Nitro & Q1: SIEM/Log Management vendors dropping right and left

By Mike Rothman

It must be SIEM acquisition Tuesday. McAfee hit first by announcing their expected deal with Nitro Security. But then IBM surprised pretty much everyone by acquiring Q1 Labs. Don’t blink or you may miss another 2-3 SIEM/Log Management vendor acquisitions. Obviously we have been talking about consolidation in the SIEM/Log Management space for quite a while – there are about 20 vendors left now – but it’s strange that deals involving the two most significant independent vendors happened on the same day. Coincidence? Our pal and contributor James Arlen doesn’t believe in it, and neither do we…

Hot Tamales

First let’s discuss why these SIEM/LM players are such hot commodities. As many of us have been whining, compliance drives security nowadays, and log management is a must-have technology for compliance. So almost everyone has some kind of log aggregation capability to cover the basic requirements. Most customers are thinking about enterprise-class options, which is driving business in the SIEM/Log Management space, as they want to do stuff with the vast amounts of data they collect. At the same time, the products are maturing. They aren’t easy to use, but they are getting better, and vendors’ ability to support enterprise-class requirements has improved, especially for Q1 and Nitro. That’s it.

Also consider that security management was always destined to become part of the IT management and operations stack. That’s what drove the EMC/RSA/Network Intelligence and HP/ArcSight deals of yore, and is driving today’s deals. In simplest terms, SIEM/LM was never destined to be an independent technology over the long term, so these deals are just the logical conclusion of a 3-4 year consolidation.

Why Buy?

Let’s look at the buyer profiles – why did both McAfee and IBM buy the leading (independent) players in this market? In McAfee’s case the answer is simple. They had NOTHING to address this client requirement. They needed something – not having either LM or SIEM was forcing their customers to buy other solutions, such as ArcSight and RSA – which is unacceptable if your goal is to own the entire security stack. McAfee had to buy something, and frankly they should have done this a long time ago.

IBM, on the other hand, had a number of SIEM-type platforms, most buried within the Tivoli group. But none were competitive, and I can’t tell you the last time I heard of an end-user organization taking an IBM SIEM offering seriously. They do a bit of security management as a managed service (using the former ISS platform), but that wasn’t an answer. The real kicker, and what forced IBM’s hand, was clearly HP. HP’s ownership of ArcSight as the cornerstone of its enterprise security strategy put IBM at a clear disadvantage. Eventually not having a competing offering would have hurt them. I’m sure they did the math and decided it was easier to buy Q1 now (even for a pretty big number), than to wait until Q1 went public. Clearly IBM was going to pay to get into this market, so they decided to pay now.

Why Sell?

You always have to wonder why companies with clear momentum in a growing market sell. But don’t worry about it too much – I suspect it just came down to economics. Every company has a price, and clearly since it took so long for McAfee to consummate the Nitro deal, they finally reached it. This is actually a great outcome for Nitro, given that they were a couple of years behind Q1 on pretty much every enterprise front (revenue/bookings, channel, enterprise deployment), so getting taken out was a better option. McAfee was the likely candidate in light of their successful coordination as part of SIA (Security Innovation Alliance), as well as Nitro’s more reasonable price tag. McAfee has never really broken the bank for technology acquisitions since DeWalt came to power. Based on technology, sales model, and price, Nitro was a better fit for McAfee.

Likewise, Q1 is the best fit for IBM. IBM is a huge company, and when they buy, they need to move the needle. Or at least have a chance to move the needle. Q1 was clearly on a path to go public, with speculation that the IPO would happen in early 2012. But every company goes into a deal with stars in their eyes, and Q1 is no different. IBM is giving Q1 CEO Brendan Hannigan the keys to a new combined security group. So they hope IBM will have a big group like HP does, which obviously dramatically increases Q1’s impact on the market. Speaking of HP, we really cannot overstate the impact of the HP/ARST deal on this week’s events. From everything we’ve heard, after a little integration heartburn, HP is now driving ARST into deals that none of the other players are seeing. IBM gets a similar benefit with Q1. Clearly Q1 needs IBM’s reach to accelerate their growth path and impact. Will it happen? Who knows? But IBM gives the Q1 team their best chance.

What about the customers?

As with every deal, customers will suffer. The question is how much and for how long. All things considered, HP actually did a decent job with their ARST integration, so if IBM leaves Q1 alone, they have a chance. But there will be disruption – there always is. Q1 is now selling to IBM’s field sales force, and less directly to end users. It will take some time for IBM to figure out what they have, and the Q1 team needs to focus on teaching them – which means something will fall through the cracks. If you are a Q1 customer, and your implementation is working well, you should see little impact. If your implementation isn’t working well, start pushing for additional services to fix it. That will push Q1 to train IBM’s services teams, which is a good thing.

McAfee historically has bought technology and just plugged it into their channel. SIEM is not AV, nor is it vulnerability management, nor anything else that McAfee is proficient at selling. That will be a big challenge for Little Red, especially given their limited professional services capabilities. Customers probably need to make sure to work with decent resellers, because it will be a while before McAfee figures out how to support and implement a SIEM. Given Nitro’s less robust balance sheet (compared to a public company, anyway), customers should be happy that now Nitro has stability.

Technology disruption should not be a problem in either case. Both Q1 and Nitro have advanced back-end platforms, so unlike ArcSight and RSA – which are both undergoing disruptive and risky back-end data model evolutions (akin to a brain transplant) – neither Q1 nor Nitro needs much evolution. Yes, both can improve in ease of use and all that other good stuff, but neither is a steaming pile of FAIL. Even with the expected lack of innovation once a start-up gets swallowed by a huge company, there is less risk with both of these deals.

Of course, both IBM and McAfee risk alienating customers because they may have pushed alternative platforms in the past. In IBM’s case, it could be one of the handful they already have, which basically need to go away in favor of QRadar, and quickly. With McAfee, it’s about the other SIEMs they may have pushed as part of the SIA sales teaming program. Now they’ll want customers to move to their new Nitro platform. Isn’t it great that Adrian and I did that work on Security Management 2.0, which lays out how to replace a SIEM?

Be sure to watch for brain drain. Many start-up folks wait to vest out, and then move onto the next deal. That is likely to happen, and if the IBM/BigFix deal is any indicator, sooner rather than later for the Q1 folks. But that’s the logical order of things and shouldn’t surprise anyone. But it will impact customers.

If you are looking at Q1 or Nitro, you need to decide whether IBM and/or McAfee are companies you want to do business with. In reality, most organizations already do some business with IBM, so that’s less of an issue. But if you have no McAfee and were looking seriously at Nitro, it’s time to decide whether you want to go down that path. Or you could look at an alternative, which brings up…

Post-deal competitive landscape

This clearly hurts pretty much all the players except Q1 and Nitro. First off, they have always been positioning for an exit. With IBM and McAfee now off the market, there aren’t many buyers left with either the need or the deep pockets to do a deal. There is an old story about being the last company standing, and now there are a dozen or so left without many options.

But I don’t think this is a big deal right now – there aren’t really any SIEM/LM vendors that could get a high value deal now anyway. We don’t consider Splunk a pure SIEM/LM play, and they are the one left with the most buzz. SIEM/LM is a small part of Tripwire’s and Tenable’s respective businesses, so we don’t see a lot of impact to them. Then there are a bunch of smaller players, some strong in technology, others which play in certain niches, all running a race to the bottom. It’s hard to say how many of these companies are waiting to die vs. carving out a defensible position. We have been saying that for a while, though, and many are still around. Still, the post-acquisition space will be tougher for the remaining vendors.

All things considered, this is where we all knew we’d end up for SIEM and Log Management. Besides the wackiness of both big deals happening on the same day, mostly we just want to ask IBM and McAfee, “What took you so long?”


Great analysis, I’m a week or two from concluding a project to bring SIEM under our roof. Being new to the product offerings, having used Kiwi/Snare till now, I started out skimming Gartner reports etc. and eventually ended up doing PoCs on models from Q1, Nitro and RSA.
Currently it’s down to Q1 and Nitro and I’m strongly leaning towards Q1, so you could say this post was timely!

By Nick

“Current turn-around time for adding new devices to our SIEM is 4+ months”

Whaaaaaat? What kinda vendor are you using?

Now, Windows 2003 -> 2008 might take that long, but under most circumstances this is waaaay too long.

I was angry as hell when ...mmm… “vendor X” took 7 months to develop mainframe support, but this is probably the hardest integration ever.

Simple devices or simple device changes would often take days (and rarely hours + some QA time, if needed).

By Anton Chuvakin

Bill makes a good point—where are the big guys going to put their SIEM device-support development efforts? Most likely behind their own products, the ones they can easily access in their subsidiaries’ labs.

Current turn-around time for adding new devices to our SIEM is 4+ months, and often that long for support of a new OS rev on a device that’s already supported at rev-1. There’s little way to know if your device-support request is 1 of 100 (lots of folks want it) or 1 of 1 (meaning support will probably never happen). Requests that get attention often lead with a “we don’t have one of those, would you be willing to share some logs?” request from engineering….

By Paul

“brain transplant”

Maybe more like STOMACH TRANSPLANT, since it is about storage changes? :-)

By Anton Chuvakin

Excellent analysis. Until recently, SIEM vendors were a kind of “Switzerland” with respect to third party event sources, i.e., treating them all the same for the most part. I think customers will become concerned if the big three manufacturers start favoring their own complementary security products. What do you think?

By Bill Frank
