<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Interesting ArcSight Comments</title>
	<atom:link href="http://www.zhen.org/zen20/2005/02/16/interesting-arcsight-comments/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.zhen.org/zen20/2005/02/16/interesting-arcsight-comments/</link>
	<description></description>
	<lastBuildDate>Wed, 28 Jul 2010 14:02:13 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
	<item>
		<title>By: Raffy</title>
		<link>http://www.zhen.org/zen20/2005/02/16/interesting-arcsight-comments/comment-page-1/#comment-153</link>
		<dc:creator>Raffy</dc:creator>
		<pubDate>Sat, 19 Feb 2005 23:15:17 +0000</pubDate>
		<guid isPermaLink="false">/?p=94#comment-153</guid>
		<description>I don&#039;t usually comment on things I read about ArcSight or claims I hear. However, in this case I am going to do it:

1. &quot;Number game&quot;: I somewhat like the answer you got, although there is none. There is a lot of &quot;fuzz&quot; about events per second (eps) and all that stuff. In my eyes it&#039;s very hard to make statements about eps. Not that it&#039;s impossible, but if I throw a number out there: 5000 eps. What does that mean? Nothing! NOTHING at all! Then company y tells you 10000 eps. Are they twice as fast? NO! How did I measure? How did they measure? You need a common platform that you measure on. Furthermore, do the two products conduct the same amount of work? Do they have the same features? Are the eps numbers measured on a machine that was under heavy load (e.g., someone running reports or live views in the background)? There are many, many unknowns and therefore I like the answer from the lady you met. I can tell you and your friends from Hightower that ArcSight has made a huge leap when it moved from version 2.5 to version 3.0 of the product. We learned and increased the throughput a lot and at the same time we reduced the amount of space we take up in the database. Have an independent organization test all the players! NSS: *hint*!

2. ESM: I mentioned that to someone else as well. For once I am happy with the marketing department :) SIM is a nice term, but it got overused. Event collectors/aggregators call themselves SIM. SIM is more. SIM has to do with correlation, it has to do with collecting security-related information from a network! But that&#039;s also where it stops. ESM is more. ESM has to do with security management. Business value. Business processes. I am not in marketing... Hope this makes sense nevertheless.

3. The third one I hope you got a bit out of context. There is a reason why companies like LogLogic, Addamark (sorry, SenSage), Network Intelligence, etc. have a place in the market. They are not ESM products and some customers don&#039;t need/want an ESM solution. (Well, I believe every company should have an ESM solution, but that&#039;s me.) You cannot get ArcSight for the price you get one of the other products I mentioned. That&#039;s why ArcSight focuses on larger companies. Do I make sense?

-- These were completely my opinions and clarifications. Don&#039;t take them out of context! --</description>
		<content:encoded><![CDATA[<p>I don&#8217;t usually comment on things I read about ArcSight or claims I hear. However, in this case I am going to do it:</p>
<p>1. &#8220;Number game&#8221;: I somewhat like the answer you got, although there is none. There is a lot of &#8220;fuzz&#8221; about events per second (eps) and all that stuff. In my eyes it&#8217;s very hard to make statements about eps. Not that it&#8217;s impossible, but if I throw a number out there: 5000 eps. What does that mean? Nothing! NOTHING at all! Then company y tells you 10000 eps. Are they twice as fast? NO! How did I measure? How did they measure? You need a common platform that you measure on. Furthermore, do the two products conduct the same amount of work? Do they have the same features? Are the eps numbers measured on a machine that was under heavy load (e.g., someone running reports or live views in the background)? There are many, many unknowns and therefore I like the answer from the lady you met. I can tell you and your friends from Hightower that ArcSight has made a huge leap when it moved from version 2.5 to version 3.0 of the product. We learned and increased the throughput a lot and at the same time we reduced the amount of space we take up in the database. Have an independent organization test all the players! NSS: *hint*!</p>
<p>2. ESM: I mentioned that to someone else as well. For once I am happy with the marketing department <img src='http://www.zhen.org/zen20/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />  SIM is a nice term, but it got overused. Event collectors/aggregators call themselves SIM. SIM is more. SIM has to do with correlation, it has to do with collecting security-related information from a network! But that&#8217;s also where it stops. ESM is more. ESM has to do with security management. Business value. Business processes. I am not in marketing&#8230; Hope this makes sense nevertheless.</p>
<p>3. The third one I hope you got a bit out of context. There is a reason why companies like LogLogic, Addamark (sorry, SenSage), Network Intelligence, etc. have a place in the market. They are not ESM products and some customers don&#8217;t need/want an ESM solution. (Well, I believe every company should have an ESM solution, but that&#8217;s me.) You cannot get ArcSight for the price you get one of the other products I mentioned. That&#8217;s why ArcSight focuses on larger companies. Do I make sense?</p>
<p>&#8211; These were completely my opinions and clarifications. Don&#8217;t take them out of context! &#8211;</p>
]]></content:encoded>
	</item>
</channel>
</rss>

