IBM's new security pitch is that, while numerous point technologies exist today for monitoring enterprise systems, too often those monitoring tools work in isolation, failing to give businesses a big-picture view of their security posture, the effectiveness of their security policies, or warning of attacks in progress.
"There's a need for someone like IBM to approach this problem in a really, really big way, because guys like me have been trying to bite off edges of the problem for 20 years," said Jack Danahy, director of advanced security in IBM's recently created security division, via phone.
That big-picture approach to security means attempting to blend numerous types of prevention, detection, and correction capabilities. Not coincidentally, it also mirrors IBM's recent security acquisition spree, which included buying source-code security analysis vendor Ounce Labs, where Danahy was CTO, in 2009. The next year, IBM bought risk and compliance management specialist OpenPages, endpoint management and security vendor BigFix, and governance and policy compliance vendor PSS Systems. This year, IBM has already bought cloud-based application testing service Green Hat. Overall, IBM executives have said they'll spend about $20 billion on acquisitions through 2015.
Steve Robinson, VP of strategy and development for IBM Security Systems, said in late 2010 that the company's security-acquisition ethos was being driven in large part by "a growing awareness of security by senior executives" and their need to tackle security issues from a higher-level, cross-business perspective.
Perhaps the most notable recent example of IBM attempting to meet that need was its purchase of the largest independent security information and event management (SIEM) vendor, Q1 Labs. That acquisition, announced in October 2011, speaks volumes about IBM's new approach, not least because Brendan Hannigan, CEO of Q1 Labs, became the head of IBM's newly created security division, which included its Tivoli, Rational, and Information Management security offerings, as well as security appliances, services, and lab offerings.
On a related note, IBM Wednesday announced that its QRadar Security Intelligence Platform--acquired with Q1 Labs--will be tied into IBM's X-Force Threat Intelligence Feed, which it said analyzes 13 billion security events daily. That move should help businesses better spot advanced persistent threats (APTs), in part by using analytics tools to keep tabs on massive quantities of security data. While QRadar can already monitor products such as IBM WebSphere and SAP, IBM said that by the middle of 2012, it will release further modules for tying it into its Security Identity Manager, Security Access Manager, Security AppScan, and Endpoint Manager products. Going forward, IBM also plans to add connection modules for Symantec Data Loss Prevention, Websense Triton, and Stonesoft Stonegate, among other products.
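What "tying a SIEM into a threat intelligence feed" buys a defender is easiest to see with a small correlation exercise. The following Python is an added illustration written for this article, not QRadar, X-Force, or any other IBM code; the indicator feed, the three monitoring sources, the hostnames and the field names are all constructed. Each tool on its own sees one weak signal; only a correlator that reads all of them, enriched by the feed, assembles the picture that the isolated consoles the article describes never would.

```python
"""
Added illustration (not vendor code): enrich events from three separate
monitoring tools with a threat-intelligence feed and correlate the hits
per host. Feed entries, events, hostnames and field names are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicator feed: indicator -> (type, confidence, note).
# A real feed would be fetched over the network; it is embedded so the
# example runs offline.
THREAT_FEED = {
    "198.51.100.23": ("ip", 90, "suspected C2 host (constructed)"),
    "bad-updates.example": ("domain", 80, "malware distribution (constructed)"),
    "e3b0c44298fc1c149afbf4c8996fb924": ("md5", 95, "dropper hash (constructed)"),
}

# Constructed, already-normalized events from a web proxy, an endpoint
# agent and a network IDS. Timestamps are ISO 8601.
EVENTS = [
    {"ts": "2012-02-29T10:02:11", "source": "proxy", "host": "ws-0417",
     "domain": "bad-updates.example", "dst_ip": "198.51.100.23", "bytes": 5120},
    {"ts": "2012-02-29T10:02:40", "source": "endpoint", "host": "ws-0417",
     "file_hash": "e3b0c44298fc1c149afbf4c8996fb924", "path": "C:\\Temp\\svc.exe"},
    {"ts": "2012-02-29T10:03:05", "source": "ids", "host": "ws-0417",
     "dst_ip": "198.51.100.23", "signature": "beacon-like interval"},
    {"ts": "2012-02-29T11:40:00", "source": "proxy", "host": "ws-0099",
     "domain": "intranet.example", "dst_ip": "10.0.0.5", "bytes": 900},
    {"ts": "2012-03-01T09:15:00", "source": "endpoint", "host": "ws-0123",
     "file_hash": "e3b0c44298fc1c149afbf4c8996fb924", "path": "D:\\svc.exe"},
]

# Event fields whose values are looked up in the feed.
INDICATOR_FIELDS = ("dst_ip", "domain", "file_hash")


def enrich(event):
    """Return feed hits for one event as a list of (field, indicator, confidence)."""
    hits = []
    for field in INDICATOR_FIELDS:
        value = event.get(field)
        if value and value in THREAT_FEED:
            _kind, confidence, _note = THREAT_FEED[value]
            hits.append((field, value, confidence))
    return hits


def correlate(events, window=timedelta(minutes=15), min_sources=2):
    """
    Group enriched events per host. A host becomes an alert when hits from
    at least `min_sources` distinct tools fall inside one time window;
    a host with hits that never reach that threshold is returned as a
    lead for an analyst rather than an alert. Returns (alerts, leads).
    """
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits = enrich(ev)
        if hits:
            per_host[ev["host"]].append(
                (datetime.fromisoformat(ev["ts"]), ev["source"], hits))

    alerts, leads = {}, {}
    for host, hitlist in per_host.items():
        for t0, _src, _hits in hitlist:
            cluster = [h for h in hitlist if t0 <= h[0] <= t0 + window]
            sources = {src for _, src, _ in cluster}
            if len(sources) >= min_sources:
                alerts[host] = {
                    "sources": sorted(sources),
                    # Highest feed confidence among the clustered indicators.
                    "score": max(c for _, _, hs in cluster for _, _, c in hs),
                    "indicators": sorted({ind for _, _, hs in cluster
                                          for _, ind, _ in hs}),
                }
                break
        else:
            leads[host] = sorted({ind for _, _, hs in hitlist for _, ind, _ in hs})
    return alerts, leads


if __name__ == "__main__":
    alerts, leads = correlate(EVENTS)
    for host, info in alerts.items():
        print(f"ALERT {host}: {info}")
    for host, inds in leads.items():
        print(f"lead  {host}: {inds}")
```

Run stand-alone, the script raises one alert for `ws-0417`, where proxy, endpoint and IDS data agree within a three-minute span, and records `ws-0123` as a lead only: its lone hash match is worth a look but is not the multi-source picture the correlation is after. `ws-0099` never touches the feed and is not reported. The thresholds (`window`, `min_sources`) are the knobs a SIEM rule author tunes; in a product they would sit alongside asset criticality and the feed's own confidence scores.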
"Trying to approach security with a piece-part approach simply doesn't work," said Hannigan in a statement. "By applying analytics and knowledge of the latest threats and helping integrate key security elements, IBM plans to deliver predictive insight and broader protection."
IBM already offered a Tivoli SIEM product, but Danahy said that Q1 really excelled at tying together security information from a number of different devices. "It was that analytics capability that made them super-interesting to us, because our customers are generally looking to simplify this problem. Because they're asking IBM, 'how can you make it easier for me--more like other parts of my business--and less like a dark arts, extremely specialized sort of thing.'"
Danahy said his day job includes keeping his ear to the ground, to "get a much better sense about what [different] industries' security requirements are, and then come back to them." One hot-button issue he is still hearing about is Stuxnet, and the relative ease with which portable drives can be used to bridge air gaps. "Stuxnet ... brought a new level of awareness to industries that had traditionally thought of themselves as running on disconnected networks. If you look at the infrastructure space, for example ... the people running IT weren't talking to the people handling power distribution."
Businesses are also now keenly aware of the value of their data, thanks in large part to attacks launched by the hacktivist collective Anonymous, he said. "People have started to have a higher-level understanding of what their internal data is worth. So we've seen a lot of questions around ... how am I monitoring data loss prevention?"
Another overriding concern he hears--beyond persistent questions about mobile device and cloud security--is that security budgets simply aren't as big as CISOs would like. That, in turn, is driving demands for more automated security analysis tools, including SIEM. "That's really what drove the Q1 acquisition," he said.