Whither Cisco MARS?

Cisco System's Security Monitoring for Threat Identification, Mitigation, and Compliance (aka MARS) product is the company's offering for security and compliance management, competing with the likes of ArcSight, RSA Security, and Symantec. The MARS product came via Cisco's acquisition of Protego for $65 million in December 2004.

Through 2005 and 2006, Cisco pushed this product into end-user accounts through an aggressive scorched-earth effort. Cisco intended to get the product out into the market quickly, establish a base, and then continually add product enhancements over time. This seems to be where the strategy hit a speed bump.

The product languished behind competitive offerings, causing problems with the installed base. This opened the door for aggressive competitors: Enterasys, Juniper, and Nortel established partnerships with Q1 Labs in a direct attack on MARS. Log management vendors like LogLogic and LogRhythm out-flanked Cisco with incremental products. Worst of all, some Cisco sales executives and channel partners eschewed MARS in favor of more popular Cisco products. When you have a portfolio of hundreds of products, it is easy to lead with your best stuff and never mention those in the doghouse.

This brings up a reasonable question: What should Cisco do with MARS? As I see it, Cisco has three choices:

1. Admit defeat and get out. Cisco could bury MARS and partner with others in the industry. GE would take this route but I can't imagine that Cisco will.

2. Double down on MARS development. MARS 6.0 was released earlier this year and it did move the ball forward but the product remains way behind others in the market. Management software has always been a bit of an Achilles' heel for Cisco.

3. Replace MARS with another acquisition. There are plenty available at bargain prices. Cisco could bid on publicly traded ArcSight, grab a legacy Security Information Management vendor like Intellitactics or NetForensics, pick up a log management player, or take a chance on a wildcard like Nitro or Splunk.

There may be some analysis paralysis going on within Cisco as this issue has been lingering for a while. With security one of the only IT bright spots for 2009, Cisco should probably address this issue soon.

[TheVirtualDC]

Nice post, and completely agree. It's a shame, too, b/c we saw Chambers demo this at RSA 2-3 years ago. Granted it was huge then and required all kinds of agent management, but still, they've had plenty of time.

Maybe option 1a? Admit defeat and let others take over outside the Cisco management domain, ala VMware's security approach (well, not factoring in Blue Lane yet).

-Alan

[Schratboy]

MARS is a joke. Another example of a vendor over-reaching their core competency and trying to be everything for everybody. Sure, Cisco has done well with numerous technologies they've bought and integrated. Problem with MARS, like their endpoint efforts....it's overwrought and expensive.

Actually, sound network management processes can address most of what MARS promises without all the integration,management and overhead necessary to manage it. This story was long overdue since Cisco and it's resellers have been blowing MARS' smoke for years now while continuing to forklift their way around the world....and customers are no better off for it.

[bobrampart]

Article makes a great point. Schratboy ... not so much. Sound network management processes will not address the core strength of MARS and that's correlation while not needing a doctorate in event analysis to get it to work. This remains the biggest challenge of tools like ArcSight. Man, it has lots of great pretty reporting, but it was a bear to set up and maintain. Expensive compared to what? Kiwi? My perception is that the value and potential of MARS is both misunderstood by those who have never used it and probably too many decision makers within Cisco.

[Schratboy]

Throwing technology at the network is not substitute for management. Automated Incident response? Well, if someone has done their homework and communicated clear policy expectations and educated users, a prudent monitoring program can keep operations well in check. Of course, a large wild-West type operation may be more difficult to corral, but the same premise still applied. Big honking, expensive solutions aren't all they're cracked up to be....ergo I stand by by Cisco Mars commentary.

[bobrampart]

But how many companies/organizations have a prudent monitoring program or the amount of money to apply to do it correctly, especially these days. 10%? 15%? We try but don't have the time/resources. MARS simply gives us better visibility and context into what's going on to help us prioritize. Regardless, MARS applies. A perfectly managed environment and mature prudent monitoring program would simply be better able to take full advantage of capabilities like what MARS can provide.

[Stephano21]

Interesting article, however I reckon all of the vendors mentioned (with the exception of Arcsight) have a far smaller market share in revenue that MARS -- even taking into consideration the CISCO slash and burn tactices. I bet the gap is even bigger in numbers of customers. Sure Loglogic might have outflanked MARS on some compliance deals but Loglogic is growing by spending $2 to make $1 (wonderful VC money) while vendors like Logrhythm are not even a pimple of MARS' backside. Then again you have to wonder how much MARS is simply shelfware...