Tuesday, January 12, 2010

The 2010 SIEM Winter Olympics Preview

A "point in time" snapshot of how I think 2010-2012 looks in the SIEM Market. A much more detailed analysis will be available soon (on request).

Some highlights of the preview:
1. Many companies are focused on rationalizing recent acquisitions or on making their current product scalable and/or bullet-proof. I think that this is absolutely crucial for these organizations, but it does create an opportunity for ArcSight to further separate from the pack in 2010.

2. Formerly "niche" players are taking the lead in 2010. Q1, Tenable, Nitro all have a legitimate chance to overtake their peers in terms of functionality and, more importantly, in the marketplace. Each has their own approach, all are led by very capable teams - I'm interested to watch and see what the market does with these three.

3. I don't expect all of these SIEM players to survive to the 2012 Winter Olympics. In fact, I'd guess at least three of them will be consumed or fail completely. Many have other products that have helped them sustain, but not necessarily grow when compared to SIEM competition.

4. Most of the larger organizations have had serious setbacks with their acquisitions in this space. Based on functionality limitations and these organizations losing significant market share, I expect some of them to take a serious look at replacing those products (or portions of the products) with more competitive options in the market today.

5. SIEM will certainly grow into interesting areas in the next 24 months as vendors look toward cloud-based solutions, support virtualized systems and networks, and as more mature users push these products to solve problems other than the basic Security Operations and Compliance use cases.

6. I do expect the larger picture to come into focus around SIEM soon. RSA's acquisition of Archer is indicative of things to come. The larger companies are focused on presenting Enterprise Risk to the business and not just speeds and feeds anymore. Certainly better reporting, integration with enterprise apps and usage of other technologies will continue to evolve, but I believe it will finally be centered on the user's functional purposes and not just marketing hype.

7. SIEM also needs to evolve downward. Yes, positioning relevant information upward in the business is the ultimate goal, but we can't forget the analyst. The SIEM must continue to support the analytical needs of its core user base: deeper integration with other analytical tools and resources (Content Inspection, CMDB, Custom DB's, etc.) and facilitating that interaction intuitively.


Tom Grabowski said...


How do you define SIEM? Are you using Gartner's definition?

I am surprised you don't include LogRhythm or Splunk in this list. I've seen a lot more customers using those solutions than Tenable and Nitro.

I also think you may be overestimating the power of creating the platform for bolt-on applications by ArcSight. LogLogic and Splunk have had that functionality for several years. I don't see ArcSight opening up their customer base to 3rd party software companies or developers very easily.

The only ones getting medals from me would be ArcSight, Q1, LogLogic, Splunk, and possibly EMC/RSA. Size matters when the field is crowded.

Rocky DeStefano said...


First thank you for taking the time to read and respond.

The exclusion of LogRhythm was an oversight - I meant to count them as a "rest of the field" team. I haven't seen them anywhere in a long time. They started to make noise about this time last year, but kind of fell off the map. I'll look more closely at them in the future.

I don't count Splunk as a SIEM - it's a Search tool - perhaps Log Management Plus is a better category. When it comes down to it I'm not sure RSA qualifies as a SIEM either - they fall much more solidly as a Log Management Plus type of tool. Size does matter, so for now I'll leave them in SIEM and they can continue to figure out how to compete more aggressively on functionality in that space.

RE: bolt-on applications. This is an interesting topic, one that perhaps deserves its own series of whitepapers. Splunk allows it, but only pushes a very small set of solutions (Glasshouse). A decision that, rumor has it, they are starting to regret. I think you'll see more providers in the near future.

ArcSight has been saying they want people to build "apps" onto their platform for about 2 years. Very few have, mostly because ArcSight hasn't found a way to push those apps on behalf of partners from a marketing/sales perspective. This is a very ripe area, well at least if the solution includes content and continual refinement together.

As far as the overall post, I wasn't handing out medals just yet - just handicapping the field for now. In all honesty the current separation between the tiers is a lot broader than Gold to Silver and Silver to Bronze can accurately represent.

Jimmy said...


Long time reader, first time poster.

Having spent the last 3 months in SIEM heaven/hell (heaven since we are finally doing something about log management/SIEM, or hell since we are finally doing something about log mgmt/SIEM), I can agree with most of what you have here (and in your other posts)... I definitely think that Nitro and Q1 are going to be movers and shakers in the coming year... but I am wondering how RSA ended up in the Bronze category.

To qualify, I have been hands on for the last 2 months with Q1 Radar, Symantec and RSA. They all have met our primary technical and functional requirements... some easier than others and all three show capability to support some 'out of the box' functionality that I have the need for as well.

While RSA has made me think I need to go back to school to get an engineering degree to actually use the tool, I found its functionality around log management and event correlation to be in line with the Q1 system. If it is the usability aspect (which you do highlight in your blog posts) then I can see that being a critical factor... but were there others that maybe I missed in our limited PoC or just hadn't thought of?

Any information that you would be able to share in regards to that would be appreciated.