Forrester Research’s recent white paper, Security’s Cloud Revolution, identified a new generation of protection best practices that expands the boundaries of traditional IT security solutions by applying proactive behavioral-analysis intelligence to the end result. Forrester calls it SECM: security event correlation management. This is not SIEM, and not another marketing ploy to repackage SIEM as some holistic cure-all. SECM, as Forrester defines it, is an adjustment in strategy that continuously monitors and integrates identity, user activity and application intelligence.
Although a traditional SIEM deployment correlates events to detect anomalous activity, it is typically pointed outward. It continuously monitors for intrusions and, in some cases, creates actionable alerts. It is limited by the fixed agents it is pointed at to collect data (such as system logs). It is a single component looking at a single selection of data. SECM is more unified in its approach. It uses SIEM as an engine to analyze data from multiple security silos and create contextual intelligence that can predict behaviors and remediate threats before they escalate into breaches or other serious hazards. And as a cloud-based security strategy, it achieves proactivity by interpreting events and performing forensic analysis in real time. With any security program, speed is just as important as coverage. It’s the difference between avoiding the pothole and paying for a tire alignment on your car after you hit it.
But even a SECM engine needs fuel. It needs data to process. Yes, like SIEM it looks at log events for attempts to penetrate the network, but just as importantly it must correlate information from other established sources such as identities, user activity, devices, access controls and privileges. In short, SECM incorporates SIEM, system log collection, identity management, and access management (SSO) to create enterprise end-to-end visibility. With this new practice, it is important to know that these aren’t solutions cobbled together, but a seamless and centralized cache of intelligence (made affordable and manageable by the cloud) that leverages mission-critical functions.
Comparing SIEM with SECM is much like comparing a steak with a whole three-course dinner. The steak may be the centerpiece of the meal, but without the seasoning and the right amount of sear, the potatoes, vegetables, salad and cherry tart, it’s just a good slab of meat. In less culinary terms, SIEM is a tool. SECM is a unified platform. A SIEM deployment is only as good as the data that flows through it. If that data is just logs, then a significant portion of the IT environment remains generally vulnerable.
Cloud-based SECM’s greatest advantage is its ability to recognize patterns of behavior in real time…like the Accounts Payable clerk who logs into the sensitive banking applications from her office in Milwaukee, Monday through Friday. Using her identity, privileges and activity as the baseline, someone trying to spoof her access from Florida is immediately flagged as suspicious. When additional context is added, such as the time of day, the device used to log in and attempted access to data beyond established usage policies, the attempt is immediately blocked and reported…and the Director of IT doesn’t need to be woken at 3am to put out the fire.
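The correlation described in the clerk example, written out as an added illustration (this is not code from Forrester or from any SECM product): an identity profile supplies the baseline (usual location, device, working pattern, entitlements), each login event is scored against it, and the action depends on how many contextual signals disagree rather than on any one of them. The risk weights, thresholds, user names, device IDs, application names and dates are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

# Hypothetical risk weights and thresholds (assumptions for this example, not from the page).
RISK_LOCATION = 40    # login from a place the identity never uses
RISK_DEVICE = 20      # login from a device never seen for this identity
RISK_TIME = 20        # login outside the identity's working days/hours
RISK_APP = 30         # access to an application beyond the identity's entitlements
ALERT_THRESHOLD = 30  # raise an alert for an analyst
BLOCK_THRESHOLD = 60  # block the session and report it


@dataclass(frozen=True)
class IdentityProfile:
    """Baseline context for one identity, as an identity-management system would supply it."""
    user: str
    usual_locations: frozenset[str]
    usual_devices: frozenset[str]
    work_days: frozenset[int]      # datetime.weekday(): 0 = Monday ... 6 = Sunday
    work_hours: tuple[int, int]    # local hours, start inclusive, end exclusive
    permitted_apps: frozenset[str]


@dataclass(frozen=True)
class LoginEvent:
    """One authentication/access record, as an SSO or application log would emit it."""
    user: str
    timestamp: datetime
    location: str
    device_id: str
    app: str


def score_event(profile: IdentityProfile, event: LoginEvent) -> tuple[int, list[str]]:
    """Correlate the event against the identity's baseline; return (risk score, reasons)."""
    score, reasons = 0, []
    if event.location not in profile.usual_locations:
        score += RISK_LOCATION
        reasons.append(f"unusual location {event.location}")
    if event.device_id not in profile.usual_devices:
        score += RISK_DEVICE
        reasons.append(f"unknown device {event.device_id}")
    start, end = profile.work_hours
    if event.timestamp.weekday() not in profile.work_days or not (start <= event.timestamp.hour < end):
        score += RISK_TIME
        reasons.append(f"outside working pattern at {event.timestamp:%a %H:%M}")
    if event.app not in profile.permitted_apps:
        score += RISK_APP
        reasons.append(f"access to {event.app} exceeds entitlements")
    return score, reasons


def decide(score: int) -> str:
    """Map a correlated risk score to the response the text describes: allow, alert or block."""
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= ALERT_THRESHOLD:
        return "alert"
    return "allow"


def evaluate(profiles: dict[str, IdentityProfile], events: list[LoginEvent]) -> list[dict]:
    """Run every event through the correlation; an identity with no record is blocked outright."""
    results = []
    for event in events:
        profile = profiles.get(event.user)
        if profile is None:
            results.append({"user": event.user, "score": 100, "reasons": ["no identity record"], "action": "block"})
            continue
        score, reasons = score_event(profile, event)
        results.append({"user": event.user, "score": score, "reasons": reasons, "action": decide(score)})
    return results


# Constructed sample data modelled on the Accounts Payable clerk in the text (names, IDs and dates invented).
PROFILES = {
    "ap.clerk": IdentityProfile(
        user="ap.clerk",
        usual_locations=frozenset({"Milwaukee"}),
        usual_devices=frozenset({"laptop-ap-01"}),
        work_days=frozenset({0, 1, 2, 3, 4}),   # Monday through Friday
        work_hours=(8, 18),
        permitted_apps=frozenset({"banking-portal"}),
    )
}
SAMPLE_EVENTS = [
    # Tuesday morning from the office on her own laptop: normal.
    LoginEvent("ap.clerk", datetime(2024, 3, 5, 10, 0), "Milwaukee", "laptop-ap-01", "banking-portal"),
    # 3am from Florida on an unseen device: location, device and time stack up to a block.
    LoginEvent("ap.clerk", datetime(2024, 3, 5, 3, 0), "Florida", "unknown-device", "banking-portal"),
    # Normal time and place, but reaching for an app outside her entitlements: alert.
    LoginEvent("ap.clerk", datetime(2024, 3, 5, 10, 0), "Milwaukee", "laptop-ap-01", "payroll-admin"),
    # Saturday catch-up from the usual place and device: one deviation is recorded, not acted on.
    LoginEvent("ap.clerk", datetime(2024, 3, 9, 11, 0), "Milwaukee", "laptop-ap-01", "banking-portal"),
    # An identity the IdM system has no record of: nothing to correlate against, so block.
    LoginEvent("ghost", datetime(2024, 3, 5, 10, 0), "Milwaukee", "laptop-ap-01", "banking-portal"),
]


def run_sample() -> list[dict]:
    return evaluate(PROFILES, SAMPLE_EVENTS)


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r['user']:10} score={r['score']:3} {r['action']:5} {'; '.join(r['reasons'])}")
```

The point the example makes is the one the paragraph makes: the Florida login is blocked not because of geography alone but because geography, device and hour all disagree with the identity's baseline at once, while a single deviation (the Saturday login) only leaves a record for the analyst. In a real deployment the profile would be learned from the identity-management and SSO feeds rather than hand-written, and the weights tuned against the organization's own false-positive rate.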
It would seem that adding all these functions and capabilities might overwhelm a modest IT department, but organizational assets are diverse, so their protection must be equally diverse and versatile. Because SECM is a cloud deployment, even though you may be adding heft and layered complexity, you’re not draining existing corporate resources such as headcount, task prioritization and budget. In most cases a full SECM deployment from the cloud costs less than the annual support and maintenance paid for on-premise equivalents.
As this concept has multiple moving parts, it’s also likely that a company may already have one or two of these solutions deployed. But if identity management is managing roles and privileges and SIEM is managing activity logs, and there is no direct communication between the two, context is lost. This leads to reams of false positives or a widening vulnerability gap. SECM brings the whole package together as security-as-a-service. I can think of no easier, more cost-effective way of augmenting existing programs or fortifying an enterprise quickly, completely and efficiently than embracing a holistic approach.
Whether prepared or not, the boundaries of an enterprise are blurred by an extended community of networks, shared infrastructures, users, usage agendas, devices, applications and more. The controls that must be in place supersede the sum of what most organizations have deployed. This is the vulnerability gap through which most breaches, theft, carelessness and mistakes worm their way into a network and do irreparable damage. Whether the issue is budget, personnel expertise, or hours in the day, you need a strategy that coalesces all the data under a single pane of glass and…
• Continuously monitor the entire enterprise 24/7/365
• Recognize threats and trigger intelligent alerts in real time
• Identify anomalous security patterns via behavioral context and report on remediation steps
• Scan for vulnerability gaps
• Safeguard any device or app within your network
• Control user access to applications and data
• Control identities through fluid provisioning/deprovisioning
• Streamline compliance reporting through automation
Most of this functionality is beyond the capability of any standard SIEM solution (cloud-based or on-premise). Not SECM…this is what a unified platform is built to do—close the vulnerability gaps through proactive behavior analysis, enable further-reaching user activity and application intelligence, and centralize management resources. When figuring out next steps in how to approach enterprise security, it shouldn’t have to be a choice between solutions. Cloud-based SECM creates the best of both worlds: expand beyond a single dimension of monitoring, and do so responsibly without an invasive culture change or the expenditure of key security resources.
Forrester sees this as the future of enterprise cloud security. We see it more proactively…it’s achievable right now.