Keeping track of all the data generated by firewalls and security devices can be tricky. So much, in fact, that monitoring and interpreting all of that data can be virtually impossible.
Start-up ArcSight hopes to change all that with the release of its inaugural product, ArcSight 1.0. The product allows companies to get their arms around all of their security devices from firewalls to intrusion detection servers, said Larry Lunetta, a spokesperson for the Sunnyvale, Calif.-based company.
ArcSight 1.0 is made of three components: agents to collect data from devices, a server based manager to analyze the data and a console (or consoles) that allow users to see all the collected data.
Such an approach provides users with a holistic view of their infrastructure in real-time, which is good for thwarting attacks, said Matthew Kovar, director of security solutions & services consulting at Boston-based Yankee Group. ArcSight also collects enough data that in-depth forensic analysis can also be done. For example, a user can see if a certain port was probed once a day for the past six months. Such activity may not set off an Intrusion Detection System (IDS) device, but could still be worrisome.
Products such as ArcSight 1.0 gives users context for the information generated by firewalls and other devices, Kovar said. For example, an IDS system may report an attack but one would need information from the firewalls and routers to figure out where
How ArcSight does all the collecting
ArcSight 1.0 uses SmartAgents, which are small software programs that collect data from the devices. They can collect using everything from simple log parsing and loading to network listening. The collected data then travels (encrypted) to a database based on the server-mounted ArcSight Manager. The data is then analyzed to see if anything suspicious is occurring.
The manager looks for correlation between two or more events to determine an incident. Rules determine whether two events such as a buffer overflow and a FTP out equal an attack, Lunetta said.
Pre-set rules for common events are included in the product but users can set develop their own either by tweaking the pre-existing ones or starting anew. As new vulnerabilities and attacks are known, ArcSight may release some "rules packs" to address them, Lunetta said.
ArcSight 1.0 also comes with Knowledge Base, which allows users to set up their own policies and procedures for dealing with certain events. For example, who should be contacted in the event of the attack?
Users can view all the collected information in a work station-based console. A slightly scaled back Web interface is also included. ArcSight 1.0 can also produce a variety of reports from a pre-set list of over 100 or users devise their own.
Essentially companies with a lot of devices or those producing a lot of information would benefit. To put it another way, companies with the need for employees with "infrastructure security" in their titles or who spend more than 50% of their day on complex network security issues, should consider such management software.
The market for such monitoring products is still rather small, Kovar said. The market should be about $45 million but it should rise to $90 million next year, he said. Companies shouldn't be skittish about implementing such products, he said.
"You should bring in a couple of vendors and evaluate what they have. It wouldn't cost you anything. The vendors are pretty eager for customers," Kovar said.
Generally, ArcSight installations will cost between $100,000 and $500,000, Lunetta said. Pricing for the product depends on how many agents are needed, the power of the host server and the number of consoles needed. The Java-based application runs on Linux, Windows NT and Unix.
FOR MORE INFORMATION: