Network and systems management vendors have been on a shopping spree of sorts for some time now, and the current must-have item on their list is security information management.
Following Micromuse’s announcement earlier this month that it would acquire GuardedNet for US$16.2 million, industry watchers speculate the purchase might mark the beginning of the end for pure-play SIM vendors.
In Micromuse’s case, the purchase would augment that company’s Netcool for Security Management offering with more-sophisticated correlation and reporting tools, the company says. The acquisition also contributes to a trend that Cisco kicked off last December when it acquired SIM vendor Protego Networks.
“Systems management and other vendors are looking at SIM as an area with high growth potential, and they will work to sell integrated products to their installed bases,” says Stephen Elliot, a senior analyst with IDC. “Computer Associates may do SIM on its own, but acquisition could provide the fastest time to market for other vendors.”
Acquisition isn’t the only route vendors are taking to deliver SIM.
Cisco also licenses SIM technology from netForensics to augment its network security plans; HP last month announced it had partnered with ArcSight to provide OpenView Compliance Manager; and storage giant EMC joined forces with SenSage to couple its Centera storage products with SenSage’s event log collection and retention features. CA and IBM Tivoli separately offer stand-alone or bundled management applications that deliver SIM capabilities.
Management vendors cite obvious synergies between the two technologies as the reason why security events should be managed alongside network events to best protect against threats and to optimize network performance.
Others think vendors could be motivated by potential revenue. The Yankee Group estimates the US$330 million SIM market could grow to close to US$800 million by 2009.
Yet industry watchers say tackling security will require management vendors to do more than develop an add-on software module. The differences between security events and network events could require vendors to enhance their event correlation, data warehousing and storage capabilities.
“Security information should definitely be integrated with network management information in terms of common workflows and databases, and the market will consolidate,” says George Hamilton, a senior analyst with The Yankee Group. “But management vendors may not be taking into account the fact that security has the steepest innovation curve of any technology out there.”
Not only would tackling SIM challenge network management vendors to bone up on their security skills, but it also would require them to change the way their products work. While SIM products typically consist of software, servers and agents, or probe appliances that collect logs from devices, the resemblance to network management tools could end there. SIM tools contain more intelligence specific to security events and are geared toward reacting to constant change, whereas network management software works to document approved changes and prevent unwanted alterations to device and software configurations.
“Management vendors will contend that security is a sub-element of management, but the whole goal for the [network and systems management] vendors is to fight change, to make sure everything stays the way it’s supposed to and to reduce the cost of manual repetitive actions,” says John Pescatore, a vice-president at Gartner. “Security management is the opposite. It requires the ability to react quickly to constant change. There are only a few repetitive actions on the security side.”
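The distinction drawn above, between reacting to patterns in a stream of security events and enforcing an approved state, is easiest to see in code. The following is an added Python example, not code from the article or from any vendor named in it: `correlate_auth_events` is a minimal SIM-style rule that joins authentication failures from several devices by source address (something no single device log would show), while `detect_config_drift` is the network-management job of flagging any device whose configuration no longer matches its approved baseline. All device names, addresses and log records are constructed for the example.

```python
import hashlib
from collections import defaultdict, deque
from typing import Dict, List

# Constructed authentication events as a SIM collector might normalise them
# from three different devices (not real data). Each device alone sees at most
# one failure from 203.0.113.7; only the combined stream reveals the pattern.
SAMPLE_EVENTS = [
    {"ts": 100, "device": "fw-edge-1", "src": "203.0.113.7", "user": "admin", "outcome": "fail"},
    {"ts": 110, "device": "vpn-gw-1", "src": "203.0.113.7", "user": "admin", "outcome": "fail"},
    {"ts": 125, "device": "core-sw-1", "src": "203.0.113.7", "user": "admin", "outcome": "fail"},
    {"ts": 140, "device": "core-sw-1", "src": "203.0.113.7", "user": "admin", "outcome": "success"},
    {"ts": 150, "device": "core-sw-1", "src": "198.51.100.4", "user": "netops", "outcome": "fail"},
    {"ts": 900, "device": "core-sw-1", "src": "198.51.100.4", "user": "netops", "outcome": "success"},
]


def correlate_auth_events(events: List[dict], threshold: int = 3, window: int = 300) -> List[dict]:
    """SIM-style correlation: raise an alert when one source address accumulates
    `threshold` or more failed logins across any devices within `window` seconds
    and then logs in successfully. Failures older than the window are discarded,
    so the rule reacts to the current stream rather than to a static state."""
    alerts = []
    recent_fails = defaultdict(deque)  # src address -> deque of (ts, device)
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_fails[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:  # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "fail":
            q.append((ev["ts"], ev["device"]))
        elif len(q) >= threshold:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "ts": ev["ts"],
                "failures": len(q),
                "devices": sorted({d for _, d in q} | {ev["device"]}),
            })
            q.clear()  # one alert per burst, not one per later success
    return alerts


# Constructed approved configurations (the "way things are supposed to stay").
APPROVED_CONFIGS = {
    "fw-edge-1": "hostname fw-edge-1\nntp server 192.0.2.10\nlogging host 192.0.2.50\n",
    "core-sw-1": "hostname core-sw-1\nntp server 192.0.2.10\nlogging host 192.0.2.50\n",
}

# Constructed configurations as pulled from the devices now; core-sw-1 has changed.
OBSERVED_CONFIGS = {
    "fw-edge-1": "hostname fw-edge-1\nntp server 192.0.2.10\nlogging host 192.0.2.50\n",
    "core-sw-1": "hostname core-sw-1\nntp server 192.0.2.20\nlogging host 192.0.2.50\n",
}


def config_fingerprint(text: str) -> str:
    """Stable fingerprint of a configuration, so baselines can be compared without
    storing or diffing the full text at alert time."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def detect_config_drift(approved: Dict[str, str], observed: Dict[str, str]) -> List[str]:
    """Network-management-style check: list devices whose running configuration
    differs from the approved baseline, or that could not be read at all."""
    drifted = []
    for device, baseline in approved.items():
        current = observed.get(device)
        if current is None or config_fingerprint(current) != config_fingerprint(baseline):
            drifted.append(device)
    return sorted(drifted)


if __name__ == "__main__":
    for alert in correlate_auth_events(SAMPLE_EVENTS):
        print("SIM alert:", alert)
    print("Configuration drift on:", detect_config_drift(APPROVED_CONFIGS, OBSERVED_CONFIGS))
```

The two functions share nothing but the device names: the correlation rule carries no notion of an approved state and is only as good as the security knowledge encoded in its threshold, window and grouping key, while the drift check knows nothing about events and simply compares fingerprints against a baseline. That is the gap the analysts describe between a management framework and a SIM product.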
With several competitors — ArcSight, e-Security, Intellitactics, netForensics, Network Intelligence and OpenService, to name a few — and little differentiation in the SIM market, industry analysts say pure-play vendors will have to fight to remain profitable and to contend with larger management vendors aggressively working to incorporate the security-specific tools into their product suites.
“SIM vendors are going to have to find a way to expand their capabilities and expand their reach within the enterprise,” says Scott Crawford, a senior analyst at research firm Enterprise Management Associates. “SIM does help to simplify security event collection and analysis, but it also requires a fair amount of resources and staff to get it implemented.”
The Yankee Group estimates that for midsize to large organizations, the software, hardware and implementation costs to get SIM rolled out can reach close to US$400,000. The escalating cost of a niche product doesn’t appeal to users, but neither does the idea of rolling out an entire management framework to get the benefit of automated event collection, filtering and analysis.
“Network management products are just so big and all-encompassing that it would take a long time to get what you wanted from them for a SIM rollout,” says Adam Hansen, security manager for Sonnenschein, Nath & Rosenthal, a law firm in Chicago. He uses OpenService’s Security Threat Manager to keep up with security logs on more than 100 managed devices.
Hansen says he can see the benefits of tying together security and network monitoring tools to better align alerts from the separate systems, but for now he says network management products lack the in-depth security knowledge and correlation capabilities to make sense of alerts for security staffers.
“If the management vendor doesn’t fundamentally understand what it is looking for in the security events, then all the data collection will just become another case of ‘garbage in, garbage out,’” he says.