Tripwire Inc. has announced plans to sell security information and event management (SIEM) technology, but analysts say it's entering an already chaotic and crowded market where it is sometimes difficult for enterprises to thoroughly evaluate vendors.
The Portland, Ore.-based configuration management vendor is introducing Tripwire Log Center, selling log and event management software that can tie into many different systems.
The biggest challenge for enterprises is to get SIEM software to tap into event data from a variety of proprietary data sources, such as network firewalls and intrusion detection systems. The goal of SIEM products is to help collect and analyze all the activity data to determine the overall health of a network. In addition, SIEM systems are being deployed to give compliance auditors evidence that a company is maintaining log data and that someone within the organization is minding the network.
"All these tools were originally designed to take logs from security devices and correlate them for threat purposes," said John Kindervag, a senior analyst at Cambridge, Mass.-based Forrester Research Inc. "There was never a movement to put payment application data into some of these things and with the various payment applications out there it can be a difficult process."
PCI forces companies to seek log management help: Hard-pressed corporations are turning to service providers as well as product vendors to bring log data together and make management easier.
Information Security magazine:
Mature SIMs do more than log aggregation and correlation: It's been almost a decade since security information management (SIM) systems were introduced. During that time, SIM products have evolved from relatively immature log aggregation products that were too expensive for all but the largest enterprises, to mature aggregation and management solutions that provide network and security insight to organizations of all sizes. But SIM solutions aren't done evolving.
With much of the interest in SIEM products driven by compliance initiatives, the market for SIEM products is jam-packed with vendors, many competing with similar products. Established names include Arcsight Inc., CA Inc., Intellitactics Inc., IBM, NetIQ Corp. and EMC's RSA Security division. Other vendors include LogLogic Inc., NetForensics Inc., Novell Inc., Sensage Inc., Symantec Corp. and TriGeo Network Security Inc.
Most vendors sell SIEM appliances and prepackaged software, though there are no advantages to choosing an appliance over a software package. Alternatively, Kindervag said small and midmarket companies may eventually choose SIEM in a Software as a Service (SaaS) package.
"There's probably too many vendors right now, and given the size of the market, it seems logical to assume that there will have to be more consolidation," Kindervag said. "The vendors see huge levels of distinction between themselves but that doesn't filter down to end user or buyer."
Tripwire's Log Center uses traditional log management capabilities to catalogue and index data and store it for compliance auditors. But like many SIEM vendors, the Tripwire software also combines threat monitoring with analysis to provide automated event-response capabilities. It can generate an event alert to network managers and has a search feature for incident investigation.
Dwayne Melancon, vice president of strategy at Tripwire, said the software has the ability to monitor and log up to 5,000 events per second. It also includes activity-analysis capabilities that, according to the company, include some standard policies that can check up to five servers for viruses and other issues in less than five minutes.
The Tripwire software will include an editor to enable companies to set their own policies. Melancon said customization shouldn't impact upgrades because the architecture was built so custom workflows won't get overwritten during the upgrade process. Melancon said Tripwire has been testing the software with 100 of its customers; reference customers didn't return phone calls for comment. The product's entry-level price is $20,000.
Mark Nicolett, vice president at Stamford, Conn.-based research firm Gartner Inc., said Tripwire could make the most headway with its current customer base, which is heavily involved in compliance projects.
Nicolette said Tripwire's entry into the market is compelling, because it has long established itself in the compliance arena, selling Tripwire Enterprise to monitor and maintain system configuration data. It offers a number of configuration-management tools, including some popular connectors to assess virtualization security configurations.
Tripwire appears to have a fully capable SIEM product with both log management and real-time event management, Nicolett said, adding that Gartner would need to test the product to see how it compares against the already established vendors in the space before offering a definitive assessment.
"There's going to be cases where they are dragged into head-to-head competition with all the other SIEM vendors," Nicolett said. "But there will be times where they can sell both pieces together."
Companies deploying a fully capable SIEM find that it takes time and some customization to get the product to tap into proprietary data sources. Other companies fail to use the data a SIEM provides to the fullest extent, only deploying it to meet a compliance requirement.
Some emerging SIEM features include application monitoring and exception monitoring, Nicolett said. Fully capable exception monitoring requires more work, he said, and involves creating and maintaining policies. Some vendors offer a standard set of out-of-the-box policies for dealing with failed login attempts and conducting resource access monitoring. But Nicolett said companies would be better off establishing their own filtering exceptions specific to their needs.
The technology has been used by financial-services firms for years, but other industries are now deploying it. Merchants are being introduced to SIEM, driven by the Payment Card Industry Data Security Standards (PCI DSS), but other regulations contribute to SIEM deployments as well, including the long-established Sarbanes-Oxley Act (SOX) requirements, which call for data monitoring, which can be proven through log management capabilities.
Forrester's Kindervag said he sees SIEM expanding its role in the enterprise by tapping into other data sources to provide device management, file integrity monitoring and data leakage protection capabilities.
"Sometimes people think of SIEM in its own bucket," Kindervag said, "but certainly SIEM can be the thing that has tentacles that grab onto lots of other technologies and gives you a more unified view of your environment."
Dig deeper on Security Event Management