Perimeter
4/5/2011
11:49 AM
Commentary
Commentary
Commentary
Connect Directly
RSS
E-Mail
50%
50%

IT GRC, ESIM Vendors Dig In For War

With no sign of the two technologies combining into one, where does that leave the buyer?

Although IT GRC and the easily identifiable vendors that compete in the sector might sound fairly cut-and-dry, there is an adjacent technology sector muddying the water and causing confusion among buyers: enterprise security information management (ESIM).

The ESIM sector is composed primarily of security information and event management (SIEM) and log management vendors. One could easily draw static lines dividing disparate security technologies, but the lines (if they ever truly existed) between ESIM and IT GRC products are starting to blur.

Since EMC's January 2010 acquisition of Archer Technologies, ESIM vendors are including more risk-centric capabilities within their core products. In fact, many ESIM vendors began searching for an IT GRC product acquisition to achieve the competitive parity presented by a joint RSA (enVision) and EMC (Archer) product pairing. From a 10,000-foot view, one could easily draw parallels between both product sectors.

Generally speaking, both can consume log and vulnerability data in addition to providing users with alerting, dashboard, and ticket workflow capabilities. The biggest difference, however, is the audience for which each product is designed. ESIM products have always had a heavily weighted operations and security side, whereas IT GRC products are traditionally presented to CISO-, CSO- and CFO-level executives, in addition to the somewhat newly minted chief risk officer (CRO) and chief compliance officer (CCO) designates.

To appeal to all levels of the organization, nearly all of these vendors present their products with an alluring and whimsical term to hook buyers: a single pane of glass. Promising the coveted single pane of glass for all levels of the organization to leverage, vendors are hoping to bring their products to bear in support of the entire business stack -- from the entrenched security practitioner at the bottom to the executive branch of the organization.

Unfortunately, it is extremely difficult to present data in a way that is everything to everyone, since ESIM and IT GRC products were designed with different business use cases in mind. So ESIM is a more security-centric and operationally positioned technology, while IT GRC is a more business-centric and process-positioned technology.

So which one should you pick? One issue that plagues the adoption of IT GRC systems is the cost of purchasing both an IT GRC and ESIM product. Organizations faced with having to choose between an IT GRC or ESIM product typically do not have the budget to purchase both. Since the purchase of an ESIM is predominantly driven by a compliance mandate, the water becomes even more muddied when the buyer learns that the ESIM could cover everything but the "G" portion of IT GRC -- a somewhat lofty claim when the capabilities of both product sectors are examined under the end-user microscope.

So who's the buyer for IT GRC? The side of the organization that purchases IT GRC products remains those responsible for the measurement and reporting of risk and compliance within the organization. These people are also the holders of the budget for projects of this nature and might see the security aspect of an ESIM as simply "nice to have," as opposed to a primary purchasing driver. Should the security team have little sway over those further up the management stack, increasingly more organizations could find themselves adopting IT GRC products over ESIM products.

While I don't see the ESIM and IT GRC sectors converging to create a new combined sector, it is likely safe to postulate that there will at least be some overlap in the immediate future as the adjacent sectors figure each other out.

A more likely result will be closer integration and data sharing between the products in each sector. Why send IDS logs to both an ESIM and an IT GRC product when one could simply forward the data to the other? Instead of poking holes in a perimeter firewall to allow data sources to feed a cloud-based IT GRC product, why not allow the on-premises ESIM product to aggregate and forward, or vice versa? Of course, in order to facilitate this transparent cooperation, a promiscuous integration stance will need to be embraced by the vendors in their respective sectors to further the cross-pollination between products.

Andrew Hay is a senior security analyst with The 451 Group's Enterprise Security Practice

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.