It must be SIEM acquisition Tuesday. McAfee hit first by announcing their expected deal with Nitro Security. But then IBM surprised pretty much everyone by acquiring Q1 Labs. Don’t blink or you may miss another 2-3 SIEM/Log Management vendor acquisitions. Obviously we have been talking about consolidation in the SIEM/Log Management space for quite a while – there are about 20 vendors left now – but it’s strange that deals involving the two most significant independent vendors happened on the same day. Coincidence? Our pal and contributor James Arlen doesn’t believe in it, and neither do we…

Hot Tamales

First let’s discuss why these SIEM/LM players are such hot commodities. As many of us have been whining, compliance drives security nowadays, and log management is a must-have technology for compliance. So almost everyone has some kind of log aggregation capability to cover the basic requirements. Most customers are thinking about enterprise-class options, which is driving business in the SIEM/Log Management space, as they want to do stuff with the vast amounts of data they collect. At the same time, the products are maturing. They aren’t easy to use, but they are getting better, and vendors’ ability to support enterprise-class requirements has improved, especially for Q1 and Nitro. That’s it.

Also consider that security management was always destined to become part of the IT management and operations stack. That’s what drove the EMC/RSA/Network Intelligence and HP/ArcSight deals of yore, and is driving today’s deals. In simplest terms, SIEM/LM was never destined to be an independent technology over the long term, so these deals are just the logical conclusion of a 3-4 year consolidation.

Why Buy?

Let’s look at the buyer profiles – why did both McAfee and IBM buy the leading (independent) players in this market? In McAfee’s case the answer is simple. They had NOTHING to address this client requirement. They needed something – not having either LM or SIEM was forcing their customers to buy other solutions, such as ArcSight and RSA – which is unacceptable if your goal is to own the entire security stack. McAfee had to buy something, and frankly they should have done this a long time ago.

IBM, on the other hand, had a number of SIEM-type platforms, most buried within the Tivoli group. But none were competitive, and I can’t tell you the last time I heard an end-user organization taking an IBM SIEM offering seriously. They do a bit of security management as a managed service (using the former ISS platform), but that wasn’t an answer. The real kicker, and what forced IBM’s hand, was clearly HP. HP’s ownership of ArcSight as the cornerstone of its enterprise security strategy put IBM at a clear disadvantage. Eventually not having a competing offering would have hurt them. I’m sure they did the math and decided it was easier to buy Q1 now (even for a pretty big number), than to wait until Q1 went public. Clearly IBM was going to pay to get into this market, so they decided to pay now.

Why Sell?

You always have to wonder why companies with clear momentum in a growing market sell. But don’t worry about it too much – I suspect it just came down to economics. Every company has a price, and clearly since it took so long for McAfee to consummate the Nitro deal, they finally reached it. This is actually a great outcome for Nitro, given that they were a couple of years behind Q1 on pretty much every enterprise front (revenue/bookings, channel, enterprise deployment), so getting taken out was a better option. McAfee was the likely candidate in light of their successful coordination as part of SIA (Security Innovation Alliance), as well as Nitro’s more reasonable price tag. McAfee has never really broken the bank for technology acquisitions since DeWalt came to power. Based on technology, sales model, and price, Nitro was a better fit for McAfee.

Likewise, Q1 is the best fit for IBM. IBM is a huge company, and when they buy, they need to move the needle. Or at least have a chance to move the needle. Q1 was clearly on a path to go public, with speculation that the IPO would happen in early 2012. But every company goes into a deal with stars in their eyes, and Q1 is no different. IBM is giving Q1 CEO Brendan Hannigan the keys to a new combined security group. So they hope IBM will have a big group like HP does, which obviously dramatically increases Q1’s impact on the market. Speaking of HP, we really cannot overstate the impact of the HP/ARST deal on this week’s events. From everything we’ve heard, after a little integration heartburn, HP is now driving ARST into deals that none of the other players are seeing. IBM gets a similar benefit with Q1. Clearly Q1 needs IBM’s reach to accelerate their growth path and impact. Will it happen? Who knows? But IBM gives the Q1 team their best chance.

What about the customers?

As with every deal, customers will suffer. The question is how much and for how long. All things considered, HP actually did a decent job with their ARST integration, so if IBM leaves Q1 alone, they have a chance. But there will be disruption – there always is. Q1 is now selling to IBM’s field sales force, and less directly to end users. It will take some time for IBM to figure out what they have, and the Q1 team needs to focus on teaching them – which means something will fall through the cracks. If you are a Q1 customer, and your implementation is working well, you should see little impact. If your implementation isn’t working well, start pushing for additional services to fix it. That will push Q1 to train IBM’s services teams, which is a good thing.

McAfee historically has bought technology and just plugged it into their channel. SIEM is not AV, nor is it vulnerability management, nor anything else that McAfee is proficient at selling. That will be a big challenge for Little Red, especially given their limited professional services capabilities. Customers probably need to make sure to work with decent resellers, because it will be a while before McAfee figures out how to support and implement a SIEM. Given Nitro’s less robust balance sheet (compared to a public company, anyway), customers should be happy that now Nitro has stability.

Technology disruption should not be a problem in either case. Both Q1 and Nitro have advanced back-end platforms, so unlike ArcSight and RSA – which are both undergoing disruptive and risky back-end data model evolutions (akin to a brain transplant) – neither Q1 nor Nitro needs much evolution. Yes, both can improve in ease of use and all that other good stuff, but neither is a steaming pile of FAIL. Even with the expected lack of innovation once a start-up gets swallowed by a huge company, there is less risk with both of these deals.

Of course, both IBM and McAfee risk alienating customers because they may have pushed alternative platforms in the past. In IBM’s case, it could be one of the handful they already have, which basically need to go away in favor of QRadar, and quickly. With McAfee, it’s about the other SIEMs they may have pushed as part of the SIA sales teaming program. Now they’ll want customers to move to their new Nitro platform. Isn’t it great that Adrian and I did that work on Security Management 2.0, which lays out how to replace a SIEM?

Be sure to watch for brain drain. Many start-up folks wait to vest out, and then move on to the next deal. That is likely to happen, and if the IBM/BigFix deal is any indicator, sooner rather than later for the Q1 folks. But that’s the logical order of things and shouldn’t surprise anyone. But it will impact customers.

If you are looking at Q1 or Nitro, you need to decide whether IBM and/or McAfee are companies you want to do business with. In reality, most organizations already do some business with IBM, so that’s less of an issue. But if you have no McAfee and were looking seriously at Nitro, it’s time to decide whether you want to go down that path. Or you could look at an alternative, which brings up…

Post-deal competitive landscape

This clearly hurts pretty much all the players except Q1 and Nitro. First off, they have always been positioning for an exit. With IBM and McAfee now off the market, there aren’t many buyers left with either the need or the deep pockets to do a deal. There is an old story about being the last company standing, and now there are a dozen or so left without many options.

But I don’t think this is a big deal right now – there aren’t really any SIEM/LM vendors that could get a high value deal now anyway. We don’t consider Splunk a pure SIEM/LM play, and they are the one left with the most buzz. SIEM/LM is a small part of Tripwire and Tenable’s respective businesses, so we don’t see a lot of impact to them. Then there are a bunch of niche players, some strong in technology, others which play in certain niches, all running a race to the bottom. It’s hard to say how many of these companies are waiting to die vs. carving out defensible positions. Although we have been saying that for a while, and many are still around. Still, the post-acquisition space will be tougher for the remaining vendors.

All things considered, this is where we all knew we’d end up for SIEM and Log Management. Besides the wackiness of both big deals happening on the same day, mostly we just want to ask IBM and McAfee, “What took you so long?”