The acquisition announcements aren't the first SIEM buys by heavy-hitters; HP last year purchased ArcSight, and RSA bought NetWitness earlier this year. At a time when traditional SIEM technology's event-driven approach is under the harsh glare of the spotlight for its inability to catch so-called advanced persistent threat (APT) attackers, the deals underscore the need for more useful, detailed, and expedient information and intelligence for inevitable attacks against organizations.
Catching an APT requires real-time monitoring that detects and provides analysis of the various anomalies or events under way in the attack, experts say, rather than inundating organizations with raw log data or a pure SIEM that only flags known threats. "That is the future -- the ability to analyze this data in real-time," says Joe Gottlieb, CEO of Sensage, an indie SIEM vendor that focuses on security data analysis. "There's too much data to look at."
Both IBM and McAfee had noticeable gaps in the SIEM area, and despite a recent "SIEM-is-dead" campaign by eIQnetworks, these major vendors say SIEM is poised to enter a new generation that addresses so-called situational awareness.
"I don't think SIEM is dead at all. I think a lot of companies have leveraged SIEM only to be a compliance management reporting tool. They've lost a lot of the potential value proposition of what SIEM can deliver," says Dave Anderson, senior director of solutions marketing for McAfee. "Our acquisition of NitroSecurity speaks to that forward-thinking opportunity of SIEM combined with McAfee's overall security portfolio, ePO [ePolicy Orchestrator] management and risk and compliance, that [SIEM] can start to deliver."
Robert LeBlanc, senior vice president of IBM middleware software, said in a press conference today that its deal to buy Q1 Labs reflects a shift in security overall. "The data to react to threats and events and [other] capabilities we got with Q1 Labs is taking security to the next level," LeBlanc said, with the ability to apply analytics and intelligence to threat detection and prevention.
IBM, which wouldn't release the financial details of the purchase of the privately owned Q1 Labs, expects the deal to wrap up in the fourth quarter. The company also announced that Q1 Labs would be part of a new division it was establishing, the IBM Security Systems Division, and that Brendan Hannigan, Q1's CEO, will head it up. The division will integrate IBM's Tivoli, Rational and Information Management security software, appliances, and services, and incorporate Q1's analytics into its identity and access management, database security, application security, network security, risk management, IPS, and endpoint management products.
And IBM is also now offering a cloud-based version of Q1 Labs' SIEM product through its IBM Managed Security Services.
But the concept of security intelligence isn't just about SIEM. Scott Crawford, managing research director at Enterprise Management Associates, who blogged on the announcements today, says other areas like forensics analysis and "big data" are also part of the puzzle.
"Today’s acquirers of new approaches to SIEM -- and other technologies that disrupt legacy approaches to security data management -- should therefore be watched closely for the directions they take these assets, as part of larger initiatives to both broaden and deepen the nature of data-driven security. Rarely has there been a greater need for more responsive insight and much-needed maturity in management than in information security today," Crawford said in his post. "SIEM is certainly not the only segment to watch in this regard."
Q1's Hannigan echoed the same sentiment. "At the end of the day, SIEM is the anchor tenet … but in reality, the end point is security intelligence," Hannigan said. "It's broader than SIEM, log management, network activity monitoring, and it includes every one of the above. We will include database activity monitoring and application vulnerability scanning. That's what security intelligence is … it should be the end goal."
Meanwhile, McAfee's planned purchase of the privately held NitroSecurity is also expected to close in the fourth quarter; NitroSecurity will become part of McAfee's risk and compliance business unit headed up by Stuart McClure, general manager and senior vice president at McAfee.
NitroSecurity's NitroView SIEM, which already was integrated with McAfee's ePolicy Orchestrator, will now help McAfee provide a single platform for security analysis and management, according to McAfee, although details on the ultimate architecture are still not finalized. "It's going to be a platform for correlating IT events, leveraging our current bidirectional integration [between NitroView] and ePO," McAfee's Anderson says.
The dueling SIEM announcements today basically demonstrate more consolidation in the market. "A lot of companies are seeing a strong value proposition of having some type of SIEM solution. We looked at several SIEM solutions, and based on NitroSecurity's underlying technology and performance, we are extremely confident that we picked the right technology to acquire," Anderson says.
According to Mike Rothman, president and analyst with Securosis, the IBM and McAfee deals are a continuation of a market consolidation that has been going on for nearly four years. "Pure and simple, SIEM/LM was never going to be a long-term independent technology, so these deals are just the logical conclusion of a three- to four-year consolidation," Rothman said in a blog post today.
Jerry Skurla, executive vice president of NitroSecurity, says the acquisitions by McAfee and IBM validate the technology. "What it means is that it's an absolute core technology for cyberdefense in 2012 and beyond," Skurla says.
Real-time visibility into the IT infrastructure with SIEM is crucial, he says. And adding new capabilities to SIEM, such as the ability to draw from years' worth of log data for analysis, can help with stealthy APT attacks. "A good APT attack may take a year or two to wind its way into the organization before it goes active," Skurla says. "You need both good rules and baselining and correlating" to spot and stop these attacks, he says.