UTMs are classically defined as a combination of anti-virus, firewall and IDS (or some similar bundle, depending on which vendor you listen to). SIEMs classically emerged from the marriage of SIM (security information management) and SEM (security event management). So much for classical definitions. Today we see supersets of each and crossovers between the two, which is where we believe this genre is headed.
There is a small "gotcha" in today's UTM/SIEM evolution as well, and that is the next-generation firewall. NextGen firewalls are, in our opinion, the industry's response to the death of the perimeter. And a good response it is. It is good because it has brought the notion of next-generation technology to the fore. That may have started out as marketing hype intended to differentiate a product from its less sophisticated competitors, but the actual result is that a fairly clear set of requirements for "NextGen" has emerged.
For example, NextGen means that some form of machine learning and/or advanced analytics is present. It is also likely that third-party threat feeds are a staple; in some cases, these products are tied to the vendor's own threat intelligence feed. So the idea of NextGen is solid, founded in information science and in technologies that apply that science in useful ways. Why this matters to a discussion of UTM/SIEM is that some NextGen firewalls exhibit UTM/SIEM qualities. Of course, this muddies the market a bit, but looked at critically, the three types of products have plenty of opportunity to overlap and, perhaps, converge.
We have at least one product this month that insists it is a next-generation firewall. We did not agree, which generated an interesting conversation, and we now have seen the light. So, as we move through this month's products, it might be a useful exercise to consider just where this market is headed and how it might affect you.
The question of which kind of product to buy is a bit thorny. Is a SIEM, a UTM or even a NextGen firewall your cup of tea? Start with what your infrastructure looks like. A large, distributed architecture with disparate locations around the world presents a huge challenge technically, operationally and legally. Remember that SIEMs correlate data that other devices generate, UTMs generate their own data from the traffic they inspect inline, and NextGen firewalls do a bit of each. Remember, too, that the NextGen firewall has blocking the bad guys as its primary mission.
Interestingly, though, the NextGen firewall also generates some intelligence. Firewalls have the benefit of being easy to distribute and to manage centrally. Given some form of aggregation and correlation across those distributed devices, huge amounts of threat intelligence - actionable threat intelligence - are likely to be available. Feeding it back into the firewalls gives a defense layer that evolves with the threatscape. The caveat is that what goes back must be filtered: a loop that pushes every denied source straight onto every firewall's block list will lock out a misconfigured partner or an internal host just as readily as an attacker.
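As an added worked example (not code from the article or from any of the vendors reviewed), the following Python script shows the aggregate-correlate-feed-back loop described above in miniature: deny events from three hypothetical firewalls are parsed, sources denied at more than one site or matching a third-party feed are flagged, and the result is rendered as a block list to push back out. The log format, site names, feed entries, the two-site threshold and the exclusion of RFC 1918 sources are all constructed assumptions for illustration.

```python
"""Added example: minimal SIEM-style cross-site correlation of firewall deny logs,
enriched with a third-party threat feed, producing a block list to push back to
the firewalls. Log lines, site names and feed entries are constructed, not real."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import re

# Constructed syslog-like deny/allow lines from three hypothetical firewalls.
# One deliberately malformed line is included to show the parser skips it.
SAMPLE_LOGS = """\
2016-03-01T10:00:01Z fw-london  action=deny  src=203.0.113.5   dst=10.1.0.20 dport=22
2016-03-01T10:00:04Z fw-london  action=deny  src=203.0.113.5   dst=10.1.0.21 dport=22
2016-03-01T10:01:10Z fw-tokyo   action=deny  src=203.0.113.5   dst=10.2.0.7  dport=22
2016-03-01T10:01:12Z fw-newyork action=deny  src=203.0.113.5   dst=10.3.0.9  dport=3389
2016-03-01T10:02:00Z fw-tokyo   action=deny  src=198.51.100.9  dst=10.2.0.7  dport=445
2016-03-01T10:02:30Z fw-newyork action=deny  src=198.51.100.9  dst=10.3.0.9  dport=445
2016-03-01T10:03:00Z fw-london  action=deny  src=192.0.2.44    dst=10.1.0.20 dport=80
2016-03-01T10:03:05Z fw-london  action=allow src=192.0.2.44    dst=10.1.0.20 dport=443
2016-03-01T10:04:00Z fw-tokyo   action=deny  src=203.0.113.77  dst=10.2.0.7  dport=23
2016-03-01T10:05:00Z fw-london  action=deny  src=10.1.0.50     dst=10.1.0.20 dport=22
2016-03-01T10:05:02Z fw-tokyo   action=deny  src=10.1.0.50     dst=10.2.0.7  dport=22
garbage line from a misbehaving collector
"""

# Constructed third-party feed: indicator -> source tag (assumed format).
THREAT_FEED = {
    "198.51.100.9": "feed-A:scanner",
    "203.0.113.77": "feed-B:botnet-c2",
}

# Internal address space that must never be pushed to a perimeter block list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<fw>\S+)\s+action=(?P<action>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)$"
)


@dataclass
class Event:
    ts: str
    fw: str
    action: str
    src: str
    dst: str
    dport: int


def parse_logs(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["fw"], m["action"], m["src"], m["dst"], int(m["dport"])))
    return events


def correlate(events, feed, min_sites=2):
    """Return {src_ip: [reasons]}. A source is flagged when it is denied by at least
    `min_sites` distinct firewalls (a pattern no single firewall can see on its own)
    or when it matches the third-party feed. Internal sources are excluded so that a
    misconfigured host never ends up on the perimeter block list."""
    sites_by_src = defaultdict(set)
    for ev in events:
        if ev.action != "deny":
            continue
        try:
            ip = ipaddress.ip_address(ev.src)
        except ValueError:
            continue
        if any(ip in net for net in INTERNAL_NETS):
            continue
        sites_by_src[ev.src].add(ev.fw)

    flagged = {}
    for src, sites in sites_by_src.items():
        reasons = []
        if len(sites) >= min_sites:
            reasons.append(f"denied at {len(sites)} sites: {', '.join(sorted(sites))}")
        if src in feed:
            reasons.append(f"threat feed match: {feed[src]}")
        if reasons:
            flagged[src] = reasons
    return flagged


def render_blocklist(flagged):
    """The artifact pushed back to the firewalls: one /32 per line, sorted by address."""
    return "\n".join(f"{ip}/32" for ip in sorted(flagged, key=ipaddress.ip_address))


if __name__ == "__main__":
    hits = correlate(parse_logs(SAMPLE_LOGS), THREAT_FEED)
    for ip, why in hits.items():
        print(ip, "->", "; ".join(why))
    print(render_blocklist(hits))
```

The point of the two-site threshold is that it is the correlation step, not any single firewall, that turns noise into intelligence: 192.0.2.44 is denied once at one site and stays off the list, while 203.0.113.5 is flagged purely because three independent firewalls saw it. The feed match supplies the second path onto the list, and the internal-range exclusion is the filter the caveat above calls for.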
Additionally, today's heavy-duty UTMs can perform much of what a firewall does and add the dimensions of various secure gateways - web, email and so on - that add value to how you protect the perimeter. Earlier, though, we said that the perimeter is a disappearing phenomenon. And so it is. Firewalls tend to be perimeter devices, but if there is no perimeter, what then? The reality is that even in enterprises where the perimeter is quite porous, there are parts of the enterprise that need a hard boundary between the trusted and untrusted sides.
Now we are beginning to build a picture of an enterprise that can benefit from all three types of device, depending on where you put them. Bearing that in mind, the products we are looking at this month should not be viewed as SIEM versus UTM versus NextGen firewall. Rather, you should consider each in the context of your own enterprise.
This is an extension of an old cyber forensic rule: don't look in your tool kit and ask, as you pull out each tool in turn, "Now, how do I use this for my investigation?" Rather, start solving the problem, recognize that a particular type of tool is necessary and then dig it out. In other words, specific problems demand specific tools, not the other way around.
So now we have some parameters to judge by. We have some commonalities and differentiators, and we have challenges within our enterprises to address. The next step is to see what is on offer in the marketplace, make some architectural choices and end by applying the available tools as those choices dictate. There certainly are some fine tools this month, so you should have what you need to start your thinking process. Enjoy!
Specifications for UTM/SIEM/NGFW management tools (● = yes, ○ = no)
Product | AlienVault | CorreLog | EventTracker | Fortinet | LogRhythm | McAfee | Splunk | Sophos |
Performs log correlation | ● | ● | ● | ● | ● | ● | ● | ○ |
Offers | ● | ● | ● | ● | ● | ● | ● | ○ |
Available as a cloud service | ● | ○ | ● | ● | ● | ● | ● | ○ |
Supports | ○ | ○ | ○ | ○ | ○ | ● | ○ | ● |
Offers intrusion prevention | ● | ○ | ● | ○ | ○ | ● | ○ | ● |
Performs | ○ | ● | ○ | ○ | ○ | ● | ○ | ● |
Supports DLP functionality | ● | ● | ● | ○ | ● | ● | ○ | ● |
Includes built- | ● | ● | ● | ● | ● | ● | ● | ● |
Built on next-generation architecture (e.g., machine learning, etc.) | ● | ○ | ● | ● | ● | ● | ● | ● |
Accepts third-party threat feeds | ● | ● | ● | ● | ● | ● | ● | ● |