Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘ArcSight’

Big Network Security Investments – And Market Opportunities – Ahead

Thursday, January 20th, 2011

Here is some interesting data that came out of the 2011 IT Spending Intentions report from ESG Research. In a global survey of 611 IT professionals from mid-market (i.e., 100-1000 employees) and enterprise (i.e., more than 1,000 employees) organizations, 46% of all firms reported they will increase investment in networking products and services in 2011 while 58% said they will increase investment in security products and services this year.

What I found especially intriguing is that both networking and security professionals claim that their organizations will make their most significant investments in network security over the next 12-18 months. In other words, networking AND security folks believe that network security is their highest priority. This emphasis on network security also came out with regard to infrastructure management. When IT professionals were asked which areas of infrastructure management their organizations would make the most significant investments in, the top two responses were security management (31%) and network management (29%).

What does this data mean? It’s easy to dismiss firewalls, IDS/IPS and SIEM software as mature legacy technologies. The ESG data indicates just the opposite–these venerable safeguards are going through a metamorphosis. Why? Perhaps data center consolidation and rich-media applications are driving new scaling needs. It may be that the threat landscape demands new types of safeguards. It is possible that existing network security and management tools have simply grown long in the tooth. I believe that all of these factors are driving network security upgrades and new requirements.

From an industry perspective, there is a lot of opportunity here. Some possible winners include:

  • Cisco. Cisco always gets its share of the pie but the ESG data indicates a better than usual opportunity for Cisco initiatives like TrustSec and Borderless Networks. Cisco is also back in the high-end with its ASA 5585-X.
  • Crossbeam/Check Point and Juniper. These companies lead in large enterprise perimeter security–a nice place to be with data center consolidation, wireless carriers, and cloud computing investments galore. Crossbeam and Check Point work well together but Crossbeam is building its multi-platform status with relationships with other leaders like McAfee as well.
  • HP. HP paid a lot for ArcSight but the ESG data shows that the timing may be fortuitous. HP is also re-investing in TippingPoint after the company’s on-again-off-again relationship with 3Com. HP should look at acquiring as a complement to ArcSight in the federal and large enterprise space.
  • Sourcefire. When is someone (perhaps HP) going to buy this successful firm? Should be another good year for Sourcefire both inside and outside the federal market.
  • McAfee. Killing it with IPS/IDS and has something up its sleeve with Sidewinder integration. The ESG data indicates that the market is ready for new solutions so the timing may be perfect for a new visionary offering.
  • The App firewall crowd. Palo Alto leads here but I keep hearing that its acquisition price is too rich for anyone. Better hurry as Check Point, Juniper, and others are catching up quickly.
  • Other SIEM vendors. Many organizations will be upgrading old SIEM systems or migrating away from Cisco MARS. Good opportunity for upstarts like LogLogic, LogRhythm, NitroSecurity, and Q1 Labs.

Beyond these mainstream players, there is plenty of business for others like Blue Coat, Citrix, F5 Networks, and Riverbed.

The Many Reasons Why IBM/OpenPages Makes Sense

Wednesday, September 15th, 2010

Earlier today, IBM announced its intention to acquire OpenPages, a privately-held software company focused on identifying and managing risk and compliance.

There is obvious value in this deal based upon market interest in risk management alone. In the past ten years we’ve seen the subprime mortgage securities collapse, a rise in global terrorism, and explosive growth in cybercrime. Certainly businesses need better risk management tools to cope with these kinds of events.

With OpenPages, IBM gets to throw its hat further into the risk management ring, but that’s not all. OpenPages provides IBM with strong synergies around other IBM business opportunities like:

  1. Analytics. IBM has invested billions and dedicated thousands of people to create an advanced data analytics capability. Now that this expertise is in place, IBM has an analytics foundation to look at just about any type of data-centric issues. With OpenPages, IBM can combine risk management and analytics products with its existing IT and vertical industry strengths for new product and services sales.
  2. Information security. Over the past 10 years, information security has slowly evolved from tactical threat management to regulatory compliance controls. Given the global cybercrime wave, this is no longer enough — large organizations need real-time IT visibility and solid threat management analytics. IBM can combine OpenPages with the compliance management assets it purchased from Consul as well as its traditional Tivoli security products. If customers need help here, IBM Global and Managed services will be happy to chip in.
  3. “Smarter planet” projects. IBM has always told a great story around “smarter planet” projects like health care networks and next-generation smart grids. True, these visionary initiatives can cut cost and improve efficiency but what happens to the smart grid in the event of a Category 5 hurricane or a cyber supply chain attack that makes 1 million “smart toasters” part of a global botnet? With OpenPages, IBM can now build a “smarter planet” while keeping an eye focused on increasing risks.

Clearly the OpenPages deal wasn’t as newsworthy as HP buying ArcSight or Intel buying McAfee, but it certainly aligns with IBM’s strategy, complements existing products and services, and gives IBM sales reps another solution to sell to customers.

HP Buys ArcSight: More Than Just Security Management

Monday, September 13th, 2010

The waiting and guessing games are over; today, HP announced its intent to buy security management software leader ArcSight for $1.5 billion. I didn’t think HP would pull the trigger on another billion+ dollar acquisition before hiring a new CEO, but obviously I was wrong.

ArcSight is a true enterprise software company. As I recall, many of the early ArcSight management team members actually came from HP OpenView. With this model in mind, ArcSight went beyond technology and invested early in top field engineers, security experts, and sales people. This vaulted the company to a leadership position and it never looked back.

For HP, ArcSight fits with its overall focus on IT operations software solutions for Business Technology Optimization. In the future, security information will be one of many inputs that helps CIOs improve IT management and responsiveness. It won’t happen overnight, but think of all sources of IT management data (i.e., log data, SNMP, network flow data, configuration data, etc.) available for query, analysis, and reporting in a common repository. This is what HP has in mind over the long haul.

In the meantime, HP should get plenty of ArcSight bang-for-the-buck over the next 12-24 months by:

  1. Aligning ArcSight and EDS. Security is a top activity within professional services firms. Given ArcSight’s enterprise play, EDS will likely double down on IT risk management and push ArcSight wherever it can.
  2. Using ArcSight as a door opener in the federal market. Yes, HP already sells plenty of products and services to Uncle Sam, but it now has access to a CISO community with deep pockets. With CNCI 2.0 and FISMA 2.0 upon us, this will only increase.
  3. Bringing ArcSight into the virtual data center strategy. According to ESG Research, many enterprises don’t do a good job of coordinating security with server virtualization. This is a big problem given virtualization growth — which is why VMware was so vocal about its recent vShield announcement. HP can and should bring ArcSight into its strategic vision for CIOs with massive data center projects.

In spite of its security services and thought leadership, HP’s name has been notably absent from IT security leadership discussions in the past. ArcSight should change that.

A few other quick thoughts:

  1. In the past, ArcSight was built exclusively on top of Oracle databases. Great in terms of enterprise functionality, but it made the product expensive to buy, expensive to operate, and somewhat weak in terms of queries across large data sets. Look for HP to accelerate plans to decouple ArcSight from Oracle ASAP.
  2. If HP is still in buying mode, the obvious question is, “who is next?” Would anyone be surprised if HP made a move for Check Point, F5, or Riverbed soon?

WSJ Reports Imminent Sale of ArcSight: Handicapping the Suitors

Thursday, August 26th, 2010

An industry friend just sent me a story from the Wall Street Journal proclaiming that security management leader ArcSight will be acquired within the next week. The story goes on to say that the likely buyers include Oracle, HP, , IBM, and CA.

Hmm. First of all, anyone familiar with ArcSight was sure this was coming. The company is a leader in a growing market segment, has a great Federal business, and is one of few real enterprise players. It is interesting to me that the Wall Street Journal is spreading rumors but that’s another story.

Let me weigh in by handicapping the field:

  1. Oracle. This would be a bold strategic move as Oracle plays in security tools and the identity management space, but not the broader security market. ArcSight is an enterprise software company so it fits with Oracle sales and channels. ArcSight also runs on an Oracle database (for better and for worse). To me, Oracle makes sense as a potential suitor.
  2. HP. HP people always tell me that they want to be in the security services, not the security products business. The company backed this up when it sold its identity management portfolio to Novell. ArcSight fits with OpenView/Opsware as enterprise software so it may have changed its mind, but HP probably wants to be careful with acquisitions in the wake of the Mark Hurd scandal. Heck, HP put in a bid for 3PAR this week and Wall Street went nuts. Given these factors, I’d be surprised if it were HP.
  3. EMC. Forget this rumor. EMC already bought one of ArcSight’s primary competitors (Network Intelligence, now RSA EnVision). There are a dozen security acquisitions I could think of that would make more sense for EMC/RSA.
  4. IBM. Great fit in terms of enterprise software but this would be IBM’s third security management offering (the original Tivoli security manager and then GuardedNet which IBM got as a result of the Micromuse deal). Neither of these products has really resonated in the market. If anyone can erase two previous products, IBM can. I rate this one as likely as Oracle.
  5. CA. CA’s security presence is really limited to the identity space. Like IBM, CA has tried several times to penetrate the security management market with little success. I can see CA wanting ArcSight but if Oracle or IBM jump in, the price may quickly get too high for CA.

Given the Intel deal, McAfee is likely out of the running. I’ve heard through the grapevine that McAfee made several attempts at ArcSight but the price tag was just too big. Symantec, like IBM and CA, has also developed security management products that haven’t taken off in the market. If Enrique Salem is up for another big acquisition, ArcSight would be a great fit.

Finally, wherever ArcSight ends up, there are plenty of other innovative security management companies that may quickly follow. Feisty Q1 Labs would be a natural for Juniper. Brainy Nitro Security could be a fit for Cisco or CA. LogRhythm could be a good addition for HP, Check Point, Websense, etc.

ArcSight deserves what it gets as it really guided the security market moving forward. Its fate will greatly influence the enterprise security market moving forward.

Why Intel Bought McAfee, Hint: It’s All About Massive Changes In the Security Market

Thursday, August 19th, 2010

Before the bell rang on Wall Street, Intel shocked the army of latte-sipping financial wonks by announcing its intentions to buy security leader McAfee. The deal is valued at $7.7 billion or $48 per share, about a 60% premium on the stock price.

A few financial analysts who cover Intel say that this is about Intel’s mobile device aspirations. Maybe, but McAfee just got into the mobile device security market and my guess is that this business accounts for $5 million in revenue or less.

Sorry Wall Street but that ain’t it at all. I believe that Intel sees the same thing I see. The security market is wildly fragmented with vendors producing tactical point products for its customers. These point products can no longer address the environment of sophisticated and massive threats. In the very near future, enterprise and service provider security technologies must deliver unprecedented levels of scalability, manageability and integration.

Guess what? In today’s market there isn’t a single vendor who can deliver a security product suite anywhere near what’s needed in the market. Get it Wall Street? There is massive emotional demand but no supply. Here’s the kicker — without significant improvements in security, this whole Internet party hosted by companies like , eBay, , , etc. could get really, really ugly soon.

To be fair, McAfee can’t deliver the level of scale, manageability and integration that the market demands but it’s as close as any other vendor. Combine this with Intel hardware, money, and brainpower and you’ve got something.

I believe Intel sees a market opportunity, not a product opportunity. Yes, there is plenty of room to integrate McAfee with mobile phones, microprocessors, and NSPs but this is a footnote to the story.

A few other observations:

  1. With its deep pockets, Intel should free McAfee to continue to bolster its portfolio. McAfee should grab ArcSight soon to fill its security management gap with an enterprise leader.
  2. The next logical candidates to double down on security are IBM and /RSA. The next logical target, Check Point — maybe others like Fortinet, Sourcefire, RedSeal, Nitro Security, LogRhythm, etc.
  3. While Symantec’s position just got stronger, Wall Street is waiting to see how the company will digest, integrate, and build upon recent acquisitions PGP and Verisign.
  4. If there is a better CEO success story than Dave DeWalt’s, I’m not aware of it. DeWalt came in a few years ago when McAfee was knee deep in a stock options scandal. He took over, changed the culture, acquired well, pointed the company at the enterprise and voila, sells the whole enchilada to Intel. Not sure if Dave will stick around but I’ll bet HP’s interest in him is sky high.
  5. The combination of Intel and McAfee is a “dream team” for the Feds’ cybersecurity efforts. The two together have security software and can throw massive amounts of hardware at monitoring, filtering, and recording all of the traffic on Federal networks. McAfee already gets hundreds of millions from the Feds. I can see this revenue going beyond $1 billion over the next few years.

Log Management, The Next Generation

Wednesday, June 30th, 2010

Log management technologies have become a staple for regulatory compliance and security reporting. That said, most log management systems provide little more than triggers and alerts when something happens. What about security forensics? Yes, all the information is there but getting to it is a lot like the early days of the World Wide Web when you found information by following hyperlinks. Even a senior security analyst can wade through useless haystacks of security logs for days before discovering valuable needles.

So what’s needed? The next generation of log management featuring:

  1. Consolidation of logs and network flows. Some vendors collect both of these data sources but most don’t. Log and flow data together tell about individual network nodes and where they are connecting, helping me understand the origins and ramifications of an attack. Without this combination, I am filling in the blanks in one area or the other.
  2. Location awareness. Yes, I want to know what happened but I also want to know where it happened. An IP address is a piece of random evidence while an IP address in the Ukraine may constitute a crime scene.
  3. Deeper granular visibility. The system logs provide the big picture but researchers need to dig into particular sub-routines and processes to get a more accurate understanding of what happened. This requires the correlation of many types of data inputs and visual tools that make these relationships understandable.
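To make the first item concrete, here is an added example (not part of the original post, and not any vendor's code) that joins host log events with flow records to show where a host connected right after an event. The log and flow line formats, field names, the 5-minute window, and the 10.0.0.0/8 internal range are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data; formats are assumptions for this example.
LOG_LINES = [
    "2010-06-30T10:15:02 host=10.0.5.21 event=auth_failure user=svc_backup",
    "2010-06-30T10:15:09 host=10.0.5.21 event=auth_success user=svc_backup",
    "2010-06-30T10:40:00 host=10.0.7.8 event=auth_success user=alice",
]
FLOW_LINES = [  # start_time,src,dst,dst_port,bytes
    "2010-06-30T10:15:30,10.0.5.21,10.0.9.40,445,18234",
    "2010-06-30T10:16:10,10.0.5.21,203.0.113.77,443,5242880",
    "2010-06-30T10:41:00,10.0.7.8,10.0.9.12,80,912",
    "2010-06-30T11:30:00,10.0.5.21,198.51.100.9,443,100",
]
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space

def parse_log(line):
    """Split 'timestamp key=value ...' into a dict with a parsed time."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["time"] = datetime.fromisoformat(ts)
    return rec

def parse_flow(line):
    ts, src, dst, port, nbytes = line.split(",")
    return {"time": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes)}

def correlate(log_lines, flow_lines, window=timedelta(minutes=5)):
    """Pair each log event with flows its host opened within `window` after it."""
    flows = [parse_flow(l) for l in flow_lines]
    out = []
    for ev in map(parse_log, log_lines):
        related = [f for f in flows
                   if f["src"] == ev["host"]
                   and ev["time"] <= f["time"] <= ev["time"] + window]
        out.append((ev, related))
    return out

def external_after_success(log_lines, flow_lines):
    """Hosts that logged auth_success and then sent traffic outside INTERNAL."""
    hits = []
    for ev, related in correlate(log_lines, flow_lines):
        if ev["event"] != "auth_success":
            continue
        for f in related:
            if ip_address(f["dst"]) not in INTERNAL:
                hits.append((ev["host"], ev["user"], f["dst"], f["bytes"]))
    return hits

if __name__ == "__main__":
    for hit in external_after_success(LOG_LINES, FLOW_LINES):
        print(hit)
```

Neither data source alone yields the result: the log lacks the destination and the flow record lacks the account name.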

Leading log management vendors like ArcSight, LogRhythm, Q1 Labs, and others realize that log management isn’t just about collecting and storing esoteric IT data, it is about providing organizations with the right data and tools to make this data actionable.

It’s time for users and other vendors to realize that the next generation of log management isn’t a visionary concept, it is an absolute requirement.

© 2011 Enterprise Strategy Group, Milford, MA 01757