PathSolutions has released an extension to its TotalView product called Security Operations Manager aimed at helping mid-market IT folks gain better situational awareness of what’s happening in their network. It’s also aimed at helping security analysts do investigation and diagnostics with fewer tools. The fragmentation in the security market is pretty extensive, and while I am on-record as sceptical of any single-glass-of-pain solving the entire problem, some consolidation would be helpful.
Security Operations Manager is designed to help you quickly gather a certain amount of base-level knowledge in response to a security risk that has been identified, either within the tool itself, or from some external source like your SIEM or intrusion detection system. Things like which switch port the device with this IP is connected to, its operating system, who’s logged in, what it’s communicating with, and so on.
The idea is to help admins quickly orient themselves to what’s happening in the often messy and under-resourced world of mid-market IT. This is not a market with huge teams of dedicated security analysts. With luck, you’ll have a small team of IT people with generalist skills and a few specialists in key areas, hopefully one of them security. They need practical tools with a lot of bang for buck.
TotalView has an nmap integration that helps you do a quick scan of a remote host to get more information about what’s connected to your network. It also integrates with Active Directory so you can query AD to find out what a device is, if it’s joined to the domain. It’s all just practical, no-nonsense stuff that looks obviously useful. In a market seemingly obsessed with the magical panacea of AI/ML, it’s refreshing to see.
TotalView uses an embedded SQLite database to track data, and while it supports multiple pollers/collectors, it seems that the use of data from these multiple collection points involves an aggregation server that opportunistically aggregates data in real time as you view it. This is likely to slow down for large or complex queries, but for the kinds of environments TotalView is aiming for, I don’t see this is a major problem.
I’m a little concerned with how what Path Solutions calls its Global Footprint Search works in this distributed design. The example provided was to find vulnerable Acme webcams after a new CVE is announced, which requires talking to all the pollers (that have this data) in order to find them all, but it’s not an insurmountable problem. Mostly my questions are fairly academic ones about cache coherency in distributed systems and some operational ones about backup and recovery of the distributed data stores that are embedded into the product, but I can readily see low-fuss ways to make this work at the scale that’s needed for these environments.
TotalView could also benefit from a bit of time with a UX designer to help declutter the interface a little and streamline the information architecture before too much more gets added into the tool. This is mostly to make the tool easy to use for the most common tasks. It’s tempting to just keep adding functionality, but avoiding a messy interface requires a lot of discipline and careful planning, and it’s usually easier to start this once the base product has stabilised. However, I definitely want them to keep the personality that lead to a Gremlins tab in the product.
I have a special place in my heart for mid-market vendors that provide practical, no-nonsense products that demonstrate they really know their customers, and that they’re a company staffed with regular human beings. I spend most of my time in enterprise and startup tech land, and there’s a disturbing amount of nonsense and waffle you have to wade through to find something that solves your problem. And then when something goes wrong you have to run the gauntlet of robotic gatekeepers (some of whom are, or at least claim to be, human) to get stuff dealt with.
I particularly liked to see PathSolutions’ CTO Tim Titus’ immediate reaction to my fellow delegate Becky Elliot‘s question about adding metadata to the asset information recorded in TotalView.
“No. That is a phenomenal idea and I’m writing it down. That’s a great idea that we should add,” Titus said.
No waffle, just simple plain language and thanks. This is the kind of behaviour that makes me want to work with a vendor because sooner or later I’ll need to interact with the humans there, and I want to know that experience won’t suck.
For more information about PathSolutions Security Operations Manager, I recommend watching the Security Field Day demo video of the product.
Pingback: PathSolutions Security Operations Manager Helps Humans Find Security Gremlins - Tech Field Day