November 06, 2009, 3:10 PM — Cisco has finally publicly acknowledged it won't add support for new third-party devices to its security information and event monitoring appliance, ending months of speculation about the future of its Monitoring, Analysis and Response System. Some claim it's the beginning of the end for MARS as a multi-vendor SIEM device.
"MARS customers can expect non-Cisco network device data and signature updates to continue for currently supported third-party systems, but no new third-party devices will be added," Cisco declared in a statement, noting that "Cisco MARS continues to focus on supporting Cisco devices for threat identification and mitigation."
MARS is used by about 4,000 customers and Cisco is regarded as the largest SIEM vendor. Cisco had been privately briefing at least some of them on its intentions to effectively freeze third-party device support, but until now had refrained from a public statement.
Quiz: How much do you know about Cisco?
Since SIEM equipment is typically used to consolidate alert and event data from multiple vendor sources, the fact that MARS won't be supporting any new non-Cisco equipment suggests customers must now consider migrating from it if third-party vendor support is their chief concern. Analysts from Gartner and Enterprise Strategy Group are advocating that very thing.
"Cisco deserves credit for coming clean on MARS support," said Jon Oltsik, analyst with Enterprise Strategy Group (ESG). "That said, rumors of product, customer support and field sales have been circulating for more than a year. In the future, I would hope that Cisco would be more forward and clear on its product plans and address issues like these in a timely manner. The priority here must be on improved security and not proprietary business agenda."
Cisco's SIEM competitors this week have eagerly grabbed at the topic of Cisco MARS freezing third-party support because of a Gartner research memo published Oct. 29 in which analyst Mark Nicolett stated, "Cisco has quietly begun informing its customers of a decision to freeze support for most non-Cisco event sources with its [MARS]."
In the research note Nicolett said, "Although Cisco has not formally announced its intention to exit the SIEM market, the Cisco sales force is encouraging its MARS customers to find an alternative for log collection and event analysis of non-Cisco event sources."
In Gartner's view, the effect of all this is that MARS can no longer be viewed as a viable SIEM for anyone looking for third-party vendor support in the future. "Organizations that need support of non-Cisco event sources should plan to move to a viable SIEM solution," the Gartner research note states.
Nicolett says he issued the research note because of what he initially picked up from discussions he happened to have with Gartner customers using MARS, not Cisco directly, though Cisco did confirm the change in strategy when asked about it.
Since Cisco had been included in Gartner's influential "Magic Quadrant report on SIEM this spring, when Cisco had provided "no hint of change in strategy," Nicolett says he thought it important to immediately inform Gartner clients on what he had found out.
MARS has never been particularly wide in its support for third-party security devices, Nicolett says, but now it can no longer be considered in that role for the future. Gartner isn't going to go back and revise the SIEM Magic Quadrant, but its Oct. 29 research note has to be considered its current findings when it comes to MARS as a SIEM for other than Cisco-related gear.
"That note seems to have caused a lot of concern to MARS customers," says Rick Caccia, vice president of product marketing at ArcSight, a SIEM vendor that supports 300 products, including MARS, with a connector toolkit for 1,500 others. Cisco is considered the largest SIEM vendor in the market, but Gartner "threw a bomb in the market with that note," Caccia says.
