Monday, June 22, 2009
I will say this - while we are very proud of what we’ve accomplished so far, there is a lot more coming from Decurity in the very near future - keep an eye (or RSS reader) out for more about us!

UPDATE: We’ve secured reprint rights and will post the document on our soon to be updated webpage in the coming days. Link to the 451 MIS Impact Report on Decurity: 451_Group_Decurity_IMPACT_REPORT_-_10_June_2009.pdf

Tuesday, June 09, 2009
Updated 15 Jan 2010 (see bottom)

My obviously frustrated opinion: Every year, I review these SIEM reports and find myself hoping that the next issue will reveal something insightful or even slightly meaningful. I scrub the “cautions” looking for anything that points to a material technical weakness in the technology, and usually the most meaningful thing I find is a veiled “feature request” for some trivial item. A review of the “strengths” of each organization shows the points to be at best highly subjective and usually just completely irrelevant. I always leave frustrated, but hopeful that the next version will set things right.

Gartner isn’t alone in its pursuit of mediocrity here. Most (not all) of the “analyst” firms and industry magazines offer a strikingly similar lack of useful information in their reports. Please note: this is in no way a personal attack on any author or company; it’s a rant against crappy information as a whole. Over the years I’ve met most of the reviewers and they “seem to get it” in person; it’s just the nature of these “ranking without context” reports that simply kills the value of any insight the authors might have tried to present. The 451 Group and a few others have tried to buck that trend over the years and are making some progress, but despite their efforts the overall industry standard is still too watered down to be of any real value.

I know I’m not endearing myself to the analyst community right now, and I expect certain vendors won’t appreciate what I’m saying, but bear with me here. I think we can make this better and everyone can benefit. As an industry we must start expecting better from our information providers. We need to provide specific feedback about what information these reports should provide in order to be meaningful. I have tried to influence better context and more meaningful technical criteria through several older blog posts and through conversations with anyone that will listen.
I’ll step up my game and offer even more direct advice in the coming months - I’m just asking that everyone do the same. Let’s encourage our information providers to pursue a higher standard. Maybe, next year… Hey I’m a Cubs fan - There is always next year!
For those seeking more information about the Gartner SIEM MQ, Mark Nicolett’s guest blog post explains the process very well: http://blogs.gartner.com/john_pescatore/2009/06/15/guest-blogger-mark-nicolett-and-the-siem-market/

Monday, June 08, 2009
Recently, I initiated a test survey using LinkedIn’s Polling feature. The survey was a quick and dirty way to help me gain a bit more perspective as to the number of resources organizations are putting towards their SIEM projects. There are a ton of limitations to this type of survey, including the fact that you only have 75 characters to present your question to the audience. That said, I’m sure I could have worded my survey question and responses even more clearly. Those limitations aside, the results were very consistent with my observations over the last several years. Put simply, it requires a lot of effort, even halfway through 2009, to run a successful SIEM project.

Over the last month 13 organizations (75%+ large or enterprise organizations) have taken the time to respond directly to the LinkedIn poll. Quite a few more people went further and emailed me with details, questions and observations. Just using the survey results, nearly 70% indicated that they had 2 or more FTEs dedicated to SIEM, with an additional 15% responding simply “Not Enough”. 100% responded with at least 1 FTE.
My take on this initial poll: even with all the improvements SIEM vendors are making in their products, SIEMs are still not “plug ‘n play” systems; you need dedicated resources (internal, consultant, partner, etc.) to extract the maximum value from your SIEM. Duh! I’ve been saying that for years, but it’s nice to see others nodding their heads every once in a while.

I’m working on a better series of questions and responses with a clearer focus for the next set of surveys, and I’ll use a more robust mechanism to accomplish that goal. I’ll be using SurveyMonkey to get a better perspective and clearer insight into all things SIEM (and Log Management). Look for those surveys to begin in early July with results and analysis to follow shortly thereafter. If you have questions or observations you’d like me to ask the world about Log Management or SIEM, leave me a comment or email/DM me! Thanks.

Sunday, June 07, 2009
So if you follow me on Facebook or Twitter you may have heard our family had a bit of excitement over the weekend. My wife and two youngest children (2 and 7) got stuck at the top of a ride at Busch Gardens due to a “technical malfunction”. I know that mechanical and/or technical failures happen all the time at theme parks, but when it’s your family up there and you’re on the ground, it sucks. Busch Gardens did everything right: they quickly informed everyone on the ride of the malfunction, asked them to stay calm, and at the same time sent emergency responders up to the top of the ride to help get everyone off safely. No running around crazy, no unnecessary escalations, no waiting on approvals, no idle hands… Everyone played their role.

It got me thinking about the obvious parallels in incident response (well, parts of it at least). The ride was designed with safety mechanisms, including emergency exit and communication mechanisms. The “owners” had procedures that were extremely well tested, communicated and executed by the “administrators”. Everyone had their role, understood it and was authorized to just “do it”, and it worked out. Once completed, they accomplished the repair, tested the ride, re-tested it from another perspective and then, once approved by management, put the ride back into production for the park visitors (“users”). Sure, the visitors had to wait a few minutes, but everyone was understanding once they had the right information made available to them. Certainly, I’d prefer this sort of thing never happen, but that’s unrealistic given all the variables in place at a theme park in Florida with millions of visitors. I’m just happy everyone was safe and we were able to enjoy the rest of the day.

And then, just when you think it’s over… Not more than 20 minutes later we saw another ride fail. The sky-ride (gondola) got stuck mid-ride for over 10 minutes. Luckily, we were not on that ride.
I’d have gotten a bit suspicious at that point. Actually, at that time we were on a train ride enjoying a peaceful ride through the park, pointing out animals to my two year old, when a grumpy rhino tried to prove to the train that he was in control and decided to give it a little shove to encourage the train to keep moving along. I’m not sure if it was a full moon, an everyday occurrence for the park or Murphy’s Law that caused all the excitement.

It just goes to show you that you can’t predict what’s going to go wrong, just that something will go wrong - it always does. We must prepare for as many types of incidents as we can and enable our teams to react effectively, and expect that they will. Obviously, a lot of pre-planning, risk assessment, exercise activities, documentation and training goes into the equation. Everyone has to become involved: if a barely-over-minimum-wage theme park worker can be trained to play a role during an emergency, certainly we can figure out how to more effectively involve our “owners”, “administrators”, and management in our incident response activities.

Ok, enough excitement for one evening. I’m off to bed; I can’t wait for next week’s cruise and the lessons that will bring.