The past year has been eventful for security information and event
management (SIEM), a colorful security niche that continues to grow
at a healthy clip, but still remains in flux amid consolidation,
changing technological demands, and a push to service a wider
market base beyond SIEM's bread-and-butter financial services
enterprise customer.
A recent report by Frost & Sullivan's Network Security research
practice estimates that when all is said and done for 2010, the
SIEM and log management market will have achieved a 15.8 percent
growth rate. That's good for an overall IT marketplace that has
experienced relatively flat growth in the small single-digit
percentage range. At the same time, though, the market's growth
rate slipped slightly compared to 2009's 18.5 percent rate.
In truth, however, 2009 was a banner year for SIEM, and the slight
dip in growth could be viewed less as a downward trajectory and
more as a slight adjustment following a breakthrough in
technology adoption.
"Two years ago, vendors had to evangelize SIEM and make the case
for it," says Chris Poulin, chief security officer for Q1 Labs.
"Now it is seen as a critical part of the architecture for a mature
security organization -- it is baked into the architecture."
Perhaps there was no better evidence of IT's embrace of SIEM as a
mainstream, everyday necessity than HP's USD 1.5 billion acquisition
of market leader ArcSight.
The ArcSight buy was actually just the latest endcap to a long
stream of SIEM consolidation moves that can be followed as far back
as 2006 with the IBM purchase of Consul and the RSA pickup of
Network Intelligence. Within the past 18 months alone, the market
has seen ArcSight gobbled up, Cisco discontinue its MARS product line,
and Trustwave purchase Intellitactics. And yet, even as the market
has consolidated, the SIEM landscape is still relatively cluttered,
with more than 20 players vying for the USD 785 million market.
This leaves a bit of a paradox: How can the market have
consolidated so much and yet the number of vendors still continue
to grow? The answer is bifurcation, says Mike Rothman, analyst and
president of Securosis. With such a strong growth rate, SIEM
continues to attract new start-ups, but that doesn't mean they're
necessarily succeeding at the same rate as the rest of the market.
Instead, the SIEM pie is growing, but the biggest slices are
increasingly being hoarded by a very short list of market
leaders.
"From a lot of the conversations I'm having, we are starting to see
that kind of bifurcation where the big companies in the space,
whether they're public or not, are showing good growth, whereas a
lot of the smaller companies are having a hard time because they're
not big enough, they don't get into enough deals, and once they get
into a deal, a deal viability issue comes up and makes it hard for
them to win," he says.
According to Q1's Poulin, the most successful vendors are the ones
that have been able to most easily help customers come to grips
with the inundation of security data that they need to make sense
of. After all, in the sixth annual SANS Log Management survey, released
earlier in 2010, IT professionals said the top two challenges they
faced in this arena were searching through reports and being able
to interpret reports.
"The vendors that have pulled away from the pack are the ones who
understand that different sources of telemetry need to be treated
as more than just another event feed: Network flows need to be
stitched together to get the full picture, VA data is context to
add to or build up as an asset database, and configuration data at
the host level and along the network path is critical to not just
incident impact analysis, but also incident fidelity," Poulin
says.
At the same time, though, there could still be room for new players
that can find a way to service nontraditional SIEM markets -- SMBs,
and enterprises outside the financial services sector -- with
easy-to-use solutions that deliver targeted security intelligence.
Analysts say growth rates within SIEM hosted and managed services
are strong and could soon greatly outstrip the growth of
traditional SIEM offerings.
Frost & Sullivan says the services subcategory within SIEM grew by
USD 21 million this year, up to USD 121 million. Next
year it expects this market to grow by another USD 26 million.
"In order for this market to continue to grow and to continue to
drive value to customers, it has to be easier to use, and it has to
be much more applicable to the midmarket customer," Securosis'
Rothman says.
At the same time, don't expect SIEM vendors to be sidetracked from
their main mission of serving their core constituency. The vendors
are likely to focus in 2011 on offering more sophisticated products
that dive deeper into the data already at hand.
"The next step for SIEM is to go further with feed, interpreting
nontraditional telemetry in a way that makes sense for specific
customer needs," Poulin says. "Many vendors have focused on SCADA,
currently the media darling due to Stuxnet and fears of
state-sponsored attacks on utilities. However, the use cases simply
aren't that exotic.