On May 29, 2012 (US time), McAfee released its survey report "2012 Risk and Compliance Outlook". Chinese-language coverage of it is available here. For this report McAfee commissioned a specialist survey firm, which interviewed 438 mid- to senior-level IT staff from multiple countries around the world.

What interests me most in this report is the part of the survey dealing with SIEM. Perhaps it can be read as the motivation behind McAfee's acquisition of NitroSecurity, or as a sign of particular attention to the SIEM market following that acquisition.

The survey shows that roughly 60% of the responding organizations regard SIEM as an important means of achieving real-time visibility into applications, databases, system performance and events across the whole network. Visibility into IT security is a key element of IT risk management, and more than 81% of respondents agreed on the importance of such visibility.

The survey also shows that about half of the organizations spend 6 to 10 hours per month on risk-management activities, and roughly 40% of enterprises are planning to implement or upgrade a SIEM solution.

When asked about SIEM capabilities and attributes, two-thirds of respondents said that performance analysis, real-time analysis, manageability, application monitoring and DAM (database activity monitoring) were very important.

The report also makes a pitch for SIEM: "A SIEM enables security/network administrators to collect log data from a wide variety of servers and devices across the whole network to identify security threats and suspicious behavior. This type of tool also facilitates forensic investigations to determine 'who did what to what, when, and where,' and to manage the collection, storage and archival of all log data generated by numerous devices over a long period of time. The purpose of a SIEM is not to mitigate network threats by themselves, but to facilitate the timely identification of and alerting to (potential and real) threats. This is done by correlating data from multiple devices and looking for anomalous patterns from hundreds and thousands of devices in near real-time so that appropriate actions can be taken to prevent threats from inflicting further damage."
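As an added illustration of the two steps the quoted passage describes, normalizing logs from different device types into one schema and then correlating them into a "who did what, when, and where" alert, here is a minimal Python sketch. It is not code from the report or from McAfee; the firewall and sshd log formats, host names and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from two device types (hypothetical formats).
RAW_LOGS = [
    "2012-05-29T10:00:01 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2012-05-29T10:00:03 srv05 sshd: Failed password for root from 203.0.113.7",
    "2012-05-29T10:00:05 srv05 sshd: Failed password for root from 203.0.113.7",
    "2012-05-29T10:00:07 srv05 sshd: Failed password for root from 203.0.113.7",
    "2012-05-29T10:00:09 srv05 sshd: Accepted password for root from 203.0.113.7",
    "2012-05-29T10:30:00 srv05 sshd: Accepted password for alice from 10.0.0.9",
]

FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
SSH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def normalize(line):
    """Map a device-specific line onto a common schema: when, where, who, what, src."""
    m = FW_RE.match(line)
    if m:
        ts, host, action, src, _dst, _dport = m.groups()
        return {"when": datetime.fromisoformat(ts), "where": host, "who": None,
                "what": "fw_" + action.lower(), "src": src}
    m = SSH_RE.match(line)
    if m:
        ts, host, result, user, src = m.groups()
        return {"when": datetime.fromisoformat(ts), "where": host, "who": user,
                "what": "auth_" + result.lower(), "src": src}
    return None  # unparsed line; a real SIEM would count and surface these

def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Alert when >= threshold failed logins from one source precede a success within window."""
    events = sorted(filter(None, map(normalize, lines)), key=lambda e: e["when"])
    failures = defaultdict(list)   # src -> timestamps of failed logins
    denies = defaultdict(int)      # src -> count of firewall denies (cross-device context)
    alerts = []
    for e in events:
        if e["what"] == "fw_deny":
            denies[e["src"]] += 1
        elif e["what"] == "auth_failed":
            failures[e["src"]].append(e["when"])
        elif e["what"] == "auth_accepted":
            recent = [t for t in failures[e["src"]] if e["when"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(f"{e['when'].isoformat()} {e['where']}: {e['who']} logged in from "
                              f"{e['src']} after {len(recent)} failures and "
                              f"{denies[e['src']]} firewall denies (possible brute force)")
            failures[e["src"]].clear()
    return alerts
```

Each alert already answers the forensic questions from the quote (who, what, where, when, from which source), which is exactly what the normalization step buys you across otherwise unrelated log formats.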