Published on Security Incite: Analysis on Information Security (http://securityincite.com)

Report Card: Incite #8 - Security Management (oxy)Moron

By Mike Rothman
Created 2006-12-27 09:19

This is the last report card for today. Tomorrow you'll get the remaining 4 and I'll put a close on 2006.

Stand-alone security information management (SIM) plateaus in 2006, as consolidation continues and the need for large-scale system integration makes acceptable time to value out of reach for all but the largest enterprises. Closed correlation systems increasingly take root as users swing towards homogeneity and ratchet back expectations on which devices really need to be integrated into the management system, while leveraging the reporting infrastructure for compliance purposes.


Grade: A

Original Days of Incite post: here [0]
Incite Redux post: here [0]

There is not much to say here, but “I TOLD YOU SO!” The security management business (really I mean SIEM here) is made up of the lucky (e-Security and Network Intelligence - who got acquired this year), the survivor (ArcSight – who is moving into other businesses like log management and network configuration fast), and the walking dead (everyone else). And the shake-out will be severe in 2007.

It's not that the ability to correlate security events isn't important. It's just not a stand-alone business. Cisco is moving a lot of their MARS appliances, mostly as a low-cost add-on to a network upgrade. So there is customer demand for a lower-cost option to help correlate events a bit better.

Let me also touch on the futility of security “dashboards” as a market, because the reality is that the infrastructure vendors are going to provide that capability as well. Cisco is moving in this direction and everyone else needs to. So look for focused niche vendors that offer competing capabilities to something like MARS at a low price point to be in high demand next year.

The one opportunity that is real in the security management space, which I didn’t see a year ago, is log management. Given forensic requirements and the need to do some of that correlation and analysis work, purpose-built log management products (not re-branded struggling SEM products) exit 2006 with a lot of running room.


Source URL:
http://securityincite.com/blog/mike-rothman/report-card-incite-8-security-management-oxy-moron