Wednesday, December 7, 2011

Oh the pain of marketing material

Ok I can’t resist. I tried but I can’t. Let’s just get it out of the way that I’m a big ArcSight fanboi. Does it have its faults, bugs, and places that could use some TLC work/rework? You bet. What software doesn’t though? Is it a powerful platform that can act as a force multiplier when it comes to your InfoSec program? Absolutely! Does it do stuff natively that other products haven’t even thought of? Only in ways I didn’t fully realize until using other products that leave me scratching my head in wonderment. Would I like to work at ArcSight if the right position came up that didn’t require a ton of travel? Yup. Might this post kill that chance? Doh – maybe.


So I’m reading the July/August Information Security magazine (pdf link) and I come across a full page ArcSight ad with a line that reads “Finely tuned to combat cybertheft and cyberfraud, the ArcSight ETRM (Enterprise Threat and Risk Management Platform) gives you better visibility of real-time events and better context for risk assessment, resulting in reduced response time and costs.”

Here is the key – as a sentence fragment, what is “finely tuned to combat cybertheft and cyberfraud” referring to? The way it is written, it comes off as finely tuned and ready to rock out of the box. While the stock content has value, there is no way it meets the expectations set by that statement. Does any tool work that way really? Really? How is that IPS that you don’t devote any resources to working for you these days? No, 1/10th of an FTE doesn’t count. Is it finding a lot of cyber stuff you are running to ground? Part of the problem with the SIEM market as a whole is that THIS is the way it has been marketed, which leads not to SIEM deployment failures as much as SIEM integration failures. Of course the distinction isn’t categorized correctly, and now you have efforts to rip and replace tool X with tool Y because tool Y will solve all the problems tool X didn’t... other than the fact that we didn’t use, resource, or integrate tool X in any meaningful way.

Since I’m already ranting I might as well bring up another portion of the problem. For whatever reason there is a disconnect between getting visibility into an issue/anomaly and then actually doing something about it. “We aren’t satisfied with our SIEM because it didn’t fix my cyber problems.” Well... yeah.

ArcSight certainly isn’t a panacea for every cyber ill, nor is it the tool of choice for every company, for a myriad of reasons, but here is the deal though – if you as the user of ArcSight start to tune the engine, it will start to kick so much ass you won’t know what to do with it all. Further, it has the ability to mature with your InfoSec program in a way that other point solutions can’t. I would go so far as to say the more strategic your program is, the more use you can extract out of your ArcSight solution over the long haul.

ArcSight – maybe there have been changes since I used the product, but just be aware of the subtle expectations you are setting, and why what I hear time and again from potential customers is “I’ve heard ArcSight is hard/requires X, so I am a bit wary of using them.”
