
Thread: What happened to the SIM market?

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885

    What happened to the SIM market?

    Is it me or did anyone else notice that the once hot SIM (Security Information Management) market is not so much as causing a ripple in the marketplace right now? About a year and a half ago, all people were talking about was how they were going to install SIMs to monitor and remediate network security events. I have several theories on why this market cooled off fast. I'm sure that folks quickly learned that SIM devices actually require advanced skillsets to set up and tune properly and you still have to investigate and monitor events that may indeed turn out to be false positives. Does anyone else have thoughts on this?

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    One phrase... cost benefit related to risk?
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  3. #3
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    I expect that you're referring to products like Symbiot and their iSim product. I wonder how much of it is fear of what the legal environment for these might create. Additionally, I think people are still dealing with what they know (e.g., firewall, IDS, wireless security or lack thereof, etc.) rather than what they don't know.

    Add to it budgets being limited even more each year and just wanting to stay above the water, deploying new security models may not be beneficial.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    I think a lot of people still cling to the belief that a human can always do certain tasks safer than a machine -- and rightly so IMO. To date I have yet to see an IPS that did the right thing when it found a false positive.

    It does take a lot of skill to set up any such systems -- just like IDSes. I think it will become more evident as time goes on that networks are a lot like plant or animal ecosystems (I remember reading an article about something along these lines recently), and with that comes the concept that a fluid environment can't easily be predicted, nor can it be easily replicated. Any two networks with the same given size, computers, and hardware throughout will still vary greatly in terms of usage, environment, etc... I would certainly think that hiring someone to initially configure such systems would increase the cost of deployment to beyond the point where it's worthwhile to have an automated network security analyst, especially when you can just hire one.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Yes, and others like Guardednet's NeuSecure console. We use this product to receive feeds from SAV, ISS and other IDS/IPS sensors. We monitor all of this data based on event threat calculations done by the SIM and the sensors, then we are presented with what it feels are legitimate threats. Again, it takes time to tune the events because we're getting feeds from devices that are made by different vendors. As chsh points out, the environments, while physically similar, are used very differently, thus, tuning is a pain in my ass. On average, we do a gig and a half of HTTP traffic each hour. Add in all the other traffic and events we monitor and you quickly see that we're spending a lot of time investigating issues. To the product's credit, it has been useful during virus outbreaks and such. We are able to quickly disable switches and routing gear at different locations in order to contain an outbreak.

    Anyway, I was curious if others noticed this cool down too.

  6. #6
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    RoadClosed hit it right on...

    cost benefit related to risk

    Too many companies have been bitten by these 'products', or the vendors have been overwhelmed with the backend support of such an engagement.

    My current client keeps talking about an SEM. Security Event Manager...a rose by any other name... But yes, they are all hot and bothered to get one of these up and running...and don't have the slightest clue of what it will *REALLY* take to engineer and deploy this vision they have. What they'll get, probably, is a broken lame retarded half-cousin of what they want. I'm not criticising them, I'm just stating fact based on my experience. "It costs HOW MUCH? You don't really need these three consultants, at that rate, for that long, do you? We can get by with an intern part time, I'm certain."

    I see it in my current projects. "Nonono, we contracted you to deliver THE WORLD...read the fine print...go ahead..."



    (Can you tell I'm having a crappy day at work?)
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  7. #7
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    There are extremely limited markets with a risk high enough to benefit from costly systems. Costly in hardware, deployment, management, and upkeep. They aren't pushing them because they don't sell and you can segregate systems into smaller chunks based on specialty. In addition there is an added benefit of oversight by additional parties.

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    When we reach the point that a computer can more accurately defend itself against a human attacker than a human can, we have truly reached AI. Until then security will have to remain in the hands of a human. Yes, there are a lot of 'tools' that a human can use to help them in the task but when it comes down to it the human is still the best 'filter'.... and that's why these tools don't work..... Yet.... I have faith that they will.... but that brings up other issues.... that may only be mitigated by a human..... Do I see a cycle beginning here?.... Yes....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
