When there was a hullabaloo last November over Cisco all too quietly ending any new third-party support for the Cisco Security Monitoring, Analysis and Response System (MARS), analysts predicted IT managers might not be as eager to fly to MARS anymore, since MARS would not be expanding log collection for non-Cisco equipment in the future.
The experience of one customer, Bank of the West, bears that out.
Bank of the West, a large commercial bank with locations mainly in the western U.S., recently decided to migrate away from Cisco MARS to a competitor, LogRhythm, to meet its log-management needs in terms of collecting data on security and network devices.
"We have a lot of non-Cisco events," says Wayne Proctor, vice president of IT at Bank of the West. Cisco's wavering support for third-party devices, which came to a head last November when Cisco admitted its salespeople were telling at least some customers that MARS was ending any new support for third-party equipment, was a key factor in the bank deciding to look for a new log-management system.
After a review of bids, the bank went with LogRhythm as its central log-collection repository for security and network events, due to factors that included ease of implementation. "We were looking for a tool that wouldn't increase headcount," Proctor says.
In addition, LogRhythm requires only one management console, while Cisco MARS had required multiple management consoles, Proctor says. LogRhythm also seems to be better at defining views into data for individuals such as auditors or different departments across the IT department.
The fact that consultancy Gartner quickly went from starring Cisco MARS in its much-coveted "Magic Quadrant" Security Information and Event Management (SIEM) product analysis to ejecting MARS when word started to trickle out about Cisco ending new third-party support was also influential at Bank of the West.
Jon Oltsik, principal network analyst at Enterprise Strategy Group, who has been doggedly tracking Cisco's product-development plans around MARS, and was critical of Cisco's lack of clarity about its intentions concerning MARS in the past, ripped into Gartner's "Magic Quadrant," saying the "lesson here about the Gartner MQ" is that "it should be utilized as a data point — and not a major requirement — for purchasing decisions."
For his part, Oltsik says, "By now, all users should understand Cisco's position. MARS is not a general-purpose SIEM and will be limited to supporting Cisco products henceforth."