Thursday, March 31, 2011

Is ArcSight harder to use?

Interestingly enough (if I read Google Analytics correctly) the post I created back at the beginning of November related to the question of whether ArcSight is hard to use was the most visited page over the last month. In fact I think it has been on or towards the top of the list since I posted it. Since I have some time on my hands I figured I would write a sort of follow-up to that post. Once again I will state that my only SIEM experience is with ArcSight, so maybe someone will speak up for the other SIEM engines out there and/or tell me if I’m way off base.

I still maintain that asking if something is “hard”, generally speaking, only gets you so far. Having some context implied in your question might get you an answer closer to what you are really looking for. Is calculus hard? Depends on who you are talking to. Is calculus harder than basic algebra? Yup. Is “ArcSight” hard to use? Depends on who you are talking to. Is ArcSight harder to use than some other SIEM? Ahh, now we are getting somewhere. I did have sort of an interesting thought while reading the SIEM implementation book I wrote a review of back in January (at least it was interesting to me).

Two chapters are devoted to each SIEM covered in the book. Alphabetically they are AlienVault OSSIM, ArcSight ESM, Cisco MARS, and Q1 Labs QRadar. The first chapter for each basically covers implementation/basic installation; the second takes a deeper dive into the product. The second chapter usually starts by saying here is the default dashboard, navigation will lead you here, here, or here, and you can customize it thusly… except for ArcSight. The deeper dive into ArcSight starts with a discussion of what filters are. From there it goes into a decent bit of the backend structures. Now, this book is written by multiple authors who likely focused on specific chapters. This chapter though is surprisingly different from its counterparts – at least it seems so to me. In fact it doesn’t have a bolded section talking about dashboards at all, even though there are quite a few dashboards included in the stock content that comes built into the ESM.

One might speculate a great number of things from this. It could be that the different authors interpreted their writing assignments differently, or that this chapter’s author wanted to get to the meat and potatoes and be less sales-pitchy. Of course you could speculate on the other end of the spectrum as well. The writer of this chapter is probably well familiar with ESM and perhaps, at almost a subconscious or Freudian-slip-of-the-tongue level, in carrying out the writing assignment is acknowledging that 1) ArcSight ESM is a deep, multi-faceted beastie with a lot of moving parts you should understand before we get into a discussion of actually looking at a pretty, bubbled-up view of the data, and/or 2) there really isn’t a centralized, intentionally developed methodology baked into the product on HOW you should be looking at the data. Many times I thought of ArcSight more in terms of a platform for developing content that was interesting to me/us, if that makes sense. There is also the aspect of looking at each product’s roots. One aspect, for example, is that it is my understanding ArcSight comes out of a background of larger companies having multiple analysts using the ESM on a daily basis. When I went through training the emphasis was on the Active Channels (where you can watch events flow by in real-time or in a historical replay mode) with a side dish of dashboards. Perhaps the other products reviewed in the book come out of more of an SMB setting with fewer FTEs, so their focus was less on event flow and more on after-the-fact analysis.

All this to say that if you tend to equate “complex” with “hard”, then ArcSight might indeed be harder to use than a different product simply because it requires perhaps a bit more upfront work. Gaetan posted an interesting comment on my “Is ArcSight hard” post. Here is an excerpt:

"There are so many possibilities, so many ways to explore [data] that you can only see the tip of the iceberg when you start working in this field and the product can seem to be too complex for what you want to achieve. Some time later, when you start to masterize the possibilities, you will get exactly the opposite feeling, you will feel like the product is missing some features and should be even more complex."
If the end of that is true – wanting ArcSight to be more complex after you have wrapped your arms around what it can do (note how to boil the ocean) – how much more so will that be the case with a different product? Don’t get me wrong, I’m not trying to bash the other products reviewed. I have little doubt they are good and have a lot going for them. Heck, at the end of the day ArcSight, or any SIEM for that matter, might NOT be the tool you really need, for any number of reasons, when it comes right down to it. Conversely, one of the other products might be a better fit for any number of reasons. While the picture below isn’t great, it does speak to some of the semantic hairs and word relations I think of. What you really need though is more of a 3D sliding scale where time (months to years) is the third axis.
I am not really trying to say that if something starts out easy (easier vs. harder) it can’t become complex, but perhaps there is less overall complexity potential, or in our case maybe less potential for customization longer term? Similarly, while something may be conceptually simple, it might be hard to actually implement.

To sort of wrap all this up then. Is ArcSight hard to use? Depends on how you define “hard.” Is ArcSight harder to use, or does it require more work up front, than (insert product)? Maybe/probably. Now you have to ask the next question – is it worth it? The short answer, to me, is a definite yes. The longer answer depends on many things: manning, management backup/buy-in, tactical/firefighting mentality vs. strategic vision, complexity and size of your environment, etc. I think ArcSight for a while now has been trying to crack the make-it-easier-to-use nut and is coming out with product offerings (ESM Express) and solution packs (content accelerator packs) aimed at shops with a smaller window of time they are able to devote to tool learning and ROI-esque curves. I think this is a good move. It will be interesting to see where the product goes under HP’s direction.
