[Infowarrior] - Cisco MARS shuts out new third-party security devices

Sat Nov 7 16:43:32 UTC 2009

This story appeared on Network World at
http://www.networkworld.com/news/2009/110609-cisco-mars.html

Cisco MARS shuts out new third-party security devices
Focus on supporting Cisco devices; some claim it's beginning of end  
for Cisco Security MARS as multivendor offering
By Ellen Messmer , Network World , 11/06/2009

Cisco has finally publicly acknowledged it won't add support for new  
third-party devices to its security information and event monitoring  
appliance, ending months of speculation about the future of its  
Monitoring, Analysis and Response System. Some claim it's the  
beginning of the end for MARS as a multi-vendor SIEM device.
"MARS customers can expect non-Cisco network device data and signature  
updates to continue for currently supported third-party systems, but  
no new third-party devices will be added," Cisco declared in a  
statement, noting that "Cisco MARS continues to focus on supporting  
Cisco devices for threat identification and mitigation."

MARS is used by about 4,000 customers and Cisco is regarded as the  
largest SIEM vendor. Cisco had been privately briefing at least some  
of them on its intentions to effectively freeze third-party device  
support, but until now had refrained from a public statement.

Since SIEM equipment is typically used to consolidate alert and event  
data from multiple vendor sources, the fact that MARS won't be  
supporting any new non-Cisco equipment suggests customers must now  
consider migrating from it if third-party vendor support is their  
chief concern. Analysts from Gartner and Enterprise Strategy Group are  
advocating that very thing.

"Cisco deserves credit for coming clean on MARS support," said Jon  
Oltsik, analyst with Enterprise Strategy Group (ESG). "That said,  
rumors of product, customer support and field sales have been  
circulating for more than a year. In the future, I would hope that  
Cisco would be more forward and clear on its product plans and address  
issues like these in a timely manner. The priority here must be on  
improved security and not proprietary business agenda."

Cisco's SIEM competitors this week have eagerly grabbed at the topic  
of Cisco MARS freezing third-party support because of a Gartner  
research memo published Oct. 29 in which analyst Mark Nicolett stated,  
"Cisco has quietly begun informing its customers of a decision to  
freeze support for most non-Cisco event sources with its [MARS]."

In the research note Nicolett said, "Although Cisco has not formally  
announced its intention to exit the SIEM market, the Cisco sales force  
is encouraging its MARS customers to find an alternative for log  
collection and event analysis of non-Cisco event sources."

In Gartner's view, the effect of all this is that MARS can no longer  
be viewed as a viable SIEM for anyone looking for third-party vendor  
support in the future. "Organizations that need support of non-Cisco  
event sources should plan to move to a viable SIEM solution," the  
Gartner research note states.

Nicolett says he issued the research note because of what he initially  
picked up from discussions he happened to have with Gartner customers  
using MARS, not Cisco directly, though Cisco did confirm the change in  
strategy when asked about it.

Since Cisco had been included in Gartner's influential "Magic Quadrant  
report on SIEM this spring, when Cisco had provided "no hint of change  
in strategy," Nicolett says he thought it important to immediately  
inform Gartner clients on what he had found out.

MARS has never been particularly wide in its support for third-party  
security devices, Nicolett says, but now it can no longer be  
considered in that role for the future. Gartner isn't going to go back  
and revise the SIEM Magic Quadrant, but its Oct. 29 research note has  
to be considered its current findings when it comes to MARS as a SIEM  
for other than Cisco-related gear.

"That note seems to have caused a lot of concern to MARS customers,"  
says Rick Caccia, vice president of product marketing at ArcSight, a  
SIEM vendor that supports 300 products, including MARS, with a  
connector toolkit for 1,500 others. Cisco is considered the largest  
SIEM vendor in the market, but Gartner "threw a bomb in the market  
with that note," Caccia says.