IBM Got it Wrong: It’s Not about Adding Another Data Source

Tuesday, March 13, 2012

John Linkous


…it’s what you do with the data that counts!

The New York Times Bits blog devoted 700 words to IBM’s announcement recently that it has now managed to connect its newly acquired QRadar SIEM platform to its X-Force database.

While this is news for IBM and QRadar customers it is, perhaps, less relevant for organizations that aren’t exclusively ‘Big Blue’.

The same piece states, “Businesses spend billions of dollars each year on firewalls, applications and antivirus software in a desperate attempt to ward off hackers and yet, even the companies, like Symantec and RSA, that sell ‘security solutions’ can’t keep themselves hacker-free”.

This is, I believe, far more newsworthy – and an issue that I hope the industry will explore as it convenes in San Francisco next week for the annual RSA conference.

The article’s author claims that “the crux of the problem is that businesses have taken a piecemeal approach to security”. I disagree. There is no denying that you need these purpose-built products as part of an overall security strategy.

The crux is that organizations lack the capability to collect, monitor, analyze and correlate ALL relevant security data from each of their different devices and products, and so cannot make sense of what is actually happening in their network.

The majority of products, including SIEM tools like IBM’s QRadar, collect just log and event data. This may enable security analysts to understand that something has happened, but it does not answer the most important question:

How, where and what, exactly, has happened? Because they can’t answer this question, they can’t figure out what needs to be done to repel an attack, identify the likely target, and take timely action to stop it.

For effective threat detection and mitigation you need to collect, analyze and correlate not only log data with threat intelligence data like X-Force, but also other critical data such as asset configuration state, vulnerability state, asset criticality and connectivity state.
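As an added illustration of the correlation the post calls for (not code from the original post or from any SIEM vendor), the sketch below enriches constructed IDS log lines with a hypothetical threat-intel feed, asset criticality, vulnerability state and connectivity state, then ranks the alerts; every IP, signature name and CVE id is a placeholder.

```python
"""Enrich log events with threat intel and asset state to rank what to act on first.

All sample data below is constructed; the IPs, CVE id and signature names are placeholders.
"""
from dataclasses import dataclass, field

THREAT_INTEL = {"203.0.113.45": "known scanner"}      # hypothetical feed: source IP -> label
ASSETS = {                                            # hypothetical CMDB / vuln-scan extract
    "10.0.0.5": {"criticality": 3, "vulns": {"CVE-0000-TEST1"}, "internet_facing": True},
    "10.0.0.9": {"criticality": 1, "vulns": set(), "internet_facing": False},
}
SIG_TO_VULN = {"SIG-WEB-RCE": "CVE-0000-TEST1"}       # which flaw a signature targets (constructed)


@dataclass
class Alert:
    src: str
    dst: str
    sig: str
    score: int = 1                    # the bare log event alone tells us only that something happened
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> Alert:
    """Parse a constructed 'src=... dst=... sig=...' log line."""
    kv = dict(token.split("=", 1) for token in line.split())
    return Alert(kv["src"], kv["dst"], kv["sig"])


def enrich(alert: Alert) -> Alert:
    """Add the context a log-only SIEM lacks, raising the score for each corroborating finding."""
    if alert.src in THREAT_INTEL:                      # threat intelligence (X-Force-style feed)
        alert.score += 2
        alert.reasons.append(f"source is {THREAT_INTEL[alert.src]}")
    asset = ASSETS.get(alert.dst)
    if asset is None:                                  # an inventory gap is itself worth surfacing
        alert.reasons.append("target not in asset inventory")
        return alert
    alert.score += asset["criticality"]                # asset criticality
    alert.reasons.append(f"asset criticality {asset['criticality']}")
    if SIG_TO_VULN.get(alert.sig) in asset["vulns"]:   # vulnerability state: is the attack viable?
        alert.score += 3
        alert.reasons.append("target is vulnerable to this signature")
    if asset["internet_facing"]:                       # connectivity state
        alert.score += 1
        alert.reasons.append("asset is internet-facing")
    return alert


def rank(lines):
    """Return alerts highest score first, so viable attacks on critical assets surface first."""
    return sorted((enrich(parse_event(line)) for line in lines), key=lambda a: -a.score)
```

Run against the constructed lines in a test, the same signature scores 10 against the vulnerable, internet-facing web host and only 4 against the patched dev box, which is exactly the distinction the log line alone cannot make.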

For the majority of organizations, information security is more post mortem than critical care… and regardless of how many billions of dollars you spend on security tools, until you fix this inherent problem in traditional SIEM tools, large organizations will continue to be breached at will.

Cross posted from The Situational Room
