Security has been a fascination for me for years. Not only was I in law enforcement early in my career, but I also had security organizations reporting to me, and I really loved doing security audits when I was one of the top internal auditors at IBM. What makes security so fascinating is that it often has more to do with how secure you feel than with how secure you actually are. In a town with little crime, you may feel secure with your doors unlocked; in a town with a lot of crime, even bars on your windows won't make you feel secure enough.
Staying with the bars: near me, a number of people recently died in a house fire because the window bars were so well built that, instead of keeping burglars out, they kept the firefighters out. A security measure that does its one job perfectly can still become the problem.
That is what security information and event management (SIEM) started out being: more of a problem than a solution. This week at Focus, McAfee reworked its SIEM offering so that it delivers not only peace of mind but also a high probability of a far more secure enterprise.
Let me explain.
Old SIEM: CIO Early Retirement Option
With products adjacent to the core CIO functions, and security is one of those adjacent areas, we often fail to think through how the findings they produce will actually be handled. Suppose you were building a product that tested the structural integrity of a building after it was finished. You would not ship it until you could also give the builder a way to fix the problems it found. Otherwise builders would run away from the product rather than toward it, and the developers who fund the building by lining up tenants or buyers would not pay for it either, since all it could do is create liability.
SIEM, as a class, started out focused like a laser on being a comprehensive way to identify potential problems. That sounds good to a security person, and it nearly brought tears of happiness to my eyes when I thought of what it would do for a security audit, but it was deadly to IT management. A good-sized enterprise can have literally millions of exposures, the vast majority of which may never be exploited. Worse, the report is itself a sensitive document: an attacker who obtained a SIEM report would have a template for successfully attacking the firm. That puts the CIO in a lose/lose position. The report makes them look incompetent for not fixing known problems, and should it leak, it makes management look as though they contributed to the breach.
The obvious fix was to run screaming from the SIEM product, which is difficult because both audit and security may lust for exactly such a tool. The audit team would love it because it would make security audits, even really nasty ones, damned easy. The security team would go for it because it would likely free up funding for security projects. Early SIEM should have been renamed the CERO: CIO Early Retirement Option.
McAfee Fixing SIEM
With the latest release of Enterprise Security Manager (ESM), McAfee took the focus off comprehensive lists of potential exposures and put it on actual exploits in progress, and then added remediation tools so that an attack can be not only identified almost instantly but also mitigated nearly as quickly. That turns SIEM from a tool that mostly assured IT management felt insecure into one where IT management can feel they actually have a handle on the problem, and it appears to have that capability. This week at McAfee Focus, the company fixed SIEM and turned it from an IT problem into what may be, given the level of threats in the market, the enterprise's strongest weapon in the fight to stay secure. And it spans from traditional to mobile platforms.
Wrapping Up: Avoiding the Ass Backwards Problem
The lesson from all this is that any tool that identifies problems, particularly one that can identify large numbers of them, has to come with an affordable way of fixing them. A tool that only tells you that you are screwed is not just worthless, it is career limiting: it makes you look negligent or incompetent. A tool that focuses on the real problems and provides a rapid, cost-effective way to fix them can be priceless.
At Focus this year, McAfee got that done, and I think IT folks will be thankful for it. This latest SIEM offering can actually make them safer, both in the enterprise and in their jobs.