Ten years ago Hugh Njemanze felt that security professionals were missing something: accurate and easy-to-use tools to monitor network activity. The result was the founding of ArcSight and the introduction of SIEM technology. He spoke to SC editor Paul Fisher about the early days of the business and the future of log management.
What inspired you to start this business ten years ago?
I talked to some key enterprises, pitching a couple of different ideas. What kept coming back was that they were interested in a better way to handle the security logs coming from their firewalls, IDS and operating systems, but there was no good way to capture all of that information on one screen.
I set out to build a tool to extract information out of the logs, report on actionable incidents and allow people to drill down into all this information.
From the beginning, I knew that the technology could be a more horizontal platform if we separated the capture of log data and the intelligent processing of it from the actual domain knowledge. So we set out to build a rules engine so that we would be able to apply domain-vertical rules while building an infrastructure that was enterprise-scalable and cross-platform.
The first version came out as licensed software and supported multiple platforms, including Unix and Windows servers, and ran across all the major product lines (Cisco, Check Point, etc.).
Was it hard in the early days to make a case for this? It was seen as quite revolutionary at the time and probably not needed.
Actually, one of the most surprising things was that it wasn't hard to make a case. We hired a sales guy before we had a product, and he and I would go on the road and talk to prospects. He said he had never worked anywhere before where he was able to get meetings after one cold call, and he didn't even have a product yet, so there was strong interest.
What were they saying? What was their need then?
The situation would be that they had a team in-house that was tasked with security. At the time the CSO role was just starting to come into existence and, uniformly, their first task would be to figure out a mandate.
They would say there aren't any good tools out there that can get us out of the business of writing our own scripts and let us focus more on providing information to upper management about the posture of network security efforts in our organisation.
You were one of the first to offer SIEM and log management, but there are a number of competitors now. What has driven that growth?
As soon as we released our first product, we quickly became the dominant player, and initially the main focus from the customers was on perimeter defence. As various international incidents like Enron occurred, regulations started to be put in place with real teeth behind them.
It quickly shifted from self-motivated perimeter defence to complying with Sarbanes-Oxley, HIPAA, GLBA and other regulations.
Actually, by coming out with vertical packages on top of our platform to directly address initiatives like HIPAA and SOX we could provide a very rapid, instant gratification form of deployment that we would then extend to the specifics of the environment.
Is the post-financial-crash environment providing a similar stimulus today?
There are some similar dynamics at play. I would say the governance driver is still there and to a large extent what happened, especially for a product like ours, is that security processes ended up being driven by compliance funds, and so our product stood at a very good place.
It was both a strong security product and a good way to provide information to auditors up the food chain looking to verify compliance. So we killed two birds with one stone.
The downturn actually resulted in a fair amount of transactions, in terms of failures, mergers and other activities. Invariably for us, that resulted in either one or other of the institutions involved in a merger already having our software and extending it to the other partner.
Even if the partner that had our software was the one being acquired, they would still basically prevail and say, "This software is a better solution," and we would end up being deployed across multiple organisations, so that ended up working out surprisingly well for us in terms of weathering the downturn.
Log management tools enable businesses to 'eavesdrop' on employees. This could be abused by some companies. Is this a concern of yours?
Yes, absolutely, but I see us as part of the solution, rather than part of the problem, because typically what's happening is there are a lot of security and operational devices in any organisation that are generating logs and if left unmanaged, there is absolutely no telling where those logs end up and who might use them for what.
So actually having a policy on how to manage logs, gathering them all in one place, essentially managing them under lock and key, with a proper process, is the answer to that problem and the tools that we provide help people accomplish that.
That would only apply if the particular business felt like it. What worries some people is that some employers would then use it to just monitor everyone, whether they suspect them or not. Do you think that there should be legislation that would set some guidelines?
There are two aspects to that. One of them is that the tools that we provide allow you to encrypt the logs so that any unauthorised employee would not be able to derive any value from usurping them. So that just leaves it down to whether a company is willingly violating your rights. At that level you really do get into having to rely on legislation.
In some countries, for example, you're not allowed to store logs for more than 24 hours. With a product like ours, it's easy to configure a policy that will automatically expire the logs, but again you have to be willing to set up the policies to comply with your local regulations.
Is information security as a profession or as an industry focused too much on malware?
I don't know if it's focused too much on malware. Sometimes it feels as if malware is just a never-ending, unwinnable battle. I don't know if you can say we focus too much or too little. It's one of those things where it's hard to prove a negative. We would be much worse off if we weren't paying attention. I think there are certainly aspects of the industry where you could say it's self-serving for them to keep you afraid, but on the other hand, just because you're paranoid doesn't mean they're not out to get you.
What will we see from ArcSight in the future?
We're just about to come out with our fifth-generation SIEM, and a lot of the work that we've been doing there is to enable our customers to go beyond straightforward perimeter defence, insider threats and compliance, and to start to actually build out into the actual business that they're in, so that phone companies can deal with phone company issues and banks can deal with bank issues.
This allows the customer to leverage the power of the correlation engine into their business process. We are able to apply SIEM more broadly because our technology was essentially built to cope with the high volume data generated by automated network products, which is much different than the volume you get when you're just monitoring human transactions.
We had to build a very robust platform, and now we're finding that we can take that same engine and apply different domain information to it. This lets us allow customers to leverage that engine directly on business problems.
What trends do you see outside, in computing in general, which will affect what you develop?
You really have to start treating the organisation as if it doesn't really have an inside and an outside anymore, and that informs how you want to deal with interactions on your network. You have to pretend everything is outside, including your building, and so I think that just means that there is more call for uniform capture and logging of all transactions, because you don't want to be the marshmallow at the top.
You need essentially a very small kernel of corporate IP, for example, and everything that can interact with it is essentially guilty until proven innocent.
Do you think businesses get that? Do you think that they really have grasped that?
I think at some level, some people in their security organisations do, but as an entity the whole organisation is not necessarily on the same page yet. There is typically tension between end-users and IT departments in that end-users just want to get stuff done and IT departments want to exert control. You have to find a way for the two sides to meet and realise that they're all serving the same purpose. There are quite a few CIOs that I talk to that seem very enlightened on this whole topic. The overall prognosis is probably better than one would assume.