Real Time Forensics from Log Data? ArcSight Says It's Got It

Published: August 26, 2008

by Alex Woodie

With the onslaught of identity theft and the increase in instances of corporate data loss these days, forensics is becoming a word more IT administrators are becoming familiar with. In the world of log management solutions, however, most vendors make users choose between speedy log collection and the capability to forensically mine for important system events. With the addition of "forensics on the fly" to its Security Information Event Management (SEIM) system, ArcSight claims users can now do both without compromise.

ArcSight sells several inter-connected products that make up its SIEM platform. It sells an Enterprise Security Management (ESM) product that is geared more toward security than the regulatory compliance end of the collective log. It also sells ArcSight Connectors, which collect logs from more than 275 applications and platforms, and the ArcSight Logger, an integrated appliance for managing logs. Regulatory compliance reporting packages and an identity monitoring product round out the vendor's offerings.

ArcSight says the addition of "forensics on the fly" to the Logger will enable IT and forensics teams to drill down into source events at a moment's notice. As a starting point to the forensics process, the vendor developed a new dashboard interface to the Logger that combines several pertinent reports into a single role-based view. From these dashboards, users can view detailed information, or utilize a new search capability designed to help with root-cause analysis.

When users find violations or other worthwhile events through the search function, they can automatically create alerts that will notify them in real time if the same or similar events occur on the system. ArcSight has also enabled users to drill down into the underlying events directly from the alert.

ArcSight, in effect, has closed the loop between the real-time alerting component of its compliance offering, which was primarily used to detect and notify administrators of regulatory policy violations, and the forensic component of its system, which used to be primarily an "after the fact" activity.

Reed Henry, senior vice president of marketing for ArcSight, provided this perspective: "Our ArcSight ESM [Event Security Management] customers have always enjoyed the ability to drill down from correlated notifications into the events behind those notifications," Henry says in a prepared statement. "With this release of ArcSight Logger, we have added this ability to mine events, or as we call it, forensics on the fly, to our log management products, delivering much needed productivity to log analysis and forensic investigation. Now organizations of any size can quickly and cost effectively conduct informative investigations to determine the root cause of log alert events in real time."

The Cupertino, California, company also recently rolled out a new PCI Logger appliance, which is designed to help customers store log data pertinent to the Payment Card Industry's data security standards (DSS). PCI Logger includes 45 alerts that have been pre-mapped to DSS requirements, as well as the forensics on the fly capability.

ArcSight, which went public less than a year ago on the NASDAQ National Market, also announced its first shareholder meeting. Shareholders of the company, which has enjoyed a 50 percent increase in its stock value since May following flat growth over the first few months of the year, will meet September 25.

RELATED STORY

ArcSight Expands Log Management Offerings

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot