HPE Software is now Micro Focus
Protect Your Assets

What is SIEM Anyway? How the evolution of threats has changed Security Operations
How the evolution of threats has changed Security Operations:

What does “SIEM” mean to you? SIEM, or security information and event management, is a decade-old term coined by Gartner analysts to describe what was then the state of the art in real-time monitoring and correlation of alerts to help organizations detect and respond to security threats. The SIEM is just one tool in the arsenal of modern Security Operations, where the sophistication, frequency and danger of threats have greatly exceeded what the first-generation SIEM technologies of yesterday could handle. It may be the beginning of an effective security operations strategy, but it is not the end. ArcSight has been leading the Security Operations market for more than 15 years, since before the advent of the term SIEM, and continues to thrive in the world’s largest, most hostile security environments.

With the publication of the latest Gartner Magic Quadrant (MQ) for Security Information and Event Management (SIEM), it has been important for us to reflect on our position in this particular view of the market. For the first time in the history of the SIEM concept, Gartner does not place ArcSight among the leaders in the SIEM market. Has ArcSight truly missed the market and fallen out of its enterprise leadership position in Security Operations? Or has the Security Operations market evolved beyond a narrow view of the utility of standalone SIEM technology and its effectiveness against advanced threats to large enterprises?

I have been involved in a dozen MQ cycles as a security vendor over the years, across four different security markets, and in general the exercise ends up providing the buying public with a comprehensive view of a market for the neophyte. It is rare for the large enterprise customers that we deal with to use this as a primary buying criterion, but it is certainly an influential and effective tool for short-listing and justifying investments during procurement processes when someone is making an initial entry into that particular technology. In my dozen MQs over the years, this is the first time that I have seen the perspective of the publication miss the enterprise market reality that we experience and the evolution that we see on the ground, battling adversaries alongside our thousands of enterprise customers every day.

Just as the threat landscape is rapidly evolving, global Security Operations has shifted beyond the basic SIEM capabilities suitable for small and medium-sized businesses. For large enterprises, the architectures have been forced to change. To keep pace with the volume of data and threats in today’s complex, hybrid IT environment, enterprises need a modular and open architecture that gives them the speed and scale to detect and address sophisticated attacks quickly. The SIEM needs to be the foundation and central hub of an intelligence-driven Security Operations strategy that gives organizations the flexibility to connect and normalize data from their many security tools and data lakes across multiple vendors. Security Operations must have full visibility across traditional, cloud, mobile, IoT and ICS environments, beyond what a SIEM alone can see. It must strike a balance between detecting known threats in real time with a SIEM and supporting advanced investigation, hunt and incident response processes that identify and act fast against the more dangerous unknowns in the enterprise. Powerful analytics, based on security experience from thousands of successful deployments across the largest and most complex organizations in the world, are necessary to enable these higher-maturity security operations capabilities.

ArcSight Delivers Customer-Centered Innovation

We have seen this shift in the threat landscape, and customers’ requirements have changed with it, so we have introduced a transformative ArcSight suite designed for the enterprise Security Operations team.

The award-winning ArcSight Data Platform (ADP) provides the foundation of the intelligent Security Operations Center (SOC) and opens up the data layer so that you can pull data from anywhere and send it to any location. Data is no longer trapped within the SIEM, giving you the flexibility and visibility to manage and monitor your entire environment, as well as respond to the most pertinent threats. Pair this with the integrated Kafka-based Event Broker, which allows for the consumption of up to 1 million events per second, and MSSPs and SOCs now have a solution that delivers the speed and scalability to manage today’s risk environment.

More than 400 customers have adopted this new ArcSight architecture and we’ve already seen strong customer and industry validation. According to Eric Parizo, Global Data, “ArcSight Data Platform, the next-generation data collection and storage component of the ArcSight Platform, has been revamped to better integrate with third-party systems for data collection, data export, threat-hunting, and analytics tools from Micro Focus and third-party vendors. Now ArcSight is positioned to compete for a place in security operations centers (#SOC) for years to come.”

Continuing the theme of an open environment, we have built a strong partner ecosystem. With more than 70 MSSP partners, more than 130 integrations and partnerships through our Technology Alliances program, and more than 400 Connectors, we help our advanced customers get the most out of their investments and ensure ArcSight is the central hub of their security operations strategy.

Earlier this year we also introduced ArcSight Investigate, a threat investigation and advanced analytics solution that enables you to proactively hunt for unknown threats. Powered by Vertica, one of the most powerful analytics platforms in the world, ArcSight Investigate delivers intuitive natural language search, intuitive visualizations and advanced detection analytics to support hunt team and investigation workflows without leaving the ArcSight platform. ArcSight Investigate helps address the talent shortage in the SOC by using a true analytics platform to speed up and simplify the investigation and hunting process for beginners and experts alike.

Evolving Beyond SIEM

The ArcSight portfolio has also entered an exciting new chapter as part of the new Micro Focus. Our security portfolio has expanded with the inclusion of NetIQ identity and access management solutions and the Sentinel SIEM, which is also featured in this MQ. We are only at the beginning of leveraging these rich, innovative identity-centric security technologies to enrich security operations with real-time user context, and of combining the best of the Sentinel SIEM platform with the open ArcSight platform to further enhance its power and scale.

As attackers continue to evolve, so too must our security solutions. A SIEM-centric view of Security Operations, while important for smaller, less mature organizations, misses the most important evolutions that our customers have come to trust ArcSight for. We believe today’s Security Operations begin with a “SIEM” that is scalable and open, with integrated analytics, and that provides the full visibility needed to respond to both known and unknown threats in real time. Effective, mature Security Operations, however, require you to partner with an organization that has proven success in the most demanding environments, at massive scale. We invite you to turn away from the SIEM-centric past and experience the new ArcSight for yourself.