IBM And Intel Jump Deeper Into Security Event Management Market

Both IBM and Intel's security arm, McAfee, are going the acquisition route to beef up their security information and event management (SIEM) capabilities. Big Blue is buying Waltham, Mass.-based Q1 Labs, a provider of security intelligence software, while McAfee is purchasing NitroSecurity, a SIEM developer based in Portsmouth, N.H.

Once the deal closes in the fourth quarter of 2011, Q1, which has almost 2,000 customers globally, will become part of the IBM Security Systems division, and Q1's CEO, Brendan Hannigan, will head up the new business unit. The unit will consist of more than 10 security acquisitions IBM has made in the last decade and its more than 25 analytics-related purchases, including the recently announced acquisition of security analytics software firm i2. According to IBM, the division will target a $94 billion opportunity in security software and services, which has a nearly 12% compound annual growth rate.

IBM has been addressing SIEM with a product called Tivoli Security Information and Event Manager (TSIEM). The company says Q1 Labs' QRadar product is already integrated with many IBM security products and platforms, including IBM Security SiteProtector and IBM Security Network IPS, IBM Websphere, AIX, Domino and RACF.

McAfee states that once the NitroSecurity acquisition is closed, the combination will give organizations greater visibility into their endpoint assets, underlying network infrastructure, specific security threats and risks, and system vulnerabilities across their entire IT environment. NitroSecurity's SIEM management has already passed integration testing with McAfee ePolicy Orchestrator (ePO), and the integration will expand the capability of the ePO platform to view events, activity and logs created by networks, databases and applications. According to McAfee and Gartner, last year the SIEM market grew from $858 million to $987 million, achieving a growth rate of 15% (Gartner Magic Quadrant for Security Information and Event Management, by Mark Nicolett and Kelly Kavanagh, May 12, 2011, RV4A105172012).

SIEM represents a new market for McAfee. Previously, its customers could utilize partners--such as NitroSecurity, which has been a partner for three years--that had passed interoperability testing through McAfee's Security Innovation Alliance (SIA). In addition, McAfee has been using NitroSecurity as its own SIEM solution.

These acquisitions should come as no surprise, according to EMA's Scott Crawford, managing research director, security & risk management. He writes that IBM has taken heat for its relative acquiescence in the SIEM space compared to some of its most direct competitors, while McAfee has long had a SIEM gap in what is otherwise a fairly comprehensive strategy for centralized enterprise security management anchored on ePolicyOrchestrator. He says having substantial weaknesses in this area is perceived as an oversight for any security vendor whose strategy embraces the enterprise to any significant degree.

Crawford says SIEM is undergoing changes as vendors try to make it more accessible, and credits the companies being acquired with helping to lead the way. Q1 was one of the first to recognize that application flow data could be used to identify security-relevant events and make for more efficient deployments. NitroSecurity "rattled incumbents" with data management technology that it brought to bear not only on SIEM but on intrusion detection and prevention.