
Monday, Feb 07 2011

SIEM Evaluation Criteria - Functionality Matrix

UPDATE: 10 June 2011 - Since DabbleDB is no more :( - I’ve moved the Matrix to Google Docs and made it more accessible (including download for your personal use).  Enjoy

I’ve been lucky enough that over the years I’ve been involved with hundreds of SIEM evaluations for customers, service providers, investors, acquiring organizations and of course the vendors themselves.  Now I’m not going to share the results of each of these reviews because 1) NDAs and such and 2) they instantly become outdated as vendors merge/evolve, but I did want to share some of the more basic questions I look for when I do an evaluation.  Listed are over 140 criteria and yes, they do further break down into hundreds of other discrete questions and measurements, but this will give you a glimpse into what I look at when I break down SIEM players.

The list below is part of the database I keep on these vendors, obviously without the details.  I’ll keep updating it over the next few months and leave the link “live”.  Feel free to use this information or some subset of it in your own evaluations.  Remember - Define your Use-Cases first - then worry about scoring the criteria.  This is just an information collection mechanism and covers most use-cases, but the prioritizing of these entries will greatly depend on your usage.


Note:  If the embedded table does not function with your RSS reader I apologize, please refer to the source visiblerisk website for the entry:  http://www.visiblerisk.com/blog/2011/2/7/siem-evaluation-criteria-functionality-matrix.html 

Friday, May 28 2010

Pushing Conversations

Last week there was talk about the lack of recent in-depth conversation occurring in blogs.  This was attributed at least partially to twitter dumbing down the conversation into bite-size increments, and that overall the larger stories may not be getting explored in depth.  I certainly found myself in that cycle.  For me sometimes it is easier to have a quick conversation and reset my thermostat by releasing steam on twitter than it is to create a post for the blog.  The downside to that has been a lack of in-depth public conversation, because twitter is more of a “live” communications mechanism.  So this last week I focused on blogging and engaging in conversation and “wow” - what a series of conversations I was able to be involved with.  Here is a sample of the public conversations that occurred.


Topic 1:  LogLogic

LogLogic announced last week that it was slashing prices on SIEM (well, actually SEM). I posted my thoughts about their move here.  Who knew the response I’d get.  Here’s a sample of how the conversation exploded via blogs over the last week.

The Response (so far):

LogLogic was nice enough to email and call me to help me understand their thinking, they also crafted 3 blog posts on the subject (Part 1, Part 2 and Part 3). 

Paul Melson enhanced the conversation (“Twitter Killed the Blog Star” and “SIEM Market Conversation Continues”) and now Q1Labs jumps into the fray with their perspective.  There were plenty of private conversations from other vendors, analysts and end-users that occurred off-line - I’m hoping more of those will see the light of day soon!

Count: 1 post (6 Blog Responses + comments)

Topic 2: Tetragon

Then the real fun started.  Gartner released their Magic Quadrant for SIEM and I had a little fun with it and then I had an absolute blast with my Tetragon post.

The Response (so far):

Chris Blask on the new AlienVault Blog responded to my First MQ post with his insightful perspective.

Rich Mogull and Mike Rothman of Securosis had some fun with my Tetragon post and did a great job adding even more perspective to how and why these “tetragons” get so much attention.

Anton Chuvakin made reference to the posts here.

Q1Labs talks about the MQ and my post here.

Count: 2 Posts (4 Blog Responses + Comments and more coming)


I’d like to thank everyone that participated in the conversations (public and private), and everyone who publicized the conversation via blog, re-tweeting or email.  Analysts, vendors and end-users: everyone was involved over the last week!

As numerous and insightful as the public blog and twitter conversations were, the private DMs, Skype chats, emails and phone calls were also insightful and at times absolutely hilarious.  I wish I could share some of them, but I’m hoping some of those conversations will take the form of a blog post or 12 soon.  There are a lot of great ideas waiting to push these conversations even further.  All in all it was an amazing experience to jump in, start a conversation or two and see where passionate people take it.

Now that I know more people are paying attention and willing to join the conversation I think I’ll do this more often :) 

-Rocky


Thursday, May 20 2010

Tetragon of Prestidigitation

I present to you the latest in analytical innovation.  The industry’s first completely transparent vendor evaluation system. The Visible Risk “Tetragon of Prestidigitation” (tm). Bask in its glory and simplistic brilliance.

Why worry about defining requirements? Don’t stress about how to consider the impact of this technology when in specific use within your environment. The Tetragon knows the answer, it IS the answer.

Obviously no analyst group wants their work misread or misinterpreted.  They put a ton of work into these offerings. We’re human and as such, no matter what someone may want us to comprehend, we’re all going to read things from our own perspectives.  Sometimes our understanding and follow-up discussion enhances the conversation; sometimes we can be completely off the mark and are ourselves provided with an opportunity to learn. In the end, as long as the conversation continues, everyone wins.

Since I wrote the blog post about this year’s SIEM review(s) and the marketplace in general there have been a few dozen conversations that I’ve had the pleasure of participating in.  One in particular rekindled a thought process in my head about maintaining perspective and context when reading or reviewing publications of this sort, and I thought I’d share the humor and story with you.

I’d like to present to you three hypothetical perspectives, each reviewing the new “Tetragon of Prestidigitation” report.  The views are from The Veteran Information Security Professional, A Vendor and The Executive.  Certainly these do not represent all of the potential views, but it is a broad enough sample to get the point across.  The point being that we need to seek to understand all of the perspectives better and then push our thoughts on how to better collect and analyze the data.

Case 1: The Veteran Information Security Professional:

This realist wants to believe that products are getting better and that analysts get their “hands dirty” when providing information that will define which products they’re going to get stuck with over the next few years.   From years of experience they know that if the product isn’t in the upper right or leaders area of the review they’ll face a nearly impossible battle for project justification and funding.  These professionals are passionate, battle hardened and look at any publication with a deeply technical purview about what will work in the environments they support.  Many in this group don’t necessarily find enough “meat” in the report to make any specific determination about the technologies presented, so they have a tendency to discount the report in general.  It becomes a necessary evil.  For those that fall into that camp (I did for a long time and still revert to that tendency at times) I suggest a reading of this post to put into perspective the effort that goes into these types of reviews.  It isn’t trivial and there is a method to the madness.

That said, the security professional’s interpretation of these types of reviews isn’t likely to change; perhaps it is time to add a few more dimensions than a 2D table can represent? My question to anyone that falls into this camp (or a similar one) -  What are the questions and context that should be included in these reports moving forward?  How would you contribute to the conversation?  Provide input, Press buttons, Express yourself - I think you’ll be amazed at the response.

How a Jaded InfoSec Professional might see the Tetragon of Prestidigitation:


Case 2: The Vendor

The Vendor’s perspective is perhaps the strangest of all involved.  Based on how certain elements of the community interpret these reports, they have the most to lose and, unless they are put into the “right” place, very little to gain.  Of course, as much as the vendors complain about their relative ranking (assuming #2 or lower), they will all use these reviews as justification for market positioning in competitive situations.  Funny how you’ll see 20 vendors representing their positions in press releases following these reports, each claiming a victory of sorts.  Either “we’re the best”, “we’re the future”, “we scale down”.  Propaganda is powerful marketing.

Now what control do the vendors have in this situation?  In truth, very little.  Vendors get beat up by analysts, customers and of course other vendors.  Do I feel sorry for them? Nope, not even a little bit.  Do I respect them for putting everything on the line to try and provide a solution? Yes.  Personally, I think if some of these teams spent more of that mindshare that is dedicated to “spinning” the results on influencing a better process to begin with, we’d all be better for the effort.


Let’s look at how our example Vendor might see the Tetragon of Prestidigitation:


Case 3: The Executive:

The overwhelmed corporate executive is the target consumer of these reports.  Well, at least, the infographic portion of the report.  A very select few will understand every detail, spend time looking at collateral documents, comparing them against known information and dissecting the body looking for nuggets that help differentiate the products as they might apply to the environment.  Instead they will rightfully leave that effort to their technical staff.  On the other hand, the executive team needs to make decisions that are going to allow the project to be successful, and if they can find a way to reduce the time and pain associated with the product selection and purchase process then they’ve done a good thing for the business.

From the executive’s perspective having hundreds of peer experiences aggregated into a single report or table seems like a gift from above.  It allows for focus and being the standard across the industry it also allows some level of protection. 

Every rational person knows that it isn’t wise to rely on any single piece of evidence in the decision making process, yet it happens hundreds of times per year because the business has limited resources and a mandate to become compliant.  Management works with the best set of information available and makes the best possible decision based on what they have in front of them.  They have a sometimes defined mission, numerous competing priorities and a very limited set of resources.  The “Tetragon” provides them a shortcut in the conversation with the procurement team.


How an executive (or procurement team) might view the “Tetragon of Prestidigitation”:


Summary:

Industry analysts put significant effort into the report and just as many disclaimers and qualifiers about how to use the reports.  We still are inclined to extract only what is relevant to our situation and that makes our lives easier (Technical, Vendor or Management).  In order to use the information presented in the “tetragon” report it needs to be analysed by your team in the context of your overall requirements, processes, your team and numerous other criteria. 

We all have our perspective, and some balance of time / motivation guiding us when we read these reports but it’s time to step back and put their value into perspective.  The “Tetragon” is a macro statement and your situation requires micro level details to be successful.  Certainly there are trends to consider, but in no way should these reports be the determining or even scope defining factor(s). 


Call for Action:

Throughout this post I started to highlight some simple ways to help push for better quality and more meaningful analysis across the industry.  In short, we need to speak up from each and every level (Tech, Management, Vendor, Executive and Analyst) and articulate clearly the information that would best enhance our perspective about the technologies, the use-cases and the market in general.  What else would you like to see in the Tetragon or similar reports?

The “Tetragon of Prestidigitation” is just my little way of reminding you to not settle for what there is today - always seek more!


Following-up:

I don’t believe in defining a problem and not at least attempting to present the beginnings of a solution.  Soon, I’ll be posting Chapter 2, the follow-up to SIEM Evolution Chapter 1, which will help me articulate what I see as major trends or innovations in the SIEM industry.   Additionally, as soon as I can find the right mechanism for sharing the information I intend to post my SIEM evaluation checklist so that at a minimum my thoughts on the subject are provided to the world as a starting point, and then you can help by re-defining the “right” questions to be asking (and expected responses) moving forward.


Thank you,

-Rocky

Monday, May 17 2010

LogLogic discounts SIEM

Today LogLogic announced it is attempting to push the market towards a more cost effective solution for SEM/SIEM.  On one hand I get “it” and applaud the attempt to push price downward, but on the other hand the overall strategy seems to me, albeit without the benefit of the larger picture, ill-conceived, ill-timed and in my opinion it may devalue the company’s effort in that space, especially when you consider the quote at the end of the press release (more on that later).


Positive Reflections on this announcement:

LogLogic is an almost exclusively channel-driven sales entity and the “channel play” with a move like this makes perfect sense.  It allows even more flexibility for the channel to sell downmarket, but I would have expected an announcement like this to coincide with a major channel or partner strategy announcement.  A refreshed service offering being made available through partners, or a partnership with several managed services to deliver more value, etc.  Something that would represent a larger strategy is in play.  Maybe I missed it?


Help me maybe I’m missing something:

If the focus of the pricing strategy was log management, storage or just about any product outside of SIEM that might be considered a commodity within the IT world I’d understand the pricing movement.  To me SIEM is much more complex and as such requires continuous effort and is not ready for this pressure.  Right strategy, wrong product.  In my opinion they should have lowered price on the commodity (Log Management / IT Search).

Very often I’ve heard of Symantec, RSA (via EMC), Q1 (through Juniper/Enterasys), SenSage (through HP) and of course Mars (via Cisco) basically giving SIEM away for free as a bundle with other products or services, yet companies like Q1 and ArcSight continue to knock the ball out of the park at a “premium” rate (via direct or indirect sales). 

If the leaders in the space can compete at that level with the huge machines in this environment how does LogLogic affect the market at all with this announcement?  Without the context of a larger product strategy or channel/partner offering this new pricing effort seems like a missed opportunity at best and a last ditch effort at worst.  (I hope it is not the latter).

As a company LogLogic seems to be doing well (43% year over year growth) but I think this SIEM pricing strategy confirms that the growth is relative to the strengths of their Log Management product.


Another Possibility:

Ok so there is another thread running through my head about this subject.  Which is that this pricing move simply reflects the reality of their effective price book.  Depending on the spin doctor this might be taken a few different ways:

1. SIEM has a ton of features that most users can’t quite implement because the vendors haven’t made it easy enough - so why charge a premium?

- or -

2. We don’t have the ability to do “x” or “y” so we can’t charge a premium and compete in that space.

Given what I know about the LogLogic team, it actually makes sense that this was the thought process.  They are sharp and motivated to do the right thing.  Even so, it doesn’t detract from some of the things I presented above as potential missed opportunities.  If this is true then does it also mean when (if) those advanced features are developed the pricing model gets complicated?


Misguided Quote:

The quote at the end of the press release is even more haphazard than the announcement itself.  (Paraphrasing the quote by Mike Davis: “We see 80+% of the needs of the SIEM space being satisfied by log management. SEM fulfills a further 10+% of those needs”.)  To me that quote is dangerously misguided on two fronts.

1. This quote signifies the lack of market understanding, a lack of appreciation of SIEM or maybe just an overestimation of Log Management. Perhaps the quote is relative to only the qualities of a SEM (versus SIEM), but that doesn’t reflect the reality of the market today (Log Management and SIEM) and serves no real purpose other than to discount the value of SIEM/SEM.

2. The quote also serves to invalidate a product that LogLogic invested in with the purchase of ExaProtect and continues to attempt to sell as a competitive offering in the space.  It seems odd to invest in a technology that only meets 10% of a market need (still leaving 10% unfulfilled).  It is my opinion that the quote does more damage than service to LogLogic.


Summary:

I don’t disagree that there should be pricing rationalization that occurs across the market, but I’m not convinced LogLogic took the best approach (or perhaps I simply don’t understand the strategy well enough at this point).  I’m hoping they’ll take the time to enlighten me!

Reference:  http://loglogic.com/news/news-releases/2010/05/loglogic-slashes-sem-prices/

Note:  I apologize I wasn’t able to get input from LogLogic in time for this initial post but I will update the comments of this post with any lessons learned from LogLogic.   I really do want to understand and not just seem like I’m beating them (or anybody) down.

Saturday, May 15 2010

2010 Gartner MQ for SIEM

The 2010 Gartner Magic Quadrant for Security Information and Event Management.

I took some liberties with the MQ in order to segment out the information in the report for my own analysis.  Simple geographical/mathematical groupings were applied and a few notes added.

The cluster of providers in the middle was not unexpected, as I have a similar group in my head as I think about this.  Having an outlier like RSA to me means that RSA’s vision resonated very well with Gartner.  As it should; however, I’d expect that to be meaningful once they get to that execution.  I can’t find the rationale for them escaping the “Clump”.  I did use RSA’s relative position as a measuring stick to divide the clump and segment out a couple of “Maybes”.

The “Clump”: Symantec, IBM, CA, LogLogic, Novell, SenSage, LogRhythm, Trustwave, NetIQ, TriGeo, NetForensics, eIQnetworks

The “Maybes”: Nitro and Q1 Labs

The “Others”: Quest, Prism, Tenable, LogMatrix

Next Year:  AlienVault and several others might add more to the middle of the page.  Splunk was left off of SIEM this year for a reason and I applaud Gartner for doing so!

Note:  I do believe that the Strengths and Cautions tell a little better story this year than in previous years.


Trends and Subplots:


1. The re-emergence of NetIQ & SenSage as a SIEM (and SenSage’s continued relationship with HP) is interesting.

2. The “Clump” is a great way to illustrate that there are way too many products that are virtually indistinguishable to the market.

3. I had expected more from Q1 via the Enterasys and Juniper OEM deals.  I also expected Tenable to fare a little better, but Security Center 4 was just released so I understand its standing based on a review of the older technology.

4. Enterprise players (RSA, IBM, CA, Symantec) are separating out functionality into various products instead of having it all within the SIEM.  I think these guys are ranked a bit too high and right.  RSA with Archer will be a great improvement, someday.  Even more importantly, RSA has a chance with EMC to really do well in virtualization if they focus on it.  We’ll see what happens.

5. There exists a vast ocean between ArcSight and the rest of the field.  Out of the “Clump or Maybes” I’d expect 1 or 2 to rise over the next year and begin to challenge more directly for #2 in the space.  This will require innovation in either User Anomaly/Behavior (beyond IAM), System Config (FIM?), Network Content (beyond netflow), and of course ease of use for Security Use-Cases such as Threat Monitoring and Dynamic Updates!

6. The inability to execute in a viable manner with applications, hosts attributes, vulnerability information or even get data out of the system still plagues many vendors in this space - whether or not they admit to it.  Read between the lines of the report to figure out who this affects.

You should read the report.  Each of the vendors will have copies linked off their webpages and with minimal registration you should have it in a matter of seconds.  Enjoy!