
Cisco Security System Shuts Out Third-Party Tools

alphadogg writes "Cisco has finally publicly acknowledged it won't add support for new third-party devices to its security information and event monitoring appliance, ending months of speculation about the future of its Monitoring, Analysis and Response System. Some claim it's the beginning of the end for MARS as a multi-vendor SIEM device. 'MARS customers can expect non-Cisco network device data and signature updates to continue for currently supported third-party systems, but no new third-party devices will be added,' Cisco declared in a statement, noting that 'Cisco MARS continues to focus on supporting Cisco devices for threat identification and mitigation.' Cisco's SIEM competitors this week have eagerly grabbed at the topic of Cisco MARS freezing third-party support because of a Gartner research memo published Oct. 29 in which analyst Mark Nicolett stated, 'Cisco has quietly begun informing its customers of a decision to freeze support for most non-Cisco event sources with its [MARS].'"
This discussion has been archived. No new comments can be posted.

  • Re:This isn't new. (Score:1, Interesting)

    by Anonymous Coward on Saturday November 07, 2009 @11:43AM (#30014458)

    Probably only because they have to.

  • by chill ( 34294 ) on Saturday November 07, 2009 @11:48AM (#30014490) Journal

    Try something that works WITH you as a SECURITY appliance, as opposed to yet another sales opportunity. There is lots of competition that easily beats MARS in functionality, ease of use and comprehensive support. TriGeo [trigeo.com], for one.

  • by Anonymous Coward on Saturday November 07, 2009 @01:36PM (#30015208)

    Cisco is not "shutting out third party tools," they are simply stopping official support of third-party (non-Cisco) devices and applications - they are not shutting anyone out.

    However, this does cause some issues as SIEM platforms are meant to be multi-vendor, multi-platform security management solutions and the fact that Cisco will not support third-party devices any longer does not bode well for their customers or the long-term viability of the MARS offering.

    A SIEM platform or any other security or performance management platform, like OpenView or SCOM, needs to have software that can "talk" to the managed system. Every device manufacturer, OS, application, database, etc. has a different API or way to collect logs - some have a standard event format or collection mechanism, but, many do not.

    In order to officially support collection of these logs a SIEM vendor has to test their collection method against those devices or applications, which is a very expensive and time-consuming process. As third-party vendors (i.e. Microsoft) release new versions of their platforms (i.e. Windows 2008 vs 2003) the management platform also has to retest their monitoring against those new versions.

    Oftentimes, the new third-party version breaks the existing management capability, therefore, the management vendor has to go back and redesign how they "talk" to the platform.

    Cisco has simply stated that they are no longer willing to support non-Cisco platforms as part of their SIEM offering. There are plenty of other SIEM platforms out there that do support non-native platforms, such as ArcSight, NetIQ, RSA, etc.

    It sucks that Cisco customers now have to look for another solution for non-Cisco devices, but, this is great news for other SIEM vendors as Cisco, by way of their huge client base and marketing clout, were able to amass over 4,000 customers for their SIEM offering. Many of these customers will now look for another SIEM vendor.

  • by DarkOx ( 621550 ) on Saturday November 07, 2009 @06:05PM (#30017132) Journal

    Right, it's not a big deal and anyone who has been making purchase decisions in IT long enough to know what MARS does knows you don't EVER EVER consider a Cisco solution unless:

    They are giving you a sweetheart deal to run some other vendor off, so you don't care about scrapping it later.

    They have been selling the product for at least two years, otherwise it has a 50pct chance of just disappearing.

    Their offering still has the features that you are primarily interested in after they have existed in the product for two years, otherwise said product is likely to morph into something completely different in operational characteristics.
