ESP: ENTERPRISE SECURITY PRACTICE
Analyzing the Business of Enterprise IT Innovation

ENTERPRISE SECURITY INFORMATION MANAGEMENT

Since 2007, a shift has occurred in the ESIM marketplace. Changes to the regulatory and security environment for enterprises resulted in higher spending, shorter sales cycles and more hype. As customers began to seek more value for their converged security-compliance dollar, log management eclipsed correlation as the primary feature or value driver for ESIM deployments. This has changed the competitive landscape.

FINDINGS

- ESIM's value is now less about correlation and more about log management. (Page 8)
- Log management, once a complementary and separate product set, is now the prime driver of new ESIM sales. (Page 8)
- Correlation is not dead: smart correlation is the key to a successful deployment. (Page 9)
- Ease of deployment and management is nearly as important as the features of the ESIM product. Customers are done devoting significant FTE resources to get these products to process logs, but they are willing to spend on professional services or consulting to make deployment less painful. (Page 11)

IMPLICATIONS

- ESIM vendors that were previously able to get by with relational database back-ends must update their storage and retrieval systems and schema to provide proper log management functionality. (Page 2)
- Vendors unable to make that investment will die; their correlation assets are worth far less than they were two years ago. (Page 2)
- We have seen the winnowing of the field begin through bankruptcy, asset sales and mergers. More will follow. (Page 13)
- Log management vendors must upgrade their correlation capabilities. (Page 9)
- Enterprise-class, scalable log management and correlation that is easy to deploy and maintain is the new marching anthem. (Page 8)

BOTTOM LINE

Customers bemoan the din of alerts, alarms, FYIs and other tips that promiscuous ESIM correlation brought. As with the failure of intrusion detection, security operations centers were overwhelmed with information spew from the very system that was designed to reduce information spew. The new strategy: alert selectively, then dive into the log pile. Once an increased scope and a reduced set of event sources are matched with smart correlation rules, the strategy comprises smart alerts followed by a deep dive into the log corpus with an array of tools.

June 2009. © 2009 The 451 Group, Enterprise Security Practice.
REPORT SNAPSHOT

TITLE: ESP: Enterprise Security Information Management
ANALYST: Nick Selby, Research Director, Enterprise Security Practice
RELEASE DATE: June 2009
LENGTH: 33 pages

ABOUT THIS REPORT

Since our last report in 2007 on the enterprise security information management (ESIM) industry, a decisive shift has occurred in the marketplace. Where real-time correlation was the primary value proposition for many vendors and their customers, the difficulty in achieving the panacea promised by correlation lay in feeding data that provided relevant business context into the system; we know what they say about garbage in. A string of changes to the regulatory and security environment for enterprises resulted in higher spending, shorter sales cycles and more hype. As customers began to seek more value for their converged security-compliance dollar, log management eclipsed correlation as the primary feature or value driver for ESIM deployments. This has changed the competitive landscape, caused leading players to introduce new product features, and contributed to bankruptcies, asset sales, mergers and acquisitions.

© 2009 by The 451 Group. All rights reserved.
TABLE OF CONTENTS

EXECUTIVE SUMMARY ... 1
  1.1 INTRODUCTION ... 1
  1.2 KEY FINDINGS ... 3
  1.3 METHODOLOGY ... 4
  1.4 451 ENTERPRISE SECURITY PRACTICE ... 6
      ANALYSTS ... 7
      ASSOCIATES ... 7

CUSTOMERS LOOK TO SMARTER CORRELATION ... 8
  2.1 ORGANIZATIONAL CONTEXT ... 10
  2.2 INTO THE REAL WORLD ... 10
  2.3 EXCEPTIONS TO THE RULE ... 12
  2.4 FORENSICS TOOLS ... 12

WHITHER CONSOLIDATION? ... 13
  3.1 CHANGING DYNAMICS AND OPPORTUNITIES ... 14
  3.2 SPOOK CITY ... 15
  3.3 GOVERNANCE, RISK AND COMPLIANCE ... 16

COMPANY PROFILES ... 17
  4.1 ARCSIGHT ... 17
  4.2 ALERT LOGIC ... 18
  4.3 CISCO SYSTEMS ... 19
  4.4 DECURITY ... 20
  4.5 EIQNETWORKS ... 21
  4.6 INTELLITACTICS ... 22
  4.7 LOGLOGIC/EXAPROTECT ... 23
  4.8 LOGRHYTHM ... 24
  4.9 NETFORENSICS ... 25
  4.10 NITROSECURITY ... 26
  4.11 NOVELL ... 27
  4.12 Q1 LABS ... 28
  4.13 SENSAGE ... 29
  4.14 TENABLE NETWORK SECURITY ... 30
  4.15 SPLUNK INC. ... 31
  4.16 TRIGEO NETWORK SECURITY ... 32
  4.17 VIGILANT ... 33

TERMS OF USE ... 40
ABOUT THE 451 GROUP

The 451 Group is a technology analyst company. We publish market analysis focused on innovation in enterprise IT, and support our clients through a range of syndicated research and advisory services. Clients of the company at vendor, investor, service-provider and end-user organizations rely on 451 insights to do business better.

ABOUT TIER1 RESEARCH

Tier1 Research covers consumer, enterprise and carrier IT services, particularly hosting, colocation, content delivery, Internet services, software-as-a-service and enterprise services. Tier1's focus is on the movement of services to the Internet: what they are, how they are delivered and where they are going.

Please note that the following 451 report is copyright protected and is being provided to you on a limited, licensed basis. By viewing this document, you consent to and agree to abide by the terms of this license and the general Terms of Use (below) for users of services of The 451 Group. Only authorized, licensed users may access this and other content from The 451 Group. If you have any questions about this license or terms of use for your organization, please contact your account manager directly. Alternately, you can contact a general representative of The 451 Group directly via phone at 212-505-3030 or via mail at 20 West 37th Street, 6th Floor, New York, N.Y. 10018.