Oxford-based Secerno has re-engineered parts of its product to integrate with the ArcSight centralised events monitor. This will enable alerts, which Secerno's product creates when it sees unusual database activity, to be more easily interpreted and correlated by ArcSight's information events management system.
"ArcSight is very good at collecting security alerts about malware and intrusions. But we are now seeing the focus moving away from those threats and to the data," Steve Moyle, chief technology officer of Secerno said. "Because we provide very high quality and trustworthy alerts relating to the way that data is being used, it makes sense to bring those into their centralised alerts and correlations."
This deal is part of ArcSight's Enterprise View partnership programme, which it launched a year ago to broaden the range of other products it can work with.
But Moyle insisted the arrangement was more than just adding Secerno to the list of products that can send alerts to ArcSight. "It is one thing to handle alerts, but you have to process them in some way. One of the challenges that all information event management vendors have is how to make sense of alerts from different vendors in different situations. It takes a lot of tuning," he said.
"We have a very succinct and accurate alerting policy framework, and they can get rich information from that. Our integration effort allows them to get more information value and knowledge from our alerts than just picking up the message that we send," Moyle said.
Secerno tracks database traffic and works by building up a picture of normal traffic on any network. This allows it to spot any deviation from normal behaviour and block it or send out an alert.
According to Ian Kilpatrick, managing director of distributor Wick Hill Group Plc., which recently took on the UK distribution rights for ArcSight, Secerno's approach puts the company in a strong position.
"With a lot of database monitoring products you have to define your policies, but as you move to bigger companies, trying to define a policy to cover what thousands of people should be accessing can become a life's work," Kilpatrick said. "With Secerno, you can just take a snapshot, check that it is alright, and set that as the benchmark for what is acceptable."
Clive Longbottom, an analyst with Quocirca Ltd., played down the importance of the deal to ArcSight and its customers. "ArcSight has to remain technology-neutral and work with a lot of other vendors," he said. The deal, however, would probably benefit existing Secerno customers by providing a more integrated view of systems activity, he added.