Ensuring SIEM data sovereignty: the case for on-prem OpenText ArcSight SIEM


Steve Jones

August 30, 2024 · 5 minute read


Given the critical nature of cybersecurity for industry sectors such as defense, healthcare, finance, and government, ensuring SIEM data sovereignty has never been more crucial. These organizations must balance the advantages of cloud-based SIEMs with the need for strict internal security controls. The urgency intensifies when existing on-prem SIEM solutions approach end-of-life due to vendor acquisition, threatening the continuity of their customized, heavily invested cybersecurity infrastructure. 

Balancing risk vs. control

While SaaS solutions offer benefits like reduced management costs, increased update frequency, and OpEx flexibility, they also carry significant risks. SaaS-based SIEMs rely on shared cloud infrastructure and third-party security practices, increasing the risk of data interception and leakage, including supply chain attacks. Their reliance on internet connectivity also makes them vulnerable to DDoS attacks. Additionally, compliance and data residency requirements such as GDPR, CCPA, HIPAA, and FedRAMP are not met when data is stored outside local regulatory jurisdictions.

For organizations that prioritize deep control over security, data sovereignty, and compliance—especially for classified information, medical records, or PCI data—on-prem SIEM solutions offer a more secure and appealing option. 

But aren’t on-prem SIEMs a relic of the past? 

The data suggests otherwise. According to IDC’s December 2023 Security Analytics TAM report, the total addressable market for on-prem SIEM/Security Analytics in EMEA is expected to grow from $2.008 billion in 2022 to $2.111 billion by 2027. Moreover, Grand View Research highlights that the on-prem SIEM segment is projected to expand at a compound annual growth rate (CAGR) of 12.8% from 2023 to 2030. This growth is driven by on-prem SIEMs’ ability to offer complete control over data, especially historical data for forensic purposes, and critical administrative functions such as disaster recovery. 

Why choose ArcSight for your on-prem SIEM? 

For organizations that prioritize security, governance, and data sovereignty, ArcSight on-prem is a smart choice. Here are the key reasons why: 

  • Proven track record of maturity: In 2025, ArcSight will celebrate its 25th anniversary. Founded on May 3, 2000, the company launched its first product in 2002 and was recognized as a visionary in Gartner’s 2003 ‘IT Security Management Magic Quadrant,’ where there were no leaders at that time. 
  • Leading real-time correlation engine: ArcSight’s real-time correlation engine is highly customizable, with an extensive range of fields, functions, and categories, enabling organizations to detect and respond to threats as they happen, rather than relying on scheduled searches.
  • Extensive connector support: ArcSight provides over 400 pre-built connectors for seamless integration across diverse security domains, including anti-virus, databases, cloud environments, mail servers, operating systems, firewalls, IDS/IPS, identity security, network management, and threat intelligence. For specialized needs, custom ‘flex connectors’ can be developed to meet any unique monitoring requirements. 
  • SOAR integration as a complimentary add-on: To offset on-prem SIEM maintenance costs, ArcSight includes SOAR capabilities as a complimentary add-on, enhancing ROI. It also offers seamless, customizable integration with third-party solutions, essential for any SOAR platform. 
  • Comprehensive MITRE ATT&CK coverage: In a GigaOM evaluation, ArcSight was found to cover 10 out of 10 of the common MITRE ATT&CK techniques.  
  • Secure threat intelligence and vulnerability data import: ArcSight on-prem allows the import of threat intelligence and vulnerability data from third-party vendors without cloud exposure. 
  • Ease of migration: ArcSight allows easy migration of correlation rules and policies, ensuring minimal disruption and continuity when transitioning from a SIEM with similar correlation technology. 
  • Fast and scalable log management platform: ArcSight Recon simplifies log management and compliance with powerful analytics, an intuitive UI and query language, and actionable insights. 
  • Guaranteed event handling, even under attack: ArcSight prevents event loss during EPS spikes, even in DDoS attacks, by accommodating short-term bursts beyond the licensed limit without penalty.

Conclusion 

Despite the shift to SaaS, on-prem SIEMs still play a crucial role, especially in highly regulated or sensitive industries. For organizations that prioritize security, data sovereignty, autonomy, and compliance, ArcSight on-prem offers a mature, reliable, scalable, and highly customizable solution. 

What customers are saying: high praise for ArcSight’s performance  

‘The great integration capabilities demonstrated in the ArcSight toolset have allowed us to create an end-to-end SIEM with MITRE ATT&CK compliance and new data sources in ArcSight ESM, additional use cases and reporting with ArcSight SOAR, and enhanced overall security with ArcSight Intelligence.’ Cihan Yuceer, Cyber defence center manager, Turkcell 

‘ESM reveals security events to us that we were never able to detect before. We’re very happy with ESM and confident we can find threats before they compromise our network or disrupt business. ArcSight provides critical insurance against the damage modern cyber-attacks can inflict on an organization.’ Mark Beerends, Head of Security Operations Center, Rabobank 

‘Rather than writing multiple playbooks for each type of potential security threat, we use a single set of branching logic in ArcSight SOAR to help us close 33% of cases without any human involvement.’ Emrecan Batar, Information Security Senior Specialist, Odeabank 

For detailed insights on how OpenText ArcSight can enhance your cybersecurity posture, please refer to the ArcSight Enterprise Security Manager (ESM) data sheet. 


Steve Jones

Steve Jones is a Product Marketing Manager at OpenText, specializing in the cross-cybersecurity portfolio. Prior to this role, he served as a PMM for ArcSight and worked at Hewlett Packard and Micro Focus for 11 years as an ITOM & Cybersecurity Sales Enablement Specialist. Steve also spent 11 years as a Technical Enablement Specialist on Endpoint Automation for HP/Novadigm. Steve is also a published author, with a book on Apple Macintosh Troubleshooting, articles for PAGE digital design magazine, and a non-fiction book published by a New York publishing house.
