We are a leading provider of compliance and security management solutions that protect enterprises and government agencies. Our products help customers comply with corporate and regulatory policy, safeguard their assets and processes and control risk. Our platform collects and correlates user activity and event data across the enterprise so that businesses can rapidly identify, prioritize and respond to compliance violations, policy breaches, cybersecurity attacks and insider threats.
Our security information and event management, or SIEM, platform delivers a centralized, real-time view of disparate digital alarms, alerts and status and activity messages, which we refer to as events, across geographically dispersed and heterogeneous business and technology infrastructures. Our products collect and correlate massive numbers of events from thousands of security point solutions, network and computing devices and applications, enabling intelligent identification, prioritization and response to compliance and corporate policy violations, and external and insider threats. We also provide complementary software that delivers pre-packaged analytics and reports tailored to specific compliance and security initiatives, as well as appliances that streamline event log collection, storage, analysis and reporting.
We have designed our platform to support the increasingly complex business and technology infrastructure of our customers. Our platform ships with over 275 pre-built software connectors for products from more than 80 vendors. It also integrates easily with products for which we do not provide pre-built connectors and with proprietary enterprise applications to ensure that event logs from these products are seamlessly integrated into our platform for intelligent correlation and analysis. As of April 30, 2009, we have sold our products to more than 725 customers across a number of industries and government agencies in the United States and internationally, including companies in the Fortune Top 5 of the aerospace and defense, energy and utilities, financial services, food production and services, healthcare, high technology, insurance, media and entertainment, retail and telecommunications industries, and more than 20 major U.S. government agencies.
No customer accounted for more than 10% of our revenues in fiscal 2009, 2008 or 2007. Our top ten customers accounted for 23%, 26% and 31% of our product revenues during fiscal 2009, 2008 and 2007, respectively. See Note 10 of the notes to our Consolidated Financial Statements for a discussion of total revenues by geographical region for fiscal 2009, 2008 and 2007.
Our Solutions and Products
The primary components of our SIEM platform are our ESM products, which collect streaming data from the devices and applications in an organization’s architecture, which we refer to as event sources, translate the streaming data into a common format, and then process the data with our correlation engine in which complex algorithms determine if events taking place conform to normal patterns of behavior, established security policies and compliance regulations. A single device or application can generate thousands of events in a single day, most of which are low priority and typically provide information about a narrow aspect of the infrastructure or only a portion of the threat or compliance risk involved. Our ESM products identify and prioritize high-risk activity and present a consolidated view of threats to, and compliance risks and other events in, the business and technology infrastructure in rich, graphical displays. In addition, through our ArcSight Logger appliances, we enable efficient and scalable collection, storage, analysis and reporting of terabytes of enterprise log data for compliance requirements or forensic analysis. Our customers enhance the value of other compliance and security products in their business and technology infrastructure by integrating them with our platform. Key benefits of our solutions include:
Enterprise-Class Technology and Architecture. We design our solutions to serve the needs of the largest organizations, which typically have highly complex, geographically dispersed and heterogeneous business and technology infrastructures. We deliver enterprise-class solutions by providing interoperability, flexibility, scalability and efficient archiving.
Intelligent Correlation. Our correlation engine intelligently distills millions of events occurring daily into information that allows customers to identify, analyze, prioritize and respond to specific threats, compliance violations and other events of interest.
Cost-Effective Storage. Our log management suite provides easy, scalable, cost-effective storage and enables customers to demonstrate the integrity and availability of log data both in transit and at rest, facilitating automated compliance reporting and reducing the cost of audits.
Reporting and Visualization. We present threat, compliance risk and other event information through a rich and intuitive graphical user interface, through which customers can view risk across their organization in a variety of ways, address internal and external compliance requirements and communicate the value and effectiveness of the organization’s security operations.
Customers can enhance these key benefits through deployment of one of our solution packages, which are combinations of leading compliance and security management products that focus on security or particular compliance needs, ranging from Sarbanes-Oxley (SOX) to Federal Information Security Management Act (FISMA) to Payment Card Industry (PCI). For example, our recently launched solution package for North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection, or CIP, includes ArcSight ESM, ArcSight Logger, ArcSight Connectors, ArcSight TRM (Threat Response Manager), ArcSight IdentityView and ArcSight Compliance Insight Package for NERC CIP standards 002-009. These components allow a variety of deployments for compliance with NERC CIP standards 002-009. Our family of leading compliance and security management products includes:
ArcSight ESM. ArcSight ESM, our flagship product, is designed specifically to address the compliance, security and business risk concerns of large, geographically-distributed organizations with complex, heterogeneous IT environments. ArcSight ESM serves as a centralized system for understanding and managing risks across an organization’s entire business and technology infrastructure. In conjunction with our ArcSight Connectors and ArcSight Compliance Insight Packages, the key elements within ArcSight ESM include:
ArcSight Manager. ArcSight Manager is server-based software that manages event aggregation and storage, controls the various elements of our platform and provides the engine for high-speed real-time correlation and incident response workflow. In 2008, we made an appliance version of ArcSight Manager available to facilitate procurement and provide turnkey deployment to address the needs of some mid-market customers. ArcSight Manager comes with standard rules that address common compliance and security issues and business risks. It also provides an intuitive system that enables customers to write customized rules that apply an organization’s compliance and security policies into the real-time analytics of the correlation engine as well as seamless integration with rules generated by our ArcSight Pattern Discovery product. ArcSight Manager enables real-time collaboration and case management among security analysts, to track risk-prioritized response and remediation. In addition, it provides case resolution metrics to demonstrate compliance and security process and control effectiveness. Our case management system also can integrate with third-party trouble ticketing systems, such as BMC Software. Our architecture was designed to allow customers to scale from a single centralized deployment to a distributed, global deployment by deploying additional Managers that work in concert.
ArcSight Console, ArcSight Web and ArcSight Viewer. ArcSight Console is the primary user interface to interact with and control ArcSight ESM. Through its intuitive interface, the Console provides administrators, analysts and operators with graphical data summaries and the ability to perform tasks ranging from real-time monitoring and analysis to incident investigation and response to system administration and authoring of new content. The Console is highly configurable to reflect individual customer environments and can display threat and risk information in a wide variety of formats including by geography, by division or line of business, by type of threat, and by compliance or policy initiative. With ArcSight Console, customers can run a wide variety of reports to answer internal and external compliance audits and communicate the value and effectiveness of the organization’s security operations. We also provide an authoring system that customers can use to create new reports to meet their specific business needs. ArcSight ESM contains hundreds of standard report templates that immediately address common compliance, security and business risk reporting requirements. To facilitate remote access for IT administrators as well as provide a portal for line-of-business viewing of status summaries and scheduled reports, our ArcSight Web product provides browser-based access to all Console functions and content, except administration and authoring, and our ArcSight Viewer product provides browser-based read-only access to all Console content.
ArcSight Logger. ArcSight Logger, a suite of appliances available in a variety of feature sets and capacities, enables organizations to collect and store event data in support of compliance and security requirements. Our ArcSight Logger appliances provide customers with an easily searchable log data repository, together with reporting capabilities, that can be leveraged across networking, security and IT operations teams. As with ArcSight ESM, ArcSight Logger provides administrators, analysts and operators with graphical data summaries and an intuitive interface to perform search, reporting and management tasks. Access controls and intelligent search technology enable customers to interact with historical raw event data for insight into specific events. ArcSight Logger currently captures raw logs at sustained rates of up to 100,000 events per second per appliance and provides approximately 10:1 compression capability of event data, storing 30 terabytes or more of data per appliance. Multiple ArcSight Logger appliances can be deployed to linearly scale both storage and performance. Large organizations with multiple administrative domains or managed security service providers can choose to deploy multiple ArcSight Logger appliances in a hierarchical or peer-to-peer manner to extend capacity and performance as needed. Because multiple ArcSight Logger appliances operate as an array, a comprehensive view into enterprise-wide log data remains available. ArcSight Logger can flexibly and selectively forward security events to ArcSight ESM for real-time, cross-device correlation, visualization and threat detection. In turn, ArcSight ESM can send correlated alerts back to ArcSight Logger for archival and subsequent retrieval. As with our ESM products, our ArcSight Logger products are deployed in conjunction with our ArcSight Connectors and are also the basis for their own add-on Compliance Insight Packages.
ArcSight Express. ArcSight Express is a pre-packaged set of appliances designed to serve as a “security expert in a box” for mid-sized organizations without the resources or in-house compliance and security expertise needed to deploy a large enterprise-scale system and to build custom threat detection rules, dashboards and reports. Our ArcSight Express products provide a simplified, easy-to-use correlation appliance coupled with a similarly simplified and easy-to-use log management appliance for long term storage, as well as pre-built expert rules, dashboards and reports that were developed through years of advanced deployments targeted at the compliance and security needs of mid-market organizations. These appliances work with our ArcSight Connector and ArcSight Compliance Insight Package products and are available with a variety of feature sets and capacities allowing rapid procurement and deployment at a cost appropriate for a range of mid-market customers.
ArcSight Connectors. Connectors are software or appliances that collect event data streams from sources across an organization’s business and technology infrastructure and feed that event data to our ESM, ArcSight Logger and ArcSight Express products. Our connector appliances are available in a range of feature sets and throughput capacities. These connectors implement extensive normalization and categorization capabilities to restructure event data into a common taxonomy so events from hundreds of different sources can be compared meaningfully and queried systematically irrespective of which device is reporting the information. The normalized event data stream is then intelligently aggregated and compressed to eliminate irrelevant and duplicate messages and reduce bandwidth and storage consumption. Our SmartConnectors receive and translate event data streams from over 275 different devices and applications from more than 80 vendors and in more than 36 different solution categories. Further, using our FlexConnector toolkit, our customers can create custom connectors tailored to their environment, such as for new products, proprietary applications and mainframe and other legacy systems. Our connectors can be deployed on intermediate collection points, such as third-party management consoles, where available, avoiding the requirement to provision our connectors directly onto end devices.
ArcSight Compliance Insight Packages. We offer pre-packaged software solutions that enable our ESM, ArcSight Logger and ArcSight Express products to provide technical- and business-level checks on corporate compliance with regulatory and policy requirements for perimeter security, protection of key business processes, threat management and incident response. These packages comprise relevant rules and reports to accelerate implementation by our customers and can be customized or extended by the customer, and include tailored monitoring, assessing and reporting to address specific security, regulatory or policy concerns, including IT governance, SOX and the Japanese analogue of Sarbanes-Oxley (J-SOX), FISMA, PCI, NERC CIP standards 002-009, Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Basel II Framework, International Standardization Organization/International Electrotechnical Commission (ISO/IEC 27002:2005) and National Institute of Standards and Technology (NIST 800-53) compliance.
ArcSight IdentityView. ArcSight IdentityView is an off-the-shelf add-on module for our ESM products that increases the value of customers’ existing identity and access management, or IAM, systems, allowing enterprise customers to address the insider threat and fraud risks they face as well as their compliance and audit needs. IdentityView includes specialized connectors to leading IAM systems and pre-built capabilities for correlating multiple user identities to a single identity key. Using that single identity key and the event data collected from the wide variety of data sources available to our ESM products, beyond those connected to IAM systems, IdentityView collects all of a user’s activity information and analyzes it to determine if the user is performing unauthorized activities. The pre-packaged reports and dashboards include activity-based modeling to reflect activities for a particular role, comprehensive activity reporting to track user activity across systems, automatic watch lists to track unauthorized actions, separation of duty tracking for internal control compliance, application usage tracking for license compliance and role tracking of the rights available to particular users across systems. IdentityView also uses the technology underlying our ArcSight Pattern Discovery module to apply machine learning to automatically create new risk profiles employing IAM information.
ArcSight Discovery Modules. Our ArcSight Discovery modules, which provide additional advanced analytics and visualization on our ESM products, include:
Our ArcSight Pattern Discovery software is a powerful complement to our correlation engine. It is an advanced pattern identification engine that retrospectively examines large amounts of security events previously collected and processed by ArcSight ESM to discover patterns of activity that may be characteristic of threats, such as emerging worms, new worm variants, self-concealing malware, and low profile, slowly developing attacks. ArcSight Pattern Discovery proactively alerts the security operations analyst about existing or emerging patterns that are not comprehended by any rules in our correlation engine, and provides the customer the option to classify the patterns and also to optionally or automatically generate new rules for our ESM products that will detect and respond to similar threatening patterns in the future.
Our ArcSight Interactive Discovery visualization software helps IT security professionals pan, zoom and switch perspectives across complex technical data to perform in-depth analysis of security data, and features visuals and drill-down capabilities that enable non-technical employees to see relevant threat information in a non-technical format.
ArcSight TRM (Threat Response Manager). ArcSight TRM is an appliance that enables customers to quickly and precisely reconfigure network control devices to remediate compliance, security and business risks, consistent with an organization’s policy directives. ArcSight TRM profiles a network’s topology through communication with devices without the need to install a software agent on the device. Through advanced algorithms, it can identify the exact location of any node (wireless, wired or VPN) on the network, analyze, recommend and, at the customer’s option, execute specific, policy-based actions in response to a threat, attack or other out-of-policy situation. ArcSight TRM can block, quarantine or filter undesirable users and systems at the individual port level. ArcSight TRM integrates seamlessly with ArcSight ESM to accelerate incident response by facilitating the coordination between the security and networking groups, thus improving the effectiveness of the response and acute remediation function.
ArcSight NCM (Network Configuration Manager). ArcSight NCM is an appliance that automates the audit of network topology, maintaining protected records of all prior configurations for purposes of rollback, audit and compliance reporting. ArcSight NCM presents network topology in a visual format, allowing organizations to identify misconfigurations, redundant links and multiple wide area network (WAN) access routes. ArcSight NCM dynamically compares existing device configuration and highlights discrepancies from desired configuration policies that generally map to regulatory requirements, operational guidelines and business rules.
Maintenance and Professional Services
We offer a range of services after a sale occurs, principally installation and implementation, project planning, advice on business use cases and training services that complement our product offerings. Initial implementation of our SIEM platform typically is accomplished within two to four weeks, while our ArcSight Logger, ArcSight Express and other appliance products are typically implemented in a matter of days. On an ongoing basis, we offer consulting services and training related to application of our SIEM platform to address additional or customer-specific compliance and security issues and business risks. Following deployment, our technical support organization provides ongoing maintenance for our software and appliance products. We provide standard and, for customers that require 24-hour coverage seven days a week, premium tiers of maintenance and support, which include telephone- and web-based technical support and updates, if and when available, to our software and appliances during the period of coverage. Our three major support centers are located in Hong Kong, London and Cupertino, California. In addition, we sell an enhanced maintenance service that provides security content updates for our ESM products and extended hardware maintenance for our appliance products.