The 2010 SIEM Winter Olympics Preview
From my NEW BLOG: securityoperations.blogspot.com
A “point in time” snapshot of how I think 2010-2012 looks in the SIEM Market. A much more detailed analysis will be available soon (on request).
Some highlights of the preview:
1. Many companies are focused on rationalizing recent acquisitions or on making their current product scalable and/or bullet-proof. I think that this is absolutely crucial for these organizations, but it does create an opportunity for ArcSight to further separate from the pack in 2010.
2. Formerly “niche” players are taking the lead in 2010. Q1, Tenable, Nitro all have a legitimate chance to overtake their peers in terms of functionality and, more importantly, marketplace. Each has its own approach, all are led by very capable teams - I’m interested to watch and see what the market does with these three.
3. I don’t expect all of these SIEM players to survive to the 2012 Winter Olympics. In fact, I’d guess at least three of them will be consumed or fail completely. Many have other products that have helped them sustain, but not necessarily grow when compared to SIEM competition.
4. Most of the larger organizations have had serious setbacks with their acquisitions in this space. Based on functionality limitations and these organizations losing significant market share, I expect some of these organizations to take a serious look at replacing those products (or portions of the products) with more competitive options in the market today.
5. SIEM will certainly grow into interesting areas in the next 24 months as vendors look toward cloud based solutions, supporting virtualized systems and networks, and as more mature users push these products to solve problems other than the basic Security Operations and Compliance based Use-Cases.
6. I do expect the larger picture to come in focus around SIEM soon. RSA’s acquisition of Archer is indicative of things to come. The larger companies are focused on presenting Enterprise Risk to the business and not just speeds and feeds anymore. Certainly better reporting, integration with enterprise apps and usage of other technologies will continue to evolve but I believe it will finally be centered on the user’s functional purposes and not just marketing hype.
7. SIEM also needs to evolve downward. Yes, positioning relevant information upward in the business is the ultimate goal, but we can’t forget the analyst. The SIEM must continue to support the analytical needs of its core user base: deeper integration with other analytical tools and resources (Content Inspection, CMDB, custom DBs, etc.) and facilitating that interaction intuitively.