Security information and event management (SIEM) systems have a reputation for being hard to configure and tune.
But analytics, orchestration and other new pieces increasingly available won’t necessarily make SIEMs easier to use unless CISOs know what they want.
Jason Rolleston, McAfee’s vice-president and general manager of security intelligence and analytics, made that point Tuesday in an interview during a roadshow for customers highlighting the latest version of the company’s Enterprise Security Manager 11.
“If you think a SIEM bought off the shelf is suddenly going to protect you without understanding what you’re trying to focus on, what types of risk, what particular challenges you’re trying to deal with, without having a specific idea of what you’re trying to accomplish, you will struggle,” he said.
“You have to think about what kinds of attacks you’re trying to prevent, are you more focused on insiders, compliance, breaches or denial of service, and then design a protection stack against that.

“Traditionally that’s been the biggest shortfall – that people would buy something with the belief that they can buy a couple of weeks of services, rack and stack them and you would have a useful defence.

“For a long time we’ve said the SIEM would deliver a full value set to you, and people have struggled with that.”

However, Rolleston added, while a SIEM is necessary for data collection and aggregation, it isn’t sufficient to deal with today’s advanced threats.
“So if you haven’t thought about SecOps in a holistic way in the next two to three years, you could very easily buy into a technology that limits you, or spend a lot of money on a part of the stack that eats up a lot of money that you need to be spending on other technologies [for example, behaviour analytics, threat investigation, automation] that will get your (staff’s) time back.”
When it was suggested this could be interpreted as meaning that buying ESM also means buying additional products with these capabilities, Rolleston replied, “the practical reality is that’s true.” However, he added, McAfee doesn’t force customers to scale ESM to full data ingestion capacity. A SIEM should be sized for the use cases it needs to support, he said, handling only the data those use cases require. If additional data is needed for other tools, add it to those tools instead.
In addition to talking about ESM 11, McAfee also wanted to bend the ear of invited customers about the effect of its year-old separation from Intel.
“Traditionally the McAfee roadshow is about device protection,” country manager Brian Rutledge said in an interview. “Part of this show is to show people what we’re doing in other areas like SOC (security operations centre), orchestration, analytics that people don’t traditionally think of when they think of McAfee.”
Partner perspective
Asked what the impact of the split has been on the company’s channel partners and distributors, Rutledge noted that many of them were with McAfee long before it was acquired by Intel in 2010 for about US$7.6 billion. “I think that post-Intel what they’ve seen us do is be more channel-friendly, and do things like … make it more flexible.”
Those changes, introduced in January, include consolidating the deal registration program from two sections into one, adding the ability to sell professional services and removing the Incumbency Advantage program to encourage partners to move customers to the latest products.
In an interview, Ken McCray, who heads channel sales for the Americas, said McAfee is now talking about updating its engineer certification program.
Like most mature companies, McAfee wants to expand its channel selectively. Rutledge said he is looking for solution providers who specialize in areas such as analytics.
This year, “what the channel can look forward to is what we are doing around our strategy and the products we’re bringing to market,” he said, “because the channel is an extension of our selling capability. So when we bring things like McAfee Behaviour Analytics, Investigator, the new version of the SIEM, the acquisition of SkyHigh Networks, all of those contribute to the channel having better capability to sell.”