Where on Earth is MARS?

“When MARS was first released to the market, it was a pretty compelling piece of technology”, says Dionex's Eric Hoy

Silicon Valley startups are typically the incubators of the next great tech product, security tools included. This same old story played itself out when Imin Lee and Partha Bhattacharya, two former Cisco employees, struck out on their own to create Protego in 2002.

The pair was looking to take advantage of the nascent SIEM market, competing against other like-minded startups. Their creation, MARS (Mitigation, Analysis, and Response System), sought to combine network, log, and security event correlation into one hardware appliance.

A track record of MARS success ensued, and Protego and its flagship product were eventually scooped up by networking giant Cisco in 2005. Soon after acquiring Protego in what it called an imperative move in its “self-defending networks” initiative, Cisco re-branded the product as Cisco MARS and, for the next few years, promoted it as a necessary component of its network security bundles.

Same Product, New Owner

According to Jon Oltsik, senior analyst and research director with Enterprise Strategy Group, Cisco MARS was “touted as an essential piece of the puzzle” when Cisco unveiled its latest network security initiative in 2006: SONA, or services-oriented network architecture. This program, said Cisco, would mean that security was “built into the network”.

Oltsik states that Cisco promoted MARS heavily, “using its enterprise network dominance to get MARS installed everywhere” by including it as part of many package deals. The analyst says, however, that Cisco was not keeping up on the development of its MARS SIEM, as reports about MARS issues kept coming his way.

After some investigation Oltsik found that, after touting the product so heavily, Cisco sales staff abstained from promoting it further. Cisco responded to his findings by saying that MARS was not a “general purpose SIEM, and that it is part of a Cisco security architecture”. So, unless you have a full-service Cisco shop, what the vendor was insinuating is that you may not be getting exactly what you thought you paid for.

Fast-forward to 2009, and MARS appeared to be on its technological death bed. As Oltsik notes: “Through this period, MARS went from critical component of Cisco’s ‘self-defending networks’ to the digital dustbin”.

So why exactly did Cisco pull the plug on MARS so quickly, especially with so many new users of the appliance in the marketplace? “MARS did not fit well into Cisco’s security portfolio as it has evolved”, says Richard Martinez, an analyst with Frost & Sullivan and resident expert on the SIEM market. Although MARS was a “major player in the SIEM market” according to Martinez, he says that Cisco’s original plans for the product never materialized due to overhead, implementation, and maintenance costs, in addition to integration challenges.

Martinez adds that Cisco originally intended “to develop additional features and add-ons to MARS from the features it acquired from Protego”. However, when Cisco confirmed in 2009 that MARS would no longer support non-Cisco devices, existing MARS customers found themselves out in the cold, unable to integrate additional third-party devices with their existing SIEM appliance.

“Cisco made the decision to end third-party product support to increase development and integration with its own security management products”, Martinez contends as part of his post-mortem assessment.

The cutting-edge features that made Protego’s MARS appliance so attractive to Cisco failed to ensure its longevity within the company’s product portfolio. So what are former MARS customers to do, especially if they maintain a shop that is not purely Cisco-based?

Is There Still Life in MARS?

If you ask Scott Gordon, VP of marketing and business development at AccelOps, the driving force behind MARS is very much alive and has led to vast improvements over the product’s previous incarnation. He relays the recent exploits of Lee and Bhattacharya, the same duo – and former Cisco alums – who started up Protego.

Their new start-up, AccelOps, is a result of a vision to combine various SIEM product ‘wish lists’, says Gordon, who is himself a CISSP. “Beyond compliance, security professionals wanted broader operational details as threats, both internal and external, were more sophisticated. Even with a SIEM, many times infosec professionals have to interface with other departments and tools to complete many tasks.”

To address these and many other issues, Lee and Bhattacharya assembled a development team “to apply their prior event correlation, network and systems development expertise” into one appliance with an easy-to-use dashboard, recalls Gordon. The product, which took the company’s name, began shipping in early 2009.

When asked what makes AccelOps a better product than its Cisco forerunner, Gordon believes the highlights are numerous. “AccelOps takes off where MARS left off by not only providing a more expansive SIEM, but also by merging performance, availability, change and service management into a highly integrated, scalable monitoring platform.”

All that marketing speak is quite nice, but Infosecurity asked Gordon to be a bit more specific. One of the features he emphasizes is its built-in, customizable dashboards, rules and reports, which he says “provides end-to-end visibility for the security analyst as well as IT staff”. And, of course, the product is offered as a virtual appliance, or SaaS offering, “negating traditional upgrade, capacity and scale limitation of conventional appliances”.

But Don’t Take the Marketing Guy’s Word for It

The superlatives Gordon outlines are interesting enough, but how does AccelOps work in the real world? For a bit of insight, we spoke with Eric Hoy, global IT manager for Dionex, a manufacturer of chemical analysis supplies.

Hoy oversees a Cisco shop that uses Cisco routers, firewall, and Cisco IOS Web Servers, in addition to 1500 employee users worldwide. Dionex has seven engineers who actively log in to AccelOps to monitor from an operational standpoint, and two users who perform regular analytics for compliance.

His company chose the AccelOps virtual appliance offering, rather than the SaaS product, which Dionex purchased in February of 2010 after a brief trial period.

“When MARS was first released to the market, it was a pretty compelling piece of technology”, Hoy recounts. “It was a game changer – being able to correlate logs and ascertain where the event occurred, and see the vector path. But operationally it wasn’t very functional. There wasn’t any kind of dashboard.”

He called Cisco MARS a very reactive tool, not a proactive one. He also added that it was not very cross-functional between teams and was very network-focused.

Hoy says MARS met all his compliance requirements. “But from an operational standpoint, or [with respect to] a future-proofing technology, AccelOps definitely wins hands down.”

The IT manager called AccelOps customer service and technical support “top-notch” during its trial phase, which has only increased since Dionex purchased the product and became a customer.

“The MARS support is very clunky, and slow moving”, notes Hoy. “If I need an enhancement or a feature request, I’m not sure I’m going to be heard.”

Still, Hoy says that using AccelOps is not quite as simple as removing the Slinky from its box. “The analytics takes a little time to get used to”, he says; with MARS, however, “it was like creating a wheel” each time you needed to produce a new report. Regardless of the learning curve, Hoy contends that AccelOps is very easy to use, and he knew it was the tool for his organization within 5 to 10 minutes of seeing a product demo.

What the Future Holds

AccelOps’ Gordon says that transitioning from Cisco MARS to his company’s appliance is a snap, but one can’t help but wonder, will the company survive to make good on its promises to deliver a more customizable SIEM appliance? Given the track record customers may have experienced with MARS, it’s an extremely valid question.

“The handling of sensitive information is a top priority, with the increase of cybercrime, fraud, and theft and the complexities of these attacks”, says Frost’s Martinez. He adds that where vendors tend to trip up is in offering the proverbial ‘one-size-fits all’ product, and that several vendors specializing in the mid-market “are finding much success”.

What AccelOps has going for it as a company is that it tends to target larger to mid-market enterprises and, now, service providers. The company aims to offer these organizations a range of solutions to fit their SIEM, operational monitoring, and cloud monitoring needs. So if the product delivers on these promises, then the future of AccelOps should remain bright.
