About Andrew Hay

Andrew Hay is an information security industry veteran with close to 20 years of experience as a security practitioner, industry analyst, and executive. As the Chief Information Security Officer (CISO) at DataGravity, Inc., he advocates for the company’s total information security needs and is responsible for the development and delivery of the company’s comprehensive information security strategy.

Andrew has served in various roles and responsibilities at a number of companies including OpenDNS (now a Cisco company), CloudPassage, Inc., 451 Research, the University of Lethbridge, Capital G Bank Ltd. (now Clarien Bank Bermuda), Q1 Labs (now IBM), Nokia (now Check Point), Nortel Networks, Magma Communications (now Primus Canada), and Taima Corp (now Convergys).

Andrew is frequently approached to provide expert commentary on security-industry developments, and has been featured in such publications as Forbes, Bloomberg, Wired, USA Today, International Business Times, Sacramento Bee, Delhi Daily News, Austin Business Journal, Ars Technica, RT, VentureBeat, LeMondeInformatique, eWeek, TechRepublic, Infosecurity Magazine, The Data Center Journal, TechTarget, Network World, Computerworld, PCWorld, and CSO Magazine.

Response to: Can be OSSIM considered a SIEM? Is it enterprise ready?

wha?It looks as though my comments on OSSIM did not fall on deaf ears. They have, in fact, caused my comments to be lumped in with Anton Chuvakin‘s and massaged into something that reads as “OSSIM is not a SIEM” and “OSSIM is too difficult for S/MB and not reliable enough for the Enterprise”. Ummm….alright. Let’s clarify a few things here:

I have never said that OSSIM was not a SIEM.

In fact I was a big supporter of it early on but fell out of love with it when there was no visible progress over a 2 year period. I’m not blaming the developers, and I totally understand the Open Source ideals, but you can’t argue that a product is as good or better than a commercial alternative just because it is free and Open Source. To quote a Southern friend of mine – that dog won’t hunt.

Is it an Enterprise SIEM?

No, I don’t believe it is (but am willing to be corrected). I see it as a great SIEM solution if you’re feeding it data from other Open Source products. Looking at the “collector” page, that lists the supported data sources, shows me that either the integration points are very generalized or the marketing material needs updating (for example it looks as though OSSIM can collect data from Microsoft Office and Netscape based on the logos). If I were in the market for a SIEM solution and saw the “collector” page I’d be just as confused as when I started looking.

When I last tried to use OSSIM I deduced it wasn’t user friendly enough for a SMB to use.

When I install a product, I don’t want to have to jump through numerous hoops to get it up and running. Back when I tried to install OSSIM I was sent all over hell and creation to find the required packages to get it up and running. This is not user friendly. Maybe I’m lazy…maybe I’m just too busy to screw around with a product to poke and prod it into working for me. Maybe this has changed since I last tried it but I’d need some serious convincing to go back.

Am I willing to give it a second chance?

Sure! I’m a big proponent of all SIEM technologies and would certainly open my mind to trying it again. I would, however, want to run it along side of a couple of enterprise SIEM solutions to see how it stacks up. I wouldn’t want to just evaluate the technology but would also like to see how the paid support stacks up against enterprise SIEM support channels.

Dom, If you’re up for the challenge, let me know 🙂

Andrew Hay