The ‘use’ section of our technology is actually lots of products that all feed off the central warehouse. We have a S.E.M. solution that we refer to as a SOC-in-a-box, which is probably the most accurate correlation engine available. We have compliance technology that takes your assets and people and matches them against directives, and then enforces your processes. We have a forensic workflow solution that is indisputably the most efficient in the business. We have a special data-aware console called Database Security Manager that gives you SOC-type security over your databases. And of course, everything we do is extensible with open APIs.

The point I’m trying to make here is that we give you the ability to do the alerting, searching and reporting that you need, whether it’s for compliance, security or IT operations - all of it enriched from our central warehouse in ways that others can’t match.

Our ‘see’ is simply the biggest, fastest, most scalable and complete IT data warehouse available today. We have one customer that currently gives us 53 BILLION logs per day. Twitter (not a customer), we estimate, produces 127,000 log messages per second. Our biggest box peaks at 250,000. This level of scalability means that if you’re considering building a large datacenter, we’re the only people you should talk to.

But we’re more than just scalable. Our warehouse specializes in structuring unstructured data. We take the data from our Universal Collection Framework and automatically identify it – no more tedious manual configuration the way you do with other vendors. We then feed that IT data into our taxonomy where we add the insight. We take information from asset databases, from active directories (LDAP) and use it, along with our deep knowledge of events, to turn error code 14 on device w3q into “Andy (West Sales) failed to gain external access to main CRM system.”

This insight comes from our unique patent pending taxonomy. But we don’t know everything. You may have a device we’ve never heard off, an application you built yourself, or something that’s so old it’s unique to your environment. Using our Log Labels technology you can, using a simple drag and drop GUI, teach our taxonomy about your uniqueness. And of course, we do this in an enterprise-class fashion. You define data just once, it gets added to a central library of terms, and is automatically pushed to all your appliances. The next version of this will enable you to share your work with the greater community, meaning as an industry, we can finally tackle the long tail of IT data sources.

To be a good corporate citizen, we of course have to play nicely with others. And so we have an open storage system that scales using our own disks, or plays nicely with your corporate SAN’s and NAS’s. It also uses a unique open forwarding technology so we can share our enriched view of the world with any vendor you wish.

And again, we have open APIs, so we’re extensible should we not entirely meet your needs.

Let’s look at ‘get, see, use’ in a little more detail.

Our “get” is actually technology called the Universal Collection Framework.

This framework provides universal IT data collection capable of collecting, without agents, from just about anywhere. Where we do need agents for those hard to reach places, like HP Integrity NonStop (tandem) machines, or exotic devices, we have them. We also provide specialized technology for capturing database activity without the need for you to turn on costly auditing. All of this technology is vertically scalable to suit data centers of any size. It is also the world’s only WAN-aware store-and-forward technology capable of adapting to time-zones, being scheduled, compensating for unstable pipes, and protecting your data from unauthorized viewers.

The technology that makes all of this work is a brand new protocol we’ve invented called the Universal Lossless Data Protocol – which we intend to open-source next year.

Of course, we also publish open APIs so that you can add to this framework if you wish.

This ‘get, see, use’ is what we refer to as ‘360 Insight.’

Put simply, it means that we don’t care where your data is, or what format it’s in; we can get it and give you 360 degrees of sight into all your IT data.

We don’t care why you’re capturing all that data. Whether it’s compliance, security, or IT-ops, we give you 360 degrees of sight into all your business drivers.

We don’t care who you are. Whether you’re looking for insight because you’re HR, an auditor/assessor, a partner, or that guy in IT - we give you insight.

‘We don’t care’ is harsh. ‘We’re neutral’ lacks the passion behind our focus. What I’m trying to say is that we’re doing all the hard work to understand all of your data, for whatever driver motivates you, while respecting your role within your organization.

We do the work, so that you (or a team of consultants) don’t have to.

Anyway, they’ve just written a “what the heck is SIEM” paper. Whilst I disagree with their definition of what SIM and SEM are (my definition is here), the paper is well worth your time. It’s long – 40 pages, but there’s something new for everyone in there.

I highly recommend you make the time (even if it is sponsored by a competitor).

Our approach is different. Firstly, there’s no spaghetti! Ours is a simple world where all data, regardless of source or type, is centralized, augmented, enriched, parsed and understood, then smartly passed onto the appropriate visualization tools. We aim to create a virtual information pool that enables you to see 360 degrees of your operation; to provide you insight into the workings of your infrastructure.

Over on the left we have what we’re calling ‘Get.’ This is our Universal Collection Framework technology – our unique ability to capture audit trail information from almost any device, in almost any format and then securely and wisely move it to a central store, regardless of LAN or WAN complications.

In the center we have ‘See.’ This is our uniquely, massively scalable IT Data Warehouse, currently represented by our ST range of appliances. If you think of Google for a second you’ll understand why we call this ‘see.’ You know there are a million places on the web to book a flight. But rather than reach into the net and try each site directly, if you ask Google, it will do the search for you. It will display results directly. It will order them in terms of popularity and augment your view of those travel companies, giving you greater insight than you would have gotten if you’d visited all the sites directly yourself. Google enables you to see the raw information in a new way. That’s what we do. We enable you to see your IT data in new and insightful ways.

Over on the right we have the ‘Use’ column. Here we list all the visualization tools you may need. Some we make, others we expect you to source elsewhere. Regardless, they are all able to reach into the warehouse, without all the spaghetti, and be fed enriched, consistent information.

‘Get, See, Use.’ A simple solution to a very complex problem. We provide visibility, control, and improve security without adding all the complexity that others rely upon. There’s also an openness implied in this diagram. We offer an expansible framework, so if our ‘get’ doesn’t meet your exact needs, you can add something else. If our ‘see’ isn’t quite what you need, you can extend it. And if our ‘use’ is not a perfect match, you can use someone else’s.

When you go with our solutions you’ll also find that we pride ourselves in building technology that is simple to use and easy to deploy.

And that brings us to what I’ll call 1st generation solutions to your problem.

On the left of the slide you’ll see what I call “data assets.” These are your routers, firewalls, switches, servers, operating systems, databases, commercial and homegrown applications and pretty much anything with a plug. It’s a fact of life that almost all of the technology we use creates an audit trail. Some of those trails are called logs, others flow, sometimes they’re just file dumps. The point is, everything we do within the connected world leaves a trail.

Over on the right of the slide are the consumers of those trails. These are the analytics engines - the panes-of-glass from the previous slide. Hopefully, from the tangled spaghetti of colored lines you can see the problem here. We have one customer that has deployed 4 S.E.M. products from several vendors in their SOC. They also have other solutions, such as network monitoring tools. What this means to them is that they have servers with 4 agents on them – all doing the same thing! They get alerts that some S.E.M.’s corroborate, and others totally miss. They have no consistency, they can’t confirm that all the right information is getting to all the right places. And to make matters worse, they’re fearful of upgrading or switching out some of these solutions because the tendrils reach too deeply into the organization and no one knows quite how it’s all wired together.

What started off with the best intentions of adding clarity to a complex network of devices has simply made things worse. An alarm you can’t verify and trust is worse than useless – it becomes the car alarm that goes off in the middle of the night that everybody ignores.

The good news for you is that, as an industry, we’ve recognized your needs and even given them a name – S.I.E.M. or Security Information and Event Management.

S.I.E.M. is made up of two separate technologies - the first and most important is S.I.M., Security Information Management. This is the foundational work of collecting all tracking data - be it Logs, Flow, Assets, Users or Files - consolidating it, and then turning it into useful data. It is the S.I.M. technology that allows for the forensic searching and reporting we just discussed. It is this that you use for good IT management or compliance. We can even use it for simple alerting, such as someone failing to authenticate against a database.

The S.E.M. on the other hand is often referred to as the pane-of-glass or the analytics engine that consumes the collected data and presents it in a way that is meaningful to your needs; whether that’s event management for a SOC, or trending for capacity planning, or SLA management. Some of these visualization tools even provide dashboards that reflect your compliance posture.

The important part of S.I.E.M. is that for it to truly work efficiently and effectively, the pane-of-glass needs to be presented with ALL of the available data and not just a subset.

Driving this desire for greater visibility, control and security is usually one of three things (there are of course other drivers, but these are the big three): compliance, security and the need to operate an efficient IT infrastructure.

Regardless of whether you’ve just failed an audit, or you’ve got one looming on the near horizon…or whether your firewall has just been kicked in, or you’re being paranoid because a “like” company has just been breached…or a critical system recently failed and it took you too long to recover - we always get asked for the same 3 things: alerting, searching and reporting.

People always ask us for the big red flashing light that screams something bad just happened. Our PCI data just made it out of the safe network. Warning! Our database just released data through a firewall port that it’s not used before. Warning! A router just went off-line and we’ve lost VPN access. Warning! Something bad has happened. Warning!

Of course, once the siren is silenced you need to get on with the very serious business of Crime Scene Investigation. You need to know: “How did the data get to the unsafe part of the network? Who did it? What else did they do?” You need to know: “Why did the database just send data outside the company? What else uses that port? When was the firewall last reconfigured? By whom?” You need to know: “Why did the router just stop working? Who was the last person to administer it? What was their reasoning?”

Once you’ve gathered your evidence, you need to document your findings – you need reporting. You need to be able to stand up in court and defend your compliance posture, to stand in front of HR or your CEO and defend your security best-practices, to stand in front of your LOB director and defend your operations.

That’s what we do. We give you the big flashing red light, we give you all the forensic searching tools you’ll ever need and we back it all with solid evidentiary reporting.

There are companies out there that specialize in each of these areas. They’ll tell you that once you have an alarm system, you don’t need the CSI stuff. Others will tell you that crime happens so you may as well let it get on with its thing and then have the best CSI team ready to pounce. Others still simply document everything that happens so that lawyers can later pour over the basic facts.

LogLogic believes you need three to be truly protected, to truly have total visibility and control.

The Problem

The problems we’re trying to address are simple to define but harder to resolve, namely the lack of control, visibility and security in today’s IT shops.

These issues manifest themselves in many ways that we’ll discuss, but they all arise from a basic fact of life – IT is complex. You have lots of apps, databases, servers, routers, firewalls, and just ‘stuff’ to manage. Pretty much anything with a plug these days falls under the realm of the IT department. And of course, it’s all inter-connected. It’s wired together in a way that is difficult to unravel. This complexity means that it’s hard for you to react quickly to security breaches or new compliance demands. It’s hard for you to adapt your system to changes within your organizations, such as mergers or departmental re-structuring. And with complexity come the ever present issues of management – or the lack of it. If I were to try and generically sum up the problems people describe to me, it’s that IT has a lack of visibility and control over the systems that are running the very core of your enterprises. And then of course, there’s security. There’s always the security problem.