From my NEW BLOG: securityoperations.blogspot.com
A “point in time” snapshot of how I think 2010-2012 looks in the SIEM Market. A much more detailed analysis will be available soon (on request).
Some highlights of the preview:
1. Many companies are focused on rationalizing recent acquisitions or focusing on making their current product scalable and/or bullet-proof. I think that this is absolutely crucial for these organizations but it does create an opportunity for ArcSight to further separate from the pack in 2010.
2. Formally “niche” players are taking the lead in 2010. Q1, Tenable, Nitro all have a legitimate change to overtake their peers in terms of functionality and more importantly marketplace. Each has their own approach, all are led by very capable teams - I’m interested to watch and see what the market does with these three.
3. I don’t expect all of these SIEM players to survive to the 2012 Winter Olympics. In fact, I’d guess at least three of them will be consumed or fail completely. Many have other products that have helped them sustain, but not necessarily grow when compared to SIEM competition.
4. Most of the larger organizations have had serious setbacks with their acquisitions in this space. Based on functionality limitations and these organizations losing significant market share I expect some of these organizations to take a serious look at replacing those products (or portions of the products) with more competitive options in the market today.
5. SIEM will certainly grow into interesting areas in the next 24 months as vendors look toward cloud based solutions, supporting virtualized systems and networks, and as more mature users push these products to solve problems other than the basic Security Operations and Compliance based Use-Cases.
6. I do expect the larger picture to come in focus around SIEM soon. RSA’s acquisition of Archer is indicative of things to come. The larger companies are focused on presenting Enterprise Risk to the business and not just speeds and feeds anymore. Certainly better reporting, integration with enterprise apps and usage of other technologies will continue to evolve but I believe it will finally be centered on the user’s functional purposes and not just marketing hype.
7. SIEM also needs to evolve downward as well. Yes positioning relevant information upward in the business is the ultimate goal, but we can’t forget the analyst. The SIEM must continue to support the analytical needs of its core user base. Deeper integration with other analytical tools and resources (Content Inspection, CMDB, Custom DB’s, etc) and facility that interaction intuitively.
Personally, I’ll count 2009 as the year of lessons learned. I’m happy to start 2010 and begin anew. Many of you have reached out to me in twitter (@rockyd) or email, FB, etc and asked about my status, personally and professionally - for which I’m very thankful. It is awesome to see some many people and organizations genuinely care about me - I’m humbled. We did make some changes late in 2009 that for all intents and purposes brought an end to Decurity as it was known. The full plan never quite panned out the way we all hoped it would. I joined EMC/RSA for a while and worked alongside some fantastic people over there, but in the end it just wasn’t the right place for me. I resigned my position at RSA and took some time off to focus on my family, my health and to renew myself so that I could focus fully in 2010 and beyond.
Personally: I had let myself get way out of shape (mentally, spiritually and physically) and let my blood sugar reach levels that truly frightened everyone. I thought I was just more sweet, but when doctors start wondering why you’re not in a coma it’s time to pay attention. I joke about it a lot but I’ve learned to pay much closer attention now. Eventually, I hope to make it to P90X type workouts but for now I’m happy to be able to walk a few miles, a few times a week. It sucks when there is no one else to blame but yourself, but then again I know I can change my habits easier than trying to make many orgs think clearly about how to handle security risks.
Professionally: I’m currently in the midst of considering some fantastic opportunities from various organizations that have reached out to me. I can’t tell you how lucky I feel to have so many believe in me. I’m delaying making a final decision until I’m a little healthier (should only be a few days). I want to ensure that whichever route I take it makes sense for me, the company, their user-base and the segment of the security industry I can influence. I’ll let everyone know where I wind up once things settle down.
Another Note: I’m moving my personal blogging efforts over to securityoperations.blogspot.com. I’ll probably dual post for a while as Decurity’s blog has much more critical mass, but I’d imagine I’ll keep up with securityoperations.blogspot.com more often from now on.