This week saw another milestone in the consolidation of the
security information and event management (SIEM) market with the acquisition of
not one but two major players. On Tuesday, IBM announced that it would buy Waltham,
Mass.-based Q1 Labs and McAfee made a similar announcement of its own
acquisition of Portsmouth, NH-based Nitro Security. According to security
experts, the moves are an answer to the blockbuster acquisition of ArcSight by
HP last year and should be a further affirmation of the opportunities available
for channel partners looking deliver more security intelligence to their
customers.
"Both
IBM and McAfee had weaknesses in the SIEM market that they had to close to
sustain their enterprise strategy. With all its issues in deployment,
maintenance, architectural issues and cost, SIEM remains a focus of security
operations and management in the enterprise, and is therefore an asset major
enterprise players need in their portfolio," says Scott Crawford, research
director for Enterprise Management Associates. "The proximate driver
forcing this on IBM and McAfee in particular, however, was the acquisition of
ArcSight, which dominates this market, by HP last year. IBM could not
afford to sustain a weakness in that space against one of its most significant
competitors, and McAfee had a SIEM gap in an otherwise fairly comprehensive
portfolio centered on ePolicyOrchestrator."
While
IBM and McAfee both intend to fold the acquired technology into existing
product stacks, this is hardly the end to SIEM as we know it.
"You
need to separate out the vendors that sell SIEM and the customers that buy
SIEM. There is still a market for customers to buy SIEM/log management, so
that's not going away. I do think there will be fewer independent, stand-alone
SIEM/log management players," says Mike Rothman, president and analyst for
Securosis. "We are seeing that
consolidation now and most of the larger start-ups have been acquired at this
point. Over time, security management becomes part of the bigger IT management
stack, but that evolution will still take a while."
Both
Rothman and Crawford say that acquisitions in SIEM are likely to cool down for
a bit after the activity of this week.
"I
don't believe we'll see any (other) deals soon. It's more about the buyers than
the sellers. Most of the logical buyers already have products, so I don't
expect anyone to be snapped up quickly now," Rothman says. "But then
again, I'm no investment banker."
According
to Crawford the two acquisitions' consequences for the channel will depend upon
partners' target customer.
"SIEM
is typically an enterprise play, but more recent entrants such as Q1 and Nitro
have focused on approaches that are more readily adopted, deployed and
maintained. For the smallest customers, this may still place SIEM beyond their
reach – or perceived need," Crawford says. "But there are
alternatives, such as managed security services or hosted models of “SIEM as a
Service.” Channel partners should consider whether or not SIEM would be a
useful offering to their customers, as well as alternatives that may be a
better fit with their portfolios."
Rothman
agrees that services are definitely a viable option, so don't get caught up in
the post-acquisition hype if the product offering doesn't really suit the
customer.
"Channel
partners need to think less about what vendor to sell and more about what problem
to solve for the customer," he says. "There are strengths and
weakness of each product, so it's about finding the right fit for the customer,
regardless of who owns the technology."
