Wednesday, May 12, 2010

A brief FUD and SIEM thought

A buddy at work ran across a Wall Street Journal article that mentioned "Arcsight’s profits were up over 300% last year despite the recession and sales were up over 30%." This was basically attributed to FUD.

Of the many things you could say about those stats, the one that is most on my mind is that I hope the companies that bought the software didn't just buy it to "do SIEM" or check a box and deploy it in a manner that will simply lead to failure or underutilization. At the very least I hope they have, or are willing to set aside, most of an FTE for care and feeding of the system.

I had a conversation with an ArcSight VP who mentioned one of their observations/frustrations is going back to a company two years after their professional services helped with an install and basically seeing no new content. To that end I think there is a very real effort within the company to make things easier and introduce some scaling (downward) for medium and smaller customers. The reality is, though, imho, SIEMs aren't an InfoSec product like other point-specific InfoSec solutions. In other words, you buy AV, IPS, FW, etc. to address a specific issue in your environment. A SIEM is really more of a platform you can use to survey normalized event data from across your network. To that end it requires effort to build and maintain content, as well as effort to (crazy thought here) respond to the issues found.
