Friday, March 20, 2009

Network World’s recent article provides additional evidence that Log Management and SIEM vendors are still trying to evolve.

Created by: Rocky. Categories: ArcSight, Rocky's Blog, SIEM/SEM.

Wednesday, March 18, 2009
Recently, Log Management and SIEM vendors have spent a lot of time updating and fixing their products. Over the past few months some vendors have quietly passed other solutions in terms of market relevance, and the door has certainly been opened to a whole bunch of upstarts trying to make a name for themselves. While the majority of Log Management and SIEM business (and therefore product direction) is driven by compliance activities, I appreciate the forward movement toward enterprise security that many in the field are trying to make. The initial execution on that product vision that I’m seeing from many of the vendors this year is very welcome. IMHO the entire space had gotten very stale, with the big guys mainly focusing on compliance appliances or playing feature catch-up with one another. Here’s my summary of what’s going on in SIEM and Log Management so far in 2009.

Created by: Rocky. Categories: ArcSight, Rocky's Blog, SIEM/SEM.

Saturday, March 14, 2009
SOURCE Boston was an amazing experience for me. Many of the thought leaders in our industry shared thoughtful insights and experiences. I had the opportunity to really engage in a great many conversations with people like Raffy Marty, Ron Gula, Marcus Ranum, Peter Kuper, Amit Yoran, Dov Yoran, and Jamie Fullerton; the list could go on for days. It renewed my energy to be around so many intelligent and security-focused people. Stacey Thayer and the entire SOURCE team should be very proud of this CON. One presentation really stood out in my mind: Hoff’s “The Frogs who desired a King” was easily one of the best presentations I’ve seen in years. My quick summary of SOURCE and links to other reviews follow:

Saturday, March 07, 2009
The following notional diagram provides some basic recommendations to consider when deploying and managing Log Management and SIEM systems together. A well-maintained Log Management and SIEM deployment can significantly reduce the time to incident identification and really enhance your overall information security capability. The diagram attempts to illustrate that all information from the event sources is processed through the appropriate log collection mechanism and then forwarded to the Log Management system. The Log Management system eats, stores and can regurgitate everything put into it. The Log Management solution can also further refine the data set and forward only applicable events for analysis to the correlation engine (SIEM) through the use of intelligent “tagging” of events. Overall data reduction is only part of the end goal; more importantly, we want to ensure the right data is forwarded and evaluated so that we can gain from the overall efficiencies offered by the SIEM. In short, we’re ensuring the system has the correct information available to it so that it can respond to the questions you want to ask of it, while reducing the garbage as much as possible.
Decurity’s new subscription offering works with your organization to understand your requirements and then supplies the necessary configurations and Log Management and SIEM data elements (intelligent forwarding, correlation, reports, etc.) to make this model work for you.

Created by: Rocky. Categories: ArcSight, Rocky's Blog, SIEM/SEM.

Thursday, March 05, 2009
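The store-everything, forward-the-tagged-subset model from the post above, as an added Python example that is not from the post, from Decurity or from any vendor: a log management stage keeps every collected event, applies tagging rules, and forwards only events carrying the tags the SIEM should correlate. The syslog-like line format, the tag rules, the forwarding policy and the sample events are all constructed assumptions for the illustration.

```python
import re

# Constructed sample events in a syslog-like shape (not taken from the original post).
SAMPLE_EVENTS = [
    "Mar 07 10:01:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 DPT=22",
    "Mar 07 10:01:05 web01 httpd: GET /index.html 200",
    "Mar 07 10:01:07 dc01 sshd: Failed password for root from 203.0.113.5 port 4444",
    "Mar 07 10:01:09 web01 httpd: GET /images/logo.png 200",
    "Mar 07 10:01:11 dc01 sshd: Accepted password for alice from 198.51.100.7 port 5555",
    "Mar 07 10:01:13 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 DPT=23",
]

# Constructed tagging rules: a tag is attached when the pattern matches the message part.
TAG_RULES = [
    ("auth_failure", re.compile(r"\bFailed password\b")),
    ("auth_success", re.compile(r"\bAccepted password\b")),
    ("fw_deny", re.compile(r"\bDROP\b")),
]

# Forwarding policy (assumed): only events with one of these tags reach the SIEM.
FORWARD_TAGS = {"auth_failure", "fw_deny"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$"
)


def parse(line):
    """Parse one collected line and attach tags; unparseable lines are kept untagged."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"raw": line, "tags": []}  # never drop at this stage: the store keeps everything
    ev = m.groupdict()
    ev["raw"] = line
    ev["tags"] = [tag for tag, rx in TAG_RULES if rx.search(ev["msg"])]
    return ev


class LogManager:
    """Stores every event; forwards only the tagged subset to the correlation engine."""

    def __init__(self):
        self.store = []      # the "eats and stores everything" side
        self.forwarded = []  # the reduced set handed to the SIEM

    def ingest(self, line):
        ev = parse(line)
        self.store.append(ev)
        if FORWARD_TAGS.intersection(ev["tags"]):
            self.forwarded.append(ev)
        return ev


def run(lines):
    """Feed all collected lines through the log management stage and return it."""
    lm = LogManager()
    for line in lines:
        lm.ingest(line)
    return lm
```

With the sample above, all six events are retained in the store while only the three tagged auth-failure and firewall-deny events are forwarded, so the SIEM's correlation budget is spent on the events the rules consider relevant.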
This week I was able to participate in the IANS Mid-Atlantic Information Security Forum in Washington DC. It was a whirlwind of activity: from stepping off the plane and arriving just in time as the “Security Operations” session track with Marcus Ranum (which I’m honored to co-facilitate) was being introduced, to dashing off to the airport yesterday afternoon, every moment was consumed with interesting and important conversations about security operations and incident response. In two days I was able to have solid conversations with folks like Chris Hoff, Peter Kuper, Nick Selby, Glen Sharlun, Aaron Turner, Ron Gula, Raffy Marty and Richard Bejtlich, and so many more who really don’t like their names publicized