Security event management products have evolved from collecting logs to analyzing volumes of data and helping enterprises manage both network and security events. This week two vendors look to further expand their capabilities.
Competitors ArcSight and SenSage are set to separately announce new and upgraded products that promise to better secure and streamline enterprise networks for performance and compliance purposes. The companies compete in the SEM, or security information management (SIM), market with products that automate the collection, correlation and normalization of security logs from multiple devices.
To start, ArcSight this week will announce its plans to broaden its product portfolio with two new appliances -- Logger and Network Configuration Manager (NCM) -- that collect and store logs in line with regulatory requirements and automate network device configuration tasks, respectively.
"Our roots have historically been in SEM technology, which takes in information from multiple devices and reduces a lot of the noise to a few actual events and incidents," says Hugh Njemanze, ArcSight CTO. "Now we are looking to bridge the gap between network and security teams because events in each environment impact the other."
Logger, scheduled to be available this month for about US$75,000 per 1U appliance, is designed to collect and store network and security log data for compliance purposes. The appliance features 15Tbytes (or approximately two years) of storage for raw uncompressed data and a querying interface, which the company says makes it easier to narrow and expand search parameters across the data. Logger is installed on the network, typically in place of an in-house syslog server or in a convenient location to collect logs from myriad devices. ArcSight says one appliance can handle up to 75,000 events per second, and multiple Loggers can be deployed for higher-volume data collection in larger networks.
A second new product, NCM, falls more on the network side of the technology. The NCM appliance installs on a customer's management network or virtual LAN and taps into the configuration of network and security devices. Also scheduled to be available this month for about US$50,000, NCM is able to automate configuration changes, validation and documentation, ArcSight says.
"Logger lets you organize unstructured data and Network Configuration Manager allows you to take action and automate processes that are typically very tedious and time-consuming," says Dean Coza, director of product marketing. "The manual process of verifying configuration checks on a router can take up to four hours."
NCM performs a network discovery and monitors managed devices for changes in real time. The software then checks the changes against real-time policies to verify whether the changes are authorized and compliant. The product offers a Web-based interface in which NCM administrators can use pre-existing scripts to create automated actions with a wizard-like tool on the appliance.
Logger and NCM can work standalone or with ArcSight's flagship SEM software. ArcSight's Enterprise Security Management (ESM) software runs on a server and collects security event data from multiple network devices and security tools. Late last year ArcSight added features to its software that pinpoint suspicious activity on monitored network equipment based on time patterns, insider activity in real time, and historical analysis.
With competition from network configuration management vendors such as AlterPoint, Intelliden, Opsware and Voyence, ArcSight's Coza says the company is expanding its capabilities, but working to keep the complexity of its products at a minimum. "Our customers have indicated that an appliance is the way to go, and we can leverage any third-party systems they already use for discovery," he says.