Log management technologies have become a staple for regulatory compliance and security reporting. That said, most log management systems provide little more than triggers and alerts when something happens. What about security forensics? Yes, all the information is there but getting to it is a lot like the early days of the World Wide Web when you found information by following hyperlinks. Even a senior security analyst can wade through useless haystacks of security logs for days before discovering valuable needles.
So what’s needed? The next generation of log management featuring:
Leading log management vendors like ArcSight, LogRhythm, Q1 Labs, and others realize that log management isn’t just about collecting and storing esoteric IT data; it is about providing organizations with the right data and tools to make this data actionable.
It’s time for users and other vendors to realize that the next generation of log management isn’t a visionary concept; it is an absolute requirement.
For better or worse, I’ve been following Cisco MARS for a long time. During that timeframe, Cisco promoted MARS as an essential component of its security strategy and then quietly backed away from these statements over time.
I did a bit of research to piece together a timeline of the rise and fall of Cisco MARS. This timeline is in no way an exhaustive study of events, but I do think it illustrates Cisco’s management of MARS and its changing attitude toward security.
12/20/2004: Cisco announces that it will acquire Protego for $65 million in cash. Protego will play an essential role in Cisco’s “Self-Defending Networks” initiative. Richard Palmer, Vice President of Cisco’s Security Technology Group states, “the acquisition of Protego further emphasizes Cisco’s commitment to network security and their (i.e., Protego) leadership in security monitoring, threat management, and mitigation, complements our ongoing work in security.”
Early 2005: Cisco re-names Protego to Cisco Security and Monitoring Response System (i.e., Cisco MARS).
RSA Conference, 2005: Cisco extends its self-defending network concept with “adaptive threat defense” whereby network devices coordinate with each other on threats, policies, and mitigation. MARS is touted as a central component of this strategy.
RSA Conference 2006: Cisco promotes another initiative called SONA (i.e., Services Oriented Network Architecture). This new initiative describes the network as an essential component of network applications. With SONA, security is simply “built into the network.” MARS is still touted as an essential piece of the puzzle.
January 2007: Cisco buys IronPort for $830 million. Palmer states, “We feel there is enormous potential for enhanced email and message protection solutions to be integrated into the existing Cisco Self-Defending Network framework. Using the network as a flexible platform to integrate IronPort’s technologies, Cisco will be able to build new security applications as customers’ demands evolve.”
RSA Conference 2007: While Chambers talks about “holistic security” in his keynote, the company emphasizes products like IronPort, NAC, and encrypting Fibre Channel directors rather than unveiling any new security agenda.
From 2005 through 2007, Cisco executes a “scorched earth” campaign with MARS, bundling it into many deals. MARS gains wide distribution and market share. Noting this success, I blogged about Cisco MARS in August 2007. My belief then was that Cisco was using its enterprise network dominance to get MARS installed everywhere. The strategy was working.
2008: I began to hear more stories about MARS issues. The product was not keeping up with the competition, was being replaced in the field, and was not being promoted by Cisco sales. I did some digging of my own to verify these rumors. Cisco channel partners and others in the distribution chain confirmed this scuttlebutt. Juniper OEMs the Q1 Labs product, targets the MARS installed base, and wins its share of deals.
December 2008: Based upon my research, I wrote a second blog titled, “Whither Cisco MARS,” discussing how Cisco seemed to be walking away from MARS.
January 2009: Cisco responds to my blog claiming that MARS is misunderstood. Cisco says that MARS is not a general purpose SIEM and that it is part of a Cisco security architecture.
May 2009: In spite of widespread rumors and Cisco’s admission to me that MARS was not a general purpose SIEM, Cisco MARS appears in the upper right hand box of the Gartner Magic Quadrant. In its text, Gartner does admit that Cisco doesn’t support nearly as many third-party devices as the other leaders. Curiously, Cisco does not publicize its placement on the Gartner MQ, in spite of the fact that the company has a history of doing so.
October 2009: About 5 months after giving MARS a winning position on the MQ, Gartner releases a research note telling users that Cisco will not support 3rd party devices and thus MARS should no longer be considered a general purpose SIEM.
Network World writes about this in early November and asks Cisco to confirm the Gartner research note. After some delays, Cisco admits that the Gartner note is accurate.
November 2009: Do a Google or Bing search on Cisco MARS and you’ll see lots of competitive ads for MARS replacements.
Through this period, MARS went from a critical component of Cisco’s “self-defending networks” to the digital dustbin. Cisco no longer trumpets security as aggressively as it once did, preferring to talk about data centers, clouds, and video conferencing.
How Gartner got it so wrong is another worthwhile question to ask. An upper right hand position on the MQ is an extremely valuable asset — Gartner knows this and takes its whole MQ business pretty seriously. Yes, Gartner qualified its position on MARS in the report, but as I understand it, one of the criteria of the MQ is market commitment. Given the rumors around MARS throughout 2008, how did Gartner miss this? How could Cisco go from MQ star to maintenance mode in less than 5 months?
Unfortunately, this whole episode will leave end-users a bit more cynical about tech industry leaders and pundits, myself included. It’s tough to know what to believe any more. As for Cisco, the company should remember that it is pretty easy to trace history these days. I believe the record speaks for itself.