Last week, McAfee launched its long-awaited update to the SIEM (Security Information and Event Management) product it had acquired when it bought NitroSecurity. SIEM products are a fascinating product set because they are incredibly comprehensive and can typically do a vastly better job of identifying potential threats than any other security offering. This is the first fully integrated SIEM product that McAfee has brought to market, and I spent some time looking under the hood.
The Promise and Problem with SIEM
SIEM is supposed to be a comprehensive business security tool. The offerings in this class promise to provide not only raw security data, but compile that data into actionable information the user can translate into corrective action, hopefully before there is a successful breach. If there is a breach, the SIEM tool is expected to provide forensic information that allows the investigator to identify the attacker or at least discover what was stolen. Finally, it is expected to be a major security compliance tool demonstrating that security policies are being followed.
Unfortunately, historical tools used antiquated architectures that traded off the time needed to produce a report against the depth of that report. You could get a fast, shallow look or a slow, deep look; the first would likely miss a number of potential exposures and active exploits, and the second would discover them but likely too late to actually mitigate the damage. Building on this, earlier tools were largely event-driven, so they would report a problem once it was exploited but weren't particularly good at finding potential problems before that. Finally, as a class, SIEM tools had to deal with massive complexity, so they tended to be extremely complex to use and implement. That tended to make them, much like their early systems management siblings, into shelfware: products that were purchased but only partially implemented, or never implemented at all.
McAfee initially tried to build a tool like this itself and found it too daunting a task. This forced the company to rethink the entire approach and put at the core of the solution a tool that NitroSecurity had designed for speed and ease of management. Presented as the first situation- and risk-aware SIEM product, McAfee's offering is designed to provide a deep report very quickly. In short, unlike earlier products, it is designed both to provide a rapid assessment and to make that assessment comprehensive.
Applying techniques related to the work McAfee has done on viruses, the tool is also able to look for potential problems and flag unusual behavior, such as permission escalation, that can precede an attack. Tied to McAfee's Global Threat Intelligence database, the tool also gains access to information on global attacks in real time and adjusts to ensure those attacks don't recur at the client site. It is also tied to the McAfee ePolicy Orchestrator offering for fast risk mitigation.
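To make the distinction between an event-driven SIEM and one that flags precursors concrete, here is a small correlation routine of the kind a SIEM rule engine runs. It is an added illustration, not McAfee's or NitroSecurity's code: the log format, the action names (`group_add`, `sudoers_edit`), the 30-minute window and the sample events are all constructed for the example. A permission escalation followed by a read of a sensitive file by the same user on the same host is raised as a high-severity alert; an escalation with no such follow-up is still surfaced, at lower severity, as the "potential problem" an older event-only tool would have stayed silent about.

```python
"""Toy SIEM-style correlation rule: privilege escalation as an attack precursor.

Added example with constructed data; not the code of any SIEM product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simple 'TIMESTAMP key=value ...' format.
SAMPLE_LOG = """\
2012-03-05T09:00:01 host=web01 user=alice action=login src=10.0.0.5
2012-03-05T09:02:10 host=web01 user=alice action=group_add group=wheel
2012-03-05T09:03:30 host=web01 user=alice action=read path=/etc/shadow
2012-03-05T10:15:00 host=db02 user=bob action=login src=10.0.0.9
2012-03-05T10:16:00 host=db02 user=bob action=read path=/var/log/app.log
2012-03-05T11:00:00 host=web01 user=carol action=group_add group=wheel
2012-03-05T14:30:00 host=web01 user=carol action=read path=/etc/shadow
"""

# Hypothetical action names and paths chosen for the example.
ESCALATION_ACTIONS = {"group_add", "sudoers_edit"}
SENSITIVE_PATHS = {"/etc/shadow", "/etc/sudoers"}
WINDOW = timedelta(minutes=30)  # how long a precursor stays "live"


def parse_event(line):
    """Parse one 'TIMESTAMP k=v k=v ...' line into a dict; 'ts' is a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def correlate(events, window=WINDOW):
    """Return {'high': [...], 'medium': [...]}.

    high   - escalation followed, within the window, by a sensitive read
             by the same (host, user): the precursor was acted upon.
    medium - escalation that was never followed up: a potential problem
             worth a look even though nothing has been exploited yet.
    """
    events = sorted(events, key=lambda e: e["ts"])
    pending = defaultdict(list)  # (host, user) -> unmatched escalation events
    high, medium = [], []
    for ev in events:
        key = (ev.get("host"), ev.get("user"))
        if ev.get("action") in ESCALATION_ACTIONS:
            pending[key].append(ev)
        elif ev.get("action") == "read" and ev.get("path") in SENSITIVE_PATHS:
            matched = [p for p in pending[key] if ev["ts"] - p["ts"] <= window]
            for p in matched:
                high.append({
                    "user": ev["user"], "host": ev["host"],
                    "precursor": p["action"], "path": ev["path"],
                    "lag_seconds": int((ev["ts"] - p["ts"]).total_seconds()),
                })
                pending[key].remove(p)  # a precursor is consumed once matched
    for leftovers in pending.values():
        for p in leftovers:
            medium.append({
                "user": p["user"], "host": p["host"],
                "precursor": p["action"], "ts": p["ts"].isoformat(),
            })
    return {"high": high, "medium": medium}


def analyze(text=SAMPLE_LOG, window=WINDOW):
    return correlate(parse_log(text), window)


if __name__ == "__main__":
    for severity, alerts in analyze().items():
        for alert in alerts:
            print(severity.upper(), alert)
```

On the sample data, alice's group change 80 seconds before reading `/etc/shadow` is the high-severity hit, bob never escalates and is not reported, and carol's escalation with a read three and a half hours later falls outside the window and is reported only as a medium-severity precursor. Tuning the window and the two action sets is where the real work of a production rule lies; the structure of the check stays the same.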
Finally, the tool is designed to be simple to implement, and very easy to use because McAfee recognized that shelfware doesn't result in return customers or business. This isn't a sell-it-and-leave-it effort; this product is expected to help create a relationship between the client company and McAfee that lasts indefinitely.
One thing to note is that McAfee was able to release this product only a few months after the acquisition of NitroSecurity; this is largely because both firms used open standards heavily, which made it far easier to integrate the NitroSecurity tool with the other key components in the McAfee offering. This is becoming a near-standard benefit of the move to open source and open standards: things integrate more easily than they used to.
Wrapping Up: Just the Start
Behind every McAfee release is the knowledge that the firm is owned by Intel and that integration into core hardware is going on in the background. That integration will likely become McAfee's sustaining advantage, because if you can create a known state that is secured in hardware and unique, you'll likely be able to defend against the most aggressive attacks, and attackers will choose firms that aren't running McAfee's tools as the easier target. In the end, security isn't about being absolutely secure, just about being secure enough that someone else is a more attractive target.
With this announcement and the joint projects with Intel, McAfee is well down the path of having what may be a sustaining, competitive advantage for its tool sets, particularly in the SIEM category. Looking ahead, it will be tools like this SIEM offering that may be crucial to understanding and mitigating future cyber threats given how fast they are growing.