UTM, SIEM. What's the difference?
Several years ago, I started writing about UTM – universal threat managers, also called unified threat managers. In those days, they were a sort of evolution of several types of gateways. Their purpose was to manage threats actively. Typically, these devices included firewalls, VPNs, IPS, URL filters, DLP, anti-spam and anti-malware. Those gateways had evolved as point solutions to point problems; the UTM, in effect, simply pulled all of the pieces together in a single system.
At the time, I railed against the weaknesses of UTMs – most notably their position as a single point of failure and their lack of defense-in-depth. Of course, early UTMs did not have all of the functionality above. That has been added as the genre has evolved. And, it certainly has evolved. The UTM market continues to grow in the double digits year on year, according to Forrester. Along the way, other technologies – such as load balancing and integrated endpoint security – have gone a long way toward easing my pain relative to these tools. I guess, in that regard, I'm ready to cry “uncle.” I no longer need to wonder if UTMs are “soup yet.” They assuredly are. Which brings us to SIEMs.
SIEMs are another evolutionary product – an amalgam of SIM (security information management) and SEM (security event management). Neither of those originals was around for very long before the amalgam took off like a flash, eclipsing the older approaches. And for very good reason: information and events go together very closely in the cyber event management world. It makes sense to keep the two together. But, it is important to remember that SIEMs do not create their own data. They consume other data and analyze and report on it. Reporting can – and should – take the role of alerting.
So the SIEM becomes the point of aggregation. It aggregates information from a variety of sources and manages the events sent to it. This is a good thing since it is far easier and more effective to address security issues from a single management point – even if one has multiple data feeds to that point.
I have been a sort of SIEM maven for a long time. I started playing with them when they were new on the market and my impression at the time was that they were tools for the analyst. Nobody else could get anything useful out of these beasts. But if you could, you could find things out about activities on a network that might only have been suspected.
That, too, has changed dramatically. Today's SIEMs can do things with data feeds that just a few years ago seemed like science fiction. Imagine gathering data streams from a variety of sources, stripping out indicators of compromise and using that information – along with some additional data – to identify a known threat actor. That is pretty heady stuff, even in today's emerging cyber threat intelligence discipline.
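The SIEM pipeline sketched in the two passages above (aggregate feeds the SIEM does not create, strip out indicators of compromise, enrich them with additional data to name a known actor, and turn the report into an alert), as an added Python example that is not from this column or from any product it mentions. The two log feeds, the threat-intel mapping, the actor name and the assumption that 10.0.0.0/8 is the internal range are all constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample feeds (not real data): one UTM/firewall log and one endpoint log.
FEEDS = {
    "firewall": [
        "2024-01-05T10:02:11Z fw01 action=allow src=10.0.5.21 dst=203.0.113.45 dport=443",
        "2024-01-05T10:02:30Z fw01 action=deny src=10.0.5.21 dst=198.51.100.9 dport=22",
    ],
    "endpoint": [
        "2024-01-05T10:02:15Z host=ws-021 proc=powershell.exe conn=203.0.113.45:443 user=jdoe",
        "2024-01-05T10:04:01Z host=ws-007 proc=chrome.exe conn=93.184.216.34:443 user=asmith",
    ],
}
# Constructed threat-intel feed: the "additional data" that maps an indicator to a known actor.
THREAT_INTEL = {"203.0.113.45": "ACTOR-ALPHA", "198.51.100.9": "ACTOR-ALPHA"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def normalize(source, line):
    """One raw line -> common event record: source, timestamp, and the key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"source": source, "ts": ts, **fields}

def extract_iocs(event):
    """Candidate indicators: every IPv4 address in any field, minus the internal range.
    Assumption for this example: 10.0.0.0/8 is internal and is never treated as an IoC."""
    return {ip for v in event.values() for ip in IPV4.findall(v) if not ip.startswith("10.")}

def correlate(feeds, intel):
    """Aggregate all feeds, match IoCs against intel, and emit one alert per indicator
    that records every source and host in which that indicator appeared."""
    hits = defaultdict(list)
    for source, lines in feeds.items():
        for line in lines:
            event = normalize(source, line)
            for ioc in extract_iocs(event) & set(intel):
                hits[ioc].append(event)
    return [{"indicator": ioc, "actor": intel[ioc], "count": len(events),
             "sources": sorted({e["source"] for e in events}),
             "hosts": sorted({e.get("host") or e.get("src") for e in events})}
            for ioc, events in sorted(hits.items())]

def actors_seen(alerts):
    """Roll the alerts up to actor level: which known actor the matched indicators point at."""
    by_actor = defaultdict(set)
    for alert in alerts:
        by_actor[alert["actor"]].add(alert["indicator"])
    return {actor: sorted(iocs) for actor, iocs in by_actor.items()}

if __name__ == "__main__": print(correlate(FEEDS, THREAT_INTEL))  # stand-alone run on the sample feeds
```

The second alert is the interesting one: the same indicator seen on the firewall and on an endpoint collapses into a single alert, which is the single-management-point argument made above.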
So, it is clear that these are two entirely different beasts. But do we need both? If we're talking about my network, you bet we do! On your network, your mileage, as they say, may vary. But I certainly would want both for protection and knowledge of what is happening in an increasingly complicated enterprise. So, that is the theme this month – SIEMs and UTMs and where they fit into your enterprise. Our review team this month was Ben Jones, Sal Picheria and James Verderico. Nice job, team!