ArcSight last week rolled out a bolstered version of its security information management (SIM) product, which aggregates data from multi-vendor equipment, adding a way for customers to spot patterns of attacks and automate a response.
ArcSight’s SIM software today can aggregate security-related information from more than 50 different vendors and present it on a single management console. The company is adding the ability to correlate the information it receives so that, for example, intrusion-detection system (IDS) alerts can be matched against vulnerability-assessment results, and alerts for attacks against hosts that are not vulnerable to them can be de-prioritized, reducing IDS false positives.
The security firm’s CTO, Hugh Njemanze, said ArcSight 3.0 will include a pattern-discovery capability so the SIM software can recognize threats such as repeated attempts to break into a network from multiple sources over a designated period.
“ArcSight 3.0 will discover patterns of activity based on a sequence of events that share targeted IP addresses,” Njemanze says. “For example, if there is a repeated attempt at a brute-force break-in, it will use data mining to discover that.”
ArcSight software runs on several server platforms, including Microsoft Windows, Sun Solaris and IBM’s AIX. Its management console presents status reports based on data collected from multiple vendors’ IDSs, firewalls, routers, switches, servers and other vendor management consoles. The software stores the data it collects in an Oracle database or DB2 Enterprise Edition. Njemanze says ArcSight 3.0 will make more active use of data mining over historical events to recognize patterns of attacks.
In addition, ArcSight 3.0 will add what he called “command-and-control” features that let customers automate a response to an attack.
ArcSight customer Union Bank of California says it has already started making use of the automated response capability that will be part of ArcSight 3.0.
If a person appears to be interacting with malicious intent against the bank’s e-commerce servers, for example, ArcSight can issue a command to block the user’s access to applications for at least a minute, says Bob Justus, senior vice president of corporate information security at the bank, which is based in San Francisco.
A Web server should not be originating an outbound packet, Justus says, and if that ever appeared to be occurring at Union Bank, ArcSight would help identify that and initiate a means to block an outbound connection.
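The three capabilities described in this article (correlating IDS alerts with vulnerability-assessment data to cut false positives, discovering multi-source brute-force patterns against a shared target, and turning findings into a time-limited block, including a block on a web server that originates an outbound connection) can be illustrated with one small correlator. The following is an added example written for this page, not ArcSight code; the host addresses, signature names, scan results and event records are all constructed, and the 60-second hold mirrors the “at least a minute” figure quoted above.

```python
"""Toy SIM correlator (added example, not ArcSight code).

Normalized events from several sources are (1) correlated with vulnerability
scan data to drop IDS false positives, (2) mined for brute-force patterns
spanning several sources against one target, (3) checked for connections
originated by web servers, and (4) turned into short-lived block actions.
All hosts, signatures and events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical asset data: signatures each scanned host is vulnerable to.
VULN_SCAN = {
    "10.0.0.5": {"SIG-1001"},  # web server, vulnerable to SIG-1001 only
    "10.0.0.6": set(),         # web server, fully patched
}
WEB_SERVERS = {"10.0.0.5", "10.0.0.6"}

# Constructed normalized events. Flow records name the initiator as "src".
EVENTS = [
    {"ts": "2009-07-10T10:00:00", "type": "ids", "src": "203.0.113.9", "dst": "10.0.0.5", "sig": "SIG-1001"},
    {"ts": "2009-07-10T10:00:01", "type": "ids", "src": "203.0.113.9", "dst": "10.0.0.6", "sig": "SIG-1001"},
    {"ts": "2009-07-10T10:00:02", "type": "ids", "src": "203.0.113.9", "dst": "10.0.0.7", "sig": "SIG-2002"},
    {"ts": "2009-07-10T10:01:00", "type": "auth_fail", "src": "198.51.100.1", "dst": "10.0.0.5", "user": "admin"},
    {"ts": "2009-07-10T10:01:20", "type": "auth_fail", "src": "198.51.100.2", "dst": "10.0.0.5", "user": "admin"},
    {"ts": "2009-07-10T10:01:40", "type": "auth_fail", "src": "198.51.100.3", "dst": "10.0.0.5", "user": "root"},
    {"ts": "2009-07-10T10:02:00", "type": "auth_fail", "src": "198.51.100.1", "dst": "10.0.0.5", "user": "admin"},
    {"ts": "2009-07-10T10:30:00", "type": "auth_fail", "src": "198.51.100.4", "dst": "10.0.0.6", "user": "bob"},
    {"ts": "2009-07-10T10:03:00", "type": "flow", "src": "10.0.0.5", "dst": "192.0.2.77", "dport": 6667},
    {"ts": "2009-07-10T10:03:05", "type": "flow", "src": "10.0.0.9", "dst": "192.0.2.77", "dport": 443},
]

def correlate_ids(events, vuln_scan):
    """Keep an IDS alert if the target is vulnerable to the signature, or if
    the target was never scanned (unknown exposure must not be suppressed)."""
    kept, suppressed = [], []
    for e in events:
        if e["type"] != "ids":
            continue
        if e["dst"] not in vuln_scan or e["sig"] in vuln_scan[e["dst"]]:
            kept.append(e)
        else:
            suppressed.append(e)
    return kept, suppressed

def find_bruteforce(events, window=timedelta(minutes=5), min_attempts=3, min_sources=2):
    """Pattern discovery over failed logins: per target, slide a time window
    and report once enough attempts from enough distinct sources fall in it."""
    by_target = defaultdict(list)
    for e in events:
        if e["type"] == "auth_fail":
            by_target[e["dst"]].append((datetime.fromisoformat(e["ts"]), e["src"]))
    findings = []
    for target, attempts in by_target.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            run = attempts[start:end + 1]
            sources = sorted({src for _, src in run})
            if len(run) >= min_attempts and len(sources) >= min_sources:
                findings.append({"target": target, "attempts": len(run), "sources": sources,
                                 "first": run[0][0], "last": run[-1][0]})
                break  # report the first crossing of the threshold per target
    return findings

def find_web_egress(events, web_servers):
    """A web server should accept connections, not originate them."""
    return [e for e in events if e["type"] == "flow" and e["src"] in web_servers]

def plan_responses(bruteforce, egress, now, hold=timedelta(seconds=60)):
    """Command-and-control step: findings become block actions that expire,
    so an automated block cannot lock a legitimate user out indefinitely."""
    actions = []
    for f in bruteforce:
        for src in f["sources"]:
            actions.append({"action": "block_src", "address": src, "issued": now, "expires": now + hold})
    for e in egress:
        actions.append({"action": "block_outbound", "address": e["src"], "dst": e["dst"],
                        "issued": now, "expires": now + hold})
    return actions

def run(events=EVENTS, vuln_scan=VULN_SCAN, web_servers=WEB_SERVERS, now=datetime(2009, 7, 10, 10, 5)):
    kept, suppressed = correlate_ids(events, vuln_scan)
    brute = find_bruteforce(events)
    egress = find_web_egress(events, web_servers)
    return {"ids_kept": kept, "ids_suppressed": suppressed, "bruteforce": brute,
            "egress": egress, "actions": plan_responses(brute, egress, now)}

if __name__ == "__main__":
    import pprint
    pprint.pprint(run())
```

Two design points carry over to a real deployment: an IDS alert against a host the scanner has never seen is kept rather than suppressed, because absence of scan data is not evidence of safety, and every automated block carries an expiry so that a false positive in the pattern logic produces a minute of disruption rather than a standing outage.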