Is the Next Generation of Security Monitoring Around the Corner?

ArcSight recently announced a new product, called IdentityView, which links a user’s identity and role to his or her IT activity.  This is an important move and reflects a growing trend in security event correlation systems that, I think, will move the security-monitoring model into the next phase of its evolution.  The SIM vendors out there are starting to move up the OSI stack.

For too long, many organizations have looked at security monitoring only at the network and server level, examining the bits and bytes of activity at the lowest layer to detect malicious activity.  Port scans, unusual network traffic patterns, and virus signatures have been our everyday world of alerts.  Actually attributing the activity to an individual user has been a second, separate step in the process.
The trouble with this traditional approach is that it keeps the security team focused at the technical level, not at the business process level.  Raffy recently proclaimed the death of the SIM, but I think, really, he is proclaiming the death of the current iteration of SIM.  I partially agree with him, but I think a lot of the issues that he has or had with a SIM solution relate to poor implementation rather than to the true capabilities of SIM when it is leveraged in a mature security organization.
This technical approach is also causing angst for the CSO/CISO/CRO as they continue to try to justify the investments needed to maintain a proactive security program.  One of the main challenges many of them face is demonstrating exactly how the security organization is protecting the business processes of the company.  The regulation drum is rapidly wearing out and, even now, I am starting to see executives becoming numb to the argument of protecting the organization’s reputation.
There have been many proclamations that security is going to become more business focused.  Unfortunately, we do not always have tools oriented the right way to help us build the business dashboards our business sponsors want to see.  Many times, if you dig below the initial gloss of those reports, it turns out that a lot of the information is subjective; businesses should try to operate on facts as much as possible, rather than on opinions or feelings.
This is why ArcSight’s IdentityView might help.  This tool will hopefully let us track security events in terms of the user and the business process they touch, for example whether orders are still being processed correctly, as opposed to just detecting a malicious attack against database XYZ.  I say “hopefully,” since I have only read the brochureware and we have not yet evaluated the IdentityView product.
Other vendors are planning to release similar products with these capabilities so this is not a “one off,” but hopefully the beginning of the next phase in our evolution as protectors of people and organizations.
We also have a challenge.  I call this an “evolution” as opposed to the “next phase,” since we are going to have to change the way we talk and think as a security industry.  That means that we have to change our views, become even more passionate about the business processes and procedures, and really push the security vendors to give us the tools we need.
If you agree or disagree, please do not hesitate to comment.

Posted by Paul Davis on 07/02 at 05:25 PM

Paul,

You hit the nail on the head with “poor implementation”. The major bump I experience (to put it nicely) is lack of prior information when attempting to implement an infrastructure. You have three FW management consoles reporting, but have another 12 to implement; how do you determine (as an outside contractor) how to spread the load across agents? EPS estimations? Using existing FW management consoles won’t do any justice: the number of reporting firewalls can differ across managers, not to mention different logging levels, etc… Too many times do I hear “this information is impossible to get”, which is sad. This is just one issue; many more on the list. An aggressive plan is needed with as much detail as possible, but at the same time, this is why they are bringing in a SIM solution to assist with this…

One question with traditional methods focusing on the technical and not the business process level for the security team. Impact/Criticality of attack on X server/dmz/whatever, business function of said server (really useful!) or higher up? Sorry if I mis-interpreted. Raffy’s post mentions one of the drawbacks as:

“Complexity of modeling environment”

IMHO, this is the main task for any SIM implementation. It can definitely be a daunting task but I have seen it done in a day (10k hosts w/ a network model). It is a lot more efficient for the security team to determine from/where when the modeling is done. Couple that with asset information (vulns, patches, OS, open-ports, etc…) and you can really start impacting priority/relevance, analysis time, etc… A successful SIM implementation should not have the security team jumping from tool to tool to continue the analysis. Thanks for the great post, cheers!

Posted by Albert Gonzalez on 07/10 at 03:00 PM
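As an added example (not IdentityView or any other product’s code), the following Python sketch shows the kind of correlation both the post and the comment above are describing: raw host-level events are joined to an identity directory and role entitlements (who did this, and were they allowed to touch that business process?) and to an asset model carrying criticality and open vulnerabilities, so that alerts are scored and described in business-process terms rather than as “attack against database XYZ”. The log format, the directory, the entitlements and the asset model are all constructed for illustration.

```python
# Added example: identity- and asset-aware enrichment of raw security events.
# Not ArcSight IdentityView code; every data table below is constructed.
from collections import defaultdict

# Constructed raw events in an assumed "timestamp key=value ..." format.
RAW_EVENTS = [
    "2009-07-02T14:05:11 host=db-orders01 user=jsmith action=SELECT object=orders.customer_cards result=success",
    "2009-07-02T14:06:40 host=db-orders01 user=tbrown action=SELECT object=orders.customer_cards result=success",
    "2009-07-02T14:07:02 host=web-marketing02 user=tbrown action=LOGIN object=cms result=success",
    "2009-07-02T14:08:15 host=db-orders01 user=ghost action=LOGIN object=oracle result=failure",
]

# Constructed identity directory: account -> person and role.
IDENTITY = {
    "jsmith": {"name": "J. Smith", "role": "order_clerk"},
    "tbrown": {"name": "T. Brown", "role": "marketing"},
}

# Constructed role entitlements: business processes a role may touch.
ENTITLEMENTS = {
    "order_clerk": {"order processing"},
    "dba":         {"order processing", "marketing web"},
    "marketing":   {"marketing web"},
}

# Constructed asset model: host -> business process, criticality 1-5, open vulns.
ASSETS = {
    "db-orders01":     {"process": "order processing", "criticality": 5, "open_vulns": 2},
    "web-marketing02": {"process": "marketing web",    "criticality": 2, "open_vulns": 0},
}


def parse_event(line):
    """Parse one raw line into a dict; tokens without '=' are ignored."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def enrich(event):
    """Join the event to identity, entitlement and asset data (unknowns kept as None)."""
    ident = IDENTITY.get(event.get("user"))
    asset = ASSETS.get(event.get("host"))
    role = ident["role"] if ident else None
    process = asset["process"] if asset else None
    allowed = process in ENTITLEMENTS.get(role, set())
    return {
        **event,
        "person": ident["name"] if ident else None,
        "role": role,
        "process": process,
        "criticality": asset["criticality"] if asset else 0,
        "open_vulns": asset["open_vulns"] if asset else 0,
        # Only a *successful* action outside the role's processes is a violation.
        "role_violation": process is not None and not allowed and event.get("result") == "success",
        # An account the directory has never heard of is itself a finding.
        "unknown_user": ident is None,
    }


def score(enriched):
    """Priority 0-10: asset criticality, plus exposure and identity findings."""
    s = enriched["criticality"]
    s += 1 if enriched["open_vulns"] else 0
    s += 3 if enriched["role_violation"] else 0
    s += 2 if enriched["unknown_user"] else 0
    return min(s, 10)


def describe(enriched):
    """State the finding in business-process terms, not host/port terms."""
    who = enriched["person"] or f"unknown account '{enriched.get('user')}'"
    role = enriched["role"] or "no known role"
    where = enriched["process"] or enriched.get("host")
    return f"{where}: {who} ({role}) {enriched.get('action')} on {enriched.get('object')} -> {enriched.get('result')}"


def triage(lines, threshold=7):
    """Return (alerts at or above threshold, event count per business process)."""
    alerts, by_process = [], defaultdict(int)
    for line in lines:
        e = enrich(parse_event(line))
        by_process[e["process"] or "unmapped"] += 1
        s = score(e)
        if s >= threshold:
            alerts.append({"priority": s, "user": e.get("user"), "summary": describe(e)})
    alerts.sort(key=lambda a: a["priority"], reverse=True)
    return alerts, dict(by_process)


if __name__ == "__main__":
    for a in triage(RAW_EVENTS)[0]:
        print(f"[P{a['priority']}] {a['summary']}")
```

On the constructed sample, the order clerk’s routine query against the order database scores 6 and stays below the alert threshold, the marketing user’s successful read of the same table is reported as a role violation against “order processing” at priority 9, and a failed login from an account the directory does not know about still surfaces at priority 8 because the asset is critical and exposed. The point of the exercise is the join, not the particular weights: once an event carries person, role, process and asset criticality, the dashboard the business sponsor asked for is a grouping of the same records, with no second tool needed to continue the analysis.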
