Let's Archive the SEM Market
I have always regarded Security Event Management (SEM) as the most dysfunctional segment in the security industry. SEM vendors would always preach rapid response and attack prevention, even though they only examine log file entries written long after the attack has come and gone. Then they tried to promote themselves as the independent command and control center, but of course they cannot control other vendors' products as effectively as those vendors themselves can. I used to think I was missing something obvious, but now, after reading comments from my good friend Mike Rothman and fellow reborn analyst Richard Stiennon, I realize that I am not alone. It has just been a brain-dead market segment. Now that Novell has bought e-Security, what can SEM be good at?
The answer is that SEM can be a good place to collect, filter, and manage audit logs of corporate activity. You wouldn't think of running your business without independent corporate auditing; you shouldn't think of running IT without auditing either. Yes, the me-too marketers will trumpet compliance as the compelling reason to buy their product. They would be better served by thinking of themselves as IT auditing systems, of which security is just one component. This means the vendors should also be collecting and correlating events from business process sources such as application servers, web servers, and authentication systems. That adds data management, search, and reporting over an active event archive to the existing real-time collection capability. The intelligence gained would be appropriate for the C-suite. Yes, compliance is a benefit, but it is not the reason for SEM to exist.
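To make the "IT auditing system" idea concrete, here is an added example (not code from the original post or from any SEM vendor) of the minimal pipeline the paragraph describes: events from a web server, an authentication system and an application server are normalized into one schema, monitoring noise is filtered out, the archive is searchable, and application actions are correlated with the login and web request that preceded them. All log lines, user names, hosts and the hypothetical `AuditArchive` class are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, Optional
import re


@dataclass(frozen=True)
class Event:
    """Common schema every source is normalized into before archiving."""
    ts: datetime
    source: str            # "web", "auth" or "app"
    user: Optional[str]
    src_ip: Optional[str]
    action: str
    outcome: str
    raw: str               # original line kept for audit fidelity


# Constructed sample lines (not real logs): one web server, one auth system,
# one application server.  Timestamps are all in UTC.
WEB_LINES = [
    '10.0.0.5 - alice [15/Apr/2006:10:02:11 +0000] "POST /payroll/export HTTP/1.1" 200 5120',
    '10.0.0.9 - - [15/Apr/2006:10:03:01 +0000] "GET /health HTTP/1.1" 200 12',
]
AUTH_LINES = [
    "2006-04-15T10:01:55Z auth user=alice ip=10.0.0.5 result=success",
    "2006-04-15T10:05:30Z auth user=bob ip=10.0.0.7 result=failure",
]
APP_LINES = [
    "2006-04-15T10:02:12Z app user=alice action=export_payroll status=ok",
    "2006-04-15T10:20:00Z app user=svc_batch action=export_payroll status=ok",
]

WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
KV_RE = re.compile(r"(\w+)=(\S+)")
NOISE_PATHS = {"/health"}   # monitoring chatter that has no audit value


def parse_web(line: str) -> Optional[Event]:
    """Common Log Format line -> Event (None if the line does not parse)."""
    m = WEB_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    user = None if m["user"] == "-" else m["user"]
    return Event(ts, "web", user, m["ip"], f'{m["method"]} {m["path"]}', m["status"], line)


def parse_kv(line: str, source: str) -> Optional[Event]:
    """'<iso-ts> <tag> k=v k=v ...' line -> Event (None if malformed)."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    kv = dict(KV_RE.findall(parts[2]))
    outcome = kv.get("result") or kv.get("status") or "unknown"
    return Event(ts, source, kv.get("user"), kv.get("ip"), kv.get("action", "login"), outcome, line)


def is_noise(ev: Event) -> bool:
    return ev.source == "web" and ev.action.split(" ", 1)[1] in NOISE_PATHS


class AuditArchive:
    """Hypothetical event archive: ingest, filter, search, correlate."""

    def __init__(self) -> None:
        self.events: list[Event] = []

    def ingest(self, lines: Iterable[str], parser: Callable[[str], Optional[Event]]) -> int:
        kept = 0
        for line in lines:
            ev = parser(line)
            if ev is not None and not is_noise(ev):
                self.events.append(ev)
                kept += 1
        self.events.sort(key=lambda e: e.ts)   # keep the archive time-ordered
        return kept

    def search(self, user: Optional[str] = None, source: Optional[str] = None,
               since: Optional[datetime] = None) -> list[Event]:
        return [e for e in self.events
                if (user is None or e.user == user)
                and (source is None or e.source == source)
                and (since is None or e.ts >= since)]

    def correlate(self, window: timedelta = timedelta(minutes=5)) -> list[dict]:
        """For each application action, find the same user's authentication
        and web activity in the preceding window.  An action with no
        successful login behind it is the kind of gap an auditor wants to see."""
        findings = []
        for app in (e for e in self.events if e.source == "app"):
            lo = app.ts - window
            related = [e for e in self.events
                       if e.source in ("auth", "web") and e.user == app.user
                       and lo <= e.ts <= app.ts]
            findings.append({
                "user": app.user, "action": app.action, "at": app.ts,
                "authenticated": any(e.source == "auth" and e.outcome == "success" for e in related),
                "src_ips": sorted({e.src_ip for e in related if e.src_ip}),
            })
        return findings


def build_archive() -> AuditArchive:
    archive = AuditArchive()
    archive.ingest(WEB_LINES, parse_web)
    archive.ingest(AUTH_LINES, lambda l: parse_kv(l, "auth"))
    archive.ingest(APP_LINES, lambda l: parse_kv(l, "app"))
    return archive


if __name__ == "__main__":
    for f in build_archive().correlate():
        print(f)
```

The correlation step is where the business value sits: the payroll export by `alice` is backed by a successful login from the same address a few seconds earlier, while the export by `svc_batch` has no authentication or web request behind it and is flagged as unauthenticated. That is a reportable audit finding whether or not anything in it is a "security event".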
Ducks do not fly well, swim well, or walk well, but there is a place in the world for ducks. The Security Information Management (SIM) space has needed redefinition for years. It would be nice if SEM could show how security integrates with and enables open business processes. Then perhaps there can be a true SEM acquisition binge.