Guide to Security Information Management
Security-information market continues to flourish
Start-ups and trusted management vendors vie for business
By Denise Dubie
Security information management (SIM) products began to emerge earlier this decade because security professionals needed an alternative to manually sorting through the ever-increasing volume of security alerts generated across various network and security devices.
SIM technology is designed to automate the collection of event-log data from security devices and help users make sense of it through a common management console. SIM uses data-aggregation and event-correlation features similar to those of network-management software and applies them to event logs generated by security devices, such as firewalls, proxy servers, intrusion-detection systems and antivirus software. What's more, SIM products can normalize data -- that is, they can translate, say, Cisco and Check Point Software alerts into a common format so that events from different vendors can be correlated against each other.
There is a marketing battle in the industry over what to call these products. The security event-management (SEM) and security information-management (SIM) markets emerged almost simultaneously, as vendors adopted different acronyms to describe similar capabilities.
"If you look at the [SIM and SEM] products, they are essentially identical -- it just depends on the acronym the vendor picked," says Joel Snyder, a senior partner with Opus One.
Yet others would say that SEM emerged first as a simpler feature set that expanded to become a standard component of more advanced SIM products. SEM, for instance, covers collecting log and syslog data from devices and systems, which is essential to any SIM product. But SIM proponents would argue that their technologies take that data collection to the next level.
SEM emerged to quiet the noise, so to speak, of all the events coming in from multiple devices and to pinpoint in real time which events were actual threats. More recently, to address IT executives' compliance needs, SIM added historical reporting, trend analysis and long-term data storage.
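As an added example (not from the article or from any vendor's product), the following Python sketch shows the two steps the preceding paragraphs describe: normalizing events from two different devices into one schema, and then applying a real-time-style correlation rule that separates a repeated threat from background noise. The log lines are constructed for the example: the Cisco lines approximate the ASA syslog layout for a 106023 access-list deny, and the Check Point lines use a simplified key=value layout. The device names, IP addresses, field names and the rule thresholds are assumptions made for illustration only.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample log lines constructed for this example (not captured from real devices).
# The Cisco lines approximate the "%ASA-<severity>-<msgid>" syslog layout; the Check
# Point lines use a simplified key=value layout. Neither is vendor documentation.
CISCO_ASA_LINES = [
    '2006-01-15T10:00:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51234 dst inside:10.0.0.5/22 by access-group "outside_in"',
    '2006-01-15T10:00:03 fw1 %ASA-6-302013: Built outbound TCP connection 12 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:10.0.0.8/40001 (10.0.0.8/40001)',
    '2006-01-15T10:00:20 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51240 dst inside:10.0.0.5/23 by access-group "outside_in"',
]
CHECKPOINT_LINES = [
    "time=2006-01-15T10:00:05 orig=fw2 action=drop proto=tcp src=203.0.113.7 dst=10.0.0.6 service=22",
    "time=2006-01-15T10:00:40 orig=fw2 action=accept proto=tcp src=10.0.0.8 dst=198.51.100.9 service=443",
    "time=2006-01-15T10:00:55 orig=fw2 action=drop proto=tcp src=203.0.113.7 dst=10.0.0.7 service=22",
    "time=2006-01-15T10:09:00 orig=fw2 action=drop proto=tcp src=192.0.2.44 dst=10.0.0.7 service=22",
]

# Matches only the access-list deny message; other message IDs are ignored by this rule.
ASA_DENY = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_cisco_asa(line):
    """Translate an ASA deny line into the common event schema; None for other messages."""
    m = ASA_DENY.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]), "vendor": "cisco", "device": m["host"],
        "action": "deny", "proto": m["proto"].lower(), "src": m["src"], "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def parse_checkpoint(line):
    """Translate a key=value drop line into the common event schema; None for other actions."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    if kv.get("action") != "drop":
        return None
    return {
        "ts": datetime.fromisoformat(kv["time"]), "vendor": "checkpoint", "device": kv["orig"],
        "action": "deny", "proto": kv["proto"].lower(), "src": kv["src"], "dst": kv["dst"],
        "dport": int(kv["service"]),
    }


def normalize(asa_lines, cp_lines):
    """Aggregate both feeds into one time-ordered list of normalized deny events."""
    events = [e for e in map(parse_cisco_asa, asa_lines) if e]
    events += [e for e in map(parse_checkpoint, cp_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, min_denies=3, window=timedelta(minutes=1), min_devices=2):
    """Flag any source denied at least min_denies times within window by min_devices devices.

    Thresholds are arbitrary example values. Because the events share one schema, the
    rule counts denies across Cisco and Check Point devices together; a single deny on
    one device (the "noise") never reaches the threshold.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():  # evs is already time-ordered
        for i, first in enumerate(evs):
            run = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            devices = {e["device"] for e in run}
            if len(run) >= min_denies and len(devices) >= min_devices:
                alerts[src] = {"count": len(run), "devices": sorted(devices), "start": first["ts"]}
                break
    return alerts


if __name__ == "__main__":
    for src, a in correlate(normalize(CISCO_ASA_LINES, CHECKPOINT_LINES)).items():
        print(f"ALERT {src}: {a['count']} denies across {a['devices']} from {a['start']}")
```

Running the block reports one alert for 203.0.113.7, which was denied four times across fw1 and fw2 inside a minute, while the lone drop of 192.0.2.44 and the accepted connections are filtered out. Without the normalization step the same rule would have to be written twice, once per vendor format, and could not count the two firewalls' denies together.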
Today, these wares come from start-ups and existing management and security vendors alike. The flurry of start-ups that has emerged includes such companies as netForensics, GuardedNet, e-Security and Intellitactics. These companies ship products designed to marry the data collection, normalization and correlation capabilities of management software with the intelligence of security tools.
Bigger vendors picked up on the potential of this technology area and started shopping. For instance, Novell acquired e-Security, Micromuse acquired GuardedNet and IBM later acquired Micromuse.
According to a recently published Forrester Research report, the market for SIM technology is growing at a rate of about 50% a year and will continue at that pace until 2009, reaching close to $1.2 billion by 2011. Because of pressures related to meeting regulatory standards, more companies need to perform log management and demonstrate the integrity of their business processes -- "which means they are monitoring applications and the underlying infrastructure for improper behavior," the Forrester report states.
Another factor that will drive the growth in this sector, Forrester says, is small-to-midsize businesses taking a look at SIM. As the products become easier to use and more affordable, SMBs will start to invest in the technology. Right now, Forrester estimates, companies with fewer than 1,000 employees account for about 1% of the market, but by 2011 they could make up about 30%. And SIM technology could become a bridge between IT and business operations, the research firm speculates, saying it will foster more collaboration as it flourishes in companies of all sizes.
"SIM will be the primary tool for enabling operations teams and security teams to collaborate on: turning business policy into specific configurations and requirements; assessing the risk of ongoing security issues; and coordinating the response to security incidents," the report reads.