A Return to ArcSight, and the Expanding World of CyberRes


Why I Left

I joined ArcSight two years before the IPO and stayed through the Hewlett Packard (HP) acquisition and split. After seven years as a security content developer and lead in R&D, I became a principal technical consultant for the Professional Services consulting group.

I needed to see ArcSight in production environments!

About three awesome years later, I was asked to return to R&D. I reluctantly did, with the condition that I could still work with the Professional Services group and customers. It was a great move for me, partly because the spin-merge with Micro Focus gave me further insights into the machinations of large corporate enterprises that would have been unavailable to me as a consultant.

I worked with a lot of cool people, both customers and folks from the other security companies acquired by HP. I would never have met some of the brilliant people from Fortify and Atalla if ArcSight hadn’t been acquired.

With the spin-merge completed, it was time for major changes. I never lost faith in ArcSight, but thirteen years with the SAME product line! As many of us experience in our careers, I needed a change of perspective and time to learn about topics new to me.

Kicking off a short sabbatical, I started with a two-week decompression period; I then began learning Python and ML via Coursera. I visited friends I had not seen in too long. I talked with a lot of ArcSight colleagues and partners. After a couple of months, I started interviewing for my next adventure. I took an opportunity to work with the brilliant man who hired me into ArcSight (now with Sumo Logic, an exciting company founded by other ArcSighters). The project was one I had dreamed of, led by someone I respected and admired.

Everything went well, until COVID-19. Many of us were invited to find other opportunities, far more than one might suspect. The job market got rather weird.

Given my military, government civilian, and defense contractor background, I ended up at Pinnacle, with AT&T Cybersecurity, supporting the U.S. federal government. The role gave me a new perspective on CSfC (Commercial Solutions for Classified) and on the cybersecurity needs and challenges that federal, DoD, DHS, NSA and other IC organizations are facing.

Along came another opportunity! There are ArcSight veterans almost everywhere cybersecurity products can be found. My colleagues offered stories of ArcSight's advances and of how well the newly named CyberRes security products were performing, especially in the DoD and IC. (CyberRes is now a Micro Focus line of business.) And that is how, following three exciting years of growth, I find myself working for MFGS, Inc., as a Chief Technologist, focusing on CyberRes (this includes the Fortify, ArcSight, Voltage, and NetIQ product lines).


Why I Returned

Having worked on and with several SIEM products, I know ArcSight is still the best there is. In my time away, I missed working with a lot of the incredible people who are still driving ArcSight. Micro Focus has made deeply impactful investments in the program’s future, including many of the features I hoped for over three years ago.

Micro Focus acquired Interset in 2019, now named ArcSight Intelligence. It is awesome! They acquired a SOAR platform, and it is beautiful. They have seriously updated the user interface (see ArcSight Fusion!). But those are not the major factors contributing to my return...

I saw CyberRes advancing ArcSight, and not only the ESM product. Friends were returning, and others were asking me what I thought about them going back. Good things were happening!

Since I left, ArcSight has delivered some significant improvements and continues to make major strides in terms of providing the services that government agencies need to succeed in today’s changing threat landscape.

The unification of the data store is a major activity. It is mostly accomplished.

The move to cloud has advanced more in the last year than in the previous five. The sense of where our customers, commercial and government, are in their cloud migrations is a major driving factor. CyberRes will not abandon customers who are not yet ready to completely migrate to the cloud. SIEM as a service is not just a dream. The ArcSight roadmap is both ambitious and headed in the right direction, which is cloud first.

Many former ArcSight advocates lost battles (roadmap failures, politics, etc.) to newer “SIEMs.” If you were a fan of ArcSight, now is the time to look into ArcSight again.

Of course, ArcSight is not the only CyberRes product. When I first worked with the Fortify researchers and developers, I learned a lot more about application security monitoring as we built ESM content to integrate with Fortify. The Fortify folks are not resting on their laurels!

I like Voltage (funny how being a former NSA employee makes people think you’re a crypto expert) for data privacy and protection and Format-Preserving Encryption (FPE). This is more than “icing on the cake” for encryption products. It not only protects data if there is a breach, but safeguards against the ever worrisome “insider threat.” More importantly, it allows security analysts to work with log messages whose PII-related fields are FPE-protected.
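As an added illustration of why FPE-protected fields stay usable in a log pipeline (this is not Voltage's implementation, not NIST FF1, and not code from the original post; the key, tweak and sample log line are constructed for the demo):

```python
"""Toy format-preserving encryption (FPE) over decimal digit strings.

Added example, not Voltage SecureData and not NIST SP 800-38G FF1. It
demonstrates the property the post relies on: the ciphertext keeps the
length and alphabet of the plaintext, so a log parser written for the
clear-text field still parses the protected record. The alternating
Feistel layout follows the FF1 pattern, but the round function here is
HMAC-SHA256 instead of the standard's AES-CBC-MAC, so treat it as an
illustration of the mechanism, not as a vetted cipher.
"""
import hashlib
import hmac
import re
from typing import Callable, Optional

ROUNDS = 10

# Constructed demo key and tweak; a real deployment derives these from a KMS.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SSN_TWEAK = b"hrapp:ssn"


def _round_fn(key: bytes, tweak: bytes, rnd: int, half: str) -> int:
    """Keyed round function bound to the tweak and the round index."""
    msg = tweak + bytes([rnd]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt_digits(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a decimal string to a decimal string of the same length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("plaintext must be a decimal string of length >= 2")
    n = len(digits)
    u, v = n // 2, n - n // 2          # half lengths; v >= u for odd n
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v     # length of the half being replaced
        c = (int(a) + _round_fn(key, tweak, i, b)) % 10**m
        a, b = b, str(c).zfill(m)      # zfill keeps leading zeros, i.e. the length
    return a + b


def fpe_decrypt_digits(key: bytes, tweak: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt_digits: run the Feistel rounds backwards."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_fn(key, tweak, i, a)) % 10**m
        a, b = str(c).zfill(m), a
    return a + b


# Constructed syslog-style record; the SSN is a common placeholder value.
SAMPLE_LOG = ("Mar 12 10:15:02 hrapp[4412]: profile_update user=jdoe "
              "ssn=123-45-6789 result=ok")
SSN_RE = re.compile(r"ssn=(\d{3})-(\d{2})-(\d{4})")


def _rewrite_ssn(key: bytes, line: str,
                 transform: Callable[[bytes, bytes, str], str]) -> str:
    """Apply transform to the 9 SSN digits and re-emit the NNN-NN-NNNN shape."""
    def repl(m: "re.Match[str]") -> str:
        out = transform(key, SSN_TWEAK, "".join(m.groups()))
        return f"ssn={out[:3]}-{out[3:5]}-{out[5:]}"
    return SSN_RE.sub(repl, line)


def protect_log_line(key: bytes, line: str) -> str:
    """Replace each SSN with its FPE ciphertext; the field layout is unchanged."""
    return _rewrite_ssn(key, line, fpe_encrypt_digits)


def unprotect_log_line(key: bytes, line: str) -> str:
    """Restore the clear-text SSNs for an authorised reviewer."""
    return _rewrite_ssn(key, line, fpe_decrypt_digits)


def parse_ssn_field(line: str) -> Optional[str]:
    """What an analyst's parser does: extract the SSN digits if the field matches."""
    m = SSN_RE.search(line)
    return "".join(m.groups()) if m else None


if __name__ == "__main__":
    protected = protect_log_line(KEY, SAMPLE_LOG)
    print(protected)                                          # same layout, different digits
    print(parse_ssn_field(protected))                         # parser still gets 9 digits
    print(unprotect_log_line(KEY, protected) == SAMPLE_LOG)   # True
```

Two things worth noticing. First, the parser written for the clear-text record works unchanged on the protected record, because the ciphertext occupies exactly the same characters; a conventional cipher would have produced binary output that has to be text-encoded, changing both the field length and its alphabet. Second, the scheme is deterministic for a fixed key and tweak, which is what lets an analyst correlate events for the same person without seeing the SSN; it also means equality of protected values is visible, so the tweak should scope that linkability deliberately.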

I haven’t yet had a chance to work with NetIQ for Identity and Access Management, but based on what I’ve learned since my return, I cannot imagine implementing zero trust without it.

Between CyberRes and many of Micro Focus’ other products, there is a massive toolset for DevOps and DevSecOps, for cloud as well as traditional on-prem security and application development. I have barely begun scratching the surface of possibilities for how we can help improve the U.S. Government’s security posture, from application and security lifecycle management to cybersecurity protection, monitoring, and response.

Three years ago when we were going through the spin-merge process, there was a lot of confusion about Micro Focus. They have Visual COBOL? Don’t scoff, COBOL is strongly in use in many unexpected places. Master COBOL and you can increase your salary significantly, compared to most other languages. Further, the U.S. Government is recognizing the importance of these legacy IT programs in critical infrastructure with the Grace Hopper Code for US Act.

My new adventure is proving to be every bit as fun and exciting as anything I’ve done in my career. I am looking forward to the challenges and opportunities. The best part? I will be working with talented friends and colleagues, at MFGS, Inc., and CyberRes.

What about You?

I’ve talked about my journey with ArcSight from being a pre-IPO security content developer to my current adventure. Whatever your relationship was or is with ArcSight, I would love to hear about your experiences and thoughts. Log in and comment below. 

More information:

Have technical questions about Security Operations? Visit the ArcSight User Discussion Forum. Keep up with the latest Tips & Info about Security Operations. Do you have an Idea or Product Enhancement Request about ArcSight? Submit it in the Idea Exchange.

