ScienceLogic: What’s your real job when you’re not here?

Cummings: I’m a consultant. I have a networking services company through which I offer services all the way from Layer 1 to desktop support.

ScienceLogic: How long have you been involved with Interop?

Cummings: I attended my first show in 1996. I volunteered for my first shown in 1999 and haven’t missed a year since.

ScienceLogic: What makes you want to come back each year for the additional punishment?

Cummings: Working with the team, which are long-term established friendships at this point. That and the excitement of working with the new technologies as they or even before they come out.

ScienceLogic: In Las Vegas you were Team Lead for Help Desk. What are you going be doing in NY?

Cummings: Same thing. That position incorporates some management over the show floor and off-show floor area. That’s kinda where they put me and I’ve been doing it solidly for about 5 years.

ScienceLogic: What are the biggest changes you’ve seen in the show over the years, what sticks out?

Cummings: The amount of monitoring that we have and what we do with it has really been changing. We went from more, to almost none and now back to more. We’ve been through numerous vendors and apps over the years and until recently weren’t overly happy.

ScienceLogic: Did the integration between Service Desk and Monitoring that ScienceLogic created help streamline things in a meaningful manner?

Cummings: Absolutely. In the short time that we have to get things setup there’s no way to integrate multiple products in this area. Having things pre-integrated allowed us to quickly link network events and the related tickets together in the management system [EM7].

ScienceLogic: Moving forward on the Service Desk, do you think you can move away from your current paper driven process to a completely paperless process?

Cummings: I could potentially see it changing as we get the process down and fine tune it. We might be able to get an electronic interface for people. It’s tough. There’s always going to be an aspect of the shows we have to hand off on paper and get to legacy people such as electricians and movers.

ScienceLogic: If there was one thing you could improve that you think would make the overall show or help desk operate better, what would it be?

Cummings: We need to keep refining processes down to get information into EM7. Better for using the integration and automation that already exists in EM7.

ShareThis

Several weeks on and I'm still digesting the massive amount of information and insight from the second European identity conference in Munich, organized by Kuppinger Cole. Five days chock-full of content (7 am to 7 pm every day!), 50 exhibitors, 130 speakers, four workshop tracks, five theme tracks, and 25 best-practice sessions. Hundreds of delegates showed up from all over, even though Infosecurity 2008 was raging in London the same week. EIC 2008 was a superbly run event, with the seemingly inexhaustible Martin Kuppinger at the center of the storm.

It's difficult to sum up the content: Internet-scale identity, identity-driven security, federation, single sign-on (SSO), provisioning, context-based authentication, mobile and user-centric identity, SOA, entitlement management, and information risk management all commanded their own tracks. But some unifying themes emerged, chief among them that well-planned and -implemented identity and access management (IAM) is increasingly a must-have if we want to have effective information security, information risk management, and even GRC in today's and tomorrow's enterprises. 2008 may not be the tipping point for IAM, but we're getting close. A few highlights:

• It seemed that every third presentation contained the words "Société Générale" or "Jérôme Kerviel". Nothing like an(other) egregious breach of policy, procedure, and trust to concentrate the mind! Suddenly everyone is rediscovering the Barings debacle of a decade ago and recalling the name "Nick Leeson" — and realizing that, while we have made great technological strides in the past decade, all too often the people and process elements get short shrift. (If the control framework breaks down, it matters little what tech was used to enact it...). So while there was plenty of forward-looking technology-centric discussion, the thread of policy and process ran through every conversation — there was even an entire track session devoted to avoiding internal fraud via rogue trading and the changing threat landscape.
• A lot of the Identity 2.0 discussion was still quite fuzzy. There was little agreement on what mobile identity really means and how companies offering consumer services can provide it to customers, and what the role of mobile operators (who at the moment look like the weak link in the security chain) might ultimately be. User-centric identity is a great idea, but needs to be implemented in a way that gives users meaningful control over their identities and associated credentials in a way that doesn't also shift all of the liability for financial fraud (identity abuse) from institutions to individuals. This has significant implications for things like mobile commerce.
• There was a great physical/logical convergence case study from City College Coventry (UK), which is providing converged smart-card credentials to more than 10,000 students and staff. The card will function as an ID badge across the College, parking pass, building pass, cashless payment card, library card, etc. It will also be required to use any computer, printer, or photocopier connected to the College's network, and will allow lecturers secure access to classroom resources. The College does have the luxury of setting up this system in the context of moving to brand-new facilities, but it shows that if the IT and physical security folks can agree to pull in the same direction, convergence is a wholly attainable goal.
• Results of an enterprise IAM study were presented; one of the most troubling findings was that half of the respondents reported that their biggest obstacle to implementing IAM was that the business was just not ready for it. User management is often in place, but downstream functions like auditing and monitoring are still far from mature in a holistic IAM context. Firms also report big gaps between expected and actual benefits from implementing IAM. That last bit is one reason we advise not trying to do it all at once; rather, break a planned IAM implementation into manageable project chunks, focusing on one set of short-term, tangible, demonstrable benefits at a time.

One panelist put it best: Technology maturity and integration are all well and good, but we need workflow integration and organizational maturity. The need to implement IAM provides an opportunity to share information, define new policies and processes, and streamline existing ones. The CEO and CIO/CSO/CISO need to sit at the same table, commit to eliminating organizational silos, and devise a cooperative approach.

Blogger: Dan Blum

There are two groups actively working to create a common event standard that allows event logs and audit records to be shared and understood across many products, and the good news is that they’re talking to each other:

• Common Event Expression (CEE) language, by Mitre 
• X/Open Distributed Audit Standard (XDAS), by Open Group 

The business benefits of creating a common event standard would be considerable:

• Reduced log management and security information event management (SIEM) system integration costs 
  • Reduced volume of event data and simplification of SIEM architecture 
  • Reduced need for (and increased effectiveness of) normalization 
• Reduced cost of integrating new solutions with security management infrastructures and frameworks 
• Lower cost of integrating event management and audit into cross-enterprise applications (such as federated identity management)
• Faster and simpler data exchange between organizations, vendors and incident response services supporting real time response to threats and attacks 
• Better forensics for a common defense 

Late last year, our Burton Group Security and Risk Management Strategies (SRMS) group decided to push the question of event standards with vendors, trade press, and standards groups. But we felt that we needed evidence of end user enterprise interest and involvement to start doing so. Happily, as we began researching the space, we found that Mitre’s CEE was being driven by the EU, NATO and DoD as well as log management and platform vendors. Burton Group held a conference call discussing common event standards and SIEM with members of the International Information Integrity Institute (I-4), and key stakeholders showed up. The Open Group reports that enterprises as well as vendors are getting involved with XDAS. Clearly, enterprises seem ready to focus on this topic.

Of course, there are challenges ahead. Not only is there no complete common event standard out in the field today, there are many partial standards or solutions, including Syslog; the IETF’s Intrusion Detection Message Exchange Format (IDMEF) and Incident Object Description and Exchange Format (IODEF); the Java Specification Request (JSR) 47 Logging API, WS-Management subscribe/publish APIs and so on. Any comprehensive standard released in the future should work with existing technologies like these as much as possible. Also, there are a number of complexities, including mapping event semantics between different systems, synchronizing time while managing clock drift, and maintaining dynamic event handling policies.

Fortunately, the Mitre and Open Group efforts are gaining traction. Mitre has put up a CEE web site and one can ask to subscribe to the CEE mailing list. Mitre has described its scope as covering standard event taxonomy/terminology, log syntax, log transport and recommendations on what types of events and data elements systems should log. Mitre’s specifications are in the draft stage, and publication for comment is “expected 2008” according to the website. That’s pretty indefinite. But we are told that while not complete, these draft documents will reflect a considerable amount for work that has already been done and can be built upon. It is positive that a CEE community representative says Mitre plans to begin by seeking comments on the underlying goals and requirements for event standards. But to establish a broadly accepted industry standard anytime soon, Mitre and the government/defense community it servers will have to accelerate overly lengthy document review cycles and possibly streamline handling procedures designed for classified information rather than open standards deliberation.

As my colleague Bob Blakley wrote in “An Auditing Standard: Has this rough beast's hour come round at last?” last July, Open Group revived prior work on a specification called “X/Open Distributed Audit Standard” (XDAS).  XDAS addresses the concerns necessary to build a robust distributed security auditing system in a mature and complete way, but its 1990s era C and UNIX interfaces need to be updated. Novell, whose Bandit Project incorporates XDAS, has contributed source code to a new open-source project called OpenXDAS (http://openxdas.sourceforge.net/) which makes an XDAS implementation widely available.

As these two standards efforts proceed, we hear mixed signals. There have been some indications of contention; for example, CEE representatives purport to have a strong emphasis on “simplicity,” while some observers have expressed concern that XDAS may be “too complex.” Of course, the other side of the argument could be that CEE will over-simplify issues, but it’s hard to have that discussion when specifications for CEE aren’t publicly available yet.

Fortunately, olive branches have been extended as well. During the Open Group meetings in January, 2008 Burton Group observed the XDAS and CEE leadership discuss ways they could coordinate and avoid overlaps. For example, CEE and XDAS could make sure that XDAS APIs become a CEE-compatible logging transport and, if both organizations produce data dictionaries for events, they could be perhaps formulated to use a common taxonomy and to avoid schema conflicts and overlaps. We’re also hoping that vendors such as Arcsight, Oracle and CA – who have been proactive about proposing specifications or encouraging the industry to create a common event standard – will be become part of the convergence on a common solution.

In the coming weeks and months, Burton Group will keep watching the event standards space and post more information on how matters develop. Please let us know by commenting on this blog if there are other standards efforts we should be watching, compatibility concerns to address, or other issues and questions you’re concerned about. We hope to continue being a voice for convergence and standardization that helps put the industry on the road to a common event standard by 2009.

Blogger: Dan Blum

There are two groups actively working to create a common event standard that allows event logs and audit records to be shared and understood across many products, and the good news is that they???re talking to each other:

• Common Event Expression (CEE) language, by Mitre 
• X/Open Distributed Audit Standard (XDAS), by Open Group 

The business benefits of creating a common event standard would be considerable:

• Reduced log management and security information event management (SIEM) system integration costs 
  • Reduced volume of event data and simplification of SIEM architecture 
  • Reduced need for (and increased effectiveness of) normalization 
• Reduced cost of integrating new solutions with security management infrastructures and frameworks 
• Lower cost of integrating event management and audit into cross-enterprise applications (such as federated identity management)
• Faster and simpler data exchange between organizations, vendors and incident response services supporting real time response to threats and attacks 
• Better forensics for a common defense 

Late last year, our Burton Group Security and Risk Management Strategies (SRMS) group decided to push the question of event standards with vendors, trade press, and standards groups. But we felt that we needed evidence of end user enterprise interest and involvement to start doing so. Happily, as we began researching the space, we found that Mitre???s CEE was being driven by the EU, NATO and DoD as well as log management and platform vendors. Burton Group held a conference call discussing common event standards and SIEM with members of the International Information Integrity Institute (I-4), and key stakeholders showed up. The Open Group reports that enterprises as well as vendors are getting involved with XDAS. Clearly, enterprises seem ready to focus on this topic.

Of course, there are challenges ahead. Not only is there no complete common event standard out in the field today, there are many partial standards or solutions, including Syslog; the IETF???s Intrusion Detection Message Exchange Format (IDMEF) and Incident Object Description and Exchange Format (IODEF); the Java Specification Request (JSR) 47 Logging API, WS-Management subscribe/publish APIs and so on. Any comprehensive standard released in the future should work with existing technologies like these as much as possible. Also, there are a number of complexities, including mapping event semantics between different systems, synchronizing time while managing clock drift, and maintaining dynamic event handling policies.

Fortunately, the Mitre and Open Group efforts are gaining traction. Mitre has put up a CEE web site and one can ask to subscribe to the CEE mailing list. Mitre has described its scope as covering standard event taxonomy/terminology, log syntax, log transport and recommendations on what types of events and data elements systems should log. Mitre???s specifications are in the draft stage, and publication for comment is ???expected 2008??? according to the website. That???s pretty indefinite. But we are told that while not complete, these draft documents will reflect a considerable amount for work that has already been done and can be built upon. It is positive that a CEE community representative says Mitre plans to begin by seeking comments on the underlying goals and requirements for event standards. But to establish a broadly accepted industry standard anytime soon, Mitre and the government/defense community it servers will have to accelerate overly lengthy document review cycles and possibly streamline handling procedures designed for classified information rather than open standards deliberation.

As my colleague Bob Blakley wrote in ???An Auditing Standard: Has this rough beast's hour come round at last???? last July, Open Group revived prior work on a specification called ???X/Open Distributed Audit Standard??? (XDAS).  XDAS addresses the concerns necessary to build a robust distributed security auditing system in a mature and complete way, but its 1990s era C and UNIX interfaces need to be updated. Novell, whose Bandit Project incorporates XDAS, has contributed source code to a new open-source project called OpenXDAS (http://openxdas.sourceforge.net/) which makes an XDAS implementation widely available.

As these two standards efforts proceed, we hear mixed signals. There have been some indications of contention; for example, CEE representatives purport to have a strong emphasis on ???simplicity,??? while some observers have expressed concern that XDAS may be ???too complex.??? Of course, the other side of the argument could be that CEE will over-simplify issues, but it???s hard to have that discussion when specifications for CEE aren???t publicly available yet.

Fortunately, olive branches have been extended as well. During the Open Group meetings in January, 2008 Burton Group observed the XDAS and CEE leadership discuss ways they could coordinate and avoid overlaps. For example, CEE and XDAS could make sure that XDAS APIs become a CEE-compatible logging transport and, if both organizations produce data dictionaries for events, they could be perhaps formulated to use a common taxonomy and to avoid schema conflicts and overlaps. We???re also hoping that vendors such as Arcsight, Oracle and CA ??? who have been proactive about proposing specifications or encouraging the industry to create a common event standard ??? will be become part of the convergence on a common solution.

In the coming weeks and months, Burton Group will keep watching the event standards space and post more information on how matters develop. Please let us know by commenting on this blog if there are other standards efforts we should be watching, compatibility concerns to address, or other issues and questions you???re concerned about. We hope to continue being a voice for convergence and standardization that helps put the industry on the road to a common event standard by 2009.

To answer that question, let’s turn the question on its head. What did security spending look like when times were pretty good?  Say from early 2005 to 2007 for example - did we see an upturn in spending? Our research found that security spending was flat or declining as a proportion of overall IT spending during that period. So then why, when the economy goes south would we spend less on security?

The vast majority of organizations spend money to counter threats and incidents that they’re seeing, and to comply with governmental and contractual requirements. Neither of these two factors are hugely dependent on economic cycles.

OK, so there’ll be less cash floating around for the big banks to fill their labs with new product evaluations, but does that really affect the majority of us? I would say not. Yes, we’re going to have to show more business justification for our technology. Yes, we’re going to have to consolidate. Yes, we’re going to have to streamline process. But weren’t we doing that anyway?

We’ve come to learn that security is a necessary cost of doing business – not a luxury item where we can turn spending on and off at the behest of economic demand. Luckily for us, I reckon there’s fewer of us that are going to be on the streets looking for jobs than other disciplines.