After HP Acquisition, ArcSight Lays Groundwork For Future At User Conference

HP exec says "a new approach is needed" for security
NATIONAL HARBOR, MD. -- ArcSight Protect '10 Conference -- Barely two weeks after Hewlett-Packard announced its intention to acquire ArcSight, the two companies appeared on stage here together before ArcSight users and talked about the future of security information and event management (SIEM).

In a surprise appearance at the annual ArcSight user conference on Monday, Bill Veghte, executive vice president for HP's Software and Solutions, Enterprise Business unit, said a "new approach is needed" for IT security, and HP's acquisition of ArcSight will make the combined company "better able to deliver on that approach."

Security "visibility" is a key element in HP's new approach, Veghte said. "You can't secure it if you can't see it," he said. The combination of HP's IT operations technology with ArcSight's SIEM technology will help companies correlate security information faster and remediate their security problems sooner, he said.

Because the merger between HP and ArcSight is not expected to be complete until the end of the year, executives from the two companies could not comment on their specific plans for integrating their respective technologies. But in an interview, ArcSight CEO Tom Reilly discussed his perspective on the future of SIEM.

"I believe that SIEM will move from being a point product to becoming a platform that every company will standardize in the near future," Reilly said. "IT operations and SIEM will interoperate more closely, but that doesn't mean you need to get them all from one vendor. The technologies of each will be a stand-alone decision.

The integration of SIEM and IT operations will speed the remediation process, Reilly said. "Once we've identified a threat, our job is over," he said. "What we need to do is hand that information over for remediation, through better integration."

At the conference, ArcSight introduced two new products, the Logger 5.0 log analysis tool and enhancements to its Enterprise Threat and Risk Management (ETRM) tool. Reilly said the new tools are part of ArcSight's new approach to SIEM.

"What we need to realize is that the old perimeter defense approach doesn't work anymore," he said. "You have to assume you've been breached, and then be able to respond." Log analysis helps identify the source of an attack or breach, while ETRM helps companies understand the potential risks associated with a compromise, he said.

But users say SIEM tools don't always provide the visibility they need. For example, most SIEM tools don't provide information about data traveling through third-party networks and systems, such as service providers and cloud environments, noted Blair Linville, vice president of enterprise technology at Harrah's Entertainment. "That's the worst blind spot for SIEM tools right now," he said.

Reilly agreed, but noted that many ArcSight customers are extending their environments to gain visibility into partners' networks. "We're seeing more and more customers doing it," he said.