Today I started a 30 day evaluation of a SIM for work purposes. Various magazines have touted this product as being the be-all end-all of SIM products on the market. True to rumors, ArcSight's product is mind-boggling, to put it simply.

The utter crapload of useful/useless information that the Dashboard(s) of this thing provide is amazing. It's hard to take it all in initially and one comes to ask oneself "aren't these SIMs supposed to make life easier?" Getting over the initial shock of the application, you can more critically evaluate it.

Hands down this application is the "bomb-diggity" among SIM products. It correlates like a fiend, and lets you trace and narrow down criteria for picking out attacks amazingly well. The setup took ~2 hours, which is far less than with some other SIM vendors. The product has consoles for every major OS. They also have agents for every major OS (also a far cry from what other SIM vendors have). Everything installed effortlessly, even on Linux; that alone is amazing.

You are able to write custom filters using a pretty typical regex syntax. The beast runs on top of an Oracle 9i server and is amazingly fast at returning the results you ask for, even though it's correlating hundreds of thousands of events (~3.2 million a day for us).

The whole console monster is written in Java, and while I'm not friendly towards Java, I really have to give the crew at ArcSight props for building an incredible software architecture.

There are graphs out the wazoo, statistics, and rows of alerts; almost everything is clickable, allowing you to build custom alert filters on the fly. The whole database is self-optimizing as well, and the Manager software apparently takes care of keeping the database healthy, which is also a godsend because CST doesn't have a resident Oracle guru (though several sit down the hall). At 80 G's this bastard is expensive imho, but the price is justified by the amazing amount of crap it's able to give you.

Anyways, it left my head spinning after I left. I can't wait to poke at the rule creator and make a test rule for the KDC and ngrep logs. Now it's my job to find its weaknesses >:-)
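To illustrate the kind of regex-filter-plus-correlation rule mentioned above (a test rule over KDC logs), here is an added Python sketch of my own; it is not ArcSight's rule language and not from the product. It runs a regex filter over constructed krb5kdc-style log lines (sample data, not real) and raises an alert when one client IP racks up a threshold number of pre-authentication failures inside a sliding time window; the threshold, window and log format are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of MIT krb5kdc logging (not real data).
SAMPLE_LOG = """\
Mar 10 09:00:01 kdc1 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Mar 10 09:00:02 kdc1 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Mar 10 09:00:03 kdc1 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: ISSUE: authtime 1234567890, etypes {rep=18 tkt=18 ses=18}, carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 10 09:00:04 kdc1 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: PREAUTH_FAILED: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Mar 10 09:05:00 kdc1 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: PREAUTH_FAILED: dave@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
"""

# The "filter" half of the rule: only AS_REQ pre-auth failures pass, and the
# fields the correlation needs (timestamp, client IP, principal) are captured.
FILTER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"AS_REQ .*? (?P<client>\d+\.\d+\.\d+\.\d+): PREAUTH_FAILED: (?P<principal>\S+) for"
)


def correlate(lines, threshold=3, window=timedelta(seconds=60), year=2024):
    """The "correlation" half: return (client_ip, count, principals) alerts when
    one client has >= threshold failures within `window`. One alert per burst;
    the client becomes eligible again once the window slides past."""
    recent = defaultdict(deque)  # client -> deque of (timestamp, principal)
    alerts, alerted = [], set()
    for line in lines:
        m = FILTER.match(line)
        if not m:
            continue  # event dropped by the filter (e.g. successful ISSUE lines)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["client"]]
        q.append((ts, m["principal"]))
        while q and ts - q[0][0] > window:
            q.popleft()  # expire events that fell out of the sliding window
        if len(q) >= threshold and m["client"] not in alerted:
            alerts.append((m["client"], len(q), sorted({p for _, p in q})))
            alerted.add(m["client"])
        elif len(q) < threshold:
            alerted.discard(m["client"])
    return alerts


if __name__ == "__main__":
    for client, count, principals in correlate(SAMPLE_LOG.splitlines()):
        print(f"ALERT {client}: {count} preauth failures, principals {principals}")
```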