Posts tagged: 'event management'

The following posts are associated with the tag you have selected. You may subscribe to the RSS feed for this tag to receive future updates relevant to the topic(s) of your interest.

“Keeping it in context”

Earlier this week, HP announced its plans to acquire ArcSight for $1.5 billion. This news signaled HP’s recognition that central log and event management is an essential technology platform for HP to pursue their vision on multiple fronts. Bill Veghte, HP’s executive vice president for software and solutions, said on a call with Wall Street analysts that the announcement confirms “HP’s intent to be a leader in enterprise security”.

Some SIEM vendors have used this news as a chance to spread FUD (fear, uncertainty and doubt) to organizations that might be considering an ArcSight purchase by suggesting that product development schedules at ArcSight/HP will be delayed, service response times will be hit, etc. Do they really think most IT purchasers just fell off the turnip truck? Certainly things will change for ArcSight. But mergers and acquisitions happen all the time and most IT purchasers are more than capable of assessing how vendors match up against their decision criteria, including those vendors that are in the process of being, or have recently been, acquired. These IT purchasers don’t benefit from vendor fear-mongering. Rather than contributing more FUD, I think a closer evaluation of Mr. Veghte’s comments serves a more useful purpose.

Mr. Veghte stated that the visibility ArcSight’s products bring into an organization is a cornerstone for HP to becoming a leader in enterprise security and that “if you can’t see it, you can’t secure it.”
While his statement certainly sounds good, if you’re only seeing “it” without seeing “it” in context, you’ll remain blind to potentially serious threats and significant points of exposure. By “context” I’m referring to all the other information relevant to that activity (the forensic details that help to tell the full story and/or paint the complete picture).

Let’s take an activity that on the surface is deemed benign at the time of occurrence, such as a successful authentication to a VPN server. Successful VPN connections happen all day long and represent normal business activity. As such, this activity never gets classified as an “event”. It’s simply seen as one of a million benign logs. But what if the user was connecting via VPN from Poltava, Ukraine at 2am local time? Wait a minute. You don’t have any operations in Ukraine and the apparent “trusted” user copied data from your payment application server to their laptop. Furthermore, that particular user logged off from his office in San Diego just six hours earlier. It becomes clear that just seeing your VPN server and perhaps even watching for unauthorized access isn’t enough.

Capturing valuable contextual data such as direction, bytes in/out, geolocation information, impacted hosts and applications, universal time, etc., and storing it in a single, highly accessible and searchable data structure is critical to truly securing your enterprise. LogRhythm provides over 40 metadata fields to capture such context with powerful tools to tap that information for unprecedented insight and awareness.

We’ll be steering clear of turnip trucks and continuing to build truly best-in-class Log Management and SIEM 2.0 solutions (and keeping things in context).


Tags: , , ,

1 Comment | General


The Genesis of LogRhythm – Integrated Log Management & SIEM

For my initial Blog posting, I thought it worthwhile to share with you our mindset and vision for starting LogRhythm.  I mean, after all, what drives a couple of 30 year old men to put their combined financial fortunes into a software startup?  Phil had just gotten his Ph.D. in Physics from the University of Colorado.  I had become used to making six-figure salaries with reputable security service/product companies.  We both had lucrative paths open to us that were certainly more secure.  So why go “all in” on LogRhythm?

For me, it was pretty basic.  I saw fundamental failings with the state of intrusion detection, network monitoring, and security event management in 2002.  I knew a better solution was needed, should exist, and we could build it.  For Phil, his reasons were more on the intellectual side.  Through conversations we’d had around campfires in Colorado – after a beer or four – he’d come to understand some of the data analytics challenges I’d become familiar with while at Counterpane.  Through these conversations, Phil saw an opportunity to apply his high-performance computing and data analytics background to the problem of finding high value information within the noise of log and event data.

In September of 2002 Phil flew to DC and we spent three weeks in my kitchen prototyping an anomaly detection engine based on log data.  The result of this effort was proof we could find high value events current SIEM could not.  We also determined the reason current technology could not find these events was because the architecture and approach could not support the analytics we envisioned.  Most significantly, SIEM was not collecting ALL the logs, they were only collecting events and discarding everything else.  For the revolutionary analytics we prototyped and foresaw, we needed not just events, but log data across the entire IT stack.  We knew a fundamentally new approach and architecture was needed to advance the state of the art.

With a belief that what we were doing was important, needed, and doable, I sold my house to fund the company.  With $100,000 from my home, personal savings and credit cards, we spent the next three years developing the LogRhythm platform.  In 2005 we released LogRhythm 2.0, the first truly integrated Log and Event Management platform.  That year we managed to land our first customer, attracted a CEO and began to seek outside funding.  It has been off to the races ever since.

With this Blog, I and others at LogRhythm look forward to sharing with you our unique vision and approach for this vitally important technology and welcome your contributions to “The Dialog.”

Thank you.

Chris Petersen

Tags: , , ,

1 Comment | General