- Security information and event management (SIEM) market consolidation/evolution poses a different set of challenges and opportunities to enterprise security operations.
- It is important to adjust expectations and buying strategies in light of the consolidation.
The SIEM market, although mature, is evolving more rapidly than it has for some time. Large IT vendors including HP and IBM are now throwing their weight around in the market, as is McAfee in the security market. This is putting greater pressure on other vendors that have sat on the sidelines to make a move. SIEM players are working to streamline deployments while at the same time scaling their ability to gather and correlate an exponentially larger data set. Furthermore, a new crop of startups has a clean slate to address the complexity issues of traditional SIEM products by enabling true cloud-based SIEM services that can reduce the heavy maintenance and operational costs of first-generation, premises-based SIEM architectures. Given such changes, here are a few practical recommendations for any current or prospective SIEM customer.
Think twice about expanding the scope of your SIEM deployment if your supplier is a smaller, regional SIEM vendor. The market will consolidate significantly over the next 12 to 24 months, and the smaller vendors will not make it. At the same time, if you are coming up on a contract renewal with a smaller and less financially secure SIEM provider, it would be in your best interest to evaluate other SIEM platforms from more established providers, especially if you have any doubts at all about the staying power of your current SIEM supplier.
Do not expect a SIEM system by itself to detect a targeted attack. It is impossible to write a rule to catch a security event when the attacker is doing everything possible to remain undetected. RSA, itself a SIEM supplier, used NetWitness' network forensics tool to track the activities of the attackers that stole its SecurID source code. In fact, RSA bought the company and has integrated its technology into its enVision SIEM. HP, for its part, integrated its SIEM with Solera Networks' DeepSee network forensics and analysis tool.
HP's ArcSight typically generates much more business from existing customers, which often begin their implementations to meet compliance requirements but expand their deployments as they look to build a more comprehensive security monitoring operation. Such customers would do well to investigate whether their expansion plans are based on a scalable architecture. Compliance check-box architectures and truly useful security monitoring architectures are not the same. It would be a shame to invest so much more only to find that the system does not meet the objectives: better visibility into the security state of the corporate network and its valuable resources, and faster shutdown of the attacks that get through existing defenses.
Hold out for better price concessions: If you are a SIEM user today and are looking at a refresh or an expansion of an existing deployment, it is worthwhile to open the project to competitive bidding by several of the larger SIEM providers. Competition is stronger there than it has ever been, and it would not be surprising to see that competition result in better contract terms.