Sensage Blogs

Sensage in the 2013 SIEM Magic Quadrant – Uniquely Positioned

Posted: June 13, 2013 at 10:27 am | by Joe Gottlieb

Sensage in the 2013 SIEM Magic Quadrant – Uniquely Positioned

As I peruse the new Gartner 2013 Security Information and Event Management (SIEM) Magic Quadrant, I am pleased with the perspective they offered about our capabilities.

Of 16 vendors evaluated, five vendors were named as Leaders — those who best address the use cases outlined across a broad swath of organizations. On the other hand, Sensage technology was clearly called out as “optimized for large organizations that require high‐volume event collection, analytics and reporting for large amounts of log data over long periods for audit, compliance and internal investigations.”

We handle the baseline real-time and compliance requirements, but big data collection, sophisticated analysis and deep forensics and historical analysis are – and have always been – our differentiators.

We were also recognized as one of 12 vendors in Gartner’s Critical Capabilities report again this year. I think Gartner sees us as filling an important market segment, and they even counsel that firms in the Leaders Quadrant are not a perfect fit for every organization: “focusing on the leaders’ quadrant isn’t always the best course of action…a niche player may support your needs better than a market leader. It all depends on how the provider aligns with your business goals.”

So, what does all of this really mean? It means that if you are a mid- or large size organization looking for a few sources to be collected into a set-it-and-forget-it real-time alerting system or a compliance reporting solution, there are fifteen other vendors that might be a better fit.

If your reality of data collection involves petabytes a day or week, Sensage is the only vendor who can meet your requirements. If you are building a single repository for the logging of all IT and security event data to support incredibly sophisticated correlation and analytics, Sensage was purpose-built for that. If you are building greater cyber awareness with the combination of real-time and historical context, Sensage can deliver.


Offensive Defense in the Enterprise

Posted: May 2, 2013 at 10:11 am | by Joe Gottlieb

Recently, the idea of Offensive Defense has become a hot topic in the security industry. In theory, the notion of going after an attacker that targeted your organization seems like a logical plan. However, there are a host of legal and ethical concerns with this approach.

For one, current legislation is vague when it comes to an organization’s ability to go after cyber attackers off-premises. Secondly, what if you unintentionally go after an innocent bystander and cause irrevocable harm to their infrastructure? Are you then legally liable for any damaged they incurred?

Because of this ambiguity, we urge our customers to focus on what they own in their own enterprise, where hidden intrusions and malicious codes can have long-term security ramifications.

According to Verizon’s 2013 Data Breach Investigations Report, 66 percent of attacks take at least two months or longer to discover. That’s considerably more so than in 2010, when 41 percent of attacks went undetected for that long. This further supports the need for SIEM analytics, which will sharply reduce the time that a threat can “hide” within enterprise infrastructure.

By leveraging advanced SIEM solutions, organizations can define the context of threats and enable an automated, active defense. With a deeper, richer understanding of the context of patterns and anomalies via the analytical capabilities which advanced SIEM solutions deliver, you strengthen the deployment of policy-driven controls that balance enterprise defense with corporate responsibility.

In a recent piece I did on this topic, I discuss the risks, the debates and the future of sharing information about cyber attacks.

While the idea of going off-premises to attack your attacker may sound appealing, the risks clearly outweigh the benefits. There’s a better way to keep your enterprise secure, while staying out of trouble—and an advanced SIEM will get you there.


Security Metrics - Truth in Data

Posted: August 17, 2012 at 10:06 am | by Joe Gottlieb

I am thrilled to share theThreatPost articleI wrote about the top ten tips security teams should consider as they evolve their metrics-driven practices. If video is your preferred format, I also shared details about these tips in this short piece.

These are not huge revelations or commandments - instead a set of principles proactive security teams should consider as they get serious about making the most of their event data.

I am passionate about this topic - as are many others in the security field. Without taking a more methodical and sustainable approach to analyzing our security posture, we will be in a constant knife-fight with cyber-criminals and we won’t win that one.

In fact, I will soon be sharing some details about some research we did that highlights the challenges faced by most security organizations. Some of the results were surprising, but my biggest take-away is that security teams are not armed with the right tools or processes to confidently stay ahead of threats.

Keep your eyes peeled for that report and let’s continue the dialog about improving our security posture with greater intelligence.


Operation High Roller: Lessons Learned

Posted: July 24, 2012 at 8:54 am | by Joe Gottlieb

Cybercrime has definitely become more profitable than old fashioned crime. Compare $38 million stolen through 2011 physical bank burglaries* with the recent report of the Operation High Roller attack, where up to $78 million may have been stolen by hackers targeting high balance bank accounts in 60 or more mid-sized banks.

We spent a little time researching this attack and, while initial reports were vague, we now understand this to be an interesting layering of multiple cyber methods in an attack that spanned many months.

Operation High Roller started with a basic phishing ploy, then leveraged several unique maneuvers once successfully in systems.  What was unique about this attack was not only the level of automation it used to distract its victims momentarily with a fake screen when hijacking their funds, but also the ability to compromise two-factor authentication for the first time – in this case a short-lived, one-time use password. With these new developments in bypassing two-factor authentication through automated sets of code, we can expect to see it used by cybercriminals in future hack attacks.

There was some good news about this attack (and most others): the operation left behind many logs which ultimately gave security experts insights on the anatomy of the attack, its migration pattern and which customers were compromised.

This is also another wakeup call that there needs to be more consistency in three key areas:

· Education – much like other attacks before this, High Roller started with a simple phishing scam. Employees need ongoing education about the new, innovative ways that attacks can take shape.

· Automation – when your organization knows that that updates of anti-virus software happen without action on their part, for example, they will distrust a pop-up from a supposed anti-virus application.

· Monitoring – it is not enough to do “spot checks” or rely on real-time alerts…clearly, cyber-criminals have figured out how to fool those processes. Develop a consistent monitoring process that looks for suspicious events, like connections to an unknown outside server at unusual times of day. There are many basic metrics you can establish baselines for, and then look for unexplained variances.

* Source: FBI


Gray Hat Reveals Data Breach

Posted: July 2, 2012 at 10:44 am | by Joe Gottlieb

I don’t know if “hero” is the right term for the hacker who recently announced that he was able to breach 79 banks and claimed to have access to more than 50 gigabytes of U.S. and foreign bank data.   At minimum, he provided another wake-up call to organizations around the world that they must be more aggressive with their security strategy.

The price for that reality check? It’s not just the data breach fines that the payment processor will pay. Let’s think about the painful customer service costs each of these banks and processing vendors will have to incur as consumers hear the news and call to find out if their personal data was stolen. Next, the costly process of changing payment processing vendors, which Visa and Mastercard will need to consider doing. And finally, the loss of brand and business productivity while all of the affected financial institutions manage the bad publicity.

Is PCI to blame? Do most organizations see PCI as a set of policies and procedures they prove they can meet once a year or so, and then set it aside? Are we creating a self-governing society, where eventually only vendors who demonstrate continuous evolution of their security practices will be left standing?

To get more on this story, visit


Next Page »