IBM and McAfee both made moves Tuesday to acquire security information event management (SIEM) technology, with plans to integrate the reporting and event correlation capabilities into their product lines.
Big Blue announced plans to acquire Waltham, Mass.-based Q1 Labs and integrate it into a newly formed IBM Security Systems Division led by Q1 Labs CEO Brendan Hannigan. IBM said the Q1 Labs SIEM security analytics and correlation technology can detect and flag potential security policy problems to help prevent security breaches. Financial terms of the deal have not been disclosed.
Meanwhile, Santa Clara, Calif.-based McAfee announced it agreed to acquire Portsmouth, N.H.-based SIEM vendor NitroSecurity Inc. McAfee indicated that following the completion of the acquisition, it will combine NitroSecurity’s technology with its own enterprise security management technologies to help customers assess network and endpoint vulnerabilities. Terms of the acquisition were not announced.
According to Stamford, Conn.-based IT research firm Gartner Inc., the SIEM market grew 15% last year, from $858 million in revenue to $987 million. The SIEM market, which Gartner and other research firms have characterized as crowded, has been driven by compliance mandates -- mainly PCI DSS -- with enterprises deploying SIEM mainly to take advantage of its reporting capabilities. Mark Nicolett, a Gartner Research vice president, said both Q1 Labs and NitroSecurity had strong technologies and solid customer bases, making them key acquisition targets.
IBM had SIEM technology in place when it acquired Consul Risk Management and Micromuse GuardedNet, wrapping the capabilities into its Tivoli Security Information and Event Manager. The acquisition of Q1 Labs may help shore up the Tivoli SIEM weaknesses, or the company could decide to let Q1 technology stand alone, Nicolett said. “They may continue on their merry way and sell [Q1] to customers and then as a side type of activity they would have to figure out how to integrate the strong, existing technology that they have with the core pieces of Q1 Labs,” Nicolett said.
McAfee had been partnering with SIEM vendors before its NitroSecurity acquisition. The company offers a set of APIs to enable SIEM vendors to tap into its ePolicy Orchestrator (ePO) centralized management console. McAfee has had a close relationship with NitroSecurity and shouldn’t have a difficult time integrating it into its product portfolio, Nicolett said. “It’s an exercise in leveraging the parsing and integration APIs that are already part of the product,” he said. NitroSecurity also gives McAfee access to potential customers; utilities and other critical infrastructure facilities have been a major part of NitroSecurity’s customer base.
While vendors tout event correlation, the vast majority of users indicate they are primarily using SIEM for reporting capabilities, said John Kindervag, a senior analyst at Cambridge, Mass.-based Forrester Research Inc. But security vendors see promise in the broader adoption of more advanced event correlation capabilities and have been quick to add the technologies to their portfolios.
The consolidation of the SIEM market gained traction last year, when HP acquired ArcSight for $1.5 billion. Trend Micro and Kaspersky Lab are the only remaining major security vendors lacking SIEM capabilities, said Andrew Hay, a senior security analyst at The 451 Group. Sophos, which acquired firewall vendor Astaro in May, also picked up log management capabilities from the acquisition, Hay said.
“This is further evidence that SIEM vendors have proven themselves,” Hay said. “They’re creating revenue based on compliance mandates and so far there doesn’t seem to be an end in sight for the growth curve.”
SearchSecurity.com Senior Site Editor Eric Parizo contributed to this report.