Perimeter
4/5/2011
11:49 AM
Commentary
Commentary
Commentary
50%
50%

IT GRC, ESIM Vendors Dig In For War

With no sign of the two technologies combining into one, where does that leave the buyer?

Although IT GRC and the easily identifiable vendors that compete in the sector might sound fairly cut-and-dry, there is an adjacent technology sector muddying the water and causing confusion among buyers: enterprise security information management (ESIM).

The ESIM sector is composed primarily of security information and event management (SIEM) and log management vendors. One could easily draw static lines dividing disparate security technologies, but the lines (if they ever truly existed) between ESIM and IT GRC products are starting to blur.

Since EMC's January 2010 acquisition of Archer Technologies, ESIM vendors are including more risk-centric capabilities within their core products. In fact, many ESIM vendors began searching for an IT GRC product acquisition to achieve the competitive parity presented by a joint RSA (enVision) and EMC (Archer) product pairing. From a 10,000-foot view, one could easily draw parallels between both product sectors.

Generally speaking, both can consume log and vulnerability data in addition to providing users with alerting, dashboard, and ticket workflow capabilities. The biggest difference, however, is the audience for which each product is designed. ESIM products have always had a heavily weighted operations and security side, whereas IT GRC products are traditionally presented to CISO-, CSO- and CFO-level executives, in addition to the somewhat newly minted chief risk officer (CRO) and chief compliance officer (CCO) designates.

To appeal to all levels of the organization, nearly all of these vendors present their products with an alluring and whimsical term to hook buyers: a single pane of glass. Promising the coveted single pane of glass for all levels of the organization to leverage, vendors are hoping to bring their products to bear in support of the entire business stack -- from the entrenched security practitioner at the bottom to the executive branch of the organization.

Unfortunately, it is extremely difficult to present data in a way that is everything to everyone, since ESIM and IT GRC products were designed with different business use cases in mind. So ESIM is a more security-centric and operationally positioned technology, while IT GRC is a more business-centric and process-positioned technology.

So which one should you pick? One issue that plagues the adoption of IT GRC systems is the cost of purchasing both an IT GRC and ESIM product. Organizations faced with having to choose between an IT GRC or ESIM product typically do not have the budget to purchase both. Since the purchase of an ESIM is predominantly driven by a compliance mandate, the water becomes even more muddied when the buyer learns that the ESIM could cover everything but the "G" portion of IT GRC -- a somewhat lofty claim when the capabilities of both product sectors are examined under the end-user microscope.

So who's the buyer for IT GRC? The side of the organization that purchases IT GRC products remains those responsible for the measurement and reporting of risk and compliance within the organization. These people are also the holders of the budget for projects of this nature and might see the security aspect of an ESIM as simply "nice to have," as opposed to a primary purchasing driver. Should the security team have little sway over those further up the management stack, increasingly more organizations could find themselves adopting IT GRC products over ESIM products.

While I don't see the ESIM and IT GRC sectors converging to create a new combined sector, it is likely safe to postulate that there will at least be some overlap in the immediate future as the adjacent sectors figure each other out.

A more likely result will be closer integration and data sharing between the products in each sector. Why send IDS logs to both an ESIM and an IT GRC product when one could simply forward the data to the other? Instead of poking holes in a perimeter firewall to allow data sources to feed a cloud-based IT GRC product, why not allow the on-premises ESIM product to aggregate and forward, or vice versa? Of course, in order to facilitate this transparent cooperation, a promiscuous integration stance will need to be embraced by the vendors in their respective sectors to further the cross-pollination between products.

Andrew Hay is a senior security analyst with The 451 Group's Enterprise Security Practice

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8893
Published: 2015-01-28
Multiple cross-site scripting (XSS) vulnerabilities in (1) mainpage.jsp and (2) GetImageServlet.img in IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-8894
Published: 2015-01-28
Open redirect vulnerability in IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via the out parameter.

CVE-2014-8895
Published: 2015-01-28
IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allows remote attackers to bypass intended access restrictions and read the image files of arbitrary users via a crafted URL.

CVE-2014-8917
Published: 2015-01-28
Multiple cross-site scripting (XSS) vulnerabilities in (1) dojox/form/resources/uploader.swf (aka upload.swf), (2) dojox/form/resources/fileuploader.swf (aka fileupload.swf), (3) dojox/av/resources/audio.swf, and (4) dojox/av/resources/video.swf in the IBM Dojo Toolkit, as used in IBM Social Media A...

CVE-2014-8920
Published: 2015-01-28
Buffer overflow in the Data Transfer Program in IBM i Access 5770-XE1 5R4, 6.1, and 7.1 on Windows allows local users to gain privileges via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.