Sometimes technology areas that once seem distinct converge. Indeed there was a time when the term convergence was used, without qualification, to refer to the coming together of IT and traditional telephone networks, something that for many is now just an accepted reality. Two recent discussions Quocirca had brought into focus a convergence that is going on in the IT security space, driven by the growing volumes of security data and the ability to make use of it in real time. This is the convergence of IT forensics and security information and event management (SIEM) on to the area of real time security analytics.
First, IT forensics: historically this has been about working out exactly what has happened after a security incident of some sort; preparing reports for regulators or perhaps crime investigators. Specialists in this space include Guidance Software, Stroz Friedberg, Dell Forensics and Access Data, the last of which Quocirca has just spoken with.
Access Data is a mature vendor having been around since 1987; its Cyber Intelligence and Response Technology (CIRT) provides host and network forensics as well as the trickier to address volatile memory; processing data collected from all these areas to provide a comprehensive insight in to incidents. With some new capabilities, Access Data is re-packaging this as a platform it calls Insight to provide continuous automated incident resolution (CAIR). The new capabilities include improved malware analysis (what might this software have done already, what could it do in the future?), more automated responses (freeing up staff to focus on exceptions) and real time alerts. This is all well beyond historical forensics moving Access Data from what has happened to what is happening.
None of this makes Access Data a SIEM vendor per se; its focus is still on analysis and response rather data collection. Indeed it is partnering with one of the major SIEM vendors, HP ArcSight, for joint go to market. Access Data also says it works closely with Splunk, another vendor that makes its living from gathering data from IT systems, including those focussed on security, to provide operational intelligence.
Second SIEM: most vendors in this space come from a log management background. However, over the years, their capabilities have expanded to include data analysis, increasingly in real time. This is an area Quocirca covered in its 2012 report Advanced cyber-security intelligence, sponsored by LogRhythm, one of the leading independent SIEM vendors. Many of the other SIEM vendors have been acquired in recent years, including ArcSight by HP, Q1 Labs by IBM and NitroSecurity by McAfee.
This week Quocirca spoke with a lesser known vendor called Hexis which was created when its larger parent KEYW acquired yet another SIEM vendor called Sensage on 2013. Sensage already had a capability to respond to events as well as gathering information on them. It now seems to be positioning itself out of SIEM completely with the release of a new platform, Hawkeye G, which will enable malware analysis, real time response and so on. A layer above SIEM as its spokesman said (but with plenty of overlap). Indeed, it says SIEM vendors are key sources of information, citing Q1 Labs, Red Lambda, ArcSight and Splunk.
So, the good news is, if your organisation, as many seem to be, is concerned about resolving the problems caused by IT security breaches, or indeed, putting in place another layer of defence to help prevent them, there is plenty of choice. The bad news, that as vendors that once seemed to be doing distinct and different things start to sound the same, which end of the spectrum to you start from?