Wednesday, July 02, 2008
ArcSight recently announced a new product, called IdentityView, which links a user’s identity and role to his or her IT activity. This is an important move and reflects a growing trend in security event correlation systems that, I think, will move the security-monitoring model into the next phase of its evolution. The SIM vendors out there are starting to move up the OSI stack.
For too long, many organizations have looked at security monitoring only at the network and server level, examining the bits and bytes of activity at the lowest layer to detect malicious activity. Port scans, unusual network traffic patterns, and virus rules have been our common world of alerts. Actually attributing the activity to an individual user has been treated as a secondary step in the process.
The trouble with this traditional approach is that it keeps the security team focused at the technical level, not at the business-process level. Raffy recently proclaimed the death of the SIM, but I think, really, he is proclaiming the death of the current iteration of SIM. I partially agree with him, but I think a lot of the issues that he has or had with a SIM solution are related to poor implementation, as opposed to leveraging the true capabilities of SIM in a mature security organization.
This technical approach is also causing angst for the CSO/CISO/CRO as they continue to try to justify the investments needed to maintain a proactive security program. One of the main challenges faced by many of them is how to demonstrate exactly how the security organization is protecting the business processes of an organization. The regulation drum is rapidly wearing out and, even now, I am starting to see executives becoming numb to the argument of protecting the organization’s reputation.
There have been many proclamations of how security is going to become more business focused. Unfortunately, we do not always have the tools oriented the right way to help us create the business dashboards that our business sponsors want to see. Many times, if you dig below the initial gloss of those reports, it turns out that a lot of the information is subjective, and businesses should operate on facts as much as possible, rather than on opinions or feelings.
This is why ArcSight’s IdentityView might help. This tool will hopefully help us track security events in terms of the user and the business activity involved, for example that orders are being processed, as opposed to just detecting a malicious attack against database XYZ. I say “hopefully,” since I have only read the brochureware and we have not yet evaluated the IdentityView product.
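To make the idea of “events in terms of the user and the business process” concrete, here is an added example of identity-aware correlation; it is not ArcSight code and it is not IdentityView’s method. It assumes a constructed key=value log format, a hard-coded identity directory and asset inventory (in practice these would come from HR/IdM, a directory service and a CMDB), and it attributes each raw database event to a person, a role and the business process the target system supports, then summarises by process rather than by host, flagging unknown accounts and accounts acting outside their expected role.

```python
"""Identity-aware event correlation (added example, not product code).

Raw host-level events are enriched with who the account belongs to, what
role they hold, and which business process the target system supports, then
summarised per business process instead of per host.
"""
from collections import defaultdict

# Constructed identity directory: account -> person and role.
IDENTITY_DIRECTORY = {
    "jsmith": {"name": "Jane Smith", "role": "order-clerk"},
    "mlee": {"name": "Mark Lee", "role": "dba"},
    "svc_backup": {"name": "Backup service account", "role": "service"},
}

# Constructed asset inventory: host -> business process it supports and the
# roles expected to touch it.
ASSET_INVENTORY = {
    "db-orders-01": {"process": "order-processing",
                     "expected_roles": {"order-clerk", "dba", "service"}},
    "db-billing-01": {"process": "billing",
                      "expected_roles": {"dba", "service"}},
}

# Constructed sample log lines in a simple key=value style (not a real
# product's format). "ghost" is an account that exists in no directory.
SAMPLE_LOG = """\
2008-07-02T09:01:10Z host=db-orders-01 user=jsmith action=SELECT table=orders result=ok
2008-07-02T09:01:12Z host=db-orders-01 user=jsmith action=UPDATE table=orders result=ok
2008-07-02T09:05:33Z host=db-billing-01 user=jsmith action=SELECT table=invoices result=denied
2008-07-02T09:07:01Z host=db-billing-01 user=mlee action=ALTER table=invoices result=ok
2008-07-02T09:09:45Z host=db-orders-01 user=ghost action=SELECT table=orders result=ok
2008-07-02T09:10:00Z host=db-orders-01 user=svc_backup action=DUMP table=* result=ok
"""


def parse_line(line):
    """Parse 'timestamp key=value key=value ...' into a dict."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def enrich(event, directory=IDENTITY_DIRECTORY, inventory=ASSET_INVENTORY):
    """Attach person, role, business process and two identity-level flags."""
    identity = directory.get(event["user"])
    asset = inventory.get(event["host"], {})
    enriched = dict(event)
    enriched["person"] = identity["name"] if identity else None
    enriched["role"] = identity["role"] if identity else None
    enriched["process"] = asset.get("process", "unmapped")
    # Activity from an account nobody owns is worth a look regardless of result.
    enriched["unknown_account"] = identity is None
    # A known person acting on a system their role is not expected to touch.
    expected = asset.get("expected_roles", set())
    enriched["role_mismatch"] = identity is not None and enriched["role"] not in expected
    return enriched


def business_view(log_text):
    """Summarise enriched events per business process, the view a sponsor asks for."""
    summary = defaultdict(lambda: {"events": 0, "denied": 0, "unknown_accounts": 0,
                                   "role_mismatches": 0, "people": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = enrich(parse_line(line))
        bucket = summary[ev["process"]]
        bucket["events"] += 1
        if ev.get("result") == "denied":
            bucket["denied"] += 1
        if ev["unknown_account"]:
            bucket["unknown_accounts"] += 1
        if ev["role_mismatch"]:
            bucket["role_mismatches"] += 1
        if ev["person"]:
            bucket["people"].add(ev["person"])
    return dict(summary)


if __name__ == "__main__":
    for process, stats in sorted(business_view(SAMPLE_LOG).items()):
        print(process, {k: (sorted(v) if isinstance(v, set) else v)
                        for k, v in stats.items()})
```

The point of the summary is that the same six raw events, which a host-centric console would show as “activity on db-orders-01” and “activity on db-billing-01”, now read as “order processing saw activity from an account nobody owns” and “billing saw an order clerk try to read invoices and get denied”, which is a statement a business sponsor can act on.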
Other vendors are planning to release similar products with these capabilities, so this is not a “one off,” but hopefully the beginning of the next phase in our evolution as protectors of people and organizations.
We also have a challenge. I call this an “evolution” as opposed to the “next phase,” since we are going to have to change the way we talk and think as a security industry. That means that we have to change our views, become even more passionate about the business processes and procedures, and really push the security vendors to give us the tools we need.
If you agree or disagree, please do not hesitate to comment.