SIEM In The Spotlight With ArcSight Acquisition

As the one-ton gorilla in the highly crowded but lucrative security information and event management (SIEM) market, ArcSight this week stirred up a commensurate amount of speculation and chatter within the security community with its announcement that it would be purchased by HP for $1.5 billion.

The high valuation of the deal validated the market, which has as many as 20 different vendors, and put security monitoring directly in the IT spotlight. "We're not surprised the deal took place because of the increasing importance of SIEM within the overall IT infrastructure," says Jerry Skurla, executive vice president of marketing for NitroSecurity.

HP says the deal makes sense because of its strong investments in overall IT information management and its ability to bring SIEM into that fold. But security experts -- particularly competitors -- wonder how well HP will be able to do that while still maintaining the heterogeneous support that SIEM customers require.

"It's going to be a bit of a challenge for HP to go to the customer or the VAR and say, 'No, no, no. We're neutral. We're Switzerland. Our SIEM is agnostic to any infrastructure," says John Burnham, vice president of marketing for Q1 Labs.

Some IT experts point to the struggles Cisco faced with its own SIEM due to this very issue. "It's just a challenge to achieve the level of integration and achieve the level of expected correlation and the level of functionality you really expect for that type of solution while maintaining heterogeneity," says Scott Crawford, an analyst for Enterprise Management Associates.

Perhaps even more top-of-mind about the deal, however, is the question: What's next for SIEM now that ArcSight has been gobbled up? How are vendors differentiating themselves, particularly as the field has shaken out into the large IT providers, such as HP, EMC, IBM, and CA, which have fit SIEM into their overall frameworks, and the niche SIEM players? And will the market see more consolidation?

Keep It Simple
Regardless of M&A activity, one of the biggest challenges SIEM vendors have mostly failed to overcome is complexity: Many of these monitoring and event management tools are still too complex for most organizations to fully leverage.

"Although the space is probably 10 years old, [the technology is] still not easy enough to use," says Mike Rothman, analyst for Securosis. "If you're just trying to check the compliance box, gather some logs from some of your devices, and run a report, yeah, a lot of the tools can do that. But if you really want to get actionable type of information, it's really a journey -- it's not a two-week project."

Many SIEM vendors maintain that since the first generation of SIEM, they've done a good job simplifying their offerings and easing customers' deployment transitions. "I would say the first generation of SIEM products were hard to deploy, and we certainly now have second-generation products that are simpler," says Bill Mann, senior vice president of security strategy for CA Technologies. "The market has changed somewhat."

However, Rothman believes all SIEM vendors have a long way to go to help improve the ease-of-use equation, which has given the SIEM category a black eye. "It would be real nice to see vendors offer, say, a set of 10 rules, which could make sense for any customer, or a quick set of tutorials that better helps customers understand how to tune these things over time," Rothman says. "Some of the vendors say they have this so-called analyst-in-a-box right now, but unfortunately they seem to pack three or four professional services folks into the box with the actual equipment in order to get it up and running."

While simpler-to-use SIEM is an obvious differentiator in the market, there are a number of ways that ArcSight's (and now HP's) competitors are making themselves stand out from the crowd. Much of that is in specialization: either through better alignment to specific verticals or compliance mandates, improved scalability to deal with larger sets of data for information-centric organizations, or through cross-functional integration with such capabilities as vulnerability management, content awareness, or identity and access control.

"All of the first-generation vendors were trying to solve those complex problems, and as in any kind of software market, after a couple of years people look at that and conclude that they're trying to solve a complex problem and make it simpler by finding a niche in a market," Mann says. "There is ample opportunity for vendors to show innovation by providing a lot of depth in certain areas."

Some say that the depth can be found in the vendors' ability to drill down directly into that logging and monitoring that brought SIEM to prominence in the first place -- especially as vendors get distracted trying to add more differentiating bells and whistles.

"If you're a SIEM and log company, there's a huge temptation to try to help be part of the solution in terms of enforcement, be it vulnerability assessment, be it NBAD [network behavior anomaly detection], or some other aspect of the solution, as opposed to sticking to your knitting and doing a great job monitoring everything," says Joe Gottlieb, CEO of SenSage. "I believe there is plenty of value and plenty of opportunity for us to do a really good job with the logging, the retention, the real-time analysis, as well as the forensic investigation and compliance reporting."

"Even those big vendors that can get a little bit distracted by their own strategy have thought about whether they would be torn between supporting the heterogeneous value proposition or not, or whether they'd even be effective at doing it," he says.

Securosis' Rothman says the specialization strategy isn't a bad one for companies seeking to tailor their solutions with real analytical best practices for organizations that need improved correlation and prevention support. But there is definitely a need for those pure logging and monitoring companies, particularly among the companies seeking the compliance reporting only, he says.

"I think combined with more reasonable pricing, easier and more accessible technology, as well as an expansion of the use cases, make this technology applicable to the folks who have already made the investment," he says. "[That will] continue to provide the good opportunities for growth in the market."

The midmarket is a particular weak spot for SIEM. Simplification will help vendors of all stripes -- including HP with ArcSight -- break into this sector.

"In the midmarket, deployment of a full-scale SIEM is probably beyond the reach of a lot of organizations," EMA's Crawford says. "That area is really still a target of opportunity for the SIEM market and has been really tough for it to adapt solutions for that niche, as much as SIEM vendors have tried." So even though analysts believe SIEM has room to grow and that there is plenty of room for smaller players to continue to compete, does that mean many new vendors will emerge in the space? Probably not, says Rothman, who believes the field is already pretty glutted.

"I do think if someone were to come in with a very low-cost toaster type of thing that only did a few things and did them very, very well and very, very easily, there would be an opportunity for something like that," he says. "You still have 20 players in the space. You've got a whole mess of them that are struggling and a couple that are doing very well. And that to me means you're going to continue to have consolidation, and you're probably going to have some erosion as well."

The market is bifurcating, Rothman says. "The big companies in the space, whether they're public or not, are showing good growth whereas a lot of the smaller companies are having a hard time because they're not big enough, they don't get into enough deals, and once they get into a deal, the deal viability issue comes up and makes it hard for them to win it," he says.

SenSage's Gottlieb tends to agree, saying this is one of the reasons there's more room for consolidation. "I think the bigger players that have made acquisitions are going to do a better job going down-market than the smaller players because they can get the scale and they can bring a broader portfolio of things to smaller [enterprises] and leverage their account control and there's less best-of-breed type obsession."

There's also more room for acquisitions because not all of the big vendors have yet completed their SIEM vision, even those with some logging capabilities.

"There are other vendors in that market that are likely to be seen as candidates for someone's arsenal," says Andrew Jaquith, analyst for Forrester Research. "SIEM is part of the security portfolio of some of these large security vendors and companies that want to have an information story. Partly because SIEM plays so well in the compliance market and compliance is a great market for any large company to be providing solutions for.

"Because the product is so complex, you need somebody to tie them together, so if you're IBM or Microsoft or Symantec, for purposes of consolidating what you already have or for gluing some of your own acquisitions together, it certainly would make sense," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.