News about roadmaps, directions ArcSight is going, and Project Hercules?
I have been looking around everywhere to try to find some larger news on the future of ArcSight and where it is going, now that they are going over to Micro-Focus. I saw that there was a short video presentation about this, but I was hoping there would be some larger documentation or any actual planned roadmap?
Also when googling or searching here about Project Hercules, there are 0-1 hits, no documentation about it, and whether it is replacing or working together with ArcSight.
Would someone be able to explain this a bit to me?
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of MicroFocus.
All replies are based on best effort and cannot be taken as official support replies.
Re: News about roadmaps, directions ArcSight is going, and Project Hercules?
So lots to talk about, lots to cover and lots happening!
First off, there are things we can share and things we can't. As part of a public company (and will be with Micro Focus too), there are things we absolutely CAN'T talk about though. So things like pricing, product names, precise release schedules and so on. I am sure you get it, but just level-setting first.
But what is happening? Well, with the world's premier information security show coming up shortly, it's probably fair to expect to see something happen then! I don't know the details of what and where, but it makes a lot of sense to have something of a 'splash' here and to cover off what we are releasing.
I can share a few things though and answer your points:
1) Documentation - at the moment, it's limited and internal only. As we plough towards the release date, a lot is being finalized and at the moment things could change. Therefore we need to tread carefully on what we are promising and what we release. The plan is to make some more detailed stuff in the coming weeks though, but don't expect documentation sets for the moment.
2) Replacement - this is a common question and something that we need to be very careful about when we communicate this. Project Hercules, either in its first release or any later releases, isn't replacing anything directly. It's a complementary set of technologies and capability. We have to think of it as a wider set of functionality though - customers are demanding solutions to solve new and complex threat scenarios that require a new platform, but not at the cost of their existing one. And importantly, they may or may not have an ArcSight deployment already! Project Hercules will bring a huge amount of value to an existing ArcSight customer - think 1+1=3, but it will also bring a lot of value to a NON-ArcSight customer too. You can see a lot of these components in the architecture already with things like the Event Broker and direct integration with Hadoop. You can see where we are going and looking to embrace here.
3) Working with ArcSight components - this is a follow-on from 2) above, but yes, the plan is absolutely to have a 1+1=3 story here. It is not a replacement for ESM, Logger, UBA or anything else. It is bringing a set of capabilities and functionality to bring these and other platforms together into a single cooperating platform (that's the longer-term view, by the way). It could be ArcSight ESM, UBA and a third-party system, that's fine, but the idea is that you get MORE value and it's EASIER if you have ArcSight components. But this is key though, a modern enterprise environment needs better integration, more flexibility and wider architectural coverage and options. That means we need to embrace what these customers want to do - and not lock out where they want to go. This is a big shift from where we have been.
4) Roadmap - as mentioned above, we can't share a detailed roadmap directly and we can't post it on a public forum (even though it's moderated) either. However, we can share some specifics with you if you want - drop me a note and I will see what I can do though.
As for my points though:
1) Project Hercules is a wider platform - what has been shown as early mock-ups and demos at Protect 16 were for a wider platform, but to get there, we need to deliver the platform! This means that we are providing a flexible architecture as part of phase one which will expand to more over time. Don't expect the full set of functionality from day one, but expect it to roll out pretty quickly from there though. The first component will be the platform and some core functionality that will address specific requirements that customers have asked for. This is great and we will have a VERY strong solution to address these. But it's the flexibility and capability that this platform provides that will allow us to move forward on the rest of the capabilities in Hercules.
2) Customers have to do more - it's interesting to see how some competitors talk about the SIEM market and what is happening. On one side you have some vendors still talking simple use cases, out-of-the-box content and fast installs. On the other side you have some talking about the ability to take in everything and do analysis later. The reality for pretty much most customers is in the middle. But, and this is the critical point that some competitors don't want to hear - IT'S NOT GOING TO BE IN ONE PLATFORM. Sorry for the daft film / book reference, but there won't be 'one data store to rule them all'. To expect one database to do everything is narrow-minded, overly simplistic and severely limiting. Regardless of what happens and where we go, customers absolutely will have multiple data stores to address specific use cases, requirements and functional areas. We won't like it, but there will be graph databases, open source storage systems, high speed analytics platforms and compliance data stores. All different - but importantly, you will need to do more and address more. Customers want to do more, have to do more and this means they need to store more - Project Hercules is one part of this puzzle, but an open architecture is also another key element of this.
3) Detection is KEY - I've sat in on many meetings, calls and presentations with customers and seen how we all (and that includes us too) get distracted with some of the technical aspects. Ultimately we need to detect more. If it's hackers, attackers, insiders or anything else, we need to detect this. And focusing on collection, storage and retention is only part of the puzzle. And while I am earning a little bit of a reputation here, let's be clear, security monitoring isn't about how much you can ingest and it's not about how many days you can search across. It's about detecting things, which could use these technical aspects, but it also may not. This technology has to do something and drive our detection capability. At the moment, I see far too many customers launching projects to store petabytes worth of data with no understanding of what they want to do it for, what the use cases are or how they might address it. Collecting more data doesn't solve anything - it just makes the problem bigger. Project Hercules brings a fresh approach to this and provides flexibility, capability and a high speed back-end, but also provides an open architecture to integrate and interoperate with other systems and tools. It's a piece of the puzzle, not the whole puzzle.
4) Open Architecture is the way forward - pretty obvious really, and following on from what I said before, but we MUST have an open architecture. Clearly, Hercules will be built on some of our technologies as well as some others that aren't directly advertised yet, but the key point is that it will be an architecture that will be open and that can embrace and integrate with other systems. Equally, customers will expect to see this going forward. One great example of this is that I simply never get asked about the 'security of the underlying database for ESM'. We used to get asked this with each and every customer around 3-5 years ago. These days, it's absolutely not relevant. Odd that customers don't think that the single biggest collection of intelligence that could be used by an attacker isn't protected, but it's a change in the approach - it's better to share, integrate and interoperate than it is to lock up and secure. It's a change and we must address this.
5) Competitors - and finally, some cheap hits against competitors? Nah, not really. I made a comment above about a single data store and I absolutely stand by that. We have to remember what we are here for and that's to build a platform and strategy that allows us to detect more, identify threats earlier and ultimately provide a system to reduce risk. What I do see is a lot of attempts by competitors to over-simplify this area. And while our marketing might have been a little over-enthusiastic in the past, building, running and executing on a SOC strategy is not simple. It's not about collecting more and it's not about how much content you have 'out of the box'. It's about how it works, who you have running it and how it integrates with the business (as well as many more aspects). The technology used is important, but is largely irrelevant when it comes to a larger set of requirements. Does it make a difference to deploy say IBM, McAfee or Splunk instead of ArcSight? Maybe, but with the right strategy they can and do work. BUT, there are strengths and weaknesses in all and knowing how to address these and how you solve them is key - for us, Project Hercules provides a new architecture, platform and capability to take customers to the next stage - you will be surprised with the performance, capability and flexibility!
Anyway, that's enough from me for the moment. I am likely to be taken out the back of the ArcSight offices and shot for providing too much detail, but hey, it is what it is...
And please do ask questions - can't say I can answer them all, but I am happy to try and elaborate on some stuff where I can.
Re: News about roadmaps, directions ArcSight is going, and Project Hercules?
Let me take this opportunity to assuage your fears about the upcoming Spin-Merge with MicroFocus and its impacts upon ArcSight. Our official position is that there will be no change (beyond logos and company name) visible to ArcSight's customers as a result of the Spin-Merge. ArcSight is still trying to maintain existing products and enhance them/innovate with new products, and this will continue even beyond the date the transaction closes. Our focus is to serve our customers as best as possible.
As for Project Hercules and the ArcSight Road Map, I am happy to coordinate presenting the road map as it is currently envisioned to you individually, and also individually to anyone else who may stumble upon this thread. In the interim, I will attempt to provide a glimpse into the way things with Project Hercules will look.
What Is Project Hercules?
As you may have seen in various forums, Hercules is our effort to create an entirely new application "workbench" to perform deep investigations based on the security event data and other collateral data, as well as serve as the platform for continued ArcSight Analytics innovations. In other words, investigation and hunt capabilities will be delivered, as well as new analytics to slice and dice the data as never before, with a slick new user interface to it.
What Does This Mean For ESM?
ESM isn't going anywhere. It serves a very important purpose in the SOC today and will continue to do so along our roadmap to what we call SOC 2.0 or Next Generation SOC. Initially, ESM will interact with Hercules via an Integration Command to launch the investigation functionality within a Web browser. Think of this as a way to "drill down" or "pivot" on the data we are used to seeing today in ESM. Future work is envisioned to more neatly integrate the systems together and form the backbone of a true "hunt" and analytics workbench capability.
What Does This Mean For ADP (Logger/ArcMC/Connectors)?
ADP isn't going anywhere, either. In fact, we view Hercules as a natural extension of the overall capabilities in our entire product portfolio.
Our goal is to enable the SOC to meet the challenges that are already known today, while having the room to grow to meet the unknown challenges of tomorrow. We remain committed to achieving this goal and setting our customers up for success with their own cyber security goals.
If you have any questions, please do not hesitate to contact me directly.
Thanks and Regards,
ESM Product Manager