integrate
verb [ trans. ]
1 combine (two things) so that they become a whole


Based on market dynamics, and confirmed by the recent Gartner Magic Quadrant (MQ) criteria, there are no longer separate log management and SIEM markets. Thus every vendor is talking about their “integrated” solution. What’s comical is how many of the players in the market define “integrated.” So before I define our idea of integrated, let’s talk about what integrated is NOT.

[Figure: Oil and Water: Not Integrated]

  1. If a vendor requires you to buy two different hardware platforms, with (at least) two different data stores – it’s not integrated.
  2. If a vendor requires two platforms, one to collect data at high speed and another to analyze the data because the analysis can’t keep up with the collection rate – that’s not integrated either.
  3. If the vendor’s correlation engine is outsourced, acquired, or licensed from another technology vendor, the solution is not integrated.
  4. If the vendor has totally different interfaces for their SIEM and log management offerings, that’s not integrated by a long shot.
  5. If the product doesn’t correlate all data because that would require a Cray supercomputer to keep pace, so a log-only collection layer has to capture everything the correlation engine can’t handle – it’s not integrated.
  6. If a product needs to archive data off its platform after 30 days because the data slows down the correlation engine, and then forces you to use a separate appliance to do a forensic search of the archived data – you got it, it’s not integrated.
  7. If the vendor talks about network configuration management, but it’s nothing more than a bolt-on of a failed product they acquired for cents on the dollar – that’s not really integrated either.
  8. If a vendor talks about an integrated solution, yet their design looks like the schematic of a nuclear reactor – you got it, it’s probably not integrated.


So what does eIQ mean when we say “integrated”?

  1. Single platform and single data store – SecureVue is one INTEGRATED product. You buy it once, deploy it once, and both the SIEM and log management capabilities are built into the platform natively. No separate boxes or different interfaces are required.
  2. Scalable from the entry level to the largest enterprises – Data collection can happen on the same box or within a multi-tier architecture, with the same level of correlation, reporting and dashboards. SecureVue is linearly scalable; there is no need to deploy a front-end logging layer to overcome a dog-slow correlation engine.
  3. Correlation is done on ALL data – SecureVue uses all data in its correlation analysis; there is no “selective” data forwarding from the logging layer to reduce the amount of data to correlate.
  4. Reports and compliance audits are pulled from ALL data – Similarly, some of the competition basically discards data they don’t deem “relevant” for reporting and audit purposes. SecureVue doesn’t have those limitations, so reports can be pulled on all data collected and archived.
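The security consequence of point 3 (and of items 2 and 5 in the “not integrated” list) is easy to show with a small simulation. The following is an added example written for this page; it is not SecureVue code, not eIQ’s correlation engine, and the events, the field names, the “forward only successful logins” policy, and the brute-force rule are all constructed assumptions. It runs one correlation rule (five or more failed logins for a source/user pair followed by a success within five minutes) first over everything that was collected, then over the subset a selectively forwarding collection tier would have passed on to the correlation tier.

```python
# Added example, not eIQ/SecureVue code: the same correlation rule run over a
# complete event set versus a "selectively forwarded" subset of it.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simple key=value format (not captured from
# any real system): a password-guessing run from 10.0.0.9 against "admin"
# that ends in a successful login, plus an unrelated typo-then-success.
SAMPLE_LOG = """\
2009-06-01T10:00:01 sshd host=web01 src=10.0.0.9 user=admin result=fail
2009-06-01T10:00:02 sshd host=web01 src=10.0.0.9 user=admin result=fail
2009-06-01T10:00:03 sshd host=web01 src=10.0.0.9 user=admin result=fail
2009-06-01T10:00:04 sshd host=web01 src=10.0.0.9 user=admin result=fail
2009-06-01T10:00:05 sshd host=web01 src=10.0.0.9 user=admin result=fail
2009-06-01T10:00:09 sshd host=web01 src=10.0.0.9 user=admin result=success
2009-06-01T10:01:00 sshd host=web01 src=10.0.0.7 user=alice result=fail
2009-06-01T10:01:30 sshd host=web01 src=10.0.0.7 user=alice result=success
"""


def parse_events(text):
    """Parse each line into a dict with a datetime 'ts' plus key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, prog, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "prog": prog}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def forward_selectively(events, keep_results=("success",)):
    """Model of a two-tier design (assumed policy): the collection tier forwards
    only events it deems "relevant" (here, successful logins) to the correlation
    tier and drops the high-volume failures to keep the correlation engine's
    event rate down. Everything else stays in the log-only layer."""
    return [e for e in events if e.get("result") in keep_results]


def bruteforce_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Correlation rule: at least `threshold` failed logins for the same
    (src, user) pair followed within `window` by a success for that pair.
    Returns the (src, user, success_ts) tuples that fire."""
    failures = defaultdict(list)  # (src, user) -> timestamps of failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pair = (ev.get("src"), ev.get("user"))
        if ev.get("result") == "fail":
            failures[pair].append(ev["ts"])
        elif ev.get("result") == "success":
            recent = [t for t in failures[pair] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append((pair[0], pair[1], ev["ts"]))
            failures[pair] = []  # a success closes the sequence
    return alerts


def compare(text=SAMPLE_LOG):
    """Run the rule over all collected data and over the forwarded subset."""
    all_events = parse_events(text)
    forwarded = forward_selectively(all_events)
    return {
        "events_collected": len(all_events),
        "events_forwarded": len(forwarded),
        "alerts_all_data": bruteforce_then_success(all_events),
        "alerts_forwarded_only": bruteforce_then_success(forwarded),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Run over all eight events the rule fires once, for 10.0.0.9 against admin; run over the two events the filtering tier forwarded it fires zero times, because the evidence it needs was classified as noise before it ever reached the correlation engine. The failures are still sitting in the log-only tier, so a forensic search would find them after the fact, but the real-time detection is gone, which is exactly the trade-off a separate “fast collection, slower correlation” architecture makes.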

Delivering an integrated system is hard. That’s why most of the vendors out there wave their hands a lot but don’t really want you to look behind the curtain. Integration requires a single interface, not a cobbled-together console with totally different user experiences. Integration requires a purpose-built data store, not your favorite relational database. Those who built on a relational back-end would need a brain transplant to do all the processing required for integrated SIEM/log management on a single platform. Brain transplants are hard too.

So they don’t DO integration, they just talk integration. They glue an “integrated” sticker on the front of their multiple boxes and hope no one really asks what integrated means.

Hopefully Mr. Market is smarter than that.

2 Responses to “Defining SIEM/Log Management “Integration””

  1. Adrian Lane Says:

    Nice post. The goal here is to provide a breadth of functionality without the end user having the underlying technology complexities shoved in their face.

    Agree with almost all of it except point 3. Just because the engine that performs the analysis is not owned by the SIEM provider. In fact, I would like the option of including different analysis, even correlation, engines to see who provides the best results, or to use under different circumstances. Kind of the same thing that I get with email/web security and multiple A/V engines. Maybe when the SIEM market reaches that level of maturity we will see that.

    -Adrian


  2. [...] This need for both security and compliance has driven the convergence of previously separate technologies (security information and event management (SIEM) and log management). And now most vendors have solutions to address both problems. Of course, we can (and do) debate what integration really means, which we wrote about recently on eIQviews. [...]

