Is security intelligence a big data problem? We, at EiQ Networks, don’t think it should be. For security practitioners who are always fighting fires, security solutions should help them identify and prioritize problems so their daily workload is manageable and the business consistently meets compliance standards. Unfortunately, most solutions relegate security intelligence to a system of checkboxes, creating a more complex big data problem than there really needs to be. Most vendors don’t have the knowledge or the time to properly help customers get the answers they really need. You have to pay extra for that.
SIEMs are based on data analysis and therefore require a lot of data. SIEMs are built to gather, ingest and then spit out data. Not a single SIEM solution offers actionable intelligence on what is happening in your security environment. Not a single SIEM can tell you the top 10 things you should be focused on at any given time.
Big data is often defined by volume, variety and velocity. In pursuit of big data, SIEM has evolved to take on more data from more sources at a higher rate. Vendors are in a contest over who can issue the most reports. Many SIEM vendors hit the wall in terms of how much data they can process. They take the volume and make it a big data issue. As a result, the end user has to figure out what is important and where to focus. This approach deflects the real problem by turning it into a big data story that makes the security practitioner’s life more difficult.
Security intelligence should be a small data problem, and SIEM should not be the core of how you build your security intelligence program. Automation supplies the intelligence by identifying where the problem is and how to solve it. Some SIEMs can do this, but you then have to connect the dots yourself.
EiQ’s continuous monitoring solution, ThreatVue, can do this. ThreatVue helps organizations answer the question, “Are my IT assets secure -- and what should I do to address areas of concern?” ThreatVue delivers answers to these questions via a closed-box, continuous-analysis approach that determines which IT assets meet (or don’t meet) a wide range of the most important information security best practices.