Yesterday was a big day. To great fanfare, Apple announced the iPhone 5. No wait, that didn’t happen. But something else significant happened. Not one, but two different companies announced acquisitions of SIEM (Security Information and Event Management) vendors. IBM will acquire Q1 Labs and Intel’s McAfee will acquire NitroSecurity. Both Q1 Labs and NitroSecurity provide solutions for monitoring and analyzing security intelligence data across the enterprise. A year ago, HP acquired SIEM vendor ArcSight, and earlier this year RSA acquired NetWitness, a network monitoring platform that recently released Panorama, a multi-source analysis product.
What’s going on here? As other analysts are pointing out, this consolidation is a direct response to the evolving security landscape, where advanced persistent threats (APTs) and nation-state actors are wreaking havoc on traditional security solutions. Back in March, we posted a blog showing a graphic of how we see a new stack of technologies combining to combat today’s threats. At the center is the SIEM, where real-time intelligence from sensors across the network is combined to provide early detection of attacks and risk assessment. These recent acquisitions are a natural evolution towards realizing this vision. The SIEM is the central nervous system of a security operations center (SOC), around which next-generation technologies can be integrated.
This is good news for consumers, but it is only a starting point. There are two major challenges for SIEM technologies today. The first is that simply gathering data is not enough. You need to analyze it in near real time in order to respond to attacks effectively. In most organizations, the SIEM consumes terabytes of data every day: hundreds of millions of events. Advanced threats are targeted in nature and specifically designed to avoid detection. They lie dormant until their active periods and then hide in plain sight. Having all the data in a single pane of glass is great when you need to do forensic analysis after the fact, but finding the security anomalies in real time requires more than simple filtering. SIEM technologies must evolve to provide better analysis, faster analysis, and far fewer false positives.
The second challenge is that the value you get from a SIEM is only as good as the data you feed into it. For most customers, the majority of data coming into a SIEM comes from sensors “on the wire” – firewall logs and intrusion detection and prevention systems (IDS/IPS). There are some very sophisticated technologies for dissecting network traffic, including deep packet inspection (DPI), sandboxing and decryption. But the overwhelming majority of traffic is benign, and finding the needle in the haystack is more art than science. The other problem with network-only monitoring is that, by definition, when you detect something wrong, the attack is already in progress (e.g. a compromised system is communicating with a remote command-and-control server, or data is being actively exfiltrated). Most attacks first have to establish a foothold on a single system within the organization: an endpoint. Having active sensors on the endpoints, and correlating that data with network intelligence, provides a far more complete picture and enables you to detect attacks earlier, focus on the truly suspicious activity, and investigate incidents far more quickly.
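To make both points concrete (analysis that goes beyond simple filtering, and correlating endpoint data with network data), here is an added example written for this post; it is not code from the original post, from any of the vendors named above, or from any real SIEM product. All hosts, file paths, IP addresses (TEST-NET-3 documentation range), timestamps and the baseline destination set are constructed. It contrasts a network-only rule ("alert on any outbound connection to a destination not seen before") with a correlated rule that only alerts when such a connection is preceded, on the same host and within a short window, by the start of an unsigned executable from a user-writable directory. The hypothetical field names and the five-minute window are assumptions.

```python
"""Correlating endpoint sensor events with network events in a SIEM-style pipeline.

Added illustration (not from the original post or any vendor). All sample data
below is constructed; host names, paths and addresses are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class EndpointEvent(NamedTuple):
    ts: datetime
    host: str
    image: str      # path of the executable that was started
    signed: bool    # True if the binary carried a valid code signature


class NetworkEvent(NamedTuple):
    ts: datetime
    host: str       # assumed: the SIEM has already mapped source IP to host name
    dst_ip: str
    dst_port: int
    bytes_out: int


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# --- Constructed sample telemetry -------------------------------------------
ENDPOINT_EVENTS = [
    EndpointEvent(_t("2011-10-04T09:00:05"), "ws-017",
                  r"C:\Program Files\Office\winword.exe", True),
    # unsigned binary with a system-looking name dropped into a temp folder
    EndpointEvent(_t("2011-10-04T09:00:09"), "ws-017",
                  r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", False),
    # legitimate, signed system service on another workstation
    EndpointEvent(_t("2011-10-04T09:30:00"), "ws-042",
                  r"C:\Windows\System32\svchost.exe", True),
]

NETWORK_EVENTS = [
    NetworkEvent(_t("2011-10-04T09:00:07"), "ws-017", "10.0.0.5", 445, 12000),     # internal file server
    NetworkEvent(_t("2011-10-04T09:00:31"), "ws-017", "203.0.113.77", 443, 2048),  # new external host
    NetworkEvent(_t("2011-10-04T09:30:02"), "ws-042", "203.0.113.77", 443, 1024),  # same new host
]

# Destinations learned from prior weeks of traffic (constructed baseline).
BASELINE_DESTINATIONS = {"10.0.0.5", "198.51.100.20"}

# Path fragments that indicate a user-writable location (hypothetical list).
USER_WRITABLE_HINTS = ("\\Temp\\", "\\AppData\\", "\\Downloads\\")


def network_only_alerts(net_events, baseline):
    """Network-only rule: flag every outbound connection to an unseen destination.

    This is 'simple filtering': it fires on both hosts, although one of them is
    a signed system binary doing something ordinary.
    """
    return [e for e in net_events if e.dst_ip not in baseline]


def suspicious_process(ev: EndpointEvent) -> bool:
    """Endpoint heuristic: unsigned executable launched from a user-writable path."""
    return (not ev.signed) and any(h in ev.image for h in USER_WRITABLE_HINTS)


def correlated_alerts(endpoint_events, net_events, baseline,
                      window: timedelta = timedelta(minutes=5)):
    """Correlated rule: unseen destination AND a suspicious process start on the
    same host within `window` before the connection. Returns one alert per
    matching connection, naming the precursor process so an analyst can start
    the investigation at the foothold rather than at the network symptom."""
    by_host = defaultdict(list)
    for ev in endpoint_events:
        by_host[ev.host].append(ev)

    alerts = []
    for ne in net_events:
        if ne.dst_ip in baseline:
            continue
        precursors = [
            ee for ee in by_host[ne.host]
            if suspicious_process(ee) and ne.ts - window <= ee.ts <= ne.ts
        ]
        if precursors:
            p = precursors[-1]  # most recent suspicious start before the connection
            alerts.append({
                "host": ne.host,
                "dst_ip": ne.dst_ip,
                "dst_port": ne.dst_port,
                "process": p.image,
                "process_start": p.ts.isoformat(),
                "seconds_to_first_contact": int((ne.ts - p.ts).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    print("network-only:", len(network_only_alerts(NETWORK_EVENTS, BASELINE_DESTINATIONS)), "alerts")
    for a in correlated_alerts(ENDPOINT_EVENTS, NETWORK_EVENTS, BASELINE_DESTINATIONS):
        print("correlated:", a)
```

On this sample the network-only rule raises two alerts (one of them on a signed system service), while the correlated rule raises one, on ws-017, and attaches the unsigned temp-folder binary that started 22 seconds before the first outbound contact. The baseline set stands in for what a real SIEM would learn from historical traffic; in practice it would be per-host or per-role and aged over time rather than a fixed set.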
We are witnessing the evolution of security in response to the evolution of threats. Major security vendors are building out their solutions in response to this change, using a SIEM as their backbone. The focus now needs to be on providing more complete data to that engine, and enhancing the SIEM’s ability to process this data.