Incident Response Isn’t About Point Solutions; It’s About An Ecosystem

Today EMC announced the acquisition of Silicium Security. Silicium’s ECAT product is a malware threat detection and response solution. ECAT did not adopt the failed signature-based approach to malware detection and instead leveraged whitelisting and anomaly detection. Incident response teams can leverage ECAT to quickly identify and remediate compromised hosts. ECAT joins NetWitness and enVision in RSA’s portfolio.

The addition of Silicium to RSA’s security portfolio is significant and speaks to a new trend emerging within the incident response space. Point solutions that don’t integrate into a company’s security portfolio have diminishing value. Enterprises lack the resources to effectively respond to the overwhelming threat landscape, and vendor solutions must expedite, not impede, incident response. Incident response isn’t about point solutions; it’s about ecosystems. I want an incident response ecosystem that has integration points between my SIEM, Network Analysis and Visibility (NAV) solution, intelligence platform, malware sandbox and endpoint security product. If I detect suspicious network behavior from my NAV solution, I want to be able to quickly interrogate the source/destination and look for indicators of compromise. If my malware sandbox detects a malicious PDF, I want to be able to confirm that the endpoint was actually compromised before I commit my limited resources to investigate or remediate. If I discover a compromised system, I must be able to quickly check all of my other systems to see if they are also compromised. If my incident response tools don’t enable these types of scenarios in a scalable manner, then I don’t have an ecosystem. Vendors are beginning to understand this and are bringing legitimate integrations to market (Dear vendors, I mean actual product integrations, not “we are partners with a shared go-to-market strategy.”) Here are some recent examples:

  • FireEye has partnered with Mandiant to provide network-to-endpoint breach detection.
  • Solera Networks and LogRhythm partnered to enable deep packet inspection and analysis on LogRhythm alerts.
  • Guidance Software partnered with HP to automate incident response to ArcSight alerts.
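The three scenarios described above (pivoting from a NAV alert to the endpoint, confirming that a sandbox verdict actually landed on a host, and sweeping the rest of the fleet once one compromise is found) are all the same operation underneath: take the indicators one tool produced and check them against the telemetry another tool holds. The following is an added illustration, not code from ECAT, NetWitness or any vendor named here; the record types, hostnames, IPs and "sha256-…" strings are constructed placeholders standing in for real sandbox output, endpoint inventory and NAV alerts.

```python
"""Toy cross-tool correlation for the three IR scenarios in the post.

Added example (not vendor code). All records below are constructed
inline so it runs offline; in practice they would come from the
sandbox API, the endpoint agent and the NAV/SIEM alert feed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SandboxVerdict:
    sample_sha256: str
    verdict: str            # "malicious" or "benign"
    network_iocs: frozenset  # domains / ip:port contacted during detonation
    dropped_sha256: frozenset  # hashes of files the sample wrote


@dataclass(frozen=True)
class EndpointSnapshot:
    hostname: str
    ip: str
    file_hashes: frozenset   # what the endpoint agent has inventoried
    dns_queries: frozenset   # recent DNS history from the endpoint
    connections: frozenset   # recent outbound ip:port pairs


@dataclass(frozen=True)
class NavAlert:
    src_ip: str
    dst: str
    reason: str


def iocs_from_sandbox(v: SandboxVerdict) -> frozenset:
    """Turn a malicious verdict into a flat indicator set; benign yields nothing."""
    if v.verdict != "malicious":
        return frozenset()
    return frozenset({v.sample_sha256}) | v.dropped_sha256 | v.network_iocs


def endpoint_matches(ep: EndpointSnapshot, iocs: frozenset) -> frozenset:
    """Indicators from `iocs` actually observed on this endpoint."""
    return iocs & (ep.file_hashes | ep.dns_queries | ep.connections)


def triage(ep: EndpointSnapshot, iocs: frozenset) -> str:
    """Scenario 2: decide whether a host is really compromised.

    A file-hash hit means the sample or its payload is on disk: confirmed.
    Only network indicators (DNS / connection) means suspect, worth a look
    but not yet proof of execution. Nothing matched means clean.
    """
    hits = endpoint_matches(ep, iocs)
    if hits & ep.file_hashes:
        return "confirmed"
    if hits:
        return "suspect"
    return "clean"


def sweep_fleet(iocs: frozenset, fleet: list) -> dict:
    """Scenario 3: check every other system for the same indicators."""
    return {ep.hostname: triage(ep, iocs) for ep in fleet
            if endpoint_matches(ep, iocs)}


def pivot_from_nav(alert: NavAlert, fleet: list, iocs: frozenset):
    """Scenario 1: NAV flagged a source IP; interrogate that endpoint."""
    host = next((ep for ep in fleet if ep.ip == alert.src_ip), None)
    if host is None:
        return None
    return {"hostname": host.hostname, "triage": triage(host, iocs),
            "matched": sorted(endpoint_matches(host, iocs))}


# Constructed sample data (placeholders, not real indicators).
FLEET = [
    EndpointSnapshot("ws-01", "10.0.0.11",
                     frozenset({"sha256-pdf-sample", "sha256-dropped-dll"}),
                     frozenset({"update.example.invalid"}),
                     frozenset({"203.0.113.7:443"})),
    EndpointSnapshot("ws-02", "10.0.0.12",
                     frozenset({"sha256-benign-doc"}),
                     frozenset({"intranet.example.invalid"}), frozenset()),
    EndpointSnapshot("ws-03", "10.0.0.13",
                     frozenset({"sha256-benign-doc"}),
                     frozenset({"update.example.invalid"}), frozenset()),
]
VERDICT = SandboxVerdict("sha256-pdf-sample", "malicious",
                         frozenset({"update.example.invalid", "203.0.113.7:443"}),
                         frozenset({"sha256-dropped-dll"}))
NAV = NavAlert("10.0.0.13", "203.0.113.7", "beacon-like periodic connections")

if __name__ == "__main__":
    iocs = iocs_from_sandbox(VERDICT)
    print("NAV pivot:", pivot_from_nav(NAV, FLEET, iocs))
    print("fleet sweep:", sweep_fleet(iocs, FLEET))
```

The point of the example is the shape of the integration rather than the matching itself: each tool's output becomes input to the next without an analyst re-typing hashes and domains, and the triage step separates "the payload is on disk" from "the host merely resolved the domain", which is exactly the distinction the post wants before committing investigators.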

There is too much at stake for companies, and these ecosystems are needed to quickly detect and respond to compromises. I fully expect these integration and acquisition trends to continue as a result. If RSA is able to successfully execute on the integration of ECAT, NetWitness and enVision into a comprehensive incident response ecosystem, it will be a very compelling story for customers.