
Perimeter

4/5/2011
11:49 AM
Commentary

IT GRC, ESIM Vendors Dig In For War

With no sign of the two technologies combining into one, where does that leave the buyer?

Although IT GRC and the easily identifiable vendors that compete in the sector might sound fairly cut-and-dried, there is an adjacent technology sector muddying the water and causing confusion among buyers: enterprise security information management (ESIM).

The ESIM sector is composed primarily of security information and event management (SIEM) and log management vendors. One could easily draw static lines dividing disparate security technologies, but the lines (if they ever truly existed) between ESIM and IT GRC products are starting to blur.

Since EMC's January 2010 acquisition of Archer Technologies, ESIM vendors are including more risk-centric capabilities within their core products. In fact, many ESIM vendors began searching for an IT GRC product acquisition to achieve the competitive parity presented by a joint RSA (enVision) and EMC (Archer) product pairing. From a 10,000-foot view, one could easily draw parallels between both product sectors.

Generally speaking, both can consume log and vulnerability data in addition to providing users with alerting, dashboard, and ticket workflow capabilities. The biggest difference, however, is the audience for which each product is designed. ESIM products have always had a heavily weighted operations and security side, whereas IT GRC products are traditionally presented to CISO-, CSO- and CFO-level executives, in addition to the somewhat newly minted chief risk officer (CRO) and chief compliance officer (CCO) designates.

To appeal to all levels of the organization, nearly all of these vendors present their products with an alluring and whimsical term to hook buyers: a single pane of glass. Promising the coveted single pane of glass for all levels of the organization to leverage, vendors are hoping to bring their products to bear in support of the entire business stack -- from the entrenched security practitioner at the bottom to the executive branch of the organization.

Unfortunately, it is extremely difficult to present data in a way that is everything to everyone, since ESIM and IT GRC products were designed with different business use cases in mind. So ESIM is a more security-centric and operationally positioned technology, while IT GRC is a more business-centric and process-positioned technology.

So which one should you pick? One issue that plagues the adoption of IT GRC systems is the cost of purchasing both an IT GRC and an ESIM product. Organizations faced with having to choose between an IT GRC and an ESIM product typically do not have the budget to purchase both. Since the purchase of an ESIM is predominantly driven by a compliance mandate, the water becomes even more muddied when the buyer learns that the ESIM could cover everything but the "G" portion of IT GRC -- a somewhat lofty claim when the capabilities of both product sectors are examined under the end-user microscope.

So who's the buyer for IT GRC? The side of the organization that purchases IT GRC products remains those responsible for the measurement and reporting of risk and compliance within the organization. These people are also the holders of the budget for projects of this nature and might see the security aspect of an ESIM as simply "nice to have," as opposed to a primary purchasing driver. Should the security team have little sway over those further up the management stack, more and more organizations could find themselves adopting IT GRC products over ESIM products.

While I don't see the ESIM and IT GRC sectors converging to create a new combined sector, it is likely safe to postulate that there will at least be some overlap in the immediate future as the adjacent sectors figure each other out.

A more likely result will be closer integration and data sharing between the products in each sector. Why send IDS logs to both an ESIM and an IT GRC product when one could simply forward the data to the other? Instead of poking holes in a perimeter firewall to allow data sources to feed a cloud-based IT GRC product, why not allow the on-premises ESIM product to aggregate and forward, or vice versa? Of course, in order to facilitate this transparent cooperation, a promiscuous integration stance will need to be embraced by the vendors in their respective sectors to further the cross-pollination between products.

Andrew Hay is a senior security analyst with The 451 Group's Enterprise Security Practice.
