arc sight info documents 10 21 2009

ArcSight Ranked Number 236 Fastest Growing Company in North America on Deloitte’s 2009 Technology Fast 500™

Attributes Revenue Growth to Need for Cyber Security and Compliance Solutions CUPERTINO, CA – October 21, 2009 – ArcSight, Inc. (NASDAQ: ARST), a leading global provider of security and compliance management solutions that protect enterprises and government agencies, today announced that it ranked number 236 on Technology Fast 500™, Deloitte LLP’s ranking of 500 of the fastest growing technology, media, telecommunications, life sciences and clean technology companies in North America. Rankings are based on percentage of fiscal year revenue growth during the five-year period from 2004 – 2008. ArcSight’s revenue grew from $15.3 million in fiscal 2004 to $101.5 million in fiscal 2008.

ArcSightCEO Tom Reilly credits the company’s growth over the past five years to the need for cyber security and compliance solutions to enable businesses and government agencies to reduce risk and increase visibility across their IT infrastructure. He said, "Cyber criminals continue to refine their tactics in order to take advantage of all the new opportunities afforded by the vast amount of valuable data housed online, made even more accessible by increasing connectivity. Companies are saying that they need to move beyond monitoring just the network infrastructure and look for threats and risks across the entire enterprise."

“Technology Fast 500™ recognizes innovative companies that have broken down barriers to success and defied the odds with their remarkable five-year revenue growth,” said Phil Asmundson, Vice Chairman and U.S. Technology, Media and Telecommunications leader, Deloitte LLP. "We congratulate ArcSight on this accomplishment."

“With its impressive five-year growth, ArcSight has earned its position among the fastest growing technology, media, telecommunications, life sciences and clean technology companies in North America,” said Mark Jensen, Managing Partner, Technology and Venture Capital Services, Deloitte & Touche LLP. ”Deloitte is proud to honor ArcSight for its achievement.”

Overall, Technology Fast 500™ award winners for 2009 had growth rates ranging from 212 to 146,050 percent over five years, with an average growth rate of 2,486 percent.

Technology Fast 500™ Selection and Qualifying Criteria Technology Fast 500™ provides a ranking of the fastest growing technology, media, telecommunications, life sciences and clean technology companies in North America. This ranking is compiled from nominations submitted directly to the Technology Fast 500™ website, and public company database research conducted by Deloitte. Technology Fast 500™ award winners for 2009 are selected based on percentage fiscal year revenue growth during the five year period from 2004 to 2008.

Deloitte’s 2009 Technology Fast 500TM Media Guidance 4 In order to be eligible for Technology Fast 500™ recognition, companies must own proprietary intellectual property or proprietary technology that contributes to a significant portion of the company's operating revenues. Using other companies' technology or intellectual property in a unique way does not satisfy this requirement. Consulting companies, professional service firms, etc. are not eligible unless they have proprietary technology that contributes to a significant portion of their operating revenues.

Technology Fast 500™ award eligibility requirements also include base-year operating revenues of at least $50,000 USD or CD, and current-year operating revenues of at least $5 million USD or CD. These revenues must have more than doubled between 2004 and 2008. Additionally, companies must be in business for a minimum of five years, and be headquartered within North America.

About ArcSight ArcSight (NASDAQ: ARST) is a leading global provider of security and compliance management solutions that protect businesses and government agencies. ArcSight identifies, assesses, and mitigates both internal and external cyber threats and risks across the organization for activities associated with critical assets and processes. With the market-leading ArcSight SIEM platform, organizations can proactively safeguard their assets, comply with corporate and regulatory policy and control the risks associated with cyber-theft, cyber-fraud, cyber-warfare and cyber-espionage. For more information, visit www.arcsight.com.

About Deloitte As used in this document, “Deloitte” means Deloitte LLP. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

Forward Looking Statement and Other Disclaimers This news release contains forward-looking statements, including without limitation ArcSight’s belief that cyber criminals will continue to refine their tactics in order to take advantage of all the new opportunities afforded by the vast amount of valuable data housed online, made even more accessible by increasing connectivity; and the company’s belief that companies will move beyond monitoring just the network infrastructure and look for threats and risks across the entire enterprise. These forward-looking statements are subject to material risks and uncertainties that may cause actual results to differ substantially from expectations. Investors should consider important risk factors, which include: the risk that cyber threats may not continue to rise or that potential customers may not perceive the benefit of addressing those threats with products such as ArcSight’s; the risk that organizations will not appreciate the value of monitoring beyond the network infrastructure; and other risks detailed under the caption “Risk Factors” in the ArcSight Quarterly Report on Form 10 Q filed with the Securities and Exchange Commission, or the SEC, on September 9, 2009 and the company’s other filings with the SEC. You can obtain copies of the company’s Quarterly Report on Form 10 Q and its other SEC filings on the SEC’s website at www.sec.gov.

ArcSight’s historical growth rates described in this release are not necessarily indicative of the results to be expected for any future period.

- How ArcSight Plans to Stay Ahead of the Curve – 10/13/09 http://www.thestreet.com/story/10610892/1/how-arcsight-plans-to-stay-ahead-of-the-curve.html - ArcSight rings the NASDAQ bell – 10/13/09 http://www.facebook.com/video/video.php?v=101829273169366&ref=mf - ArcSight’s CEO on Jim Cramer’s Mad Money – 10/12/09 http://www.cnbc.com/id/15840232?play=1&video=1293371632 - ArcSight’s YouTube Page: http://www.youtube.com/ArcSightVideo - ArcSight on TheStreet – 10/13/09 http://www.thestreet.com/video/index.html?bcpid=1459183594&bclid=0&bctid=44648841001

ArcSight FraudView in the News: ArcSight app cracks down on financial fraud http://www.infoworld.com/d/security‐central/arcsight‐app‐cracks‐down‐financial‐fraud‐756?source=rss_security_central By Jeremy Kirk, IDG News ‐‐ September 15, 2009 Syndicated in 8 publications: Computerworld, InfoWorld, ITWorld.com, The Industry Standard, Network World, PC World, CIO Germany and IDG Norway FraudView is designed to help banks and brokerage houses detect stock scams and other fraudulent financial transactions ArcSight Leverages Security Correlation Engine with FraudView http://www.channelinsider.com/c/a/Security/ArcSight‐Leverages‐Security‐Correlation‐Engine‐with‐FraudView‐356182/ By Ericka Chickowski, Channel Insider – September 15, 2009 [FraudView] could be a huge opportunity for systems integrators in the financial space who have been hit hard lately by customer’s cost cutting and cancellation of projects that do not offer high ROI. ArcSight launches financial fraud checking appliance <http://www.scmagazineuk.com/ArcSight‐launches‐financial‐fraud‐checking‐appliance/article/148949/> SC Magazine UK – September 15, 2009 Reed Henry, senior vice president of marketing, ArcSight, said: “We are seeing the rise and growth in sophistication of threats to sensitive financial information, infrastructure and operations. Organisations need advanced technology available to head off potential risk. “ArcSight FraudView is already being used to detect wire fraud in wholesale banks and ‘pump and dump' stock schemes in retail brokerages. In these cases, the combination of multiple bits of information into a single risk score provided by ArcSight FraudView aids the institution in preventing a fraudulent transaction from occurring.” Dark matter: Black gold for IT http://www.infoworld.com/d/data‐management/dark‐matter‐black‐gold‐it‐729 By Eric Knorr, InfoWorld – September 15, 2009 To take a timely example, ArcSight ‐‐ one of the leading SEM vendors ‐‐ just announced FraudView, which mines security log data for statistically significant patterns of nefarious activity. According to Reed Henry, senior vice president of marketing for ArcSight, FraudView is already being used to detect wire fraud in wholesale banks and "pump and dump" stock schemes in retail brokerages. Protect ’09 and Keynotes in the News: CEO Tom Reilly describes ArcSight’s strategies for combating rampant cyber‐security threats http://www.gsnmagazine.com/cms/features/news‐analysis/2649.html Government Security News – September 15, 2009 Having listed this formidable array of cyber‐threats, Reilly hastened to point out that with the evolving nature and scope of the threats, the ArcSight platform is evolving and changing as well. “Cloud awareness,” “Transaction Integrity” and “Log Management“ are all important considerations, he said, with a new “Fraud View” product being introduced at the Protect 09 event. Melissa Hathaway proposes cyber threat reduction through public‐private partnership http://www.gsnmagazine.com/cms/features/news‐analysis/2648.html Government Security News – September 15, 2009 Cyber security is everyone’s responsibility...That was the central thesis of Melissa Hathaway’s keynote speech on Day One of this week’s ArcSight Protect ’09 client symposium in Washington, DC. And as former Acting Senior Director for Cyberspace on the National Security Council and the Homeland Security Council in the Obama administration, Hathaway clearly knows what she’s talking about. Melissa Hathaway urges more cooperation, government attention to cybersecurity http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1368168,00.html By Michael Mimoso, SearchSecurity.com – September 14, 2009 Hathaway was the keynote speaker Monday at ArcSight's annual user conference, Protect '09. Much of Hathaway's address touched upon points she made in the Cyberspace Policy Review, released May 29.

Pressure builds on Obama to appoint cybersecurity coordinator http://fcw.com/articles/2009/09/14/web‐cyber‐coordinator‐urged.aspx By Ben Bain, Federal Computer Week – September 14, 2009 Meanwhile, in addition to speculation over whom Obama will pick, observers have also questioned whether the official will have enough power. James Lewis, who directs the CSIS Commission, said the new adviser will be taking a job “three months late, three layers down and after the ship has been shot full of holes.” Lewis made the comments today during a panel discussion at the ArcSight Protect ’09 conference near Washington. “It’s easier to herd cats on day one than it is to herd them on day 112,” said Lewis, who directs CSIS’ technology and public policy program. Hathaway: Feds Starting to Get Cybersecurity http://www.internetnews.com/security/article.php/3839001/Hathaway+Feds+Turning+a+Corner+on+Cybersecurity.htm By Kenneth Corbin, InternetNews.com – September 14, 2009 "The speed, scale and solutions need to outpace our opponents, and we're not doing a very good job right now," [Melissa Hathaway] said this morning at the ArcSight Protect 09 security conference. "The threat is outpacing our defenses. It's growing at a volume and velocity never imagined before." Outlook dim for international cooperation to fight cyber attacks http://www.nextgov.com/nextgov/ng_20090914_2629.php?oref=topnews By Jill R. Aitoro, NextGov – September 14, 2009 "It's one grid, one global network, and we're all stuck in the same boat," said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. "We need to establish some rules." Hathaway on cyber security for the first time after leaving the White House <http://www.net‐security.org/secworld.php?id=8092> By Zeljka Zorz, Help Net Security – September 15, 2009 internetnews reports that in her keynote at the ArcSight Protect 09 security conference she warned about the fast‐paced nature and the severity of cyber threats to digital networks.

ArcSight Reports 25% Year-over-Year Growth for Fiscal First Quarter Ended July 31, 2009 Company Posts Total Revenues of $34.6M for Fiscal First Quarter and GAAP and Non-GAAP Earnings per Diluted Share of $0.03 and $0.09, Respectively

For the Fiscal First Quarter:

• Total Revenue: $34.6M, a 25% increase year-over-year • GAAP Net Income: $1.0M or $0.03 per diluted share • Non-GAAP Net Income: $3.2M or $0.09 per diluted share • Positive Cash Flows from Operations: $9.0M

CUPERTINO, CA – September 3, 2009 – ArcSight, Inc. (NASDAQ: ARST), a leading global provider of security and compliance management solutions that protect enterprises and government agencies, today announced financial results for its fiscal first quarter ended July 31, 2009.

For the first quarter of fiscal 2010, ArcSight reported total revenues of $34.6 million compared to total revenues of $27.7 million reported in the first quarter of fiscal 2009. Net income on a GAAP basis for the first quarter of fiscal 2010 was $1.0 million, or $0.03 per diluted share, including $222,000 in amortization of intangible assets and $1.9 million in stock-based compensation expense. This compares to a GAAP net loss of $1.3 million, or $(0.04) per diluted share, reported in the first quarter of fiscal 2009, including $211,000 in amortization of intangible assets and $1.4 million in stock-based compensation expense.

Non-GAAP net income for the first quarter of fiscal 2010 was $3.2 million, or $0.09 per diluted share, excluding the above-mentioned amortization and stock-based compensation charges. This compares to a non-GAAP net income of $0.3 million, or $0.01 per diluted share, reported in the first quarter of fiscal 2009, excluding the above-mentioned charges.

During the first quarter of fiscal 2010, the company generated $9.0 million in cash from operations and closed the first quarter with cash and cash equivalents of $101.5 million.

“ArcSight’s strong first quarter reflects our continued execution of our three business imperatives for fiscal 2010, namely focusing on our customers’ success to drive follow-on product purchases, pursuing new high value opportunities by leveraging our platform for enterprise-wide threat and risk monitoring and extending our reach into the mid-market by leveraging our channel partners,” commented Tom Reilly, president and CEO of ArcSight. “We will continue to serve our customers effectively with a robust platform of product offerings that helps them mitigate risk and protect their most valuable assets in a constantly evolving regulatory and threat landscape.”

Business Outlook

The following forward-looking statements reflect expectations as of September 3, 2009. Results may be materially different and could be affected by the factors detailed in this release and in recent ArcSight SEC filings.

Second Quarter Expectations – Ending October 31, 2009

Based on current business trends and the visibility the company has from first quarter performance, including an anticipated seasonally higher second quarter relative to the company’s first quarter, ArcSight expects revenue for the second quarter of fiscal 2010 to be in the range of $38.5 million to $42.5 million, representing growth in the range of 17-30% over the same quarter of fiscal 2009.

ArcSight expects non-GAAP net income for the second quarter of fiscal 2010 to be in the range of $3.5 million to $4.9 million, or $0.10 to $0.14 per diluted share, which excludes stock-based compensation expense and amortization of intangibles.

Conference Call and Webcast Information

ArcSight will host a conference call and live webcast to discuss these financial results for investors and analysts at 2:00 p.m. Pacific Time on September 3, 2009. To access the conference call, dial 877-397-0284 for the U.S. or Canada and 719-325-4862 for international callers. The webcast will be available live on the Investor Relations section of the company’s website at www.arcsight.com. An audio replay of the call will also be available to investors by phone beginning at approximately 5:00 p.m. Pacific Time on September 3, 2009 until 9:00 p.m. Pacific Time

on September 10, 2009, by dialing 888-203-1112 for the U.S. or Canada or 719-457-0820 for international callers, and entering passcode 9868484. In addition, an archived webcast will be available on the Investor Relations section of the company’s website at www.arcsight.com. Use of Non-GAAP Financial Measures ArcSight reports all financial information required in accordance with generally accepted accounting principles (GAAP). To supplement the ArcSight unaudited condensed consolidated financial statements presented in accordance with GAAP, ArcSight uses certain non-GAAP measures of financial performance. The presentation of these non-GAAP financial measures is not intended to be considered in isolation from, as a substitute for, or superior to, the financial information prepared and presented in accordance with GAAP, and may be different from non-GAAP financial measures used by other companies. In addition, these non-GAAP measures have limitations in that they do not reflect all of the amounts associated with the results of ArcSight operations as determined in accordance with GAAP. The non-GAAP financial measures used by ArcSight include historical non-GAAP net income (loss) and non-GAAP basic and diluted earnings (loss) per share. These non-GAAP financial measures exclude amortization of intangible assets and stock-based compensation from the ArcSight statement of operations.

For a description of these items, including the reasons why management adjusts for them, and reconciliations of these non-GAAP financial measures to the most directly comparable GAAP financial measures, please see the section of the accompanying tables titled "Use of Non-GAAP Financial Information" as well as the related tables that precede it. ArcSight may consider whether other significant non-recurring items that arise in the future should also be excluded in calculating the non-GAAP financial measures it uses.

ArcSight believes that these non-GAAP financial measures, when taken together with the corresponding GAAP financial measures, provide meaningful supplemental information regarding the performance of ArcSight by excluding certain items that may not be indicative of the company’s core business, operating results or future outlook. ArcSight management uses, and believes that investors benefit from referring to, these non-GAAP financial measures in assessing operating results of ArcSight, as well as when planning, forecasting and analyzing future periods. These non-GAAP financial measures also facilitate comparisons of the performance of ArcSight to prior periods. Cautionary Statement Regarding Forward Looking Statements

This news release contains forward-looking statements, including without limitation those regarding ArcSight’s “Business Outlook” (“Second Quarter Expectations – Ending October 31, 2009”); ArcSight’s belief that continued execution against its three business imperatives for fiscal 2010 will result in continued financial performance; ArcSight’s belief that focusing on its customers’ success will drive follow-on product purchases; ArcSight’s intent to pursue new high value opportunities by leveraging its platform for enterprise wide threat and risk monitoring and extend its reach into the mid-market by leveraging its channel partners; ArcSight’s intent to continue to serve its customers effectively with a robust platform of product offerings that helps them mitigate risk and protect their most valuable assets in a constantly evolving regulatory and threat landscape. These forward-looking statements are subject to material risks and uncertainties that may cause actual results to differ substantially from expectations. Investors should consider important risk factors, which include: the risk that demand for our security and compliance management solutions may not increase and may decrease; the risk that competitors may be perceived by customers to be better positioned to help handle compliance violations and security threats and protect their businesses from major risk; the risk that the growth of ArcSight may be lower than anticipated; and other risks detailed under the caption “Risk Factors” in the ArcSight Annual Report on Form 10 K filed with the Securities and Exchange Commission, or the SEC, on July 9, 2009 and the company’s other filings with the SEC. You can obtain copies of the company’s Annual Report on Form 10 K and its other SEC filings on the SEC’s website at www.sec.gov.

The foregoing information represents the company’s outlook only as of the date of this press release, and ArcSight undertakes no obligation to update or revise any forward-looking statements, whether as a result of new information, new developments or otherwise.

About ArcSight

ArcSight (NASDAQ: ARST) is a leading global provider of security and compliance management solutions that protect businesses and government agencies. ArcSight identifies, assesses, and mitigates both internal and external cyber threats and risks across the organization for activities associated with critical assets and processes. With the market-leading ArcSight SIEM platform, organizations can proactively safeguard their assets, comply with corporate and regulatory policy and control the risks associated with cyber-theft, cyber-fraud, cyber-warfare and cyber-espionage. For more information, visit www.arcsight.com. (ARST-IR)

© 2009 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc.

ARCSIGHT, INC.

Condensed Consolidated Balance Sheets

(In thousands)

As of As of

July 31, April 30,

2009 2009

(Unaudited)

Assets

Current assets:

Cash and cash equivalents $ 101,460 $ 90,467

Accounts receivable, net 23,122 34,184

Capitalized software, current 2,303 -

Other prepaid expenses and current assets 3,953 3,861

Total current assets 130,838 128,512

Property and equipment, net 5,326 4,416

Goodwill 5,746 5,746

Acquired intangibles assets, net 1,097 1,319

Capitalized software licenses, non-current 1,913 -

Other long-term assets 1,166 1,168

Total assets

$ 146,086

$ 141,161

Liabilities and stockholders’ equity

Current liabilities:

Accounts payable

$ 3,613

$ 1,432

Accrued compensation and benefits 6,491 11,671

Obligations for software licenses 2,599 363

Other accrued liabilities 4,482 4,337

Deferred revenues, current 34,569 36,160

Total current liabilities 51,754 53,963

Deferred revenues, non-current 7,254 8,888

Obligations for software licenses, non-current 1,753 -

Other long-term liabilities 1,763 1,637

Total liabilities 62,524 64,488

Stockholders’ equity:

Additional paid-in capital 119,526 113,781

Accumulated other comprehensive loss (185)

(314)

Accumulated deficit (35,779) (36,794)

Total stockholders’ equity 83,562 76,673

Total liabilities and stockholders’ equity

$ 146,086

$ 141,161

ARCSIGHT, INC.

Consolidated Statement of Operations

(On a GAAP basis)

(In thousands, except per share amounts)

(Unaudited)

For the Three Months Ended

July 31, July 31,

2009 2008

Revenues:

Products $ 18,265 $ 15,802

Maintenance 11,919 8,568

Services 4,371 3,293

Total revenues 34,555 27,663

Cost of revenues:

Products 1,944 1,655

Maintenance(1) 1,925 1,631

Services(1) 2,630 2,043

Total cost of revenues 6,499 5,329

Gross profit 28,056 22,334

Operating expenses(1):

Research and development 5,598 5,315

Sales and marketing 14,785 14,868

General and administrative 6,018 4,349

Total operating expenses 26,401 24,532

Income (loss) from operations 1,655 (2,198)

Interest income 28 404

Other income and expense, net (117) (99)

Income (loss) before provision for income taxes 1,566 (1,893)

Provision (benefit) for income taxes 551 (563)

Net income (loss) $ 1,015 $ (1,330)

Net income (loss) per common share, basic $ 0.03 $ (0.04)

Net income (loss) per common share, diluted $ 0.03 $ (0.04)

Shares used in computing basic net income (loss) per common share 32,685 30,992

Shares used in computing diluted net income (loss) per common share 35,249 30,992

(1) Stock-based compensation expense as included in above

Cost of maintenance revenues 80 46

Cost of services revenues 33 33

Research and development 429 339

Sales and marketing 612 751

General and administrative 776 234

ARCSIGHT, INC.

Consolidated Statement of Operations

(GAAP to Non-GAAP Reconciliation)

(In thousands, except per share amounts)

(Unaudited)

For the Three Months Ended

July 31, July 31,

2009 2008

GAAP net income (loss) $ 1,015 $ (1,330)

Plus:

a) Stock-based expenses 1,930 1,403

b) Amortization of intangibles 222 211

Non-GAAP net income $ 3,167 $ 284

GAAP net income (loss) per common share, basic $ 0.03 $ (0.04)

Plus:

a) Stock-based expenses 0.06 0.04

b) Amortization of intangibles 0.01 0.01

Non-GAAP net income, basic $ 0.10 $ 0.01

Non-GAAP net income, diluted $ 0.09 $ 0.01

Shares used in computing basic net income (loss) per common share 32,685 30,992

Shares used in computing diluted net income (loss) per common share 35,249 33,114

Use of Non-GAAP Financial Information

In addition to the reasons stated above, which are generally applicable to each of the items ArcSight excludes from its non-GAAP financial measures, ArcSight believes it is appropriate to exclude certain items for the following reasons:

Amortization of Intangibles. When analyzing the operating performance of an acquired entity, ArcSight management focuses on the total return provided by the investment (i.e., operating profit generated from the acquired entity as compared to the purchase price paid) without taking into consideration any allocations made for accounting purposes. Because the purchase price for an acquisition necessarily reflects the accounting value assigned to intangible assets (including acquired in-process technology and goodwill), when analyzing the operating performance of an acquisition in subsequent periods, ArcSight management excludes the GAAP impact of the amortization of acquired intangible assets to its financial results. ArcSight believes that such an approach is useful in understanding the long-term return provided by an acquisition and that investors benefit from a supplemental non-GAAP financial measure that excludes the accounting amortization expense associated with acquired intangible assets.

In addition, in accordance with GAAP, ArcSight generally recognizes expenses for internally-developed intangible assets as they are incurred until technological feasibility is reached, notwithstanding the potential future benefit such assets may provide. Unlike internally developed intangible assets, however, and also in accordance with GAAP, ArcSight generally capitalizes the cost of acquired intangible assets and recognizes that cost as an expense over the useful lives of the assets acquired (other than goodwill, which is not amortized, and acquired in-process technology, which is expensed immediately, as required under GAAP). As a result of their GAAP treatment, there is an inherent lack of comparability between the financial performance of internally developed intangible assets and acquired intangible assets. Accordingly, ArcSight believes it is useful to provide, as a supplement to its GAAP operating results, a non-GAAP financial measure that excludes the amortization of acquired intangibles.

Stock-Based Compensation. When evaluating the performance of its consolidated results, ArcSight does not consider stock-based compensation charges. Likewise, the ArcSight management team excludes stock-based compensation expense from its operating plans. In contrast, the ArcSight management team is held accountable for cash-based compensation and such amounts are included in its operating plans. Further, when considering the impact of equity award grants, ArcSight places a greater emphasis on overall stockholder dilution rather than the accounting charges associated with such grants.

ArcSight believes it is useful to provide a non-GAAP financial measure that excludes stock-based compensation in order to better understand the long-term performance of its business.

Print Back to story

CUPERTINO, Calif.--(BUSINESS WIRE)--ArcSight, Inc. (NASDAQ:ARST - News), a leading global provider of security and compliance management solutions that intelligently identify and mitigate cyber threat and risk for businesses and government agencies, today announced it was named top “in use” vendor for both event log management system and security information event management (SIEM) product categories among Fortune 1000 (F1000) security professionals in TheInfoPro’s™ Information Security Study: Technology Roadmap (Wave 11, Q2 2009).

TheInfoPro’s Information Security Study: Technology Roadmap (Wave 11, Q2 2009) is based on interviews with 246 information security professionals at F1000 and MSE organizations in North America and Europe that were completed in May 2009. The study provides detailed plans about usage patterns for 43 information security technologies that fall under the following categories: network access, network malware protection, network communication content protection, identity management, vulnerability management, access management, data protection and outsourced security services.

Log management solutions ranked among the top of both the study’s Fortune 1000 (F1000) and Midsize Enterprise (MSE) Security Management Solutions Heat Indices, which gauges the immediacy of user need and planned spending.

Other findings of note from TheInfoPro’s Information Security Study: Vendor Performance Report (Wave 11, Q2 2009) include:

100 percent of the current ArcSight customers who took part in the study indicated that they have no plans to switch to a competitor.

50 percent of participants that rated ArcSight plan to spend more money on its products in 2010 than they did in 2009.

ArcSight received the highest possible ratings in the areas of “delivery as promised” and “brand / reputation,” and solid customer ratings in the areas of “technical innovation,” “features / functions” and “product quality.”

“We’re happy that TheInfoPro’s Information Security Study recognizes again how important ArcSight’s compliance and security management solutions are to the industry and more importantly, our customers,” said Tom Reilly, president and CEO of ArcSight. “In the current economic environment, we are seeing a barrage of sophisticated cyber attacks. We’re working closely with our customers to give them real-time awareness of cyber threats and risks that occur within and outside the organization.”

“Each year, respondents to our Information Security Study continue to give ArcSight high results in the “delivering as promised” and “brand reputation” categories for their SIEM and event log management solutions,” said Bill Trussell, Managing Director of Information Security Research at TheInfoPro. “Our interviewees indicate that organizations are choosing the ArcSight brand to give them the tools they need to protect their business from cyber threat and risk.”

About TheInfoPro

TheInfoPro is the only independent research network for the Information Technology (IT) industry. Through a peer network of over 1800 of the world’s largest buyers and users of IT, including Citigroup, FedEx, McGraw-Hill, MasterCard, Pfizer, Vodafone, PepsiCo, JPMorgan Chase, and Harvard University, TheInfoPro delivers detailed budget, vendor performance and technology roadmap data without spin or bias. Known as the “voice of the customer,” TheInfoPro helps IT professionals, technology providers, and institutional investors make sound decisions on technologies, vendor relationships and investments. TheInfoPro was founded in 2002 by alumni of Gartner, Giga, EMC, and Bell Labs. To learn more, visit www.theinfopro.net or call 1-212-672-0010.

About ArcSight

ArcSight (NASDAQ: ARST - News) is a leading global provider of security and compliance management solutions that protect businesses and government agencies. ArcSight identifies, assesses, and mitigates both internal and external cyber threats and risks across the organization for activities associated with critical assets and processes. With the market-leading ArcSight SIEM platform, organizations can proactively safeguard their assets, comply with corporate and regulatory policy and control the risks associated with cyber-theft, cyber-fraud, cyber-warfare and cyber-espionage. For more information, visit www.arcsight.com.

Forward Looking Statements

This news release contains forward-looking statements, including without limitation those regarding findings from TheInfoPro’s Information Security Study that 100 percent of the current ArcSight customers who took part in the study indicated that they have no plans to switch to a competitor and that 50 percent of respondents who rated ArcSight plan to spend more money on its products in 2010 than they did in 2009. These forward-looking statements are subject to material risks and uncertainties that may cause actual results to differ substantially from expectations. Investors should consider important risk factors, which include: the risk that demand for our compliance and security management solutions may not increase and may decrease; the risk that competitors may be perceived by customers to be better positioned to help handle compliance violations and security threats and protect their businesses from major risk; and other risks detailed under the caption “Risk Factors” in the ArcSight Annual Report on Form 10-K filed with the Securities and Exchange Commission, or the SEC, on July 9, 2009 and the company’s other filings with the SEC. You can obtain copies of the company’s Annual Report on Form 10-K and its other SEC filings on the SEC’s website at www.sec.gov.


ArcSight Ranked as Top "In Use" Vendor for Event Log Management System and Security Information Event Management According To TheInfoPro's Information Security Study Press Release Source: ArcSight, Inc. On Tuesday July 28, 2009, 8:00 am EDT

Page 1 of 2ArcSight Ranked as Top "In Use" Vendor for Event Log Management System and Securit...

7/28/2009http://finance.yahoo.com/news/ArcSight-Ranked-as-Top-In-Use-bw-2757755562.html/pri...

mdriscoll

Highlight

mdriscoll

Highlight

mdriscoll

Highlight

June 19, 2009 Scott Zeller • [email protected] • 617-457-0903

Infrastructure Software / Software

ArcSight, Inc. (ARST) – Buy ARST: Reiterate BUY, raise target from $19 to $21 after positive investor meetings We hosted ArcSight management on Thursday for investor meetings; investor interest was quite strong. We found discussions to be positive, with the questions noticeably shifting away from a focus on earnings and margins, and focusing more often on drivers for revenue growth. Our view is investors are weighing the fundamentals of demand for ARST products vs. ability to scale the company, and also the timing of such revenue growth (near-term vs. long-term). Our impression is investors view last week’s quarterly guidance as conservative, yet appropriate – as evidence, we point to the flattish recent performance of shares, despite conservative guidance below consensus for F1Q. We believe near-term (FY10) revenue growth is likely to be driven by continued growth in the public sector and enterprise appliances; longer-term growth (FY11, beyond) is likely to be driven by utilities/power grid/infrastructure, as well as certain just-initiated government agency projects, called out by management as important contributors, yet still too early for FY10 contribution. On the earnings picture, we believe the company has moderated expectations for margins with last week’s comments about FY10 being an investment year for the company; investors may find this passable, so long as the revenue growth remains robust. Reiterate BUY, upping target from $19 to $21, no change to our above-consensus estimates, which are likely conservative. • Focus on revenue growth – near-term vs. long term. A nuance we had

not previously understood is that although government is the biggest revenue vertical at ARST, several government projects were started in the most recent two quarters, and have “seeded” large projects for the future; we were encouraged by this because it suggests FY11 revenue strength, and at the same time explains why currently 70% of revs come from existing customers.

• Customer “lifecycle” revenue growth grabs attention. We believe management’s emphasis on how an initial $300k deal grows over a few years to be 3x original investment (or greater) caught investor attention and is a positive of the ARST long term growth story.

• Reiterate BUY, raise target from $19 to $21, no change to our above-consensus estimates, which are likely conservative. Our $21 target is 3.0x EV/FY11 revenue, and 30x our FY11 $0.70 EPS estimate. We chose to up our target from 2.7x up to 3.0x EV/FY11 revenue, based on similar valuations for revenue growth comps, including RVBD (now 3.1x EV/revs) and VMW (now 5.2x EV/revs).

Price Target Change

Price (06/18/09) $17.4812-Month Price Target $21.0052-Week range $18.72-4.74Shares Out. (MM) 34.4Market cap (MM) $601.6Avg. daily volume (000) 562.7Financial DataTotal Debt/Cap. 0.0%Price/LTM Rev. 4.4xTangible BVPS $2.02Net Cash Per Share $2.63

Market Data

ArcSight, Inc. participates in the security software market, where it is a leader in the event management market. ArcSight products help customers manage IT performance alerts by collecting, correlating and prioritizing risk items.

ArcSight, Inc. Price 06/18/09

4

6

8

10

12

14

16

18

20

Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun

Volume (000)

05001,0001,5002,0002,5003,0003,500

Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun

FY FY FY04/30/09 A 04/30/10 E 04/30/11 E

Old New Old NewRev. (MM) $136.2 $159.2 $159.2 $189.0 $189.0Growth 34.1% 16.9% 16.9% 18.7% 18.7%Op. Mar. 13.8% 18.2% 20.8%EPS: 1Q 0.01 0.08 0.08 0.15 0.15EPS: 2Q 0.11 0.13 0.13 0.17 0.17EPS: 3Q 0.21 0.16 0.16 0.19 0.19EPS: 4Q 0.18 0.17 0.17 0.20 0.20

EPS: Year 0.51 0.54 0.54 0.70 0.70Growth nm 7.1% 7.1% 29.9% 29.9%

P/E Ratio 18.0x 32.3x 32.3x 24.9x 24.9x

Note: Pro forma earnings estimates displayed above do not include one-time items or any stock compensation expenses.

Disclosures applicable to this security: B, G.Disclosure explanation on the inside back cover of this report.

2 An Investment Analysis by Needham & Company, LLC

Summary We hosted ArcSight management on Thursday for investor meetings; investor interest was quite strong. We found discussions to be positive, with the questions noticeably shifting away from a focus on earnings and margins, and focusing more often on drivers for revenue growth. Our view is investors are weighing the fundamentals of demand for ARST products vs. ability to scale the company, and also the timing of such revenue growth (near-term vs. long-term). Our impression is investors view last week’s quarterly guidance as conservative, yet appropriate – as evidence, we point to the flattish recent performance of shares, despite conservative guidance below consensus for F1Q. We believe near-term (FY10) revenue growth is likely to be driven by continued growth in the public sector and enterprise appliances; longer-term growth (FY11, beyond) is likely to be driven by utilities/power grid/infrastructure, as well as certain just-initiated government agency projects, called out by management as important contributors, yet still too early for FY10 contribution. On the earnings picture, we believe the company has moderated expectations for margins with last week’s comments about FY10 being an investment year for the company; investors may find this passable, so long as the revenue growth remains robust. Reiterate BUY, upping target from $19 to $21, no change to our above-consensus estimates, which are likely conservative Focus on revenue growth – near-term vs. long term. A nuance we had not previously understood is that although government is the biggest revenue vertical at ARST, several government projects were started in the most recent two quarters, and have “seeded” large projects for the future; we were encouraged by this point because it points to FY11 revenue strength, and also answers how revenue from existing customers has climbed to 70% range in recent two quarters (customer wins healthy, yet some newer gov’t wins generating moderate/early revenue). Margin story consistent with recent call – this year is an investment year. As described on last week’s earnings call, FY10 is an infrastructure growth year for ARST as it focuses on international revenue growth and domestic channel partner programs; this is baked in shares, as FY10 EPS growth now sub 5%. Focus is on revenue growth. Customer “lifecycle” revenue growth caught attention. We believe management’s emphasis on how an initial $300k deal grows over a few years to be 3x original investment (or greater) caught investor attention and is a positive of the ARST long term growth story. Follow on purchases include: additional endpoint tracking, new geographies, and additional appliances. Field info encouraging. Our view is fundamental demand for ARST’s compliance security software remains solid; we base this view on field discussions with several private company competitors to ARST. As CEO Tom Reilly has said, (paraphrase) “audit occurs during a down economy as well as a good economy”, and ARST software supports compliance and audit, making it less discretionary in IT budgets. Reiterate BUY, raise target from $19 to $21, no change to our above-consensus estimates, which are likely conservative. Our $21 target is 3.0x EV/FY11 revenue, and 30x our FY11 $0.70 EPS estimate. We chose to up our target from 2.7x up to 3.0x EV/FY11 revenue, based on similar valuations for revenue growth comps, including RVBD (now 3.1x EV/revs) and VMW (now 5.2x EV/revs) Risk statement: Buyers of ARST shares face risks including but not limited to: a continued challenging IT spending environment, competition from larger better

An Investment Analysis by Needham & Company, LLC 3

capitalized participants in the network equipment and enterprise software markets; the challenge of growing international revenues.


Income Statement: Arc Sight, Inc. (ARST)

F1Q F2Q F3Q F4Q F1Q F2Q F3Q F4Q F1Q F2Q F3Q F4QFY08 July 08 Oct 08 Jan 09 Apr 09 (A) FY09 July 09 (E) Oct 09 Jan 10 Apr 10 FY10 July 10 Oct 10 Jan 11 Apr 11 FY11

Products 63.765 15.802 19.169 21.775 23.870 80.616 19.000 22.000 23.000 25.000 89.000 20.000 24.000 26.000 28.000 98.000Maintenance 27.607 8.568 9.530 10.004 10.419 38.521 11.000 12.000 13.000 14.000 50.000 15.000 16.000 17.000 18.000 66.000Services 10.173 3.293 4.136 4.613 4.989 17.031 4.500 4.800 5.200 5.700 20.200 5.500 6.000 6.500 7.000 25.000 TOTAL REVENUE $101.545 $27.663 $32.835 $36.392 $39.278 $136.168 $34.500 $38.800 $41.200 $44.700 $159.200 $40.500 $46.000 $49.500 $53.000 $189.000 cost of product 4.767 1.655 1.844 2.637 2.459 8.595 2.100 2.300 2.400 2.500 9.300 2.200 2.500 2.500 2.700 9.900 gross mgn product 93% 90% 90% 88% 90% 89% 89% 90% 90% 90% 90% 89% 90% 90% 90% 90%cost of maintenance 5.585 1.585 1.609 1.581 1.870 6.645 1.900 2.000 2.200 2.400 8.500 2.500 2.700 2.900 2.100 10.200 gross mgn maint 80% 82% 83% 84% 82% 83% 83% 83% 83% 83% 83% 83% 83% 83% 88% 85%cost of services 5.685 2.010 2.348 2.553 2.822 9.733 2.500 2.700 2.900 3.200 11.300 3.000 3.300 3.600 3.900 13.800 gross mgn svcs 44% 39% 43% 45% 43% 43% 44% 44% 44% 44% 44% 45% 45% 45% 44% 45% Total Cost of Revenue 16.037 5.250 5.801 6.771 7.151 24.973 6.500 7.000 7.500 8.100 29.100 7.700 8.500 9.000 8.700 33.900 Cost of Sales as % of Revenue 16% 19% 18% 19% 18% 18% 19% 18% 18% 18% 18% 19% 18% 18% 16% 18%

Gross Profit 85.508 22.413 27.034 29.621 32.127 111.195 28.000 31.800 33.700 36.600 130.100 32.800 37.500 40.500 44.300 155.100 GROSS MGN 84.2% 81.0% 82.3% 81.4% 81.8% 81.7% 81.2% 82.0% 81.8% 81.9% 81.7% 81.0% 81.5% 81.8% 83.6% 82.1%

OPEX R & D 18.406 4.976 5.089 4.879 6.251 21.195 5.500 6.000 6.000 6.500 24.000 6.000 7.000 7.000 8.000 28.000 S & M 50.768 14.117 13.605 11.832 14.276 53.830 13.500 14.000 14.500 16.000 58.000 14.000 16.000 17.000 18.000 65.000 G & A 12.758 4.115 4.503 4.157 5.495 18.270 5.000 5.000 5.000 5.000 20.000 5.000 5.500 6.000 7.000 23.500 Other (e.g., amortization) (0.573) (0.211) (0.238) (0.210) (0.211) (0.870) (0.200) (0.200) (0.200) (0.200) (0.800) (0.200) (0.200) (0.200) (0.200) (0.800) Total OPEX 81.359 22.997 22.959 20.658 25.811 92.425 23.800 24.800 25.300 27.300 101.200 24.800 28.300 29.800 32.800 115.700

Loss/Profit From Operations 4.149 (0.584) 4.075 8.963 6.316 18.770 4.200 7.000 8.400 9.300 28.900 8.000 9.200 10.700 11.500 39.400 OPERATING MGN 4.1% -2.1% 12.4% 24.6% 16.1% 13.8% 12.2% 18.0% 20.4% 20.8% 18.2% 19.8% 20.0% 21.6% 21.7% 20.8%Other Income & Interest expense 0.472 0.305 0.300 0.157 (0.068) 0.694 0.000 0.000 0.200 0.200 0.400 0.200 0.200 0.200 0.200 0.800

Pretax Income 4.621 (0.279) 4.375 9.120 6.248 19.464 4.200 7.000 8.600 9.500 29.300 8.200 9.400 10.900 11.700 40.200Taxes 1.131 (0.563) 0.795 2.183 0.149 2.564 1.428 2.380 2.924 3.230 9.962 2.788 3.196 3.706 3.978 13.668 Tax Rate 24% NM 18% 24% 2% 13% 34% 34% 34% 34% 34% 34% 34% 34% 34% 34%

Net Income 3.490 0.284 3.580 6.937 6.099 16.900 2.772 4.620 5.676 6.270 19.338 5.412 6.204 7.194 7.722 26.532

Diluted Shares Outstanding 25.936 33.114 32.780 33.494 34.416 33.451 35.000 35.500 36.000 36.500 35.750 37.000 37.500 38.000 38.500 37.750

EPS $0.12 $0.01 $0.11 $0.21 $0.18 $0.51 $0.08 $0.13 $0.16 $0.17 $0.54 $0.15 $0.17 $0.19 $0.20 $0.70

Total Revenue Y/Y 45% 39% 33% 32% 34% 34% 25% 18% 13% 14% 17% 17% 19% 20% 19% 19%Total Revenue Q/Q NA -6% 19% 11% 8% NA -12% 12% 6% 8% NA -9% 14% 8% 7% NAEPS Y/Y #VALUE! 321% 7% 30%

R&D as % of revenue 18% 18% 15% 13% 16% 16% 16% 15% 15% 15% 15% 15% 15% 14% 15% 15%S&M as % of revenue 50% 51% 41% 33% 36% 40% 39% 36% 35% 36% 36% 35% 35% 34% 34% 34%G&A as % of revenue 13% 15% 14% 11% 14% 13% 14% 13% 12% 11% 13% 12% 12% 12% 13% 12%

CY08 Revenue $126.266 CY09 Revenue $153.778 CY10 Revenue $180.700EPS $0.34 EPS $0.54 EPS $0.67

FY 2011FY 2010FY 2009


Balance Sheet: Arc Sight, Inc. (ARST)note: figures are cumulative FY 2009

F1Q F2Q F3Q F4Q F1Q F2Q F3Q F4QFY06 FY07 July 07 Oct 07 Jan 08 Apr 08 FY08 July 08 Oct 08 Jan 09 Apr 09 (A) FY09

AssetsCurrent Assets Cash and cash equivalents 16.443 16.917 21.231 71.946 71.946 74.172 75.678 82.891 90.467 90.467 Accounts Receivable, net 12.247 15.554 9.399 26.658 26.658 17.323 23.192 22.223 34.184 34.184 Capitalized software licenses, current 0.000 0.249 1.998 1.900 1.900 0.000 Other prepaid expenses, current assets 1.277 2.207 2.786 3.665 3.665 5.886 4.152 3.176 3.861 3.861 Other 0.000 0.000 0.000 0.000 Total Current Assets 29.967 34.927 0 0 35.414 104.169 104.169 97.381 103.022 108.29 128.512 128.512

Restricted Cash 0.000 0.842 0.842 0.842 0.842 0.000Income taxes receivable 1.020 0.761 0.738 0.391 0.391 0.000Property and equipment, net 1.925 2.753 4.915 4.834 4.834 5.479 5.226 4.749 4.416 4.416Goodwill 0.000 5.746 5.746 5.746 5.746 5.746 5.746 5.746 5.746 5.746Acquired intangible assets, net 0.000 2.734 2.304 2.161 2.161 1.950 1.740 1.530 1.319 1.319Capitalized software licenses, non-current 0.000 0.394 0.589 0.144 0.144 0.000Other 0.014 0.833 3.863 0.292 0.292 1.422 1.411 1.391 1.168 1.168

TOTAL ASSETS 32.926 48.990 0.000 0.000 54.411 118.579 118.579 111.978 117.145 121.706 141.161 141.161

Liabilities and Stockholders' EquityCurrent Liabilities Accounts payable 0.647 2.846 0.834 3.115 3.115 2.548 3.349 1.230 1.432 1.432 Accrued compensation and benefits 3.384 6.678 6.154 11.864 11.864 5.591 6.529 7.757 11.671 11.671 Obligations for software licenses 0.000 0.551 2.427 2.222 2.222 0.000 Other accrued liabilities 2.845 3.869 3.590 3.745 3.745 6.435 6.110 6.485 4.700 4.700 Deferred revenues, current 17.714 24.794 28.678 36.512 36.512 35.613 34.777 33.524 36.160 36.160 Other 0.000 0.000 0.000 0.000 Total Current Liabilities 24.590 38.738 0.000 0.000 41.683 57.458 57.458 50.187 50.765 48.996 53.963 53.963

Deferred revenues, non-current 6.903 4.794 2.734 4.754 4.754 5.152 4.685 3.970 8.888 8.888Other 0.000 0.328 1.709 1.598 1.598 1.643 1.626 1.687 1.637 1.637

TOTAL LIABILITIES 31.493 43.860 0.000 0.000 46.126 63.810 63.810 56.982 57.076 54.653 64.488 64.488

TOTAL STOCKHOLDERS EQUITY 1.433 5.130 0.000 0.000 8.285 54.769 54.769 54.996 60.069 67.053 76.673 76.673Convertible preferred stock 26.758 26.758 26.758 0.000 0.000 0.000Common stock 0.000 0.000 0.000 0.000 0.000 0.000Additional paid-in capital 19.383 23.479 27.391 101.574 101.574 103.087 106.518 108.531 113.781 113.781Deferred stock based compensation (0.396) (0.554) (0.169) (0.053) (0.053) (0.009) (0.002) 0.000Accumulated other comprehensive income (0.003) 0.013 (0.048) (0.045) (0.045) (0.045) (0.255) (0.349) (0.314) (0.314)Accumulated deficit (44.309) (44.566) (45.647) (46.707) (46.707) (48.037) (46.192) (41.129) (36.794) (36.794)

TOTAL LIABILITIES & STOCKHOLDERS' EQUIT 32.926 48.990 0.000 0.000 54.411 118.579 118.579 111.978 117.145 121.706 141.161 141.161

FY 2008


ArcSight, Inc.($ in MM, except per share data) Annual Quarterly

Fiscal Year Ending April 30 FY FY Ending Ending Ending Ending4/30/2008 4/30/2009 7/31/2008 10/31/2008 1/31/2009 4/30/2009

BALANCE SHEETASSETSCash & Short-term Investments 71.9 90.5 74.2 75.7 82.9 90.5Receivables 26.7 34.2 17.3 23.2 22.2 34.2Inventory 0.0 0.0 0.0 0.0 0.0 0.0Other Current Assets 5.6 3.9 5.9 4.2 3.2 3.9 Current Assets 104.2 128.5 97.4 103.0 108.3 128.5Property and Equipment 4.8 4.4 5.5 5.2 4.7 4.4Goodwill and Intangibles 7.9 7.1 7.7 7.5 7.3 7.1Long-term Marketable Securities 0.8 0.0 0.0 0.0 0.0 0.0Other Assets 0.8 1.2 1.4 1.4 1.4 1.2 Total Assets 118.6 141.2 112.0 117.1 121.7 141.2

LIABILITIES AND SHAREHOLDERS' EQUITYCurrent Liabilities 57.5 54.0 50.2 50.8 49.0 54.0Short-term Debt 0.0 0.0 0.0 0.0 0.0 0.0Long-term Debt 0.0 0.0 0.0 0.0 0.0 0.0Shareholders' Equity 54.8 76.7 55.0 60.1 67.1 76.7 Total Liabilities + Shareholders' Equity 118.6 141.2 112.0 117.1 121.7 141.2

INCOME STATEMENTRevenue 101.5 136.2 27.7 32.8 36.4 39.3Gross Profit 85.5 111.2 22.4 27.0 29.6 32.1Operating Income 4.1 18.8 (0.6) 4.1 9.0 6.3Pretax Income 4.6 19.5 (0.3) 4.4 9.1 6.2Net Income 3.5 16.9 0.3 3.6 6.9 6.1Shares Outstanding 25.9 33.5 33.1 32.8 33.5 34.4

CASH FLOW STATEMENTDepreciation and Amortization 2.5 0.0 0.8 1.6 2.5 0.0Cash Flow from Operations 13.5 0.0 3.8 4.5 12.3 0.0Capital Expenditures (4.0) 0.0 (1.2) (1.6) (1.8) 0.0

CASH MANAGEMENT*DSOs 75.9 81.5 71.5 55.5 56.2 64.6Inventory Days 0.0 0.0 0.0 0.0 0.0 0.0Days Payable 67.8 33.2 48.5 45.7 30.4 16.8Cash Conversion Cycle 8.0 48.3 23.0 9.8 25.7 47.9

PROFITABILITYGross Margin 84.2% 81.7% 81.0% 82.3% 81.4% 81.8%Operating Margin 4.1% 13.8% (2.1%) 12.4% 24.6% 16.1%Net Margin 3.4% 12.4% 1.0% 10.9% 19.1% 15.5%Return on Assets* 4.2% 13.0% 1.0% 12.5% 23.2% 18.6%Return on Equity* 11.7% 25.7% 2.1% 24.9% 43.7% 33.9%Total Debt/Capital 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

PER SHARE DATATangible Book Value 1.81 2.08 1.43 1.60 1.78 2.02Cash 2.81 2.70 2.24 2.31 2.47 2.63Net Cash 2.81 2.70 2.24 2.31 2.47 2.63EPS (Pro Forma) 0.12 0.51 0.01 0.11 0.21 0.18EPS (Pro Forma Including Option Expenses)EPS (GAAP)


ANALYST CERTIFICATION

I, Scott Zeller, hereby certify that the views expressed in this research report accurately reflect my personal views aboutthe subject company (ies) and its (their) securities. I also certify that I have not been, am not, and will not be receivingdirect or indirect compensation in exchange for expressing the specific recommendation(s) in this report.

4

6

8

10

12

14

16

18

20

22

Dec 07 Mar 08 Jun 08 Sep 08 Dec 08 Mar 09 Jun 09

Price, Rating, and Price Target History: ArcSight, Inc. (ARST/NASDAQ) as of 6-18-09

Source: Factset (Prices) / Needham (ratings and target price)

9/29/08 B : $11.0

12/10/08 B : $8.0

1/13/09 B : $11.0

3/6/09 B : $13.0

3/26/09 B : $14.0

6/12/09 B : $19.0

6/18/09 B : $21.0

Disclosures applicable to this security: B, G.


% of companies under coveragewith this rating

% for which investment banking serviceshave been provided for in the past 12 months

Strong Buy 4 0Buy 47 6Hold 42 4Under Perform <1 0Rating Suspended 4 0Restricted <1 33Under Review <1 50

Needham & Company, LLC. (the Firm) employs a rating system based on the following (Effective July 1, 2003): Strong Buy: A security, which at the time the rating is instituted, indicates an expectation of a total return of at least 25% over the next 12 months. Buy: A security, which at the time the rating is instituted, indicates an expectation of a total return between 10% and 25% over the next 12 months. Hold: A security, which at the time the rating is instituted, indicates an expectation of a total return of +/- 10% over the next 12 months. Underperform: A security, which at the time the rating is instituted, indicates an expectation that the price will depreciate by more than 10% over the next 12 months. Under Review: Stocks may be placed UR by the analyst, indicating that the stock rating and/or price target are subject to possible change in the near term, usually in response to an event that may effect the investment case or valuation. Rating Suspended: Needham & Company, LLC has suspended the rating and/or price target, if any, for this stock, because there is not a sufficient fundamental basis for determining a rating or price target. The previous rating and price target, if any, are no longer in effect and should not be relied upon. Restricted: Needham & Company, LLC policy and/or applicable law and regulations preclude certain types of communications, including an investment recommendation, during the course of Needham & Company, LLC’s engagement in an investment banking transaction and in certain other circumstances. For disclosure purposes (in accordance with FINRA requirements), we note that our Strong Buy and Buy ratings most closely correspond to a “Buy” recommendation. When combined, 51% of companies under coverage would have a “Buy” rating and 5% have had investment banking services provided within the past 12 months; Hold mostly correspond to a “Hold/ Neutral” recommendation; while our Underperform rating closely corresponds to the Sell recommendation required by the FINRA. Our rating system attempts to incorporate industry, company and/or overall market risk and volatility. Consequently, at any given point in time, our investment rating on a stock and its implied price appreciation may not correspond to the stated 12-month price target. For valuation methods used to determine our price targets and risks related to our price targets, please contact your Needham & Company, LLC salesperson for a copy of the most recent research report on the company you are interested in.

To review our Rating system prior to July 1, 2003, please refer to the following link: http://www.needhamco.com/Research_Disclosure.asp. Stock price charts and rating histories for companies under coverage and discussed in this report are available at http://www.needhamco.com/. You may also request this information by writing to: Needham & Co. LLC, 445 Park Ave., 3rd Floor (Attn: Compliance/Research), NY, NY 10022

ANALYST CERTIFICATION By issuing this research report, each Needham & Company, LLC analyst and associate whose name appears within this report hereby certifies that (i) the recommendations and opinions expressed in the research report accurately reflect the research analyst’s and associate’s personal views about any and all of the subject securities or issuers discussed herein and (ii) no part of the research analyst's or associate’s compensation was, is or will be directly or indirectly related to the specific recommendations or views expressed by the research analyst or associate in the research report. The following disclosures (as listed by letter on the cover page) apply to the securities discussed in this research report: “A” The research analyst and/or research associate (or household member) has a financial interest in the securities of the covered company (i.e., a long

position consisting of common stock). “B” The research analyst and research associate have received compensation based upon various factors, including quality of research, investor client

feedback, and the Firm’s overall revenues, which includes investment banking revenues. “C” The Firm has managed or co-managed a public offering of securities for the subject company in the past 12 months. “D” The Firm and/or its affiliate have received compensation for investment banking services from the subject company in the past 12 months. “E” The Firm and/or its affiliate expect to receive or intend to seek compensation for investment banking services from the subject company in the next

three months. “F” The analyst or a member of the analyst's household serves as officer, director or advisory board member of the covered company. “G” The Firm, at the time of publication, makes a market in the subject company. “H” The Firm, and/or its affiliates beneficially own 1% or more of any class of common equity securities of the subject company. “I” The analyst has received compensation from the subject company in the last 12 months. “J” The subject company currently is or during the 12-month period preceding the date of distribution of this research report was a client of the Firm and

received investment banking services. “J1” The subject company currently is or during the 12-month period preceding the date of distribution of this research report was a client of the Firm

and received non-investment banking securities related services. “J2” The subject company currently is or during the 12-month period preceding the date of distribution of this research report was a client of the Firm

and received non-securities related services. “K” Our affiliate has received compensation for products and services other than investment banking services from the subject company in the past 12

months. This report is for informational purposes only and does not constitute a solicitation or an offer to buy or sell any securities mentioned herein. Information contained in this report has been obtained from sources believed to be reliable, but Needham & Company, LLC. makes no representation as to its accuracy or completeness, except with respect to the Disclosure Section of the report. Any opinions expressed herein reflect our judgment as of the date of the materials and are subject to change without notice. The securities discussed in this report may not be suitable for all investors and are not intended as recommendations of particular securities, financial instruments or strategies to particular clients. Investors must make their own investment decisions based on their financial situations and investment objectives. The value of income from your investment may vary because of changes in interest rates, changes in the financial and operational conditions of the companies and other factors. Investors should be aware that the market price of securities discussed in this report may be volatile. Due to industry, company and overall market risk and volatility, at the securities current price, our investment rating may not correspond to the stated price target. Additional information regarding the securities mentioned in this report is available upon request. © Copyright 2009, Needham & Company, LLC., Member FINRA, SIPC.

445 Park Avenue, New York, NY 10022 (212) 371-8300

ResearchPublication Date: 29 May 2009 ID Number: G00167782

© 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

Magic Quadrant for Security Information and Event Management Mark Nicolett, Kelly M. Kavanagh

Broad adoption of SIEM technology is driven by compliance and security needs. New use cases in areas such as application activity monitoring are emerging.

Publication Date: 29 May 2009/ID Number: G00167782 Page 2 of 22

© 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved.

WHAT YOU NEED TO KNOW

Security information and event management (SIEM) technology provides real-time monitoring and historical reporting of security events from networks, systems and applications. SIEM deployments are often funded to address regulatory compliance reporting requirements, but organizations should also use SIEM to improve security operations, threat management and incident response capabilities.

SIEM technology can be deployed to support three primary use cases: compliance reporting/log management, threat management, or a SIEM deployment that covers both use cases. Most organizations require a general SIEM deployment that implements capabilities in all three areas, but there is variation in use case priority and capability requirements.

The SIEM market is composed of vendors with products that can provide at least basic support for all three use cases, but there is wide variation in the architectural approach and the relative level of support for security event management (SEM), security information management (SIM), user activity monitoring and compliance reporting. (For an evaluation of 11 SIEM products with the largest installed bases with respect to these use cases, see "Critical Capabilities for Security Information and Event Management Technology.")

Security managers considering SIEM deployments should first define the requirements for compliance reporting, log management, user and resource access monitoring, external threat monitoring, and security incident response. This may require the inclusion of other groups in the requirements definition effort, including audit/compliance, IT operations, application owners and line-of-business managers. Organizations should also describe their network and system deployment topology, so that prospective SIEM vendors can propose a solution to a company-specific deployment scenario.

The 2009 Magic Quadrant for SIEM evaluates technology providers with respect to the most-common technology selection scenario — an SIEM project that is funded to solve a compliance reporting issue, but with secondary requirements for effective threat monitoring and SEM. There are numerous variations in SIEM product architecture and deployment options, and wide variation in capabilities for log management, SEM and user monitoring.

Organizations may need to evaluate SIEM products from vendors in every quadrant to best meet specific functional and operational requirements. Product selection decisions should be driven by organization-specific requirements in areas such as the relative importance of SIM and SEM capabilities; the ease and speed of deployment; the IT organization's support capabilities; and integration with established network, security and infrastructure management applications.



MAGIC QUADRANT

Figure 1. Magic Quadrant for Security Information and Event Management

Source: Gartner (May 2009)

Market Overview The SIEM market grew about 30% in 2008, with total revenue at approximately $1 billion. Demand for SIEM remains strong (there is still a growing number of funded projects), but we are seeing a more tactical focus, with Phase 1 deployments that are narrower in scope. Despite a difficult environment, we still expect healthy revenue growth for 2009 in this segment.

The current economic situation constrains external funding for SIEM vendors and raises viability concerns for some privately funded vendors that:

• Are not yet cash-flow positive and will not receive further funding

• Have current investors that need to pull their money out

During 2008, High Tower ceased operations (its assets were acquired by netForensics), and a few smaller, privately held SIEM vendors pared back staffing and channel expansion initiatives to control costs.

SIEM Vendor Landscape



Twenty-one vendors meet Gartner's inclusion requirements for the 2009 SIEM Magic Quadrant. Nine are point-solution vendors, and 12 are vendors that sell additional security or operations products and services. Because SIEM technology is now deployed by a broad set of enterprises, vendors are responding with a shift in sales and product strategy. Larger vendors are working to integrate their SIEM technology with related products or service portfolios, so that they can sell SIEM to existing customers. Vendors of all sizes are developing sales channels that can reach the midsize market in North America, and are developing a presence in Europe, the Middle East and Africa, as well as the Asia/Pacific region, as SIEM deployments increase in these regions.

Some SIEM technology purchase decisions are noncompetitive, because the technology is sold by a large vendor in combination with related security, network or operations management technology. CA, IBM and Novell have integrated their SIEM products with related identity and access management (IAM) offerings, and are selling their SIEM solutions as part of an IAM-related deal. NetIQ has integrated its SIEM technology with its security configuration management and file integrity monitoring technologies. Symantec sells SIEM to large enterprises that use its endpoint security products, and has integrated its SIEM and IT governance, risk and compliance management offerings. Cisco positions its Monitoring, Analysis and Response System (MARS) as a centralized monitoring and automation platform for its self-defending network, and the majority of Cisco MARS sales are part of an equipment acquisition.

In addition to the 21 vendors evaluated, a number of other companies' solutions have SIEM capabilities but do not fully meet our inclusion criteria. However, these vendors sometimes compete with the SIEM vendors in this Magic Quadrant.

Splunk provides event collection, log management and search technology that is sometimes used by customers to investigate security incidents, to gain some of the capabilities provided by SIEM technology, or to complement their SIEM investments. Splunk has released predefined reports for security and compliance use cases. In April 2009, Splunk announced Splunk Enterprise Security Suite — a collection of security applications consisting of packaged searches, correlations, reports, dashboards, visualization and analysis that support security use cases, including compliance reporting, event monitoring, incident response, log management, user and system access reporting, and forensics. Splunk is not included in this evaluation because Enterprise Security Suite was released after our evaluation, and the monitoring Splunk provides is not in real time.

Four vendors are not included in the Magic Quadrant because of their regional or vertical market focus and/or SIEM revenue level:

• S21sec provides an SIEM solution, endpoint protection technology and managed security services to Spain and Latin America, and is planning to expand to additional geographies.

• Tango/04 provides SIEM, operations monitoring and business process monitoring solutions with customer concentrations in Europe and Latin America.

• Tier-3 is an Australian-based company that provides SIEM technology to the Asia/Pacific region. It is increasing its visibility in Europe.

• FairWarning provides user activity and resource access monitoring at the application layer for the healthcare vertical market.

A few vendors sell solutions that are based on licensed SIEM technology. Q1 Labs licenses its technology to vendors that implement the Q1 Labs technology on their own appliances and add specific integrations with their respective management infrastructures. The Enterasys Security Information and Event Manager appliance (also known as Dragon Security Command Console)



has been using the Q1 Labs technology since 2005, and delivers workflow integrations with Enterasys Network Access Control and NetSight Automated Security Manager for Distributed Intrusion Prevention. The Juniper Networks Security Threat Response Manager is an appliance solution that was released early in 2008 that uses the QRadar technology, and is also integrated with Juniper's policy management subsystem. Nortel has discontinued the QRadar for Nortel appliance.

HP has an appliance-based offering that uses technology licensed from SenSage, and is building up an initial installed base. Although the HP Compliance Log Warehouse (CLW) solution is targeted at the broad compliance and SEM market, HP is also using the technology to enable SEM capabilities across its portfolio. HP has made CLW a core element of its Secure Advantage program, and has completed integrations with its ProCurve line of network and security devices, encryption, and software configuration management technologies. In April 2009, HP released an updated version of the CLW product that uses SenSage v.4, which provides major user interface and SEM improvements.

Customer Requirements — Compliance, Log Management, Security and Fraud Detection

Although compliance drives SIEM project funding, most organizations also want to improve external and internal threat-monitoring capabilities. As a consequence, there are requirements for user activity and resource access monitoring for host systems, and real-time event management for network security. Adoption of SIEM technology by a broad set of companies has fostered demand for products that provide predefined compliance reporting and security monitoring functions, and ease of deployment and support. The primary driver of the North American SIEM market continues to be regulatory compliance. More than 80% of SIEM deployment projects are funded to close a compliance gap. European and Asia/Pacific SIEM deployments have been focused primarily on external threat monitoring, but compliance is becoming a strong driver in these regions as well.

Log management functions have become a more important customer requirement because of the following factors:

• Payment Card Industry Data Security Standards (PCI DSS) requirement for log management

• The usefulness of detailed and historical log data analysis for breach investigation and general forensics

• The ability to employ log management in front of a SEM-focused deployment to enable more-selective forwarding of events to correlation engines (thereby, reducing the load on the event manager and improving its scalability)

Application layer monitoring for fraud detection or internal threat management continues to evolve as a use case for SIEM technology. SIEM technology is being deployed alongside fraud detection and application monitoring point solutions to broaden their scope. These projects have been undertaken by large companies in industry vertical markets, such as financial services and telecommunications, as an internally justified security measure. A number of SIEM vendors are beginning to position their technologies as "platforms" that can provide security, operations and application analytics.

An optimal SIEM solution will:

• Support the real-time collection and analysis of log data from host systems, security devices and network devices

• Support long-term storage and reporting



• Not require extensive customization

• Be easy to deploy and maintain

Ease of deployment, ease of support and log management functions are weighted more heavily than advanced event management functions or the ability to heavily customize an SIEM deployment.

SIM as a Service

Most managed security service providers have service offerings for SIM, in addition to their long-standing SEM services. These new services include the collection, analysis, reporting and storage of log data from servers, user directories, applications and databases. SIM services typically forgo real-time monitoring and alerting, and focus on compliance-oriented reporting on exceptions, reviews and documentation, with the ability to store and archive logs for later investigation and for data retention requirements. These offerings are being driven by clients that need to meet compliance requirements and are seeking an alternative to buying and implementing an SIEM product. We do not include an evaluation of the service delivery capabilities of managed security service providers (MSSPs) in this Magic Quadrant.

Market Definition/Description The SIEM market is defined by the customer's need to analyze security event data in real time for internal and external threat management, and to collect, store, analyze and report on log data for regulatory compliance and forensics. SIEM products provide SIM and SEM:

• SIM provides log management — the collection, reporting and analysis of log data (primarily from host systems and applications, and secondarily from network and security devices) — to support regulatory compliance reporting, internal threat management and resource access monitoring. SIM supports the privileged user and resource access monitoring activities of the IT security organization, and the reporting needs of the internal audit and compliance organizations.

• SEM processes log and event data from security devices, network devices, systems and applications in real time, to provide security monitoring, event correlation and incident response. SEM supports the external and internal threat monitoring activities of the IT security organization, and improves incident management capabilities.

Inclusion and Exclusion Criteria The following criteria must be met for vendors to be included in the SIEM Magic Quadrant:

• The product must provide SIM and SEM capabilities.

• The product must support data capture from heterogeneous data sources.

• The vendor must appear on the SIEM product evaluation lists of end-user organizations.

• The vendor must supply production reference accounts for SIEM deployments.

• The solution must be delivered to the customer environment as a product.

Vendors are excluded if:

• The vendor provides SIEM functions that are oriented exclusively to data from its own products.



• The vendor positions its product as a SIEM offering, but the product does not appear in competitive shortlists of end-user organizations.

• The vendor has less than $4 million in SIEM product revenue.

• The solution is delivered exclusively as a managed service.

Added No vendors were added to this update of the SIEM Magic Quadrant.

Dropped High Tower ceased operations in 2008 and has been dropped from this update of the SIEM Magic Quadrant.

Exaprotect was acquired by LogLogic in May 2009 and has been dropped from this update of the SIEM Magic Quadrant.

Evaluation Criteria Ability to Execute

• Product/service evaluates product function in areas such as SIM, SEM, log management, incident management, workflow and remediation support, and reporting capabilities.

• Viability includes an assessment of the organization's financial health, the financial and practical success of the overall company, and the likelihood of the business unit to continue to invest in the product.

• Sales execution/pricing evaluates the technology provider's success in the SIEM market and its capabilities in presales activities. This includes SIEM revenue and the installed base, pricing, presales support and the overall effectiveness of the sales channel. The level of interest from Gartner clients is also considered.

• Market responsiveness and track record evaluates the match of the SIEM offering to the functional requirements stated by buyers at acquisition time, and the vendor's track record in delivering new functions when they are needed by the market. Also considered is how the vendor differentiates its offerings from those of its major competitors.

• Customer experience is an evaluation of product function or service within production environments. The evaluation includes ease of deployment, operation, administration, stability, scalability and vendor support capabilities. This criterion is assessed by conducting qualitative interviews of vendor-provided reference customers. It uses feedback from Gartner clients that are using or have completed competitive evaluations of the SIEM offering.

• Operations is an evaluation of the organization's service, support, and sales capabilities.

Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria Weighting

Product/Service High




Overall Viability (Business Unit, Financial, Strategy, Organization)

High

Sales Execution/Pricing High

Market Responsiveness and Track Record High

Marketing Execution No Rating

Customer Experience High

Operations High Source: Gartner (May 2009)

Completeness of Vision • Market understanding evaluates the ability of the technology provider to understand

buyers' needs and translate those needs into products and services. SIEM vendors that show the highest degree of market understanding are adapting to customer requirements in areas such as log management, simplified implementation and support, and compliance reporting, while also meeting SEM requirements.

• Sales strategy evaluates the vendor's use of direct and indirect sales, marketing, service, and communications affiliates to extend the scope and depth of market reach.

• An offering (product) strategy is the vendor's approach to product development and delivery that emphasizes functionality and feature set as they map to current requirements for SIM and SEM. Development plans during the next 12 to 18 months are also evaluated.

• Innovation evaluates the vendor's development and delivery of SIEM technology that is differentiated from the competition in a way that uniquely solves critical customer requirements. Product capabilities and customer use in areas such as application layer monitoring, fraud detection and identity-oriented monitoring are evaluated, in addition to other capabilities that are product-specific, and are needed and deployed by customers.

Table 2. Completeness of Vision Evaluation Criteria


Market Understanding High

Marketing Strategy Standard

Sales Strategy Standard

Offering (Product) Strategy High

Business Model No Rating

Vertical/Industry Strategy No Rating

Innovation High

Geographic Strategy No Rating Source: Gartner (May 2009)



Leaders The SIEM Leaders quadrant is composed of vendors that have been the most successful in building an installed base and revenue stream within the SIEM market, have a relatively high viability rating (due to SIEM revenue or SIEM revenue in combination with revenue from other sources), and provide products that are a good functional match to general market requirements.

Challengers The Challengers quadrant is composed of vendors that have a large revenue stream (typically because the vendor has multiple product and/or service lines), at least a modest-sized SIEM customer base, and products that meet a subset of the general market requirements. Many of the larger vendors in the Challengers quadrant position their SIEM solutions as an extension of related security and operations technologies.

Visionaries The Visionaries quadrant is composed primarily of smaller vendors that provide SIEM technology that is a good match to general market requirements.

Niche Players The Niche Players quadrant is composed primarily of smaller vendors that provide SIEM technology that is a good match to a specific SIEM use case or a subset of SIEM market requirements.

Vendor Strengths and Cautions ArcSight ArcSight is the most successful and visible SIEM point solution vendor with very broad function. ArcSight has the largest installed base of its point solution competitors. It provides Enterprise Security Manager (ESM) software, which is oriented to large-scale, SEM-focused deployments, and a line of log management and collector appliances that can be implemented stand-alone or in combination with ESM. In April 2009, ArcSight announced general availability of ArcSight Express, an appliance-based offering for ESM designed for the midmarket with preconfigured monitoring and reporting, and simplified data management. Version 3 of the ArcSight Logger appliance line (released in November 2008) provides reporting and collection performance improvements.

Strengths

• ArcSight provides the broadest SIEM function set.

• It has recently introduced an appliance that provides a simpler deployment option for SEM.

• ArcSight continues to be the most visible SIEM point solution vendor in competitive evaluations.

Cautions

• ArcSight's ESM software is oriented to environments that need capabilities that support a security operations center, and it requires substantial end-user expertise in areas such as database tuning.



CA CA has been successful in selling its security information management (SIM) solution as an audit enhancement to its identity and access management (IAM) customers, but has not been competitive in use cases that require SEM. During 2008, CA sold two SIEM products: CA Audit (which CA has successfully sold to its IAM customers) provides basic log data collection and analysis for host systems; Security Command Center (SCC) provides SEM functions. On 20 April 2009, CA announced general availability of CA Enterprise Log Manager, a software appliance that provides log management, compliance reporting and analytics for applications, hosts, network devices and security devices. The product integrates with CA's IAM portfolio and is intended as a replacement for CA Audit. SCC is not widely deployed and requires extensive customization.

Strengths

• CA's SIM solutions are tightly integrated with the IAM technology provided by CA and are most commonly deployed for user activity monitoring on host systems.

• CA's SIM solutions are especially well-suited for organizations that have already implemented other CA IAM or system management products.

• Enterprise Log Manager provides simplified deployment options and better log management for use cases that require a combination of compliance reporting and general log management.

Cautions

• Organizations that require SEM capabilities should also evaluate SEM alternatives from other vendors.

Cisco Cisco provides a widely sold solution that is primarily oriented to network security. Cisco has built the largest SIEM customer base for its Cisco Security Monitoring, Analysis, and Response System (MARS) appliance by positioning it as a component of its self-defending network strategy, and selling it to its network-focused buyers. The technology provides a combination of SEM, SIM and network behavior analysis (NBA) capabilities, and provides effective out-of-the-box network security monitoring and host activity monitoring for the platforms that it supports. Cisco has not done much to expand network device source support beyond its own devices, and MARS is limited in host platform, security device and application support. Cisco continues to have a large effect on all other SIEM vendors because of its SIEM technology presence in such a large number of customer sites.

Strengths

• The MARS SIEM appliance provides "out of the box" network SEM capabilities and is integrated with Cisco Security Manager.

• MARS should also be considered by organizations that want to gain some NBA capabilities from their SIEM deployments.

Cautions

• Although MARS supports basic compliance monitoring for servers, it is not optimal for SIM deployments that require highly customized audit/reporting functions.



• Larger enterprises with heterogeneous network device data source requirements, and those that require consolidated correlation or reporting across multiple appliances will find MARS insufficient for their specific needs.

eIQnetworks eIQnetworks is building an installed base in the enterprise SIEM market with its SecureVue software and appliance. The company licenses SEM technology to MSSPs and also to network security vendors that use it to build SEM capabilities for their product sets. eIQnetworks' SecureVue offering is unique in that it provides broad capabilities that include SEM, SIM, security configuration policy compliance, operational performance functions and some NBA capabilities in a single product. eIQ has been able to win competitive evaluations against other SIEM vendors, especially when the customer has a need for capabilities in these adjacent areas.

Strengths

• The SecureVue offering provides network SEM and compliance-oriented SIM capabilities that are easy to deploy.

• SecureVue provides a broad function set that includes SIEM, performance, security asset and configuration policy compliance capabilities.

Cautions

• eIQnetworks is establishing a market presence for enterprise SIEM and needs to develop broader sales capabilities.

• SecureVue capabilities are broad in areas that are not part of the typical SIEM problem set, and eIQnetworks needs to continue to find prospects that value expanded functions in competitive evaluations.

• SecureVue does not yet have IAM integration beyond active directory and general Lightweight Directory Access Protocol support.

IBM IBM's overall SIEM strategy is further integration with its IAM, security and service management technologies; leverage of ISS-managed services; and development of appliance-based offerings. IBM has three SIEM offerings. IBM Tivoli Compliance Insight Manager (TCIM) is SIM-focused and primarily oriented to user activity monitoring and compliance reporting. Tivoli Security Operations Manager (TSOM) is SEM-focused and primarily oriented to external threat management. Tivoli Security Information and Event Manager (TSIEM) is a loosely integrated bundle of TSOM and TCIM that enables select event sharing and common reporting from TCIM. Further integration is planned.

Strengths

• TSIEM integrates with a wide set of IBM and third-party IAM technologies and applications.

• TSIEM provides strong reporting capabilities for compliance and user activity monitoring.

• IBM is expanding the integration of its SIEM offerings with its operations management technologies.



Cautions

• Although TSIEM provides basic integration between TSOM and TCIM, organizations that need real-time event monitoring of host log events still need to deploy two technologies.

• Although TSIEM implements a log management tier via software, a log management appliance is not yet available from IBM.

Intellitactics Intellitactics has rearchitected its SIEM offerings and now provides both software and appliance-based solutions for security event management compliance and log management. Intellitactics Security Manager (ISM) is a software offering that is highly customizable and optimal for large-scale SEM-focused deployments. The SAFE line of appliances provides data collection, log management and basic SEM. The new appliances address current market requirements for simplification and rapid deployment.

Strengths

• The current Intellitactics SIEM product line provides user interface improvements, and expanded, predefined functionality that reduces deployment and support labor when compared with previous releases.

• Intellitactics provides solutions for large-scale deployments that require customization and solutions for midsize companies that require predefined function and simplified deployment.

Cautions

• Intellitactics must continue its effort to develop sales channels that are effective in reaching a critical mass of midsize companies.

LogLogic LogLogic has expanded from its position as the major log management provider, into direct competition with the broader SIEM providers. LogLogic has expanded its functional capabilities to include SEM, database activity monitoring and network security configuration management. In May 2009, LogLogic closed the acquisition of Exaprotect, which provided SEM and network security configuration management technology. Prior to the acquisition, LogLogic had released its Security Event Manager appliance, which used technology licensed from Exaprotect. In addition, LogLogic has released Database Security Manager, which provides database activity monitoring and security management. This solution uses agent technology in combination with a specialized appliance. LogLogic has also released the Compliance Manager appliance, which provides compliance dashboards and workflow.

Strengths

• LogLogic has augmented its log management functions with taxonomy-based event correlation and management through the acquisition of Exaprotect.

• LogLogic provides the capability to monitor and shield Oracle, SQL Server and Sybase DBMS through the use of specialized agent technology.



Cautions

• LogLogic needs to continue efforts to extend SEM knowledge to its sales force, sales channels and presales support.

LogRhythm LogRhythm's SIEM technology provides SEM and log management capabilities, as well as compliance and security operations reporting. During the past 18 months, the company has expanded beyond its primary installed base of midsize organizations to include larger enterprises. The technology can be delivered in several formats. The Dashboard, Event Manager and Log Manager formats are available as software images, as an all-in-one appliance or as separate appliances for each function. LogRhythm supports agent-based and agentless collection for many host, network and application sources, and the agent also provides basic file integrity monitoring.

Strengths

• LogRhythm's appliances provide a combination of log management and SEM functions that are most appropriate for midsize organizations that require both functions but have limited support capabilities.

Cautions

• Although LogRhythm is growing rapidly, the company is still among the group of smaller vendors in the market and needs to continue to develop its sales channels to maintain its growth.

netForensics netForensics is a SIEM point solution vendor that has a mix of end-user and MSSP customers. Its SIEM solution is composed of three components: (1) nFX SIM One software provides full-function SEM that has traditionally competed with point solutions from vendors such as ArcSight, Intellitactics and Novell. (2) nFX Log One provides log management. (3) nFX Data One provides network and agent-based database activity monitoring. nFX log One and nFX Data One are available as software or an appliance and can be deployed stand-alone or loosely coupled with other nFX components. In January 2009, netForensics acquired the assets of High Tower and will position the Cinixi appliance as a combined log management and event management solution for the midmarket.

Strengths

• The netForensics nFX SIM One software is best-suited for deployments where real-time monitoring is required, flexible reporting is needed, and modest resources exist for customization and support.

• The nFX Log One and nFX Data One appliance components broaden supported use cases to those that require basic log management and database activity monitoring capabilities.

Cautions

• netForensics needs to broaden its presence on competitive evaluations.



NetIQ NetIQ is a business unit of Attachmate. It has a portfolio of security and operations technologies, with a moderately sized SIEM customer base. NetIQ provides operations and security management software products that are integrated but typically deployed individually over time. NetIQ sells its security management products into its operations management installed base, but also to new accounts. The NetIQ Security Manager SIEM product has a large installed base that is primarily oriented to SIM, user activity monitoring and compliance reporting. The technology can be used for network and security device sources, but it is not widely deployed for this use case, because NetIQ does not typically sell to the network security buying center. The core offering is designed to process a filtered subset of log data, but integrated log data collection and archiving capabilities can be used to collect and analyze all log data from every source.

Strengths

• NetIQ Security Manager is most appropriate for deployments that are focused primarily on host log analysis for user and resource access monitoring and regulatory compliance reporting.

• Security Manager is tightly integrated with the Change Guardian product line that provides monitoring and change detection for active directory and file integrity monitoring for host systems.

Cautions

• NetIQ is not optimized for deployments that are primarily focused on event management for network and security devices.

NitroSecurity NitroSecurity is expanding into the SIEM market from its core intrusion detection system (IDS)/intrusion prevention system (IPS) business. The vendor sells SIEM technology into its IDS/IPS installed base and is also selling both solutions to new customers.

The NitroView line of SIEM appliances uses the high-speed event storage and query technology from its IDS/IPS products. NitroView Receiver provides log collection and event correlation. NitroView ESM provides cross-source correlation and a consolidated back store to support high-speed search and reporting.

During 2008, NitroSecurity acquired Rippletech and integrated its database activity monitoring technology with NitroView. Early in 2009, NitroSecurity also acquired Chronicle and is working to enable its network data analysis capabilities with its real-time monitoring.

Strengths

• NitroView provides a mix of SIM and SEM, and its repository can sustain high real-time event insert rates, while supporting high-performance report generation and analytics.

• Database activity monitoring (network monitor and agent-based) is available as an integrated option.

Cautions

• NitroView's embedded incident management support is limited.



Novell Novell's Sentinel software offering is integrated with Novell's IAM solutions, and Novell is actively selling Sentinel as a complementary monitoring and automated remediation technology to its IAM customers. Novell's Compliance Management Platform is an integrated bundle of IAM and SIEM technology. Sentinel is designed for large-scale deployments that require broad and flexible SEM capabilities, but it is complex to deploy and, therefore, is not a good match to Novell's strategy of selling SIEM to its IAM customers. Late in 2008, Novell released the Novell Identity Audit package, which provides basic log management and reporting for Novell's IAM products. At the time of this evaluation, Novell was planning the release of two enhancements: (1) the Sentinel 6.1 Rapid Deployment option — intended to provide simplified deployment and support (2Q09 release); and (2) Sentinel Log Manager — a log management tier for Sentinel (release planned later in 2009).

Strengths

• Sentinel is most appropriate for large-scale SEM-focused deployments where selective collection and analysis of event data are acceptable.

• Sentinel is based on a message bus architecture that provides flexibility and scaling for large deployments.

• The Identity Audit solution is well-suited to organizations that use Novell IAM products and need broader audit capabilities.

Cautions

• Organizations that require log management functions will need to wait for Novell's Sentinel Log Manager release or will need to augment their SEM deployment with third-party log management technology.

• While the Sentinel 6.1 Rapid Deployment release is intended to provide simplified deployment and support, it was not generally available at the time we conducted our evaluation, and we had not yet spoken to production references.

OpenService OpenService provides event management software that covers system management and security management use cases. The technology is scalable, easy to deploy and differentiated in its approach to correlation. Despite its differentiated technology and some very large referenceable customers, OpenService was slow to adapt to the shift in demand to a compliance focus, and has suffered from ineffective sales and marketing. In 2008, the company received additional funding and has a new management team in place. OpenService's InfoCenter is composed of the InfoCenter console, ThreatCenter (risk-based correlation/analysis), LogCenter (log storage), NerveCenter (availability and performance monitoring) and Event Collectors.

Strengths

• OpenService is a good choice for organizations that are looking for an out-of-the-box SEM solution with modest server-side resource requirements.

• OpenService has improved InfoCenter's reporting and user interface features.

• Risk-based correlation evaluates events with respect to threats, vulnerabilities and asset attributes, and is an alternative to rule-based approaches.



Cautions

• Open Service still has limited visibility among Gartner customers in competitive evaluations and must develop broader sales channel partnerships.

• OpenService needs to strengthen its direct sales and marketing capabilities.

Prism Microsystems Prism Microsystems EventTracker software is targeted primarily at midsize commercial enterprises and government organizations with security and operations event management and compliance reporting requirements. Prism continues to improve the event management and compliance reporting capabilities of EventTracker, and the software now supports scalability through virtualization and through hierarchical or multisite deployment. EventTracker includes specific monitoring support for virtual environments. The EventTracker agent also provides support for file integrity monitoring.

Strengths

• EventTracker software is suited for midsize businesses that require one product that provides log management, SEM, compliance reporting and operations monitoring.

• Prism's EventTracker is easy to deploy and maintain, especially in Windows environments, where EventTracker supports centralized agent deployment and management.

• Knowledge Packs provide EventTracker with prebuilt correlation, alerting and reporting for specific compliance regimes or operations requirements.

Cautions

• EventTracker is not well-suited for implementations that require security operations center capabilities or integration with configuration/asset management databases.

• Some Windows vulnerability assessment functions are provided in EventTracker, but the product does not integrate vulnerability assessment data from other vulnerability assessment products.

• EventTracker does not have integration capability with IAM products.

Q1 Labs Q1 Labs' QRadar appliance line provides a combination of SIEM, log management and NBA. The company is growing rapidly through direct sales to large customers, through the use of channel partners, and by licensing the technology to network and security vendors. While Q1 Labs competes in the overall SIEM market, the company also positions QRadar specifically as a competitive alternative to Cisco MARS, and licenses the technology to some Cisco competitors (such as Juniper Networks and Enterasys). The QRadar technology provides an integrated view of the threat environment using NetFlow and direct network traffic monitoring, in combination with host activity monitoring and reporting from log data. QRadar Simple Log and Information Management (SLIM) is a log management appliance that can be upgraded to full SIEM capabilities. The vendor has actively pursued deployments that require user-oriented monitoring and deployments that are compliance-focused.



Strengths

• Q1 Labs' QRadar provides a combination of SEM, SIM and NBA capabilities, which can be used by IT security and network operations.

• NBA capabilities can be applied to host breach discovery.

• The collection tier can be used to provide log management functions, and the log data is indexed and accessible for reporting.

Cautions

• Organizations that are evaluating QRadar for identity-auditing-focused deployments should also evaluate the SIEM offerings of incumbent IAM vendors.

Quest Software Quest Software provides an SIEM offering that is complementary to its line of Active Directory and Windows Server management products, and is typically implemented by customers that have deployed those products. The InTrust software solution for SIEM includes data analysis, reporting and log collection. The SIEM product favors Microsoft environments. Plug-ins and additional Quest Software products are often deployed to expand monitoring functionality specific to Microsoft platforms, including Active Directory, Exchange and file servers. InTrust is primarily oriented to host log data, but has some support for network devices and network-based security technology. Quest Software has a large installed base for InTrust, but narrow source support limits its applicability to a subset of SIEM technology buyers.

Strengths

• Organizations with a predominantly Microsoft-based IT environment will be able to extend the native audit capabilities of Microsoft products with InTrust and related plug-ins.

• Quest Software has extensive monitoring capabilities for Microsoft Active Directory, Exchange and file servers that can be applied to user activity reporting.

Cautions

• Organizations that need to enable a full-function security console for a security operations center should consider solutions that provide more function or flexibility in this area.

• InTrust is not well-suited where monitoring requirements include operating systems other than Windows and major Unix distributions, nor where monitoring firewall, IDS/IPS or a broad range of network devices is an important consideration.

RSA (EMC) RSA, the Security Division of EMC, sells the enVision appliance, which provides a combination of SEM, SIM and log management. enVision has one of the largest installed bases, and RSA uses its direct sales force and its channel partners to sell enVision. Although enVision has not been as capable in SEM as best-of-breed (and more-complex) point solutions, it has provided function in all three areas that was "good enough" for common use cases in an appliance form factor that is easy to deploy. In March 2009, RSA released enVision v.4, which has improved correlation capabilities for external threat management, privileged user monitoring and system monitoring.



New correlation rules fully use the enVision taxonomy (as opposed to referencing source-level events).

Strengths

• RSA enVision should be considered in cases where all data needs to be collected and available for analysis, and where a need exists for SEM and SIM capabilities in a single appliance.

• Because of its ease of deployment, the appliance should also be considered in environments where customers have limited personnel resources to manage servers and databases as part of their SIEM implementation.

Cautions

• Application-layer monitoring is limited when compared with solutions that are best of breed in this area.

SenSage The SenSage solution is optimized for analytics and compliance reporting against a large log event data store, and the company has successfully pursued large deployments that require this capability. The company has also successfully pursued use cases that require application layer and/or user-oriented monitoring. The 2008 release of SenSage v.4 enables the company to compete more broadly in the SIEM market, because it solved limitations in real-time collection and event management capabilities. Version 4 also delivered improvements to the user interface that ease deployment and administrative tasks, and has also improved the usability of report generation functions. SenSage has OEM arrangements with Cerner (healthcare applications) and HP (the HP CLW appliance).

Strengths

• SenSage is optimized for organizations that require high-volume event collection, monitoring, analytics and reporting for large amounts of log data over long periods for audit, compliance and internal investigation.

• SenSage has explicit support for SAP, Oracle (PeopleSoft and Siebel), Lawson, Cerner and other packaged application providers, and its technology supports precise analytics needed for use cases, such as fraud detection.

Cautions

• Organizations that require only basic log management functions should consider simpler and less-expensive offerings that focus on collection and basic reporting.

Symantec Symantec Security Information Manager (SSIM) is delivered as a software appliance and provides SIM, SEM and log management capabilities. SSIM is dynamically updated with threat and vulnerability data content from Symantec's DeepSight security research and managed security areas. Symantec also provides managed service offerings that use the soft appliance for on-site data collection and analysis. Symantec has integrations between its SIEM and Security Endpoint Protection (SEP) technologies, and will focus on selling its SIEM offering into its SEP customer base.



Strengths

• The SSIM appliance provides SIM, SEM and log management functions that are scalable and easy to deploy.

• The dynamic DeepSight content enables real-time identification of active external threats and known malicious sources.

Cautions

• Symantec needs to improve predefined reporting and analytics functions to accommodate the needs of stakeholders outside the IT security technical areas.

Tenable Network Security Tenable Network Security's SIEM solution is tightly integrated with the company's active and passive vulnerability scanner products, and its SIEM customers tend to also use the vulnerability scanning and configuration assessment technology. Tenable's SIEM software solution includes the Security Center console environment and the Log Correlation Engine (LCE). The LCE can be distributed in a network to collect logs from host and network devices, and also correlate events with data from Tenable's vulnerability scanning and security configuration assessment products. Security Center integrates Tenable's Log Correlation Engine and vulnerability scanning products to provide unified asset discovery, vulnerability detection, event management log collection and reporting.

Strengths

• The integration with Tenable's Nessus Vulnerability Scanner and Passive Vulnerability Scanner products can be beneficial to buyers seeking to address scanning and log collection, and reporting requirements, though a single user interface.

• Security Center's basic NetFlow collection and anomaly detection can be used for host breach discovery.

• A scripting capability offers customization options to users with sufficient technical expertise.

Cautions

• Other SIEM solutions provide a better fit for deployments that are focused on regulatory compliance reporting requirements related to host identity and access activity.

• Tenable needs to continue its efforts to expand its sales capabilities.

TriGeo TriGeo has designed its appliance-based SIEM solutions for midsize organizations that need out-of-the-box external threat monitoring and compliance reporting. In addition to the Security Information Manager for information and event management, TriGeo offers distributed appliances for log collection and for network event collection, an appliance for business intelligence reporting, and an appliance for log searching/reporting, which includes embedded technology from Splunk.



Strengths

• TriGeo's appliance-based approach provides easy-to-deploy SIEM, with extensive predefined correlation and compliance reporting templates.

• Add-on appliances for log collection, network device alert collection, searching and reporting enable customers to add incremental capabilities.

Cautions

• Other SIEM solutions are a better fit for large-scale data collection and aggregation efforts, or where deployment requirements include extensive customization and integration with other IT management technology.

• TriGeo targets the small-to-midsize enterprise market, and must develop more sales channels to sustain growth, in the face of larger competitors that are beginning sell into the segment.

RECOMMENDED READING

"Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors Within a Market"

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs



evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups and service-level agreements.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the Web site, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.



REGIONAL HEADQUARTERS

Corporate Headquarters 56 Top Gallant Road Stamford, CT 06902-7700 U.S.A. +1 203 964 0096

European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM +44 1784 431611

Asia/Pacific Headquarters Gartner Australasia Pty. Ltd. Level 9, 141 Walker Street North Sydney New South Wales 2060 AUSTRALIA +61 2 9459 4600

Japan Headquarters Gartner Japan Ltd. Aobadai Hills, 6F 7-7, Aobadai, 4-chome Meguro-ku, Tokyo 153-0042 JAPAN +81 3 3481 3670

Latin America Headquarters Gartner do Brazil Av. das Nações Unidas, 12551 9° andar—World Trade Center 04578-903—São Paulo SP BRAZIL +55 11 3443 1509

Advertisement

Internet security problems have an upside for Silicon Valley By Scott Duke HarrisMercury News Posted: 05/08/2009 12:00:00 PM PDT Updated: 05/11/2009 03:11:26 AM PDT"Malware" and "botnets" are as sinister as they sound, computer security experts say. As Internet evildoers grow more sophisticated, average Joes are falling victim to identity theft, major corporations are battling external and internal threats and cyberwarfare is driving a new kind of arms race. But bad behavior has an upside for Silicon Valley. While the global recession has many tech companies reeling, computer security specialists McAfee and ArcSight are prospering, and new startups are emerging. Why is security resilient when other sectors are sagging? "You don't want to be the IT (information technology) guy when there's a big outbreak because of something you cut," explained Chuck Kolodgy, an analyst with the research firm IDC. Security, in other words, remains a must-have in IT budgets. ArcSight — a Cupertino company that was bankrolled in part by In-Q-Tel, the CIA's venture capital fund — provides a kind of IT alarm system for many U.S. and foreign government agencies, as well as major corporations. It was the last Silicon Valley company to do an initial public offering, debuting on Nasdaq in February 2008 at

$8.15 a share.

In recent days ArcSight has traded above $15 a share — roughly doubling in price while Wall Street swooned. Over the past 52 weeks, its stock has climbed 105 percent while the benchmark Standard & Poor's 500 shed more than one-third of its value.

McAfee, based in Santa Clara, recently reported record quarterly revenue of $448 million, an increase of 21 percent compared with the same period last year. The first-quarter net income was $53.5 million, beating analysts' average predictions as customers renewed and upgraded security. Over the past 12 months, McAfee stock is up 14 percent.

McAfee rival Symantec, based in Cupertino, took a beating on Wall Street after a disappointing quarterly earnings. Yet it has still performed better than the wider market over the past year, losing about one- quarter of its value while the broader market lost one-third.

Over the long term, Symantec hopes to benefit by its recent acquisition of Mi5 Networks, a 4-year-old valley startup that specializes in Web gateway security and derived its name from the British intelligence service. Mi5 plugged a gap in Symantec's product portfolio.

Mi5 co-founder and former CEO Doug Camplejohn liken the technology to "the moat and drawbridge of a castle." Terms were not disclosed, but "everyone was happy with the deal, employees and investors alike," Camplejohn said.

The Web has surpassed e-mail as the primary pathway for malware. Simply clicking on an advertisement or downloading a seemingly helpful

Page 1 of 3Internet security problems have an upside for Silicon Valley - San Jose Mercury News

5/14/2009http://www.mercurynews.com/ci_12319870?IADID=Search-www.mercurynews.com-ww...

Advertisement

program can unleash programs that, for example, record and analyze keystrokes in hopes of detecting credit card account numbers. They can also stealthily enlist a computer into so-called botnets — computers that have been clandestinely networked to perform tasks without the knowledge of their owners and operators. Over the past year, Symantec also acquired MessageLabs, for $695 million, while McAfee paid $497 million to purchase Secure Computing. Smaller security players, such as privately held Barracuda Networks, which focuses on small and medium-size businesses, have also made recent acquisitions. Security startups are also attracting venture funding. HyTrust, founded in 2007 to complement the VMware-led trend toward "virtualized" computer environments, recently announced first- round funding of $5.5 million led by Trident Capital. Stanford Hospital and Clinics is among HyTrust's pilot customers. The business activity comes amid the escalating peril of an increasingly interconnected world. Canadian security analysts, for example, recently traced a global plague of spyware to computers in China, some of which included the ability to remotely turn on and off cameras on laptops and desktops. Another recent report described how cyberspies had penetrated the Pentagon's $300 billion Joint Strike Fighter project, gaining access to secret electronics designs. Earlier, they hacked the Air Force air traffic control system. Chinese authorities denied any involvement and suggested accusations were rooted in an outdated Cold War mentality. Cyberwarfare is murky by nature. Governments typically deny any role in covert operations. The nature of computer networking makes it easy for

governments, rogue political elements, terror groups or cybergangs to cloak their deeds, said ArcSight CEO Tom Reilly.

An uncloaked exception came during Russia's invasion of Georgia last year. While Russian tanks rolled, their hacking comrades shut down Georgia's power grid and disrupted Internet and telephone services, as well as fuel supplies.

The episode vividly illustrated the vulnerability of computer systems. Reilly likened botnets to " sleeper agents" that can be activated at a moment's notice.

Reilly said he has been surprised that Pentagon sources have discussed recent security breaches — and suggested it may be because they are eager to protect their IT security budgets amid a rising threat. ArcSight's role with some agencies is classified, but its nonclassified clients include the Department of Homeland Security, the IRS, the FAA and Defense Information Systems Agency.

ArcSight products are akin to the alarm systems that monitor external and internal firewalls, e-mail and Web gateway filters that protect an enterprise network. IDC's Kolodgy likens ArcSight's products to "the brain," while firewalls from CheckPoint and others are like the " brawny cop" of IT security.

Government agencies are not the only drivers of ArcSight's growth, Reilly said. Another driver is the financial services industry, which has adopted tighter security against credit card fraud. An emerging opportunity is the health care industry trend toward electronic record keeping.

The escalating pace of cyberwarfare was the dominant theme at a recent security industry conference in San Francisco sponsored by RSA, a



Advertisement

security company owned by EMC. RSA is one of ArcSight's many rivals. Addressing the RSA Conference, McAfee CEO Dave DeWalt said "the traditional approach to enterprise security simply doesn't work — it leaves security holes, it's unmanageable and is too costly." Instead of a "patchwork of incompatible products from multiple vendors," DeWalt said, "we need to move to an approach where all security products exchange intelligence and provide real-time, all-the-time visibility." McAfee's aim, DeWalt said, is to deliver "predictive security" that could provide better forecasts and preparations for risk. Symantec CEO Enrique Salem, in his speech at the conference, emphasized the dramatic growth in attacks. In 2008, he said, Symantec blocked "an average of more than 245 million attempted malicious code attacks across the globe every month." Ninety percent of threats detected by Symantec, he said, were attempted thefts of confidential information, primarily for financial gain. Scott Duke Harris can be reached at [email protected] or 408-920-2704.



Print Back to story

CUPERTINO, Calif.--(BUSINESS WIRE)--ArcSight, Inc. (NASDAQ:ARST - News), a leading global provider of compliance and security management solutions that protect enterprises and government agencies, today announced financial results for its fiscal fourth quarter and fiscal year ended April 30, 2009.

For the fourth quarter of fiscal 2009, ArcSight reported total revenues of $39.3 million compared to total revenues of $29.4 million reported in the fourth quarter of fiscal 2008. Net income on a GAAP basis for the fourth quarter of fiscal 2009 was $4.3 million, or $0.13 per diluted share, including $211,000 in amortization of intangible assets and $1.6 million in stock-based compensation expense. This compares to a GAAP net loss of $1.1 million, or $0.04 per diluted share, reported in the fourth quarter of fiscal 2008, including $143,000 in amortization of intangible assets and $1.5 million in stock-based compensation expense.

Non-GAAP net income for the fourth quarter of fiscal 2009 was $6.1 million, or $0.18 per diluted share, excluding the above-mentioned amortization and stock-based compensation charges. This compares to a non-GAAP net income of $0.6 million, or $0.02 per diluted share, reported in the fourth quarter of fiscal 2008, excluding the above-mentioned charges.

During the fourth quarter of fiscal 2009, the company generated $4.5 million in cash from operations and closed the fourth quarter with cash and cash equivalents of $90.5 million.

For the fiscal year ended April 30, 2009, ArcSight reported total revenues of $136.2 million compared to $101.5 million reported for fiscal 2008. GAAP net income for fiscal year 2009 was $9.9 million, or $0.30 per diluted share, including $842,000 in amortization of intangible assets and $6.2 million in stock-based compensation expense. This compares to a net loss of $2.0 million, or $0.08 per diluted share, reported for fiscal 2008, including $573,000 in amortization of intangible assets and $4.9 million in stock-based compensation expense.

Non-GAAP net income for the fiscal year ended April 30, 2009 was $16.9 million, or $0.50 per diluted share, excluding the above-mentioned charges. This compares to a non-GAAP net income of $3.5 million, or $0.12 per diluted share, reported for fiscal 2008, excluding the above-mentioned charges.

“We believe that our strong results for the fourth quarter as well as the entire fiscal year reflect the increasing risk that corporations and government agencies face globally with rising cyber-warfare, cyber-theft, and cyber-fraud, particularly where the increasing sophistication of attacks are leading to tighter regulatory controls and compliance mandates, as well as the strength of our products and the dedication of our employees,” commented Tom Reilly, president and CEO of ArcSight. “We plan to leverage these drivers in fiscal 2010 by focusing on our customer’s success, extending our value proposition with a richer, more robust platform and expanding our market opportunity by utilizing a more mature channel and broader array of products.”

Business Outlook

The following forward-looking statements reflect expectations as of June 11, 2009. Results may be materially different and could be affected by the factors detailed in this release and in recent ArcSight SEC filings.

First Quarter Expectations – Ending July 31, 2009

Based on current business trends, anticipated seasonally lower first quarter and the visibility the company has from fourth quarter performance, ArcSight expects revenue for the first quarter of fiscal 2010 to be in the range of $31 million to $34 million, representing growth in the range of 12-23% over the same quarter of fiscal 2009.

ArcSight expects non-GAAP net income for the first quarter of fiscal 2010 to be in the range of $1.0 million to $2.9 million, or $0.03 to $0.08 per diluted share, which excludes stock-based compensation expense and amortization of intangibles.

ArcSight Reports 34% Year-over-Year Growth for Fiscal Fourth Quarter and Fiscal Year Ended April 30, 2009

Total Revenue: $39.3M, a 34% increase year-over-year

GAAP Net Income: $4.3M or $0.13 per diluted share

Non-GAAP Net Income: $6.1M or $0.18 per diluted share

Positive Cash Flows from Operations: $4.5M

Total Revenue: $136.2M, a 34% increase year-over-year

GAAP Net Income: $9.9M or $0.30 per diluted share

Non-GAAP Net Income: $16.9M or $0.50 per diluted share

Positive Cash Flows from Operations: $16.8M

On Thursday June 11, 2009, 4:02 pm EDT

Press Release Source: ArcSight, Inc.

Company Posts Total Revenues of $39.3M for Fiscal Fourth Quarter and GAAP and Non-GAAP Earnings per Diluted Share of $0.13 and $0.18, Respectively

For the Fiscal Fourth Quarter:

For the 2009 Fiscal Year:

Page 1 of 5ArcSight Reports 34% Year-over-Year Growth for Fiscal Fourth Quarter and Fiscal Year ...

6/17/2009http://finance.yahoo.com/news/ArcSight-Reports-34-bw-15504462.html/print

Conference Call and Webcast Information

ArcSight will host a conference call and live webcast to discuss these financial results for investors and analysts at 2:00 p.m. Pacific Time on June 11, 2009. To access the conference call, dial 877-723-9509 for the U.S. or Canada and 719-325-4757 for international callers. The webcast will be available live on the Investor Relations section of the company’s website at www.arcsight.com. An audio replay of the call will also be available to investors by phone beginning at approximately 4:00 p.m. Pacific Time on June 11, 2009 until 11:59 p.m. Pacific Time on June 18, 2009, by dialing 888-203-1112 for the U.S. or Canada or 719-457-0820 for international callers, and entering passcode 1340292. In addition, an archived webcast will be available on the Investor Relations section of the company’s website at www.arcsight.com.

Use of Non-GAAP Financial Measures

ArcSight reports all financial information required in accordance with generally accepted accounting principles (GAAP). To supplement the ArcSight unaudited condensed consolidated financial statements presented in accordance with GAAP, ArcSight uses certain non-GAAP measures of financial performance. The presentation of these non-GAAP financial measures is not intended to be considered in isolation from, as a substitute for, or superior to, the financial information prepared and presented in accordance with GAAP, and may be different from non-GAAP financial measures used by other companies. In addition, these non-GAAP measures have limitations in that they do not reflect all of the amounts associated with the results of ArcSight operations as determined in accordance with GAAP. The non-GAAP financial measures used by ArcSight include historical non-GAAP net income (loss) and non-GAAP basic and diluted earnings (loss) per share. These non-GAAP financial measures exclude amortization of intangible assets and stock-based compensation from the ArcSight statement of operations.

For a description of these items, including the reasons why management adjusts for them, and reconciliations of these non-GAAP financial measures to the most directly comparable GAAP financial measures, please see the section of the accompanying tables titled "Use of Non-GAAP Financial Information" as well as the related tables that precede it. ArcSight may consider whether other significant non-recurring items that arise in the future should also be excluded in calculating the non-GAAP financial measures it uses.

ArcSight believes that these non-GAAP financial measures, when taken together with the corresponding GAAP financial measures, provide meaningful supplemental information regarding the performance of ArcSight by excluding certain items that may not be indicative of the company’s core business, operating results or future outlook. ArcSight management uses, and believes that investors benefit from referring to, these non-GAAP financial measures in assessing operating results of ArcSight, as well as when planning, forecasting and analyzing future periods. These non-GAAP financial measures also facilitate comparisons of the performance of ArcSight to prior periods.

Cautionary Statement Regarding Forward Looking Statements

This news release contains forward-looking statements, including without limitation those regarding ArcSight’s “Business Outlook” (“First Quarter Expectations – Ending July 31, 2009”); ArcSight’s belief that corporations and government agencies will face increasing risk globally with rising cyber-warfare, cyber-theft, and cyber-fraud, particularly where the increasing sophistication of attacks may lead to tighter regulatory controls and compliance mandates, its products will remain strong and its employees will remain dedicated; and ArcSight’s plan to focus on our customer’s success, extend its value proposition with a richer, more robust platform and expand its market opportunity by utilizing a more mature channel and broader array of products in fiscal 2010. These forward-looking statements are subject to material risks and uncertainties that may cause actual results to differ substantially from expectations. Investors should consider important risk factors, which include: the risk that demand for our compliance and security management solutions may not increase and may decrease; the risk that competitors may be perceived by customers to be better positioned to help handle compliance violations and security threats and protect their businesses from major risk; the risk that the growth of ArcSight may be lower than anticipated; and other risks detailed under the caption “Risk Factors” in the ArcSight Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission, or the SEC, on March 12, 2009 and the company’s other filings with the SEC. You can obtain copies of the company’s Quarterly Report on Form 10-Q and its other SEC filings on the SEC’s website at www.sec.gov.

The foregoing information represents the company’s outlook only as of the date of this press release, and ArcSight undertakes no obligation to update or revise any forward-looking statements, whether as a result of new information, new developments or otherwise.

About ArcSight

ArcSight (NASDAQ:ARST - News) is a leading global provider of compliance and security management solutions that protect enterprises and government agencies. ArcSight helps customers comply with corporate and regulatory policy, safeguard their assets and processes, and control risk. The ArcSight platform collects and correlates user activity and event data across the enterprise so that businesses can rapidly identify, prioritize, and respond to compliance violations, policy breaches, cybersecurity attacks, and insider threats. For more information, visit www.arcsight.com. (ARST-IR)


ARCSIGHT, INC.Condensed Consolidated Balance Sheets

(In thousands)

As of As ofApril 30, April 30,

2009 2008(Unaudited)

Assets Current assets:

Cash and cash equivalents $ 90,467 $ 71,946 Accounts receivable, net 34,184 26,658 Other prepaid expenses and current assets 3,861 5,565

Total current assets 128,512 104,169



Property and equipment, net 4,416 4,834 Goodwill 5,746 5,746 Acquired intangibles assets, net 1,319 2,161 Other long-term assets 1,168 1,669

Total assets $ 141,161 $ 118,579

Liabilities and stockholders’ equity Current liabilities:

Accounts payable $ 1,432 $ 3,115 Accrued compensation and benefits 11,671 11,864 Other accrued liabilities 4,700 5,967 Deferred revenues, current 36,160 36,512

Total current liabilities 53,963 57,458

Deferred revenues, non-current 8,888 4,754 Other long-term liabilities 1,637 1,598

Total liabilities 64,488 63,810

Stockholders’ equity: Additional paid-in capital 113,781 101,574

Deferred stock-based compensation - (53 )

Accumulated other comprehensive loss (314 ) (45 )

Accumulated deficit (36,794 ) (46,707 ) Total stockholders’ equity 76,673 54,769

Total liabilities and stockholders’ equity $ 141,161 $ 118,579

ARCSIGHT, INC.Consolidated Statement of Operations

(On a GAAP basis) (In thousands, except per share amounts)

(Unaudited)

For the Three Months Ended Fiscal Year EndedApril 30, April 30, April 30, April 30,

2009 2008 2009 2008

Revenues: Products $ 23,870 $ 18,192 $ 80,616 $ 63,765 Maintenance 10,419 7,980 38,521 27,607 Services 4,989 3,204 17,031 10,173

Total revenues 39,278 29,376 136,168 101,545 Cost of revenues:

Products 2,459 1,466 8,595 4,767 Maintenance(1) 1,930 1,608 6,861 5,691 Services(1) 2,858 1,906 9,875 5,800

Total cost of revenues 7,247 4,980 25,331 16,258 Gross profit 32,031 24,396 110,837 85,287 Operating expenses(1):

Research and development 6,598 5,592 22,537 19,762 Sales and marketing 14,758 16,086 56,279 53,453 General and administrative 6,123 3,495 20,278 13,422

Total operating expenses 27,479 25,173 99,094 86,637 Income (loss) from operations 4,552 (777 ) 11,743 (1,350 )

Interest income 82 435 991 857 Other income and expense, net (150 ) (101 ) (257 ) (385 ) Income (loss) before provision for income taxes 4,484 (443 ) 12,477 (878 ) Provision (benefit) for income taxes 149 617 2,564 1,131

Net income (loss) $ 4,335 $ (1,060 ) $ 9,913 $ (2,009 )

Net income (loss) per common share, basic $ 0.14 $ (0.04 ) $ 0.32 $ (0.08 ) Net income (loss) per common share, diluted $ 0.13 $ (0.04 ) $ 0.30 $ (0.08 )

Shares used in computing basic net income (loss) per common share 31,848 30,195 31,233 25,936 Shares used in computing diluted net income (loss) per common share 34,416 30,195 33,550 25,936

(1) Stock-based compensation expense as included in above Cost of maintenance revenues 60 44 216 106 Cost of services revenues 36 46 142 115 Research and development 347 416 1,342 1,356 Sales and marketing 482 773 2,451 2,685 General and administrative 628 232 1,994 664



Copyright © 2009 Yahoo! Inc. All rights reserved. Privacy Policy - Terms of Service - Copyright Policy - Send Feedback

Quotes and other information supplied by independent providers identified on the Yahoo! Finance partner page. Quotes are updated automatically, but will be turned off after 25 minutes of inactivity. Quote data delayed 15 minutes for Nasdaq, NYSE and Amex. Real-Time continuous streaming quotes are available through our premium service. You may turn streaming quotes on or off. All information provided "as is" for informational purposes only, not intended for trading purposes or advice. Yahoo! is not an investment adviser and does not provide, endorse or

review any information or data contained herein.

Copyright © 2008 Business Wire. All rights reserved. All the news releases provided by Business Wire are copyrighted. Any forms of copying other than an individual user's personal reference without express written permission is prohibited. Further distribution of these materials by posting, archiving in a public web site or database, or redistribution in a computer network is strictly forbidden.

Use of Non-GAAP Financial Information

In addition to the reasons stated above, which are generally applicable to each of the items ArcSight excludes from its non-GAAP financial measures, ArcSight believes it is appropriate to exclude certain items for the following reasons:

Amortization of Intangibles. When analyzing the operating performance of an acquired entity, ArcSight management focuses on the total return provided by the investment (i.e., operating profit generated from the acquired entity as compared to the purchase price paid) without taking into consideration any allocations made for accounting purposes. Because the purchase price for an acquisition necessarily reflects the accounting value assigned to intangible assets (including acquired in-process technology and goodwill), when analyzing the operating performance of an acquisition in subsequent periods, ArcSight management excludes the GAAP impact of the amortization of acquired intangible assets to its financial results. ArcSight believes that such an approach is useful in understanding the long-term return provided by an acquisition and that investors benefit from a supplemental non-GAAP financial measure that excludes the accounting amortization expense associated with acquired intangible assets.

In addition, in accordance with GAAP, ArcSight generally recognizes expenses for internally-developed intangible assets as they are incurred until technological feasibility is reached, notwithstanding the potential future benefit such assets may provide. Unlike internally developed intangible assets, however, and also in accordance with GAAP, ArcSight generally capitalizes the cost of acquired intangible assets and recognizes that cost as an expense over the useful lives of the assets acquired (other than goodwill, which is not amortized, and acquired in-process technology, which is expensed immediately, as required under GAAP). As a result of their GAAP treatment, there is an inherent lack of comparability between the financial performance of internally developed intangible assets and acquired intangible assets. Accordingly, ArcSight believes it is useful to provide, as a supplement to its GAAP operating results, a non-GAAP financial measure that excludes the amortization of acquired intangibles.

Stock-Based Compensation. When evaluating the performance of its consolidated results, ArcSight does not consider stock-based compensation charges. Likewise, the ArcSight management team excludes stock-based compensation expense from its operating plans. In contrast, the ArcSight management team is held accountable for cash-based compensation and such amounts are included in its operating plans. Further, when considering the impact of equity award grants, ArcSight places a greater emphasis on overall stockholder dilution rather than the accounting charges associated with such grants.

ArcSight believes it is useful to provide a non-GAAP financial measure that excludes stock-based compensation in order to better understand the long-term performance of its business.

Contact:

ARCSIGHT, INC.Consolidated Statement of Operations

(GAAP to Non-GAAP Reconciliation)(In thousands, except per share amounts)

(Unaudited)

For the Three Months Ended Fiscal Year EndedApril 30, April 30, April 30, April 30,

2009 2008 2009 2008

GAAP net income (loss) $ 4,335 $ (1,060 ) $ 9,913 $ (2,009 ) Plus:

a) Stock-based expenses 1,553 1,511 6,145 4,926 b) Amortization of intangibles 211 143 842 573

Non-GAAP net income $ 6,099 $ 594 $ 16,900 $ 3,490

GAAP net income (loss) per common share, basic $ 0.14 $ (0.04 ) $ 0.32 $ (0.08 ) Plus:

a) Stock-based expenses 0.04 0.05 0.19 0.19 b) Amortization of intangibles 0.01 0.01 0.03 0.02

Non-GAAP net income, basic $ 0.19 $ 0.02 $ 0.54 $ 0.13 Non-GAAP net income, diluted $ 0.18 $ 0.02 $ 0.50 $ 0.12

Shares used in computing basic net income (loss) per common share 31,848 30,195 31,233 25,936 Shares used in computing diluted net income (loss) per common share 34,416 32,535 33,550 28,576

Investor Relations Contact: Robert Dougherty FD 415-293-4427 [email protected]



At ArcSight we honor originAl mindS

And encourAge the mAverick in everyone.

© 2009 ArcSight. All rights reserved. 5 Results Way, Cupertino, CA 95014, USA 1-888-415-ARST [email protected]

ArcSight is proud to have the best employees. Everyday you help protect the world’s top enterprises and government agencies. Thank you to our employees for voting us as one of the best companies to work for in the Bay Area. For more information visit www.arcsight.com.

Voted #13 Best Place to Work in the Bay Area 2009

Copyright © 2002-2008 ArcSight | All rights reserved. Privacy Policy

ArcSight is a leading provider of security and compliance management solutions that intelligently identify and mitigate business risk for enterprises, MSSPs and government agencies. Designed with the needs of highly complex, geographically dispersed and heterogeneous business and technology infrastructures in mind, ArcSight provides the industry’s only vendor-neutral solution for intelligent identification, prioritization and network response to external security attacks, insider threats and compliance breaches.

Much like a "mission control center," ArcSight's award-winning ESM solution intelligently collects and distills millions of enterprise-wide events down to the most critical information necessary for organizations to make informed decisions to protect their businesses. It does this through an open platform which integrates hundreds of point/individual security and networking products to find risks that would otherwise go undetected, and inherently enhances the business value of point technology investments.

The resulting real time and historic view across heterogeneous infrastructures, augmented by ArcSight's complementary solutions for high performance log management – ArcSight Logger, network configuration management – ArcSight NCM and threat response management – ArcSight TRM, offers the industry’s only complete solution suite with a closed-loop process for addressing both security and compliance requirements.

Products:

ArcSight SIEM Platform

The ArcSight SIEM Platform is an integrated set of products for collecting, analyzing, and managing enterprise event information. These products can be purchased and deployed separately or together, depending on organization size and needs. They include software and appliances for:

Event Collection Log Management Event Management Compliance Automation Identity Monitoring

Forensics On The Fly The ArcSight SIEM Platform is unique in its ability to provide “forensics on the fly” across a broad range of customer needs. Some organizations might only need historical reporting, others simple alerting or time and frequency threshold notification. Still others require complex multi-variable correlation and pattern matching. Across this spectrum, ArcSight provides different products that each deliver summarized alerts and reports plus drill-down into the source events behind each alert or report.


Customers can deploy the appliance or software product that best fits their needs, while still retaining the ability to drill down and perform live forensics.

Integrated Set of Products The ArcSight SIEM Platform is used across a wide variety of industries to manage and monitor security, business risk, and compliance. The Platform includes products for event collection, real time event management, log management, automatic response, and compliance reporting.

Event Collection

ArcSight connectors insulate your security and compliance analysis from your technology choices. By collecting logs in native device formats, then normalizing this data into a common format, ArcSight Connectors produce a single structure for searching, correlating, and reporting on event information. As a result, your analysis platform is future-proofed against new network technologies. Swap out one vendor’s firewall for another, and all of your correlation and compliance reports will continue to work as defined. Connectors are available as installable software, data center appliances, or small branch-office/store appliances.


ArcSight Connectors decouple an organization’s ability to analyze risk from its network device decisions. <more info>

Log Management

The ArcSight log management product, ArcSight Logger, isa self contained appliance for storing, managing, and reporting against enterprise log data. A single appliance can effectively store up to 35 TB of log information, without the need for tuning or optimization. ArcSight Logger offers search and reporting, as well as alerting via email, SNMP, or a web console.

Unlike other log management products, ArcSight Logger provides drill-down from alerts and reports to the source events behind the alert or report. As a result, even customers who require only simple alerting and reporting benefit from “forensics on the fly.”

ArcSight Logger can be deployed on its own, or in conjunction with ArcSight ESM and ArcSight Connectors.

The ArcSight PCI Logger includes all of the log management functionality described above, plus pre-built reports, rules, and alerts mapped directly to the PCI DSS requirements. This appliance can be deployed in a single-box configuration or with separate ArcSight Connectors, depending on customer needs.

ArcSight Logger provides a cost and time-efficient way to store and manage enterprise logs for security and compliance purposes. <more info>


Event Management

The market-leading ArcSight real-time correlation product, ArcSight ESM, provides advanced analysis of log event data to discover potential threats before they spread.

Advanced Correlation ESM uses a variety of sophisticated techniques to sift through millions of events to find the incidents that can have real business impact. Effective correlation is very important; poor correlation results in either missed threats or too many false positives and therefore, wasted time and money. ArcSight ESM provides “forensics on the fly” via real time correlation across multiple systems and millions of events, with drill down from a complex alert to the events that caused it.

Automatic Response When ArcSight ESM finds a potential problem via event correlation, the optional guided response engine, ArcSight Threat Response Manager (TRM) can provide administrators with workflow-driven advice for containing the problem. For example, if ArcSight ESM detects an employee potentially accessing records in an unauthorized way, ArcSight TRM can determine which Active Directory account to disable, which VPN session to disconnect, etc. and then guide an administrator through the proper steps.

ESM is available as configurable software or as an appliance (ArcSight ESM E7100), and can be deployed on its own or with ArcSight Logger and ArcSight Connectors. By using ESM and ArcSight Logger together, customers can find anomalies in real time, then compare those to historical data for more context.

ArcSight ESM makes organizations more effective and secure by filtering out the “noise” and focusing on the most important incidents.

Automatic Discovery ArcSight employs two unique products to aid in the discovery of subtle and complex behavior – ArcSight Pattern Discovery and ArcSight Interactive Discovery. The Discovery products mine event log data and apply sophisticated mathematical algorithms to uncover malicious and discreet behavior across the various devices in your organization. Administrators can use visual


analysis to investigate this behavior further, and when necessary turn the patterns found into rules that can be used to find future occurrences of this subtle but suspicious behavior.

Compliance Automation

ArcSight Compliance Insight Packages are an ideal way to jump start a compliance project or automate the monitoring of existing manual compliance controls.

Installable on top of the ArcSight SIEM Platform, these Modules provide pre-packaged rules, reports, dashboard, and alerts mapped to specific regulations. Through automation and best practices, ArcSight Compliance Insight Packages can dramatically cut the cost and effort ofcompliance. <more info>

Identity Monitoring

ArcSight IdentityView is a specialized solution module designed to help organizations understand who is on the network, what data they are seeing, and which actions they are taking with that data. IdentityView leverages the user and role information stored in corporate directories and managed by Identity and Access Management systems. It correlates user activity with role and rights information to demonstrate that controls are working effectively. It also performs activity profiling to assist in identifying problem scenarios early. IdentityView enhances an organization’s investment in identity management and increases security, visibility, and compliance.

Broad product support. ArcSight supports a comprehensive range of data sources from more vendors and in more categories than any other Security Information and Event Management system. Over 180 products, from over 85 vendors, representing 36 data categories are connected to the ArcSight system by over 200 ArcSight SmartConnectors. SmartConnectors are updated frequently to accommodate new versions of supported products.


Customers ArcSight's customer base includes leading global companies across all verticals—and more than 20 U.S. federal agencies. Our customer list includes: DISA (Defense Information Systems Agency), Lehman Brothers, U.S. Securities & Exchange Commission, Verizon, Bank Leumi, Energis, Sumitomo, Unisys, Bank of Tokyo-Mitsubishi, Cable & Wireless, Dept. of Health and Human Services, Priority Health, the U.S. Federal Reserve, Xerox, McAfee, HealthSouth, Union Bank of California, Harris, Capital Blue Cross and the U.S. Dept. of the Treasury.

Partners Over eighty-five security companies work with ArcSight to ensure we support their 180+ security products with our ESM solution. In addition, we leverage strategic MSSP and reseller partners to complement our security and compliance solution, as well as to extend our geographic market coverage. Some of these partners include CERT, HP, IBM, Juniper, Lenovo, McAfee, Mitre, Oracle, Sumitomo and Unisys.

Employment

We are currently searching for dynamic and intelligent professionals, for a complete listing of our current openings, please click on the link below to view our jobs by department.

We are always looking for the best of the best.

www.arcsight.com/about_careers

If you don't see a specific opening, please send your resume to [email protected].

Our recruiting team reviews ALL resumes that come to us.


ArcSight Management Team


Tom Reilly President and CEO

Thomas Reilly has served as our Chief Executive Officer since September 2008 and as our President since August 2007. Mr. Reilly served as our Chief Operating Officer from November 2006 to September 2007. From April 2004 to November 2006, Mr. Reilly served as Vice President of Business Information Services of IBM. From November 2000 until its acquisition in April 2004 by IBM, Mr. Reilly served as Chief Executive Officer of Trigo Technologies, Inc., a product information management software company. He holds a B.S. in mechanical engineering from the University of California, Berkeley.

Hugh Njemanze, CISSP Chief Technology Officer and Executive Vice President of Research and Development

Hugh S. Njemanze co-founded ArcSight in May 2000 and has served as our Executive Vice President of Research Development and Chief Technology Officer since March 2002. From 1993 to 2000, Mr. Njemanze served in various positions at Verity, Inc., a provider of knowledge retrieval software products, most recently as its Chief Technology Officer. He holds a B.S. in computer science from Purdue University.


Kevin Mosher Senior Vice President, Worldwide Field Operations

Kevin P. Mosher has served as our Senior Vice President of Worldwide Field Operations since March 2004. From May 2002 to March 2003, Mr. Mosher served as the President and Chief Operating Officer of Rapt Inc., a provider of pricing and profitability management solutions. From 1997 to 2001, Mr. Mosher served as Senior Vice President of Sales at Portal Software, Inc., a provider of billing and customer management solutions. He also serves as a director of a private company. Mr. Mosher holds a B.A. in economics from the University of Connecticut.


Stewart Grierson Chief Financial Officer

Stewart Grierson has served as our Chief Financial Officer since October 2004 and also served as our Vice President of Finance from March 2003 to April 2007. In addition, from January 2003 to January 2006, he served as our Secretary. From 1999 to July 2002, Mr. Grierson served in several positions for ONI Systems Corp., a provider of optical communications equipment, including most recently as Vice President and Corporate Controller. From 1992 to 1999, he served in various roles in the audit practice at KPMG LLP. He holds a B.A. in economics from McGill University and is a chartered accountant.


Reed Henry Senior Vice President of Marketing

Mr. Henry has served as our Senior Vice President of Marketing since May 2007. Before joining ArcSight, Mr. Henry spent five years at SeeBeyond, a public company acquired by Sun Microsystems, where he served as Senior Vice President of Marketing, Alliances and Business Development. Mr. Henry holds a MBA from the Stanford University Graduate School of Business, a M.S. in electrical engineering from the California Institute of Technology, and a B.S. in electrical engineering from the University of Washington.


Jeff Scheel Senior Vice President, Business Development Jeffrey Scheel has served as our Senior Vice President of Business Development since June 2008. From November 2007 to May 2008, Mr. Scheel served as Vice President of Sales and Corporate Development at Damballa, Inc., a provider of protection against botnets. From June 2007 to October 2007, Mr. Scheel served as a consultant to various technology companies. From October 2006 to May 2007, he served as Executive Vice President of GuardID, Inc., an anti-phishing products company. From December 2005 until July 2006 following its acquisition by RSA in 2006, Mr. Scheel served as Corporate Development Officer at PassMark Security, Inc., an authentication software company. From November 2004 until December 2005 following its acquisition by PassMark, he served as CEO of Vocent, Inc., an authentication software company. From 1996 to 1999 and from 2001 to November 2004, Mr. Scheel served in several positions at Siebel Systems, Inc., a provider of eBusiness applications, including most recently as Vice President and General Manager of CRM Products. He holds a B.A. in history from Stanford University and an M.B.A. from Harvard Business School.


Chief Information Officer

Anya Yudin-Baehrle has served as our CIO since May 2008. From August 2005 to August 2007, Ms. Yudin-Baehrle served as Sr. Director and CIO Chief of Staff of Electronic Arts, an interactive entertainment company supporting in-home video game consoles, personal computers, mobile platforms and publisher of online video games. From 1995 to 2005, Ms. Yudin-Baehrle served as IT Strategy, Planning and Architecture Manager at Agilent, a diversified technology company serving communiations, electronics and life science markets. Ms. Yudin-Baehrle has a B.A. in Linguistics from Moscow State University.


Ray Patterson, Jr., CPA, Vice President, Professional Services

Raymond Patterson has served as ArcSight's Vice President for Professional Services since January 2006. From September 2003 until January 2006, Mr. Patterson served as Director Program Management. Prior to ArcSight, Mr. Patterson was Consulting Services Director for Oracle Corporation. Mr. Patterson holds a B.A. in economics from Virginia Tech, a B.S. in Accounting from George Mason University and an M.B.A. from George Washington University. Mr. Patterson is also a Lieutenant Colonel in the U.S Army reserve component.


Trâm Phi Vice President, General Counsel and Secretary

Trâm T. Phi has served as our Vice President, General Counsel and Secretary since January 2006. From September 2002 to May 2005, Ms. Phi served in various positions at InVision Technologies, Inc., a manufacturer of explosives detection systems, most recently as Senior Vice President and General Counsel, including following the acquisition of InVision by General Electric Company in December 2004. From 1995 to September 2002, she was an associate at Fenwick & West LLP, a high technology law firm. Ms. Phi holds a B.A. in political science from San Jose State University and a J.D. from the University of California, Berkeley, School of Law (Boalt Hall).


Laura Tom Vice President, Customer Support

Laura Tom has been our Vice President of Support since August 2007. Prior to then, commencing in March 2002, Ms. Tom was Director of Sales Engineering. Prior to joining ArcSight, from April 2001 to March 2002, Ms. Tom was Director of Product Marketing and Pre-Sales at Rapt, Inc. Ms. Tom held various sales management positions at Portal Software from 1998 to January 2002. Ms. Tom has a B.S. in Business Administration from the University of California at Berkeley.


Haiyan Song Vice President, Engineering

Haiyan Song has served as our Vice President of Engineering since September 2005. From 2004 to September 2005, Haiyan served as vice president of engineering at SenSage, a provider of log management and compliance auditing applications. From 2003 to 2004, Ms. Song has served as vice president of engineering and support at Omniva Policy Systems, a provider of secure messaging solutions, acquired by Liquid Machines. Ms. Song led engineering organizations at various enterprise software and service providers including Ketera Technology, Escalate and Informix. As Executive Director at Informix for the system management product division, she led the development of trusted RDBMS server products. Ms. Song studied at Tsinghua University in Beijing and holds a B.S. in Computer Science and M.S. in Computer Engineering from Florida Atlantic University.


Gail Boddy Vice President, Human Resources

Gail Boddy has led ArcSight’s Human Resource function since September 2003. Prior to joining ArcSight, Ms. Boddy served as a Senior Manager of Human Resources at Ingrian Networks, a provider of security solutions. Ms. Boddy has held various management positions at Brokat Technology, Blaze Software, Aspec Technology and Akashic Memories. Ms. Boddy has a B.A. in English from Chico State University.


Tom Reilly President and CEO Thomas Reilly has served as our Chief Executive Officer since September 2008 and as our President since August 2007. Mr. Reilly served as our Chief Operating Officer from November 2006 to September 2007. From April 2004 to November 2006, Mr. Reilly served as Vice President of Business Information Services of IBM. From November 2000 until its acquisition in April 2004 by IBM, Mr. Reilly served as Chief Executive Officer of Trigo Technologies, Inc., a product information management software company. He holds a B.S. in mechanical engineering from the University of California, Berkeley.

Sandra Bergeron Member of the Board of Directors

Sandra Bergeron has served as a director since May 2006. Since June 2005, Ms. Bergeron has served as a Venture Advisor to Trident Capital, a venture capital firm. From 2001 to December 2004, Ms. Bergeron served in various positions at McAfee, Inc., a software security company, most recently as Executive Vice President of Mergers/Acquisitions and Corporate Strategy. Ms. Bergeron currently serves as a director of several private companies. She holds a B.B.A. in information systems from Georgia State University and an M.B.A. from Xavier University, Cincinnati.

William P. Crowell Member of the Board of Directors

William P. Crowell has served as a director since March 2003. Since February 2003, Mr. Crowell has worked as an independent consultant in the areas of information technology, security and intelligence systems and serves as Chairman of the Senior Advisory Group to the Director of National Intelligence. He served as President and Chief Executive Officer of Cylink Corporation, a provider of network security solutions, from 1998 until its acquisition by SafeNet, Inc. in February 2003. Prior to Cylink, Mr. Crowell worked at the National Security Agency, where he held a series of senior executive positions, including Deputy Director of Operations and Deputy Director of the NSA. He also serves as a director of several private companies. Mr. Crowell holds a B.A. in political science from Louisiana State University.


E. Stanton McKee, Jr. Member of the Board of Directors

E. Stanton McKee, Jr. has served as a director since February 2005. From 1989 until his retirement in November 2002, Mr. McKee served in various positions at Electronic Arts Inc., a developer and publisher of interactive entertainment, most recently as Executive Vice President and Chief Financial and Administrative Officer. He also serves as a director of LeapFrog Enterprises, Inc., a provider of technology-based educational products, and of a private company. Mr. McKee holds a B.A. in political science from Stanford University and an M.B.A. from Stanford University Graduate School of Business.

Craig Ramsey Member of the Board of Directors

Craig Ramsey has served as a director since October 2002. From July 2003 to September 2004, Mr. Ramsey served as Chief Executive Officer of Solidus Networks Inc. (doing business as Pay By Touch), a provider of authentication and payment processing services. From 1996 to 2000, Mr. Ramsey served as Senior Vice President, Worldwide Sales, of Siebel Systems, Inc., a provider of eBusiness applications. From 1994 to 1996, Mr. Ramsey served as Senior Vice President, Worldwide Sales, Marketing and Support for nCube Corporation, a maker of massively parallel computers. From 1968 to 1994, Mr. Ramsey held various positions with Oracle Corporation, Amdahl Corporation and IBM. He also serves as a director of salesforce.com, inc., a provider of customer relationship management services, and of several private companies. Mr. Ramsey holds a B.A. in economics from Denison University.

Scott A. Ryles Member of the Board of Directors

Scott A. Ryles has served as a director since November 2003. Mr. Ryles has served as Vice Chairman of Cowen and Company, LLC, an investment banking firm, since February 2007. From December 2004 to September 2006, he served as Chief Executive Officer of Procinea Management LLC, a private equity firm. From 1999 to 2001, Mr. Ryles served as Chief Executive Officer of Epoch Partners, Inc., an investment bank, until its acquisition by The Goldman Sachs Group, Inc. Prior to then, Mr. Ryles served as a Managing Director of Merrill Lynch & Co., Inc. Mr. Ryles holds a B.A. in economics from Northwestern University.

Ted Schlein Member of the Board of Directors

Ted Schlein has served as a director since March 2002. Mr. Schlein has served as a partner at Kleiner Perkins Caufield & Byers, a venture capital firm, since 1996. From 1986 to 1996, Mr. Schlein served in various executive positions at Symantec Corporation, a provider of Internet security technology and business management technology solutions, most recently as Vice President of Enterprise Products. He currently serves as a director of several private companies. Mr. Schlein holds a B.A. in economics from the University of Pennsylvania.


Ernie von Simson Member of the Board of Directors

Ernest von Simson has served as a director since October 2002. Mr. von Simson has served as the President of Ostriker von Simson, Inc., an information technology consulting firm, since 1999. He also served as a senior partner of Cassius Advisors, an emerging technology consulting firm, from 1999 to January 2006. Prior to then, Mr. von Simson served as a Senior Partner at The Research Board, a company that assists large companies with their information technology strategies. He currently serves as a director of two private companies. Mr. von Simson holds a B.A. in international relations from Brown University and an M.B.A. from New York University.

arc sight info documents 10 21 2009

Economy & Finance

leading global provider

handle compliance violations

caught investor attention

seeded large projects

0x ev fy11 revenue

constantly evolving regulatory

compliance management solutions

fastest growing technology