
A. N. Ananth, CEO, Prism Microsystems, Inc.

Stephen Northcutt - August 7th, 2009

A.N. Ananth, CEO of Prism Microsystems, Inc. was one of the original architects of the EventTracker product offering, Prism’s enterprise log management solution. We certainly thank him for his time to be interviewed for our Securitylab Thought Leader series.

Ananth, I know you have an extensive background in product development and operations for telecom network management. I also understand you have field experience consulting for companies on their compliance strategy, audit policy and automated reporting processes. What are the two or three biggest pain points you typically find?

In 2009, we find much greater acceptance by organizations about the need to "do something" about IT security and even about SIEM/Log Management. There is, however, rampant confusion about exactly what needs to be done and in what order. Enterprises clamour for specificity but, sadly, most regulatory guidelines are quite vague, leading to delay or paralysis in execution. Usually an episode such as a security breach or audit failure focuses senior management very quickly. The biggest pain points, therefore, are 1) Actionable plan to address IT security, and 2) How to prioritize the execution given real-world budget and staff constraints. Recommendations like CAG are helpful in this regard.

My understanding is that you co-founded Prism, can you tell me a bit about your work experience that got you to the place you are now?

I come from a background of telecom product development and network management. In that universe, considerable emphasis is placed on Fault Management, the network having extremely high uptime requirements (four 9s is routine). The shift in the data center from a few minis like VAX or IBM to many smaller servers like Intel or SPARC was clear, but the corresponding disappearance of the "operator" was confounding -- who replaced those functions? Some problems have almost disappeared, such as chargeback, but many remain, such as upgrades, log management, etc. It turns out, in many of the mid-size organizations these issues are ignored as much as possible and, to this day, it’s a problem. It’s the difference between a NOC mindset and an IT mindset. We developed the initial versions of our products to resolve these problems and formed the company to commercialize and support these solutions.

I agree with you, people tend to ignore their logs, but in this busy world you have to establish priorities. Why is log management a priority? What will happen to me if I don’t look at my logs? Who will even know?

While log data is useful in myriad ways, we classify uses broadly into three groups, viz Operations, Security and Compliance. Let’s look at each with an example. Operations is both the most common and the most overlooked: Not paying attention to logs can cost you BIG money, when your disk space goes low, when an admin inadvertently changes virtual machine configuration, when a backup job fails but goes unnoticed, etc. Security use cases get the most press and range from being owned and not knowing it, to loss of Intellectual Property, which when made public causes a loss of confidence. In the Compliance use case, the auditor will certainly know, and if they are doing their job, your senior management will hear about it. In these difficult economic times log management should be a priority because: a) It can save you serious money in Operations; b) Security is everyone's concern, more so if you are having employee churn; and, c) Compliance regulations are here to stay, for good reason.

Many of our readers may not be familiar with EventTracker, can you give us the $.25 tour?

EventTracker is a Security Information and Event Management solution that combines classic Log Management functions such as real-time processing, correlation and alerts with positive security features such as whitelisting, file integrity monitoring and compliance/assessment features.

We have relentlessly focused on the medium enterprise since 2001 and are currently shipping version 6 of the product. Our strong background in the operation of mission critical networks serves us especially well in understanding and addressing the problem.

You mention a focus on the mid-size enterprise. What is unique about this market?

All enterprises are ever more dependent on their IT but mid-size enterprises have it particularly hard. The corner hardware store gets to put up a "Gone Fishing" sign if the computer acts up while waiting for resolution, the F-500 giant gets to outsource the problem to a dedicated team. Neither is true for our customer base. Plus nobody is loosening the regulatory guidelines based on size, nor are hackers cutting them a break. Add in budget constraints and vagueness in regulations and it gets pretty hard.

Our customers prefer strong robust features but demand quick install and ROI and low on-going TCO. As an analogy, a Formula-1 race car is great to own and goes really fast in the straights but unless you are driving at the Circuit de Monaco and have a dedicated pit crew, it’s more trouble than it’s worth. Some of the products in the SIEM space are comparable to such race cars, whereas EventTracker is more like a high performing sedan, much easier to own and operate, and applies to a large variety of daily use cases.

In general, the biggest factor in the Total Cost of Ownership or TCO for a log management solution is the time an operator has to spend on the console identifying the actionable items and running them to ground. What are some ways that EventTracker’s design helps reduce TCO?

Great question. Looking at logs gets old even for logaholics and time is always a scarce resource for Admins. In broad terms, we recommend that users: a) Configure alerts for well defined cases; b) Examine specific summary and trend reports driven by business priority (users, systems, applications); and, c) Go to detailed analysis only as needed. An ounce of prevention being worth a pound of cure, as the saying goes.

To elaborate further, never mind the logs, think top down – what are the business scenarios of interest? Privileged use? USB activity? Intrusion attempts? Compliance workflow? They can be single events or require multi-event correlation. These are the conditions that you know and can define. EventTracker offers a correlation engine and various alert notification methods to help. We also ship a broad set of Knowledge Packs which include rules for popular applications and platforms.

Next, configure summary and trend reports on assets and users that are important. Examine these regularly for outliers – these are the conditions that you will know if you see them. EventTracker offers various summary and trend reports including modules to detect unusual activity. If needed, analyze log files to address specific questions. EventTracker includes an excellent analysis console and a powerful search interface for this purpose.
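The top-down approach described in the answer above (well-defined alert rules, including multi-event correlation, followed by summary reports examined for outliers) as an added, self-contained example. This is illustrative code written for this page, not EventTracker's or Prism's; the log lines, field layout, event names and thresholds are all constructed for the demonstration.

```python
"""Top-down log monitoring: defined alert rules first, outlier reports second.

Added example, not vendor code. Log lines are constructed in a simplified
form: "<iso-timestamp> <host> <user> <EVENT> key=value ...".
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log (hosts, users and paths are made up).
SAMPLE_LOG = """\
2009-08-07T22:01:10 fs01 alice LOGON_OK src=vpn
2009-08-07T22:01:30 fs01 alice FILE_READ path=/share/quotes/q1.pdf
2009-08-07T22:03:05 fs01 bob LOGON_FAIL src=vpn
2009-08-07T22:03:20 fs01 bob LOGON_FAIL src=vpn
2009-08-07T22:03:40 fs01 bob LOGON_FAIL src=vpn
2009-08-07T22:04:00 fs01 bob LOGON_OK src=vpn
2009-08-07T22:05:00 ws17 carol USB_INSERT device=disk
2009-08-07T22:05:30 ws17 carol FILE_COPY path=/share/payroll/aug.xls dst=E:
2009-08-07T22:06:00 fs01 dave FILE_READ path=/share/docs/memo.txt
"""


def parse_log(text):
    """Turn raw lines into dicts; key=value pairs go into 'detail'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, event, *rest = line.split()
        detail = dict(kv.split("=", 1) for kv in rest)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "event": event, "detail": detail})
    return events


def evaluate_rules(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Step a: alerts for conditions you can define up front.

    Two single-event rules (USB activity, sensitive path copied) and one
    multi-event correlation rule (repeated logon failures followed by a
    success for the same user inside a time window).
    """
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of LOGON_FAIL
    for ev in events:
        if ev["event"] == "USB_INSERT":
            alerts.append(("usb_activity", ev["user"], ev["host"]))
        if ev["event"] == "FILE_COPY" and "/payroll/" in ev["detail"].get("path", ""):
            alerts.append(("sensitive_copy", ev["user"], ev["detail"]["path"]))
        if ev["event"] == "LOGON_FAIL":
            recent_failures[ev["user"]].append(ev["ts"])
        elif ev["event"] == "LOGON_OK":
            fails = [t for t in recent_failures[ev["user"]] if ev["ts"] - t <= window]
            if len(fails) >= fail_threshold:
                alerts.append(("fail_then_success", ev["user"], len(fails)))
            recent_failures[ev["user"]].clear()
    return alerts


def activity_summary(events):
    """Step b: a summary report, here simply events per user."""
    return Counter(ev["user"] for ev in events)


def outliers(counts, k=3.0):
    """Users whose activity count sits more than k MADs from the median.

    Median absolute deviation is used instead of mean/stddev so that one
    very busy account does not hide the others. These are the 'you will
    know it when you see it' cases that go on to detailed analysis.
    """
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0
    return sorted(u for u, c in counts.items() if abs(c - med) / mad > k)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in evaluate_rules(evs):
        print("ALERT", alert)
    summary = activity_summary(evs)
    print("events per user:", dict(summary))
    print("outliers for detailed analysis:", outliers(summary))
```

On the constructed log, the correlation rule fires for bob (three failures then a success within the window), the single-event rules fire for carol, and the outlier report singles out bob's unusually high event count for closer analysis, which is the intended hand-off from step b to step c.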

Since you have been working in this space for many years, how do you think SIEM evolved and what future trends do you see?

Think back to the IBM System/360 announced in 1964, it emitted logs which the operator had to examine to know about its health and job status. Fast forward to VMware and Windows 2008, these also emit logs to inform Administrators about their health and status. In the five decades in between, almost nothing about computing has remained unchanged -- CPUs, memory, sizes, programming languages, user interfaces, etc. However, logs are still essentially used for the same purpose as nearly 50 years ago; many more logs from more sources in different formats with ever increasing obscurity and in enormous volume, same reason. This shows that the problem is a basic one that must be addressed by every generation of computing.

Some trends:

  1. The data center is being transformed by virtualization in almost all industries. Hypervisors such as VMware and Hyper-V are increasingly common and these bring their own set of challenges to SIEM. As a software-only solution with deep support for such technologies, EventTracker is particularly well suited for these datacenters.
  2. Uncertain economic times in many verticals are leading to tactical deployments of SIEM solutions. CIOs are demanding meaningful business cases to justify spend and often constraining the purchase/rollout to maximize ROI. Here again, with our pricing being per managed node, highly granular buys and upgrades are easy.

Looking forward, our industry must resolve the "shallow root" problem. SIEM solutions are currently deployed by IT Departments for their internal needs (usually security, compliance and operations). To more fully realize the potential of this technology, SIEM must provide value to more touch-points across the business process.

I am not familiar with the term “shallow root”, can you please elaborate on what this is and why it is a problem?

As long as SIEM solutions are useful only to a few people in the enterprise i.e., a subset of the IT Department, then the technology has “shallow roots” within the enterprise and its potential is not being fully realized. SIEM can be valuable across the enterprise, especially to data owners (usually middle management). IT is normally the curator of the systems where data resides, whereas the true owners of data can and should receive value from SIEM technology. For example, a sales manager whose team generates quotes and receives Purchase Orders is much more likely to recognize suspicious behavior if shown audit logs (who accessed, when, who added/deleted or copied to USB) than the IT Department, who can only go by well defined rules on acceptable behavior.

Without this, SIEM is relegated to the role of a specialized tool delivering limited value to a small set of users. The technology can and should be asked to do a lot more across the business process. Innovations like mashups, web services, and web slices are potentially useful in this regard.

The buzz today is about Cloud Computing, what implications do you see for IT security in general and SIEM in particular?

Cloud Computing is a tradeoff between efficiency and sovereignty. It is now an over hyped term. We see variations such as on-premise clouds, dedicated remote clouds, shared business class clouds and consumer clouds, each offering different levels of service at different price points.

We see the mid-size enterprise of tomorrow using a mix of a form of cloud computing, SaaS and dedicated on-premise infrastructure, in accordance with cost/security drivers.

Cloud computing represents an opportunity to build security from the beginning instead of making it a bolt-on later. It remains to be seen if this will be so; we hope past is not prologue (as is carved on the National Archives Building in Washington, D.C.). SIEM must adapt to this universe to be relevant. This means many things including multi-tenancy; the ability to forward some SIM information to the platform provider (e.g., ISP) but other data from the same machine to the end-user/customer; ideally, standards for SaaS providers, but in their absence, broad support for the popular players.

One of the traditions of the Thought Leader project is to offer a bully pulpit, a chance to share what is on your mind, what would you like to share with our readers?

Demand more from your SIEM solution. The technology has the potential to be useful in multiple ways. Remember, the bad guys depend on the fact that if you do collect this information, usage is limited to compliance.

SIEM/ log management is a core discipline and can be useful in myriad ways. To highlight these use cases, I've got a series running on our blog site called 100 uses for Logs (

I have seen your blog and it is one of the most educational and useful resources related to logging I have ever seen. Do you have any war stories where a logging system has been used to catch an internal or external criminal? I know some stories from health care where employees were looking at medical records they should not have such as Britney Spears and George Clooney. I also understand the IRS does something similar with respect to tax records, but you are closer to this area, what are one or two of your favorite log management stories?

Thanks for the kind words on the blog, it’s quite a bit of work. Here are my favorites:

A financial institution let a Sys Admin go on a Friday. Naturally, this person’s account was disabled in Active Directory. Late Friday evening, an existing account was used to access payroll data, which it was not authorized to access. EventTracker was configured for remedial action (disable the account in AD) and notification (e-mail the admin group). Analysis showed the account came through the VPN and was traced to the cable modem at the ex-employees home.

At a local government agency, an employee was dismissed and one reason was repeated violation of Internet use policy. The employee sued for wrongful dismissal. EventTracker was being used to get logs off the originating system and saved in a central, secure repository. The court found that given the archive method used by EventTracker (SHA-1 signed), it was not reasonable that the logs could be faked in an attempt to discredit the employee and that the employer had exercised due care in protecting the logs from tampering.

Another interesting story is of a dairy cooperative in Western Canada that actually uses EventTracker to monitor a cow milking application which is critical to their operation.
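The second story above turns on the archive being signed so that a court could rely on the logs not having been altered after collection. The following is an added example of how a tamper-evident log archive of that kind can be built and verified; it is illustrative code written for this page, not EventTracker's archive format. The interview mentions SHA-1 signing; this example assumes SHA-256 for the hash chain and an HMAC-SHA256 seal under a key that is held away from the collecting host, and all log lines and the key are constructed.

```python
"""Tamper-evident log archive: hash chain plus keyed seal.

Added example, not vendor code. Each record's hash covers the previous
hash and the line, so editing or deleting a record breaks every later
link; the HMAC seal over the final hash means a rewritten chain cannot be
made to verify without the key. Assumes SHA-256/HMAC-SHA256 (the page
mentions SHA-1); the key is a constructed placeholder and would in
practice be kept off the archiving host.
"""
import hashlib
import hmac

GENESIS = b"\x00" * 32          # starting 'previous hash' for an empty chain
KEY = b"constructed-demo-key"   # placeholder; real key lives elsewhere

# Constructed sample of lines as they might be pulled off an origin system.
SAMPLE_LINES = [
    "2009-08-07T09:00:01 ws22 jsmith WEB_REQUEST host=example.invalid",
    "2009-08-07T09:00:09 ws22 jsmith WEB_REQUEST host=example.invalid",
    "2009-08-07T09:01:13 ws22 jsmith POLICY_VIOLATION category=blocked",
]


def _link(prev_hash, line):
    """Hash of one chain link: previous digest concatenated with the line."""
    return hashlib.sha256(prev_hash + line.encode("utf-8")).digest()


def build_archive(lines, key):
    """Return {'records': [{'line', 'hash'}...], 'seal'} for the given lines."""
    prev = GENESIS
    records = []
    for line in lines:
        prev = _link(prev, line)
        records.append({"line": line, "hash": prev.hex()})
    seal = hmac.new(key, prev, hashlib.sha256).hexdigest()
    return {"records": records, "seal": seal}


def verify_archive(archive, key):
    """Return (True, None) if intact, else (False, index of first bad point).

    An index equal to len(records) means every link recomputes but the
    seal does not match: the chain was rebuilt or truncated without the key.
    """
    prev = GENESIS
    for i, rec in enumerate(archive["records"]):
        prev = _link(prev, rec["line"])
        if not hmac.compare_digest(prev.hex(), rec["hash"]):
            return False, i
    expected = hmac.new(key, prev, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, archive["seal"]):
        return False, len(archive["records"])
    return True, None


if __name__ == "__main__":
    archive = build_archive(SAMPLE_LINES, KEY)
    print("intact archive:", verify_archive(archive, KEY))
    edited = {"records": [dict(r) for r in archive["records"]], "seal": archive["seal"]}
    edited["records"][2]["line"] = edited["records"][2]["line"].replace("blocked", "allowed")
    print("edited record:", verify_archive(edited, KEY))
    truncated = {"records": archive["records"][:-1], "seal": archive["seal"]}
    print("dropped last record:", verify_archive(truncated, KEY))
```

Three failure modes matter for the due-care argument in the story: a changed line is caught at that record's index, a record dropped from the end leaves the links valid but the seal wrong, and a chain rebuilt from scratch over altered lines also fails the seal because the key was never available to whoever rebuilt it. Storing the seal (or the whole archive) with a party other than the system owner is what makes the last case convincing.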

Can you tell us something about yourself? What do you like to do when you are not behind a computer?

As our kids are quite young (one is still in diapers), I spend a lot of my free time looking at the world through their eyes and find it very enjoyable. In an alternate reality, I beat Ken Jennings in Final Jeopardy!