Market SIEMplification or More of the SEIM?

Blog Post created by smalm on Oct 10, 2011

Last week was a busy M&A week for SIEM, with IBM announcing the acquisition of Q1 Labs and McAfee acquiring Nitro Security. We’ve been watching this unfold with interest as both SIEM companies are Rapid7 technology partners. We’ve had SIEM integration for our vulnerability management solution Nexpose for some time, and back in August we introduced APIs for integrating SIEM solutions in version 4.0 of our professional penetration testing solution, Metasploit Pro. Nitro Security was the first to complete a Metasploit Pro integration, and feedback from customers and community has been extremely positive.


We take an open and collaborative approach because we believe that organizations benefit from the greatest possible contextual intelligence about their situational awareness and security posture. The more insight defenders have into their environments, the better they can determine how to improve security: what steps need to be taken, what assets can be better utilized, and what gaps require new investment. With last week’s announcements, it seems that IBM and McAfee agree with us on this view as they expand their offerings in an effort to deliver more comprehensive security risk intelligence.


The data correlation and presentation promise of SIEM is ultimately tied to the comprehensiveness and accuracy of security intelligence sources like vulnerability management and penetration testing solutions. Increased focus on SIEM technologies puts Rapid7 in a unique position, given the breadth, depth, and precision of our security intelligence data. Simply put, inaccurate or incomplete data stifles advanced correlation; better source data enables better context, so we’ve been a natural partner for SIEM vendors.


Beyond quality of source data, it’s no surprise to those of us in the industry that two major stumbling blocks in the SIEM space have been runtime performance and ease-of-use. These latest acquisitions suggest that the acquirers understand the first of those challenges: Nitro and Q1 have both demonstrated that they are among the market leaders in runtime performance, and this is a technology upgrade for IBM. Whether performance relative to the rest of the SIEM industry is sufficient is another question altogether, but it is good to see acquisitions based on sound technology and market leadership rather than bargain hunting to tick the SIEM box, as we’ve seen in the past. I sincerely hope that both companies will accelerate innovation and raise the bar on runtime performance rather than maintaining their current position in the pack with little more than shiny new logos on their bezels.


Ease-of-use continues to be a complaint we hear often from customers when we talk about SIEM. In far too many cases, customers tell us that they are using these solutions as simple log aggregation and reporting utilities because optimization and inclusion of additional source data is cost-prohibitive. This is a familiar phenomenon from the Identity Management (IdM) challenges we saw a decade ago, when custom connector development limited the effectiveness of IdM projects. Common orchestration standards helped to enable Identity Management projects and reduce professional services costs, and while SCAP attempts to provide similar interoperability advantages to the threat and vulnerability space, key components are U.S. Federal centric or misaligned with the operator’s perspective. As with the runtime performance challenge, we hope that the latest round of SIEM acquisitions will prompt increased usability and lower operating costs for folks longing to get more value out of a relatively expensive technology investment.


As I mentioned, we already have strong relationships with just about everyone in the SIEM space, and particularly with IBM and the folks at Nitro Security. We expect those strong relationships to continue, delivering even more value to our customers and the community.


Congratulations to Q1 Labs and Nitro Security: this is great news for them and for their investors. We also think it could be good news for the industry if the acquirers are truly committed to the market strategically. There has been limited innovation in the SIEM space over the last few years, and we very much hope that these acquisitions will trigger renewed innovation that specifically addresses customers’ most pressing needs.


Look for more collaboration between Rapid7 and these vendors, and you can expect to see more Metasploit Pro integrations with SIEM solutions in the near future.