The business sources of data have been a majority from Enterprise operations data, followed by IT warehouse for advanced trending, business application owner data, executive dashboard and security/audit compliance systems.
AIOps application to Security Information and Event Management (SIEM) requires a special mention. It is used to support early attack detection, investigation, and response. There are several approaches to meet these requirements including a log index store, a metrics time-series database, sensors and intelligent endpoint protection, network and security, and their corresponding intelligence in stores, collection agents, analysis, and reporting stacks. Not everyone looks for all these features to be present in a SIEM solution and some vendors find a niche market with their offerings. Integration of SIEM products has been particularly difficult because of restrictions and limitations with standardization of techniques and commodity software. Some deployments are forced to be software as a service with multi-tenants. Solutions also span hybrid clouds and private clouds.
Technologies used in SIEM do not belong to the platform because they form a dedicated purpose, yet platforms are commonly used to manage IT operations because they span all aspects such as CMDB, incidents and requests via ITSM (service management) and alerts and events via ITOM (operations management). SIEM cannot be included in the portfolio of a platform without integration and most of these products are specialized or prefer to have their own management interface. The SIEM products are also aggressively taking on both the ingestion of events from all services monitored via a platform as well as the use of specialized or general-purpose machine learning algorithms.
Some of the techniques in SIEM need to be called out for the impact they make and their justification to not be part of a platform. These include endpoint protection techniques. Earlier viruses used to be the major form of threat attacks to security if it were not for the vulnerabilities existing in the systems and were largely dealt with by firewalls, host scanning and sanitization, and policies including software control. Endpoint protection has changed that game. It is now a cloud-hosted service that is not confined to a platform or its resources, supports its own stack, and can scale to any number of events.
No comments:
Post a Comment