<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>EventTracker SIEM</title>
	<atom:link href="http://www.eventtracker.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.eventtracker.com</link>
	<description>Solutions for Event Log Management, Security, Operations and Compliance</description>
	<lastBuildDate>Fri, 18 May 2012 23:28:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Big Data, does more data mean more insight?</title>
		<link>http://www.eventtracker.com/blog/2012-05-09-big-data-does-more-data-mean-more-insight/</link>
		<comments>http://www.eventtracker.com/blog/2012-05-09-big-data-does-more-data-mean-more-insight/#comments</comments>
		<pubDate>Wed, 09 May 2012 18:47:44 +0000</pubDate>
		<dc:creator>eventtracker</dc:creator>
				<category><![CDATA[logtalk]]></category>

		<guid isPermaLink="false">http://www.eventtracker.com/?p=4219</guid>
		<description><![CDATA[In information technology, big data consists of data sets that grow so large they become unwieldy to work with using available database management tools. How big is big? It depends on when you need to reconsider data management options &#8211; in some cases it may be 100 Gigabytes, in others, as great as 100 Terabytes. [...]]]></description>
			<content:encoded><![CDATA[<p>In information technology, big data consists of data sets that grow so large they become unwieldy to work with using available database management tools. How big is big? It depends on when you need to reconsider data management options &#8211; in some cases it may be 100 Gigabytes, in others, as great as 100 Terabytes.</p>
<p>Does more data necessarily mean more insight?</p>
<p>The pro-argument is that larger data sets allow for greater incidences of patterns, facts, and insights. Moreover, with enough data, you can discover trends using simple counting that are otherwise undiscoverable in small data using sophisticated statistical methods.</p>
<p>On the other hand, while this is perfectly valid in theory, for many businesses the key barrier is not the ability to draw insights from large volumes of data; it is asking the right questions for which insight is needed.</p>
<p>The ability to provide answers depends on the question being asked and on the relevance of the big-data set to that question. How, then, can one generalize to the assumption that more data will always mean more insight? It isn’t always the answer that’s important; the questions are what matter.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.eventtracker.com/blog/2012-05-09-big-data-does-more-data-mean-more-insight/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Silly human &#8211; logs are for machines (too)</title>
		<link>http://www.eventtracker.com/blog/2012-05-02-silly-human-logs-are-for-machines-too/</link>
		<comments>http://www.eventtracker.com/blog/2012-05-02-silly-human-logs-are-for-machines-too/#comments</comments>
		<pubDate>Wed, 02 May 2012 19:05:33 +0000</pubDate>
		<dc:creator>eventtracker</dc:creator>
				<category><![CDATA[logtalk]]></category>

		<guid isPermaLink="false">http://www.eventtracker.com/?p=4187</guid>
		<description><![CDATA[Here is an anecdote from a recent interaction with an enterprise application in the electric power industry: 1. Dave the developer logs all kinds of events. Since he is the primary consumer of the log, the format is optimized for human-readability. For example: 02-APR-2012 01:34:03 USER49 CMD MOD0053: ERROR RETURN FROM MOD0052 RETCODE 59 Apparently [...]]]></description>
			<content:encoded><![CDATA[<p>Here is an anecdote from a recent interaction with an enterprise application in the electric power industry:</p>
<p>1. Dave the developer logs all kinds of events. Since he is the primary consumer of the log, the format is optimized for human-readability. For example:</p>
<p>02-APR-2012 01:34:03 USER49 CMD MOD0053: ERROR RETURN FROM MOD0052 RETCODE 59</p>
<p>Apparently this makes perfect sense to Dave: each line includes a timestamp and some text.</p>
<p>2. Sam from the Security team needs to determine the number of daily unique users. Dave quickly writes a parser script for the log and schedules it. He also builds a little Web interface so that Sam can query the parsed data on his own. Peace reigns.</p>
<p>3. A few weeks later, Sam complains that the web interface is broken. Dave takes a look at the logs, only to realize that someone else has added an extra field in each line, breaking his custom parser. He pushes the change and tells Sam that everything is okay again. Instead of writing a new feature, Dave has to go back and fill in the missing data.</p>
<p>4. Every 3 weeks or so, repeat Step 3 as others add logs.</p>
<p>In 2012, is it really necessary to have a unique, parser-hostile format for log descriptions?</p>
<p>If you are keeping track, developers have a choice of <a href="http://bit.ly/InsJIM">RFC3164</a>, <a href="http://bit.ly/InsNrT">Windows Event Log</a>, <a href="http://bit.ly/InsTzV">Apache log4j</a>, <a href="http://cee.mitre.org">MITRE</a> CEE and even vendor standards like <a href="http://bit.ly/InsVHW">CEF</a>.</p>
<p><a href="http://bit.ly/InskpD">Silly rabbit</a>, logs are for parsing.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.eventtracker.com/blog/2012-05-02-silly-human-logs-are-for-machines-too/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Finding an Application of Analytics to ‘Big Data’ in your own backyard</title>
		<link>http://www.eventtracker.com/blog/2012-04-18-finding-an-application-of-analytics-to-big-data-in-your-own-backyard/</link>
		<comments>http://www.eventtracker.com/blog/2012-04-18-finding-an-application-of-analytics-to-big-data-in-your-own-backyard/#comments</comments>
		<pubDate>Wed, 18 Apr 2012 21:02:43 +0000</pubDate>
		<dc:creator>eventtracker</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.eventtracker.com/?p=4118</guid>
		<description><![CDATA[April EventSource Newsletter By: Rich Ptak, Managing Partner, Ptak, Noel &#38; Associates LLC Back in January, I said that the use of sophisticated analytics as a business and competitive tool would become widespread. Since then, the number of articles, blogs and announcements relating to analytics has increased dramatically:  an internet search for the term ‘Business [...]]]></description>
			<content:encoded><![CDATA[<p>April EventSource Newsletter</p>
<p>By: Rich Ptak, Managing Partner, Ptak, Noel &amp; Associates LLC</p>
<p>Back in January, I said that the use of sophisticated analytics as a business and competitive tool would become widespread. Since then, the number of articles, blogs and announcements relating to analytics has increased dramatically: an internet search for the term ‘Business Analytics’ using Bing yields over 47 <em>million</em> hits. Smart Analytics (an IBM term) shrinks that number to approximately 12.3 million hits. If we change the search term to ‘Applied Analytics,’ the number decreases to a little less than 7 million hits.</p>
<p>Analytics has certainly captured the attention of government<a title="" href="#_ftn1">[1]</a>, business<a title="" href="#_ftn2">[2]</a>, the industry press and management. The question, though, is whether it’s being put to use in the trenches. Are CIOs and IT staff searching out, acquiring and applying these tools to address their problems? After all, it isn’t enough to have access to analytic tools and services; you have to understand how to use and apply them to real problems. How many users are actually prepared to move forward into the big world of applied analytics to solve pressing business problems? Where does one go to begin to use these tools? Are analytics only of use for working with ‘Big Data’? What is ‘Big Data’?</p>
<p>There are a lot of questions there; too many to exhaustively address in this blog, and some that can’t be resolved without some detailed research. We’ll provide answers based on our own experiences in interacting with clients, research and informed opinion.</p>
<p>First, let’s agree on a few definitions. It often seems ‘Big Data’ is defined in as many ways as there are vendors offering solutions. For our purpose, we’ll use a fairly loose definition that is based on the Volume, Velocity, Variety and Veracity of the data. Big Data comes in large enough volumes that it requires special software and hardware to process in a reasonable time (terabytes, petabytes and beyond!). At least some of the data, and perhaps all of it, is ‘in motion’, coming in, moving out and changing very quickly. The source and form of the data is highly variable; it comes in different varieties, data types, structures and formats – audio, visual, media, structured, unstructured, different sources, etc. The fourth characteristic is the question of data veracity, i.e. uncertainty over the accuracy of the data, including questions of confidence in the source.</p>
<p>Second, analytics can cover a lot of ground, from manual number crunching to giant, specialty processors designed specifically to do real-time analysis in exploration for oil deposits. What we’re interested in, however, is the application of software-based analytics to collect, analyze and report on data collected in our IT and business environment.</p>
<p>Big Data and analytics are frequently paired; however, the relationship is far from exclusive. Analytics can be profitably applied to smaller data sets. The benefit comes from using the analytics to gain actionable information and insight across multiple business functions. This can be application of an investment analysis program to determine the potential profitability of a product development project by tracking development, packaging, marketing, delivery costs versus forecasts of revenue expected from sales and support under alternative market growth patterns. But, it can also be correlating event log data on application access, network traffic, file access and data routing of confidential files and initiating action to prevent those files from being published around the world.</p>
<p>It can also take the form of a Manager of Software Development recognizing his department has the potential to directly impact revenue. He has an idea that a regularly used, revenue-generating asset is not being used in a way that optimizes its potential for revenue generation. He’s convinced that if it were scheduled and managed more effectively this could be done. He knows the data to prove this is collected in logs and data files, but he needs to pull it all together. With some work, he can bootstrap a basic analysis from available tools to make his case to management for more detailed, integrated tools.</p>
<p>Those are typical examples of analytics in action today, and it is being done within the budgets of mid- to large-scale enterprises and without mathematical wizards on the payroll. Our discussions and experiences uncovered a lot more talk about Big Data and Analytics going on in the executive suite and among business and IT staff than previously. There is a lot more planning and speculating about use going on among potential users and in enterprises and businesses of all sizes. But all too often, this isn’t translating into action.</p>
<p>The path to more effective use and application of analytics begins by using what you have today to its maximum advantage. Most businesses have a log management solution with at least some analytic capabilities. Start using the analytics if you aren’t already. Push your boundaries and use your imagination to identify new ways to use the analytics. Look at adding new data that can be correlated or plotted together to uncover new relationships. Extend the data view to adjacent, interacting and interdependent functions. The Software Dev manager spoken of earlier looked into the relationship of revenue generated with usage and scheduling to identify potentially profitable idle time. Look for a potential application and develop the case by using what you have to get to where you want to be.</p>
<p>Don’t be afraid to see what vendors are doing and offering to promote their own analytic solutions. You can get ideas about where to look and what problems are being solved by understanding what others have done. Look at vendor announcements to see how analytics are being promoted, then look for the opportunity in your own environment.</p>
<hr align="left" size="1" width="33%" />
<div>
<div>
<p><a title="" href="#_ftnref1">[1]</a> <a href="http://www.whitehouse.gov/blog/2012/03/29/big-data-big-deal">www.whitehouse.gov/blog/2012/03/29/<em>big</em>-<em>data</em>-<em>big</em>-deal</a></p>
</div>
<div>
<p><a title="" href="#_ftnref2">[2]</a> <a href="http://www.mckinsey.com/Insights/MGI/Research/Technology_and_Innovation/Big_data_The_next_frontier_for_innovation">http://www.mckinsey.com/Insights/MGI/Research/Technology_and_Innovation/Big_data_The_next_frontier_for_innovation</a></p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.eventtracker.com/blog/2012-04-18-finding-an-application-of-analytics-to-big-data-in-your-own-backyard/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>EventTracker, by Prism Microsystems Achieves a Microsoft Gold ISV Competency</title>
		<link>http://www.eventtracker.com/blog/2012-03-20-microsoft-gold-isv-competency/</link>
		<comments>http://www.eventtracker.com/blog/2012-03-20-microsoft-gold-isv-competency/#comments</comments>
		<pubDate>Tue, 20 Mar 2012 13:13:09 +0000</pubDate>
		<dc:creator>eventtracker</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Press Releases]]></category>

		<guid isPermaLink="false">http://www.eventtracker.com/?p=4042</guid>
		<description><![CDATA[EventTracker demonstrates best-in-class capability and market leadership through demonstrated technology success and customer commitment.  March 20, 2012 EventTracker, by Prism Microsystems, today announced it has attained a Gold ISV competency, demonstrating a “best-in-class” ability and commitment to meet Microsoft Corp. customers’ evolving needs in today’s dynamic business environment and distinguishing itself within the top 1 [...]]]></description>
			<content:encoded><![CDATA[<p align="center"><em>EventTracker demonstrates best-in-class capability and market leadership through demonstrated technology success and customer commitment.</em></p>
<p><strong>March 20, 2012</strong></p>
<p>EventTracker, by Prism Microsystems, today announced it has attained a Gold ISV competency, demonstrating a “best-in-class” ability and commitment to meet Microsoft Corp. customers’ evolving needs in today’s dynamic business environment and distinguishing itself within the top 1 percent of Microsoft’s partner ecosystem.</p>
<p>To earn a Microsoft gold competency, partners must successfully complete exams (resulting in Microsoft Certified Professionals) to prove their level of technology expertise, and then designate these certified professionals uniquely to one Microsoft competency, ensuring a certain level of staffing capacity. They also must submit customer references that demonstrate successful projects (along with implementing a yearly customer satisfaction study), meet a revenue commitment (for most gold competencies), and pass technology and/or sales assessments.</p>
<p>EventTracker, a leading provider of comprehensive SIEM services, has a long-standing focus on providing complete monitoring of Windows applications, servers and workstations. Earning a gold competency gives customers greater confidence in its products and proves that it continues to be both a market leader and a thought leader in Windows log management.</p>
<p>“This Microsoft Gold ISV competency showcases our expertise in SIEM and log management, and demonstrates our deep knowledge of Microsoft and its products,” said A N Ananth, CEO and co-founder, Prism Microsystems. “We plan to accelerate our customers’ success by serving as technology advisors for their business demands.”</p>
<p>“By achieving a gold competency, partners have demonstrated the highest, most consistent capability and commitment to the latest Microsoft technology,” said Jon Roskill, corporate vice president, Worldwide Partner Group at Microsoft Corp. “These partners have a deep expertise that puts them in the top 1 percent of our partner ecosystem, and their proficiency will help customers drive innovative solutions on the latest Microsoft technology.”</p>
<p>Attaining the Microsoft Independent Software Vendor (ISV)/Software competency demonstrates partner expertise in developing applications based on Microsoft solutions. Equipped with exclusive training, the latest software, and support on Microsoft SQL Server, Windows Server, Windows 7 and Microsoft cloud services, these partners are equipped to develop innovative solutions to meet their customers’ needs.</p>
<p>The Microsoft Partner Network helps partners strengthen their capabilities to showcase leadership in the marketplace on the latest technology, to better serve customers and, with 640,000 Microsoft partners in their ecosystem, to easily connect with one of the most active, diverse networks in the world.</p>
<p><strong>About Prism Microsystems</strong></p>
<p>Prism Microsystems delivers business critical solutions that transform high-volume cryptic log data into actionable, prioritized intelligence that will fundamentally change your perception of the utility, value and organizational potential inherent in log files. Prism’s leading solutions offer Security Information and Event Management (SIEM), real-time Log Management, and powerful Change and Configuration Management to optimize IT operations, detect and deter costly security breaches, and comply with multiple regulatory mandates. Visit <a href="http://www.eventtracker.com/">www.eventtracker.com</a> for more information. Follow us on Twitter @logtalk.</p>
<p><strong>Press Inquiries:</strong></p>
<p>Emily Strotman</p>
<p>443-539-3773</p>
<p><a href="mailto:estrotman@eventtracker.com">estrotman@eventtracker.com</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.eventtracker.com/blog/2012-03-20-microsoft-gold-isv-competency/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SIEM in the Cloud</title>
		<link>http://www.eventtracker.com/blog/2012-03-14-siem-in-the-cloud/</link>
		<comments>http://www.eventtracker.com/blog/2012-03-14-siem-in-the-cloud/#comments</comments>
		<pubDate>Wed, 14 Mar 2012 16:29:56 +0000</pubDate>
		<dc:creator>eventtracker</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.eventtracker.com/?p=3863</guid>
		<description><![CDATA[March EventSource Newsletter By: Rich Ptak, Managing Partner, Ptak, Noel &#38; Associates LLC Prism Microsystem’s founders decided early on that their goal and reason for the company’s existence was to design, develop and deliver SIEM services. As executives with a successful history in entrepreneurship, product development and enterprise management, they knew the risk and seductive promise [...]]]></description>
			<content:encoded><![CDATA[<p>March EventSource Newsletter</p>
<p>By: Rich Ptak, Managing Partner, Ptak, Noel &amp; Associates LLC</p>
<p>Prism Microsystem’s founders decided early on that their goal and reason for the company’s existence was to design, develop and deliver SIEM services. As executives with a successful history in entrepreneurship, product development and enterprise management, they knew the risk and seductive promise of distractive diversification in pursuit of expanded revenues. They committed to concentrating specifically on SIEM functions of monitoring, discovery and warning about threats to security, compliance (in its multiple modes) and operational commitments.</p>
<p>Early on, their experience and careful listening to customers allowed them to align their message and product with market needs. SIEM was and is a specialized, dynamic and evolving task. In 2005, the most frequent question from potential customers was “Why do I need SIEM?” Many companies operated, more or less successfully, with in-place efforts at manual, home-grown and commercial solutions adapted from other functions. In actuality, this meant that such ‘solutions’ were time consuming, diverted scarce talent and yielded results that all too frequently fell far short of justifying the effort applied. EventTracker, among others, entered the market with an integrated solution designed specifically to do SIEM. With EventTracker, IT staff had in hand a collection of streamlined processes that reliably developed accurate, actionable information from log data. The benefits obtained from using these bespoke tools won over skeptics and, as a result, the SIEM solutions market grew. Enterprises became enthusiastic users of on-premise SIEM solutions.</p>
<p>By 2009, the increasing interdependencies resulting from infrastructure interactions and complex, dynamic service delivery elevated the need for fast, accurate analysis of vast amounts of data. SIEM solutions continued to evolve to meet the challenge of more adaptive and dynamic operating environments. Emerging trends in the application of IT technology led to increased integration of the infrastructure. IT responded to business and customer demand for more reliable, faster delivery of high performance services. New services were created by assembling components. The result was increasingly dynamic operation and increasing interaction of distributed components and infrastructure, all of which had to be closely monitored to avoid problems with security, reliability, etc. This meant that SIEM was becoming both a more critical and a more specialized effort. Enterprises began looking for external expertise as the range of knowledge needed for SIEM management expanded with an escalation in the depth and breadth of responsibility.</p>
<p>One example was the demand for organizational accountability resulting from well-publicized failures to protect private records. A wave of regulatory, governmental and enterprise operational mandates were put in place along with a sea-change in accountability. Executive managers were to be held accountable for the effective implementation of controls to assure compliance to an increasing number of continually evolving mandates covering security procedures, access control, performance, etc., as applied to a growing number of business functions. Just keeping current with external mandates was causing major headaches.</p>
<p>This focus on governance and responsibility irrevocably and dramatically changed the relationship between IT and business managers. IT operations and staff had long been intimately involved with and responsible for all aspects of data handling, process implementation, workflows, etc. necessary for compliance. Now, management and IT had to become partners in assuring effective compliance.</p>
<p>The result was increased complexity in maintaining effective monitoring and compliance mechanisms. SIEM had become an operationally critical issue and responsibility. As experience with compliance challenges accumulated and customer sophistication in SIEM matters increased, the demand was for more options. At all levels, including large enterprise, as well as mid-range (100 to 500 systems) and smaller businesses (below 100 systems), the demand was for more flexibility in selecting the range of available services, features and sophistication in analysis. They also were demanding pricing that allowed them to add functionality as their needs changed and the available budget grew.</p>
<p>The explosion of the Whatever-you-want-as-a-Service (XaaS) market also influenced customer demands and expectations. Companies were recognizing and accepting the fact that oftentimes it was to their advantage, both operationally and financially, to selectively outsource some IT services. XaaS services allowed customers to match the consumption of services to demand, spread out payments over a longer period of time, use only the services they needed and avoid responsibilities for maintenance, support, updates, etc.</p>
<p>By the end of 2010, it became clear that the interest in and demand for SIEM as a Cloud-based service was no flash-in-the-pan. Enterprise customers saw it as an increasingly attractive way to outsource services that required expertise and effort not part of their essential business competency and focus. SIEM as a managed service provided a way for the enterprise to free-up scarce IT resources to concentrate on improving competitive positioning, developing new services devoted to increasing revenues, lowering costs and improving performance to increase customer satisfaction.</p>
<p>The need for, and development of hosted enterprise-class SIEM and “Security monitoring as a Service” (SecaaS) became the next logical progression in the evolution of SIEM solutions.</p>
<p>There are several models for SecaaS:  There is the Shared Cloud for small and medium size business. Data is collected locally, compressed, encrypted and sent to a central location for processing. Cost is kept low because companies ‘share’ the infrastructure. They avoid costs of dedicated SIEM infrastructure and support staff, but are guaranteed notification of disruptive events and activities. The companies and their respective data are isolated and protected from each other.</p>
<p>Then, there is the virtual private cloud deployment, for larger enterprises. Each company has its own private virtualized SIEM and data storage environment within the virtual private cloud, which isolates data from other customers. The architecture can handle hundreds of millions of events per day for each customer. Again, the customer saves by not having to purchase and maintain SIEM-specific infrastructure and support staff.</p>
<p>Finally, there is the Managed SIEM Service for those with a SIEM implemented on-site on their own infrastructure. The enterprise either lacks the manpower to monitor the infrastructure or wishes to free its staff from doing so. The service provides 24/7 monitoring and guarantees notification of any incidents or threats to managed services, key alerts and operating conditions.</p>
<p>At this point, we have to mention that today’s conventional wisdom consistently trumpets the superiority and lower cost of XaaS and Cloud solutions. However, recently this assumption is being challenged<a title="" href="#_ftn1">[1]</a>. It is my belief that a cost-benefit comparison is a necessary best practice as part of any project analysis to determine which is the right way to go. But, that’s a topic for another column.</p>
<div>
<hr align="left" size="1" width="33%" />
<div>
<p><a title="" href="#_ftnref1">[1]</a> <a href="http://tinyurl.com/7s8bgj9">http://tinyurl.com/7s8bgj9</a>, http://tinyurl.com/743kdev</p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.eventtracker.com/blog/2012-03-14-siem-in-the-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is your maximum NPH?</title>
		<link>http://www.eventtracker.com/blog/2012-03-07-what-is-your-maximum-nph/</link>
		<comments>http://www.eventtracker.com/blog/2012-03-07-what-is-your-maximum-nph/#comments</comments>
		<pubDate>Wed, 07 Mar 2012 16:00:18 +0000</pubDate>
		<dc:creator>eventtracker</dc:creator>
				<category><![CDATA[logtalk]]></category>

		<guid isPermaLink="false">http://www.eventtracker.com/?p=3565</guid>
		<description><![CDATA[In The Information Diet, Clay Johnson wrote, &#8220;The modern human animal spends upwards of 11 hours out of every 24 in a state of constant consumption. Not eating, but gorging on information &#8230; We&#8217;re all battling a storm of distractions, buffeted with notifications and tempted by tasty tidbits of information. And just as too much [...]]]></description>
			<content:encoded><![CDATA[<p>In <em>The Information Diet</em>, Clay Johnson wrote, &#8220;The modern human animal spends upwards of 11 hours out of every 24 in a state of constant consumption. Not eating, but gorging on information &#8230; We&#8217;re all battling a storm of distractions, buffeted with notifications and tempted by tasty tidbits of information. And just as too much junk food can lead to obesity, too much junk information can lead to cluelessness.”</p>
<p>Audit yourself and you may be surprised to find that you get more than 10 notifications per hour; they can be disruptive to your attention. I find myself trying hard (and often failing) to ignore the smartphone as it beeps softly to indicate a new distraction. I struggle to remain focused on the person in my office as the desktop tinkles for attention.</p>
<p>Should you kill off notifications though? Clay argues that <a href="http://bit.ly/xLp2cw">you should</a> and offers tools <a href="http://resources.informationdiet.com/tools.html">to help</a>.</p>
<p>When designing EventTracker v7, minimizing notifications was a major goal. On Christmas Day in 2008, nobody was stirring, but the &#8220;alerts&#8221; console rang up over 180 items demanding review. It was obvious these were not &#8220;alerts.” This led to the &#8220;risk&#8221; score, which dramatically reduces notifications.</p>
<p>We know that all &#8220;alerts&#8221; are not equal: some merit attention before going to lunch, some before the end of the day, and some by the end of the quarter, budget permitting. There are a very rare few that require us to drop the coffee mug and attend instantly. Accordingly, a properly configured EventTracker installation will rarely &#8220;notify&#8221; you; but when you need to know – that alert will come screaming for your attention.</p>
<p>I am frequently asked what the maximum number of events per second is that can be managed. I think I&#8217;ll begin to ask how many notifications per hour (NPH) the questioner can handle. I think Clay Johnson would approve.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.eventtracker.com/blog/2012-03-07-what-is-your-maximum-nph/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data, data everywhere but not a drop of value</title>
		<link>http://www.eventtracker.com/blog/2012-02-29-data-data-everywhere-but-not-a-drop-of-value/</link>
		<comments>http://www.eventtracker.com/blog/2012-02-29-data-data-everywhere-but-not-a-drop-of-value/#comments</comments>
		<pubDate>Wed, 29 Feb 2012 16:00:07 +0000</pubDate>
		<dc:creator>eventtracker</dc:creator>
				<category><![CDATA[logtalk]]></category>

		<guid isPermaLink="false">http://www.eventtracker.com/?p=3440</guid>
		<description><![CDATA[The sailor in The Rime of the Ancient Mariner relates his experiences after long sea voyage when his ship is blown off course: “Water, water, every where, And all the boards did shrink; Water, water, every where, Nor any drop to drink.” An albatross appears and leads them out, but is shot by the Mariner [...]]]></description>
			<content:encoded><![CDATA[<p>The sailor in <a href="http://en.wikipedia.org/wiki/The_Rime_of_the_Ancient_Mariner"><em>The Rime of the Ancient Mariner</em></a> relates his experiences after a long sea voyage when his ship is blown off course:</p>
<p><em>“Water, water, every where,</em></p>
<p><em>And all the boards did shrink;</em></p>
<p><em>Water, water, every where,</em></p>
<p><em>Nor any drop to drink.”</em></p>
<p>An albatross appears and leads them out, but is shot by the Mariner and the ship winds up in unknown waters. His shipmates blame the Mariner and force him to wear the dead albatross around his neck.</p>
<p>Replace water with data, boards with disk space, and drink with value and the lament would apply to the modern IT infrastructure. We are all drowning in data, but not so much in value. &#8220;Big data&#8221; are datasets that grow so large that managing them with on-hand tools is awkward. They are seen as <a href="http://www.mckinsey.com/Insights/MGI/Research/Technology_and_Innovation/Big_data_The_next_frontier_for_innovation">the next frontier in innovation</a>, competition, and productivity.</p>
<p>Log management is not immune to this trend. As the basic log collection problem (different sources, different protocols and different formats) has been resolved, we&#8217;re now collecting even larger datasets of logs. Many years ago we refuted the argument that log data belonged in a RDBMS, precisely because we saw the side problem of efficient data archival begin to overwhelm the true problem of extracting value from the data. As log data volumes continue to explode, that decision continues to be validated.</p>
<p>However, while storing raw logs in a database was not sensible, the power of databases in extracting patterns and value from data is well established. Recognizing this, EventVault Explorer was released in 2011. Users can extract selected datasets to their choice of external RDBMS (a datamart) for fuzzy searching, pivot tables, etc. As was noted <a href="http://www.eventtracker.com/logtalk/personalization-wins-the-day/">here</a>, the key to managing big data is to personalize the results for maximum impact.</p>
<p>As you look under the covers of SIEM technology, pay attention to that albatross called log archives. It can lead you out of trouble, but you don&#8217;t want it around your neck.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.eventtracker.com/blog/2012-02-29-data-data-everywhere-but-not-a-drop-of-value/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 5 Compliance Mistakes</title>
		<link>http://www.eventtracker.com/blog/2012-02-22-top-5-compliance-mistakes/</link>
		<comments>http://www.eventtracker.com/blog/2012-02-22-top-5-compliance-mistakes/#comments</comments>
		<pubDate>Wed, 22 Feb 2012 16:00:49 +0000</pubDate>
		<dc:creator>eventtracker</dc:creator>
				<category><![CDATA[logtalk]]></category>

		<guid isPermaLink="false">http://www.eventtracker.com/?p=3210</guid>
		<description><![CDATA[5.  Overdoing compensating controls When a legitimate technological or documented business constraint prevents you from satisfying a requirement, a compensating control can be the answer after a risk analysis is performed. Compensating controls are not specifically defined inside PCI, but are instead defined by you (as a self-certifying merchant) or your QSA. It is specifically [...]]]></description>
			<content:encoded><![CDATA[<p><strong>5. Overdoing compensating controls</strong></p>
<p>When a legitimate technological or documented business constraint prevents you from satisfying a requirement, a compensating control can be the answer after a risk analysis is performed. Compensating controls are not specifically defined inside PCI, but are instead defined by you (as a self-certifying merchant) or your QSA. It is specifically not an excuse to push PCI Compliance initiatives through completion at a minimal cost to your company. In reality, most compensating controls are actually harder to do and cost more money in the long run than actually fixing or addressing the original issue or vulnerability. See this <a href="http://www.csoonline.com/article/577363/pci-and-the-art-of-the-compensating-control">article</a> for a clear picture on the topic.</p>
<p><strong>4. Separation of duty</strong></p>
<p>Separation of duties is a key concept of internal controls. Increased protection from fraud and errors must be balanced with the increased cost/effort required.  Both PCI DSS Requirements 3.4.1 and 3.5 mention separation of duties as an obligation for organizations, and yet many still do not do it right, usually because they lack staff.</p>
<p><strong>3. Principle of Least privilege</strong></p>
<p>PCI 2.2.3 says they should &#8220;configure system security parameters to prevent misuse.&#8221; This requires organizations to drill down into user roles to ensure they&#8217;re following the rule of least privilege wherever PCI regulations apply. This is easier said than done; more often it&#8217;s &#8220;easier&#8221; to grant all possible privileges rather than determine and assign just the correct set. Convenience is the enemy of security.</p>
<p><strong>2. Fixating on excluding systems from scope</strong></p>
<p>When you make the process of getting things out of scope a higher priority than addressing real risk, you get in trouble. Risk mitigation must come first and foremost. In far too many cases, out-of-scope becomes out-of-mind. This may make your CFO happy, but a hacker will get past weak security and not care if the system is in scope or not.</p>
<p>And drum roll…</p>
<p><strong>1. Ignoring virtualization </strong></p>
<p>Many organizations have embraced virtualization wholeheartedly given its efficiency gains. In some cases, virtualized machines are now off-premises and co-located at a service provider like Rackspace. This is a trend at federal government facilities. However, &#8220;off-premises&#8221; does not mean &#8220;off-your-list.&#8221; Regardless of the location of the cardholder data, such systems are within scope, as is the hypervisor. In fact, PCI DSS 2.0 says that if the cardholder data is present on even one VM, then the entire VM infrastructure is &#8220;in scope.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.eventtracker.com/blog/2012-02-22-top-5-compliance-mistakes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IT and SIEM Management Drive Business Success</title>
		<link>http://www.eventtracker.com/blog/2012-02-15-it-and-siem-management-drive-business-success/</link>
		<comments>http://www.eventtracker.com/blog/2012-02-15-it-and-siem-management-drive-business-success/#comments</comments>
		<pubDate>Wed, 15 Feb 2012 18:55:54 +0000</pubDate>
		<dc:creator>eventtracker</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.eventtracker.com/?p=3160</guid>
		<description><![CDATA[February EventSource Newsletter By: Rich Ptak, Managing Partner, Ptak, Noel &#38; Associates LLC While there are still some who question the ‘relevance’ of IT to the enterprise, and others who question the ‘future’ of IT, those involved in day-to-day business activities recognize and acknowledge that IT operations is integral to business success and this is [...]]]></description>
			<content:encoded><![CDATA[<p>February EventSource Newsletter</p>
<p>By: Rich Ptak, Managing Partner, Ptak, Noel &amp; Associates LLC</p>
<p>While there are still some who question the ‘relevance’ of IT to the enterprise, and others who question the ‘future’ of IT, those involved in day-to-day business activities recognize and acknowledge that IT operations is integral to business success and this is unlikely to change in the immediate future.  Today’s IT staffer with security incident and event management (SIEM) responsibility must be able not only to detect, identify and respond to anomalies in infrastructure performance and operations, but also build processes, make decisions and take action based on the business impact of the incidents and events recorded in ubiquitous logs.</p>
<p>Since the earliest incarnations of IT infrastructure management, a lot of ingenuity and effort has been applied to detecting, identifying and notifying a responsible party to take action when something occurs that signals a potential problem. Competition, combined with creativity, led to a proliferation of tools able to monitor and alert to problematic events.</p>
<p>Consider how far we’ve come in the process from the old days of manual tracking and analysis. Isn’t the whole process, from detection through analysis to notification and even resolution, now fully automated for nearly all installations?  Aren’t we long past the days when we had to worry about (and avoided) automated management solutions since they likely introduced more problems than they solved? Now, even compliance-related monitoring has been automated. And with the advent of Cloud computing, along with SaaS, PaaS and IaaS, has the user been isolated from the infrastructure underlying service delivery? Doesn’t IT have bigger, more pressing problems to concentrate on than SIEM?</p>
<p>Simply, “no.” While it is true that SIEM has evolved considerably over time, the fact remains that even with more sophisticated, intelligent and automated solutions, there remains the need for IT staff to mine data logs for more information and insight into infrastructure operations, and to understand the impact of that interaction on the delivery of business services and the experiences of the user. IT must be able to identify and inform business staff on risks to SLA and performance commitments. IT must also be able to contribute to defining and taking the actions needed to eliminate or reduce those risks.</p>
<p>The increasing complexity of IT operations, resulting from the expanding diversity and distribution of infrastructure, combines with an evolving, dynamic integration and interaction in the delivery of business services to escalate service disruptions. This means that avoidance of such disruptions is of increasing importance. The link between the service user and the performance of the infrastructure has become more critical. The need for SIEM, and for the IT staff to obtain actionable information from these management solutions, is the combination that drives convergence of the management disciplines associated with Applications Performance Management (APM), Business Process Management (BPM) and Business Service Management (BSM). Once considered and treated as separate areas of expertise, their overlapping interests and interdependencies have become apparent. They cannot succeed if treated as organizational silos. Integrated SIEM, with its detailed end-to-end data collection and analysis, helps to end siloed operations.</p>
<p>For example, BPM assures processes execute precisely and consistently to complete a specific task with all intervening steps. BSM tracks the proper functioning of involved infrastructure at all stages of the service delivery and business process to assure a satisfactory end-user experience. APM optimizes infrastructure utilization and performance.  IT needs to understand the involvement and impact of infrastructure on service delivery – hence they need data from all three functions. This involves monitoring, analyzing and reporting on a staggering number of incidents and events to identify what is significant to initiate appropriate action. This is the environment in which today’s SIEM best solutions demonstrate their value.</p>
<p>Free, entry-level SIEM solutions (such as EventTracker Pulse) provide basic functionality to begin data gathering, analysis and reporting from multiple different sources. Such solutions eliminate error-prone and tedious manual efforts. They can also provide basic application and service management. More feature rich products such as EventTracker Enterprise offer sophisticated functionality like complex analysis and custom reporting of potentially problematic behavior.</p>
<p>High functionality SIEM solutions provide significant opportunity for IT to exercise and demonstrate its ability to contribute to business success. The ability to document that ability is even more necessary as virtualized infrastructures and Cloud proliferate as <em>de facto </em>operating models.</p>
<p>The idea that IT operates to support the overall success of the business, not simply to manage infrastructure, is no longer a matter of contention. Today, IT is also under increasing pressure to document and demonstrate its contributions to business success. The difficulty, in an environment filled with competing solutions, comes in deciding just how to do this most effectively without breaking the budget. The answer is found in leveraging cost-effective SIEM solutions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.eventtracker.com/blog/2012-02-15-it-and-siem-management-drive-business-success/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The 5 Most Annoying Terms of 2011</title>
		<link>http://www.eventtracker.com/blog/2012-02-14-the-5-most-annoying-terms-of-2011/</link>
		<comments>http://www.eventtracker.com/blog/2012-02-14-the-5-most-annoying-terms-of-2011/#comments</comments>
		<pubDate>Tue, 14 Feb 2012 16:00:06 +0000</pubDate>
		<dc:creator>eventtracker</dc:creator>
				<category><![CDATA[logtalk]]></category>

		<guid isPermaLink="false">http://www.eventtracker.com/?p=3150</guid>
		<description><![CDATA[Since every cause needs “Awareness,” here are my picks for management speak to camouflage the bloody obvious:  5. Events per second Log Management vendors are still trying to “differentiate” with this tired and meaningless metric as we pointed out in The EPS Myth.  4. Thought leadership Mitch McCrimmon describes it best.  3. Cloud Now here [...]]]></description>
			<content:encoded><![CDATA[<p>Since every cause needs “Awareness,” here are my picks for management speak to camouflage the bloody obvious:</p>
<p><strong> 5. <em>Events per second</em></strong></p>
<p>Log Management vendors are still trying to “differentiate” with this tired and meaningless metric as we pointed out in <a title="EPSMyth" href="http://www.eventtracker.com/logtalk/the-eps-myth/" target="_blank">The EPS Myth</a>.</p>
<p><strong> 4. <em>Thought leadership</em></strong></p>
<p>Mitch McCrimmon describes it <a href="http://www.leadersdirect.com/thought-leadership" target="_blank">best</a>.</p>
<p><strong> 3. <em>Cloud</em></strong></p>
<p>Now here is a <a href="http://en.wikipedia.org/wiki/Cloud">term</a> that means <a href="http://www.cloudywithachanceofmeatballs.com/">all things</a> to <a href="http://en.wikipedia.org/wiki/Cloud_computing">all people</a>.</p>
<p><strong> 2. <em>Does that make sense?</em></strong></p>
<p>The new “to be honest.” Jerry Weismann <a href="http://blogs.hbr.org/cs/2011/09/never_ask_does_that_make_sense.html">discusses it</a> in the Harvard Business Review.</p>
<p><strong> 1. <em>Nerd</em></strong></p>
<p>During the recent SOPA debate, so many self-described “country boys” wanted to get the “nerds” to explain the issue to them; as Jon Stewart <a href="http://rds.yahoo.com/_ylt=A2KLqIFBsBlPNywAVv_7w8QF/SIG=139i8aodi/EXP=1327112385/**http%3a/screen.yahoo.com/the-daily-show-with-jon-stewart-thu-jan-19-2012-27936981.html">pointed out</a>, the word they were looking for was “expert.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.eventtracker.com/blog/2012-02-14-the-5-most-annoying-terms-of-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>