample of how the conversation exploded via blogs over the last week. 

The Response (so far):

LogLogic was nice enough to email and call me to help me understand their thinking, they also crafted 3 blog posts on the subject (Part 1, Part 2 and Part 3). 

Paul Melson enhanced the conversation (“Twitter Killed the Blog Star” and “SIEM Market Conversation Continues” and now Q1Labs jumps into the fray with their perspective.  There were plenty of private conversations from other vendors, analysts, end-users that occured off-line - I’m hoping more of those will see the light of day soon!

 Count: 1 post (6 Blog Responses + comments)

Topic 2: Tetragon

Then the real fun started.  Gartner released their Magic Quadrant for SIEM and I had a little fun with it and then I had an absolute blast with my Tetragon post.

The Response (so far):

Chris Blask on the new AlienVault Blog responded to my First MQ post with his insightful perspective.

Rich Mogull and Mike Rothman of Securosis had some fun with my Tetragon post and did a great job adding even more perspective to how and why these “tetragon’s” get so much attention. 

Anton Chuvakin made reference to the posts here.

Q1Labs talks about the MQ any my post here.

Count: 2 Posts (4 Blog Responses + Comments and more coming)

I’d like to thank everyone that participated in the conversations (public and private), everyone who publicized the conversation via blog, re-tweeting or email.  Analysts, Vendors and End-Users everyone was involved over the last week!

As numerous and insightful as the public blog and twitter conversations were, the private DM, Skype, Email and Phone call were also insightful and at times absolutely hilarious.  I wish I could share some of them, but I’m hoping some those conversation will take the form of a blog post or 12 soon.  There are a lot of great ideas waiting to push these conversations even further.  All in all it was an amazing experience to jump in, start a conversation or two and see where passionate people take it. 

Now that I know more people are paying attention and willing to join the conversation I think I’ll do this more often :) 

-Rocky

Why worry about defining requirements? Dont stress about how to consider the impact of this technology when in specific use within your environment. The Tetragon knows the answer, it IS the answer. 

Obviously no analyst group wants their work misread or misinterpreted.  They put a ton of work into these offerings. We’re human and as such no matter what someone may want us to comprehend, we’re all going to read things from our own perspectives.  Sometimes our understanding and follow-up discussion enhances the conversation, sometimes we can be completely off the mark and are provided ourselves with an opportunity to learn. In the end as long as the conversation continues everyone wins.

Since I wrote the blog post about this years SIEM review(s) and the marketplace in general there have been a few dozen conversations that I’ve have the pleasure of participating in.  One in particular, rekindled a thought process in my head about maintaining perspective and context when reading reviewing publications of this sort and I thought I’d share the humor and story with you.

I’d like to present to you three hypothetical perspectives each reviewing the new “Tetragon of Prestidigitation” report.  The views are from The Veteran Information Security Professional, A Vendor and The Executive.  Certainly these do not represent all of the potential views but it is a broad enough sample to get the point across.  The point being that we need to seek to understand all of the perspective’s better and then push our thoughts on how to better collect and analysis the data.

Case 1: The Veteran Information Security Professional:

This realist wants to believe that products are getting better and that analysts get their “hands dirty” when providing information that will define which products they’re going to get stuck with over the next few years.   From years of experience they know that if the product isn’t in the upper right or leaders area of the review they’ll face a nearly impossible battle for project justification and funding.  These professionals are passionate, battle hardened and look at any publication with a deeply technical perview about what will work in the environments they support.  Many in this group don’t necessarily find enough “meat” in the report to make any specific determination about technologies presented so they have a tendancy to discount the report in general.  It becoms a necessary evil.  For those that fall into that camp (I did for a long time and still revert to that tendancy at times) I suggest a reading of this post to put into perspective the effort that goes into these type of reviews.  It isn’t trivial and there is a method to the madness. 

That said, the security professional’s interpretation of these types of reviews isn’t likely to change, perhaps it is time to add a few more dimensions than a 2D table can represent? My question to anyone that falls into this camp (or similar one) -  What are the questions and context that should be included in these reports moving forward?  How would you contribute to the conversation?  Provide input, Press buttons, Express yourself - I think you’ll be amazed at the response.

 How a Jaded InfoSec Professional might see the Tetragon of Prestidigitation:

Case 2: The Vendor

The Vendor’s perspective is perhaps the strangest of all involved.  Based on how certain elements of the community interprete these reports they have the most to lose and unless they are put into the “right” place very little to gain.  Of course as mush as the vendors complain about their relative ranking (assuming #2 or lower) they will all use these reviews as justification for market positioning in competitive situations.  Funny how you’ll see 20 vendors representing their positions in press releases following these reports each claiming a victory of sorts.  Either “we’re the best”, “we’re the future”, “we scale down”.  Propaganda is powerful marketing.  

Now what control do the vendors have in this situation?  In truth, very little.  Vendors get beat up by analysts, customers and of course other vendors.  Do I feel sorry for them? Nope, not even a little bit.  Do I respect them for putting everything on the line to try and provide a solution? Yes.  Personally, I think if some of these teams spent more of that mindshare that is dedicated to “spinning” the results into influencing a better process to begin with, we’d all be be better for the effort. 

Let’s look at how our example Vendor might see the Tetragon of Prestidigitation:

Case 3: The Executive:

The overwhelmed corporate executive is the target consumer of these reports.  Well, at least, the info graphic portion of the report.  A very select few will understand every detail, spend time looking at collateral documents, comparing them against known information and dissecting the body looking for nuggets the help differentiate the products as it might apply to the environment.  Instead they will rightfully leave that effort to their techncial staff.  On the other hand the executive team needs to make decisions that are going to allow the project to be successful and if they can find a way to reduce the time and pain associated with the product selecation and  purchase process then they’ve done a good thing for the business. 

From the executive’s perspective having hundreds of peer experiences aggregated into a single report or table seems like a gift from above.  It allows for focus and being the standard across the industry it also allows some level of protection. 

Every rational person knows that it isn’t wise to rely on any single piece of evidence in the decision making process, but yet it happens hundreds of times per year because the business has limited resources and a mandate to become compliant.  Management works with the best set of information available and makes the best possible decision based on what they have in front of them.  They have a sometimes defined mission, numerous competing priorities and a very limited set of resources.  The “Tetragon” provides them a shortcut in the conversation with the procurement team.  

How an executive (or procurement team) might view the “Tetragon of Prestidigitation”:

Summary:

Industry analysts put significant effort into the report and just as many disclaimers and qualifiers about how to use the reports.  We still are inclined to extract only what is relevant to our situation and that makes our lives easier (Technical, Vendor or Management).  In order to use the information presented in the “tetragon” report it needs to be analysed by your team in the context of your overall requirements, processes, your team and numerous other criteria. 

We all have our perspective, and some balance of time / motivation guiding us when we read these reports but it’s time to step back and put their value into perspective.  The “Tetragon” is a macro statement and your situation requires micro level details to be successful.  Certainly there are trends to consider, but in no way should these reports be the determining or even scope defining factor(s). 

Call for Action:

Throughout this post I started to highlight some simple ways to help push for better quality and more meaningful analysis across industry.  In short we need to speak up from each and every level (Tech, Management, Vendor, Executive and Analyst) and articulate clearly the information that would best enhance our perspective about the technologies, the use-cases and the market in general.  What else would you like to see in the Tetragon or similar reports?

The “Tetragon of Prestidigitation” is just my little way of reminding you to not settle for what there is today - always seek more!

Following-up:

I don’t beleive in defining a problem and not at least attempting to present the beginnings of a solution.  Soon, I’ll be posting Chapter 2 the follow-up to SIEM Evolution Chapter 1 which will help me articulate what I see as major trends or innovations in the SIEM industry.   Additionally, as soon as I can find the right mechanism for sharing the information I intend to post my SIEM evaluation checklist so that at a minimum my thoughts on the subject are provided to the world as a starting point and then you can help by re-defining the “right” questions to be asking (and expected responses) moving forward.

Thank you,

-Rocky

Positive Reflections on this announcement:

LogLogic is a almost exclusively a channel driven sales entity and the “channel play” with a move like this makes perfect sense.  It allows even more flexibility by the channel to sell downmarket, but I would have expected an announcement like this to coincide with a major channel or partner strategy announcement.  A refreshed service offering being made available through partners or a partnership with several managed services to deliver more value, etc.  Something that would represent a larger strategy is in play.  Maybe I missed it?

Help me maybe I’m missing something:

If the focus of the pricing strategy was log management, storage or just about any product outside of SIEM that might be considered a commodity within the IT world I’d understand the pricing movement.  To me SIEM is much more complex and as such requires continuous effort and is not ready for this pressure.  Right strategy, wrong product.  In my opinion they should have lowered price on the commodity (Log Management / IT Search).

Very often I’ve heard of Symantec, RSA (via EMC), Q1 (through Juniper/Enterasys), SenSage (through HP) and of course Mars (via Cisco) basically giving SIEM away for free as a bundle with other products or services, yet companies like Q1 and ArcSight continue to knock the ball out of the park at a “premium” rate (via direct or indirect sales). 

If the leaders in the space can compete at that level with the huge machines in this environment how does LogLogic affect the market at all with this announcement?  Without the context of a larger product strategy or channel/partner offering this new pricing effort seems like a missed opportunity at best and a last ditch effort at worst.  (I hope it is not the latter).

As a company LogLogic seems to be doing well (43% year over year growth) but I think this SIEM pricing strategy confirms that the growth is relative to the strengths of their Log Management product.

Another Possibility:

Ok so there is another thread running through my head about this subject.  Which is that this pricing move simply reflects the reality of their effective price book.  Depending on the spin doctor this might be taken a few different ways:

1. SIEM has a ton of features that most users can’t quite implement because the vendors haven’t made it easy enough - so why charge a premium?

- or -

2. We don’t have the ability to do “x” or “y” so we can’t charge a premium and compete in that space.

Given what I know about the LogLogic team, it actually makes sense that this was the thought process.  They are sharp and motivated to do the right thing.  Even so, it doesn’t detract from some of the things I presented above as potential missed opportunities.  If this is true then does it also mean when (if) those advanced features are developed the pricing model gets complicated?

Misguided Quote:

The quote at the end of the press release is even more haphazard than the announcement itself.  (Paraphasing the quote by Mike Davis: “We see 80+% of the needs of the SIEM space being satisfied by log management. SEM fulfills a further 10+% of those needs” to be that quote is dangerously misguided on two fronts.

1. This quote signifies the lack of market understanding, a lack of appreciation of SIEM or maybe just an overestimation of Log Management. Perhaps the quote is relative to only the qualities of a SEM (versus SIEM), but that doesn’t reflect the reality of the market today (Log Management and SIEM) and serves no real purpose other than to discount the value of SIEM/SEM.
2. The quote also serves to invalidate a product that LogLogic invested in with the purchase of ExaProtect and continues to attempt to sell as a competitive offering in the space.  It seems odd to invest in a technology that only meets 10% of a market need (still leaving 10% unfulfilled).  It is my opinion that the quote does more damage than service to Log Logic.

Summary:

I don’t disagree that there should be pricing rationalization that occurs across the market, but I’m not convinced LogLogic took the best approach (or perhaps I simply don’t understand the strategy well enough at this point).  I’m hoping they’ll take the time to enlighten me!

Reference:  http://loglogic.com/news/news-releases/2010/05/loglogic-slashes-sem-prices/

Note:  I apologize I wasn’t able to get input from LogLogic in time for this initial post but I will update the comments of this post with any lessons learned from LogLogic.   I really do want to understand and not just seem like I’m beating them (or anybody) down.

I took some liberties with the MQ in order to segment it out the information in the report for my own analysis.  Simple geographical/mathmatical groupings were applied and a few notes added.

The cluser of providers in the middle was not unexpected as I have a similar group in my head as I think about this.  Having an outlyers like RSA to me means that RSA’s vision resonated very well with Gartner.  As it should, however I’d expect that to be meaningful once they get to that execution.  I can’t find the rationale for them escaping the “Clump”.  I did use RSA’s relative position as a measuring stick to divide the clump and segment out a couple of “Maybe’s”

The “Clump”: Symantec, IBM, CA, LogLogic, Novel, SenSage, LogRhythm, Trustwave, NetIQ, TriGeo, NetForensics, eIQnetworks

The “Maybes”: Nitro and Q1 Labs

The “Others” Quest, Prism, Tenable, LogMatrix

Next Year:  AlienVault and several others might add more to the middle of the page.  Splunk was left off of SIEM this year for a reason and I applaud Gartner for doing so!

Note:  I do beleive that the The Strengths and Cautions tell a little better story this year than previous years. 

Trends and Subplots:

1. The re-emergance of NetIQ & SenSage as a SIEM (and SenSage’s continued relationship with HP) is interesting.

2. The “Clump” is a great way to illustrate that there are way to many products that are virtually indistinguishable to the market.

3. I’d had expected more from Q1 via the Enterasys and Juniper OEM deals.  I also expected Tenable to fair a little better, but Security Center 4 was just released so I understand it’s standing based on a review of the older technology.

4. Enterprise Players (RSA, IBM, CA, Symantec) seperating out functionality into various products instead of having it all within the SIEM.  I think these guys are ranked a bit too high and right.  RSA with Archer will be a great improvement, someday.  Even more importantly RSA has a chance with EMC to really do well in virtualization if they focus on it.  We’ll see what happends.

5. The exists a Vast Ocean between ArcSight and the rest of the field.  Out of the “Clump or Maybe’s” I’d expect 1 or 2 to rise over the next year and begin to challenge more directly for #2 in the space.  This will require innovation on either User Anomaly/Behavior (beyond IAM), System Config (FIM?), Network Content (beyond netflow), and of course ease of use for Security Use-Cases such as Threat Monitoring and Dynamic Updates!

6. The inability to execute in a viable manner with applications, hosts attributes, vulnerability information or even get data out of the system still plagues many vendors in this space - whether or not they admit to it.  Read between the lines of the report to figure out who this affects.

You should read the report.  Each of the vendors will have copies linked off their webpages and with minimal registration you should have it in a matter of seconds.  Enjoy!

About Rocky

Having the time and inclination to look at the entire SIEM market is something I’ve been afforded over the last few years.  While certainly I’ve had more exposure to some vendors more than others I’ve been very lucky to have had very in-depth discussions with most, if not all of them over the last few years.  Nothing I’m saying will violate NDA or even simple common sense but there are some interesting general threads happening across the SIEM market (and by proxy Log Management) and perhaps the entire Security Industry.

For the most part I’ve found that vendors will create exactly what they think users require of them to the best of their abilities (financially and technically).   A thought that is both empowering and terrifying at the same time given both the vendor’s ability to listen and the user’s ability to articulate requirements. The result is at least in my mind a market that should be 3 years further along than it currently is both in terms of industry consolidation and functionality.

In short, everyone approached the “problem” from their initial perspective.  Andrew Hay of The 451 Group has a recent post that describes this pretty well.  You have Network, Host, Operations, Logging and Analytical limbs of the SIEM tree you can point to as a heritage for most of the products in the space today.  As a result you have varying levels of expertise and limitations based on where in the tree your product hails from.  The environmental dimension of their evolution was the customer’s they were listening to as they started development and refined features.  Those driven by SMB may have done well with ease of use, but probably lacked scalability and flexibility.  Those that were scalable and flexible probably had to contend with usability.  To this day, there is no perfect solution, there are a few good ones, some others with potential and a lot of dead limbs waiting to be pruned.

Genesis

In the beginning there were “Speeds and Feeds”.  You know the claims of “x” EPS and “y” devices supported.  What did it mean?  In reality, not a whole lot.  Why do vendors still push this in their marketing?  In reality so that they can claim relevance alongside their big brothers. It’s a marketing game, currently the high water mark is at 200K EPS and 500+ devices supported.  How much do you need to be successful in your organization?  Good question, please answer it before you contact the vendors. 

Initially, the only real requirement we related to the vendors was having a place to store the logs and search them, some offered a lot more than that, some not so much but there was an entire market (or two) around Eating, Storing and Regurgitating.

Tainted Apple (misguided passion)

The requirements were comprehended by vendors as “make my life easier, automate the analysis, identify everything bad”.  So the vendors initially asked about “Use-Cases” and developed features to accommodate those use-cases.  The problem was the influencers were the top 1% of the field and as a result the solutions developed were so complex that only a handful of people could effectively utilize them. The features were in reality solutions that might actually have been years ahead of the mainstream consumer so figuring out how to apply them caused confusion.  In general this led to two things:

      1.) Adding features that were so complex that they hurt performance/reliability and

      2.) an opening for even more competition because of complexity, performance, reliability, and other assumed badness. 

Competition is good for a market to a certain extent, how many players do you need to validate a market? Certainly the answer to that question can be the current answer (over 20).

Healing (Bulletproofing)

So now we come to the phase in each Vendor’s lifecycle where they get to address reliability and stabilty commonly known as bulletproofing.  Some hit this in 2004, Some in 2010.  The fact remains that every solution hits a phase in its evolution where they need to stop new features and make their current solution more stable and robust to accommodate current needs and future vision.  Sometimes if the vendor is lucky enough to survive long enough it happens multiple times.  Sometimes it happens at a point in the market where other providers can capitalize on it and make a name for themselves.  It’s an important step that takes anywhere from 12-24 months to complete.  Ideally, it would happen prior to or immediately after an acquisition.  No such luck so far. 

Plagues: Blood, Frogs and Locust

Then came Compliance  (Specifically SOX, PCI and HIPAA) and all security innovation ceased.  Well maybe that is a bit harsh, but it did derail certain elements of where functionality was headed, but on the other hand compliance kept everyone in business.  Even many who really should not be in business today.  So the market made a decision - we want to believe in SIEM (and security in general) and Compliance provided us money to invest in it.  The thought was “We’ll find a way to make the investment work for us later.”  We can use Compliance to make “ROI” (I’m shuddering inside) possible. 

So the requirement was mandated as “Make me Compliant”  and as it was said so it was done… Vendors put together reports and other content, packaged it up and sold it back at a premium and the world was saved.  Birds sang, people stopped dying and there was no longer evil occurring anywhere.

Ok so back in reality we soon found out that it was unreasonable to expect check box security to do anything meaningful (we are at that point, aren’t we?!?!) and we may have sacrificed actual security in the name of creating a nearly meaningless lowest common denominator.  But hey everyone is still in business and we all have jobs.

Current State:

SIEM functionality is all over the map, though if you look at analyst rankings everyone is a leader.  I took a fun poke at this in my “Olympics Preview” post back in Jan.  It was meant to be tongue-in-cheek, I had no idea it would be taken as seriously as it was by anyone. 

A simple fact remains true, each of the vendors addresses a subset of the problem from their perspective and that perspective has been broadened and lengthened by their customers over time.  Your requirements will probably not match exactly with anyone else’s but there are at least some criteria you will need to define prior to heading to vendor selection.  When I do an evaluation of a product I have 150+ specific items I look at not as a positive or negative, but I seek to understand how they solve that problem.  Then I try and make it relevent to the specific customer’s situation over the next 12 months.  Some times it’s as easy as log management (eat, store, regurgitate) other times it is very complex.  The worst thing is settling for a solution without knowing your requirements first.  No product can solve that problem.

Utopia

In the next post I’ll describe where I think SIEM is headed based on the gaps I see today, the innovation that IS being driven across the industry and the requirements that I think should exist, such as:

• Adding perspectives: Context such as User, Network, Host, Application, Virtualization, and Cloud Services.
• Integrating Platforms (SIEM, Log Management and others)
• and of course meaningful and timely Content. 

 - Rocky

I just finished up facilitating the Security Operations Track at the New York Metro Information Security Forum and some related IANS projects for customers in the area.  The conversations on Security Operations, SIEM, Log Management, Incident Response and Detection Techniques are always fantastic becuase they come from real world practitioners.   

Insights:

Participants in the track that Marcus and I lead provided some wonderful details about really scary incidents and outlined some fascinating detection techniques.  At least in my mind a couple of facts were clear related to the disparity in an organization’s ability to detect and respond to incidents - (1) The skill set of the team is the key to success as is (2) having complete enterprise visibility.  It is obvious but worth mentioning - the tools used ranged from custom built systems to top of the line commerical products but in the end the more information available and the better the capabilities of the team the more likely they were to focus on the detection of meaningful incidents. 

The trend on focusing on threat management versus solely on vulnerability management also seems to be experiencing a very welcome uptick.  If a company understands the difference, it seems that they almost always have started a project to focus on threat management.  Not that the % comprehension is very high across the board, but at least from my perspective there seems to be a noticable increase from a year ago.

The interest in APT seemed amazing to me, both in terms of number of people listening in and in the number of offline conversations I was involved in directly.  Let me explain a bit further, the interest I noticed was not in assigning attribution nor focusing on a single actor but seeking to understand how their current security program lacked the ability to detect or respond to a threat of that nature. There was a great interest in sharing information both in terms of tools and tactics - we’ll see where that heads…

Further, it seemed to me that there is a a growing realization that we need to “unbind” our thought process on security from specific activities (compliance?!?!) and focus on solving the problems we face by creating flexible and comprehensive solutions that fit our specific situations.

The analogy I’ve used recently goes like this - we’re in the middle of The Pacific Ocean on a submarine (The size and stealth of our sub is relative to our Company) and as the security team we’ve been asked to build visibility into risk for our business, in response to the box that we’ve been placed in, we’ve built a periscope. The periscope we’ve built does offer some visibility, if we’re near the surface and if the threat is within our line of sight then hopefully we’ll be able to convince the team to steer around it.  The periscope obviously does not offer nearly enough visibility for the environment we’re in and certainly offers no real defensive capabilities nor can it be used to provide us with a holistic sense of the risks we face.  Don’t get me wrong, I’m not suggesting we build torpedo’s, but perhaps it is time to remove the binders from our security teams and help them to build night vision, sonar, radar, perhaps incorporate some stealth technology and add some additional manueverability to the sub so that we can expand both our visibility and flexibility in dealing with the threats we face. 

Finally, I have just confirmed that I’ll be participating in at least two more IANS events later in the year - I hope to see you there!

IANS Lonestar Information Security Forum Dallas: June 23-24
IANS New England Information Security Forum Boston: September 28-29

-Rocky

If you’re in the area you should stop by…. You do have a relationship with IANS, don’t you?

- Rocky