Be On The Alert

Up until about a year ago, the only way to address this challenge was by choosing among a large number of small startups fielding security information and event management (SIEM) products.

But that was before big vendors began buying their way into the market, snapping up smaller SIEM tools vendors left and right. Major SIEM deals have included EMC's September acquisition of Network Intelligence, IBM's purchase of Consul and Micromuse, and Novell's buyout of eSecurity. Meanwhile, entrenched players like Symantec and Check Point Software Technologies have also recently updated their SIEM offerings. In short, SIEM is now a major focus for all the top security players.

Proactive VARs have also jumped on the technology early on, fashioning solutions to help their customers get a handle on the volumes of data they're forced to process, while at the same time using the technology to differentiate themselves from slower-footed channel competitors.

Adam Gray, CTO of Novacoast, a Santa Barbara, Calif.-based solution provider, is one of those early movers. He says having SIEM solutions in his toolbox sets Novacoast apart from competitors, and that the complexity of SIEM, together with the fact that it can touch every asset in an organization, translates into a big services opportunity.

Novacoast began selling SIEM solutions three years ago and is now pulling in between $40,000 and $50,000 in services revenue for simple, one-month SIEM deployments, said Gray. In that month, Novacoast assesses the client's specific needs, provides training and documentation, and handles implementation of the SIEM solution, he said. "We're definitely looking at the beginning of a large market," said Gray.

Today, SIEM is one of the fastest-growing sectors in the security industry, and the market is expected to grow from nearly $380 million in 2006 to $873 million in 2010, according to IDC. Research from RSA, the security division of EMC, indicates that the SIEM market is currently growing at a rate of between 25 percent and 35 percent.

But there are serious risks for VARs looking to differentiate themselves and rake in the bucks with SIEM. Deploying SIEM requires a high level of technical expertise, and SIEM vendors have begun demanding extensive certifications and training and, sometimes, the purchase of evaluation units. If a SIEM vendor demands extensive certifications or training and then gets bought by another vendor with a different philosophy, the end result could be a wasted investment for the VAR, said Allen Allison, vice president of security at MTM Technologies, a Stamford, Conn.-based solution provider. In many cases, the impact of a buyout will depend on whether the acquiring company has its own services arm, Allison said.

"If the acquiring company doesn't currently have a services arm, then it could be very good for us. But if they do, then there's a big risk of conflict," he said.

The potential for continued market consolidation makes choosing a vendor partner in today's market a tricky decision. One of the major risks of SIEM consolidation, said Michael Bruck, president of BAI Security, a Warrenville, Ill.-based MSSP, is that the correlation rules that form an important part of a solution provider's SIEM consulting work could be deemed irrelevant by an acquiring vendor. "You can invest a lot of resources and time into tweaking the systems and developing rules around correlating events and triggers for specific types of events," Bruck said. "But after an acquisition, all this work can go down the drain because there aren't always clear migration paths from one vendor to another, and your system may not be as functional."

Complexity Equals Opportunity
As network attackers' tactics grow more sophisticated and the volume of log data steadily rises, SIEM's importance in IT infrastructure is growing dramatically.

SIEM solutions work by consolidating log data from many sources into a single database, giving users a unified view of all critical security alerts and cutting the time spent reading individual log files on disparate systems. SIEM technology identifies potential security threats by applying correlation rules across events from different network devices; for example, firewall rules can be used as supporting evidence for application layer events.

Not only is the technology effective at pinpointing suspicious network traffic patterns, SIEM solutions can also store raw log data and provide tools for managing this data and creating reports, which are highly sought-after features for companies bound by regulatory compliance requirements.

The task of parsing security information and event data is expensive and time-consuming, but within this data lie the telltale signs of even the stealthiest of hacks. For example, hackers will often launch a denial-of-service attack on a network as a diversionary measure to mask an actual attack, and SIEM gives companies visibility into their networks and allows them to react more quickly, said Bill Tomlinson, national security practice director at Dyntek, Irvine, Calif.

For the channel, SIEM's complexity equates to healthy services opportunities, as well as the ability to gain an intimate knowledge of the customer's network that can be leveraged into additional sales.

Although the up-front investment is significant, companies can see immediate payoff from deploying SIEM technology, giving solution providers the ability to show value to customers at an early stage. MTM's Allison says installing a SIEM solution often leads to an epiphany for companies that have grown accustomed to devoting staff to tackle the task of analyzing log data.

One of Allison's early SIEM customers, a large pharmaceutical firm, was using two full-time engineers to analyze the millions of daily security alerts, with the goal of separating false alarms from actual attacks. After flipping the switch on a SIEM solution, the flood of alerts immediately slowed to a manageable stream, allowing the company to move the engineers back into more proactive security positions, Allison said.

The flexibility of SIEM technology gives it wide market appeal and allows the channel to package offerings as full-scale deployments or as managed services. Dyntek recently deployed a SIEM solution for an educational institution that was getting hacked repeatedly from inside the network. After installing the solution and having it scan the network for 15 minutes, the SIEM had identified seven Trojans that had been quietly wreaking havoc, Tomlinson said.

"When attacks originate from multiple different vectors and locations, SIEM is the only security measure that can provide companies with visibility into what's happening on their networks," he said.

After signing up 20 new clients in the past six months, Tomlinson expects to add between 40 and 50 more in the coming year. Customer size ranges from enterprises down to the 500-seat level, which he says is fast becoming the sweet spot. "When you get to the midmarket, companies just don't have enough resources to handle all of the SIEM data," Tomlinson noted.

In larger organizations, SIEM deployments can take up to six months, according to solution providers. Much of the groundwork involves building rules and correlation sets to allow the SIEM solution to draw inferences and correlate data between various network devices to determine when to trigger an alert. Later, the focus of a SIEM project shifts to developing compliance reporting templates and tailoring these to the specific needs of each customer, said Novacoast's Gray.
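The correlation mechanism described above (events from disparate devices consolidated into one store, with firewall activity serving as supporting evidence for an application layer event) and the rule-building groundwork Gray describes can be made concrete with a small worked example. The code below is an added illustration, not code from the article or from any vendor named in it; the device names fw01 and web01, the log formats and the log lines themselves are constructed for the example. It normalizes firewall and application logs into one event list, then applies a single correlation rule: repeated authentication failures from one source raise an alert, and firewall denies from the same source shortly beforehand are attached as corroborating evidence that escalates the severity.

```python
"""Toy SIEM correlation engine (added example, not vendor code).

Normalizes firewall and application logs into one consolidated event store,
then applies a cross-device correlation rule in the style the article describes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from hypothetical devices fw01 and web01.
FIREWALL_LOGS = [
    "2007-01-15T10:00:01 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2007-01-15T10:00:05 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2007-01-15T10:00:09 fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443",
    "2007-01-15T10:03:00 fw01 ALLOW src=198.51.100.4 dst=10.0.0.5 dport=443",
]
APP_LOGS = [
    "2007-01-15T10:00:30 web01 auth_failure user=admin src=203.0.113.7",
    "2007-01-15T10:00:31 web01 auth_failure user=admin src=203.0.113.7",
    "2007-01-15T10:00:32 web01 auth_failure user=admin src=203.0.113.7",
    "2007-01-15T10:03:10 web01 auth_failure user=bob src=198.51.100.4",
]

FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
APP_RE = re.compile(r"^(\S+) (\S+) (\w+) user=(\S+) src=(\S+)$")


def parse_firewall(line):
    """Normalize one firewall line into a unified event dict (None if unparsable)."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts, host, action, src, dst, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "source": "firewall",
            "type": "fw_" + action.lower(), "src_ip": src,
            "dst_ip": dst, "dport": int(dport)}


def parse_app(line):
    """Normalize one application-layer line into the same unified schema."""
    m = APP_RE.match(line)
    if not m:
        return None
    ts, host, event, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "source": "application",
            "type": event, "src_ip": src, "user": user}


def build_event_store(fw_lines, app_lines):
    """Consolidate all parsed events into one list ordered by timestamp."""
    events = [e for e in map(parse_firewall, fw_lines) if e]
    events += [e for e in map(parse_app, app_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate_brute_force(events, threshold=3, window=timedelta(seconds=60),
                          lookback=timedelta(minutes=5)):
    """Correlation rule: at least `threshold` auth_failure events from one source
    IP inside `window` raise an alert. Firewall DENY events from the same IP in
    the `lookback` period before the first failure are attached as supporting
    evidence; if any exist, the alert is escalated from medium to high."""
    failures = defaultdict(list)
    for e in events:
        if e["type"] == "auth_failure":
            failures[e["src_ip"]].append(e)

    alerts = []
    for src_ip, fails in failures.items():
        for i in range(len(fails)):  # sliding window over sorted failures
            burst = [f for f in fails[i:] if f["ts"] - fails[i]["ts"] <= window]
            if len(burst) < threshold:
                continue
            first = burst[0]["ts"]
            support = [e for e in events
                       if e["type"] == "fw_deny" and e["src_ip"] == src_ip
                       and first - lookback <= e["ts"] <= first]
            alerts.append({
                "rule": "auth_failure_burst",
                "src_ip": src_ip,
                "failures": len(burst),
                "supporting_fw_denies": len(support),
                "severity": "high" if support else "medium",
                "first_seen": first.isoformat(),
            })
            break  # one alert per source IP
    return alerts


def run_example():
    """Build the store from the constructed logs and return the alerts raised."""
    return correlate_brute_force(build_event_store(FIREWALL_LOGS, APP_LOGS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the constructed input, the single alert names 203.0.113.7 with three failures and two supporting firewall denies, so the rule reports it as high severity, while the lone failure from 198.51.100.4 never reaches the threshold. The thresholds, windows and which device types count as supporting evidence are exactly the kind of per-customer tuning the solution providers quoted here describe as the bulk of a deployment.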

Also enhancing SIEM's appeal in the channel is its ability to translate well as a managed service. Cyberklix, a Mississauga, Ontario-based solution provider and MSSP, offers a managed SIEM service that logs security information and event data from customers' IPS, firewalls and vulnerability management appliances. The popular service has boosted Cyberklix's revenue by 150 percent in the past year, a growth rate that John Menezes, president and CEO, expects to continue this year.

Cyberklix, which also offers managed services that allow companies to meet PCI, Sarbanes-Oxley and other compliance requirements, uses SIEM vendor Network Intelligence's enVision product. An agentless solution, enVision speeds deployment because it eliminates the need to install software on every device in the customer's network, said Menezes. "EnVision has become the core piece of technology that connects all the disparate devices in the network," Menezes said. Network Intelligence was acquired in September by EMC and is now part of EMC's RSA division.

Rapid Evolution/Tough Choices
But despite SIEM's promise, VARs looking to get into the game need to pay close attention to how the market is maturing and pick vendors that have a clear strategy for evolving their offerings.

For example, log management is becoming an important differentiator and is a must-have for companies that need to provide forensic data for compliance purposes, according to solution providers. Babak Pasdar, founder and CTO of igxglobal, Hackensack, N.J., says more organizations haven't pulled the trigger on SIEM because the sales cycles are extremely long, the projects are too complex, and vendors haven't done enough to build a strong market or to address the complexity and high cost of SIEM solutions.

It's crucial for SIEM solutions to correctly prioritize and categorize alerts, said Pasdar, but vendors have had problems with creating timely signature updates for application layer tools. The lack of a standard for log and event output from various vendors also forces vendors to constantly play a signature catchup game, he added.

Vendors have also made the road to SIEM a rocky one for VARs because they've generally chosen to sell direct. Yet, solution providers say SIEM vendors that adopt a more channel-friendly approach will benefit from a considerable amount of pent-up interest.

ArcSight, the SIEM market leader, uses a direct sales model to sell its flagship Enterprise Security Manager SIEM product, but the vendor also gets a "healthy contribution" from channel partners, said Tom Reilly, COO of the Cupertino, Calif.-based vendor.

Although Reilly declined to say how many channel partners ArcSight works with currently, or how many it plans to recruit, the vendor in December unveiled two SIEM appliances, one for log management and the other for network configuration. Reilly says plans are to use these products as the foundation for a channel program buildout in the coming year.

Solution providers told CRN that ArcSight's move to embrace the channel is interesting, but said they'd think twice about teaming up with the vendor in light of industry consolidation. "ArcSight is a giant target at this point," said a solution provider who requested anonymity. "They either need to get acquired by one of the big players or they'll get pushed out of the market."

Prior to the EMC acquisition, Network Intelligence was known to regularly take deals direct, according to solution providers. However, RSA is now selling the enVision SIEM product through its SecureWorld channel program—a development that bodes well for solution providers looking to embrace SIEM.

However, because Network Intelligence's roots are in direct sales, the vendor doesn't maintain or foster relationships with end users like a channel partner would, said a solution provider who asked for anonymity.

SIEM vendors have historically embraced the channel only when it was convenient for them, said Gary Fish, president and CEO of FishNet Security, Kansas City, Mo. However, RSA's decision to sell enVision through channel partners shows that vendors are beginning to realize this is the best path to follow to make SIEM a healthy market.

"By embracing the channel, SIEM vendors can significantly widen their market reach," Fish said.