In-Depth

Beyond Logs: Security Event Management Market Heads For Shakeout (Part 2 of 2)

Experts predict imminent SEM market consolidation. The upside: lower software costs, easier usability, and improved efficiency. Even so, users will be faced with a dizzying array of options.

• By Mathew Schwartz
• 06/27/2006

Does your company have a log-management program?

In this age of rampant audits and regulatory requirements, companies are increasingly studying their security and event logs to learn who accessed a system, why, for how long, what they altered, and if any of that activity looks suspicious.

The prospect of corralling all of the logs generated by a company’s firewalls, intrusions detection and prevention systems (IDS/IPS), gateway antivirus, host-based IPS, Active Directory, and server operating systems often fills IT managers with dread.

To help, companies are increasingly turning to security event management (SEM) software, security information management (SIM) software, or a combination of the two—security information and event management (SIEM)—to filter, consolidate, and analyze logs from many different sources. Yet this group of software solutions is far from a one-size-fits-all proposition, and before implementing it, you must decide why you need it, and how you plan to employ it.

The SEM Market

Gartner Group, in its “Magic Quadrant for Security Information and Event Management” for the first half of 2006, says 19 vendors offer SIEM technology, with options ranging from full-featured enterprise SIEM software to point solutions more focused on compliance requirements, from network behavior analysis (NBA) to just-centralized log analysis. Some newer SIEM tools are now also targeted explicitly at the needs of medium-size enterprises.

According to the Gartner report, the current SIEM market leaders are ArcSight, CA, Novell, Intellitactics, NetIQ, netForensics, and IBM, all of which sell SIEM software; plus Network Intelligence, which sells appliances.

Gartner notes, however, that four companies are challenging those leaders: Cisco, with its MARS appliance; Consul, which tackles “the audit and compliance aspects of SIEM”; InTrust, from Quest Software; and Symantec, which recently released an SIEM appliance. Note, however, the efficacy of Symantec’s new appliance—“a replacement for a marginal software offering that had scalability and functional limitations”—is so far unknown.

Compliance and ROI Drive SEM Software

As the number of SIEM vendors suggests, more companies than ever need to extract information from their logs, and many have realized manual log-management processes aren’t sufficient. According to a January 2006 survey conducted by Forrester of 149 “technology decision-makers” at North American companies of all sizes, “30 percent said that they were likely to purchase or implement a security information management (SIM) solution this year,” though over 60 percent aren’t purchasing it for security detection and alerting capabilities. “Rather, they state a primary interest in SIM to help with a variety of issues, including incident response, compliance, and measuring security effectiveness.”

While security concerns drove initial SEM adoption, that’s changed. “It’s really been driven by two things: regulatory compliance and being able to prove to an auditor that you have certain controls in place. The other part of that is just the return on investment question—being able to prove that you’ve stopped or caught this many things,” says Rob Ayoub, an industry analyst for network security with Frost & Sullivan.

Andrew Lark, chief marketing officer of LogLogic, echoes that observation. “About 70 percent of the people who come and talk to us do it because they have a very specific compliance requirement, failed an audit, or need to implement COBIT or another specific control.”

Selecting SEM Software

Some SEM software vendors—including many of the market leaders—offer software with very broad capabilities. Such an approach, however, might not be ideal for your company, notes Gartner. “A product that can address many use cases is likely to be more expensive to deploy and maintain than a product that is optimized for a narrower set of functions.” In other words, only buy as much as you need.

Beyond full-featured SIEM products, Gartner says other options include products with tie-ins to vulnerability management software; identity management software—especially for compliance audits; and NBA tools. Beyond that, SIEM software categories include dedicated log analysis software; syslog or syslog-like tools for collecting and analyzing log data (typically in ASCII format); plus “lighter” types of SEM software designed just to analyze logs.

Not all SIEM products need work exclusively. For example, “if there’s a network-oriented or firewall-oriented SEM/SIM in place, we co-exist with that, but really focus more on the compliance or user-oriented information,” says Marc van Zadelhoff, vice president of marketing and business development of Consul Risk Management.

Competition Breeds Usability

While SIEM software has historically had a reputation for being difficult to install, train, and maintain, newer technology is trying to compete with easier usability. “Cisco and Check Point and several others have entered this market with a focus on ‘it’s not plug and play but here are a lot of predefined rules and reporting and setups that are coming straight out of the box,’” says Ayoub. By contrast, “many other vendors are basically just using a software installation you run on a server.”

While some companies—especially larger enterprises—will no doubt want to run their own software, “the world likes appliances,” he notes. Furthermore, just the prospect of SEM software that’s more “plug-and-play” is attractive to many and should be a competitive differentiator.

Beyond easier usability, with so much competition between vendors, experts say forthcoming generations of SIEM software will continue to merge SIM and SEM capabilities, and do so at a fast pace. For example, Forrester Research analyst Thomas Raschke predicts “we will see vendors like BMC, CA, HP, IBM Tivoli, and Sun—but also McAfee, Cisco, and Symantec—offering bundled solutions or integrated products by expanding through acquisition and/or consolidating their existing product portfolios.” The result? “Better visibility, cost savings, and higher efficiency when protecting and managing enterprise-wide IT systems.”

Given current SIEM software market competition, and numerous experts forecasting market consolidation, when will the shakeout occur? “It’s going to happen sooner than later,” predicts Ayoub.

Related Article:

• Beyond Logs: Creating a Log-Management Program (Part 1 of 2)