Q&A: How EventTracker breathes new life into SIEMs — by co-managing company systems

Security information and event management systems — aka SIEMs — arrived in the corporate environment some 13 years ago holding much promise.


SIEMs hoovered up anything that might be a security issue in real-time from various event and data sources. Companies could pump in all of the data traffic crisscrossing their networks, and out the other end would come intelligence about anything deemed suspicious.

Despite growing into a multi-billion dollar market, SIEMs never really lived up to the early hype. The knock on SIEMs is two-fold. First, they haven’t kept pace with the advancing complexity of business networks, such as the rise of cloud systems, mobile and IoT. And, second, SIEMs, to be truly effective, must be nurtured daily by human security analysts, who happen to be in very short supply.

One of the cybersecurity vendors I met with at RSA Conference 2018, EventTracker, a Netsurion company, aims to remove much of the frustration of operating SIEMs. EventTracker has set out to help mid-sized enterprises overcome SIEMs’ intrinsic shortcomings, and thus breathe new life into this comparatively old technology.

I sat down with EventTracker CEO A.N. Ananth who walked me through his company’s business model, which revolves around supplying a “co-managed” SIEM service. For a full drill down, please listen to the accompanying podcast. Here are excerpts, edited for clarity and length.

LW: It’s a tough environment out there. Companies have to deal with the security implications of digital transformation.

Ananth: Yes, indeed. Anything connected to the network is a target for attackers. SIEMs are a solution that looks at all of the data, from all of the devices on the network, in order to provide an early warning as to what might be going on that could compromise security.

LW: Generally speaking, SIEMs haven’t really kept up; why so?

Ananth: Frankly the promise of SIEMs has remained unfulfilled mostly because there are two other components that you need in addition to technology. One is the fact that you have to have expertise to understand what the SIEM is saying, and the second is you have to have process discipline to do it every day. Most organizations buy the technology, but then the other two problems remain unsolved.

LW: How do you address that?

Ananth: Our mission is to provide an outcome, rather than just provide technology. It isn’t just about providing technology, it’s about providing the process discipline and the expertise. We recognize that there are things that we can do for our buyer, and there are things that the buyer must do for themselves, especially remediate, because they have the knowledge of the network, and the administrative privileges to do so.

On the other hand we are experts of the product, and we’re very familiar with the threat landscape. So we can use this knowledge to bring to the table a service, rather than just a product, and thereby propel our buyer toward an outcome, rather than just merely providing them technology.

LW: Can you give an illustration?

Ananth: We have a dedicated Security Operations Center, with expertise available 24 by 7. We usually cooperate with the installation piece, to understand where the pain points are, and what outcomes the customer is looking for. Over the course of the service, we get better and better, as we better understand.

This is a two-legged race. On one side, the customer has detailed knowledge about their network. On the other side, we have detailed knowledge about the product and the threat landscape. The happy ground is in between. We take a step or two or three in the customer’s direction, and they maybe take one step in our direction. Ultimately co-manage means we’re on their team. We’re trying to act the way they would have, had they had the time, the expertise and the process discipline.

LW: What kind of response are you getting in the market?
Ananth: In the last nine or 10 months the response has been fabulous, frankly, all across the board, from small and medium business, to small and medium enterprises. Obviously as you get further up the chain, very large enterprises are able to afford their own SOCs and they have their own process maturity. But even there, there are glimmerings of ‘Why am I doing this myself?’

LW: How much of a driver has compliance been?

Ananth: A trick question that people ask you is, ‘What comes first, security or compliance?’ Our answer is, ‘Security comes first; compliance is an outgrowth.’ There are buyers who buy it because of the fear of the auditor, or the fear of being in the news in the wrong kind of way. If fear of getting a ticket motivates you to click your seatbelt, good; do it because you’ll be safe anyway. And society needs you safe. So we think of compliance as a necessary thing. But we see security as the primary objective.

(Editor’s note: Last Watchdog has provided consulting services to EventTracker.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: