Micro Focus climbing to the top with product synergies.
Two recent reports from Gartner Inc. feature Micro Focus solutions. The first reviews Security Information and Event Management (SIEM) (1) and the second Enterprise Information Archiving (2). Looking at how both Micro Focus and HPE feature in these two market segments you can start to see the logic of the ‘spin merger’ between Micro Focus and the HPE Software Division.
SIEM
The SIEM market was valued at approximately $1.75 Bn in 2015, showing relatively low growth in the mature markets of North America and Europe. Gartner define the SIEM market as follows:
“ The SIEM market is defined by the customer’s need to analyze event data in real time for the early detection of targeted attacks and data breaches, and to collect, store, investigate and report on log data for incident response, forensics and regulatory compliance. The vendors included in the Magic Quadrant analysis have products designed for this purpose, and they actively market and sell these technologies to the security buying center.
“SIEM technology aggregates event data produced by security devices, network infrastructure, systems and applications. The primary data source is log data, but SIEM technology can also process other forms of data, such as NetFlow and network packets. Event data is combined with contextual information about users, assets, threats and vulnerabilities. The data is normalized, so that events, data and contextual information from disparate sources can be correlated and analyzed for specific purposes, such as network security event monitoring, user activity monitoring and compliance reporting. The technology provides real-time correlation of events for security monitoring, query and analytics for historical analysis and other support for incident investigation and compliance reporting.“
Gartner believe that many vendors can meet the basic requirements but the greatest area for improvement is effective targeted attack and breach detection. The primary driver is threat management with compliance a secondary factor. An emerging area is UEBA – User and Entity Behaviour Analytics. In 2015 HPE announced an integration between their ArcSight solution and Securonix to provide these new features.
Last year 14 vendors met Gartner’s requirements for the Magic Quadrant. The market continues to be dominated by relatively few large vendors including HPE. The HPE solution ArcSight is one of the software solutions due to be transferred to Micro Focus following the completion of the business deal announced in 2016. ArcSight and MF Sentinel will be a powerful combination.
Gartner’s Magic Quadrants
Over the years the annual Magic Quadrant reports published by Gartner Inc have become a leading way of comparing vendor solutions in a particular market sector. Gartner identifies the vendors and invites them to participate. However if a vendor fails to meet one or more of the criteria, e.g. actual sales, then they will not make it into the final report. Gartner then review each vendor separately identifying their strengths, weaknesses and roadmap. These reports rank vendors in terms of niche market v overall vision and the ability to execute their solution in the market – giving rise to challengers and market leaders. The top performers are in the top right quadrant.
Gartner reviews Sentinel from Micro Focus as follows:
“ Sentinel Enterprise is the core SIEM product from Micro Focus, complemented by Change Guardian (for host monitoring and FIM (File Integrity Monitoring)) and Secure Configuration Manager (for compliance use cases). Additional modules add a range of features covering threat intelligence feeds, exploit detection, and high-availability support. NetIQ Identity Manager and Aegis customers can also benefit from integration with Sentinel for enhanced identity tracking and workflow management capabilities. Log management is available as a stand-alone product (Sentinel Log Manager). Sentinel Enterprise is offered as software and as a virtual appliance.
Micro Focus made modest enhancements to Sentinel during the past 12 months, focusing on usability enhancements, platform health and management, visualizations, simplified deployment, and improved threat intelligence.
Sentinel is a good fit for organizations or MSSPs (Managed Security Service Providers) that require large-scale security event processing for highly distributed IT environments (for example, geographic or cloud), and is an especially good choice for organizations that have deployed NetIQ IAM and IT operations tools, which can provide enriched context to security events detected with Sentinel.
Strengths
- Sentinel Enterprise is appropriate for large-scale deployments that are focused on SEM and SIM threat monitoring capabilities, where contextual information is automatically added to any correlated event.
- Integrations with other NetIQ technologies provide capabilities to support user monitoring, identity and endpoint monitoring, and enforcement/response use cases.
- NetIQ’s architecture is one of the simpler available to deploy and manage. Scaling and distribution only require installation of more Sentinel instances.
- Sentinel supports monitoring of mainframe platforms in addition to standard Windows, Unix and Linux platforms.
NetIQ customers give Sentinel above-average or average marks for scalability and performance, ease of customizing existing report templates, and support experience.
Cautions
- NetFlow data can only be used to provide additional context for alerted events and cannot be used within correlation rules.
- Sentinel’s threat intelligence capabilities still lag the competition. Customers can purchase threat feeds from NetIQ. Additionally, there is basic support for a few open-source feeds, but third-party feeds require a software development kit (SDK)-based plug-in to be created and there is no support for open standards like STIX and TAXII.
- Support and integration with UEBA tools are lacking, and advanced analytics capabilities are lagging compared to competitors’ products.
- Usability and reporting of the results when replaying historical event data against correlation rules are limited when compared with some competitors.
- NetIQ Sentinel has low visibility in competitive evaluations of SIEM among Gartner clients. “
Arcsight is reviewed likewise:
“ Hewlett Packard Enterprise (HPE) sells its ArcSight SIEM platform to midsize organizations, enterprises and service providers. The platform is available in three different variations: the ArcSight Data Platform (ADP), providing log collection, management and reporting; ArcSight Enterprise Security Management (ESM) software for large-scale security monitoring deployments; and ArcSight Express, an appliance-based all-in-one offering that’s designed for the midmarket, with preconfigured monitoring and reporting, as well as simplified data management.
The ArcSight Data Platform (composed of ArcSight Connectors, ArcSight Management Center [ArcMC; a management console] and Logger) can be deployed independently as a log management solution, but is also used as the data collection tier for ArcSight ESM deployments. Premium modules, adding capabilities such as user and entity behavior analytics (ArcSight User Behavior Analytics [UBA]), DNS malware detection (ArcSight DNS Malware Analytics) and threat intelligence (ArcSight Reputation Security Monitor [RepSM]), can be used to extend the SIEM’s capabilities.
HPE ArcSight can be deployed as an appliance, software or virtualized instance, and supports a scalable n-tier architecture with HPE ArcSight Management Center available to manage large and complex deployments. HPE ArcSight Express is available as an appliance only. In 2015, HPE redesigned and simplified the ArcSight SIEM architecture and licensing model.
Further enhancements include new features in the analyst user interface allowing more granular control over incoming events and incidents. New module releases included HPE ArcSight UBA (licensed from Securonix); HPE ArcSight DNS Malware Analytics, providing malware detection based on DNS traffic analysis; HPE ArcSight Marketplace, a community exchange for integration with other vendor solutions; and SIEM context such as dashboards and report templates.
ArcSight Express should be considered for midsize SIEM deployments requiring extensive third-party connector support. HPE ArcSight ESM is a good fit for large-scale deployments and for organizations seeking to build a dedicated SOC.
Strengths
- ArcSight ESM provides a complete set of SIEM capabilities that can be used to support a large-scale SOC, including a full incident investigation and management workflow, and a dedicated deployment management console.
- HPE ArcSight User Behavior Analytics provides full UBA capabilities in conjunction with SIEM.
- HPE ArcSight has a wide variety of out-of-the-box third-party technology connectors and integrations.
Cautions
- HPE ArcSight proposals routinely include more professional services than comparable offerings.
- Customer feedback indicates that HPE ArcSight ESM is found to be more complex and expensive to deploy, configure and operate than other leading solutions.
- Although ArcSight is among the top four vendors in competitive visibility with Gartner clients, the trend is decreasing visibility for new installs and increasing numbers of competitive replacements.
- HPE is undertaking a development effort to redo the core ArcSight technology platform. Customers and prospective buyers should track development plans to ensure the availability of features and functions needed to support existing or planned deployments. “
Enterprise Archiving
As a result of the GWAVA acquisition, Micro Focus also feature in the Gartner Magic Quadrant for Enterprise Information Archiving. The relative strength of GWAVA is shown in the diagram below. GWAVA are placed in the Challenger quadrant – a niche player with an ability to execute. Look further and you will see that HPE are also featured in the Visionaries quadrant – a more complete vision but rated only to have mediocre execution.
HPE’s products in this market are Digital Safe and Verity – and yes they will soon join GWAVA in the expanded Micro Focus business. Further opportunities for synergy. Digital Safe, a SaaS offering, is positioned to meet the messaging data archiving demands of the most highly regulated and complex organizations.
Verity was introduced in 2016 as an overall unified information management and governance suite, and will be offered as public and private cloud deployment options globally. Verity is targeted at small to midsize enterprises, with archiving the first module introduced.
Gartner note that HPE receives high marks from customers for the scale of its offerings, and for the gathering and subsequent reporting of data in the archiving tools. However the product set is seen to have a high cost of ownership and a high level of complexity that requires training to get the best out of it.
So what do Gartner say about GWAVA – and here they are reviewing Retain.
“ GWAVA provides a multiplatform unified archiving solution for email, social content, IM and mobile communication data with Retain Unified Archiving. Deployed on-premises or in the cloud, Retain focuses on email archiving, with native support for Exchange, Office 365, Gmail, GroupWise and Domino, but also supports the archiving of electronic business communication, including data created on mobile devices and social media, and in IM and internet web searches. Built-in litigation support tools for performing e-discovery are also included at no additional cost.
Retain provides multiple ways to access the archive, including through Retain’s Web Access Archive Viewer and the Retain Archive App. File archiving is not supported at this time, but Retain does offer connectors to SharePoint and other enterprise content management systems, as well as EFFS solutions such as OneDrive, Dropbox, Box, etc.
Strengths
- GWAVA supports a wide array of social media content and mobile communication data for archiving within Retain Unified Archiving.
- GWAVA includes highly rated litigation support tools for e-discovery in Retain, at no additional cost.
- Retain Cloud brings new options to highly regulated industries and for data sovereignty requirements.
Cautions
- Future roadmap implementations are uncertain on the heels of the recent acquisition of GWAVA by Micro Focus.
- Retain Unified Archiving indexing speeds and end-user email access are pain points referenced by customers.
- File archiving support is missing, with no indication of future implementation. “
These two reports from Gartner do indeed shine a light on Micro Focus and the possibilities for the business in these two important market segments. There will undoubtedly be announcements in the coming months as the ‘merger’ completes.
References
- Magic Quadrant for Security Information and Event Management, Published by Gartner Inc., 10 August 2016, ID: G00290113. Analysts: Kelly M Kavanagh, Oliver Rochford and Toby Bussa.
- Magic Quadrant for Enterprise Information Archiving, published by Gartner Inc., 5 December 2016, ID: G00294240. Analysts: Alan Dayley, Julian Tirsu, Garth Landers and Shane Harris
This article was first published in OH Magazine Issue 36, 2017/1, p16-19.