ArcSight provides three different log management products, so part of this question is dependent upon which ArcSight product is being compared. Those three products are Express, Logger, and ESM. Logger is a log-management tool only, and does not include the full suite of functionality one would expect in a SIEM product. Express is a price-scaled version of ESM. Presumably the product of interest is ESM.
As such, one of the first challenges out-of-the-box with both ESM and Express is the UI. The UI is designed for experienced security analysts, whereas LEM is built with an easy-to-use interface suitable for the IT generalist.
The second challenge is the pricing itself. ArcSight products are priced based on Events per Second (EPS) activity. The problem here is determining an appropriate licensing target. Do you overlicense for the days when you get slammed by extra activity, or do you license based on normal activity? Furthermore, licensing based on EPS may or may not result in linear licensing costs as more nodes are added into the network, and adding a single node may actually result in an increase in EPS-based licensing costs.
Now, extend that into the MSSP environment. Here are some questions to further consider:
- What if the customer wants some form of console access to monitor their own network's events? (Even though it's a "managed service" does not necessarily mean the customer wants to remain oblivious to ongoing activity.)
- What resources would be required to train the customer to use the console?
- What are the implications of managing a collection of deployed appliances in the customers' environments and the licensing models appropriate for each customer? Is it easier to sell the service by event load (which may be volatile even in a small organization), or by the number of managed nodes (which will remain fairly static in almost any customer of a managed provider)?
- How complicated will it be to account for and bill for EPS to a customer's network, if that's the chosen licensing model? And even if you don't bill the customer by EPS, or service volume of some type, how difficult will it be to reconcile the licensing costs against the service fees, and determine whether a customer is profitable, or not?
I also look forward to the thoughts of any others who have hands-on experience with both and how they view the actual user experience.