This month, we are taking a look at the UTM and SIEM product group. This is a very interesting group for where it came from, what it is today and where it is headed. It could well be the poster child for product group convergence. What started out years ago as a multipurpose gateway and has evolved into today's UTM (unified threat manager) also took a crazy hop or two and spawned the SIEM and some more sophisticated gateways. Now it looks as if another evolution is at our doors, one that could lead these tools – as we know them today – in the direction of next-generation threat management tools.
In fact, a couple of the solutions we looked at definitely are next-generation tools for their incorporation of threat feeds, machine learning and other niceties. We have said it several times before but it bears repeating: In today’s threatscape, if you aren’t learning to be a threat hunter, you’re actually devolving relative to the adversary. These tools are headed firmly in that direction.
We didn’t have a big group this month. In fact, that was one thing that was a bit of a surprise to us. We credit the distractions of RSA with some of that, but convergence is another big reason. Some of the old standbys were there, though, looking nothing like old standbys. And there were a couple of new entries. Also, we had appliances, software and virtual appliances, as well as traditional SIEMs and UTMs contrasted with devices that are starting to look like anything but a SIEM or UTM. Some tools were easy to use, some moderately difficult to use and some really required thinking and planning. So there was a little something for everyone.
After getting some help from Mike Stephenson a couple of months ago, it was my turn back in the barrel, and that gave us a chance to apply our newly rebuilt and upgraded lab. Over a two-week period, we tore the lab down to the floorboards, added a lot of new stuff and rebuilt it much better than it was. We now sport a four-host virtual environment – bare metal, of course – and, thanks to our SC Lab Approved vendors, several new monitoring tools.
For a quick list of the current crop of SC Lab Approved products, take a gander at the website. To be SC Lab Approved, these solutions have to be best of breed, place their product or service in the SC Lab for a year and then be willing to undergo an in-depth review at the end of the year. After a year of using the products, we look forward to a very deep, comprehensive set of reviews.
Finally, we are engaged in some very interesting research now that we have some fairly serious lab power – in addition to our test bed – behind us. Much of that will emerge in the Threat Hunter Blog on the website. In case you don’t follow that, currently we are analyzing ransomware, particularly the new breeds, such as TeslaCrypt 3.0 with the .mp3 extension and Locky, just to name a couple. Join us over there if you have a moment.