Years ago, in a meeting at IBM, a bunch of us were pointing out that IT focused too much on backup speed and not enough on recovery. Some of the fastest backup products at the time did a terrible job of actually getting files back. To us, the whole point of a backup was the capability to restore a file that was lost.
Security information and event management (SIEM) software placed a similar emphasis on identifying threats, not eliminating them. Most IT managers therefore avoided SIEM products - and with good reason.
Well, McAfee just attempted to fix that problem with its latest release of Enterprise Security Manager (ESM).
Most SIEM Software Identifies Problems, But Won't Solve Them
SIEM sounded like such a great idea: A class of product that categorizes and identifies all the potential security threats inside an enterprise. No more would you wonder how secure you were. With a bit of money and effort, you would finally know just how insecure you really were.
Why did IT executives run screaming from these products? Think about it: These systems would generate a report highlighting every single security exposure in a firm - but they wouldn't generate the budget or the capability to fix the problem. Rather than benefit a company, SIEM simply became a great way to ensure that IT knew about problems but couldn't correct them in a timely manner.
While I'm sure a lot of CIOs occasionally wish they had chosen a different career path, a product that all but guarantees catastrophic changes to their career path isn't going to get them very excited. A product that catalogs all the problems you don't have the resources to fix is less than useful. As with the opening example of a fast backup product that can't restore, a SIEM that doesn't include remediation - that can't fix the problems it has found - is worthless to anyone except internal auditors.
McAfee's Goal: Actually Fix the Problems
McAfee has clearly realized two things: That trying to sell a product that puts a target on a CIO's back would be a short-lived endeavor, and that a SIEM product that can't address the problems it identifies won't sell particularly well. So its latest offering focuses on actual attacks, not exposures, and includes a remediation component with a high probability of first stopping an attack in progress and then eliminating it.
Exposures are one thing. We live in a world where government-class military organizations are funded, often by our own governments, to penetrate our security, and these organizations apparently aren't that secure themselves. This can lead to breaches with far greater impact on customers and corporate reputation than we've seen in the past.