ArcSight Enterprise Security Management Software
Version 1.1
by Jon Tullett
FOR: Excellent presentation and tracking of security events and a solid
multi-tier architecture.
AGAINST: No way to create multiple custom views.
VERDICT: Very strong management suite that puts administrators firmly in
control of security incidents.
There’s not really any such thing as an isolated security incident.
Any breach or attack will leave fingerprints all over your network:
traces in log files and alerts from IDSes, firewalls and network monitors.
Without some way to consolidate and analyze those alerts, you’re largely
helpless when determining the impact of an event. And that ignores the
difficulty of actually making sure you’re generating alerts at all, rather
than blindly ignoring an attacker who’s made it past the perimeter firewall.
This is the space filled by security agents and alert analyzers such as
ArcSight’s eponymous flagship. ArcSight is designed to distribute agents
throughout the network, which will report events to central management
stations. Administrators can then view events, control security policies
and even replay a sequence of events to watch the attack unfold.
Because the software arrived preinstalled on a laptop, we didn’t test
the actual install procedure. The final result is simple enough - the
components are Java applications called from batch files, which do a fair
bit of integrity checking when they start up, a consideration I was glad
to see. The company provides support for AIX, Solaris, Linux and Windows,
though not every component is currently supported on every platform.
The software is multi-tier, with components performing specialized
tasks. Because it’s intended to be distributed, these components will
usually be scattered across your network. In testing, with all the
components running concurrently on a laptop, the database performance wasn’t
great. Despite that, the software was responsive enough, and in the field,
with a decent database server backend and separation between the
components, it’s reasonable to expect those performance barriers to fall
away.
The actual information gathering is done by SmartAgents, which collect
data from events and logs on network devices. There are agents for a broad
array of different devices, and the management window provides a tree
listing of them, allowing default parameters to be set per agent. ArcSight
says it can produce new agents for unsupported products in the space of a
week, which is an impressive claim, though one we didn’t put to the
test.
The agents can get information from a variety of different places - by
monitoring logs (either from devices or from log servers), via SNMP or
directly from agents on the devices themselves.
Managers are components that gather and analyze data from agents. The
managers should be placed on servers at strategic locations on the network
so that data can be correlated from nearby agents. As a group, the
ArcSight managers should correlate information on every security-related
network event. The managers store events in databases, currently
supporting Oracle and MySQL, though ArcSight says support for others is
coming.
The data is extracted either through the ArcSight Console or via a
browser interface, though the latter can perform only certain functions.
The console itself can get pretty cluttered, since this is a complex
environment to be managed. The core tasks are divided up into four areas,
each of which can be opened and closed as needed.
The Navigator panel is a window controlling all the core functions of
the product, with access to rules, reports, configuration and all the
underlying mechanics. It’s easy to manage, and offers keyboard shortcuts
to most views, which makes swapping from one place to another very
efficient.
The Viewer panel is where all the data is presented. You can examine
individual events, run correlations against the database, examine
historical trends and all the slicing and dicing you could want. It’s
neatly divided into tabs, which lets you have a lot of information up
without it getting overwhelming. It easily could get that way - even
relatively small-scale incidents will have a lot of associated events and
alerts.
I particularly like the dashboard view, which gives a customizable set
of ‘most-active’ values: IP addresses being targeted, types of
attacks, busiest agents and so on. If you have a big network this would get
very complicated, and unfortunately there’s no way to build custom views
and swap between them (version 2.0 of the product will support just such a
feature - ArcSight has demonstrated this and other updated features to SC
Magazine). That could be a downside for an administrator with a broad remit,
and a real chore for several administrators sharing a console. You can
save and load console environments (which agents to monitor, etc.) but not
views.
Then there’s the Replay panel, which is used to turn back the clock
and watch - VCR-style - as events occur. This is particularly useful,
since it’s not always obvious what events are connected. With the
ability to apply filters to the data you’re watching, it’s easy to
narrow down, for example, the sequence of events from a DNS attack,
through a spoofed session to an FTP exploit to see just how the attack was
crafted. On its own, each incident is just an isolated security alert.
Taken together, you can see the attack pattern and plan accordingly.
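The collect, replay and ‘most-active’ dashboard steps described in the two paragraphs above, reduced to a toy script. This is an added example, not ArcSight code; the three log formats, hosts and timestamps are constructed for illustration.

```python
# Added example, not ArcSight's code: a toy version of the collect /
# correlate / replay / dashboard steps described in the review.
from collections import Counter
from datetime import datetime

# Constructed sample events (source, ISO timestamp, raw line); hosts and
# times are made up. Deliberately not in time order.
RAW_EVENTS = [
    ("dns", "2003-04-01T10:00:05", "query ANY corp.example from 203.0.113.9 -> 10.0.0.5"),
    ("ids", "2003-04-01T10:01:03", "ALERT ftp-overflow 203.0.113.9 -> 10.0.0.7"),
    ("fw",  "2003-04-01T10:00:20", "ACCEPT udp 203.0.113.9:40001 -> 10.0.0.5:53"),
    ("fw",  "2003-04-01T10:01:02", "ACCEPT tcp 203.0.113.9:40002 -> 10.0.0.7:21"),
    ("fw",  "2003-04-01T10:01:30", "DROP tcp 198.51.100.2:3333 -> 10.0.0.9:445"),
]

def normalise(source, ts, line):
    """Agent step: map one raw line into a common record. All three
    constructed formats end in 'src[:port] -> dst[:port]'."""
    parts = line.split()
    src, dst = parts[-3].split(":")[0], parts[-1].split(":")[0]
    event = parts[1] if source == "ids" else parts[0]
    return {"time": datetime.fromisoformat(ts), "source": source,
            "src": src, "dst": dst, "event": event}

def replay(events, **match):
    """Replay step: events in time order, filtered on any fields given
    (e.g. src='203.0.113.9') so one attack chain can be isolated."""
    chosen = [e for e in events
              if all(e.get(k) == v for k, v in match.items())]
    return sorted(chosen, key=lambda e: e["time"])

def most_active(events, field, n=3):
    """Dashboard step: the n most frequent values of one field."""
    return Counter(e[field] for e in events).most_common(n)

if __name__ == "__main__":
    events = [normalise(*raw) for raw in RAW_EVENTS]
    for e in replay(events, src="203.0.113.9"):
        print(e["time"].time(), e["source"], e["event"], e["src"], "->", e["dst"])
    print("most targeted:", most_active(events, "dst"))
```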
Lastly there’s the Inspect panel, which does just what it says on the
tin. It provides details of particular alerts, as well as an editor for
rules, reports and ‘cases.’ A case groups related alerts together so that
they can be assigned to a security administrator for investigation and
control. It’s a handy way to keep tabs on incidents without the viewer
turning into a spaghetti mess of threaded alerts.
The browser interface is much simpler than the console; it’s just
there to provide remote administrators with a facility to view data, and
to acknowledge notification events. So, while you can examine the status
of events, cases and reports, you can’t contribute to them. For field
administrators, though, it’s an invaluable tool.
The product documentation could be better. The online help isn’t
particularly strong, though there is a good knowledge base built into the
console and browser interface that wins a few points. ArcSight provides a
large number of predefined reports (and the ability to build your own),
which generate concise, clear reports of events, trends, cases and
anything else the console can manage.
All round, ArcSight has done a really great job of presenting large
amounts of complex information in a usefully structured way, helping
admins correlate and analyze security data. It’s the class of product
anyone in a position to manage security incidents should consider, and a
good example of what to expect from a security management suite. It’s on
the pricey side, but many organizations will consider it well worth the
investment.