ENTERPRISE SECURITY INFORMATION MANAGEMENT
Since 2007, a shift has occurred in the ESIM marketplace. Changes to the regulatory and
security environment for enterprises resulted in higher spending, shorter sales cycles and
more hype. As customers began to seek more value for their converged security-compliance
dollar, log management eclipsed correlation as the primary feature or value driver for ESIM
deployments. This has changed the competitive landscape.
Analyzing the Business of Enterprise IT Innovation
JUNE 2009 ©2009 THE 451 GROUP ENTERPRISE SECURITY PRACTICE
ESP: ENTERPRISE SECURITY PRACTICE
4 FINDINGS
• ESIM’s value is now less about correlation and more about log management. PAGE 8
• Log management, once a complementary and separate product set, is now the prime driver of new ESIM sales. PAGE 8
• Correlation is not dead: smart correlation is the key to a successful deployment. PAGE 9
• Ease of deployment and management is nearly as important as the features of the ESIM product – while customers are done devoting significant FTE resources to get these products to process logs, they are willing to spend on professional services or consulting to make deployment less painful. PAGE 11
5 IMPLICATIONS
• ESIM vendors previously able to get by with relational database back-ends must update their storage and retrieval systems and schema to provide proper log management functionality. PAGE 2
• Vendors unable to make that investment will die; their correlation assets are worth far less than they were two years ago. PAGE 2
• We have seen the winnowing of the field begin through bankruptcy, asset sales and mergers. More will follow. PAGE 13
• Log management vendors must upgrade their correlation capabilities. PAGE 9
• Enterprise-class, scalable log management and correlation that is easy to deploy and maintain is the new marching anthem. PAGE 8
1 BOTTOM LINE
• Customers bemoan the din of alerts, alarms, ‘FYIs’ and other tips that promiscuous ESIM correlation brought. Similar to the intrusion-detection failure, security operations centers were overwhelmed with information spew from the system designed to reduce information spew. The new strategy: alert selectively, then dive into the log pile. Once the increased scope and reduced set of event sources is matched with smart correlation rules, the strategy comprises smart alerts followed by a deep dive into the log corpus with an array of tools.
REPORT SNAPSHOT
TITLE
ESP: Enterprise Security Information Management
ANALYST
Nick Selby, Research Director, Enterprise Security Practice
RELEASE DATE
June 2009
LENGTH
33 pages
ABOUT THIS REPORT
Since our last report in 2007 on the enterprise security information management (ESIM) industry, a decisive shift has occurred in the marketplace. Where real-time correlation was the primary value proposition for many vendors and their customers, the difficulty in achieving the panacea promised by correlation was in feeding data that provided relevant business context into the system - we know what they say about ‘garbage in.’ A string of changes to the regulatory and security environment for enterprises resulted in higher spending, shorter sales cycles and more hype. As customers began to seek more value for their converged security-compliance dollar, log management eclipsed correlation as the primary feature or value driver for ESIM deployments. This has changed the competitive landscape, caused leading players to introduce new product features, and contributed to bankruptcies, asset sales, mergers and acquisitions.
2 THE 451 GROUP: ENTERPRISE SECURITY INFORMATION MANAGEMENT
TABLE OF CONTENTS
EXECUTIVE SUMMARY . . . 1
1.1 INTRODUCTION . . . 1
1.2 KEY FINDINGS . . . 3
1.3 METHODOLOGY . . . 4
1.4 451 ENTERPRISE SECURITY PRACTICE . . . 6
ANALYSTS . . . 7
ASSOCIATES . . . 7
CUSTOMERS LOOK TO SMARTER CORRELATION . . . 8
2.1 ORGANIZATIONAL CONTEXT . . . 10
2.2 INTO THE REAL WORLD . . . 10
2.3 EXCEPTIONS TO THE RULE . . . 12
2.4 FORENSICS TOOLS . . . 12
WHITHER CONSOLIDATION? . . . 13
3.1 CHANGING DYNAMICS AND OPPORTUNITIES . . . 14
3.2 SPOOK CITY . . . 15
3.3 GOVERNANCE, RISK AND COMPLIANCE . . . 16
COMPANY PROFILES . . . 17
4.1 ARCSIGHT . . . 17
4.2 ALERT LOGIC . . . 18
4.3 CISCO SYSTEMS . . . 19
4.4 DECURITY . . . 20
4.5 EIQNETWORKS . . . 21
4.6 INTELLITACTICS . . . 22
4.7 LOGLOGIC/EXAPROTECT . . . 23
4.8 LOGRHYTHM . . . 24
4.9 NETFORENSICS . . . 25
4.10 NITROSECURITY . . . 26
4.11 NOVELL . . . 27
4.12 Q1 LABS . . . 28
4.13 SENSAGE . . . 29
4.14 TENABLE NETWORK SECURITY . . . 30
4.15 SPLUNK INC . . . 31
4.16 TRIGEO NETWORK SECURITY . . . 32
4.17 VIGILANT . . . 33
ABOUT THE 451 GROUP
The 451 Group is a technology analyst company. We publish market analysis focused on innovation in enterprise IT, and support our clients through a range of syndicated research and advisory services. Clients of the company — at vendor, investor, service-provider and end-user organizations — rely on 451 insights to do business better.
ABOUT TIER1 RESEARCH
Tier1 Research covers consumer, enterprise and carrier IT services, particularly hosting, colocation, content delivery, Internet services, software-as-a-service and enterprise services. Tier1’s focus is on the movement of services to the Internet — what they are, how they are delivered and where they are going.
Please note that the following 451 report is copyright protected and is being provided to you on a limited, licensed basis. By viewing this document, you consent to and agree to abide by the terms of this license and the general Terms of Use (below) for users of services of The 451 Group. Only authorized, licensed users may access this and other content from The 451 Group.
If you have any questions about this license or terms of use for your organization, please contact your account manager directly. Alternately, you can contact a general representative of The 451 Group directly via phone at 212-505-3030 or via mail at 20 West 37th Street, 6th Floor, New York, N.Y. 10018.