Data Sherlock: ArcSight Replacement

The following case occurred during a break after our Data Sherlock led a breakout session at a regional Splunk event. A client patiently waited to talk to him and when she did she was clearly flustered and launched right into her pressing topic.

She indicated that her company has been a happy Splunk client for five years and that they had integrated Splunk software with ArcSight about three years ago and everything was working well. “But now,” she said, “all of that has to change given ArcSight was recently sold and analyst reports have stated that research and development (R&D) dollars are going to be severely restricted and new development will be slowed to a crawl.” Now clearly upset, she further bemoaned the fact that, “my executive team can’t allow their company to run on a security platform that is not keeping up with the evolving threat landscape.”

She went on for several more minutes, but the story was pretty simple. Her executive team was going to mandate a change because, as she said, “if the software vendor doesn’t have faith to invest in their own R&D, my company can’t have faith in the solution and it has to go.” She was nervous about what that meant for her team as many of them have never known a different security solution and they thought their jobs would be in jeopardy.

Our Data Sherlock had seen this before. Many clients have realized that an old legacy security platform that is getting limited investment needs to be retired. And this needs to happen before a security event occurs—and is missed—because of the out-of-date security platform.

Sherlock said to her, “I want to give you five pieces of advice because the situation is not new and you are not the only company reviewing options and planning to retire a legacy solution.

1. I strongly suggest you adjust any mental block you have to changing vendors because what you are really paid to do is protect your company. You might think you are paid to run or manage this security platform or that security platform, but you are not. The company wants to be as secure as possible and they pay you to do that. Yes, you happen to have a set of tools to do that today, but there was never a promise that those tools would stay the same in the future. I fear if you stay stuck in the past you could put yourself and your team at risk by holding on too tight to a technology that is no longer the best solution for your company.

2. You and your team are in a great spot because you know what works and doesn’t work in the current environment. For example, I strongly suspect there are lots of rules and configurations in the legacy solution that may have worked well years ago, but today they are just overhead you need to manage. You have known for years the rules needed to be pruned and new ones adopted but your team never had time. I suggest you and your team get proactive and figure out what the ideal solution looks like now, and take your plan to management.

3. Another thing to remember is that you already have experience with another security solution given your use of Splunk. You have been using Splunk for years and it is only because you called that other legacy solution a SIEM that you have not appreciated that Splunk has been doing the heavy lifting for your security needs the last couple of years. Where do you go when a security event occurs? I’m guessing the answer is Splunk. Where do you go to investigate? Again, likely Splunk. I suggest you review with your team what happens every day and see where you could extend your use of Splunk for security given your success with it to date. For example, check and see what happens if ArcSight is turned off this week. That will give you a great example of how to move forward and what should be configured in Splunk.

4. I suggest you look at this situation as a unique opportunity. The old world of legacy SIEMs that rely on inflexible databases is over. The threat landscape is changing too fast for these legacy vendors. Analysts now say your vendor is going to slash R&D to meet some capital goals. When you add this all together, it would be foolish to stay wedded to a platform that was out of date on its best days and now is guaranteed to be a dinosaur in a blink of an eye. Time to move on and be thankful you were given such clear signs that it was time to go.

5. For my last piece of advice, I suggest you reach out to the Splunk sales team as Splunk has solutions for SIEM replacement. You will need to self-assess your environment, invest in some additional Splunk education and, finally, create a plan to get off your legacy SIEM and on to a trusted platform that will provide protection for your company moving forward.”

After our Data Sherlock ran through his advice with the client, you could almost see the weight of the world leave her shoulders. Now she knew what she needed to do, and she was relieved to hear that lots of other organizations were seeing the warning signs around the future of ArcSight and moving to Splunk.

She closed by saying, “I need to call my Splunk sales rep and get a meeting to talk about creating a plan to retire our SIEM and move forward with Splunk. Thank you.”

Case Closed.

Z – Data Sherlock

Michael Zuber
