Sunday, October 24, 2010

SIEM needs a new name

In my mind there is a point where a SIEM becomes something more than what the “S” constrains it to, especially as you move into the context of smaller enterprise environments. No doubt the majority of SIEM purchasers have done so with the idea of using it for security and/or compliance of one flavor or another – at least initially. Maybe another way to approach this is: if SIEM is sort of the next-gen implementation of log management, do you have to constrain yourself to just a security-based use of the product to the exclusion of the other groups within the IT shop? At the end of the day you have a box/system/appliance/magical holder of a whole lot of events. It is the security mentality you bring to those events that defines how you use those logs. If you are already tracking user movement in and out of ACL groups so that you can do security-minded things like overlay that data with successful and failed logins to certain systems, or keep an eye on particularly sensitive groups, why not spend just a few minutes to slice and dice the data into something a program manager can use? Alternatively, if you track the source address where people have logged in, you have a vestigial IDM which can be used for security stuff, but it isn’t a hard stretch to cross into BI or resource usage tracking.
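To make the “overlay group changes with logins, then slice the same data for a program manager” idea concrete, here is an added example (not code from the original post or from any SIEM product). It replays a constructed, hypothetical event format in which group membership changes and login events arrive as one stream, annotates each login with the groups the user held at that moment, and then produces two views of the same events: failed logins by members of a sensitive group (the security view) and per-host usage plus source addresses per user (the program-manager / vestigial-IDM view). The group name, hosts, users and addresses are all made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample event stream (hypothetical format, not any vendor's log syntax).
EVENTS = """
2010-10-20T08:00:00 groupchange user=alice group=Finance-Admins action=add
2010-10-20T08:05:00 login user=alice host=erp01 src=10.1.1.5 result=success
2010-10-21T09:00:00 groupchange user=bob group=Finance-Admins action=add
2010-10-21T09:02:00 login user=bob host=erp01 src=10.1.1.9 result=failure
2010-10-21T09:03:00 login user=bob host=erp01 src=10.1.1.9 result=failure
2010-10-21T09:04:00 login user=bob host=erp01 src=10.1.1.9 result=success
2010-10-22T10:00:00 groupchange user=alice group=Finance-Admins action=remove
2010-10-22T10:30:00 login user=alice host=erp01 src=10.1.1.5 result=success
2010-10-22T11:00:00 login user=carol host=wiki01 src=10.1.2.7 result=success
"""

# Groups the security team watches closely (assumed name).
SENSITIVE_GROUPS = {"Finance-Admins"}


def parse_events(text):
    """Turn the key=value lines into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = value
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def correlate(events):
    """Replay events in order, maintaining current group membership so each
    login is annotated with the groups the user held at that instant."""
    membership = defaultdict(set)
    annotated = []
    for e in events:
        if e["kind"] == "groupchange":
            if e["action"] == "add":
                membership[e["user"]].add(e["group"])
            else:
                membership[e["user"]].discard(e["group"])
        elif e["kind"] == "login":
            annotated.append({**e, "groups": set(membership[e["user"]])})
    return annotated


def security_view(annotated, sensitive=SENSITIVE_GROUPS):
    """Failed logins by users who were in a sensitive group at the time."""
    return [
        (a["ts"].isoformat(), a["user"], a["host"])
        for a in annotated
        if a["result"] == "failure" and a["groups"] & sensitive
    ]


def manager_view(annotated):
    """The same events sliced for a program manager: successful logins per
    host and user, plus the distinct source addresses seen per user."""
    per_host = defaultdict(lambda: defaultdict(int))
    sources = defaultdict(set)
    for a in annotated:
        if a["result"] == "success":
            per_host[a["host"]][a["user"]] += 1
        sources[a["user"]].add(a["src"])
    return ({h: dict(u) for h, u in per_host.items()},
            {u: sorted(s) for u, s in sources.items()})


if __name__ == "__main__":
    logins = correlate(parse_events(EVENTS))
    print("security:", security_view(logins))
    print("manager:", manager_view(logins))
```

The one ingestion pass feeds both views; only the final projection differs, which is the point of the paragraph above. Note that alice's 10:30 login is not flagged even though she was a Finance-Admin earlier, because membership is evaluated at the time of the login rather than at report time.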

Maybe the third generation (are we on other generations? I haven’t been doing this long lol) of log management isn’t so much technological improvements as much as a change in the perception of what you can use these sorts of solutions for. Isn’t that one of the main reasons why HP bought ArcSight? That’s one of the takeaways I had from the last ArcSight user conference at least. CISOs are looking to collapse a range of point solutions designed to capture and process events for a select group of IT folks into fewer devices that can be used by a broader audience. Pull the events into one place and pull out what you need.

The question is what to call this. You could drop the S and just go with IEM, I guess, but it isn’t that great. “Hello executive purse string holders, we want to buy an IEM.” “Ooh, I’m sorry; you can only buy vowels.” (That’s some bad Wheel of Fortune humor right there.) We could try enhancing it to Audit and Unified Nuance Technology Information Event Manager (AUNTI-EM), but that might lead to too many Oz jokes. Another option, I guess, is Stuff Happens in Information Technology, but putting that in the proposal slide deck might lead to disapproving looks.

Would be interested in feedback and/or name ideas for the paradigm.
