A recent report by Frost & Sullivan's Network Security research practice estimates that when all is said and done for 2010, the SIEM and log management market will have achieved a 15.8 percent growth rate. That's good for an overall IT marketplace that has experienced relatively flat growth in the small single-digit percentage range. At the same time, though, the market's growth rate slipped slightly compared to 2009's 18.5 percent rate.
In truth, however, 2009 was a banner year for SIEM, and the slight dip in growth could be viewed less as a downward trajectory and more as a slight adjustment following a breakthrough in technology adoption.
"Two years ago, vendors had to evangelize SIEM and make the case for it," says Chris Poulin, chief security officer for Q1 Labs. "Now it is seen as a critical part of the architecture for a mature security organization -- it is baked into the architecture."
Perhaps there was no better evidence of IT's embrace of SIEM as a mainstream, everyday necessity than HP's $1.5 billion acquisition of market leader ArcSight.
The ArcSight buy was actually just the latest endcap to a long stream of SIEM consolidation moves that can be followed as far back as 2006 with the IBM purchase of Consul and the RSA pickup of Network Intelligence. Within the past 18 months alone, the market has seen ArcSight gobbled, Cisco discontinue its MARS product line, and Trustwave purchase Intellitactics. And yet, even as the market has consolidated, the SIEM landscape is still relatively cluttered, with more than 20 players vying for the $785 million market.
This leaves a bit of a paradox: How can the market have consolidated so much and yet the number of vendors still continue to grow? The answer is bifurcation, says Mike Rothman, analyst and president of Securosis. With such a strong growth rate, SIEM continues to attract new start-ups, but that doesn't mean they're necessarily succeeding at the same rate as the rest of the market. Instead, the SIEM pie is growing, but the biggest slices are increasingly being hoarded by a very short list of market leaders.
"From a lot of the conversations I'm having, we are starting to see that kind of bifurcation where the big companies in the space, whether they're public or not, are showing good growth, whereas a lot of the smaller companies are having a hard time because they're not big enough, they don't get into enough deals, and once they get into a deal, a deal viability issue comes up and makes it hard for them to win," he says.
According to Q1's Poulin, the most successful vendors are the ones that have been able to most easily help customers come to grips with the inundation of security data that they need to make sense of. After all, in the sixth annual SANS Log Management survey out earlier in 2010, IT professionals said the top two challenges they faced in this arena were searching through reports and having the ability to interpret reports.
"The vendors that have pulled away from the pack are the ones who understand that different sources of telemetry need to be treated as more than just another event feed: Network flows need to be stitched together to get the full picture, VA data is context to add to or build up as an asset database, and configuration data at the host level and along the network path is critical to not just incident impact analysis, but also incident fidelity," Poulin says.
At the same time, though, there could still be room for new players that can find a way to service nontraditional SIEM markets -- SMBs, and enterprises outside the financial services sector -- with easy-to-use solutions that deliver targeted security intelligence. Analysts say growth rates within SIEM hosted and managed services are strong and could soon greatly outstrip the growth of traditional SIEM offerings.
Frost & Sullivan says the services subcategory within SIEM grew by $21 million this year, to $121 million. Next year it expects this market to grow by another $26 million.
"In order for this market to continue to grow and to continue to drive value to customers, it has to be easier to use, and it has to be much more applicable to the midmarket customer," Securosis' Rothman says.
At the same time, don't expect SIEM vendors to be sidetracked from their main missions of serving their core constituency. The vendors are likely to focus in 2011 on offering more sophisticated products that dive deeper into the data already at hand.
"The next step for SIEM is to go further with feed, interpreting nontraditional telemetry in a way that makes sense for specific customer needs," Poulin says. "Many vendors have focused on SCADA, currently the media darling due to Stuxnet and fears of state-sponsored attacks on utilities. However, the use cases simply aren't that exotic."