Report: SIM Market to Heat Up

Security information management technology to grow as it integrates more closely with network management


The security information management market is about to undergo big changes, as vendors consolidate and integrate their products more closely with traditional security tools, according to a new report just released by The 451 Group.

Changes in SIM technology will also bring security management and network management closer together. (See Blurring the Line Between SOC & NOC.) But that doesn't mean the security operations center (SOC) and the network operations center (NOC) will merge, says Nick Selby, senior analyst and director of the enterprise security practice at The 451 Group.

"We don't believe it will be everyone whistling while they work in a converged NOC and SOC," says Selby, one of the authors of the "Security Information Management Moves Upstream" report. "The SOC won't be eliminated, but you'll see a tighter integration with ITSM [IT service management]."

The 451 Group splits the SIM market into two sectors: enterprise security information management (ESIM), made up of large enterprises that want both correlated real-time views of security data and correlated views of archived security events; and security event management (SEM), made up of mid-sized enterprises mostly focused on real-time security data.

"ESIM vendors are seeing they are running out of room in the security space, and that they have quite a bit to offer in network operations." That means SIM products will be more tightly integrated with management monoliths like HP OpenView, IBM/Tivoli, and BMC Patrol, he says.

This churn will come to a head in the next 18 months, according to the report. Mergers and acquisitions -- such as IBM's purchase of risk management firm Consul, which was finalized yesterday -- will intensify. "And enterprises will be slowly but surely adopting these [management tools] and enjoying better integration."

The security team typically has had no say or control over the network, even though security touches the network, he notes. "But the SOC is going to get a bit more control." The NOC has historically been queasy about allowing the security team the ability to make network configuration changes based on security problems, because such changes sometimes lock users out of their authorized applications.

So the integration between the ESIM and ITSM products must offer role-based controls to the security group, the report says, so that a security analyst automatically only sees what he or she needs to see in a network device when checking or fixing a security problem. That "sanitization" is done manually today by network administrators.

ESIM vendor ArcSight's NCM, for instance, includes a wizard-based interface that lets a senior NOC staffer "pre-authorize" certain actions by SOC members to ensure any changes they make don't hurt the network, Selby says.

And there still will be a healthy separation between the NOC and SOC. "For budgetary and organizational reasons, the two sides are completely different. The NOC is busy trying to speed things up. The SOC wants to slow things down and see relationships between things and events."

The 451 Group uses the analogy of traffic cops and homicide detectives to describe the similarities and differences between the NOC and SOC: "Both are for the common good -- to keep people safe -- but the NOC is the traffic cop trying to keep everyone moving, and the SOC is the homicide detective stopping everyone and asking questions."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Read more about:

2007

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
