Novell, ISS shake up the security information and event mgmt. market

In the recent months that I’ve written for this newsletter, I’ve commented from time to time on the security information and event management (SIEM) market. After years of speculation, many have wondered over the past year if consolidation will finally appear in this segment. My expectation was that consolidation would indeed take place, but because of the nature of the market and its players, it would probably be protracted over several months or even years.

In the last couple of weeks, the SIEM consolidation wheel has turned again – and this time, with some surprising twists.

With its acquisition of e-Security for $72 million in cash, Novell will enter the SIEM market. This has set not a few heads to scratching, as many wonder what a vendor seeking to morph its legacy success in the LAN into Linux dominance might have to do with security information and event management.

Of course, the fact that e-Security expects to bring in roughly $20 million in positive revenue over the next 12 months certainly plays a role. But the complementary aspects of this deal are having a hard time being heard above the questions – and it would be folly to ignore them in a highly competitive market.

With its early lead and long history in promoting the directory, Novell has sustained the visibility of its identity management offerings. To this, e-Security will add comprehensive monitoring and reporting that directly link security and compliance events and identity management: deep detail in event reporting, alerts when unauthorized access is detected, and the potential to integrate with identity provisioning processes when access denial could be turned into a positive benefit by initiating privilege modification.

Those who have difficulty seeing this possibility should take a closer look at the process management synergies between tools such as Novell’s identity provisioning and its Designer access management modeling tools, and e-Security’s iTRAC event resolution process functionality. EMA research indicates that enterprises still seek better, easy-to-use tools to manage compliance-critical processes. Together, Novell and e-Security could help deliver the integration of these values.

Don’t underestimate the value of this potential simply because Novell was not as visible in security before last week. This process management combination could pose the biggest threat to vendors with a message in both the identity and security management camps – particularly in markets most receptive to the Novell identity message, such as the midmarket increasingly targeted by major identity and management vendors.

There could also be potential for positioning e-Security as a comprehensive reporting and event alerting platform for Novell SuSE Linux platforms. This could help SuSE further penetrate compliance-sensitive environments, and could also conceivably be linked to broader Novell management assets such as the company’s ZENworks offerings, to streamline event remediation and improve security and compliance policy management. Such possibilities are only speculation at this point – but they represent potential that should not be lost on Novell customers and prospects.

Another interesting entry – or, more properly, broadening of presence – in the SIEM space this week is Internet Security Systems’ announcement of its offering of SIEM as a service. This announcement is significant, not least because the early success of ISS intrusion prevention products helped spur on the evolution of SIEM itself, as enterprises sought to prioritize and manage the intelligence provided by their security tools.

The differentiating combination that ISS brings to this offering is the expertise of the ISS X-Force security intelligence team coupled with service management credentials and market-recognized products. ISS’ existing SiteProtector product entry in this space is focused primarily on support of ISS products, but the SIEM service will broaden support to multivendor environments. To these service features will be added the ability of the ISS offering to give customers the ability to control how much information is managed by ISS, and how much the customer limits to corporate-only access.

The value of SIEM as a service likely has strong appeal. Security event management is, after all, one of the primary reasons enterprises engage with a managed security service provider (MSSP) in the first place – to take advantage of sophisticated and highly trained expertise in IT security management that can be expensive to maintain – and retain – even for the largest businesses. When issues of cost and complexity of managing multiple security tools and integrating correlated event output is factored in, the appeal of SIEM as a service may well have legs – and is a development long expected from the company whose early success in intrusion prevention played a direct role in giving rise to this market in the first place.