“The trail is dusty and my road it might be rough / But the better roads are waiting and boys it ain’t far off.” – from Paths of Victory by Bob Dylan
It has been close to a year since RSA announced RSA Security Analytics, our foray into big data security analytics. Being first to the market delivering a unified platform for incident detection, investigations, compliance reporting and advanced security analysis has been a fantastic voyage so far.
When we first started going down this path at RSA, my main concern was whether the market would accept our strategy. Would they see the need for big data security analytics, or were they happy with the SIEM status quo? Would organizations be eager to come along for the journey, or did they disagree with our vision? Fortunately, the reaction to RSA Security Analytics has been amazing. Most of the questions we have gotten in the marketplace haven’t been “why would you go down this road?” but “how do we get started?”
That said, whenever you are breaking new ground you get asked a lot of good questions. Information security, by its nature, attracts naturally inquisitive people (and oftentimes naturally combative ones as well). With that in mind, I thought we would review some of the more common questions we get asked when first introducing the concept of security analytics:
Is SIEM dead?
No, at least not yet. It would be easy for me to take a pot shot at traditional SIEM and say it’s dead, but SIEM isn’t dead; organizations have just started pushing against the limits of what a traditional SIEM tool can achieve. SIEM has been very successful at its main purpose, log collection and compliance reporting. However, it has been only moderately successful (and some would say that is a stretch) at actually detecting incidents. Even worse, SIEMs really struggle when it comes to investigating incidents and getting more context around alerts.
Is security analytics different from SIEM?
You might get three different answers to this question depending on who is answering it (and who is asking it). I would say that security analytics, as a concept, is a continuation of SIEM. It builds on the process of log collection and puts much more focus on the analysis piece. In order to conduct that analysis, a true security analytics architecture needs the ability to collect not only large amounts of log data but also different types of data, such as network packets. Then it needs the infrastructure and analytical firepower to get value out of that data.
Can I keep my existing SIEM tool and still progress down the path of big data security analytics?
Yes. Some organizations will rip and replace their SIEM, while others will supplement their traditional SIEM with RSA Security Analytics. RSA Security Analytics offers a number of deployment options to help customers address key SIEM and logging requirements while reducing the cost of long-term retention. It all depends on the individual needs of the organization.
Is the market really ready for big data security analytics?
Yes. Like it or not, this is where the marketplace is heading.
To be clear, not every organization is ready to flip a switch and start conducting advanced security analytics tomorrow. There is a natural growth curve from compliance, to incident detection, to incident investigations and forensics, and then to advanced analytics utilizing big data warehouses. Organizations need to ensure that whatever tool they are using will grow with them over time as their needs change. Otherwise, you’re just going to be bolting on or ripping and replacing every few years.
Do I get paid every time I say “Big Data”?
I wish. I think at this point we’d be more likely to get paid for avoiding the term “big data”. That said, the concept of big data security analytics is here to stay, and it has already begun changing the way the market thinks about threat protection.
To hear more about moving beyond SIEM, I urge you to listen to the webcast “From SIEM to Security Analytics: The Path Forward,” which took place on December 17, 2013.