Be On The Alert

SIEM solutions take security market by storm

By Kevin McLaughlin, ChannelWeb
12:00 AM EST Mon. Feb. 05, 2007
From the February 05, 2007 issue of CRN
Page 1 of 3
Every second of every minute of every day, network security information and event data piles up into log files, as routers, switches, IPS boxes and applications spit out a continuous stream of alerts. Some of these alerts represent real attacks, but the vast majority do not, and it's up to security administrators to figure out which is which.

Up until about a year ago, the only way to address this challenge was by choosing among a large number of small startups fielding security information and event management (SIEM) products.

But that was before big vendors began buying their way into the market, snapping up smaller SIEM tools vendors left and right. Major SIEM deals have included EMC's September acquisition of Network Intelligence, IBM's purchase of Consul and Micromuse, and Novell's buyout of eSecurity. Meanwhile, entrenched players like Symantec and Check Point Software Technologies have also recently updated their SIEM offerings. In short, SIEM is now a major focus for all the top security players.

Proactive VARs have also jumped on the technology early, fashioning solutions to help their customers get a handle on the volumes of data they're forced to process, while at the same time using the technology to differentiate themselves from slower-footed channel competitors.

Adam Gray, CTO of Novacoast, a Santa Barbara, Calif.-based solution provider, is one of those early movers. He says having SIEM solutions in his toolbox sets Novacoast apart from competitors, and that the complexity of SIEM, along with the fact that it can touch every asset in an organization, translates into a big services opportunity.

Novacoast began selling SIEM solutions three years ago and is now pulling in between $40,000 and $50,000 in services revenue for simple, one-month SIEM deployments, said Gray. In that month, Novacoast assesses the client's specific needs, provides training and documentation, and handles implementation of the SIEM solution, he said. "We're definitely looking at the beginning of a large market," said Gray.

Today, SIEM is one of the fastest-growing sectors in the security industry, and the market is expected to grow from nearly $380 million in 2006 to $873 million in 2010, according to IDC. Research from RSA, the security division of EMC, indicates that the SIEM market is currently growing at a rate of between 25 percent and 35 percent.

But there are serious risks for VARs looking to differentiate themselves and rake in the bucks with SIEM. Deploying SIEM requires a high level of technical expertise, and SIEM vendors have begun demanding extensive certifications and training and, sometimes, the purchase of evaluation units. If a SIEM vendor demands extensive certifications or training and then gets bought by another vendor with a different philosophy, the end result could be a wasted investment for the VAR, said Allen Allison, vice president of security at MTM Technologies, a Stamford, Conn.-based solution provider. In many cases, the impact of a buyout will depend on whether the acquiring company has its own services arm, Allison said.

"If the acquiring company doesn't currently have a services arm, then it could be very good for us. But if they do, then there's a big risk of conflict," he said.

The potential for continued market consolidation makes choosing a vendor partner in today's market a tricky decision. One of the major risks of SIEM consolidation, said Michael Bruck, president of BAI Security, a Warrenville, Ill.-based MSSP, is that the correlation rules that form an important part of a solution provider's SIEM consulting work could be deemed irrelevant by an acquiring vendor. "You can invest a lot of resources and time into tweaking the systems and developing rules around correlating events and triggers for specific types of events," Bruck said. "But after an acquisition, all this work can go down the drain because there aren't always clear migration paths from one vendor to another, and your system may not be as functional."
