Friday, July 26, 2013

Named: Endpoint Threat Detection & Response [BACKUP FROM DEAD GARTNER BLOG]

NOTICE: after Gartner killed ALL blogs in late 2023, I am trying to salvage (via archive.org) some of the most critical blogs I've written while working there, and repost them with backdates here, for posterity. This one reminds the world that I invented the term EDR :-)

After a long, agonizing process that involved plenty of conversations with vendors, enterprises and other analysts, I have settled on this generic name for the tools primarily focused on detecting and investigating suspicious activities (and traces of such) and other problems on hosts/endpoints: Endpoint Threat Detection & Response.

So, to summarize:

  • Category name: Endpoint Threat Detection & Response
  • Capabilities: see On Endpoint Sensing
  • Use cases: see Endpoint Visibility Tool Use Cases
  • Examples: Mandiant (MIR and MSO tools), CarbonBlack, Guidance Software (EnCase Cybersecurity [yes, that really is the name of the tool] and EnCase Analytics tools), RSA ECAT, CounterTack, CrowdStrike, etc.

The tools do have somewhat differing capabilities (such as the extent of data analysis performed on the agent vs the backend, collection timing and scope, integration of OOB indicators/intelligence, etc), but IMHO belong under the same general label.

By the way, a few other related tools may have broader functions and thus may justify a broader name – in their case the name “Endpoint Threat Detection & Response” can be applied to relevant tool capabilities and not to the entire toolset. Examples include Tanium, Bit9, HBGary, etc.

This name reflects the endpoint (as opposed to the network), threats (as opposed to just malware and officially declared incidents) and the tools’ primary usage for both detection and incident response. While some may argue that the “endpoint” label may be seen as applicable to workstations and not to servers, this minor loss of precision seems acceptable for the sake of brevity (others will say that four words is already too long).

These tools usually do not focus on full disk image acquisition and analysis (traditional computer forensics), but some can acquire such data as well as perform other forensic functions. On the other hand, the “next gen” endpoint prevention/blocking/isolation-focused tools should get their own category – but they are not my problem at this point 🙂

There you have it! Thanks to everybody who participated in this discussion.

UPDATE (2015): these tools are now known as “EDR”; more recent Gartner research refers to them as EDR tools. In essence, ETDR (2013) = EDR (2015).

Posts related to the same project:

Monday, July 01, 2013

Monthly Blog Round-Up – June 2013

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Why No Open Source SIEM, EVER?” contains some of my thinking from 2009. Is it relevant now? Well, you be the judge.
  2. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version).
  3. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
  4. “On Choosing SIEM” is another old classic (from 2010) that often shows up on my top list; it covers some tips on choosing SIEM tools.
  5. My classic PCI DSS Log Review series is popular as well. The outlined log review approach is useful for building other types of log review processes and procedures, whether regulatory or not.
In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current research on incident response:
Past network forensics research:
Past security data sharing research:
Miscellaneous fun posts:

(see my published Gartner research here)

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Monday, June 03, 2013

Monthly Blog Round-Up – May 2013

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version).
  2. “On Choosing SIEM” is another old classic (from 2010) that often shows up on my top list; it covers some tips on choosing SIEM tools.
  3. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
  4. “Why No Open Source SIEM, EVER?” contains some of my thinking from 2009. Is it relevant now? Well, you be the judge.
  5. My classic PCI DSS Log Review series is popular as well. The outlined log review approach is useful for building other types of log review processes and procedures, whether regulatory or not.
In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current research:
Past network forensics research:
Past security data sharing research:
Miscellaneous fun posts:

(see my published Gartner research here)

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Wednesday, May 01, 2013

Monthly Blog Round-Up – April 2013

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version).
  2. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
  3. “On Choosing SIEM” is another old classic (from 2010) that often shows up on my top list; it covers some tips on choosing SIEM tools.
  4. “SIEM Bloggables” covers a few high-level SIEM use cases and my view (at the time) of key SIEM functions.
  5. My classic PCI DSS Log Review series is popular as well. The outlined log review approach is useful for building other types of log review processes and procedures, whether regulatory or not.
In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current network forensics research:
Current security data sharing research:
Miscellaneous fun posts:
(see my published Gartner research here)
Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.
Previous post in this endless series:

Monday, April 01, 2013

Monthly Blog Round-Up – March 2013

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it really needs another update).
  2. My classic PCI DSS Log Review series is popular as well. The outlined log review approach is useful for building other types of log review processes and procedures, whether regulatory or not.
  3. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
  4. “On Choosing SIEM” is another old classic (from 2010) that often shows up on my top list; it covers some tips on choosing SIEM tools.
  5. “SIEM Bloggables” covers a few high-level SIEM use cases and my view (at the time) of key SIEM functions.

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current network forensics research:

Current security data sharing research:

Miscellaneous fun posts:

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Monday, March 04, 2013

Monthly Blog Round-Up – February 2013

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it really needs another update).
  2. My classic PCI DSS Log Review series is popular as well. The outlined log review approach is useful for building other types of log review processes and procedures, whether regulatory or not.
  3. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
  4. “On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
  5. “SIEM Bloggables” covers a few high-level SIEM use cases and my view (at the time) of key SIEM functions.

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current network forensics research:

Current security data sharing research:

Previous DLP research:

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Friday, February 01, 2013

Monthly Blog Round-Up – January 2013

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it really needs another update).
  2. My classic PCI DSS Log Review series is popular as well. The outlined log review approach is useful for building other types of log review processes and procedures, whether regulatory or not.
  3. “On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
  4. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
  5. “SIEM Bloggables” covers a few high-level SIEM use cases and my view (at the time) of key SIEM functions.
In addition, I’d like to draw your attention to a few posts from my Gartner blog:
Current network forensics research:
Previous SIEM research:
Previous DLP research:
Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.
Previous post in this endless series:

Tuesday, January 01, 2013

Annual Blog Round-Up – 2012

Here is my annual "Security Warrior" blog round-up of top 10 popular posts/topics in 2012.
  1. “Simple Log Review Checklist Released!” was again the most popular this year. The checklist is a list of critical things to look for while reviewing system, network and security logs when responding to a security incident.
  2. The PCI DSS Log Review series of posts takes the #2 spot; the posts are about planning and executing PCI DSS-driven log review at an organization.
  3. “On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.
  4. “On Free Log Management Tools” is another perma-popular post, presenting a companion resource to the log checklist above.
  5. “Top 10 Criteria for a SIEM?” is an EXAMPLE criteria list for choosing a SIEM.
  6. “Log Management at $0 and 1hr/week?” is pretty much what it is. How to do log management under extreme budget AND time constraints?
  7. “Updated With Community Feedback SANS Top 7 Essential Log Reports” and an older “SANS Top 5 Essential Log Reports Update!”
  8. “SIEM Bloggables” has one possible view on higher-level SIEM use cases and basic functionality, and a quick discussion of SIEM user types.
  9. “How Do I Get The Best SIEM?” is a discussion (circa 2010) about approaches to choosing SIEM tools and matching functionality to requirements.
  10. A 2009 post called “Log Management + SIEM = ?” gives some quick architecture advice on combining SIEM and log management.
Disclaimer: all this content was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.
Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Monthly Blog Round-Up – December 2012

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it really needs another update).
  2. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
  3. “On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
  4. My classic PCI DSS Log Review series is popular as well. The approach is useful for building other types of log review processes and procedures, whether regulatory or not.
  5. “SIEM Bloggables” covers a few high-level SIEM use cases and my view (at the time) of key SIEM functions.
In addition, I’d like to draw your attention to a few posts from my Gartner blog:
Current DLP research:
Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.
Previous post in this endless series:

Thursday, December 13, 2012

PCI Compliance Book Giveaway #2

OK folks, our PCI Compliance book has been out for a few months now, and Branden & I thought it would be fun to give away a copy with another contest! We have assembled a group of three independent judges who will look at the submissions and pick winners for each competition. The winner will receive a free, signed copy of the book! In fact, it would be one of those rare “dual-signed” copies with both of our signatures (and the book will have to travel from TX to CA – or from CA to TX – for this 🙂)

So, on to the second contest (first one).

Our book attempts to draw a middle line between the black & white “audit” style of looking at PCI DSS and the loosey-goosey “anything goes” view. We want to take a compliance-friendly and security-friendly practitioner’s line. However, sometimes even a compliance guy has to be CREATIVE!

So, our second challenge to you: in the comments below, please tell us about the MOST CREATIVE PCI DSS CONTROL you implemented, assessed or even witnessed.

HOWEVER, it will help your submission if such a control was also ACCEPTED by a QSA. We will absolutely reject the creative control submissions that have no chance of making your environment PCI DSS compliant…

You’ve got about a week (until the end of December 21st), and we will announce the winners after the holidays!

It doesn’t matter if you comment here or on Branden’s blog, we will capture all of them.

Related posts:

Tuesday, December 04, 2012

PCI Compliance Book Giveaway–Results

Our PCI Compliance Book Giveaway has ended – with a bang!  The winning entry (submitted here) is below:

"Hilarious in a sad way, the worst PCI fail I ever had was getting solicited by a Wedding / Bridal catalog company to assist them in improving their online ordering and bridal catalog subscription service. I had no contract with them, this was just a preliminary "Let's see what we can do for you." They sent us their website, and also e-mailed me a copy of their site's source code.
In the source code was an SQL dump of over 7 years of brides' personal information including names, addresses, birthdays, and FULL credit card numbers, expiration dates, CCVs, card type, phone numbers, email addresses, and unencrypted passwords.
In shock of seeing this, I called the potential client, said we couldn't help them and deleted the data as completely as I could.
Eek!"

The winner, “James P”, please mail your address to authors@pcicompliancebook.info and we will mail you your signed copy of The PCI Book, 3rd edition. And, no, we won’t charge your credit card for that 🙂

The runner-up entries were:

“A very large retailer decides to reorganize their IT department to be more responsive and reactive. As part of that reorganization, they create a group titled 'Enterprise Monitoring' that is responsible for the care/feeding of the log management and analysis solutions. Centralized personnel that actually do the monitoring are pushed out to the business units where, according to IT management, the actual monitoring belongs. Everyone at the meeting announcing this decision says that the name, Enterprise Monitoring, needs to be changed because it gives the impression that the group does the monitoring, but they are overruled.
Spin ahead almost a year later to their PCI assessment. The monitoring personnel that were pushed out to the business units were, surprise/surprise, seen as new bodies that could be used for everything BUT monitoring. So, we have great log management and analysis solutions running, but no one has been monitoring anything for almost a year! When asked, the business units point to the Enterprise Monitoring group and say that it is their responsibility because they are 'Enterprise Monitoring'. DUH!” (source)

and

“I work with a stadium and arena concessions operation that once told me they were compliant because they put their card swipe readers on the counter and turned them around to face the customer. They no longer touched the cards so this made them compliant. True story.” (source)

and

“It’s not a fail, but I certainly found humor in this. When enrolling in training with the PCI Security Standards Council, if you would like to pay by credit card they ask that you write your CC#, CVV, Expiration, etc. on the invoice and fax it or mail it to them. They note, it is a secure and password protected fax. I expected something a little more from the people who create the standards, but hey that’s one way to reduce your scope. Upon receiving the invoice, it was an LOL moment.” (source)

MORE PCI Book CONTESTS ARE COMING!! Stand by….

Monday, December 03, 2012

Monthly Blog Round-Up – November 2012

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it really needs another update).
  2. “PCI Compliance Book Giveaway!” announces our new contest and its prize – The PCI Compliance book. We will announce the winner any day now.
  3. My classic PCI DSS Log Review series is popular as well. The approach is useful for building other types of log review processes and procedures, whether regulatory or not.
  4. “On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
  5. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current DLP research:

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Thursday, November 15, 2012

PCI Compliance Book Giveaway!

OK folks, our PCI Compliance book has been out for a couple of months now, and Branden & I thought it would be fun to give away a couple of copies with a contest! We have assembled a group of three independent judges who will take a whittled-down list and pick winners for each competition. The winner will receive a free, signed copy of the book!

So, on to the first contest.

Our book attempts to draw a middle line between the black & white “audit” style of looking at PCI DSS and the loosey-goosey “anything goes” view. We want to take a compliance-friendly practitioner’s line. But we’ve all been in those meetings when you look at a particular defense of a control (or lack thereof) and you can’t help but laugh a little bit at the ridiculous nature of what was presented.

So, our first challenge to you: in the comments below, please tell us about your MOST HILARIOUS PCI FAIL.

You’ve got a week (until the end of Wednesday, November 21st), and we will announce the winners after the US Thanksgiving holiday!

It doesn’t matter if you comment here or on Branden’s blog, we will capture all of them.

Thursday, November 01, 2012

Monthly Blog Round-Up – October 2012

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it needs another update).
  2. “On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
  3. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
  4. My PCI DSS Log Review series is popular as well. It actually needs no introduction.
  5. SIEM use cases (however they are defined) seem to be on a lot of minds and so the “SIEM Bloggables” post (and this one too) is on my top list.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current DLP research:

Recent SIEM research:

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Monday, October 01, 2012

Monthly Blog Round-Up – September 2012

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it needs another update…).
  2. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
  3. “On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
  4. My PCI DSS Log Review series is popular as well. It actually needs no introduction 🙂
  5. “The Myth of SIEM as “An Analyst-in-the-box” or How NOT to Pick a SIEM-II?” is about how some organizations want to buy a SIEM and pretend they now have security monitoring.
In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current SIEM research:

Other fun Gartner blog posts:

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all this content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Friday, September 14, 2012

On “Output-driven” SIEM [BACKUP FROM DEAD GARTNER BLOG]


NOTICE: after Gartner killed ALL blogs in late 2023, I am trying to salvage (via archive.org) some of the most critical blogs I've written while working there, and repost them with backdates here, for posterity. This one reminds the world that I popularized the term "output-driven SIEM".


Here is a great term I picked up from another member of the SIEM literati: “output-driven SIEM.” This simply means deploying your security information and event management tool in such a way that NOTHING comes into your SIEM unless and until you know how it would be utilized and/or presented. Thus, only existing/planned reports, visuals, alerts, dashboards, profiling algorithms, context fusion or whatever other means of using the data can make a SIEM implementer “open the floodgates” and admit a particular log type into the tool. If a process exists outside of the SIEM tool that will make use of the SIEM data, that qualifies as well. In this model, goals drive security requirements, requirements drive use cases, and use cases drive functionality and collection scope. By the way, this model is as well-known and effective … as it is, sadly, uncommon among the organizations deploying SIEM tools today. “Now that we have all this data [and now that our SIEM is very slow], how do we use it?” is much more common….

For example, if your goal is to make it possible to detect when your users abuse access credentials (or when somebody steals their credentials), requirements will call for login-counting correlation rules, user activity profiling as well as associated reporting on user access data. Thus, various types of authentication records (Unix syslog and Windows event logs, access control and remote access server logs, VPN, etc) need to be collected.

Now, this is dramatically different from the approach one should take with broad-scope log management, aimed at general system troubleshooting or incident response support. This is where being “input-driven” and getting every possible bit of data in would be admirable. Collecting “100% of all logs,” piling them in Hadoop, having them ready for use, etc. works brilliantly there – pick the data up now and sort it out later, don’t dwell on choosing collection-time filters. However, doing the same with a SIEM is a great way to turn your deployment into a quivering, jumbled mess of barely performing components and oodles of “crap-ta” (a hybrid of “crap” and “data”, as you can guess). “Big” or “small”, unused data just does not help the SIEM perform its security mission well.

How does such difference matter in real-world deployments?

Every log line going into a SIEM tool “costs” (and sometimes actually costs – i.e. in dollar and not just in computing resource terms) much more than a log line dropped into a log aggregator. $50,000 for an appliance system that does 100,000 EPS sounds like a great log management price, while SIEM deployments where 100,000 log messages are actually analyzed by a SIEM every second are both rare and really expensive (likely well into seven-digit territory).

Admittedly, “output-driven SIEM” is hard work. It makes soooooo much sense to “just collect it for now” and then “figure out how to use it later.” In many cases, however, this means that your deployment will be stuck. Sometimes it may work for you – but please be aware that for many people who thought that “it would work for them," it actually did not. At this point, it should be obvious to most readers that combining “input-driven” log aggregation and “output-driven” SIEM analysis is still the best way to go for most organizations. And, yes, as with every great useful rule, it has great useful exceptions …

On the architecture side, if your SIEM includes log management components (like most do today), the same logic applies: that aggregator component will see all of the data, while core SIEM analysis components and dashboards will only see the data that needs to be there. For two distinct tools, this “magic” is achieved via filters that are deployed between a log management system and a SIEM.
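The credential-abuse use case above and the filter that sits between the log aggregator and the SIEM, worked through as an added Python example (not code from the original post or from any SIEM product): a use-case registry decides which log types are admitted into the SIEM, and a simple login-counting correlation rule consumes what gets through. The log formats, use-case and output names, and sample log lines are all constructed for this example.

```python
"""Output-driven SIEM admission filter plus a login-counting rule (illustrative)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import re

# Use-case registry (constructed): each use case names the outputs that drive it
# (rules, reports) and the log types those outputs require. With no output
# defined, the use case admits nothing, which is the output-driven principle.
USE_CASES = {
    "credential_abuse": {
        "outputs": ["login_failure_burst_rule", "user_access_report"],
        "log_types": {"unix_auth", "windows_security", "vpn"},
    },
}


def admitted_log_types(use_cases=USE_CASES):
    """Union of log types that at least one existing/planned output consumes."""
    types = set()
    for uc in use_cases.values():
        if uc["outputs"]:  # an output must exist before data is admitted
            types |= uc["log_types"]
    return types


@dataclass
class Event:
    log_type: str
    user: str
    outcome: str  # "fail" or "success"
    host: str     # source address or workstation name


# Parsers for constructed log formats loosely modelled on sshd and Windows logon events
_UNIX_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")
_WIN_RE = re.compile(r"EventID=(4624|4625)\s.*TargetUserName=(\S+)\s.*Workstation=(\S+)")
_FW_RE = re.compile(r"action=(\w+) src=(\S+) dst=(\S+)")


def parse(line):
    """Return (log_type, Event or None). Non-auth lines are typed but not parsed further."""
    m = _UNIX_RE.search(line)
    if m:
        outcome = "fail" if m.group(1) == "Failed" else "success"
        return "unix_auth", Event("unix_auth", m.group(2), outcome, m.group(3))
    m = _WIN_RE.search(line)
    if m:
        outcome = "fail" if m.group(1) == "4625" else "success"
        return "windows_security", Event("windows_security", m.group(2), outcome, m.group(3))
    if _FW_RE.search(line):
        return "firewall", None
    return "unknown", None


def siem_filter(lines, use_cases=USE_CASES):
    """Split the aggregator's full stream into events the SIEM admits and counts of what it drops."""
    allowed = admitted_log_types(use_cases)
    admitted, dropped = [], Counter()
    for line in lines:
        log_type, ev = parse(line)
        if log_type in allowed and ev is not None:
            admitted.append(ev)
        else:
            dropped[log_type] += 1  # stays in the aggregator only
    return admitted, dropped


def login_failure_burst_rule(events, threshold=3):
    """Correlation rule: a user with >= threshold failures followed by a success."""
    fails = defaultdict(int)
    alerts = []
    for ev in events:
        if ev.outcome == "fail":
            fails[ev.user] += 1
        elif ev.outcome == "success":
            if fails[ev.user] >= threshold:
                alerts.append((ev.user, fails[ev.user], ev.host))
            fails[ev.user] = 0
    return alerts


# Constructed sample stream as the aggregator would see it: auth, firewall and web lines mixed
SAMPLE_LOGS = [
    "Jan 10 08:01:01 web1 sshd[2210]: Failed password for alice from 10.0.0.5 port 5000 ssh2",
    "Jan 10 08:01:03 web1 sshd[2210]: Failed password for alice from 10.0.0.5 port 5001 ssh2",
    "Jan 10 08:01:05 web1 sshd[2210]: Failed password for alice from 10.0.0.5 port 5002 ssh2",
    "Jan 10 08:01:09 web1 sshd[2211]: Accepted password for alice from 10.0.0.5 port 5003 ssh2",
    "Jan 10 08:02:00 fw1 action=allow src=10.0.0.5 dst=10.0.0.9",
    "Jan 10 08:02:30 dc1 EventID=4625 TargetUserName=bob Workstation=WS7",
    "Jan 10 08:02:40 dc1 EventID=4624 TargetUserName=bob Workstation=WS7",
    "Jan 10 08:03:00 app1 nginx: GET /index.html 200",
]


def run(lines=SAMPLE_LOGS):
    """Filter the stream, then run the only rule the use case defined over the admitted events."""
    admitted, dropped = siem_filter(lines)
    return admitted, dropped, login_failure_burst_rule(admitted)


if __name__ == "__main__":
    admitted, dropped, alerts = run()
    print(f"admitted {len(admitted)} events into the SIEM, dropped {dict(dropped)}")
    for user, n, host in alerts:
        print(f"ALERT credential_abuse: {user} succeeded after {n} failures from {host}")
```

Adding a new log type to the SIEM means adding a use case with a real output first; the firewall and web lines remain available in the aggregator for troubleshooting and incident response without loading the SIEM.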

So, think about using the data before you admit it into a SIEM!

Related SIEM posts:

Monday, September 10, 2012

Monthly Blog Round-Up – August 2012

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it needs another update…).
  2. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
  3. My PCI DSS Log Review series is popular as well.
  4. “On Choosing SIEM” is another old classic (from 2010) that shows up on my top list.
  5. Next is “SIEM Resourcing or How Much the Friggin’ Thing Would REALLY Cost Me?” While reading this, also check this presentation.
In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current SIEM research:

Other fun posts:

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all this content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Thursday, August 02, 2012

One Year at Gartner!

Believe it or not, I've been at Gartner for a year. One whole year has passed since that infamous blog post. I don't feel like diving into deep reflections and long contemplations about it, but I wanted to share how it was. During this year, I …

  • learned a lot, and expanded my security knowledge into new areas such as denial of service defense
  • found out that being an analyst is a lot of fun
  • realized that there are many levels of writing excellence beyond the level that I thought I had …
  • interacted with a lot of smart people both within and outside Gartner
  • helped dozens of our clients – both security vendors and large enterprises – with their security challenges, some simple and some pretty esoteric
  • discovered that a lot of companies are not where our industry pundits and "thought leaders" say they are (“what is more common today at large organizations, cloud or Windows 2000?”)

That's about it - I am really looking forward to my second year!

Wednesday, August 01, 2012

Monthly Blog Round-Up – July 2012

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version).
  2. Next is “SIEM Resourcing or How Much the Friggin’ Thing Would REALLY Cost Me?” While reading this, also check this presentation.
  3. “On SIEM Services” appearing on this list reminds me that the Internet has a mind of its own, as this post is closely related to what I am working on right now 🙂
  4. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
  5. Finally, “Book Review: “UP and to the RIGHT: Strategy and Tactics of Analyst Influence: A complete guide to analyst influence” by Richard Stiennon” made it to the top 5 as well.
In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current SIEM research:

Other fun posts:

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all this content was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Dr Anton Chuvakin