Increasingly sophisticated end-user applications are creating buoyant local demand for security information and event management (SIEM) solutions, driving rapid growth in a market that is steadily broadening its reach and capabilities.
That market, supported by progressively improving data analytics capabilities, has been supported by the ongoing – and increasingly pernicious – stream of high-profile hacks that has not only led to egg on the faces of executives at key businesses around the world, but gained new intensity recently with the furore around the hacking of Sony and the increasingly tense standoff between the United States and North Korea.
That such hacks could be perpetrated against high-profile targets at all, has sent many CSOs running to forge new ties with their CEOs and boards with a renewed sense of urgency around cybercrime strategies.
That the hacks are often, it is being discovered, being perpetrated without the target organisations even knowing about them – often for months or even years – is creating a new panic around information security.
In an increasing number of cases, the solution to that panic is the adoption of SIEM tools whose sole purpose is to scour through masses of security-related information to pinpoint attacks with urgent and decisive accuracy.
Market watcher IDC pegged the SIEM market at some $US4 billion in 2013, during which time it grew at an annual rate of 10.2 percent.
Year-end 2014 revenues are expected to hit $US4.4 billion globally, representing a further 9.7 percent increase – and revenues are expected to continue growing at an average 10.2 percent annually through 2018.
The trend has hit Australia, where general corporate imperatives are reinforced by a growing need for good information governance, particularly hard – and that has key players in the market moving quickly.
One major SIEM provider, LogRhythm, has seen a strong uptick in its Australian business and has recently moved to bolster its local operation after "years of dabbling", according to one senior company executive.
"The public disclosure of security breaches and data loss incidents results in ever-increasing usage of products that can create and enforce security policy and provide information required by auditors," the firm's analysis concluded, noting that products combining data and event management must also be able to identify and remediate threats based on user privileges.
Rapid evolution has kept the SIEM market quite diffuse, with the top 10 vendors accounting for just 49 percent of the overall market and only one vendor having more than 10 percent of the market.
Cisco Security Manager, EMC's RSA Security, HP ArcSight, NetIQ Sentinel, SolarWinds Log & Event Manager, Splunk!, and Tenable Network Security are amongst the many solutions competing to bolster their position.
The rapidly changing market posture has created a sense of urgency across the market, particularly in high-growth regions such as Australia. Speaking recently to CSO Australia, LogRhythm senior vice president of worldwide operations Bill Smith said the company's business in Australia would double this year and "double or triple" next year as its partner-focused delivery strategy gained further traction.
"As a small company we were growing and kept most of our resources in the US," Smith said, "but as we looked at expanding in the region our business began growing dramatically."
"We have forged some really strong partnerships with companies that are well known in the security business, and we've got a strong set of prospects and a good set of customers. We feel that we have the wind at our backs."
Engagements with customers were about much more than technology delivery, however: end-user education had become even more critical with the growing awareness of sensitivities around consumer, patient or other data requiring particular security and privacy controls.
Most violations of these controls were accidents, Smith said, with "poor education or understanding, or things happening behind the scenes that users are not aware of, or interesting threat tactics that we haven't seen before. It does happen."
Improving the analysis of security-related events would help organisations more quickly identify the things they don't know they don't know – but delivering this, Smith warned, requires careful attention to not only the back-end analytics but the overall user experience.
"We've got to find smart ways to protect this stuff that don't rely on an educated user," he said.
IDC's analysis agrees: security consists of products, people, and policy, the firm warns, noting that security analytics vendors "are able to provide many policy solutions that are used to supplement and validate other security defenses... [and] can be considered the 'brains' of an organization's security efforts."
Reflecting this position, LogRhythm is on the cusp of updating its tools to further strengthen its value proposition for businesses wanting to get a better grip on their security exposure.
Ultimately, making this happen requires a key philosophical recognition on the part of end users, Smith said: that there is no way to block all security attacks an organisation might have to deal with. Instead, the key is to focus on rapid detection – and, with analytics techniques improving all the time, this part of the formula has become much stronger over time.
"You're going to get breached," Smith said. "Your goal should not be to stop breaches because you're not going to do that. Your goal should be to detect it as quickly as possible."
"We believe it's possible to get average mean time of detection down from weeks to months, hours, minutes, or seconds. Prevention is futile, but quick detection is not."