ArcSight provides three different log management products, so part of this question is dependent upon which ArcSight product is being compared. Those three products are Express, Logger, and ESM. Logger is a log-management tool only, and does not include the full suite of functionality one would expect in a SIEM product. Express is a price-scaled version of ESM. Presumably the product of interest is ESM.
As such, one of the first challenges out-of-the-box with both ESM and Express is the UI. The UI is designed for experienced security analysts, whereas LEM is built with an easy-to-use interface suitable for the IT generalist.
The second challenge is the pricing itself. ArcSight products are priced based on Events per Second (EPS) activity. The problem here is determining an appropriate licensing target. Do you overlicense for the days when you get slammed by extra activity, or do you license based on normal activity? Furthermore, licensing based on EPS may or may not result in linear licensing costs as more nodes are added into the network, and adding a single node may actually result in an increase in EPS-based licensing costs.
Now, extend that into the MSSP environment. Here are some questions to further consider:
- What if the customer wants some form of console access to monitor their own network's events? (Even though it's a "managed service" does not necessarily mean the customer wants to remain oblivious to ongoing activity.)
- What resources would be required to train the customer to use the console?
- What are the implications of managing a collection of deployed appliances in the customers' environments and the licensing models appropriate for each customer? Is it easier to sell the service by event load (which may be volatile even in a small organization), or by the number of managed nodes (which will remain fairly static in almost any customer of a managed provider)?
- How complicated will it be to account for and bill for EPS on a customer's network, if that's the chosen licensing model? And even if you don't bill the customer by EPS, or by service volume of some type, how difficult will it be to reconcile the licensing costs against the service fees and determine whether a customer is profitable or not?
I also look forward to the thoughts of any others who have hands-on experience with both and how they view the actual user experience.
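A worked sizing calculation for the EPS-licensing questions raised above, added here as an example and not part of Lawrence's post or of any ArcSight or SolarWinds tooling. It buckets a sample of event timestamps into one-second windows, reports peak, mean and 95th-percentile EPS, turns those into candidate license targets, and shows how one extra node can push an EPS figure across a price tier. The event sample and the `HYPOTHETICAL_TIERS` price table are invented for the illustration; real vendor tiers and headroom policy would replace them.

```python
"""Size an EPS-licensed SIEM from an event-timestamp sample (constructed example)."""
from collections import Counter
import math

# Invented (max EPS, annual price) tiers, purely to illustrate non-linear cost.
HYPOTHETICAL_TIERS = [(250, 10_000), (500, 18_000), (1_000, 30_000), (2_500, 60_000)]


def eps_buckets(timestamps, window=1.0):
    """Events per second for each `window`-second bucket across the observed span.
    Zero-count buckets are kept so quiet periods pull the mean and percentiles down."""
    if not timestamps:
        return []
    start, end = min(timestamps), max(timestamps)
    n_buckets = int((end - start) // window) + 1
    counts = Counter(int((t - start) // window) for t in timestamps)
    return [counts.get(i, 0) / window for i in range(n_buckets)]


def percentile(values, pct):
    """Nearest-rank percentile (pct in 0..100) of a list of numbers."""
    if not values:
        raise ValueError("no values")
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def eps_profile(timestamps, window=1.0):
    """Summarise an event sample as peak / mean / p95 EPS plus seconds observed."""
    buckets = eps_buckets(timestamps, window)
    return {
        "peak": max(buckets),
        "mean": sum(buckets) / len(buckets),
        "p95": percentile(buckets, 95),
        "seconds": len(buckets),
    }


def license_targets(profile, headroom=0.25):
    """Three candidate EPS licence figures: size for the worst burst (peak plus
    headroom), for typical load (p95 plus headroom), or for the bare average.
    The gap between the first two is the cost of 'overlicensing for the bad days'."""
    return {
        "peak_plus_headroom": math.ceil(profile["peak"] * (1 + headroom)),
        "p95_plus_headroom": math.ceil(profile["p95"] * (1 + headroom)),
        "mean": math.ceil(profile["mean"]),
    }


def tier_price(eps, tiers=HYPOTHETICAL_TIERS):
    """Annual price for a given EPS figure under the (invented) tier table."""
    for cap, price in tiers:
        if eps <= cap:
            return price
    raise ValueError(f"{eps} EPS exceeds the largest tier")


def marginal_cost_of_node(current_eps, node_eps, tiers=HYPOTHETICAL_TIERS):
    """Extra licence cost from adding one node: zero inside a tier, a whole
    tier step when the node tips the total over a boundary."""
    return tier_price(current_eps + node_eps, tiers) - tier_price(current_eps, tiers)


def constructed_sample():
    """Constructed timestamps: 100 EPS baseline over 120 s with a 5 s burst of
    1000 EPS at seconds 30-34 (e.g. a scanner hammering a perimeter device)."""
    ts = []
    for sec in range(120):
        rate = 1000 if 30 <= sec < 35 else 100
        ts.extend(sec + i / rate for i in range(rate))
    return ts


if __name__ == "__main__":
    prof = eps_profile(constructed_sample())
    print("profile:", prof)
    print("licence targets:", license_targets(prof))
    # Same 30 EPS node, very different marginal cost depending on where you sit.
    print("adding a 30 EPS node at 100 EPS costs", marginal_cost_of_node(100, 30))
    print("adding a 30 EPS node at 240 EPS costs", marginal_cost_of_node(240, 30))
```

On the constructed sample the p95 figure ignores the burst entirely while the peak figure is ten times larger, which is exactly the overlicense-or-not decision in numbers; the second pair of calls shows why per-node pricing to an MSSP customer is easier to reason about than EPS pricing, since the same node costs nothing or a full tier step depending on what is already on the licence.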
Thanks Lawrence, that is great information to have in my back pocket as we move forward with LEM as our platform!
Hopefully others chime in with more details, as the more information I and the rest of the SolarWinds community have, the easier it will be to make a good case for LEM when needed.
You're pretty close in the analogy of ESM to OpenView. ArcSight has become to many people the de-facto choice for SIEM in the enterprise. Express is the attempt to push that down-market, but that doesn't make it appropriate. Logger is more focused on the log management use cases, less on the SIEM side.
Thanks Nicole! Your take on it is consistent with what I had suspected from what I have been able to read and see with a bit of web surfing.
Thus far I am very happy we have made the choice to go with LEM as our service platform for log management and SIEM. I just found out today we are beginning work on a new PCI environment which will be another LEM appliance that I get to deploy. That will make 6 in production so far!