SIEM M&A, MSSP and the Cloud

The big news today is the twin announcements in the SIEM space. First McAfee/Intel announced that they were buying Nitro Security. This was followed closely (or maybe IBM went first, but who cares) by IBM announcing they were gobbling up Q1 Labs. I am not a big believer in coincidence and I don’t think both of these deals being announced on the same day is totally random. But more on that later.

I do think that both of these deals have a lot to do with the cloud and the managed security services market. With so much of IT moving to the cloud – tracking, storing and analyzing data from disparate sources is more of a challenge, with a greater reward for those that do it successfully. We are reaching a point where you really can’t have an MSSP service business without some sort of SIEM capability.

There are other factors at play here. I think Q1 Labs was a highly sought after prize for some time. With their OEM and partner relationships with Cisco, Juniper and others, there were lots of potential suitors for Q1 and it was no secret that they were a hot commodity. I would bet Intel/McAfee was one of those suitors and when they saw themselves losing to IBM they quickly turned to Nitro to at least have a horse in the SIEM race.

Congrats to the Nitro team on the acquisition. It has been a long strange trip through the IDS/IPS days to today for them. They deserve kudos for staying the course and building a successful business.

As to IBM, how many SIEMs have they bought? This is probably the 3rd or 4th that I remember. To date none of them have provided them the answer they are looking for. I do think with Q1 they have a winner. If for no other reason than the pressure they can put on some competitors. Speaking of which, what are those competitors going to do? I am sure Juniper and Cisco are weighing their options.

I would think Cisco after the MARS debacle has learned its lesson. But never underestimate the herd mentality of large companies. If someone bought a shiny new trinket, they want one too. That could spell good news for other SIEM and Log vendors.

LogLogic CEO Guy Churchward had this to say:

The news by IBM and McAfee, and the increasing complexity of virtualization and cloud only elevates the need to centrally collect for not only security but IT forensics, but compliance and IT operational efficiencies. Overall today’s news says two things: First, this is an exciting space to be in, and it will continue to change rapidly. Second, as the largest independent pure play and leader in supporting managed and cloud services it really validates our strategy in centrally managing an IT data repository. We’d assume both Q1 and Nitro customers will see the same level of customer disruption seen with ArcSight.

Of course I guess he couldn’t help throwing the dig in about ArcSight and HP. But don’t think that the recent HP announcements around greater integration between ArcSight and other products doesn’t play a role in this. As SIEMs make it easier to collect data from a wider array of sources, their value increases. This is doubly important when talking about cloud and multi-tenant MSSP services.

The same is true for log management. The more logs from the greater amount of devices and programs, the more value that can be added by analysis of that data. Conversely the more logs, the harder to manage them all as well. I spoke to VP of Marketing and Product at Alert Logic, Urvish Vashi today and he had this to say:

The acquisition of NitroSecurity & Q1 Labs by industry majors like McAfee and IBM show the enterprise appeal of advanced SIEM solutions. While some of the analysis also points to the use of these SIEM tools in cloud and MSSP environments, I am not sure that either of these tools provide that functionality today. While making security services consumable by integrating managed services and providing flexibility around where infrastructure is deployed are worthy goals, I am not sure either of these products are as capable of providing that. Enterprises should demand answers to how they can get value from these solutions in a cost effective manner. At Alert Logic we have spent a long time developing services and solutions that do make security consumable as a service and flexible enough to collect data wherever infrastructure is deployed.”

I don’t think we are done with M&A in the SIEM space. One question is who will be next, but a bigger question maybe how do you get SIEM to really fulfill its mission.