ArcSight Express - Technical Presentation


    Agenda

  • Event Management Challenges
  • ArcSight Express Product Overview
  • Rapid Implementation
  • Growth Path
  • Q&A

    2009 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.

    Event Management Challenges

    Millions of Events From Disparate Sources

  • 100s of millions of events per day
  • Islands of defense
  • Overwhelming flood of logs
  • Week-long manual investigations
  • Massive false positives
  • Heterogeneous consoles
  • Many different formats
  • Critical events lost in a sea of events; most attacks and misconfigurations go completely undetected

    Missing an Attack Can Be Catastrophic

  • When events go unnoticed, bad things happen

    Threat Response Time is Critical

  • How long does it take to respond once a problem is discovered?
  • Reduce risk and cost by dramatically reducing the time it takes to effectively respond
  • (Chart: risk/cost against time to remediate)

    An Event Management Solution Must Be Able To:

  • Collect events from a wide variety of sources
  • Correlate and build context in real time
  • Analyze and prioritize the most critical events
  • Shift focus to malicious activity and immediate threats
  • Provide immediate risk identification and mitigation
  • Scale without requiring a replacement solution


    ArcSight Express Product Overview

    ArcSight Express: Fast, Easy Security Automation (Your Security Expert in a Box)

  • World-class event correlation capabilities
  • Market-leading log management functionality
  • Simple browser-based operator console
  • Handles most common security and compliance issues out of the box
  • Perimeter and network security monitoring
  • Broad compliance controls
  • Minimal administrative overhead

    Targeted at Problems That Matter Most

  • Bot, worm, and virus attacks: Is this a zero-day outbreak?
  • Hacker detection: Who is attacking me? What are they attacking?
  • Unauthorized application access: What servers are accessed most? Where are the most access events coming from? What systems have compromised accounts? Which users are generating the most login failures? Which critical systems have suspicious login activity?
  • VPN sneak attacks: Where are my remote access connection requests coming from? Who are the top remote users that have auth failures? When do my remote users access my systems?
  • Bandwidth hogs and policy violations: What users are bandwidth hogs? What protocols are they using?
  • System and user impacts: Which systems are affected by this worm or virus? Which user maps to this IP address?
  • Failed audits, fines and penalties: Which reports are needed for this regulation? Which requirements are not in compliance?

    ArcSight Connectors: Market-Leading Integration

  • Collect native log formats from 275+ products
  • Centralized or distributed collection
  • Normalize to a common format
  • Device-independent categorization
  • Secure, reliable transport
  • Available options: rackable appliances (C3000/C5100), branch office/store appliance (C1000), installable software
  • Benefit: insulates device choices from analysis

  • ArcSight Express Event Collection: 275+ products, 50+ categories, 80+ partners

    Assured Integrity and Reliability with a Robust Connector Architecture

  • Follows NIST 800-92 log aggregation guidelines
  • (Diagram: events → ArcSight Connector → compressed event stream → ArcSight monitoring)

    Normalization and Categorization

  • (Diagram: a Windows failed login event, an Oracle failed login event and a UNIX failed login event are all normalized and categorized into one common event)
  • Benefit: future-proof your analysis and monitoring

    ArcSight Express Correlation: Market-Leading Correlation Engine

  • Real-time, in-memory event analysis across 8 device categories
  • Prescriptive, pre-built correlation rules
  • Advanced intelligence: millions of events → important incidents
  • Data center rackable appliance
  • Benefit: focus scarce resources on relevant threats

    ArcSight Express Correlation Helps Find Needles in the Haystack

  • Millions: raw events
  • Thousands: security-relevant events
  • Hundreds: correlated events
  • Identified threats: cross-device, against business-critical IT assets

    Correlation: Intelligent Correlation for Real-Time Monitoring of Malicious Activity

  • Risk-based prioritization: reduction of false positives
  • Pre-built rules: immediate deployment
  • Active Lists: automatic threat escalation
  • Connector categorization
  • Leverages core technologies:
  • Historical correlation: correlation of past events, scheduled or on-demand
  • In-memory correlation: 22 real-time correlation rules, real-time monitoring
  • Statistical correlation: find baselines and report deviations from normal behavior

    Analyze and Investigate

  • Active Channels for interactive investigations
  • 75 prescriptive reports
  • 18 pre-built dashboards with drill-to-detail
  • Intuitive investigations allow forensics on the fly

    Powerful and Flexible Reporting

  • Focused monitoring reports: asset-based and categorization-based
  • Report scheduling
  • Multiple distribution formats: URL or email attachment; HTML, XLS, PDF, RTF, CSV
  • Key reporting categories: user login tracking, bandwidth usage, top activity, user change tracking, perimeter security

    ArcSight Express for Compliance

  • Correlation rules and reports that can map to multiple regulations
  • Coverage for SOX, PCI, HIPAA, ISO 17799, NIST, FISMA
  • Major focus areas derived from NIST 800-53 guidelines: authentication, availability, workflow, attacks, access control policies, virus/worm/malware activity, configuration management

    Key ArcSight Express Compliance Reports

  • External Logins to Critical Systems
  • Failed Database Access
  • Logins to Email Systems
  • Administrative Logins and Logouts by Asset
  • Successful Brute Force Logins
  • Top 10 Unsuccessful Administrative Logins
  • Failed Anti-Virus Updates
  • By Host Virus Summary
  • Most Frequent 10 Targets
  • Device and Operating System Configuration Modifications

    Real-Time Alerting

  • Real-time, correlated alerts
  • Alert actions can be configured for critical events
  • Complete case management
  • Notifications: email, pager or text message delivery; SNMP alerts to leverage network management response teams; notification groups
  • Priority-based escalation of notifications

    Built-in Case Management

  • Cases and workflow for compliance verification
  • Cases: create specific incidents for specific event occurrences
  • Stages: process cases through predefined, collaborative workflow definitions
  • Attachments: add additional context for incidents

    ArcSight Logger: Market-Leading Long-term Storage

  • Efficient, self-managed archiving of 8 terabytes of log data
  • Fast and flexible search capability without traditional compromises
  • Raw or normalized format
  • Automated enforcement of multiple retention policies
  • Data center rackable appliances
  • Benefit: long-term retention and fast search

    ArcSight Express vs. The Competition?

    ArcSight Express:

  • 10x fewer reports needed to detect threats, by leveraging categorization
  • Compliance content
  • Perimeter and network monitoring
  • Cross-device correlation and reports
  • Correlation: multi-session, asset information, moving-average correlation
  • Centralized or distributed collection; secure, guaranteed event delivery
  • Drill-downs, Active Channels from dashboards
  • Dynamic rules through session/Active Lists
  • Lights-out operation, focused management/response UI
  • Dedicated design console
  • Robust case management/workflow
  • Notification escalations
  • FlexConnector support option
  • Future-proof analysis from technology choices
  • Simple analysis taxonomy with categorization

    Competition:

  • Over a thousand reports; complex and confusing out-of-box content
  • Compliance content
  • Perimeter and network monitoring
  • Remaining items marked "??" on the slide


    Rapid Implementation

  • First Boot Wizard

  • Connector Wizard

  • Network Modeling Wizard

    ArcSight Express Professional Service Offering

  • 5 days of on-site implementation services covering the following: appliance setup; installation of up to 8 connectors from the list of correlated event types; basic network/asset modeling guidance; content tuning, as necessary; product tutorial
  • Additional-cost items include FlexConnector development, extensive network/asset modeling work, additional content and connector deployment

    ArcSight Express Deployment Options

  • Centralized or distributed
  • Supports many logs and log formats


    Growth Path

    Integrated Growth Path

  • Benefit: common collection, low TCO and seamless integration
  • (Diagram labels: ArcSight Express, ArcSight ESM, Sensitive Data Security, User Activity Monitoring, Fraud Detection, Application Transaction Security, Guided Response)

    ArcSight Express vs. ESM

    ArcSight Express:

  • Cross-regulation compliance reporting
  • End-user web console
  • Appliance deployment option
  • Pre-built out-of-box rules/reports
  • Market-leading correlation

    ArcSight ESM adds:

  • Customizable regulatory compliance packages
  • Unlimited rule/device types
  • Custom rules/report creation
  • Software deployment option
  • Unlimited device expandability
  • Activity profiling (pattern discovery)
  • User, fraud, and data monitoring
  • More storage
  • More integration options

    What Makes ArcSight Unique

  • Unmatched in: interoperability, correlation, and scale

    Summary: Protect Your Business, Choose the Best

  • SIEM Leaders Quadrant six years running
  • Market share leader
  • Proven, integrated technology for monitoring and controlling security and risk
  • Designed to fit within today's IT environment while insulating tomorrow's decisions
  • Simplified form factor, easy deployment and immediate time to value


    Questions?

    For More Information:

  • ArcSight Inc.: www.arcsight.com
  • Webcasts: www.arcsight.com/news_webinars.htm
  • Collateral: www.arcsight.com/whitepapers.htm

    Pre-Built Content for Top Scenarios

  • Cross-Device Reporting: Top Bandwidth Users; Configuration Changes; Successful and Failed Logins; Password Changes; Top Attackers and Internal Targets
  • Anti-Virus Reporting: Top Infected Systems; All AV Errors; AV Signature Update Stats; Consolidated Virus Activity; AV Configuration Changes
  • Database: Database Errors and Warnings; Database Successful and Failed Logins; Database Configuration Changes
  • IPS/IDS: IPS/IDS Alert Metrics; Alert Counts; Top Alert Sources and Destinations; Top Attackers and Internal Targets
  • Access Management: User Authentication Across Hosts; Authentication Success and Failures; User Administration Configuration Changes
  • Network Devices Reporting: Network Device Errors and Critical Events; Network Device Status and Down Notifications; Bandwidth Usage; Configuration Changes by User and Change Type; Successful and Failed Logins; Top Connections
  • VPN Device Reporting: VPN Authentication Errors; Connection Counts; Connection Durations; Connections Accepted and Denied; Successful and Failed Logins; Top Connections; Top Bandwidth Users; VPN Configuration Changes
  • Operating System Reporting: Privileged User Administration; Successful and Failed Logins; Configuration Changes
  • Firewall Reporting: Denied Inbound Connections; Denied Outbound Connections; Bandwidth Usage; Successful/Failed Login Activity

    Key Points

    Organizations have invested in a wide variety of point solutions, initially targeting perimeter security. These best-of-breed security products come from many different vendors, creating huge problems for security teams.

  • Overwhelming flood: security devices such as firewalls and IDSs overwhelm security staff, generating tens or hundreds of millions of logs each day. There's no way any company can hire the people it would take to manually review these logs.
  • Massive false positives: the vast majority of these logs, or events, are false positives: useless or insignificant data from chatty devices that lack the context or intelligence to ascertain the true threats.
  • Islands of defense: each device, or each set of devices from an individual vendor, lacks the context that is gained by a higher-level view, which provides valuable context on what's going on across devices, systems and networks.
  • Heterogeneous consoles: these products each have their own log format, categorization and taxonomy, console and so on. A security person would need to learn and be proficient at each different console to try to understand what is going on, with millions of logs streaming by, all in incompatible formats. The common complaint is YAC (yet another console), the last thing a security person wants to try to manage.

    This means that the security team cannot do their most basic job: identifying, prioritizing, and defending against the highest-priority threats. With all these disparate systems, they have no overall view, no overall understanding, no ability to monitor or report on even the most critical aspects of security. Because there are so many IT components generating millions of events in any given day, security officers are unable to manually scour these events to find the ones that pose serious security risks. Let us look at a few examples.

    In the first example, Dassault Corp. was not aware of the ongoing theft of military secrets for more than 5 years because no one was looking at the events being generated. Only after they realized something was wrong were they able to go back, review event logs and discover the illegal activity. ArcSight ESM would have highlighted the access to this privileged information and been able to build the relevant context around the access events. This way the illegal access would have come to light as soon as it started.

    Here is a favorite example: the TJX breach. Once again we see that system intrusions that were clearly being logged went unnoticed for at least 3 years before TJX found their name on the front page of a newspaper. TJX eventually disclosed that over 47 million customer records were stolen over a long period of time, simply because no one was watching the events that indicated a breach was repeatedly occurring.

    So what we are really talking about here is shrinking the window of vulnerability. I mentioned this on the last slide: we live in a world where threats are rapidly propagating and impacting corporate environments within minutes or even seconds, rather than historically when it was hours or days.

    So from a response program you obviously want to minimize the amount of time you are vulnerable to that incident. This is where ArcSight TRM comes in: we provide you a reliable, repeatable and auditable capability to rapidly and automatically respond to different incidents in your infrastructure at multiple enforcement points. The right event management solution is needed to ensure that the riskiest events occurring in the organization are not left unnoticed. To successfully do this the solution must be able to do these things:

  • Collect from across the enterprise
  • Understand the full impact of any event, and
  • Analyze and prioritize the event based on the full context surrounding the event

    ArcSight Express allows you to work more efficiently. It includes ArcSight's market-leading SIEM and log management technologies, along with the years of expertise we have developed fulfilling the security needs of the world's leading organizations.

    ArcSight Express's "Security Expertise in a box" filters out the noise in your environment, brings the key incidents to your attention quickly, helps you focus on the issues that need to be addressed right away, and puts the information you need to address compliance mandates at your fingertips.

    Our connectors are an important part of the platform. They collect events from hundreds of devices in native format, then they normalize those to a common, well-defined format so that you can compare and analyze very disparate events. The connectors collect locally and then send the normalized events to our logging and correlation products in a guaranteed, secure, and bandwidth-efficient manner.

    The key point of our approach is that by normalizing all these device logs into a common format, ArcSight insulates your analysis from your choice of products. If you want to swap out Cisco and replace with Juniper, none of your analysis breaks. This gives you tremendous flexibility in your choice of technology, and it also means that when new products come out in the future, you are not painted into a corner in terms of your monitoring and analysis.

    These connectors are available in multiple options. We have rackable appliances that can manage thousands of devices, and we have small, cost-effective appliances designed for branch offices or in-store use. They are also available as software installable on your own machines.

    ArcSight has the most connectors, for more products, from more vendors in more categories than any other SIEM vendor. There are 30 different categories of data sources, and the list is growing every week. Our out-of-the-box connectors include everything from external security, to compliance-relevant systems such as SAP, to some of the newest insider threat technologies. The benefits to our customers are threefold:

  • fast, low-cost deployments: no need to develop these connectors
  • a single pane of glass (ArcSight ESM) supporting the broadest set of inputs in the industry
  • customers can easily leverage best-of-breed technologies

    And this list does not include those connectors created by our customers and partners using our FlexConnector development kit. Customers have developed their own connectors using the FlexConnector SDK for everything from physical building security badge reader systems to telephone PBXs and faxes.

    ArcSight connectors don't just capture data; the connectors are highly intelligent. At a high level, connectors optionally support filtering of events (for example filtering irrelevant data from verbose switches) and aggregation. With aggregation no data is lost; it merely provides a mechanism for storing data efficiently. For example, instead of storing 10 firewall accepts, the aggregation feature will store ONE event with an event count of 10.

    One of the key benefits of the distributed architecture is efficient and secure delivery of events. Once events are processed by ArcSight SmartConnectors, they are guaranteed delivery to the ArcSight Manager in a secure and compressed format. The events are secured via SSL over port 8443 to ensure 100% of the events are securely delivered to the ArcSight Manager. SmartConnectors also compress the events put on the wire and then uncompress them once received by the ArcSight Manager, to optimize bandwidth consumption as events travel through the network. The other thing to consider is that the closer connectors are deployed to the end devices, the less bandwidth is used, so if bandwidth issues exist in your environment you would want to factor this into your connector architecture.

    Guaranteeing delivery of events to the ArcSight Manager is critical. First, ArcSight SmartConnectors maintain a heartbeat connection to the Manager. In the event the connection goes down, the SmartConnector will cache events. This is important, for example, with Windows events: if there is an outage on the network and you cannot pull or send events across the network, Domain Controllers' event log files will be overwritten and you will effectively lose those events. The ArcSight SmartConnector cache ensures that events are not lost. The connector caches events locally (you configure how large the cache is and where to store it). ArcSight connectors can also be configured to redirect events to a failover Manager. If the connector can't transmit to the primary ArcSight Manager, security analysts will not be able to monitor possible attacks in real time. To ensure continuous monitoring of real-time events, if the heartbeat with the primary Manager is lost, SmartConnectors will send a copy of events to a failover Manager so security analysts can continue to monitor in real time. Once the primary Manager is back up, all the cached events are sent to the primary Manager and the failover Manager is no longer necessary. The cache ensures sizing to sustained rather than burst rates.

    One of the primary reasons companies request a connectorless deployment is to avoid management of remote connectors. In order to provide that same benefit in a distributed architecture, we automatically distribute content (categorization) updates centrally from the ArcSight Manager. Categorization updates are placed centrally on the ArcSight Manager and they are automatically pushed out to the SmartConnectors without having to touch all the connectors out in the network.

    The first unique strength is event collection and processing. We touched on this earlier, but it is really core to good SIEM operations.

    One of the primary functions of the ArcSight connector is to normalize and categorize the event data. Some SIM products just take the raw event and store it in the database. Others store the event in each of their proprietary formats; then when they correlate or report there is a lot of overhead associated with processing those formats. At ArcSight, we put the various inputs into one common format.

    Here is an example of three different failed login events: Windows, OS/390, and Linux. First, ArcSight connectors parse the different fields of the event and map them into the common event schema in ArcSight. This ensures that the data is stored in a common schema regardless of input format or device type. So instead of the security analyst having to understand the different fields contained in each event of each different device, they have a common set of fields.
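    As an added illustration of the normalization, categorization and aggregation steps described in the connector notes above (not code from the presentation or from ArcSight), the following Python maps three constructed failed-login lines, a Windows event, a Linux sshd message and an OS/390 RACF-style message, into one common schema with a single device-independent category, then collapses repeated identical events into one record carrying an event count, the way the "10 firewall accepts become one event with a count of 10" example describes. The log formats, field names and product labels are assumptions chosen for this example; the real ArcSight event schema and categorization taxonomy are not reproduced here.

```python
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, one per source. These are not from the presentation;
# the formats only approximate what each platform emits for a failed login.
SAMPLE_LOGS: List[Tuple[str, str]] = [
    ("windows", "2009-06-01T10:15:02Z Host=DC01 EventID=4625 Account=jsmith "
                "SourceIP=10.1.4.22 Status=BadPassword"),
    ("linux", "Jun  1 10:15:04 dbhost sshd[2212]: Failed password for jsmith "
              "from 10.1.4.22 port 51022 ssh2"),
    ("os390", "ICH408I USER(JSMITH ) GROUP(DBA ) NAME(J SMITH) "
              "LOGON/JOB INITIATION - INVALID PASSWORD FROM 10.1.4.22"),
]

# One parser per native format. Each yields the same named groups, so the
# mapping into the common schema below is identical for every source.
PARSERS: Dict[str, Tuple[str, "re.Pattern[str]"]] = {
    "windows": ("Microsoft Windows", re.compile(
        r"^(?P<ts>\S+) Host=(?P<host>\S+) EventID=(?P<eid>\d+) "
        r"Account=(?P<user>\S+) SourceIP=(?P<src>\S+)")),
    "linux": ("OpenSSH sshd", re.compile(
        r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
        r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    "os390": ("RACF", re.compile(
        r"^ICH408I USER\((?P<user>\w+)\s*\).*?INVALID PASSWORD.*?FROM (?P<src>\S+)")),
}


@dataclass(frozen=True)
class CommonEvent:
    """Device-independent schema: the analyst works with these fields only."""
    category: str            # e.g. /Authentication/Failure, identical for all three sources
    device_product: str
    user: str
    source_address: str
    destination_host: str
    timestamp: Optional[str]
    event_count: int = 1


def normalize(source: str, line: str) -> Optional[CommonEvent]:
    """Parse one native line and map it into the common schema; None if it does not parse."""
    product, pattern = PARSERS[source]
    m = pattern.match(line)
    if not m:
        return None
    g = m.groupdict()
    return CommonEvent(
        category="/Authentication/Failure",
        device_product=product,
        user=g["user"].lower(),                        # RACF IDs are upper case; one spelling per user
        source_address=g["src"],
        destination_host=g.get("host") or "unknown",   # the RACF line names no host
        timestamp=g.get("ts"),
    )


def normalize_all(logs: List[Tuple[str, str]]) -> List[CommonEvent]:
    return [e for e in (normalize(s, l) for s, l in logs) if e is not None]


def aggregate(events: List[CommonEvent]) -> List[CommonEvent]:
    """Connector-style aggregation: events identical in every field except the
    timestamp collapse into one event whose event_count is the number merged,
    so ten copies of one failure are stored once with event_count=10."""
    merged: Dict[tuple, CommonEvent] = {}
    for e in events:
        key = (e.category, e.device_product, e.user, e.source_address, e.destination_host)
        if key in merged:
            prev = merged[key]
            merged[key] = replace(prev, event_count=prev.event_count + e.event_count)
        else:
            merged[key] = e
    return list(merged.values())


if __name__ == "__main__":
    events = normalize_all(SAMPLE_LOGS)
    # Nine more copies of the sshd failure stand in for a noisy device.
    repeats = [normalize("linux", SAMPLE_LOGS[1][1])] * 9
    for e in aggregate(events + repeats):
        print(e)
```

    Run stand-alone, the script prints three common events, one per source, with the sshd event carrying event_count=10. A line that does not match its parser (an "Accepted password" message fed to the sshd parser, say) yields None rather than a mis-categorized event, which is the behaviour you want from a normalizer feeding a correlation engine.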

    ArcSight Express is designed for real time correlation and analysis. ArcSight Express supports flexible correlation rules to discover potential security and compliance problems quickly.

    It uses a variety of methods to sift through millions of events to find the incident that matters. These can be things like sliding time windows, asset criticality, user identity, and so forth. When correlation is done right, it filters out the noise and lets you concentrate on the important stuff.

    Unique among SIEM products is our activity profiling function. This sifts through historical event sets to find subtle patterns and then proposes new rules based on these patterns. Activity profiling allows you to create better correlations and therefore improve your security.

    Finally, our flexible visualization layer lets you customize the presentation of data and results the way you need it. Different views for different users, and sophisticated charting and graphing, can really show you what's happening.

    ArcSight Express is available as rapid-deployment appliances.

    ArcSight correlation capability is built on a few core technologies. These technologies working together are able to provide the most effective analysis and alerting.

    In-memory correlation allows immediate visibility into the activities occurring in the environment. Statistical correlation allows you to evolve the rules as the environment changes, and historical correlation allows you to put much more context around every single event that is seen.

    Active Lists enable the intelligent escalation of events as they grow in the level of threat; events are prioritized based on the level of risk to the organization. The results are presented via a robust graphical engine in the most common formats, and can be adapted to the technical, business, audit or executive user.

    To address the growing use cases and management challenges for enterprise log data, ArcSight Logger is delivered as a turnkey appliance capable of capturing and analyzing all enterprise log data while providing a compressed, cost-effective and self-managing log repository.
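    To make the correlation concepts in the notes above concrete (sliding time windows, asset criticality and Active Lists that escalate a source as its threat level grows), here is an added, self-contained Python example; it is not ArcSight's rule engine or content. It implements one in-memory threshold rule (five authentication failures from one source against one host within 60 seconds), puts the offending source on an Active List with a time-to-live, and escalates to a "Successful Brute Force Login" alert, one of the report names on the compliance slide, if a listed source later authenticates successfully. Priorities are risk-based: the same rule scores higher against a more critical asset. The asset model, window, threshold, TTL and the event stream are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

# Constructed asset model: criticality 1..10 as an analyst would assign it.
ASSET_CRITICALITY: Dict[str, int] = {"db01": 9, "web02": 5}


@dataclass(frozen=True)
class Event:
    ts: int            # seconds since the start of the constructed scenario
    category: str      # /Authentication/Failure or /Authentication/Success
    src: str
    dst: str
    user: str


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    dst: str
    priority: int      # 1..10, risk-based
    ts: int


class CorrelationEngine:
    """In-memory correlation: a sliding-window threshold rule, an Active List of
    sources that tripped it, and a second rule that escalates when one of those
    sources later authenticates successfully."""

    def __init__(self, window: int = 60, threshold: int = 5, list_ttl: int = 600):
        self.window = window
        self.threshold = threshold
        self.list_ttl = list_ttl
        # (src, dst) -> timestamps of recent failures, oldest first
        self.failures: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
        # Active List: suspicious source -> expiry timestamp
        self.suspicious_sources: Dict[str, int] = {}
        self.alerts: List[Alert] = []

    def priority(self, dst: str, base: int) -> int:
        """Risk-based prioritization: the same rule scores higher on a critical asset."""
        return min(10, base + ASSET_CRITICALITY.get(dst, 1) // 2)

    def process(self, ev: Event) -> List[Alert]:
        fired: List[Alert] = []
        if ev.category == "/Authentication/Failure":
            q = self.failures[(ev.src, ev.dst)]
            q.append(ev.ts)
            while q and ev.ts - q[0] > self.window:      # slide the window forward
                q.popleft()
            if len(q) == self.threshold:                 # fire once as the threshold is crossed
                fired.append(Alert("Brute Force Login Attempt", ev.src, ev.dst,
                                   self.priority(ev.dst, 3), ev.ts))
                self.suspicious_sources[ev.src] = ev.ts + self.list_ttl
        elif ev.category == "/Authentication/Success":
            expiry = self.suspicious_sources.get(ev.src)
            if expiry is not None and ev.ts <= expiry:   # listed and not yet expired
                fired.append(Alert("Successful Brute Force Login", ev.src, ev.dst,
                                   self.priority(ev.dst, 7), ev.ts))
        self.alerts.extend(fired)
        return fired


def run_scenario() -> List[Alert]:
    """Feed a constructed event stream through the engine and return every alert."""
    F, S = "/Authentication/Failure", "/Authentication/Success"
    events = (
        # five failures in 40 s, then a success: should fire both rules
        [Event(t, F, "203.0.113.9", "db01", "svc_backup") for t in (0, 10, 20, 30, 40)]
        + [Event(55, S, "203.0.113.9", "db01", "svc_backup")]
        # five failures spread over 400 s: never five inside one 60 s window
        + [Event(t, F, "198.51.100.7", "db01", "jsmith") for t in (0, 100, 200, 300, 400)]
        # three failures then a success from a third source: below threshold
        + [Event(t, F, "192.0.2.5", "web02", "anna") for t in (5, 6, 7)]
        + [Event(8, S, "192.0.2.5", "web02", "anna")]
        # a success from the listed source after its Active List entry has expired
        + [Event(800, S, "203.0.113.9", "db01", "svc_backup")]
    )
    engine = CorrelationEngine()
    for ev in sorted(events, key=lambda e: e.ts):
        engine.process(ev)
    return engine.alerts


if __name__ == "__main__":
    for a in run_scenario():
        print(a)
```

    The scenario produces exactly two alerts, both for 203.0.113.9 against db01: the attempt at t=40 with priority 7 and the escalation at t=55 with priority 10. The slow source never accumulates five failures inside one window, the three-failure source stays below threshold, and the late success at t=800 is ignored because the Active List entry has aged out, which is the behaviour that keeps such a rule from paging on stale state.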

    With ever-growing use cases for log data, organizations want to bring more and more logs into the log management infrastructure, so performance and cost-effective storage are critical. Fortunately Logger supports collecting raw logs at event rates in excess of 75K EPS and is equipped with 2TB of onboard storage. Since all log data is compressed prior to storage, you effectively get over 15TB of raw data capacity per appliance. ArcSight Logger also provides the necessary hooks to leverage an organization's existing network attached storage (NAS) investment.

    Many of you have large and distributed networks, and you may want to collect, store, and analyze logs locally at each data center or key location. Logger provides for linear scalability in terms of capacity as well as performance. Effectively, organizations could just as easily deploy 10 appliances in a hierarchical or peer-to-peer manner, which would yield roughly 750K EPS and 150 TB of raw data capacity. Distributed ArcSight Logger appliances continue to operate as an array, enabling users to query enterprise log data selectively or universally as dictated by granular access controls.

    If you're planning to use log data for forensics or compliance, you'll have to ensure that the data meets audit quality standards. Numerous audit and litigation best practices have been incorporated into ArcSight Logger. Raw log data collected from across the enterprise is subject to integrity checks as received. Once stored, granular access controls protect both system and event data, ensuring that confidentiality is maintained and separation of duties can be enforced. Most companies have multiple retention requirements depending on internal policies and regulations, and Logger supports automated assignment and enforcement of such retention policies, which eliminates a lot of the manual overhead of data disposition or clean-up efforts. ArcSight Logger also uniquely supports administrative extensions to policies in the event of litigation or ongoing investigations.
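    The three audit-quality controls named above (integrity checks on receipt, automated retention assignment and enforcement, and an administrative hold that extends retention during litigation) are small enough to show end to end. The following Python is an added example written for this page, not ArcSight Logger's implementation: it stores each received batch with a SHA-256 digest, assigns a retention policy from the source type, refuses to expire anything under hold, and lets a later verification detect that stored bytes were altered. Policy names, retention periods, the source-to-policy mapping and the sample lines are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# Constructed retention policies and source-to-policy assignment; a real deployment
# derives these from internal policy and the regulations it is subject to.
RETENTION_DAYS: Dict[str, int] = {"regulated": 365, "operational": 90}
SOURCE_POLICY: Dict[str, str] = {"firewall": "regulated", "dbaudit": "regulated",
                                 "switch": "operational"}


@dataclass
class StoredChunk:
    chunk_id: int
    source: str
    policy: str
    received_day: int      # day number in the constructed timeline
    raw: bytes             # raw log lines exactly as received
    digest: str            # SHA-256 of raw, computed on receipt
    legal_hold: bool = False


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class LogStore:
    """Integrity check on receipt, automated retention assignment, and enforcement
    that honours administrative holds."""

    def __init__(self) -> None:
        self.chunks: Dict[int, StoredChunk] = {}
        self._next_id = 1

    def ingest(self, source: str, day: int, lines: List[str]) -> StoredChunk:
        raw = "\n".join(lines).encode()
        chunk = StoredChunk(self._next_id, source,
                            SOURCE_POLICY.get(source, "operational"),
                            day, raw, sha256_hex(raw))
        self.chunks[chunk.chunk_id] = chunk
        self._next_id += 1
        return chunk

    def verify(self, chunk_id: int) -> bool:
        """Recompute the digest; False means the stored bytes no longer match what was received."""
        c = self.chunks[chunk_id]
        return sha256_hex(c.raw) == c.digest

    def place_hold(self, chunk_id: int) -> None:
        """Administrative extension (litigation, open investigation): exempt from expiry."""
        self.chunks[chunk_id].legal_hold = True

    def enforce_retention(self, today: int) -> List[int]:
        """Remove every chunk past its policy's retention period unless it is on hold.
        Returns the ids that were removed, for the audit trail."""
        expired = [cid for cid, c in self.chunks.items()
                   if not c.legal_hold
                   and today - c.received_day >= RETENTION_DAYS[c.policy]]
        for cid in expired:
            del self.chunks[cid]
        return expired


def run_retention_scenario() -> dict:
    """Constructed walk-through: three batches, one hold, one tampered chunk, two sweeps."""
    store = LogStore()
    a = store.ingest("switch", 1, ["%LINK-3-UPDOWN: Interface Gi0/1, changed state to down"])
    b = store.ingest("switch", 1, ["%SYS-5-CONFIG_I: Configured from console by admin"])
    c = store.ingest("firewall", 1, ["deny tcp 203.0.113.9:4444 -> 10.1.4.22:22"])
    store.place_hold(b.chunk_id)                 # b is operational but under hold
    intact_before = store.verify(c.chunk_id)
    c.raw = c.raw.replace(b"deny", b"permit")    # simulate alteration of stored bytes
    intact_after = store.verify(c.chunk_id)
    removed_day_100 = store.enforce_retention(100)   # operational expires; held chunk stays
    removed_day_400 = store.enforce_retention(400)   # regulated expires; held chunk still stays
    return {"intact_before": intact_before, "intact_after": intact_after,
            "removed_day_100": removed_day_100, "removed_day_400": removed_day_400,
            "remaining": sorted(store.chunks)}


if __name__ == "__main__":
    print(run_retention_scenario())
```

    Two points the walk-through makes that the paragraph only states: the digest is bound to the bytes as received, so an edit after storage is detectable even though the record still "looks like" a log line; and the hold is checked before the age test, so a sweep run years later still leaves the held chunk in place until the hold is lifted.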

    Captured log data is only as valuable as it is searchable and accessible, and that can be a nightmare if you've ever tried to grep your way through terabytes of logs. So we've invested a lot of effort in equipping Logger with a powerful but easy-to-use search interface that allows you to intuitively navigate across terabytes of log data.

    Log aggregation is seamless with ArcSight Logger's hardened 1U appliance form factor. With optimized file storage and inbuilt monitoring, organizations need minimal effort to configure and manage ArcSight Logger deployments. No database administration expertise is needed, and a 100% web-based GUI simplifies deployment further by eliminating the need for client installations.

    ArcSight Logger integrates bi-directionally with ArcSight's market-leading SIEM offering, ArcSight ESM. The integration allows ArcSight Logger to flexibly forward security events to ArcSight ESM for real-time, cross-device correlation, visualization and threat detection. In addition to raw syslog or file-based log sources, it also supports the vast library of ArcSight SmartConnectors, which enable search-optimized collection from over 170 distinct sources across 35 categories.

    ArcSight includes over 350 standard reports out of the box; these can easily be run against events based on categorization, asset priority, etc. We also bundle in an ISO 17799 reporting package which provides the framework for all compliance reporting. We also include Sarbanes-Oxley and HIPAA content as well.

    It has a GUI report writer built into the product to simplify custom and ad hoc reporting needs. This is nice because no SQL experience is needed to create or modify reports.

    ArcSight Express addresses many compliance regulations, based on a mapping of ArcSight content to the NIST 800-52 guidelines. Using this framework you can demonstrate compliance with the SOX, PCI, HIPAA, Basel II, ISO 17799 and the Federal NIST and FISMA mandates. Here are a few examples of compliance reports that are available in ArcSight Express.

    ArcSight Express also has a fully functional notification and escalation engine built in. You can use this to set up multi-tiered notification rules to ensure that critical incidents are addressed in a timely fashion.

    ArcSight Express's workflow and case management engine allows you to automatically create cases when critical incidents are detected. The workflow engine is used to build workflows and approval stages depending on how you want to handle incident management.

    Next is log management, ArcSight Logger. Logger is designed for long-term historical storage and reporting and gives you a very efficient way to archive and manage large amounts of log data. Logger is a self-tuning event store designed for long-term storage. You can send raw logs here or you can use the normalized format I described in the previous slide. Logger has a variety of pre-built reports for security and compliance purposes, and it also supports ad hoc searching.

    This is a cost and time efficient way to retain compliance records and report on compliance controls.

    It's available as a self-storing multi-terabyte data center appliance. If you have a SAN and want to do log management but store the records in the SAN, we have a version for that. Finally, we also have smaller Logger appliances for midsize or regional organizations.

    ArcSight Express provides more benefits than any other security solution.

    It is able to enable your security operation in a matter of days. It provides the visibility into perimeter, network and compliance activity lacking in most organizations. It focuses on the critical incidents and removes the complexity from security operations.

    And it does all of this right out of the box.

    Here is a walk-through of the initial deployment wizard. This shows how easy it really is to get up and running with ArcSight Express.

    [walk through wizard over the next several slides]

    ArcSight Express provides the fastest time to value, in a matter of days instead of weeks or months, with the ArcSight Express Implementation professional service. With our PS engagement, you are up and running within a week. If additional services are needed, you can engage with our PS group to extend your deployment.

    Let's do a deep dive into deployment.

    ArcSight supports several different deployment options for collecting data. First, we support a connectorless environment. With this deployment option, connectors are installed centrally with the ArcSight Manager.

    Or, in the case of Windows events, ArcSight connectors on the Manager box are configured to go out and pull Windows events across the network into ArcSight.

    ArcSight supports another option: distributing connectors in the network, not necessarily on end devices, but on some connector box such as syslog servers, management stations, or concentrators.

    It is at this distributed point that connector processing is completed before events are passed on to the ArcSight Manager.

    There are a number of benefits to the distributed connector architecture and I will highlight those as we continue walking through the connector architecture.

    Distributed LAN/WAN benefits.

    Moreover, deploying all the pieces of the platform is also very flexible. Many customers roll out the whole set, and many start small and add on. For example, you can typically start with just log management: get some logging, some alerting and some reporting, on a single box. You can add more connectors to get more data into the platform. You can also have advanced multi-variable correlation to detect more sophisticated security risks. This can include activity profiling and trend reporting. You can then have auto response installed to take remediation action in response to advanced correlation rules. The point is that you can tailor the platform components to your needs.

    ArcSight Express provides several key functions. [Run through AE list items]

    In addition to these functions, ArcSight's flagship product ArcSight ESM adds the following. [Run through ESM additional functionality]

    Now, other companies sell these kinds of products, so I want to talk about what makes us different. There are three things I'd like you to remember that make ArcSight unique.

    We are unmatched in: interoperability, correlation, and scale. Let me talk about each of these. [next slide]

    A few key takeaways.

    First, these products are proven, and integrated. They control risk at the most demanding organizations in the world.

    You can deploy any pieces you need.

    It's designed to be a good citizen of the IT network today, while also ensuring operations in the future by insulating your analysis from your underlying device choices.

    We are the market share leader and the MQ leader for 5 years running for a reason. Why wouldn't you choose the best?