Network World

ArcSight centralizes problem mgmt.

Security information management software allows for automated responses to attacks.
By Ellen Messmer , Network World , 10/14/2002
SUNNYVALE, CALIF. - ArcSight, a security information management software start-up, this week said its upgraded product will conduct event correlation and allow for some limited automated response to a network-based intrusion or attack.

ArcSight 2.0, expected to ship at the end of the month, will collect data from 50 types of equipment, including intrusion-detection systems (IDS) from Cisco, Enterasys Networks, Internet Security Systems (ISS), Tripwire and Intrusion, and correlate it with information from firewalls such as those from Check Point Software, NetScreen Technologies and Nokia. The idea, common to all SIM products, is that centralizing event and alert data from multivendor products gives managers a better view of an ongoing threat.

"IDS by itself doesn't realize the target is vulnerable or not to an incoming attack," says Hugh Njemanze, CTO and co-founder of ArcSight.

ArcSight 2.0 includes SmartAgent software that collects log and alert output from routers and security equipment. The collected information is sent to a server called ArcSight Manager, which analyzes it to provide a security overview at the ArcSight workstation. The data is stored in a relational database.

ArcSight competes against a handful of other SIM start-ups, including netForensics and e-Security, while established security players such as Check Point, ISS and Symantec have taken steps to build competing SIM systems.

The first version of ArcSight could only collect data from a number of IDS, firewalls and routers; it could not correlate that data to provide an analyzed overview of a network threat.

ArcSight is introducing automation so that a customer can define a policy that triggers certain actions automatically, such as launching a Tripwire host-based integrity check to see whether files, the operating system or a router configuration have been changed.

However, Njemanze says many customers are probably still gun-shy about automating security response because of falling prey to false alerts.

One ArcSight customer, Union Bank of California, uses ArcSight 1.0 to consolidate security-related information from several host- and network-based IDS, firewalls and Web server logs. Union Bank's vice president of security, Bob Justus, says the bank is testing ArcSight 2.0 to correlate events, such as whether there is a visible relationship between a router noticing a port scan from a source IP address and a malformed packet from the same address being sent to a Web server in an attempt to disable it.
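The kind of correlation Justus describes, combined with Njemanze's point that a standalone IDS does not know whether the target is vulnerable, can be sketched in a few dozen lines. The following is an added illustration, not ArcSight code: the three log formats, the asset inventory and the five-minute rule are all constructed here for the example. It normalizes router, firewall and IDS lines into one schema, flags a source address that port-scans a host and then sends a malformed request to that host within the window, raises severity only when the asset table says the targeted service is unpatched, and maps the result to a deliberately conservative response policy (a non-disruptive integrity check rather than a block), reflecting the caution about false alerts mentioned above.

```python
"""Added example of multi-source event correlation with target-vulnerability
context. Not ArcSight code; log formats, asset table and rule are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from three hypothetical sources (formats made up).
SAMPLE_LOGS = [
    "2002-10-14T09:00:01 router   portscan       src=10.9.8.7 dst=192.0.2.10 ports=21,22,23,80,443",
    "2002-10-14T09:00:05 firewall DROP           src=10.9.8.7 dst=192.0.2.10 dport=23",
    "2002-10-14T09:00:40 ids      MALFORMED_HTTP src=10.9.8.7 dst=192.0.2.10 dport=80",
    "2002-10-14T09:10:00 ids      MALFORMED_HTTP src=203.0.113.5 dst=192.0.2.11 dport=80",
    "2002-10-14T09:20:00 router   portscan       src=198.51.100.9 dst=192.0.2.12 ports=80",
]

# Constructed asset inventory: exposed services per host and their patch state.
# This is the "is the target actually vulnerable?" context an IDS alone lacks.
ASSETS = {
    "192.0.2.10": {"role": "web", "services": {80: "unpatched"}},
    "192.0.2.11": {"role": "web", "services": {80: "patched"}},
    "192.0.2.12": {"role": "dns", "services": {53: "patched"}},
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<event>\S+)\s+(?P<rest>.*)$")


def normalize(line):
    """Map one raw line from any source into a common event dict (the collector role)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split())
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "source": m["source"],
        "event": m["event"],
        "src": fields.get("src"),
        "dst": fields.get("dst"),
        "dport": int(fields["dport"]) if "dport" in fields else None,
    }


def correlate(lines, window=timedelta(minutes=5)):
    """Return incidents where one source IP scanned a host and then sent a
    malformed request to a service on that host within `window`. Firewall drops
    from the same pair inside the window are counted as corroborating evidence."""
    events = [e for e in map(normalize, lines) if e]
    events.sort(key=lambda e: e["ts"])
    scans = defaultdict(list)   # (src, dst) -> timestamps of observed scans
    drops = defaultdict(list)   # (src, dst) -> timestamps of firewall drops
    incidents = []
    for e in events:
        key = (e["src"], e["dst"])
        if e["event"] == "portscan":
            scans[key].append(e["ts"])
        elif e["event"] == "DROP":
            drops[key].append(e["ts"])
        elif e["event"].startswith("MALFORMED"):
            recent_scans = [t for t in scans[key] if e["ts"] - t <= window]
            if not recent_scans:
                continue  # malformed traffic without a preceding scan: not this rule
            svc_state = ASSETS.get(e["dst"], {}).get("services", {}).get(e["dport"])
            incidents.append({
                "src": e["src"],
                "dst": e["dst"],
                "dport": e["dport"],
                "scanned_at": recent_scans[0],
                "corroborating_drops": len([t for t in drops[key] if e["ts"] - t <= window]),
                # Severity reflects target vulnerability, not just the IDS signature.
                "severity": "high" if svc_state == "unpatched" else "medium",
            })
    return incidents


def response_for(incident):
    """Conservative response policy: only a high-severity, corroborated incident
    triggers an automated (and non-disruptive) integrity check; everything else
    is left to a human, since a false alert here costs little."""
    if incident["severity"] == "high" and incident["corroborating_drops"] > 0:
        return "run_integrity_check"
    return "alert_only"


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        print(inc["src"], "->", inc["dst"], inc["severity"], response_for(inc))
```

Run against the constructed lines, only 10.9.8.7 is flagged: it scanned 192.0.2.10, was dropped by the firewall, and then hit port 80, which the inventory marks as unpatched. The second malformed request (no prior scan) and the final scan (no follow-up) produce nothing, which is the point of correlating rather than alerting on each source independently.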
