Multiple data sources + analytics = improved situational awareness

Remember when commercial security information and event management (SIEM) platforms came out in the early 2000s? At that time these systems were designed to take in firewall and IDS events, correlate and filter the data, and tell you whether you were under attack. Since then, SIEM platforms have gone in a multitude of directions such as compliance, IT operations, and network performance management, based on where the VCs saw the best chance for short-term revenue.

Fast forward to the past few years, the era of low-and-slow sophisticated attacks sometimes referred to as Advanced Persistent Threats (APTs). CISOs quickly learned that their "jack-of-all-trades" SIEM platforms weren't so helpful for things like log management, security analysis, or forensic investigations. To cover these requirements, large organizations turned to the likes of Fidelis Security, FireEye, LogRhythm, Splunk and Trend Micro.

Earlier this week, RSA Security jumped into the fray, albeit with a different approach that may be especially interesting for enterprises with lots of Internet traffic and complex networks. Combining multiple assets, RSA announced a nomenclature mashup product called RSA NetWitness Panorama. Panorama can be a bit confusing, as it can be part of a NetWitness implementation, deployed with enVision, or act as a stand-alone log management service. In the NetWitness context, Panorama is intended to enhance "situational awareness" by bringing network forensic data and log data together into a common platform for analytics. If you think you are under attack, you now have one place to go for analysis across multiple data sources. The bad guys know how to cover their trail and find places to hide; a low-and-slow intrusion that looks unremarkable in the authentication logs alone, or in the network traffic alone, often stands out once the two are joined by host and time. Combining network forensic and log data gives CISOs a more complete intelligence picture in order to smoke them out.

Reading between the lines here, Panorama also points to a burgeoning security architecture from RSA.
I foresee a data collection tier, a middleware tier, and then multiple analytics engines that use this data for various purposes (event detection, security controls management, analytics, compliance, etc.). I know IBM and HP are thinking along the same lines.

Security is really about two things: 1) make attacks as difficult as possible, which involves risk management, secure IT design, layered defenses, etc., and 2) implement the right tools and analytics to detect and respond to attacks. Security best practices tend to focus on #1, but we need really strong data analytics to deal with #2. This is the area that RSA is focused on.
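The two ideas above, a collection tier that normalizes different sources into one schema and an analytics engine that joins them, are easy to show in a few dozen lines. The following is an added example, not RSA or NetWitness code: it takes a handful of constructed sshd log lines and constructed netflow-style records, maps both into a common event schema (the collection tier), and runs one analytic over the merged stream. The analytic flags a host where an external address failed to log in a few times over several hours, then succeeded, and the host then pushed a large outbound transfer shortly afterward. The hostname-to-IP table, thresholds and sample data are all assumptions made for the example; the point it illustrates is that the authentication log alone and the flow data alone each produce no alert, while the joined data does.

```python
"""Correlate authentication-log events with network flow records in one schema.

Added example (not RSA/NetWitness code). A collection tier normalizes two
unlike sources into a common event schema; an analytics tier joins them by
host and time to flag a low-and-slow pattern that neither source shows alone.
All sample data, the asset table and the thresholds are constructed here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory (hostname -> IP); assumed, not from any real site.
ASSETS = {"web01": "10.0.0.5", "db01": "10.0.0.9"}

# Constructed sshd log lines: three failures spread over an hour, then a success.
AUTH_LOG = """\
2024-03-01T02:10:05Z web01 sshd[811]: Failed password for admin from 203.0.113.9 port 51022
2024-03-01T02:41:17Z web01 sshd[812]: Failed password for admin from 203.0.113.9 port 51040
2024-03-01T03:15:42Z web01 sshd[813]: Failed password for admin from 203.0.113.9 port 51077
2024-03-01T03:52:09Z web01 sshd[815]: Accepted password for admin from 203.0.113.9 port 51101
2024-03-01T03:55:00Z db01 sshd[816]: Accepted publickey for deploy from 10.0.0.7 port 40000
"""

# Constructed netflow-style records: start_time,src_ip,dst_ip,dst_port,bytes_out
FLOW_CSV = """\
2024-03-01T03:58:30Z,10.0.0.5,198.51.100.20,443,734003200
2024-03-01T03:56:10Z,10.0.0.7,10.0.0.9,5432,20480
2024-03-01T01:00:00Z,10.0.0.5,198.51.100.40,443,4096
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"\S+ for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def collect_auth(text):
    """Collection tier: sshd syslog lines -> common schema events."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped; a real collector would count them
        events.append({
            "ts": parse_ts(m["ts"]), "source": "authlog",
            "host_ip": ASSETS.get(m["host"], m["host"]), "peer_ip": m["src"],
            "user": m["user"],
            "action": "login_ok" if m["result"] == "Accepted" else "login_fail",
            "bytes": 0,
        })
    return events


def collect_flows(text):
    """Collection tier: netflow-style CSV -> the same common schema."""
    events = []
    for line in text.splitlines():
        ts, src, dst, _port, nbytes = line.split(",")
        events.append({
            "ts": parse_ts(ts), "source": "netflow", "host_ip": src,
            "peer_ip": dst, "user": None, "action": "flow_out", "bytes": int(nbytes),
        })
    return events


def suspicious_access_then_exfil(events, fail_min=3, exfil_bytes=100 * 2**20,
                                 window=timedelta(hours=2)):
    """Analytics tier: join both sources by host and time.

    Alert when one external peer produced >= fail_min failed logins to a host,
    then logged in successfully, and the host then sent >= exfil_bytes outbound
    within `window`. The failures are hours apart (below a per-minute brute-force
    threshold) and a large HTTPS upload is routine, so neither source alerts alone.
    """
    fails = defaultdict(int)   # (host_ip, peer_ip) -> failed-login count
    compromised = {}           # host_ip -> (success time, attacker ip, user)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["host_ip"], e["peer_ip"])
        if e["action"] == "login_fail":
            fails[key] += 1
        elif e["action"] == "login_ok" and fails[key] >= fail_min:
            compromised[e["host_ip"]] = (e["ts"], e["peer_ip"], e["user"])
        elif e["action"] == "flow_out" and e["host_ip"] in compromised:
            login_ts, attacker, user = compromised[e["host_ip"]]
            if e["bytes"] >= exfil_bytes and timedelta(0) <= e["ts"] - login_ts <= window:
                alerts.append({"host": e["host_ip"], "user": user, "attacker": attacker,
                               "exfil_dst": e["peer_ip"], "bytes": e["bytes"],
                               "evidence": ["authlog", "netflow"]})
    return alerts


def run_pipeline(auth_text=AUTH_LOG, flow_text=FLOW_CSV):
    """Merge both collectors' output and run the analytic over the joined stream."""
    return suspicious_access_then_exfil(collect_auth(auth_text) + collect_flows(flow_text))


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Running the analytic over `collect_auth(AUTH_LOG)` by itself, or over `collect_flows(FLOW_CSV)` by itself, returns no alerts; only `run_pipeline()`, which sees both sources in one schema, reports the web01 host, the 203.0.113.9 source and the 700 MiB transfer. In a real deployment the middleware tier would carry the normalized events on a bus so that several engines (this detection, a compliance report, a controls-validation job) could consume the same stream without each re-parsing the raw sources.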