ArcSight assesses the 'true scope' of security threats

Information Age (London, UK), May 10, 2003

Aside from blocking hackers, the biggest headache in corporate computer security, according to computer security managers, is dealing with the overwhelming flood of data from the very devices that are supposed to help protect a company's network: firewalls, intrusion detection systems, anti-virus and access control programs.

Tuning such devices is a hit-and-miss affair. Set the parameters too low, and the organisation gets bombarded with a high number of false alarms, set them too high and there is an increased chance that genuine threats are missed.

Getting that balance right is made all the more difficult by the absence of any central management console capable of correlating data from all these sources, filtering it, analysing it and providing meaningful alerts, forensics and unified reports.

That is where ArcSight thinks it can play a significant role. "Before we built a product, we talked to [potential] customers, and what became clear was that what they really wanted was an 'air traffic control' for security," says ArcSight CEO Robert Shaw. The company's TruThreat console, released in January 2002, works by correlating the event logs of the different security devices on the network and filtering messages according to rules such as the scale of the supposed threat and the importance of the asset being protected.

For example, if the 'Slammer' worm that only affects Microsoft SQL Server databases is picked up by an intrusion detection device protecting a Linux server, the system knows to disregard the threat.

Such capability does not come cheap: TruThreat will set customers back about $0.5 million, and the company often requires the co-operation of security software vendors to help ensure support for their products. ArcSight currently has relationships with Check Point Software, ISS and Cisco, for example.

Such partners, however, may turn into competitors as threat management consoles become a central part of enterprise security.

Company: ArcSight

Main activity: Security management software console

Founded: 2000

CEO: Robert Shaw

HQ: Sunnyvale, California

Status: Privately held. More than $30 million raised in three rounds of venture capital funding.

Revenues: Not disclosed.

Key competitors: IBM Tivoli, CA, E-Security, NetForensics and Symantec.

Infoconomy comment: IT security managers have struggled for years to cope with the stream of information and alerts from security devices. Though early to market, ArcSight is not alone is spotting the requirement for a threat management console that provides rules-based filtering, analysis and reporting.

www.arcsight.com