Deal: EMC/RSA buys Network Intelligence

Submitted by Mike Rothman on Mon, 2006-09-18 14:44.

As I alluded to in this AM's TDI, EMC has not let the grass grow under their acquisitive feet and acquired Network Intelligence for $175 million this morning (release here). This looks to be about 4-5x sales and it a healthy number given that SIM is clearly just a feature of security management. Stiennon may not want to call it consolidation, but there is no standalone market for SIM. So now we get to watch all the vendors run for the exits.

For EMC, the deal makes sense on a number of levels. First, EMC has spent a while aggregating some management technologies (notably SMARTS) and Network Intelligence fits into that model. They provide intelligence for what is going on from a security standpoint and I think there is leverage in the data and analysis that SMARTS brings to the table for the network folks. It also gives some additional capabilities to the RSA folks, who didn't have a SIM in their bag.

Ultimately, I think the most leveragable part of the deal is something that EMC neglected to spell out in their deal presentation - the role of log management in driving more storage consumption. In fact, I'm not sure EMC realizes they just bought into the log management space. This is a good thing for EMC because logs take up a crapload of space, especially forensically clean ones. Anytime you are storing 100,000 things a second, it's going to demand some space. Ergo more storage.

EMC painted Network Intelligence as a SIM because that's where they started and that fits better into EMC's stack chart of all the security markets they play in. Too bad it's wrong. If you look at NI's positioning of late and what problems they were trying to solve - it feels a lot more like log management to me. If they were going to go it alone, they'd need to morph their positioning and log management is where they would have ended up. They were already more than halfway there.

I also want to point out that log management, though a distinct market from SIM IS NOT a standalone market over time either. On LogLogic's blog (here) they go through their reasoning about why SIM is crap and log management is a standalone market, based on what SANS says. Besides the fact that SANS just put on a blow-out Log Management Conference, it just doesn't ring true to me. Over time log management is also a subset of a broader security management story. Like SIM, only different.

I'm not disputing that log management is different than SIM. I've written about that a number of times (here, here). It's about high volume log aggregation and forensic cleanliness to help in the event of an issue. Like every other security market, the log management folks have plastered a reporting engine on top of it to appeal to the compliance folks.

But I don't believe it's standalone ad infinitum. So the real question is when does someone like Network Appliance (who is also trying to break into the security market) take out LogLogic or some repositioned SIM-thing like SenSage to gain exposure both to security and to control a storage driver. Or maybe it's Cisco or Juniper, since you can just as easily aggregate network log data. Or even Symantec or McAfee, though neither one particularly understands appliances.

The only thing I do know is that it will be someone, you can take that to the (Log) Bank.