This is a question I have a tough time with and, frankly, it drives me a little crazy. Actually, the question can be legit; it's the various offshoots of the question, implying ArcSight IS hard to use, that I have trouble with. Outside of a conversation about GUIs and interface ease-of-use issues (which certainly can make a huge difference), I mainly have two thoughts about the whole thing.
The first is that the question has weight really only while you are going through the process of picking out a SIEM. Once you have pulled the trigger you are stuck with whatever product was chosen, at least for a couple of years, simply because of cost. In that sense: square your shoulders and suck it up. All tools require you to get over a learning curve. This leads directly into the second thought.
Don't whine about how hard something is to use if you never use it! Crazy thought chain here: more than occasional use leads to familiarity, which leads to greater and greater ease of use, not to mention better results. This obviously applies to more than just your SIEM. If you have tools in your cyber or garage tool chest that you never use, why are you surprised when they are “hard to use” or you can't get the results from them you would like?
Now, you will have to forgive me if that seems a little direct. I attended a Dave Ramsey EntreLeadership event, which sort of inspires one to be so. At the same time I'm passionate about what I do; ArcSight is simply the tool by which I work on cyber stuff. If you aren't passionate about being in this industry or doing this sort of work... why the hell are you still doing it? I have heard things like “our product is easier to use than ArcSight” from a few of their various competitors (who also focus on only a segment of the events in the IT world or the OSes out there) and have even heard “I wish ArcSight was easier to use” internally. In the interest of full disclosure, I have even said it myself a time or two. In my mind, though, the question and its implication fall into a category similar to asking if driving a manual transmission car is hard, if riding a bike is hard, or if working on a car, gutting a fish, or managing a firewall are hard things to do. Are you asking a qualitative or a quantitative question here?
The overarching challenge isn't ArcSight or your SIEM of choice being “hard to use”, generally speaking; it's the mission and what is hoped to be accomplished through it. On top of that, people generally are under the impression they bought something that is a cross between a magic 8 ball and a one-armed bandit. You ask the SIEM a question, shake it a little, pull the arm, and out drops evidence to support that something has or has not happened (always a fun thing to do: showing evidence of a null event). The reality is that not only are you sucking in events from multiple and disparate systems and vendors, but you are somehow trying to make a correlation between apples and oranges... and grapes... and giraffes and monkeys. From a myriad of examples that could be used, tracking user movement and everything they did while at work is one of those conceptual goals that is (surprising to some) painful to achieve technically, even if you are in a ridiculously locked-down environment. For almost two years I drove my truck with a busted fuel gauge, so I used the trip meter on my odometer to estimate when I needed to visit the gas station. Take the complexity of that relationship and multiply it by 100 and you start to approach where SIEM begins to operate. Throw in a hundred million or several hundred million events per day, combine that with not devoting enough time and effort to the tool (not an uncommon story from what I have heard), and is it any wonder “SIEM is hard” or you don't get the performance you had hoped to get from your magic 8 ball-esque thing-a-ma-dubie?
Don't get me wrong: ArcSight isn't all gum drops and sunshine. Without spending more than a minute on it I can think of a half dozen things I would like it to be able to do, or to have fixed, worked or reworked. But why be surprised or complain about ArcSight not being as good as your vendor-specific, single-event-type tracker when that isn't the level at which it is designed to operate?
So whom am I talking to here? Me. You. Them. Probably “them” most of all.
Would be interested in your take on this.
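The apples-and-oranges problem above (tracking one person across disparate sources) is easy to show in code. The following is an added example, not from the post and not ArcSight code: three constructed log lines for the same person, from a fictional Windows host, VPN concentrator and badge reader, each with its own identifier format and timestamp convention. The source formats, hostnames, badge number, the badge-to-user map and the UTC-5 site offset are all assumptions. It shows why a join on the raw user field sees three different people and what normalization has to happen before a timeline exists at all.

```python
"""Cross-source user tracking: why it is harder than it looks.

Three constructed events for one person.  Identifiers differ
(CORP\\jdoe, jdoe@corp.example, badge 10045) and so do the clocks
(Windows in UTC, VPN and badge reader in local time, assumed UTC-5).
"""
from datetime import datetime, timedelta, timezone
import re

# Constructed sample events, not real logs.
RAW_EVENTS = [
    ("windows", "2013-03-04T14:02:11Z host=WS042 EventID=4624 user=CORP\\jdoe"),
    ("vpn",     "Mar  4 08:40:12 vpn1 sslvpn: login ok user=jdoe@corp.example src=203.0.113.5"),
    ("badge",   "03/04/2013 08:58 BADGE 10045 DOOR LOBBY-1 GRANTED"),
]

# Assumed identity map (badge number -> account) from an HR / physical security export.
BADGE_TO_USER = {"10045": "jdoe"}
SITE_TZ = timezone(timedelta(hours=-5))   # assumed local offset of vpn1 and the badge reader
SYSLOG_YEAR = 2013                        # syslog lines carry no year; assumed


def canonical_user(raw):
    """Collapse DOMAIN\\user, user@domain and bare user into one lower-case id."""
    raw = raw.lower()
    if "\\" in raw:
        raw = raw.split("\\", 1)[1]
    if "@" in raw:
        raw = raw.split("@", 1)[0]
    return raw


def normalize(source, line):
    """Parse one raw line into a common schema: ts (UTC), user, source, action, raw_user."""
    if source == "windows":
        m = re.match(r"(\S+) host=(\S+) EventID=(\d+) user=(\S+)", line)
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {"ts": ts, "user": canonical_user(m.group(4)), "source": source,
                "action": "logon", "raw_user": m.group(4)}
    if source == "vpn":
        m = re.match(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ .*user=(\S+) src=(\S+)", line)
        local = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return {"ts": local.replace(tzinfo=SITE_TZ).astimezone(timezone.utc),
                "user": canonical_user(m.group(2)), "source": source,
                "action": "vpn_login", "raw_user": m.group(2)}
    if source == "badge":
        m = re.match(r"(\d\d/\d\d/\d{4} \d\d:\d\d) BADGE (\d+) DOOR (\S+)", line)
        local = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M")
        # Unknown badges stay distinct so they are not silently merged with anyone.
        user = BADGE_TO_USER.get(m.group(2), "badge:" + m.group(2))
        return {"ts": local.replace(tzinfo=SITE_TZ).astimezone(timezone.utc),
                "user": user, "source": source,
                "action": "door_" + m.group(3), "raw_user": m.group(2)}
    raise ValueError(f"unknown source {source!r}")


def naive_user_count(raw_events):
    """What a join on the raw user field sees: one 'user' per identifier format."""
    return len({normalize(s, l)["raw_user"] for s, l in raw_events})


def build_timeline(raw_events):
    """Normalize every event and group by canonical user, ordered by UTC time."""
    timeline = {}
    for source, line in raw_events:
        ev = normalize(source, line)
        timeline.setdefault(ev["user"], []).append(ev)
    for evs in timeline.values():
        evs.sort(key=lambda e: e["ts"])
    return timeline


def session_window(timeline, user, max_gap_minutes=30):
    """(first action, last action) if consecutive events are within max_gap, else None."""
    evs = timeline.get(user, [])
    if not evs:
        return None
    for a, b in zip(evs, evs[1:]):
        if b["ts"] - a["ts"] > timedelta(minutes=max_gap_minutes):
            return None
    return (evs[0]["action"], evs[-1]["action"])


if __name__ == "__main__":
    tl = build_timeline(RAW_EVENTS)
    print("distinct raw identifiers:", naive_user_count(RAW_EVENTS))
    print("distinct canonical users:", len(tl))
    for ev in tl["jdoe"]:
        print(ev["ts"].isoformat(), ev["source"], ev["action"])
```

With three sources the example needs two regexes, an identity map, a time-zone assumption and a guessed syslog year before a single user's morning lines up; every real source you add brings its own version of each of those, which is where the effort in a SIEM deployment actually goes.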
Mark,
I think there are two reasons for having the feeling the tool is difficult to use.
The first reason only impacts people using the tool extensively. For these guys, each small bug, each badly designed part of the GUI, each missing feature can drive you crazy, because you have to perform a lot of manual actions, find workarounds, and wait for bug fixes. This can be very frustrating at some point, especially when bugs are not solved for years, but I don't think Arcsight is different from any other software from that point of view.
The second reason will impact less experienced users. Some people can find the tool difficult to use when it is the concepts that are difficult to understand. SIEM technology is relatively new and people are not used to it yet. Most of the AS users discover the correlation/log management/SIEM world at the same time they discover Arcsight, and they can associate the complexity of the field with the product itself. There are so many possibilities, so many ways to explore, that you can only see the tip of the iceberg when you start working in this field, and the product can seem too complex for what you want to achieve. Some time later, when you start to master the possibilities, you will get exactly the opposite feeling: you will feel like the product is missing some features and should be even more complex.
Gaetan