• The Four Hundred
    ArcSight Updates SIEM Platform

    September 21, 2010 Alex Woodie

    ArcSight, which is being acquired by Hewlett-Packard for $1.5 billion, last week unveiled enhancements to its security information and event management (SIEM) platform, including its Enterprise Security Manager (ESM) offering and its log management solution, called Logger.

    Several interconnected products make up ArcSight’s SIEM platform, which the company claims is the most widely used SIEM solution in the world. When you consider that the company claims more than 100 banks, the government systems of over 30 nations, more than 55 U.S. Federal agencies, and more than 50 telecommunication service providers as customers, then you’re forced to conclude that ArcSight really knows its stuff.

    At the core of the suite is ArcSight ESM, a Windows-, Unix-, or Linux-installed product that does the grunt work of chewing through millions of security log files collected from customers’ networks, databases, IBM i and mainframe apps, and physical security devices; connecting suspicious events through advanced correlation algorithms; and then alerting administrators to potential security events. All this is done fairly automatically and in real time, which means it takes a lot of iron and is not cheap to install or run.

    ArcSight ESM 5.0 features a new user risk monitoring framework that’s designed to analyze the behavior of users, and ferret out possible threats emanating from inside the organization. Security studies repeatedly show that about two in three security breaches are perpetrated from internal users, even though hackers coming in over the Internet get most of the media glory.

    Tom Reilly, president and CEO of ArcSight, says organizations are realizing they need to become “multidimensional” in how they build security protections. “Organizations can no longer simply look for external attacks as the only threat,” Reilly says in a press release.

    Other enhancements in ESM 5.0–including a new Web services API, a new developer framework, and the addition of industry-specific field sets for the creation of custom SIEM applications–are geared toward making it easier for other vendors to tap into the ArcSight SIEM, and building out the ArcSight partner base. HP, as the world’s largest IT vendor, will undoubtedly look to leverage these new third-party hooks far and wide.

    With Logger 5.0, ArcSight has worked to simplify searching and report generation. The company added the capability to create reports against structured and unstructured data, and also introduced a new search language for people who prefer “iterative” searches, the company says. It also added new capabilities for tracking application build errors, failed login attempts, and CPU utilization.

    The vendor also expanded the ways in which people can use Logger. The product, which was previously sold only as an appliance, is now available as downloadable software, as a Web-based service accessed from Amazon, or as an appliance. Downloads start at $49, while the appliance version starts at $20,000.

    ArcSight also unveiled IdentityView 2.0, a new release of its user activity monitoring solution. Version 2.0 brings enhancements that will enable customers to “better understand who is on the network, what they are doing, and how that affects business risk,” the vendor says.

    ArcSight made the product announcements from ArcSight Protect ’10, its annual user conference, which is being held this week in Washington, D.C. The company, which went public in 2008 and brought in about $181 million in revenue last year, announced last week that it’s being acquired by HP for $43.50 per share. The acquisition is expected to be completed by the end of 2010.

    RELATED STORIES

    ArcSight Delivers SIEM to Mid Market Customers

    Real Time Forensics from Log Data? ArcSight Says It’s Got It

    ArcSight Expands Log Management Offerings




Volume 10, Number 33 -- September 21, 2010

Copyright © 2025 IT Jungle