The Rocky Relationship of APM and SIEM

Application performance management (APM) and security information and event management (SIEM) might be great together in a technical sense, but it probably will be a while before they officially notice each other.

SIEM, first named by Gartner analysts in 2005, shares a number of business characteristics with APM: it

  • juggles emphasis on real-time response capabilities with long-term logging and correlation aspects;
  • leverages “dashboard” and “drill-down” metaphors not only to visualize real-time vs. long-term correlations in time, but also high-level vs. atomic symptoms for diagnosis;
  • largely builds on earlier network-focused specialties (in the case of SIEM, mostly previous generations of hardware incident and logging products);
  • manifests in the marketplace in a mix of appliances, licensed software suites, and managed services; and
  • continues to evolve rapidly in response to such technical challenges and market shifts as cloud, virtualization, mobile, SDN, compliance, and, especially for SIEM, voice.

With all this in common, what’s not to like about seeing the two get together? Apart from a few solvable engineering mismatches (historically, for instance, APM has often assumed programming in managed-code languages), it’s the usual problem with security: as Aberdeen Group Senior Analyst and APM specialist Jim Rapoza put it in a recent conversation, “security is the last thing anybody ever talks about.” Individuals and organizations habitually budget for security only reactively; “[t]he effectiveness of prevention services is inherently difficult to demonstrate,” and even when it is recognized, the default arrangement of incentives “results in the underinvestment of information security,” as a couple of articles on realms outside SIEM have put it. Responsibility for performance and security rarely comes together in a single individual or even department, so APM and SIEM are not often consolidated or even co-ordinated.

Why mention them together, then? They do encounter each other, at least briefly. I know of installations where customers use APM to illuminate security management. While most of these remain proprietary, a few high-level sketches such as “Using APM for Security” and the older “Application Monitoring integrated with SIEM: NitroView APM” are publicly available. Compliance considerations draw attention to security, and have the potential to reward APM more for its security contributions. As hinted in the last bullet above, both APM and SIEM have to adapt themselves in similar ways to such new managed elements as cloud, mobile, and deeply virtualized stacks; they have a lot to learn from each other. Perhaps most encouraging for the long term is that APM vendors are slowly responding to the complexity and rapid change in their domain the same way application lifecycle management (ALM) vendors did earlier: by progressively opening their products to integration. Customers know not to look for One Big Solution for all their APM needs so much as for a quality framework that permits adaptation and adjustment. In such frameworks, there’s room to experiment with ties between APM and SIEM without having to wait on APM vendors.

For today, if you have a stake in both performance and security, there are few out-of-the-box solutions likely to help you. The situation appears to be improving, though, and you’ll certainly find precedents if you “roll your own” security monitors based on APM information.