Thursday, August 5, 2010

Razorback and IF-MAP?

I was reading about the new framework from SourceFire, Razorback, and I realized it has a lot of similarities with TCG's  IF-MAP. There is a lot of vendors mentioning things go beyond the simple correlation so common in the SIEM tools. It is a drive from CORRELATION to COOPERATION between security tools. That's awesome. Instead of having several tools waiting to receive data from different places, we need a security metadata bus that can be used by other tools. In that way a lot of things that make security hard to do will become far more easy. Firewall rules won't be " to using TCP4567" anymore, but "users from Finance going to the Finance App". We can build blocking and response rules using definitions such as "users infected with malware", "servers containing sensitive information", and far more interesting stuff. What's most important is to have those things following standards, in a way that the infrastructure will become less important, making it easier to apply security independently if things are running in your data center or in the cloud.But, again, only if initiatives like Razorback start working with standards like IF-MAP...