Venkatesh Swaminathan, Country Manager – India/South Asia, Novell Software Development (I) Pvt Ltd and Ian Yip, Identity & Security Management, Product/Business Manager, Asia Pacific, NetIQ talked to Prashant L Rao about SIEM and more
How sophisticated are Indian companies when it comes to deploying SIEM?
Does SIEM account for a significant slice of the overall security mart?
Yip: According to IDC, SIEM falls under threat management, which is the biggest piece of the overall security pie. Threat management also includes IAM, anti-virus etc.
Why is it that adoption has been relatively slow in Asia?
Yip: There’s no mandate in this region to report the matter to the public if an incident occurs.
How does your SIEM product collect information?
Yip: In cases where we must have an agent, we have one to collect information. For other aspects, logs and network type flows, we can do them without an agent by using APIs etc. For products that aren’t directly supported, we can use SNMP or pull the log files. An extension to our SIEM suite gives insight beyond what is in the logs by pulling native events. Typically you can pull the system logs in Windows systems; we also put an agent there to give you more information.
What’s going through the CIO’s mind when he considers going in for SIEM?
Swaminathan: Companies have gone in for SIEM with the objective of being able to determine what they control. In the past they simply used to block everything. Today, they can’t do that anymore. The market is looking at security as a business enabler nowadays. When you are looking at the Cloud and mobility then the old policies don’t work anymore.
Technologies like DLP and IPS can be used to monitor and block stuff but a human element’s required. We are trying to get our SIEM tool to monitor things and alert you automatically. People are looking for a solution that’s a bit more proactive, intelligent and gives you the flexibility to monitor and block and notify somebody immediately.
Is there a lot of interest in India?
Swaminathan: We have won deals in BFSI, government/PSU, defense and at MNCs where many of the deployments are driven from India, etc.
Where is your SIEM product line headed in terms of the roadmap?
Yip: There are lots of APTs out there so signatures won’t do the trick anymore. We are looking to build intelligence into our SIEM solutions so that, with a minimal configuration, it will tell you when something’s wrong. We already have anomaly detection but we need to go beyond that and be able to do automated correlation. Our goal is to make SIEM easier to use as a common criticism of SIEM in the past has been that the solutions are overly complex. The UI is much simpler as everything is drag and drop including the correlation rules.
Starting with the next release of our IAM solution, we want to enable mobility across our security suites.
Regarding insider threats, you can monitor them with SIEM solutions but you need to use it in conjunction with IAM and Privileged User Management (PUM) etc.
What’s PUM?
Yip: Typically, administrators can do pretty much anything that they want to. PUM makes it possible to lock that down to exactly what they need to do.
Do you offer SIEM from the Cloud?
Yip: Our partners offer SIEM as a service to their clients. For example, Atos Origin used our SIEM solution in 2010 for the Singapore Olympics. We are working with MSPs in the APAC, US and South Africa that have Cloud environments and are using our solutions to offer SIEM and PUM to their customers.