Posted by: Dan Kirsch | April 23, 2013

RSA Conference Wrap-Up — Part 1

RSA Conference Wrap-Up — Part 1

The RSA Conference has long been a leading indicator of the security market.  Therefore, it was not surprising that this year’s conference was bigger than ever with vendors, customers, the press and venture capitalists rubbing elbows and sharing new ideas about the next big thing.  Clamoring for attention on the showroom floor was nearly every noteworthy security vendor, from tiny shops addressing discrete problems to huge enterprise vendors offering products to solve almost all of their customer’s security needs.

RSA Conference

Nearly every security topic is discussed at RSA, from physical security to Anonymous and state sponsored cyber attacks.  However, there was lots of attention focused on security concerns related to three critical areas: mobility, cloud, and big data. With mobility, most organizations have begun to establish BYOD (Bring Your Own Device) policies. However, managing the onslaught and ever changing variety of devices and platforms is proving to be both an organization and technical challenge.   As these customers adopt cloud computing, security teams are struggling to ensure that the environments are secure enough to provide the right balance of flexibility and safety. Finally, big data was an overarching theme for vendors at the conference and mentioned in nearly every keynote.  The use case for big data with security is becoming clear – gather vast amounts of security data such as logs and threat feeds, and then analyze these data using a big data engine such as Hadoop to detect abnormalities that would not trigger traditional rule-based systems.  Operationalizing outcomes from such a massive amount of data is still a pipedream for many vendors and security operations teams.

The summaries below on Agari, Airwatch, Alert Logic and HyTrust are based on conversations I had with vendors at RSA.  Many of these vendors are beginning to look for ways to add big data technologies into their solutions in order to add “intelligence” into their product.


Agari is a security startup that focuses on protecting brand reputation and consumer security through the prevention of reverse-phishing and other fraudulent email activity.  The problem that Agari is addressing is that criminal organizations are sending out massive emails from addresses that appear to be from a legitimate sender.  For example, if a customer receives an email that appears legitimate and is from a sender within a company’s domain, for example, they are likely to respond.  When it turns out that the email is fraudulent, not only are customers harmed, but YourBank suffers a major loss of trust.

The company has partnerships with email vendors in order to stop fraudulent emails from reaching customers.  The solution is cloud based and uses a big data architecture to analyze billions of emails daily.  Currently Agari is focusing on the following vertical markets: financial services, eCommerce, and travel booking.  They have landed a number of notable customers, including JP Morgan Chase.  Although Agari is in a niche market, their solution is tailored to solve an increasing problem.


Airwatch is a Mobile Device Management (MDM) vendor that is helping companies implement Bring Your Own Device (BYOD) policies (See my previous blog on BYOD:  The MDM market is crowded and nearly every security vendor has some sort of multi-device management offering.  Airwatch has gained significant traction, and finds that many of its customers are actually implementing their 3rd or 4th MDM product.  The top reasons Airwatch reports winning customers is their feature set and variety of supported devices.  Airwatch has a strong focus on securing nearly every device that employees are bringing into the corporate network.  Although founded ten years ago, the company just received its first round of financing from Insight Capital Partners of roughly $200 Million.

Some of the highlights of Airwatch’s approach are:

1.  A cloud deployment model which means that clients do not need to make a large, upfront infrastructure investment.  Approximately 70% of Airwatch’s customers use their hosted, cloud service.  If a customer wants to gain greater control over their Airwatch deployment, a cloud deployment can be transitioned to on-premises to either a dedicated appliance or a virtualized environment.

2.  Airwatch is aggressively partnering with device manufacturers and platform developers.  The company has a strong partnership with Samsung and has announced new partners.  By partnering with device manufactures, Airwatch is able to offer greater security for both the hardware and software lawyers.

3.  An easy to use, yet powerful administrative interface is critical for successful implementation.  During a hands-on demo, it was clear the Airwatch has spent a significant amount of effort on ease of use.

Alert Logic

Alert Logic offers a Software as a Service (SaaS) solution for both compliance and security of cloud infrastructure.  At the core of the product is the capability to ingest and analyze millions of events a day in a in-house developed NoSQL database.  The company has several patents on their analysis technology.  Alert Logic has created a taxonomy that all of the log data goes into.  Several different “lenses” are offered to clients — for example the security lens highlight different events than the compliance lens.

Alert Logic has remained hypervisor agnostic, which allows it to be deployed in a variety of environments.  In Addition, the solution remains the only Network Identity Detection System (IDS) available in the AWS Marketplace (Amazon Web Services).

In February, 2013 Alert Logic announcement their 3rd generation log manager that is built on a big data framework.  The new log manager is meant to change the way customers interact with the solution.  Customer searching and exploration is a key highlight of the new user interface.  A simpler query has been added so users don’t need to execute complex specialized searches.


HyTrust focuses on addressing the unique security and compliance challenges associated with cloud computing.  The company has a deep partnership with VMware and works with organizations that are using VMware technologies to either create a virtualized data center or an on premises private cloud. HyTrust’s most recent customers have engaged with them in order to address the following problems:

1.  A large company in a highly regulated industry wanted visualization and auditing capabilities for data center services that they were outsourcing.

2.  With the cloud, services, storage and applications that used to be spread across an organization are consolidated into an easier to manage environment.  This consolidation can lead to risk however because so many critical services a relying on the private cloud infrastructure.  HyTrust addresses this concern by offering sophisticated monitoring capabilities at the individual Virtual Machine level.

3.  Empowering users to do their jobs while at the same time segregating duties, limiting access and meeting other compliance and auditing mandates is difficult.  This can lead to users creating workarounds.  HyTrust offers a monitoring capability that reports and logs events but allows them to take place.  This monitoring capability allows organizations to meet auditing requirements while at the same time enabling

Posted by: Dan Kirsch | January 30, 2013

The Emergence of Big Data Security Intelligence

What’s Driving Big Data Security Intelligence?

There is a new generation of security offerings that can anticipate threats and prevent them in real-time.  This new generation of offerings is emerging because of an increase level of risk.  Traditionally, security systems have worked by collecting and analyzing logs and then setting alerts to trigger action when activity falls outside of a specified pattern.  This approach  no longer satisfies the security needs of many organizations.  There are an increasing number of  newer threats, such as Advanced Persistent Threats (APTs) that are designed to look like normal system traffic and often do not trigger traditional log monitoring systems.  Vendors in the market are beginning to address this emerging requirement.

While the idea of addressing this issue has been around for the last few years we are moving into a new phase of addressing the problem.  For example, last year when I attended the RSA Conference in San Francisco, many vendors touted Big Data solutions for security but few of these companies offered real solutions.  I was intrigued by one vendor that proudly displayed a big banner reading “Big Data Security.”  After a short conversation I realized that the company was simply offering an appliance that could pull logs from nearly any device, but could not make these logs actionable.  This product couldn’t address emerging threats.   If an organization using this product experienced a breach, it would have taken months to sort through the logs to hopefully identify the breach.  While looking at historical logs is useful, organizations expect security offerings to respond in real-time to current events.

This demand for proactive security offerings has spawned a new breed of security offerings based on Advanced Security Intelligence that look beyond machine and log data.   These offerings can collect data from hundreds of independent sources, both within and organization as well as security threats and events across the Web.  The rise of Advanced Security Intelligence platforms is being driven by:

1.  The advent of Big Data. Big Data and the ability to access and process huge amounts of data from thousands of sources and can help organizations overcome security threats more quickly. In addition, Big Data allows organizations to recognize patterns and trends that they didn’t even know to look for. With this type of Big Data analytics , seemingly independent events can now be correlated to determine the source of a problem and allow the company to take preventive actions.  In the field of security, Big Data allows organizations to aggregate everything from logs, to tweets, known malicious IP addresses, emails, information on other cyber attacks, and third party research, just to name a few and feed this information into a Big Data platform.

2.  The rise of Advanced Persistent Threats (APTs) and other highly sophisticated and targeted threats.  Cyber attacks are increasingly being perpetrated by criminal rings who are motivated by profit, foreign governments, corporate espionage and “hacktivists” driven by political or social motives.  These groups don’t just seek the low hanging fruit and instead focus their efforts on specific companies and often specific individuals within a company.  For example, they might use social engineering for pre-texting or to launch a phishing attack.

3.  Advanced analytics and predictive analytics have become operationalized.  These technologies are no longer used for looking back over quarterly results and trends, but can be fed streaming data and give real-time recommendations.  Security vendors have taken note of this trend and have scooped up a number of security companies that used analytics for security.

In the second part of this blog, I will provide some information about how vendors are responding to this market opportunity with new innovations and new acquisitions.  The landscape of security services is changing dramatically, which will help customers be safer and more secure.

Posted by: Dan Kirsch | July 31, 2012

Strategies to confront the rising democratization of IT

How employee’s use of cloud services are changing the way IT handles security

Cloud computing has given business users the power to use sophisticated cloud services without the need to go through IT.  Well-meaning employees do not think about the potential risks associated with the cloud.  Software as a Service (SaaS) offerings like Facebook, Dropbox Flickr, Google’s Pircasa,  or LinkedIn  are commonly used by everyone from college users to business leaders.  Security and risk are far from the minds of most business users.

Cloud services can be a productivity boom for business users and has resulted in a shift in the balance of power between business users and IT.  This has left IT frustrated.  IT leaders have an obligation and legitimate right to protect valuable corporate assets like IP. Therefore, it is not surprising that IT is struggling to give users access to the tools they need while keeping corporate networks safe.

Cloud service providers focus on marketing their offerings to individuals rather than corporations..  This means that things like corporate governance, enterprise level security and service level agreements (SLAs) have been ignored in favor of usability and delivering a “freemium” offering (free for basic services, then fees for more functionality or storage).  In fact, if something goes wrong, such as a data breach or service disruption, these vendors typically have no intention to take any financial or legal liability.  In a perfect world, IT would be able to dictate what cloud services employees are allowed to use; however, the reality is the cat is out of the bag and there is no going back.  What can an organization do to protect its IP in a secure and responsible way?

1.  Understand new technologies and quickly develop a strategy.  IT should be proactive in understanding the security implications  of new technologies that employees are likely to bring into the workplace and be prepared to develop a strategy to manage the risks.  For example, several years ago companies found themselves struggling to create policies regarding camera phones.  Some organizations banned them altogether, while others only restricted their entrance into sensitive areas.  In many cases employers have employees sign an acceptable use policy (AUP) which clearly outlines what’s permissible and what the consequences are for breaking the policy.  An example of how a company is handling employee use of new technology is IBM’s recent announcement that they are prohibiting employees from using Apple’s Siri.

2.  Embrace new offerings.  Understanding the risks of new technologies is important, but IT must be willing to add support for new offerings if they have provide significant advantages.  For example, IT might notice that many of its business users are using Dropbox to internally share files.  Shutting down access to the service, even if it’s outside of the acceptable use policy, can be viewed by users as an extreme measure which will disrupt productivity.  Instead of immediately blocking access to non-approved applications, IT should investigate how and why employees are using the service, and identify the risks.  If the risks are too great, more secure alternatives should be offered to employees.  This approach requires that IT must work closely with business users to understand the value of a new cloud offering and how it is increasing productivity to help reach business objectives.  For example, IT might determine that the risk of a service like  Dropbox isn’t secure enough and can recommend a more secure alternative. VMware’s   Project Octopus  offers functionality similar to Dropbox, but is designed for enterprise use.  The product can crawl through a business’ network converting Dropbox accounts to Octopus accounts.  Project Octopus allows for much more control over the data than Dropbox, for example by allowing files to be stored on an organization’s choice of a public or private cloud.

3.  Educate employees.  Education is the best way to help avoid the security problems that occur when users bring untested cloud services and other new technologies into the workplace.  Employees most likely have the best intentions in mind when making use of public  cloud services for business projects and are simply unaware of the security implications.  Security has always been in the domain of  IT, and business users aren’t accustomed to thinking about the risk implications of using these offerings.    By educating and working closely with business users, IT is able to explain the risks that cloud services can pose, and why IT sometimes appear slow to adopt new technologies.

4.  Monitor and understand your data.  Data leaks and thefts pose a significant risk to organizational profitability and success.  IT must do an inventory of data to understand where it is stored and which files contain sensitive information.  Once the data is well understood, role-based access controls (RBAC) should be implemented to maintain tight control over sensitive data.  An effective RBAC strategy requires a clear understanding of both organizational data and user groups.   For example, in many industries such as retail, health care and education, organizations are legally bound to protect personally identifiable information (PII).  At the same time, a high priority must be made to protect IP, for example product research and development..  Applying these controls can be difficult.  Staff at a call center  need access to customer addresses and order histories, but shouldn’t have access to research for a new product.  Likewise, other corporate users should not be able to access customer PII.

5.  Thoroughly vet cloud service providers.  Organizations must only adopt new cloud services that meet their security and compliance requirements.  A standard approval process should be developed in order to streamline the evaluation process.  To assist with the approval process and meet customer demand, many cloud providers have been compelled to get third party assurances..  For example, Amazon Web Services (AWS) has SSAE 16 and ISO 27001 certifications and offers enough controls to build HIPAA compliant applications.  Many other cloud services offer similar certifications, such as, box, and Workday.

The Rise of BYOD Workplaces

Bring your own device (BYOD) to work is a growing trend across all industries.  The idea that an employee, customer, or partner will access your network with any device they choose was unheard of only a few years ago it wasn’t long ago that companies had strict policies on what devices could and couldn’t connect to the company’s network.  Today many companies still try to enforce these policies without much success. Now the tables are turned, when executives or partners want to use their iPads or smart phones on the corporate network, IT is forced to adjust so that it is easy to use those devices. Case in point, when the newly elected President-elect Obama decided that he wanted to use a mobile email device, IT had to find a quick and secure way to enable this.

There is no doubt that the movement to BYOD will continue.  The two main drivers for the growth of BYOD policies are:

  • Streamlining process — Organizations that used to purchase and control devices for employees are getting out of the business.  It costs far less to decommission Blackberry servers and get out of the cycle of purchasing new hardware for employees.  (I have had direct conversations with companies who have saved thousands of dollars per a decommissioned Blackberry, but there is some debate as to the real cost savings:

  • Supporting employee choice — At the same time that management wants to save money, employees want a single device based on their preferences for both personal and corporate use.

A generational divide for mobile device management expectations

In a BYOD environment, companies must balance corporate needs, such as compliance with HIPPA and PCI DSS, with employee expectations of privacy and independence.  A new generational technology divide has emerged in the workplace.  Early Blackberry users were given the company owned device by their employer.  Although the device may have been used for some personal calls or email, it was clearly a corporate asset.   Today, new employees have been using a smart phone for years.  Younger employees expect to control their own device.  These same employees would be horrified to learn that many current acceptable use policies (AUP) give employers virtually all control over a device. With changing employee expectations, organizations will be compelled to adapt the way they manage mobile devices.

BYOD software solutions and corporate policies must address the following issues:

  • Device wiping.  Most current mobile management platforms allow an organization to fully wipe all of the data and applications from handsets.  An employer must have good procedures in place to not mistakenly wipe handsets or delete personal data.  Full wipe policies are commonplace however because corporate data could be stored in different areas of the phone, for example the onboard memory or on the SD card.  A theoretical case study of the implications of device wiping is as follows:

An employee is hired and is told that he can use his personal mobile device for work.  He downloads the appropriate apps and his device is now on the corporate network.  Unfortunately, after several months the employee is fired.  Through an automated process, human resources decommissions the employee’s credentials.  As a part of this automated process, the employee’s mobile device is fully wiped and restored to factory presets.  Although upon hiring, the employee might have signed a contract that in small print permitted the device wipe, he was unaware that it would happen.  He loses valuable personal pictures and data that can never be replaced and had nothing to do with his employment.  The employer may face a costly lawsuit for destroying the data.

  • Jail broken and rooted devices.  Jail breaking an iPhone or rooting an Android allows device users to gain functionality that may be disallowed by a handset carrier or manufacturer.  Online guides and free software make this process straightforward and easy for people with moderate technical know-how.  Many current endpoint management solutions allow companies to ban jail broken and rooted devices from the corporate network.  A full ban is an easy policy decision, but may fail to increase security and could only alienate tech savvy, valuable employees.  Organizations and vendors should investigate the full implications of a blanket ban.
  • Web traffic, geolocation and activity monitoring.  Traditional lines of what an employer can and can’t monitor are fairly straight forward and understood.  An employee using a corporate owned mobile device understands that their web traffic and other activities might be monitored.  In a BYOD mobile environment, when does the monitoring end?  It is in both the employer’s and employee’s interest to prevent 24/7 activity monitoring.  Collecting mobile device web, relocation and other activity information could expose a company to liability or drag them into other legal proceedings.  At the same time, employees have a right to shield purely personal activities from their employer.
  • Illegal content.  If an employee stores or downloads copywritten material on a corporate device they can clearly be disciplined and reported to authorities.  With BYOD, companies risk employees connecting devices that contain illegal content to the network.  Does the company have an obligation to report the content if they find out about it, or so long as corporate resources were never used, does the employee have a right to privacy?  Organization will need to create unambiguous policies on how they will treat these situations in order to limit risk.

The reign of the corporate owned Blackberry has clearly fallen and creating consistent policies to address device management and governance of BYOD devices is still evolving.  Most current software device management solutions are either monolithic and destroy the native device experience, or are point solutions that lack full security or compliance capabilities.  Corporate risk must be reduced through new offerings while at the same time meeting the expectations that employees have for privacy and control over their device.

Posted by: Dan Kirsch | December 21, 2011

Holes in Endpoint Security

There is an avalanche of devices and end points that employees, customers and partners are beginning to utilize as they conduct even routine business transactions. An end point device might be a PC, smart phone or even a flash drive. The challenges of IT security are complicating the ability of organizations to protect their intellectual property as well as their reputations in the market.  And it isn’t just IT that is concerned. IT security has grabbed the attention of governmental bodies and the boards of directors of many companies.  Clearly, passwords – even when they are frequently changed and made more complex — are not enough to solve the problem.

It is becoming increasingly clear that there isn’t an easy solution.  A recent conversation with Steven Sprague, Wave Systems’ President and CEO, has caused me to reassess my thoughts on the direction of endpoint security.  There are many different approaches that address some of the potential vulnerabilities, but there simply isn’t a single, all-encompassing approach. I suspect in the near future we will see a number of innovations in this area and an emergence of new technologies combined with required governance and compliance best practices.  Of course there is no silver bullet because as soon as new security approaches emerge, those looking to bypass the security innovate.

So, where are we today?  There are three primary approaches: security tokens, software offerings and hardware solutions.  While all of these approaches offer benefits, none provides a holistic enterprise network endpoint solution.

Security Token Approach

Security tokens are often used when organizations need to allow users to access a secure network through a variety of endpoints.   Users must enter the unique code on the token as well as a password.  This approach allows employees to access the network on non-company issued devices and puts the power of access in their hands, so long as they have an authorized token.

Although tokens provide an additional level of authorization and allow access through any number of devices, there are a number of drawbacks.  There was, of course, the well publicized March, 2011 hack on security tokens provided by the nation’s largest token supplier, EMC’s RSA.  Hackers who sent phishing emails to RSA employees carried out the RSA attack.  When the emails were opened, malware contained in an Excel attachment exploited a backdoor and allowed the hackers to gain access to RSA servers.  Information stolen from RSA’s network allowed hackers to compromise security tokens, leaving many of the world’s largest organizations that relied on RSA’s tokens vulnerable to attack.

Beyond a security standpoint, deploying security tokens across a large enterprise requires the adoption and implementation of additional new hardware.  This is expensive and requires business process changes.  Security tokens can be inconvenient for users, and they have high ongoing fixed costs.

Software Approach

Software solutions installed on each endpoint device avoid the expense that is inherent in tokens.  Software solutions typically have full-disk encryption (FDE), which is designed to render lost or stolen computers worthless without the proper password.  Many vendors offering a software approach have strong central management tools that go far beyond setting password policies for complexity and frequency of password changes.

Software solutions have long implementation times, can impair a PC’s overall performance, and can leave data vulnerable to attack.  The danger with the software approach is that the device’s protection is only as strong as the software design.  The software-only approach leaves passwords on the software level, which makes it vulnerable to hackers who can make remote attacks on the software.  Furthermore, there are practical limitations on an individual’s ability to remember complex passwords that need to be changed so often that a person just begins to remember the old one when protocols require a change.

Hardware Approach

A third solution relies on a standard chip, the Trusted Platform Module (TPM) that is embedded in nearly all enterprise-class laptops and BlackBerries but not in other common devices like those running Android and iOS.  The TPM was standardized by the Trusted Computing Group, a standards body created by some of the world’s largest software and hardware vendors, such as AMD, Hewlett-Packard, IBM, Intel, and Microsoft, who are now joined by more than 100 enterprises to implement Trusted Computing.

This approach moves beyond the software-only model, which stores credentials at the software level; instead, it places security credentials on a physical module.  This hardware approach is not vulnerable to software hacking, and it does not have the drawbacks of a security token.   However, it is not the perfect solution some vendors in the TPM market have heralded it as.

While complex and requiring physical access to the TPM, there is a hack that leaves security credentials vulnerable (read more about the TPM hack).  While not a great concern to some companies, this hack will certainly impact the effectiveness of the TPM approach for organizations handling highly sensitive or top secret data (e.g., CIA, NSA, military contractors, etc).  Additionally, this approach requires an organization to deploy software that will enable and manage the module (Wave Systems, for example, offers such software).  Finally, although this approach may have seemed like the golden ticket to securing network endpoints just a few short years ago, in today’s business landscape, a standard that does not support Android or iOS devices certainly cannot be considered standard or universal.

Conclusion – a Unified Approach

Each of these approaches has strengths and weaknesses, but firmly closing the vulnerabilities in enterprise network security will require a holistic approach. There is a need to provide secure access from a variety of endpoints to employees, customers and business partners.  A unified effort by software and hardware vendors to create a standard, similar to the efforts that standardized USB and HDMI ports, will likely be required.  This unified approach will provide standardization, give organizations flexibility, and prevent vendor lock-in.

Those who offer TPM solutions are heavily advocating adoption of the module across all platforms and devices.  This would offer a great financial opportunity for vendors already in the market.  The Trusted Computing Group has succeeded in standardizing the module in laptops, but it has been unable to convince newer mobile manufactures to install the module.  Some large enterprises such as PricewaterhouseCoopers (PwC) have implemented TPM, and, if other large organizations move to the TPM approach, it is likely that businesses will force mobile vendors to install the TPM.  At this point, most large organizations are issuing or allowing the use of non-BlackBerry devices (remember, for now only BlackBerries have the TPM as a standard application), so clearly there has not been a strong business community push towards requiring the TPM in mobile devices.

I suspect that companies will be reassessing their endpoint security approaches in the next year, and especially in light of the RSA attack and the current economic climate, they will seek a more secure and more economical approach.  It is likely that a future approach will at least in part rely on work already done by the Trusted Computing Group.

Posted by: Dan Kirsch | October 20, 2011

IBM Rethinks its Security Strategy

IBM is making a major push to try to establish leadership in the broad market for security, compliance, and governance.  The company’s latest foray is significant with the  acquisition of Q1 Labs.   On its own, this is an important acquisition because the company has developed significant intellectual property in security intelligence products in vital areas such as SIEM (Security Information and Event Management), risk management, log management, network behavior analytics and security event management.  What is more significant from a customer perspective is the way IBM is going about transforming its approach to the security market.  IBM has taken the step to create a single business unit called Security Systems Division that will move all of its security products and services into a single entity.  One reason to create this new division is to target what IBM anticipates is a $94 billion opportunity in security software and services. Clearly, with the growing importance of cloud based services and big data, the potential for expanded security problems are enormous.

IBM is following the same pattern it has defined for its software organization: it has created a business unit that has leverage and best practices that are foundational across the company.  For example, the new security division will integrate IBM’s Tivoli, Rational and Information Management security software, appliances, lab offerings and services.  The aggregation of pieces from across software brands is an important strategic move for IBM.    It will allow IBM to offer solutions with a common underpinning and offer services to other divisions of IBM.  The Security Systems Division will deliver a tighter, more focused IBM security product strategy. At the same time, these security products will be used to strengthen offerings across the software portfolio.

IBM has acquired multiple security companies in the past several years including security analytics software firm, i2 as well as purchases such as Clarity Systems, a financial governance company, PSS Systems which offered legal risk management and Internet Security Systems (ISS), an information security company.  Although financial terms of the Q1 Labs acquisition were not made public, IBM’s surge in the security space has overall required an investment of several billion dollars. We expect that there will be a lot more acquisitions to come in this important area.

Q1 Labs was a shrewd acquisition. The company has had impressive growth over the past several years, with a 98% year-over-year revenue growth in 2010 and a customer base of over 1700 worldwide.  What Q1 will offer IBM, is strong IP that will bolster IBM’s SIEM offerings.  IBM in the past has acquired SIEM companies, such as Micromuse GuardedNet, but the Q1 Labs acquisition is the most significant to date.  IBM’s new Security Systems Division will have at its core Q1’s SIEM offering.  Further cementing this fact is that leadership of the new division has been given to Brendan Hannigan, Q1 Lab’s CEO.  We believe the best strategy for IBM is to truly integrate Q1’s core product, QRadar into IBM’s other security offerings and not simply offer it as a standalone solution.  Hannigan said, “at the end of the day, security intelligence is broader than SIEM,” an indication that he understands that his new division must go far beyond Q1’s SIEM.  Hannigan will need to quickly acclimate to the IBM culture while taking on the task of integrating groups who have previously operated within their own brand, such as Tivoli and Rational.  If IBM is to truly offer what they promise —  a full end-to-end solution, it is critical that the new division is able to efficiently create well-defined security services with clear standard interfaces to support the full IBM portfolio of software.

Coincidentally, on the same day of IBM’s Q1 Labs announcement, McAfee went public with news of its own SIEM play, the acquisition of NitroSecurity.  Others in the SIEM field include Hewlett-Packard, who is leveraging ArcSight, a SIEM solution to enhance its security offerings and Cisco Systems.