
  • 7/31/2019 Advanced cyber-security intelligence

    1/14

    Copyright Quocirca 2012

    Bob Tarzey
    Quocirca Ltd
    Tel: +44 7900 275517
    Email: [email protected]

    Clive Longbottom
    Quocirca Ltd
    Tel: +44 771 1719 505
    Email: [email protected]

    Advanced cyber-security intelligence

    Real time defence of business data and IT users through the use of next generation SIEM

    July 2012

    Traditional IT security defences have been built using point security products. These are good for protecting against specific threats; for example firewalls limit access to networks, anti-virus software detects malware on given devices and encryption protects stored data. However, cyber security threats have now emerged that can only be detected by correlating information from a wide range of sources, including point security products themselves.

    Most organisations already have much of the required data to achieve this but not the tools needed to process it. This has led to the emergence of next generation SIEM (security information and event management) tools. These enable the real time correlation of IT intelligence data and allow many advanced threats to be foiled or pre-empted that would previously have been undetectable.

    This paper presents a value proposition for investing in next generation SIEM tools. It should be of interest to any business, security or IT manager that wants to get ahead in the security stakes and make their organisation less likely to be a victim than the next one.

    Advanced cyber-security intelligence

    Real time defence of business data and IT users through the use of next generation SIEM

    Cyber security threats are becoming increasingly complex and can often only be detected by looking at data from multiple sources. This includes the logs from point security products, information about IT systems and the data that is used to store knowledge of users and their rights and other contextual information. A correlated view of all this data enables unforeseen attacks to be thwarted as they happen, as well as providing IT security teams with the insight to do their jobs more effectively and improve base security.

    Many security threats cannot be detected with point products

    Point IT security products, such as firewalls, anti-virus software and intrusion prevention systems, aim to stop individual threats as and where they occur but do not provide the advanced correlation needed to prevent many advanced cyber security threats. For example, a user request to attach to the network with a known device may look normal, but would not be valid if the device had been reported stolen the day before.

    IT security has become a big data problem

    Detecting complex threats in real time requires the cross correlation of large volumes of data in real time. Those charged with ensuring the security of their organisation's assets face a big data problem, similar to the broader business intelligence problem that comes with extracting value from the rapidly increasing volumes of electronically stored information.

    Analysing large volumes of IT intelligence data requires new tools

    The use of log management and security information and event management (SIEM) tools has become commonplace in larger businesses over the last decade for reviewing events that have already occurred. Now the next generation of SIEM tools has emerged. By processing and correlating data in real time, enforcing pre-programmed rules and observing suspicious activity, these tools enable the mitigation of cyber security threats that may otherwise go unnoticed.

    Next generation SIEM tools need to make finely balanced decisions

    If the tools are too sensitive then a valid, but unusual, action by a bona fide user may be blocked, causing frustration and damaging productivity. Next generation SIEM tools not only detect advanced threats but also enable quick decisions to be made about when to block access, when to allow it and when to alert security staff. They also provide IT security teams with the insight needed to know when human intervention is required.

    IT intelligence data can also be used to improve base security

    It is not just about stopping individual events; the data gathered by such tools can provide a continuous feed to enable any organisation to improve its security posture and to adjust policy to allow users to work more effectively and reliably. IT intelligence data can also provide an insight beyond IT security itself, enabling better management of IT systems and applications to improve the efficiency of business processes and user productivity.

    To justify required investments it is necessary to look at added value as well as reduced risk

    Advanced cyber security intelligence is obviously about reducing risk, but that alone may not be enough to win the backing for the required investment in next generation SIEM tools. There are also cost savings that come from avoiding the clean up after cyber security failures and avoiding potential fines if an event leads to a leak of regulated data. Value must also be added to the equation; greater overall confidence in IT systems means business processes can be pushed harder, increasing productivity and freeing IT staff to spend time focussed on innovation rather than fire fighting.

    Conclusions:

    So much criminal activity and political activism has now been displaced from the physical world to cyber space, or at least extended to cover both, that IT security employees are now in the front line when it comes to ensuring that the businesses they serve have the ability to function and that their continued good reputation is ensured. To this end they must be enabled with the tools that give them a broad insight into IT infrastructure, applications and user activity to protect their business from attacks tomorrow that no one can envisage today.


    Introduction: beyond point security products

    Nation states have known for centuries that putting point security measures in place, such as border controls and passports, to protect their territory, citizens and other assets is not enough. The best levels of protection are only achieved through proactively monitoring potential enemies and foiling their actions in real-time or, better still, pre-empting them. There will still be security breaches, but the constant gathering and effective use of intelligence ensures the number is minimised and that those with responsibility for security are able to make better informed decisions.

    Security failures have occurred in the past due to poor correlation of security intelligence. Some analysts consider that the failure of the FBI and CIA to share intelligence meant the planning for the Sept 11th 2001 terrorist attacks in the USA went undetected [1]. Even if good intelligence exists, not correlating it well with other information can lead to poor decision making with consequent serious results.

    Businesses have always had to focus on security too. For example, banks have always worried about armed robbers walking through the doors of branches; to counter this threat point security products, such as bullet proof glass screens and video surveillance cameras, were installed. However, the effect was to displace the crime elsewhere; when bank branches had become too hard to raid, criminals started to target the vans that moved cash to and from them.

    The past decade has seen a massive displacement of threats for both governments and businesses from the physical to the virtual world. The savvy bank robber no longer covers their face with a stocking but hides behind an anonymising internet proxy or passes themselves off as an insider on IT systems using a stolen identity. The opening up of the online world is a reality that businesses have not been able to ignore, not least because they need to exploit the opportunities that abound.

    Businesses must also recognise that protection online requires going beyond the use of traditional point IT security tools. That is not to say they are no longer necessary, but that they do not offer the level of defence required. For example:

    Anti-virus software may not detect a zero day attack on a given server. Correlating server access logs to identify that the same server is being used to contact many other servers and user end-points on the same private network and is sending messages home to an unusual IP address would give an early warning that something is amiss (Figure 1). The recently identified Flame malware worked in a similar way to this.

    An intrusion prevention system (IPS) may prevent multiple failed attempts to access a server from a particular IP address, but may not see that data is already being copied from that server due to a single successful penetration from the same IP address (Figure 2). Correlating log and event files could identify that two such events are related and lead to the prevention of a data theft. A so-called advanced persistent threat (APT) could have this sort of profile.


    Recent research conducted by OnePoll [2] amongst IT decision makers at UK-based organisations suggests some already understand these deficiencies; around half the respondents believed that it is doubtful breaches can be prevented or are, indeed, inevitable regardless of the security measures in place (Figure 3). Proactive real time intelligence gathering and correlation is needed to foil and pre-empt the wide array of increasingly sophisticated threats. However, many businesses lack the necessary tools and visibility to achieve this; 47% admitted that data is only analysed after an event has occurred (Figure 4).

    Good cyber security intelligence is fundamental to preventing advanced security threats and enabling security staff to do their jobs effectively. The real time use of correlated security intelligence can identify activities that may otherwise go unnoticed and prevent them from happening in the first place. Such intelligence also enables good decision making; IT staff need to react to fast moving events and be confident to raise the alarm and know how loud it should be: however, they do not want to be accused of crying wolf.

    This paper presents a value proposition for investing in next generation SIEM tools that enable a business to make use of a wide range of information sources to achieve these goals. It explains how proactive use of IT intelligence can counter threats as they happen rather than uncovering them after the event. It should be of interest to any business, security or IT manager that wants to get ahead in the security stakes and make their organisation less likely to be a victim than the next one.


    Sources of IT intelligence data

    Businesses have a problem with data; they are increasingly overwhelmed by it and are often unable to extract the expected value. This applies to both the business data that IT systems are there to gather, manage and provide access to in the first place, and also the data gathered about the use of business data itself and the IT systems that process and store it. This includes log data and audit trails; the gathering and analysing of all this IT intelligence data is essential to protecting against advanced security threats.

    IT intelligence data is the key to providing the insight that enables proactive threat mitigation and protection of business data from theft and misuse. By understanding how IT systems are being used and the threats that surround these systems and their users, the core security and value of IT can be better ensured.

    The struggle to get to grips with, and extract value from, overwhelming volumes of business data has been dubbed the big data issue in recent years. A similar struggle exists with IT intelligence data, which is also generated in large volumes. For example, the latest high performance network routers and switches may have gigabytes of solid state storage to hold log information about the millions of packets of data they process per second. Security products are constantly generating log files too, whilst file servers and databases maintain logs of who has accessed what and when. All this can only be made sense of in the context of access rights extracted from identity and access management systems and other contextual information.

    Another complication is introduced by the increasing use of on-demand (cloud-based) services. Information needs to be gathered from the providers of such services about the traffic flowing to and from them. Furthermore, to provide pervasive security coverage, security staff also need to be aware of the use of these services directly by lines of business and employees, something which is increasingly done without the upfront endorsement of the IT department.

    The growing diversity and mobility of devices used to access IT applications and data add more complexity (this includes the growing use of employee-owned devices). User devices can be both a cause of data leaks and a source of security threats. Point security products, including data loss prevention (DLP), end-point security tools and encryption can help, but recognising that a known device is being used in an unusual way requires reviewing it in the context of broader network, geographic and temporal information.

    Table 1 lists the range of sources for IT intelligence data. The need to gather, store and process so much IT intelligence data from so many sources is the reason IT security has become a big data issue. Addressing the problem requires new tools with the capability to process this data in real time. Some of the vendors of SIEM tools are now adapting their products to address the problem; so-called next generation SIEM.


    Table 1: Sources of IT intelligence data

    IT infrastructure
      Network devices: logs from routers, switches, information from network access control (NAC) tools, NetFlow data
      Security devices: logs from firewalls, IPS, other security appliances
      Servers: log files from servers in data centres, branch offices; physical, virtual and public cloud based
      User end-points: device information, network context, access history, records of ownership and records of losses
      SCADA (supervisory control and data acquisition) infrastructure: data about the operation of and access to industrial control systems, their network mapping and access history

    Access data
      Databases: access logs
      Other data access information: monitoring the use of content, data from data loss prevention systems and content filtering systems
      Business applications: access logs both for on-premise and on-demand applications
      Web access data: includes information about what is being downloaded to and from web sites; feeds from DLP tools and web filtering systems
      Email records: who has been sending what to whom?

    Vulnerability information
      3rd party feeds: from other IT vulnerability assessment and mitigation systems, e.g. Rapid 7, Qualys and FireEye
      Software integrity information: patch state of operating systems, firmware, database and applications, list of known flaws
      Known malware: list of known malware that may be used as part of more complex attacks

    User information
      User records: data from directories that defines who are authorised users and what groups they are assigned to; this includes information about current and past job roles
      Access rights: current access rights for a given user or group of users
      Privileged access rights: records of the temporary or permanent assignment of privileges to named users
      Guest access rights: information from network access control systems about areas of networks enabled for guest access
      Third party access rights: records of outside organisations and users that have been authorised to access infrastructure and applications
      Machine access rights: not all access is by people; software applications and devices are also regularly assigned access rights, for example to carry out automated sys-admin tasks

    Other data
      Change control systems: list approved sys-admin activities
      Locational data: IP and cellular geolocation where access requests are coming from
      Regulatory/standard information: for example ISO 27001, which many organisations have adopted as an IT security baseline
      Industry bodies: provide advice to members on known complex attack types and how to coordinate defence against them
      Social media feeds: may identify that a given organisation is likely to be subject to attack, pressure group campaigns etc.
      Weather: unusual weather conditions in a certain area may account for observed large scale changes in user activity
      Time: accurate coordination is not possible without good timekeeping; an accurate source of time is needed across different systems and often needs to be added to records to make them useful


    Next generation SIEM defined

    The capability to collect and analyse IT intelligence data has been available for a number of years, enabled by tools for log file management, security event management (SEM), security information management (SIM) and file integrity monitoring. One of the reasons that log management tools, in particular, emerged was that, due to the growing volumes of log data being generated, log files were being overwritten, especially on old devices with limited storage; maintaining a central database is the only way to ensure log data is available in the long term for compliance purposes.

    In 2005, Gartner coined the term SIEM (security information and event management) to characterise products that brought many of these capabilities together into an integrated product set. SIEM tools were mainly about taking a retrospective view of what had happened for compliance and governance purposes. Pulling together information from disparate sources could show auditors who had been accessing what and when. However, this was all after the event; more timely use of IT intelligence data could prevent unwanted events happening in the first place. This required an upgrade of existing SIEM tools to enable the real time processing of big data.

    This has led to the emergence of next generation SIEM tools that can do just this: analyse and correlate IT intelligence in real time. This includes data currently being generated and the huge volumes of existing log and event data. By doing this it is possible to recognise and stop advanced threats as they happen. Of course, more than fast processing is required; the tools must have the intelligence to evaluate irregularities and decide whether they represent true threats or not; this is important as over sensitivity will lead to annoying disruptions in the day-to-day use of IT and damage productivity.

    Table 2 lists the capabilities to be expected in next generation SIEM tools.

    Table 2: features of next generation SIEM tools

      The ability to process and analyse large volumes of IT intelligence data in real time
      Advanced correlation engine to process information from disparate sources
      The ability to enforce advanced rules that link disparate events and prescribe what should happen if there is an anomaly
      The intelligence and insight to act and prevent security breaches as they happen
      The ability to adapt and improve future responses
      The use of data from external sources to provide information on the new types of threat that have been observed elsewhere
      The capacity for the long term storage of IT intelligence data in a central repository
      Intuitive interface that gives IT security staff insight into historic data and into what is happening now


    Applying next generation SIEM through advanced correlation

    The key to understanding the value proposition for investing in next generation SIEM is to understand the insight provided by correlating IT intelligence data. This includes finding links between seemingly disparate events and the ability to apply policy in real time by linking existing logs, records of past events and other data with current activities. The ability to do this provides a new level of security that no individual security device or measure can offer stand-alone. This is best illustrated through a series of examples of advanced cyber security threats and how they can be countered through such correlations using next generation SIEM.

    Impossible access requests: it may be normal for a known user to access a given application remotely and out of office hours, but not if the request is coming from a location where they cannot physically be (Figure 5). Correlating each access request against the previous successful access request and checking the geographic location of the devices used can identify a physically impossible event, such as a user having moved from London to Paris in the space of a few minutes or hours, even if the bona fide user's job role could see them legitimately in both locations. Mobile network service providers use similar techniques for detecting fraud in their networks.

    Non-compliant movement of data: it might be usual for an employee to access customer information; it may also be usual for them to download it to a file for reporting reasons. However, for them to copy the data to a non-compliant location, for example a cloud storage resource in a certain country, should raise an alarm (Figure 6). There may be no malicious intent here; perhaps this is an example of a line-of-business commissioning its own cloud resources (an increasingly common practice). This requires rules that understand user access rights and compliance rules and the ability to correlate these in real time with attempts to copy data and the location of the target storage service.

    Absence of an event: SCADA systems are often controlled using human machine interfaces (HMI); this requires someone to be present, which, with a physical security measure in place, should be preceded by a record of the employee involved having used an ID badge to enter the premises in question. So, if an action is logged on an HMI system at a remote location that is not preceded by a valid record of physical entry, then either someone has gained unauthorised access or the HMI has been hacked remotely. An advanced correlation rule that looks for the presence of the badge reader log within a specified time prior to an HMI access request enables such a breach to be detected (Figure 7).


    Anomalous sys-admin activity: if a system administrator account has been compromised there may be an attempt to create a new account for future use. Correlating this activity with a change control system will identify that the creation of such accounts has not been authorised (Figure 8).

    Unexpected access routes: some databases are only normally accessed via certain applications, for example credit card data is written by an e-commerce application and only read by the accounts application; access attempts via other routes should raise an alarm if the tools are in place to correlate such events and observe that a rule about the normal access route is being broken (Figure 9).

    Sys-admin failures: next generation SIEM is not just about preventing security breaches, it can also help ensure sys-admin tasks are complete; for example a backup process is started, but no log for backup completed is generated (Figure 10). Searching logs and correlating them to check the various events in the backup process have all happened ensures that the task has been successfully completed.
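    The rules described above (impossible access requests, HMI use with no preceding badge record, account creation not covered by change control) and the IPS scenario from the introduction (repeated failures, one success, then a large copy from the same address), written out as a small streaming correlation engine. This is an added illustration, not LogRhythm's product or any code from the paper; the event formats, user names, thresholds (800 km/h, 60 minute badge window, three failures, 1 GB) and addresses are constructed assumptions.

```python
"""Toy streaming correlation engine for four rules described in this paper.
Added illustration, not LogRhythm or Quocirca code; every event, name and
threshold below is a constructed assumption."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_TRAVEL_KMH = 800         # assumed: faster than this between two logins is impossible
BADGE_WINDOW_MIN = 60        # assumed: badge-in must precede HMI use by at most an hour
FAILS_BEFORE_SUSPECT = 3     # assumed: this many failures from one IP before a success is suspect
EXFIL_BYTES = 1_000_000_000  # assumed: a copy larger than 1 GB by a suspect IP alerts

# Constructed sample events, time-ordered as a collector would emit them.
EVENTS = [
    # Figure 5 style: alice logs in from London, then "from" Paris 20 minutes later
    {"ts": "2012-07-01T08:00:00", "src": "vpn", "user": "alice", "lat": 51.5074, "lon": -0.1278},
    {"ts": "2012-07-01T08:20:00", "src": "vpn", "user": "alice", "lat": 48.8566, "lon": 2.3522},
    # Figure 7 style: bob badged in before using the HMI; carol did not
    {"ts": "2012-07-01T09:00:00", "src": "badge", "user": "bob", "site": "plant-7"},
    {"ts": "2012-07-01T09:05:00", "src": "hmi", "user": "bob", "site": "plant-7"},
    {"ts": "2012-07-01T09:30:00", "src": "hmi", "user": "carol", "site": "plant-7"},
    # Figure 8 style: one account creation has a change ticket, the other does not
    {"ts": "2012-07-01T10:00:00", "src": "change", "action": "create_account", "target": "svc_backup"},
    {"ts": "2012-07-01T10:10:00", "src": "directory", "admin": "dave", "action": "create_account", "target": "svc_backup"},
    {"ts": "2012-07-01T10:12:00", "src": "directory", "admin": "dave", "action": "create_account", "target": "helpdesk2"},
    # Figure 2 style: repeated failures, a success, then a large copy (203.0.113.0/24 is a documentation range)
    {"ts": "2012-07-01T11:00:00", "src": "auth", "ip": "203.0.113.9", "result": "fail"},
    {"ts": "2012-07-01T11:00:05", "src": "auth", "ip": "203.0.113.9", "result": "fail"},
    {"ts": "2012-07-01T11:00:10", "src": "auth", "ip": "203.0.113.9", "result": "fail"},
    {"ts": "2012-07-01T11:00:15", "src": "auth", "ip": "203.0.113.9", "result": "success"},
    {"ts": "2012-07-01T11:10:00", "src": "fileserver", "ip": "203.0.113.9", "bytes": 2_500_000_000},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def correlate(events):
    """Walk the event stream once, keeping only the state each rule needs,
    and return a list of (rule, detail) alerts in the order they fire."""
    alerts = []
    last_login = {}      # user -> (ts, lat, lon) of the previous successful access
    last_badge = {}      # (user, site) -> ts of the most recent badge-in
    approved = set()     # (action, target) pairs recorded in change control
    failures = {}        # ip -> count of failed authentications seen so far
    suspect_ips = set()  # ips that succeeded after repeated failures
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        src = ev["src"]
        if src == "vpn":  # impossible access requests: compare with the previous login
            prev = last_login.get(ev["user"])
            if prev:
                prev_ts, plat, plon = prev
                km = haversine_km(plat, plon, ev["lat"], ev["lon"])
                hours = (ts - prev_ts).total_seconds() / 3600
                if km > 0 and (hours == 0 or km / hours > MAX_TRAVEL_KMH):
                    alerts.append(("impossible_travel", f"{ev['user']}: {km:.0f} km in {hours * 60:.0f} min"))
            last_login[ev["user"]] = (ts, ev["lat"], ev["lon"])
        elif src == "badge":
            last_badge[(ev["user"], ev["site"])] = ts
        elif src == "hmi":  # absence of an event: no badge-in shortly before HMI use
            badge_ts = last_badge.get((ev["user"], ev["site"]))
            if badge_ts is None or (ts - badge_ts).total_seconds() > BADGE_WINDOW_MIN * 60:
                alerts.append(("hmi_without_badge", f"{ev['user']} on {ev['site']}"))
        elif src == "change":
            approved.add((ev["action"], ev["target"]))
        elif src == "directory" and ev["action"] == "create_account":  # anomalous sys-admin activity
            if (ev["action"], ev["target"]) not in approved:
                alerts.append(("unauthorised_account", f"{ev['admin']} created {ev['target']}"))
        elif src == "auth":  # many failures then a success from one address marks it suspect
            if ev["result"] == "fail":
                failures[ev["ip"]] = failures.get(ev["ip"], 0) + 1
            elif failures.get(ev["ip"], 0) >= FAILS_BEFORE_SUSPECT:
                suspect_ips.add(ev["ip"])
        elif src == "fileserver" and ev["ip"] in suspect_ips and ev["bytes"] > EXFIL_BYTES:
            alerts.append(("copy_after_bruteforce", f"{ev['ip']} copied {ev['bytes']} bytes"))
    return alerts


if __name__ == "__main__":
    for rule, detail in correlate(EVENTS):
        print(f"ALERT {rule}: {detail}")
```

    Each rule keeps only a small amount of state per user, site or address, which is what lets such checks run as events arrive rather than in a batch afterwards.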


    Taking action

    Detecting a threat in real time or in advance is all well and good, but what action should be taken? In some cases an immediate and drastic action to block access to an individual or stop an application or process may be justified, but this is not always the case. If security settings are over sensitive then this can lead to annoying disruptions to the valid use of IT. Poor intelligence may lead security staff to hit the panic button too soon or too late. There may also be good reasons for taking another course on certain occasions; for example, letting a criminal action continue long enough to gather forensic evidence for a prosecution.

    Furthermore, it may not be possible to stop complex attacks, such as those that form part of an APT, by taking any one single action; this may require putting the whole organisation on alert including taking proactive PR measures to limit reputational damage. If an attack is part of a broader campaign against an organisation then countermeasures may be required at all sorts of levels beyond IT systems, including in the news rooms and law courts, and there must be a team armed with the necessary intelligence to coordinate this. Sony's slow and awkward response to an attack by the hacking organisation Anonymous in 2011 is an example of an organisation failing to achieve these goals.

    What should be done in all cases is that an alarm is raised to security staff, so that even if automated actions are not taken they are in a position to intervene and make executive decisions as quickly as possible. They can also be better informed when making those decisions. Over time, next generation SIEM tools can provide even greater insight as they can adapt; recognising if anything similar has been seen before, what happened on the last occasion, the action that was taken and what was the outcome.

    Businesses know they cannot fend off every attack; 28% of respondents were so gloomy in the OnePoll research that they said it is doubtful that breaches can be prevented (see Figure 3). Thankfully, many more are less pessimistic, but even they must plan for falling foul of an advanced cyber security attack at some point. Planning for this means ensuring there is immediate access to the information required to provide forensic support for the clean-up. However, one of the main aims of having advanced cyber security tools in place should be to stop attacks in real time or pre-empt them by improving an organisation's overall security posture. To this end many IT security managers will need to make the case for investment in new or upgraded technology.


    Conclusion: a total value proposition for next generation SIEM

    Quocirca's total value proposition (TVP) analysis looks at the expected return from any given investment in terms of risk reduction, cost saving and value creation. There are a number of factors in all three areas that can be put into a proposition for the investment in next generation SIEM.

    The case certainly needs to be made. 52% of respondents to the OnePoll research stated that the proportion of IT budget spent on security had not gone up in the last five years (Figure 11). However, respondents felt that the emergence of new regulations is one of the best ways of engaging with senior level management involved in the IT security decision making process (Figure 12).

    Financial risk is also a good way to get the ear of those who control the purse strings; 77% stated that the growing threat of data breach penalties could help motivate and increase spending (Figure 13). But once the discussion is underway, a more positive case can and should be made for the investment in proactive cyber security intelligence.

    This discussion should focus on reduction of business risk, the control of business cost and the creation of business value.

    Risk reduction

    From the evidence presented in this report it should be clear where next generation SIEM tools could help reduce risk. These include:

      Insight into risks that cannot be seen using point security tools
      IT security teams empowered with the information to act (or take no action) with confidence
      Improved base security
      Rapid response to limit reputational damage

    Cost saving

    Security failures can be an expensive business; investing upfront to avoid them is far better than unbudgeted spending to clear up the mess after the event:

      Avoidance of penalties for data breaches
      Automation of time-consuming data analysis
      Less money and time spent cleaning up incidents after they have happened


    Value creation

    The more confidence a business has in the use of IT the better positioned it is to exploit the huge business value that it provides:

      Better protection of IT assets means higher availability
      More IT staff time is freed up to focus on core value
      There is more confidence to innovate with IT in the knowledge that its use is more secure
      Confidence to fully exploit business processes
      An open communications environment for employees, partners and customers where the business is protected from the potentially harmful actions of users, be they intentional or accidental

    So much criminal activity and political activism has now been displaced from the physical world to cyber space, or at

    least extended to cover both, that IT security staff are now in the front line when it comes to ensuring that their

    businesses can continue to function and ensuring its continued good reputation. To this end they must be enabled

    with the tools that give them a broad insight into IT infrastructure, applications and user activity to protect their

    business from attacks tomorrow that no one can envisage today.

References

1. Wedge: From Pearl Harbor to 9/11, The Secret War Between the FBI and CIA, Mark Riebling, 1994 (updated 2002)

2. OnePoll research commissioned by LogRhythm, into 200 UK-based businesses with more than 1,000 employees (Spring 2012)


About LogRhythm

LogRhythm is the leader in cyber threat defence, detection and response. The company's SIEM 2.0 security intelligence platform delivers the visibility, insight and remediation required to detect the previously undetectable and address the mutating cyber threat landscape. LogRhythm also provides unparalleled compliance automation and assurance as well as operational intelligence to Global 2000 organisations, government agencies and mid-sized businesses worldwide.

For more information on LogRhythm please visit http://www.logrhythm.com, follow on Twitter: @LogRhythm or read the LogRhythm blog.

LogRhythm Inc.
4780 Pearl East Circle, Boulder CO., 80301
[email protected]
Phone: (303) 413 - 8745
Fax: (303) 413-8791

LogRhythm Ltd.
Siena Court, The Broadway, Maidenhead Berkshire SL6 1NJ, United Kingdom
[email protected]
Phone: +44 (0)1628 509 070
Fax: +44 (0)1628 509 100

LogRhythm Asia Pacific Ltd
8/F Exchange Square II, 8 Connaught Place, Central, Hong Kong
[email protected]
Phone: +852 2297 2812
Fax: +852 2297 2289

LogRhythm France SARL
171 bis, Boulevard Charles de Gaulle, 92200 Neuilly sur Seine
[email protected]
Phone +33 1 40 88 11 80

LogRhythm Germany GmbH
Landsberger Strasse 302, D - 80687 München
[email protected]
Phone +49 89 90405 245


About Quocirca

Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption: the personal and political aspects of an organisation's environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to provide advice on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca's mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca's clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP, Xerox, EMC, Symantec and Cisco, along with other large and medium-sized vendors, service providers and more specialist firms.

Details of Quocirca's work and the services it offers can be found at http://www.quocirca.com

Disclaimer:

This report has been written independently by Quocirca Ltd. During the preparation of this report, Quocirca has used a number of sources for the information and views provided. Although Quocirca has attempted wherever possible to validate the information received from each vendor, Quocirca cannot be held responsible for any errors in information received in this manner.

Although Quocirca has taken what steps it can to ensure that the information provided in this report is true and reflects real market conditions, Quocirca cannot take any responsibility for the ultimate reliability of the details presented. Therefore, Quocirca expressly disclaims all warranties and claims as to the validity of the data presented here, including any and all consequential losses incurred by any organisation or individual taking any action based on such data and advice.

All brand and product names are recognised and acknowledged as trademarks or service marks of their respective holders.

REPORT NOTE: This report has been written independently by Quocirca Ltd to provide an overview of the issues facing organisations seeking to maximise the effectiveness of today's dynamic workforce.

The report draws on Quocirca's extensive knowledge of the technology and business arenas, and provides advice on the approach that organisations should take to create a more effective and efficient environment for future growth.
