Whether or not most ArcSight SIEM customers underutilize their solutions is an excellent question, although the answer may be completely subjective.  As information security consultants, we know that the InfoSec infrastructure has to adhere to Corporate Security Program objectives, which are driven by business priorities and the critical infrastructure, which supports business.  Therefore, an answer to "Is the SIEM implementation leveraged to its full potential?" depends not as much on the incredible SIEM capabilities, but much on what were the original business drivers behind the deployment, or to put it simply, why was the solution procured?  Reviewing the original goals and motivations may provide a direct answer to whether or not your organization's SIEM solution is used to its full intended potential.

Of course, these objectives may not always be clear due to organizational changes or complexity of internal decisions (or, let's face it, politics).  So let us take a look at the most common scenarios which we have seen to drive customers to invest into enterprise-grade SIEM solutions, such as ArcSight in particular.

As IT infrastructure demands grow, so does the increasing need to monitor and control the IT environment. Information security professionals are dealing with increasingly high rates of security-significant events within the SIEM infrastructures, which presents advanced challenges to both engineers and architects.

There is a multitude of automated sources tweeting out there, aside from bots and spammers.  All those updates broadcasted in real-time by scripts and applications are a goldmine of intelligence information with a lot of potential for security practitioners.

Overview of recommendations for log reports.