www.arcsight.com 1© 2010 ArcSight Confidential
© 2010 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.
SN17: ArcSight Architectures
Brook Watson, Solutions Architect
September 2010
Agenda
Overview of possible ArcSight Architectures including the use of ArcSight ESM, ArcSight Logger, and ArcSight Connector Appliance
Discussion of several potential architectures
– Multiple tiered ArcSight ESM instances
– Multiple ArcSight Loggers with a single ArcSight ESM instance
– Traditional single ArcSight Logger with a single ArcSight ESM instance
Pros and cons overview and discussion of the best practices surrounding each architecture
The session is geared towards ArcSight administrators and authors in charge of maintaining the health and content of each of the ArcSight components
Flexible Solutions to Satisfy Customer Needs
Small environments
– Low event throughput (less than 1,000 EPS)
– 1 or 2 dedicated analysts
Large environments
– High event throughput (more than 10,000 EPS)
– 3 to 10 dedicated analysts
Global / distributed environments
– Low or high event throughputs
– Customer data located throughout the world or country
– Regional analytical teams feeding a global analytical team
MSSP environments
– High event throughputs
– Customer data located throughout the world or country
– Multiple customers with differing SLAs (content)
Information Gathering
What information do I need to gather to make informed decisions on possible architectures?
Event throughput requirements (EPS / EPD)
Event type requirements
Log retention requirements
High availability / failover requirements
Additional customer requirements
– Bandwidth considerations
– NAT considerations
– MSSP considerations
– Regional / global considerations
– Compliance requirements
– Use case requirements
ArcSight Platforms – ArcSight ESM
What key features and functionality allow ArcSight ESM to adapt to a customer's environment?
Multiple ArcSight ESM instances can be deployed in a hierarchical configuration via the ArcSight ESM SuperConnector
ArcSight ESM enriches the normalized event to add specific organizational and event context
– Categorization
– Network and asset modeling
– Threat level priority determination
– Correlated events
ArcSight ESM provides designations that segment event data into logical groups
– Customer designation to allow for multiple business units
– Store designation (retail)
– MSSP customer designation to separate each customer's data
ArcSight Platforms – ArcSight Logger
What key features and functionality allow the ArcSight Logger appliance to adapt to a customer's environment?
ArcSight Logger provides a significantly lower cost of ownership than ArcSight ESM for storing large amounts of historical data
ArcSight Logger accepts significantly higher event throughputs than ArcSight ESM
ArcSight Logger allows for multiple data retention policies
Multiple ArcSight Logger appliances can be deployed as peers to allow for cross-appliance searching
ArcSight Logger can forward normalized events directly to ArcSight ESM, or receive them directly from it
ArcSight Platforms – ArcSight Connector Appliance
What key features and functionality allow the ArcSight Connector Appliance to adapt to a customer's environment?
ArcSight Connector Appliance reduces the management overhead associated with SmartConnector administrative tasks
An ArcSight Connector Appliance can host up to 32 individual SmartConnectors
An ArcSight Connector Appliance can remotely manage thousands of software-based or Connector Appliance-based SmartConnectors
Single ArcSight Logger with a Single ArcSight ESM Instance
Typical customer requirements
– Low event throughput
– Small number of unique event sources
– Mid-to-long-term retention policy
– Event sources located in a single datacenter
– Regulatory compliance needs
– Standard perimeter and insider threat security needs
Single ArcSight Logger with a Single ArcSight ESM Instance (architecture diagram)
When Should ArcSight Logger be Deployed Before ArcSight ESM?
Ideally, ArcSight Logger is deployed behind ArcSight ESM for long term storage of “enriched” events
Alternatively, event rates may dictate that ArcSight Logger be deployed in front of ArcSight ESM
– Event rates are higher than ArcSight ESM can handle
– All events are captured and stored on ArcSight Logger for long-term retention
– Only events of interest are sent to ArcSight ESM for real-time correlation
– Correlated events are forwarded from ArcSight ESM back to ArcSight Logger for long-term storage
– Limited event enrichment occurs at the ArcSight Logger tier in this architecture; ArcSight ESM retains event enrichment
– ArcSight Connector Appliance is required for management of SmartConnectors
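The Logger-first tier split described above, as an added example that is not part of the original deck and not ArcSight's own code: a small Python CEF parser plus the kind of "events of interest" decision the Logger tier applies before forwarding to ESM. The sample CEF events, the vendor/signature IDs and the forwarding thresholds are constructed assumptions; in a real deployment the policy is expressed as Logger forwarding filters rather than Python, but the selection is the same kind of filter, and the output shows why ESM sees only a fraction of the EPS that Logger retains.

```python
"""Added example (not ArcSight code): a "Logger first" forwarding filter.

Models the tier split described above: every raw CEF event is retained at the
Logger tier, and only events of interest are forwarded to ArcSight ESM for
real-time correlation. Sample events and the forwarding policy are constructed.
"""
import re

# Constructed sample events in CEF syntax:
#   CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
# Header fields escape '|' and '\' with a backslash; extension values escape '=' and '\'.
SAMPLE_CEF = [
    "CEF:0|Cisco|ASA|8.2|106023|Deny tcp src outside|3|src=10.1.1.5 dst=192.168.1.10 dpt=445 proto=TCP",
    "CEF:0|Cisco|ASA|8.2|302013|Built inbound TCP connection|1|src=10.1.1.6 dst=192.168.1.20 dpt=80 proto=TCP",
    "CEF:0|Microsoft|Windows|2008|4625|An account failed to log on|5|suser=jsmith dhost=DC01 cs1=0xC000006A",
    "CEF:0|Snort|IDS|2.9|1:2003068|ET SCAN Potential SSH Scan|8|src=203.0.113.7 dst=192.168.1.30 dpt=22",
    "CEF:0|Cisco|ASA|8.2|302014|Teardown TCP connection|1|src=10.1.1.6 dst=192.168.1.20 dpt=80 proto=TCP",
    r"CEF:0|Acme|Proxy|1.0|100|URL \| blocked|4|request=http://example.test/a\=b act=blocked",
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
_KEY = re.compile(r"(?:^|\s)(\w+)=")   # an unescaped key= at a token boundary
_ESC = re.compile(r"\\(.)")            # one backslash escape sequence


def _unescape(raw):
    # Backslash-n and backslash-r become control characters; any other escaped
    # character (=, |, backslash) stands for itself.
    return _ESC.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)


def parse_cef(line):
    """Parse one CEF line into a dict of header fields plus extension keys."""
    header, buf, i, n = [], [], 0, len(line)
    while i < n and len(header) < 7:              # seven header fields end at unescaped '|'
        ch = line[i]
        if ch == "\\" and i + 1 < n and line[i + 1] in "|\\":
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":
            header.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("malformed CEF header: %r" % line)
    header[0] = header[0][len("CEF:"):]
    event = dict(zip(HEADER_FIELDS, header))
    try:
        event["severity"] = int(event["severity"])
    except ValueError:
        event["severity"] = 0                     # non-numeric severity: treat as lowest
    ext = line[i:].strip()                        # everything after the 7th '|'
    keys = list(_KEY.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        event[m.group(1)] = _unescape(ext[m.end():end])
    return event


# Constructed forwarding policy for the Logger tier ("events of interest" only).
FORWARD_MIN_SEVERITY = 4
# Connection build/teardown accounting: kept on Logger for compliance, never correlated.
SUPPRESSED = {("Cisco", "ASA", "302013"), ("Cisco", "ASA", "302014")}
# Failed logons are always correlated in ESM, whatever severity the device assigns.
ALWAYS = {("Microsoft", "Windows", "4625")}


def forward_to_esm(event):
    """True if a retained event is also sent to ESM for real-time correlation."""
    key = (event["vendor"], event["product"], event["signature_id"])
    if key in SUPPRESSED:
        return False
    return key in ALWAYS or event["severity"] >= FORWARD_MIN_SEVERITY


def split_tiers(lines):
    """Return (events retained on Logger, subset forwarded to ESM, EPS reduction at ESM)."""
    retained = [parse_cef(line) for line in lines]
    forwarded = [e for e in retained if forward_to_esm(e)]
    reduction = 1 - len(forwarded) / len(retained) if retained else 0.0
    return retained, forwarded, reduction


if __name__ == "__main__":
    retained, forwarded, reduction = split_tiers(SAMPLE_CEF)
    print("retained at Logger: %d, forwarded to ESM: %d (%.0f%% lower EPS at ESM)"
          % (len(retained), len(forwarded), reduction * 100))
    for e in forwarded:
        print(" -> %s %s %s: %s (severity %d)"
              % (e["vendor"], e["product"], e["signature_id"], e["name"], e["severity"]))
```

Two points worth noting from the split. First, suppression is what buys the EPS headroom (here half the events never reach ESM), but a suppressed event is still on Logger for search and compliance, it is simply invisible to real-time correlation; so the Logger forwarding filter is security content in its own right and needs the same change control and review as the ESM rules it feeds. Second, the header scanner must honour CEF escaping (the `\|` in the proxy event name, the `\=` in its URL), otherwise a device that emits such characters shifts every later field and the severity and signature ID used for the forwarding decision are wrong.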
Single ArcSight Logger with a Single ArcSight ESM Instance: ArcSight Logger First (architecture diagram)
Multiple ArcSight Loggers with a Single ArcSight ESM Instance
Typical customer requirements
– Medium-to-high event throughput rates
– Medium-to-high number of unique event sources
– Long-term retention policy
– Event sources located in single or multiple datacenters and/or regions
– Small MSSP workflow and customer access requirements
– Regulatory compliance needs
– Standard perimeter and insider threat security needs
– Some custom content development
Multiple ArcSight Loggers with a Single ArcSight ESM Instance (architecture diagram)
Multiple Hierarchical ArcSight ESM Instances
Typical customer requirements
– Low-to-medium event throughput rates
– Medium-to-high number of unique event sources
– Short-term / various retention policies
– Event sources located in multiple datacenters and/or regions
– Regional administrative staff
– Regional SOC teams
– Large MSSP workflow and customer access requirements
– Regulatory compliance needs
– Standard perimeter and insider threat security needs
– Major custom content development
Multiple Hierarchical ArcSight ESM Instances (architecture diagram)
How Do I Manage ArcSight ESM Content?
Very carefully and with a lot of planning
– MSSP and global environments typically have a dedicated content author who manages and builds all custom content for all ArcSight ESM instances in the environment
• The content author typically represents the global SOC team and works with the various regional SOC teams to identify security threats impacting the organization, then builds content to detect such activity
• Globally correlated rules need consistent event types from the regional ArcSight ESM instances
• If each regional SOC team creates its own custom content, it becomes extremely difficult for the global content author to build relevant content that represents the entire enterprise
Utilizing ArcSight ESM 4.0 package functionality
– Once content has been agreed upon, the package functionality allows the content author to build transportable ArcSight ESM content and deploy it throughout the global and regional ArcSight ESM tiers
The Whole Enchilada!
Typical customer requirements
– High-to-extremely-high event throughput rates
– High number of unique event sources
– Long-term / various retention policies
– Event sources located in multiple datacenters and/or regions
– Regional administrative staff
– Regional SOC teams
– Large MSSP workflow and customer access requirements
– Regulatory compliance needs
– Standard perimeter and insider threat security needs
– Major custom content development
The Whole Enchilada! (architecture diagram)
Two Distinct Architecture Services to Ensure Successful Customer Deployments
1. Architecture Review Service
– Primarily designed to help customers define architectural requirements for complex environments
– Can be accomplished during a one-day on-site visit or a remote teleconference meeting
– The goal is to review and document the environmental requirements needed for a successful ArcSight solution
2. Architecture Design Service
– Created for existing customers looking to make significant upgrades or modifications to their existing ArcSight solution
– Perfect for new customers with large-scale environments who have significant or unique solution requirements
– Two days of on-site information gathering and design planning along with three days of off-site architecture plan authoring
– The goal is to detail the various design components of the customer's proposed environment to ensure a successful ArcSight solution is deployed
Your Feedback Builds a Better Conference!
Download session replays after the conference: https://protect724.arcsight.com/community/protect10/sessions
ArcSight, Inc.
Corporate Headquarters: 1 888 415 ARST
EMEA Headquarters: +44 (0)844 745 2068
Asia Pac Headquarters: +65 6248 4795
www.arcsight.com