Another interesting news item during the RSA show that I am just getting time to comment on is LogLogic’s announcement they have acquired Exaprotect. When LogLogic announced a partnership with Exaprotect a few months back, my initial reaction was “Who”? Actually, I had heard of the company, but knew very little about the technology. I had not heard any of the companies I speak with on a regular basis mention them, so I had not been paying very close attention to this small firm. When I went to Exaprotect’s website to see what products they offered, I really was unable to tell. It looked like a carbon copy of the LogLogic product benefits summary! It is amazingly difficult to understand what differentiates one product from another on corporate web sites when they are all attempting to cover the current market drivers, and do so at the expense of explaining what they actually do. The company is not very well known by those of you who do not follow this space closely, but they do offer a security event management product, along with a couple of other interesting pieces in the areas of configuration management and policy management.

The reason this acquisition is important is two-fold. First, this is the removal of the last line of distinction between log management vendors and SEM vendors. ArcSight, LogLogic, eIQ Networks, Q1Labs, LogRhythm, NitroSecurity, and so on are all covering log management and security analysis. Granted, the degree to which each vendor provides the respective capability varies, and each has its own strengths. All in all, these systems collect disparate events, analyze the events in relation to some policy, and provide storage and reporting. The difference was the type of events collected, the speed with which the analysis was conducted, and the audience for the results. These distinctions were usually split down the middle, either near-real-time security response or a forensic analysis and event correlation. What we will see in the coming quarters is adjustment in vendor architectures for these offerings to be efficiently merged into seamless offerings, continuing to provide evolutionary updates to near-real-time and forensic offerings, and looking for ways to differentiate from their competitors.

The second reason is that it spotlights the technical and value path this market segment is (and needs to be) headed down. The tough question, now that the vendors collect just about every relevant piece of security & operational data available, is what do you do with that data? How do you differentiate yourself? How do you provide the customer more value? Sure we are going to see new features appended to the core offerings, a la database protection, but the more important feature/functions will have to do with configuration management, business process verification, and policy management/enforcement. Configuration management provides the vendors with a big missing piece of preventative control and baselining of systems that are critical for most compliance efforts. It’s not that difficult to implement, fits nicely within a log management architecture, and offers value to several buying centers. Policy management, provided the vendors actually can take a business policy and automatically map that to the underlying data streams available, will also provide a huge leap in value to customers and speak to non-technical audiences. The final piece of the puzzle is a flexible analytics engine, so policy verification can be performed in an appropriate time-frame in the specific customer environment, in order to verify business continuity and efficacy. I use the word ‘verification’ because enforcement is not really the customer requirement, and more importantly blocking is not typically the appropriate way to remediate problems – the solution is often more complex. All three of these offerings show SEM moving up the stack and making sense of business processing and compliance in the business context. I look at the LogLogic acquisition as a step necessary to compete, not just the in basic SEM infrastructure of near-real-time event processing, but in all three of the evolutionary ways security event management is heading. That’s not an endorsement of the Exaprotect technology – I have not gotten my hands on it and could not tell you how well it works – but it does encapsulate the segment trends.

I intend to delve into each of these trends in more depth.