Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘Q1 Labs’

Log Management, The Next Generation

Wednesday, June 30th, 2010

Log management technologies have become a staple for regulatory compliance and security reporting. That said, most log management systems provide little more than triggers and alerts when something happens. What about security forensics? Yes, all the information is there but getting to it is a lot like the early days of the World Wide Web when you found information by following hyperlinks. Even a senior security analyst can wade through useless haystacks of security logs for days before discovering valuable needles.

So what’s needed? The next generation of log management featuring:

  1. Consolidation of logs and network flows. Some vendors collect both of these data sources but most don’t. Log and flow data together tell about individual network nodes and where they are connecting, helping me understand the origins and ramifications of an attack. Without this combination, I am filling in the blanks in one area or the other.
  2. Location awareness. Yes, I want to know what happened but I also want to know where it happened. An IP address on its own is a piece of random evidence, while an IP address in Ukraine may constitute a crime scene.
  3. Deeper granular visibility. The system logs provide the big picture but researchers need to dig into particular sub-routines and processes to get a more accurate understanding of what happened. This requires the correlation of many types of data inputs and visual tools that make these relationships understandable.
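The three requirements above, shown together in working code. This is an added example, not ESG's, Q1 Labs' or any other vendor's code: a small Python correlator that parses constructed sshd log lines, joins them with constructed flow records by host, labels every address with a coarse location from a constructed prefix table (a real deployment would use a GeoIP database), and then flags the one pattern a forensic analyst would want surfaced rather than dug for: an accepted login from outside the network followed by a large outbound transfer to an external peer. The host names, addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24 plus RFC 1918 space), the location labels, the ten-minute window and the byte threshold are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (syslog-style sshd events); not real data.
LOG_LINES = [
    "2010-06-30T09:14:02 host-a sshd[4131]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "2010-06-30T09:14:05 host-a sshd[4131]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "2010-06-30T09:14:09 host-a sshd[4140]: Accepted password for admin from 203.0.113.7 port 51030 ssh2",
    "2010-06-30T09:20:41 host-b sshd[2210]: Accepted publickey for deploy from 10.0.0.25 port 40110 ssh2",
]

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    ("2010-06-30T09:14:01", "203.0.113.7", "10.0.0.10", 22, 4210),
    ("2010-06-30T09:15:30", "10.0.0.10", "198.51.100.9", 443, 7_340_000),
    ("2010-06-30T09:21:00", "10.0.0.25", "10.0.0.30", 5432, 1200),
]

# Constructed asset inventory (hostname -> address) and location table (prefix -> label).
HOST_IPS = {"host-a": "10.0.0.10", "host-b": "10.0.0.25"}
GEO = {
    ipaddress.ip_network("203.0.113.0/24"): "country-X (external)",
    ipaddress.ip_network("198.51.100.0/24"): "country-Y (external)",
    ipaddress.ip_network("10.0.0.0/8"): "internal",
}

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def locate(ip):
    """Requirement 2: label an address with the location of the prefix that contains it."""
    addr = ipaddress.ip_address(ip)
    for net, label in GEO.items():
        if addr in net:
            return label
    return "unknown"


def parse_auth(line):
    """Turn one sshd log line into a structured event, or None if it is not an auth event."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.fromisoformat(m["ts"]),
        "host": m["host"], "result": m["result"],
        "user": m["user"], "ip": m["ip"],
        "source_location": locate(m["ip"]),
    }


def correlate(log_lines, flows, host_ips, window=timedelta(minutes=10)):
    """Requirement 1: per host, keep auth events plus the flows touching that host
    within `window` of one of its auth events, each flow labelled with its peer's location."""
    ip_to_host = {ip: h for h, ip in host_ips.items()}
    report = defaultdict(lambda: {"auth": [], "flows": []})
    for line in log_lines:
        ev = parse_auth(line)
        if ev:
            report[ev["host"]]["auth"].append(ev)
    for ts, src, dst, port, nbytes in flows:
        t = datetime.fromisoformat(ts)
        if dst in ip_to_host:                      # traffic towards a monitored host
            host, direction, peer = ip_to_host[dst], "inbound", src
        elif src in ip_to_host:                    # traffic leaving a monitored host
            host, direction, peer = ip_to_host[src], "outbound", dst
        else:
            continue
        if any(abs(t - ev["time"]) <= window for ev in report[host]["auth"]):
            report[host]["flows"].append({"time": t, "direction": direction, "peer": peer,
                                          "peer_location": locate(peer), "port": port,
                                          "bytes": nbytes})
    return dict(report)


def findings(report, min_bytes=1_000_000):
    """Requirement 3: relate the pieces. Flag an accepted login from outside the network
    that is followed by an outbound flow of at least `min_bytes` to an external peer."""
    out = []
    for host, data in report.items():
        for login in data["auth"]:
            if login["result"] != "Accepted" or login["source_location"] == "internal":
                continue
            for fl in data["flows"]:
                if (fl["direction"] == "outbound" and fl["time"] > login["time"]
                        and fl["peer_location"] != "internal" and fl["bytes"] >= min_bytes):
                    out.append({"host": host, "user": login["user"],
                                "login_from": login["source_location"],
                                "transfer_to": fl["peer_location"], "bytes": fl["bytes"]})
    return out


if __name__ == "__main__":
    for f in findings(correlate(LOG_LINES, FLOWS, HOST_IPS)):
        print(f"{f['host']}: '{f['user']}' logged in from {f['login_from']}, "
              f"then {f['bytes']} bytes went to {f['transfer_to']}")
```

On the constructed data the correlator attaches two flows to host-a (the inbound connection from the login source and the later outbound transfer) and one to host-b, and only host-a produces a finding: the internal-to-internal activity on host-b is joined and labelled just the same but never rises to an alert, which is the difference between a pile of logs and an answer.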

Leading log management vendors like ArcSight, LogRhythm, Q1 Labs, and others realize that log management isn’t just about collecting and storing esoteric IT data; it is about providing organizations with the right data and tools to make this data actionable.

It’s time for users and other vendors to realize that the next generation of log management isn’t a visionary concept; it is an absolute requirement.

Tracking the Rise and Fall of Cisco MARS

Friday, November 13th, 2009

For better or worse, I’ve been following Cisco MARS for a long time. During that timeframe, Cisco promoted MARS as an essential component of its security strategy and then quietly backed away from these statements over time.

I did a bit of research to piece together a timeline of the rise and fall of Cisco MARS. This timeline is in no way an exhaustive study of events, but I do think it illustrates Cisco’s management of MARS and its changing attitude toward security.

12/20/2004: Cisco announces that it will acquire Protego for $65 million in cash. Protego will play an essential role in Cisco’s “Self-Defending Networks” initiative. Richard Palmer, Vice President of Cisco’s Security Technology Group states, “the acquisition of Protego further emphasizes Cisco’s commitment to network security and their (i.e., Protego) leadership in security monitoring, threat management, and mitigation, complements our ongoing work in security.”

Early 2005: Cisco re-names Protego to Cisco Security and Monitoring Response System (i.e., Cisco MARS).

RSA Conference, 2005: Cisco extends its self-defending network concept with “adaptive threat defense” whereby network devices coordinate with each other on threats, policies, and mitigation. MARS is touted as a central component of this strategy.

RSA Conference 2006: Cisco promotes another initiative called SONA (i.e., Services Oriented Network Architecture). This new initiative describes the network as an essential component of network applications. With SONA, security is simply “built into the network.” MARS is still touted as an essential piece of the puzzle.

January 2007: Cisco buys IronPort for $830 million. Palmer states, “We feel there is enormous potential for enhanced email and message protection solutions to be integrated into the existing Cisco Self-Defending Network framework. Using the network as a flexible platform to integrate IronPort’s technologies, Cisco will be able to build new security applications as customers’ demands evolve.”

RSA Conference 2007: While Chambers talks about “holistic security” in his keynote, the company emphasizes products like IronPort, NAC, and encrypting Fibre Channel directors rather than unveiling any new security agenda.

From 2005 through 2007, Cisco executes a “scorched earth” campaign with MARS, bundling it into many deals. MARS gains wide distribution and market share. Noting this success, I blogged about Cisco MARS in August 2007. My belief then was that Cisco was using its enterprise network dominance to get MARS installed everywhere. The strategy was working.

2008: I began to hear more stories about MARS issues. The product was not keeping up with the competition, was being replaced in the field, and was not being promoted by Cisco sales. I did some digging of my own to verify these rumors. Cisco channel partners and others in the distribution chain confirmed this scuttlebutt. Juniper OEMs Q1 Labs’ product, targets the MARS base, and wins its share of deals.

December 2008: Based upon my research, I wrote a second blog titled, “Whither Cisco MARS,” discussing how Cisco seemed to be walking away from MARS.

January 2009: Cisco responds to my blog claiming that MARS is misunderstood. Cisco says that MARS is not a general purpose SIEM and that it is part of a Cisco security architecture.

May 2009: In spite of widespread rumors and Cisco’s admission to me that MARS was not a general purpose SIEM, Cisco MARS appears in the upper right hand box of the Gartner Magic Quadrant. In its text, Gartner does admit that Cisco doesn’t support nearly as many third-party devices as the other leaders. Curiously, Cisco does not publicize its placement on the Gartner MQ, in spite of the fact that the company has a history of doing so.

October 2009: About 5 months after being given a winning position on the Gartner MQ, Gartner releases a research note telling users that Cisco will not support third-party devices and thus MARS should no longer be considered a general purpose SIEM.

Network World writes about this in early November and asks Cisco to confirm the Gartner research note. After some delays, Cisco admits that the Gartner note is accurate.

November 2009: Do a Google or Bing search on Cisco MARS and you’ll see lots of competitive ads for MARS replacements.

Through this period, MARS went from a critical component of Cisco’s “self-defending networks” to the digital dustbin. Cisco no longer trumpets security as aggressively as it once did, preferring to talk about data centers, clouds, and video conferencing.

How Gartner got it so wrong is another worthwhile question to ask. An upper right hand position on the MQ is an extremely valuable asset — Gartner knows this and takes its whole MQ business pretty seriously. Yes, Gartner qualified its position on MARS in the report, but as I understand it, one of the criteria of the MQ is market commitment. Given the rumors around MARS throughout 2008, how did Gartner miss this? How could Cisco go from MQ star to maintenance mode in less than 5 months?

Unfortunately, this whole episode will leave end-users a bit more cynical about tech industry leaders and pundits, myself included. It’s tough to know what to believe any more. As for Cisco, the company should remember that it is pretty easy to trace history these days. I believe the record speaks for itself.

© 2010 Enterprise Strategy Group, Milford, MA 01757