Evaluating Security Startups

Richard Stiennon recently wrote an article on Evaluating Security Startups. In it, Richard lists six rules he uses to evaluate products from security startups.

Even though the article makes some good points, I can’t say I agree with everything he says. For example, Richard writes, “Security is all about countering threats.” Well, that’s not always true.

Security is really about risk mitigation. It’s about mitigating the risk of

  • people hacking into your network, servers and applications.
  • viruses infecting your corporate PCs and servers.
  • internal users violating their access rights by viewing something they shouldn’t or accessing a server they shouldn’t.
  • developers sending intellectual property out.
  • many others…

As described in many of the CISSP materials, a risk is the possibility that something may happen, and a threat is the specific use or attempted use of a risk.

Richard also said that “many organizations mistake a need for data management, reporting, and records keeping as a security requirement.”

Well, again, if you are looking purely from a countering-threats perspective, this may be true, but that’s because Richard got it wrong in the first place. From a risk mitigation perspective, this is absolutely critical to do. In order to identify the risks inherent in any organization, you have to manage the data and be able to identify the risks that occur when users are using the systems. Users may not realize that they are violating any security policies, but the fact that they were able to do something outside of the access list should indicate a risk.

In the middle of the article, Richard said,

    Do not make the mistake venture capitalists made in backing almost a dozen security event management (SEM) companies. Instead, ask yourself why you have so many security events to manage? Shouldn’t you be talking to companies that reduce your exposure and block attacks rather than those that help you manage your exposure?

OK, I am speechless. I mean, that seems like a pretty narrow view of security. If all you are looking to do is reduce external exposure and block attacks, sure (even then, how do you guarantee that all attacks are blocked successfully?). But coming from Gartner, he should know that the majority of abuses are internal and they don’t come in the form of attacks.

Managing the infrastructure data is absolutely critical in mitigating risks (full disclosure, in case you didn’t see it from the right-hand side: I work for LogLogic, the log management company). Not only does it allow you to go back and figure out what happened when something goes wrong, it also lets you review past history and identify possible risk areas, whether the risk is security or operations related.
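To make the point of the two paragraphs above concrete, here is an added example (my own illustration, not code from the original post or from LogLogic): it runs a batch of log records against a user access list and flags every event where a user reached a server outside their entitlements, counting successful accesses (a real gap in enforcement) separately from failed attempts (a user probing beyond their rights), and it refuses to silently drop records it cannot parse. The log format, the entitlement table and the sample events are all constructed for the example.

```python
"""Review access logs against an entitlement list and flag out-of-policy access."""
from collections import defaultdict

# Constructed entitlement table (hypothetical): user -> set of servers they may touch.
ACCESS_LIST = {
    "alice": {"web01", "web02"},
    "bob": {"db01"},
    "carol": {"web01", "db01", "hr01"},
}

# Constructed sample records in an assumed "ts host user action target result"
# format; the last line is deliberately truncated to show malformed-record handling.
SAMPLE_LOGS = """\
2006-03-01T09:00:01 web01 alice login web01 success
2006-03-01T09:05:12 db01 alice login db01 success
2006-03-01T09:07:44 hr01 bob read hr01 success
2006-03-01T09:08:02 db01 bob login db01 success
2006-03-01T09:10:30 hr01 bob read hr01 failure
2006-03-01T09:12:00 web02 carol login web02 success
2006-03-01T09:15:00 web01 truncated record
"""


def parse_line(line):
    """Parse one record into a dict, or return None if it is malformed."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, host, user, action, target, result = fields
    return {"ts": ts, "host": host, "user": user, "action": action,
            "target": target, "result": result}


def find_violations(log_text, access_list):
    """Return (violations, malformed_count) for a batch of log text.

    An event is a violation when its target is not on the user's access
    list, whether or not the system let it through: a successful event is
    a realised policy gap, a failed one is an attempt worth reviewing.
    Users missing from the access list have no entitlements at all.
    """
    violations = []
    malformed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if event is None:
            malformed += 1          # never silently drop unparseable data
            continue
        allowed = access_list.get(event["user"], set())
        if event["target"] not in allowed:
            event["realised"] = event["result"] == "success"
            violations.append(event)
    return violations, malformed


def risk_summary(violations):
    """Aggregate violations per (user, target) into realised/attempted counts."""
    summary = defaultdict(lambda: {"realised": 0, "attempted": 0})
    for v in violations:
        bucket = "realised" if v["realised"] else "attempted"
        summary[(v["user"], v["target"])][bucket] += 1
    return dict(summary)


if __name__ == "__main__":
    found, bad = find_violations(SAMPLE_LOGS, ACCESS_LIST)
    for v in found:
        kind = "REALISED" if v["realised"] else "attempted"
        print(f"{v['ts']} {v['user']} {v['action']} {v['target']} -> {kind}")
    print(f"{bad} malformed record(s) skipped")
    for (user, target), counts in sorted(risk_summary(found).items()):
        print(f"{user} on {target}: {counts}")
```

On the constructed data this reports alice logging into db01 and carol logging into web02 as realised violations that no border device would ever have blocked, and bob on hr01 as one realised access plus one failed attempt. Treating a failed attempt as a risk signal rather than a non-event is the design choice that matters here: the user was already outside the access list when the request was made, and that is exactly the kind of history you can only see if the data was kept.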

In any case, the article raises good questions. I am not sure the answers are sufficient though.

One Response to “Evaluating Security Startups”

    1. Raffy Said on

      Well, I agree with the article. I would love to get rid of my SEM/SIEM/ESM/… solution and have border devices block the ATTACKS. Here’s the catch: Point solutions are:
      - a pain to manage (you need to update them all, etc.)
      - see only part of the picture (they are POINT-solutions)
      - don’t know the business-relevance of the assets they protect (well, you could argue that they should, but have you configured 200 firewalls, 100 NIPS, 2000 HIDS, 2000 Operating Systems, 50 routers, etc. to know the business relevance of all your assets?)
      - how do you audit? Not at all? Have you had auditors for SOX in house? Well, get those logs from all your boxes and show that they really implement what you are claiming! (Have fun collecting logs from around 1000 different sources)

      I could go on and on. I think the problem is that a lot of people still do not have a clue what a SIM/SEM/SIEM/ESM is.