Comment Re:I'm not certain this is a rethink, really (Score 2, Insightful) 35
Not being able to read the (slashdotted?) article, it sounds like he's calling for companies to buy and install the latest series of security gizmos - the Security Event/Information Manager (SEM/SIM). This is truly the greatest generation of toys - it slices/dices/makes julienne fries!
The goal of these devices is to take the data from the varying sources - syslogs, firewall logs, IDS/IPS entries, and so on and correlate it in an automated fashion. The challenge with these solutions is that it's, well, hard to do right. How long did it take us to get a decent IPS device? If you count the Checkpoint/Realsecure connections (where Realsecure could modify Checkpoint rules), it was about 4 years between that and a functional IPS that organizations could effectively trust. The S(E/I)M is a pretty big step beyond that. That's why managed security providers are in business, and even their correlation engines aren't that advanced. It's a great idea, and would be great to see, but I'm not convinced the complexity issues can truly be overcome. Can we really take in all the data from our servers, switches, routers, firewalls, IDS/IPS, workstations, network management systems, application logs, LDAP/AD logs, email systems, etc. etc. and create a cohesive top-down view? I'd love it, but I wouldn't want to try to write it.
It reminds me a bit of ERP systems - great tools that managed everything and are amazingly expensive to purchase, customize, and use. Then again, if the security market goes that way, we'll have job security just installing the buggers.
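The cross-source correlation the comment describes, as an added example that is not part of the original post or of any SEM/SIM product: three constructed log formats (a syslog auth line, firewall denies, an IDS alert; every sample line is invented) are normalised into one event schema, and a rule flags a host that shows up in all three sources within a two-minute window. The regexes, the source tags and the threshold are assumptions for illustration.

```python
"""Toy SIEM-style correlation across heterogeneous log sources."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not real logs). The first token is an assumed
# source tag that a collector would attach: syslog / fw / ids.
SAMPLE_LOGS = """\
syslog 2024-05-01T10:00:05 sshd[1201]: Failed password for root from 10.0.0.7
fw 2024-05-01T10:00:09 DENY TCP src=10.0.0.7 dst=10.0.1.20 dport=445
fw 2024-05-01T10:00:11 DENY TCP src=10.0.0.7 dst=10.0.1.21 dport=445
ids 2024-05-01T10:00:40 ALERT sig="SMB scan" src=10.0.0.7
fw 2024-05-01T10:05:00 DENY UDP src=10.0.0.9 dst=10.0.1.5 dport=53
"""

# One parser per source; each extracts the field we correlate on (source IP).
PARSERS = {
    "syslog": re.compile(r"sshd\[\d+\]: Failed password for \S+ from (?P<src>\S+)"),
    "fw": re.compile(r"DENY \w+ src=(?P<src>\S+) dst=\S+ dport=\d+"),
    "ids": re.compile(r'ALERT sig="[^"]+" src=(?P<src>\S+)'),
}

def normalise(line):
    """Map one raw line to (timestamp, source_type, src_ip), or None if unparsed."""
    source, ts, rest = line.split(" ", 2)
    m = PARSERS[source].search(rest)
    if not m:
        return None
    return datetime.fromisoformat(ts), source, m.group("src")

def correlate(raw, window=timedelta(minutes=2), min_sources=3):
    """Return (host, sources) for hosts seen in >= min_sources distinct
    sources inside one sliding window; one finding per host."""
    by_host = defaultdict(list)
    for line in raw.splitlines():
        ev = normalise(line)
        if ev:
            by_host[ev[2]].append(ev)
    findings = []
    for host, events in by_host.items():
        events.sort()  # tuples sort by timestamp first
        for i, (t0, _, _) in enumerate(events):
            kinds = {src for t, src, _ in events[i:] if t - t0 <= window}
            if len(kinds) >= min_sources:
                findings.append((host, sorted(kinds)))
                break
    return findings

if __name__ == "__main__":
    print(correlate(SAMPLE_LOGS))  # [('10.0.0.7', ['fw', 'ids', 'syslog'])]
```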