The good news is security vendors are moving toward offering more multifunction, integrated suites. And to hear the Burton Group's Daniel Blum tell it, it's also the bad news.
With heavy hitters like Cisco, Microsoft, and Oracle joining the security market through strategic acquisitions -- and some new development -- enterprises should get some price breaks on security tools, says Blum, senior vice president and research director with Burton.
"The security market is drifting toward lower prices and large, integrated suites," Blum says, with antivirus and anti-spyware companies converging their products, as well as network security vendors like Cisco and Juniper doing the same on their end, adding features such as network access control to their network devices.
Blum will talk about this and other security trends in his "Security Landscape: Market in Flux" session on Monday at the Computer Security Institute's 33rd Annual Conference and Expo in Orlando, Fla.
This integration is also expected to simplify security oversight, with fewer tools and easier management of all that data they generate. But there are trade-offs, he says. "If you had one vendor provide everything for you, then it wouldn't [be able to easily] keep up with change and new attacks," he says. "And if you have too many different vendors' products, you can't keep up with the burden of integrating" it all and you're probably not getting the best bang for your buck because you'll also have to invest in integrating the tools.
Blum recommends narrowing it down to one "primary" security vendor plus a limited number of others to fill in and ensure better security coverage. Larger security vendors are likely to remain more stable than smaller ones that could get acquired, repurposed, or worse, edged out by the big boys, so they make the best primary vendor, he says.
The key is not getting trapped on a treadmill of having to buy a new security tool every time a new attack vector is discovered, or a new compliance requirement comes along, he says.
Meanwhile, there's still no easy way to manage the data that security tools generate, or to sift through the false alarms in it. Today's network operations centers don't typically encompass all of an organization's security management, Blum says. "Most of us don't have security in the NOC. You see security teams playing more strategic roles than operations, such as compliance, high-level risk management, etc. And they need to be able to exert control through distributed points as well... You can't do it all from one NOC."
But that doesn't mean security management is a done deal today. You need a layered architecture that monitors intrusions and attempts to provide audit evidence, along with operations management, change management, and policy management, he says. Blum calls this a "control system": a collection of layered tools, such as policy management, detection, audit, and repository components, that monitor real-time intrusions and track historical audit evidence you can use to report to upper management, he says.
Kelly Jackson Higgins, Senior Editor, Dark Reading