I’m very grateful that Tim Eades, CEO of vArmour, invited me to his CIO event in Palo Alto today. We had the chance to demo Verodin SIP (Security Instrumentation Platform) to about three dozen top CIOs from the UK.
Tim is a bit of a Silicon Valley entrepreneur legend so it’s always great to reconnect with him and share ideas. vArmour delivers a distributed platform with integrated security services including software-based segmentation, micro-segmentation, application-aware monitoring, and cyber deception to help organizations protect critical applications and workloads.
This group of CIOs was very engaged with tons of great questions – which I always enjoy. But what I was extremely excited about was their very enthusiastic reaction to seeing a demonstration of Verodin SIP for the first time.
Every CIO started commenting on how Verodin SIP could add value to their own organization from hiring and training talent and tuning products such as firewalls and IPS to retiring unneeded, expensive solutions and optimizing their SIEM.
But by far the most exciting Verodin SIP capability they saw, as demonstrated by almost unanimous glee, was the prescriptive nature of Verodin SIP for SIEM rules. As CIOs, this audience really understood both the promise of what SIEM can deliver and the gap that exists between that and what is actually delivered.
This gap doesn’t just mean that they aren’t getting ROI on their SIEM; it means their overall security effectiveness is reduced, and because SIEM is a big-ticket security product, the time, resources and money that are wasted are of substantial concern.
I demonstrated that when you make changes to a firewall, IPS, SIEM, etc., Verodin SIP can be used to validate that the changes actually work the way you intended. Beyond that, I demonstrated with Splunk ES and QRadar (because that’s what happened to be installed in my lab) the simple steps that allow Verodin SIP to be prescriptive about results instead of just letting you know what’s not working:
- Execute attacks with Verodin SIP to test endpoint and network security products
- Integrate Verodin SIP, through an API, with the SIEMs
- Illustrate for example what attacks were blocked by the firewall, what attacks were detected by the IPS, and how those events appear in the SIEM
- Reveal what events were just showing up as raw SIEM events – not correlated or notable events – meaning that the chances of the raw events being seen by a human are very low
- Prescribe the actual rules and searches that need to be deployed in the SIEMs in order to have a rule fire or create a notable event
The best part is that after Verodin SIP executes attacks to identify where the issues are and prescribes how to fix them, you can use Verodin SIP to validate that the fixes were effective.
If you’ve ever operated security products like firewalls, IPS, and SIEMs, you know right away that this is really, really cool stuff.
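To make the gap analysis in those steps concrete, here is an added sketch of my own (not Verodin’s code or API): given which simulated attacks show up in the firewall, IPS and SIEM logs, it classifies each one as notable, raw-only, seen by a control but never forwarded, or not visible at all, emits a Splunk-style search template for every raw-only gap, and re-runs the classification to validate the fix. The test ids, signatures and the search template are constructed for illustration.

```python
"""Control-validation gap analysis: which simulated attacks were blocked,
detected, surfaced only as raw SIEM events, or never seen, plus a
prescribed correlation search for every raw-only gap."""
from dataclasses import dataclass

@dataclass(frozen=True)
class TestAction:
    test_id: str       # id of one simulated attack in the test run
    signature: str     # signature string the IPS/firewall logs for it

def classify(actions, fw_blocked, ips_detected, siem_raw, siem_notable):
    """Map each test_id to its outcome. The four inputs are sets of test_ids
    recovered from the firewall, IPS and SIEM logs after the run."""
    outcome = {}
    for a in actions:
        if a.test_id in siem_notable:
            outcome[a.test_id] = "notable"        # a human will actually see this
        elif a.test_id in siem_raw:
            outcome[a.test_id] = "raw_only"       # ingested but never correlated
        elif a.test_id in fw_blocked or a.test_id in ips_detected:
            outcome[a.test_id] = "not_forwarded"  # control fired, SIEM never got it
        else:
            outcome[a.test_id] = "not_visible"    # no control saw it at all
    return outcome

def prescribe(actions, outcome):
    """Return one Splunk-style search per raw-only gap (constructed template,
    not a real product rule); deploying it as a rule is the prescribed fix."""
    by_id = {a.test_id: a for a in actions}
    return {
        tid: (f'index=security signature="{by_id[tid].signature}" '
              f'| stats count by src_ip, dest_ip')
        for tid, status in outcome.items() if status == "raw_only"
    }

# Constructed sample data for one run of four simulated attacks.
ACTIONS = [TestAction("t1", "nmap port scan"), TestAction("t2", "credential dump attempt"),
           TestAction("t3", "dns tunneling"), TestAction("t4", "smb lateral movement")]
FW_BLOCKED = {"t1"}; IPS_DETECTED = {"t1", "t2", "t4"}
SIEM_RAW = {"t1", "t2", "t4"}; SIEM_NOTABLE = {"t1"}

def run_cycle():
    """Identify gaps, prescribe searches, then validate as if they were deployed."""
    before = classify(ACTIONS, FW_BLOCKED, IPS_DETECTED, SIEM_RAW, SIEM_NOTABLE)
    searches = prescribe(ACTIONS, before)
    after = classify(ACTIONS, FW_BLOCKED, IPS_DETECTED, SIEM_RAW,
                     SIEM_NOTABLE | set(searches))   # prescribed rules now fire
    return before, searches, after

if __name__ == "__main__":
    for label, result in zip(("before", "searches", "after"), run_cycle()):
        print(label, result)
```

Note that t3 stays "not_visible" after the fix: no SIEM rule can help when neither the firewall nor the IPS produced an event, which is the tuning gap the SIEM step cannot close on its own.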