Hey Rocky!
Not a bad analysis. Having watched and been part of the SIM market for many years I find the current state of both the vendor and the customer space indicative of a crux in this particular apostrophe. This year's MQ gives a reasonably good view if you have been following the progression.
Of the four fools behind Protego (RIP MARS, we loved you well) I was the most resistant to the SIM idea a decade ago. Prior to that as the PIX guy I had killed off management efforts (fyi - from 1998-2001 the PIX Firewall Manager did not actually work, and only a single customer in the entire world noticed ;~). In those days people did not manage security, they deployed devices. Actually integrating security management of a large number of devices was at the time a much larger issue in my opinion than people were aware of (you have to be able to say "billions of events" with a straight face or don't bother coming out), and earlier attempts were mere eye-candy without the scope to actually do the job.
Since then things have progressed in both the vendor and user space, to interesting extents.
o The SANS 2009 Log Management Survey shows a strong shift from a previous desire for folks to simply have their logs stored somewhere to much more focus on actually using them for something (a certain logging vendor's recent pants-drop in pricing is an indication of the validity of that view, imho).
o The SIM (sigh, "SIEM") user community has become much broader and much more sophisticated. Even five years ago, it was rare to find an audience who came into the room with an existing understanding of what it meant. Today it is normal to find folks attending meetings or seminars who not only understand the ideas but have existing hands-on experience with a SIEM of some description.
o The size of the SIM user base is crossing over from being a niche group meeting in a broom closet off the main event to being one of the main topics. The early-mid Naughties (what the heck did we ever agree to call that decade?) was a battle for tens - nay, hundreds! - of customers. Today there seem to be about 20,000 (maybe 30,000 if you squint real hard) SIEM deployments out there, about half commercial and half open source (we at AlienVault thank the second half who love us and are busy sending greeting cards to the first half ;~). The adoption curve is perhaps analogous to firewalls circa 1994 or thereabouts, and the slope is still similarly steep. Inasmuch as those of us in the vendor space can continue to make our offerings more accessible to this broadening base, the positive feedback of a large market will continue to accelerate the maturity of both the offerings themselves and the users looking to acquire them.
o Not unlike the early firewall market, the vendor landscape is beginning to morph. ANS Interlock, DEC Seal and Gauntlet could have been forecast to rule the firewall market in 2010, but that would have been an overly simplistic view. Whether our friends wearing the 800-lb gorilla suit in the SIEM space can avoid following the Check Point path in that analogy remains to be seen, but like CP they are driving awareness as only a large single-product specializing vendor can do, and that is good for the entire market.
We will see whether your comment about us pans out, but from my heavily-biased glasses I think you are dead on (we'd like to be upper-right from Rick in 2011, but we may have to wait one more year for that... ;~). The difference between the OSSIM I first noticed in 2006 and the AlienVault I joined forces with this year is instructive of the path that is ours to follow if we do the right things. Time will tell how we do with that, but if I didn't think we'd fulfill your prediction for next year I wouldn't be here this year.
I'll cross-post this comment on the new AlienVault blog and link back to your blog diary here. Good discussion, good comments and always good to share thoughts with you, Rocky!
-cheers!
-chris