Monday, November 9

Implication of Cisco MARS decision on SIEMs?

Notice the question mark first. I'm interested in what you think this means. This isn't me trying to make any great claims.

Cisco has acknowledged that it will stop adding support for additional devices on its MARS SIEM platform. While the plan is to continue providing updates for already-supported devices, it's difficult to argue that this isn't a strategic move toward completely dropping support for the product (in it's current form).

I, of course, wanted to use a title like "The END of SIEM", but it's hard to make that leap given that one of the biggest SIEM players was ranked among Deloitte's 2009 Technology Fast 500 with over $100 Million in revenue for 2008. And ArcSight has shown 32%, 34%, and 25% year over year growth in its last three quarters respectively.

Still, Cisco is thought to be the most widely deployed SIEM with over 4000 installations. For them to make a strategic move to discontinue addition of future platforms means (and read this with your favorite accent) something doesn't smell right in Denmark.

As I speak to organizations about NetVision (and we are clearly NOT a SIEM player), I hear concerns about SIEM tools and log management applications that are big, complex, difficult to implement, expensive, and not user-friendly. I have nothing against SIEM tools or the role they play. In fact, many of our customers integrate our product with SIEMs. ...which is why the topic comes up. But, I've been wondering if the fire-hose approach to data collection is proving to be too much. i.e.) too much data and too much complexity given the problem at hand.

I sense that the SIEM approach is troublesome and that SIEM vendors who can't adapt to changing market expectations for more readily available answers will start making announcements like Cisco's indicating that they won't be around forever continuing to support an ever-growing number of devices. There will likely continue to be a market for large scale event data collection into the foreseeable future. I'm not arguing against that. But a segment of the market seems to be defining itself as a group that wants easy answers in lieu of a data flood.

Am I reading too much into it? What do you think?


John Burnham said...

Hi Matt,

The problem with the perception of SIEM tools today is that some observers and customers, as you note, believe that SIEM tools and log management products are big, complex, difficult to implement, expensive, and not user-friendly. And these problems do exist, if they’re evaluating first-gen SIEM or log management providers. Q1 Labs (full disclosure: I’m their VP of corporate marketing) is a next-gen SIEM and log management provider. We’ve removed the false choice by eliminating the high cost and complexity of deploying SIEM solutions, and turned the ‘fire-hose’ approach of data collection into something that customers can easily use every day to make their networks secure.
My concern with your statement about the fire-hose approach proving to be too much, is that you’re implying customers shouldn’t implement a technology to capture all of the information on their network, essentially leading them to ignore what could be very harmful activity taking place on or against their networks.

As you note, the SIEM market isn’t slowing down anytime soon. According to Gartner, the SIEM market grew about 30% in 2008, with total revenue at about $1 billion, and is expected to continue to grow due to the following drivers:
• compliance has been driving growth in the log management and SIEM market for the last couple of years;
• there's more federal regulation than ever, and in the current economic climate and administration, more is sure to follow;
• states are creating regulatory pressures to protect personally identifiable information in the wake of a half-dozen high profile data breaches;
• independent standards organizations and verticals are drafting their own compliance mandates;
• cyber warfare has been joined by for-profit cyber crime, and the attacks are increasing in volume and intensity.

As a member of the Q1 Labs team, I have to point you to our exceptional growth over the past three quarters:
• 106 new customers, including many large enterprises, in recent third quarter
• 278 new customers over last three quarters
• Total customer count is now 778
• 72% four year growth rate
• Increased employee base by 40% and customer base by 60% in 2009
• Customers are choosing Q1 Labs 3 to 1 over competitors

SIEM is going mainstream, and next-gen companies like Q1 Labs are out-innovating Cisco – and other SIEM providers – where they’re not successfully executing, providing an opportunity for competitors like Q1 Labs to erode competitors’ market share.

John Burnham
VP of Corporate Marketing, Q1 Labs

Matt Flynn said...

Thanks for the comments John. I appreciate the view from down in the trenches.

Iqlas Ottamalika said...


There are few things I really like about this article.

It's true that most of these SIEM products are very complex, expensive and cumbersome user interface. They are bogged down by ever growing need to support new devices. At the same time, the user (SOC/NOC) requirements of typical SIEM products are evolved. The administrators are not just trying to find simple security issues. They are more concerned about the SLA, business service impact and how to protect the assets. Along with these new challenges, a typical IT or datacenter is evolved with the new technologies such as virtualization, new devices etc. Also still lot of first generation SIEM products needs two different products to do real time event management and long term log management.

Also it's very difficult to predict for the administrator, whether one particular issue is strictly security issue or not. It may be because of a performance issue with a VM server or availability of an application or a network device. This may be caused by a "unapproved" Change by a network operator or a real new security threat in the network. How an IT operator will find out what exactly what is the root cause of a problem without spending countless hours digging through logs, looking at different silo-ed tools and trying to correlated between them.

We at accelOps Inc, a start-up ( focussing on the datacenter/IT monitoring is trying to come up with a solution for the above problem. (Disclaimer: I work for AccelOps, as the director of Engineering). Instead of focussing on the siloed approach, why we can't bring 'availability, performance, security and change' monitoring into a single console and thus provide what IT operator needs in a single UI. On top of this framework, add the "business service awareness", so that companies can focus on what they really care. And use the technical advances in the last 4-5 years into this framework including the virtual appliance model, Cloud architecture, scalable, hybrid datastorage and a dynamic Web2.0 RIA UI.

We truely believe that this is the next generation framework not just for SIEM, but for IT/datacenter monitoring.

On a side note, accelOps is started by the same founders who created the popular Cisco MARS (Protego Networks).

Please see for more info.

Thanks for the inspiring blog article and keep on writing.