Interesting ArcSight Comments

February 16th, 2005 | 1 Comment | Posted in General Technologies

So I was at RSA today talking to the various SEM/SIM vendors. I talked to one of the ladies at the ArcSight booth and I asked her whether ArcSight is a good solution for a company that’s got a bunch of Windows and UNIX servers and getting about 500 messages per second. The lady said several interesting things.

First, “we don’t play the numbers game.” I was actually told by High Tower to ask ArcSight this question coz High Tower kept saying ArcSight can’t handle the volume. I am not sure how to take it. Not sure if ArcSight can’t handle the volume or they just don’t want to measure their software that way.

Second, “we are not just a SIM vendor, we are in ESM. SIM’s just a component.” ESM being Enterprise Security Management. It’s ArcSight’s new marketing campaign but I am not sure what it exactly entails.

Third, she asked me “does the company have $1 BILLION in revenue?” I was like, what?! NO! She then said, “well, we really focus on LARGE enterprise customers with revenue over $1 BILLION. That company really should look at someone like LogLogic. They focus on the Global 2000 companies.”

I just thought these were interesting comments. Draw your own conclusions obviously.


One Response to “Interesting ArcSight Comments”

  1. Raffy Says:

    I don’t usually comment on things I read about ArcSight or claims I hear. However, in this case I am going to do it:

    1. “Number game”: I somewhat like the answer you got, although there is none. There is a lot of “fuzz” about events per second (eps) and all that stuff. In my eyes it’s very hard to make statements about eps. Not that it’s impossible, but if I throw a number out there: 5000 eps. What does that mean? Nothing! NOTHING at all! Then company y tells you 10000 eps. Are they twice as fast? NO! How did I measure? How did they measure? You need a common platform that you measure on. Furthermore, do the two products conduct the same amount of work? Do they have the same features? Are the eps numbers measured on a machine that was under heavy load (e.g., someone running reports or live views in the background?) There are many many unknowns and therefore I like the answer from the lady you met. I can tell you and your friends from Hightower that ArcSight has made a huge leap when it moved from version 2.5 to version 3.0 of the product. We learned and increased the throughput a lot and at the same time we reduced the amount of space we take up in the database. Have an independent organization test all the players! NSS: *hint*!

    2. ESM: I mentioned that to someone else as well. For once I am happy with the marketing department :) SIM is a nice term, but it got overused. Event collectors/aggregators call themselves SIM. SIM is more. SIM has to do with correlation, it has to do with collecting security-related information from a network! But that’s also where it stops. ESM is more. ESM has to do with security management. Business value. Business processes. I am not in marketing… Hope this makes sense nevertheless.

    3. The third one I hope you got a bit out of context. There is a reason why companies like loglogic, addamark (sorry, sensage), network intelligence, etc. have a place in the market. They are not ESM products and some customers don’t need/want an ESM solution. (Well, I believe every company should have an ESM solution, but that’s me.) You cannot get ArcSight for the price you get one of the other products I mentioned. That’s why ArcSight focuses on larger companies. Do I make sense?

    – These were completely my opinions and clarifications. Don’t take them out of context! –