ArcSight Expands Log Management Offerings
November 13, 2007 Alex Woodie
ArcSight, an established vendor of security information and event management (SIEM) software that’s planning an IPO, this week announced a new appliance-based log management product it says will make it easier for companies to comply with mandates like Sarbanes-Oxley and PCI. The new offering, called the Log Management Suite, will do this by streamlining the collection and storage of log data from disparate sources, and then simplifying the generation of compliance reports and dashboards that auditors create from log data.
Since ArcSight was founded by security software veteran Hugh Njemanze in 2000, the Cupertino, California, company has been selling a lot of licenses for ArcSight ESM, its flagship SIEM product designed to alert administrators to break-ins and other violations of their security policy, hopefully as they occur or soon thereafter. More than 350 organizations, including some of the biggest names in defense, energy, financial services, and healthcare, and about 20 major U.S. government agencies, have bought ArcSight ESM, and the product has received rave reviews from Gartner, among others.
While ArcSight has developed a solid reputation on the SIEM front and has good prospects in the field, which IDC says will grow from $993.6 million in 2007 to $2.2 billion in 2011, the company has worked to diversify its offerings by developing solutions in slightly different but related fields, including network and configuration management and the broad compliance management market. This shift was easier thanks to the rich assortment of connectors the company had developed for ArcSight ESM, which allows the SIEM product to process log data sent to it from various operating systems, databases, applications, and network devices. Currently, that connector collection numbers about 180, and includes connectors for IBM System i and System z servers, which the company views as a strategic advantage.
But having deep and broad access to log files stored on servers and network devices is a mixed blessing. While collecting those logs is mandated by regulations like SOX, PCI, HIPAA, FISMA, GLBA, and JSOX (Japan’s version of SOX), the flood of log data is swamping companies, says Ansh Patnaik, senior product marketing manager for ArcSight. “The fundamental challenge that organizations face is how do I capture all this data, especially from legacy sources, and then how can I automate audits and easily extend access to different consumers, in particular auditors, but also other constituents?”
About a year ago, ArcSight rolled out its first log management appliance, called the Logger. This product was designed to be installed at a company’s headquarters, where it stores terabytes’ worth of log data sent to it by agent-based software products installed on the target devices. It could process 75,000 events per second.
However, there were problems with the agent-based approach used with the first-generation product, according to Patnaik. Running more software on servers makes them run slower, and can interfere with the actual work. After all, you don’t buy a server to generate log files; you buy it to record your sales and process other transactions.
ArcSight addressed this problem with the new Log Management Suite, part of which includes three appliances that handle the log collection workload and compress and encrypt the data before sending it off to the big log archive located at headquarters. “The idea is to be within that trusted network so you’re collecting remotely, and you can ensure secure and reliable transfer of all logs from all sources back to the central site, but to do it off-board, so you don’t impact the actual servers that are generating the logs,” Patnaik says.
The appliances are rack-mountable servers powered by dual-core AMD Opteron processors and a Linux variant. They include the low-end L3000M appliance, which supports up to 2,000 events per second (EPS) and costs $20,000; the midrange L5000S, which scales up to 5,000 EPS and costs around $50,000; and the big dog, the L5000X, which can process up to 100,000 EPS and costs (you guessed it) $100,000. While the line has more high-end oomph than it did previously, ArcSight expects more success with the entry-level and midrange boxes.
The other side of the Log Management Suite is new software designed to make it easier for auditors to do their jobs. This includes a new reporting portal that gives auditors the capability to automate much of the work involved in creating their reports, so the IT department doesn’t have to do it for them.
The new software also provides auditors with personalized dashboard views, “so they don’t have to sift through hundreds of reports that are device-specific and instead they get meaningful relevant views into the state of audits or the state of compliance,” Patnaik says. From there, “they can quickly drill down from the top-level view into more granular queries and investigate further and look for root-cause analysis or why the violations were occurring, so there’s a very intuitive view into compliance.” ArcSight also sells a variety of reporting packs for specific regulations.
ArcSight’s support for IBM System i and System z servers gives it an advantage as users of these systems look for ways to automate their compliance initiatives, Patnaik says. “The general trend in log management has been, for compliance you need to collect logs, and typically they’re protocol-level collection, so Syslog covers quite a few devices at the security and network layers,” he says. “We have support for mainframes and midrange servers as well, and that tends to be important in a compliance context because very often application data resides in these types of mainframes and midrange boxes.”
While Syslog provides some commonality, the industry is far from settling on a single log event standard, which keeps the money flowing to companies like ArcSight that can smooth over the differences. “Each log has its syntax; each device has its own syntax. We’ve abstracted that by providing one common taxonomy, and that’s what all the reports and dashboards are built on,” Patnaik says.
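To make the "one common taxonomy" idea concrete, here is an added illustration (not ArcSight's code or connector format) that maps three unrelated, constructed log syntaxes onto one field set and then builds an audit count on the taxonomy rather than on any device's syntax. The field names, sample lines and parser rules are all assumptions chosen for the example.

```python
import re
from collections import Counter

# Constructed sample lines, one syntax per source type (not real device output).
SAMPLE_LOGS = [
    "Nov 13 10:01:02 web01 sshd[2211]: Failed password for jdoe from 10.0.0.5 port 5022 ssh2",
    "Nov 13 10:01:09 web01 sshd[2211]: Accepted password for jdoe from 10.0.0.5 port 5022 ssh2",
    "2007-11-13 10:02:30 fw01 action=deny proto=tcp src=198.51.100.7 dst=10.0.0.9 dport=22",
    "AUDIT,2007-11-13 10:03:00,app01,LOGIN,svc_backup,10.0.0.12,FAIL",
    "heartbeat ok",  # unparseable noise: the pipeline must skip it, not crash
]

# One parser per source syntax; every parser emits the same (assumed) field set.
SSHD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")
KV_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<kv>(?:\w+=\S+ ?)+)$")

def parse_sshd(m):
    outcome = "failure" if m["result"] == "Failed" else "success"
    return {"category": "authentication", "outcome": outcome,
            "host": m["host"], "user": m["user"], "src_ip": m["ip"]}

def parse_kv(m):
    kv = dict(p.split("=", 1) for p in m["kv"].split())
    if "action" not in kv:
        return None
    return {"category": "network_access", "outcome": kv["action"],
            "host": m["host"], "user": None, "src_ip": kv.get("src")}

def parse_csv(line):
    parts = line.split(",")
    if len(parts) != 7 or parts[0] != "AUDIT" or parts[3] != "LOGIN":
        return None
    return {"category": "authentication",
            "outcome": "failure" if parts[6] == "FAIL" else "success",
            "host": parts[2], "user": parts[4], "src_ip": parts[5]}

def normalize(line):
    """Map one raw line onto the common taxonomy; None when no parser matches."""
    for regex, fn in ((SSHD_RE, parse_sshd), (KV_RE, parse_kv)):
        m = regex.match(line)
        if m:
            return fn(m)
    return parse_csv(line)

def audit_summary(lines):
    """Report built on the taxonomy, not on per-device syntax: counts by (category, outcome)."""
    events = [e for e in map(normalize, lines) if e]
    return Counter((e["category"], e["outcome"]) for e in events)
```

Adding a new device type means adding one parser; the summary and any dashboard built on it are untouched.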