It's easy to see why once you take a close look at the company. When I asked them what, in their view, makes them innovators, the answer was: “We cover the whole range of SIM to SEM, plus log management.” Nice marketing words, but what do they mean? Well, quite a lot, actually.
First, they mean that ArcSight products provide the reporting speed of a SEM – their reporting is up to 100 times faster than their competitors – and the capture speed of a SIM. They do all of these things while they still are performing full correlation of data from a variety of sources.
Second, they mean that this is a very pragmatic company. ArcSight acknowledges that users are becoming more sophisticated about their needs. That means that the problem of correlation is becoming more complicated and the company needs to stay on top of it. There now are dozens of log sources. That complicates correlation significantly.
One particular challenge always has been with us, but with more complicated networks it is exacerbated considerably. That challenge is false positives. By combining threat logs with pre-known vulnerability scan results, an improved level of false positives is possible. While it is unlikely that a 0 percent false positive level ever will be achieved, ArcSight has had good results reducing the level from previous highs. The problem, of course, is that most SIEMs are at the mercy of logs they are correlating. That means that to add value the SIEM needs to do something special that can't be done with simple log correlation and analysis.
When I asked ArcSight innovators about the future, I was a bit surprised at their answer. First, they see the low and high ends of the market converging. Second, they were a bit blasé about such new directions as cloud computing (“good for experimenting, but not ready fy for mission critical uses”). Finally, they don't see virtualization as par as particularly challenging from a SIEM perspective. Time willl help us respond to all three.