Aside from blocking hackers, the biggest headache in corporate computer security, according to computer security managers, is dealing with the overwhelming flood of data from the very devices that are supposed to help protect a company’s network: firewalls, intrusion detection systems, anti-virus and access control programs.
Tuning such devices is a hit-and-miss affair. Set the parameters too low, and the organisation gets bombarded with a high number of false alarms, set them too high and there is an increased chance that genuine threats are missed.
Getting that balance right is made all the more difficult by the absence of any central management console capable of correlating data from all these sources, filtering it, analysing it and providing meaningful alerts, forensics and unified reports.
That is where ArcSight thinks it can play a significant role. “Before we built a product, we talked to [potential] customers, and what became clear was that what they really wanted was an ‘air traffic control’ for security,” says ArcSight CEO Robert Shaw. The company’s TruThreat console, released in January 2002, works by correlating the event logs of the different security devices on the network and filtering messages according to rules such as the scale of the supposed threat and the importance of the asset being protected.
For example, if the ‘Slammer’ worm that only affects Microsoft SQL Server databases is picked up by an intrusion detection device protecting a Linux server, the system knows to disregard the threat.
Such capability does not come cheap: TruThreat will set customers back about $0.5 million, and the company often requires the co-operation of security software vendors to help ensure support for their products. ArcSight currently has relationships with Check Point Software, ISS and Cisco, for example.
Such partners, however, may turn into competitors as threat management consoles become a central part of enterprise security.