SN17: ArcSight Architectures
Brook Watson, Solutions Architect
September 2010

© 2010 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.


www.arcsight.com 1© 2010 ArcSight Confidential



Agenda

• Overview of possible ArcSight Architectures including the use of ArcSight ESM, ArcSight Logger, and ArcSight Connector Appliance
• Discussion of several potential architectures
  – Multiple tiered ArcSight ESM Instances
  – Multiple ArcSight Loggers with a single ArcSight ESM Instance
  – Traditional single ArcSight Logger with a single ArcSight ESM Instance
• Pros and cons overview and discussion of the best practices surrounding each architecture
• The session is geared towards ArcSight administrators and authors in charge of maintaining the health and content of each of the ArcSight components


Flexible Solutions to Satisfy Customer Needs

• Small environments
  – Low event throughput (less than 1,000 EPS)
  – 1 or 2 dedicated analysts
• Large environments
  – High event throughput (more than 10,000 EPS)
  – 3 to 10 dedicated analysts
• Global / distributed environments
  – Low or high event throughputs
  – Customer data located throughout the world or country
  – Regional analytical teams feeding a global analytical team
• MSSP environments
  – High event throughputs
  – Customer data located throughout the world or country
  – Multiple customers with differing SLAs (content)


Information Gathering

What information do I need to gather to make informed decisions on possible architectures?

• Event throughput requirements (EPS / EPD)
• Event type requirements
• Log retention requirements
• High availability / fail over requirements
• Additional customer requirements
  – Bandwidth considerations
  – NAT’ing considerations
  – MSSP considerations
  – Regional / global considerations
  – Compliance requirements
  – Use case requirements
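The throughput and retention figures on this slide are the inputs every later architecture decision depends on. The helper below is an added illustration, not ArcSight code: it derives average and peak EPS from a constructed log sample, converts that to EPD and a retention-storage estimate, and maps the gathered requirements onto the architecture bands this session describes. The 1,000 and 10,000 EPS boundaries come from the small/large environment definitions on the "Flexible Solutions" slide; the average event size, the compression ratio, and the exact band mapping are assumptions.

```python
"""Sizing helper for the information-gathering step: derive average and peak
EPS from a log sample, turn that into EPD and a retention-storage estimate, and
map the gathered requirements onto the architecture bands described in this
session. Added illustration, not ArcSight code. The 1,000 / 10,000 EPS bands
come from the session's small/large environment definitions; the average event
size, the compression ratio and the band mapping are assumptions."""
from collections import Counter
from datetime import datetime

# Constructed sample (not captured from any real system): ISO timestamp first.
SAMPLE_LOG = """\
2010-09-14T10:00:00 fw01 deny tcp 10.1.1.5 -> 203.0.113.9:445
2010-09-14T10:00:00 fw01 deny tcp 10.1.1.6 -> 203.0.113.9:445
2010-09-14T10:00:00 ad01 4625 logon failure user=svc_backup
2010-09-14T10:00:01 fw01 allow tcp 10.1.1.7 -> 192.0.2.20:443
2010-09-14T10:00:01 ad01 4624 logon success user=alice
2010-09-14T10:00:02 fw01 allow udp 10.1.1.8 -> 192.0.2.53:53
2010-09-14T10:00:04 web01 GET /index.html 200
"""


def events_per_second(log_text):
    """Return (average_eps, peak_eps) for the sampled window.

    The average spreads the event count over every second between the first
    and last timestamp (inclusive), so quiet seconds pull it down; the peak is
    the busiest single second, which is what the ingest path must absorb.
    """
    per_second = Counter()
    for line in log_text.splitlines():
        if line.strip():
            per_second[datetime.fromisoformat(line.split()[0])] += 1
    if not per_second:
        return 0.0, 0
    window = int((max(per_second) - min(per_second)).total_seconds()) + 1
    return sum(per_second.values()) / window, max(per_second.values())


def events_per_day(eps):
    """EPD is the sustained EPS figure carried over a 24-hour day."""
    return eps * 86_400


def retention_bytes(eps, retention_days, avg_event_bytes=500, compression=10):
    """Storage needed to keep every event for the retention period.

    avg_event_bytes and compression are assumed figures; replace them with
    measured values from the customer's own event mix.
    """
    return events_per_day(eps) * retention_days * avg_event_bytes / compression


def recommend_architecture(peak_eps, datacenters, regional_soc_teams, mssp="none"):
    """Map requirements to the session's architectures (mssp: none/small/large).

    Regional SOC teams or a large MSSP workflow call for hierarchical ESM
    instances; adding high throughput on top gives the full multi-Logger,
    multi-ESM design. A single datacenter at low throughput fits one Logger
    and one ESM; everything in between gets multiple Loggers feeding one ESM.
    """
    high = peak_eps > 10_000   # "large environment" band from the session
    low = peak_eps < 1_000     # "small environment" band from the session
    if regional_soc_teams or mssp == "large":
        if high:
            return "Multiple hierarchical ESM instances with multiple Loggers"
        return "Multiple hierarchical ESM instances"
    if low and datacenters == 1 and mssp == "none":
        return "Single Logger with a single ESM instance"
    return "Multiple Loggers with a single ESM instance"


if __name__ == "__main__":
    avg, peak = events_per_second(SAMPLE_LOG)
    print(f"average {avg:.1f} EPS, peak {peak} EPS, EPD at peak {events_per_day(peak):,}")
    print(f"1,000 EPS for 365 days: {retention_bytes(1000, 365) / 1e12:.2f} TB (assumed sizes)")
    print(recommend_architecture(peak, datacenters=1, regional_soc_teams=False))
```

Size the ingest path from the peak, not the average: a sample with a few busy seconds and a long quiet tail gives a low average that says nothing about what a Logger or ESM must absorb during a burst.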


ArcSight Platforms – ArcSight ESM

What key features and functionality allow ArcSight ESM to adapt to a customer’s environment?

• Multiple ArcSight ESM Instances can be deployed in a hierarchical configuration via the ArcSight ESM SuperConnector
• ArcSight ESM enriches the normalized event to add specific organizational and event context
  – Categorization
  – Network and asset modeling
  – Threat level priority determination
  – Correlated events
• ArcSight ESM provides
  – Customer designation to allow for multiple business units
  – Store designations (retail)
  – MSSP environments to segment data into logical groups


ArcSight Platforms – ArcSight Logger

What key features and functionality allow the ArcSight Logger appliance to adapt to a customer’s environment?

• ArcSight Logger provides a significantly lower cost of ownership over ArcSight ESM to store large amounts of historical data
• ArcSight Logger accepts significantly higher event throughputs than ArcSight ESM
• ArcSight Logger allows for multiple data retention policies
• Multiple ArcSight Logger appliances can be deployed as peers to allow for cross appliance searching
• ArcSight Logger can forward or receive normalized events directly to or from ArcSight ESM


ArcSight Platforms – ArcSight Connector Appliance

What key features and functionality allow the ArcSight Connector Appliance to adapt to a customer’s environment?

• ArcSight Connector Appliance reduces the management overhead associated with SmartConnector administrative tasks
• An ArcSight Connector Appliance can host up to 32 individual SmartConnectors
• An ArcSight Connector Appliance can remotely manage thousands of Software or CA based SmartConnectors


Single ArcSight Logger with a Single ArcSight ESM Instance

Typical customer requirements

• Low event throughput
• Small number of unique event sources
• Mid-to-long term retention policy
• Event sources located in a single datacenter
• Regulatory compliance needs
• Standard perimeter and insider threat security needs


Single ArcSight Logger with a Single ArcSight ESM Instance


When Should ArcSight Logger be Deployed Before ArcSight ESM?

• Ideally, ArcSight Logger is deployed behind ArcSight ESM for long term storage of “enriched” events
• Alternatively, event rates may dictate that ArcSight Logger will need to be deployed in front of ArcSight ESM
  – Event rates are higher than ArcSight ESM can handle
  – All events are captured and stored for long-term retention
  – Only events of interest will be sent to ArcSight ESM for real-time correlation
  – Correlated events will be forwarded from ArcSight ESM to ArcSight Logger for long-term storage
  – Limited event enrichment occurs in this architecture at the ArcSight Logger tier
  – ArcSight ESM retains event enrichment
  – ArcSight Connector Appliance required for management of SmartConnectors
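The "Logger first" flow on this slide has three hops: Logger retains everything, forwards only events of interest to ESM, and ESM sends its correlated events back to Logger so the archive holds them too. The simulation below is an added illustration, not ArcSight code; it walks constructed events through those hops so the effect of the forwarding filter on ESM's load and on what ends up in long-term storage is visible. The severity-based forwarding policy, the repeated-logon-failure correlation rule and the `ESM_MAX_EPS` ceiling are assumptions.

```python
"""Simulation of the "Logger first" flow described on this slide: Logger keeps
every event, forwards only events of interest to ESM, ESM correlates in real
time and hands its correlated events back to Logger for retention. Added
illustration, not ArcSight code; the severity filter, the correlation rule and
the ESM capacity figure are assumptions."""
from collections import defaultdict, deque

ESM_MAX_EPS = 5_000  # assumed sustained ingest ceiling used for the placement check

# Constructed events: (epoch_second, device, name, severity, source_ip)
EVENTS = [
    (0, "fw01", "deny", 3, "10.1.1.5"),
    (0, "fw01", "allow", 1, "10.1.1.7"),
    (1, "ad01", "logon failure", 5, "10.1.1.5"),
    (2, "ad01", "logon failure", 5, "10.1.1.5"),
    (3, "ad01", "logon failure", 5, "10.1.1.5"),
    (3, "web01", "GET 200", 1, "10.1.1.9"),
    (4, "ad01", "logon success", 2, "10.1.1.6"),
]


def logger_first_required(peak_eps):
    """Place Logger in front of ESM when the raw rate exceeds what ESM absorbs."""
    return peak_eps > ESM_MAX_EPS


def event_of_interest(event):
    """Assumed forwarding policy: only severity 3 and above reaches ESM."""
    return event[3] >= 3


class LoggerTier:
    """Long-term store: retains everything, forwards a filtered subset."""

    def __init__(self, forward_filter):
        self.forward_filter = forward_filter
        self.store = []
        self.forwarded = []

    def ingest(self, event):
        self.store.append(event)
        if self.forward_filter(event):
            self.forwarded.append(event)
            return event
        return None

    def receive_correlated(self, correlated):
        # Correlated events come back from ESM so the archive has them too.
        self.store.append(correlated)


class EsmTier:
    """Real-time correlation: N logon failures from one source within a window."""

    def __init__(self, threshold=3, window_seconds=10):
        self.threshold = threshold
        self.window_seconds = window_seconds
        self.failures = defaultdict(deque)
        self.correlated = []

    def correlate(self, event):
        ts, _, name, _, src = event
        if name != "logon failure":
            return None
        recent = self.failures[src]
        recent.append(ts)
        while ts - recent[0] > self.window_seconds:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.threshold:
            corr = (ts, "esm", "repeated logon failures", 8, src)
            self.correlated.append(corr)
            recent.clear()  # fire once per burst
            return corr
        return None


def run_pipeline(events):
    """Push events through Logger -> ESM -> Logger and return both tiers."""
    logger = LoggerTier(event_of_interest)
    esm = EsmTier()
    for event in sorted(events):  # Logger receives the raw feed in time order
        forwarded = logger.ingest(event)
        if forwarded is None:
            continue
        corr = esm.correlate(forwarded)
        if corr is not None:
            logger.receive_correlated(corr)
    return logger, esm


if __name__ == "__main__":
    logger, esm = run_pipeline(EVENTS)
    print(f"Logger stored {len(logger.store)}, forwarded {len(logger.forwarded)} to ESM")
    for corr in esm.correlated:
        print("ESM correlated:", corr)
```

On the constructed feed Logger retains all seven raw events plus the one correlated event, while ESM only ever sees four. The filter is also where this design's blind spot lives: anything it drops never reaches ESM's rules, so the forwarding policy has to be reviewed against the use cases ESM is expected to detect, not just against its EPS budget.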


Single ArcSight Logger with a Single ArcSight ESM Instance: ArcSight Logger First


Multiple ArcSight Loggers with a Single ArcSight ESM Instance

Typical customer requirements

• Medium-to-high event throughput rates
• Medium-to-high number of unique event sources
• Long-term retention policy
• Event sources located in single or multiple datacenters and/or regions
• Small MSSP workflow and customer access requirements
• Regulatory compliance needs
• Standard perimeter and insider threat security needs
• Some custom content development


Multiple ArcSight Loggers with a Single ArcSight ESM Instance


Multiple Hierarchical ArcSight ESM Instances

Typical customer requirements

• Low-to-medium event throughput rates
• Medium-to-high number of unique event sources
• Short-term / various retention policies
• Event sources located in multiple datacenters and/or regions
• Regional administrative staff
• Regional SOC teams
• Large MSSP workflow and customer access requirements
• Regulatory compliance needs
• Standard perimeter and insider threat security needs
• Major custom content development


Multiple Hierarchical ArcSight ESM Instances


How Do I Manage ArcSight ESM Content?

• Very carefully and with a lot of planning
  – MSSP and global environments typically have a dedicated content author that manages and builds all custom content for all ArcSight ESM instances in the environment
    • The content author typically represents the global SOC team and works with the various regional SOC teams to identify security threats impacting the organization and builds content to detect such activity
    • Globally correlated rules need to have consistent event types from the regional ArcSight ESM instances
    • If each regional SOC team can create their own custom content, it becomes extremely difficult for the global content author to build relevant content to represent the entire enterprise
• Utilizing ArcSight ESM 4.0 package functionality
  – Once content has been agreed upon, the package functionality allows the content author to build transportable ArcSight ESM content and deploy it throughout the global and regional ArcSight ESM tiers


The Whole Enchilada!

Typical customer requirements

• High-to-extremely-high event throughput rates
• High number of unique event sources
• Long-term / various retention policies
• Event sources located in multiple datacenters and/or regions
• Regional administrative staff
• Regional SOC teams
• Large MSSP workflow and customer access requirements
• Regulatory compliance needs
• Standard perimeter and insider threat security needs
• Major custom content development


The Whole Enchilada!


Two Distinct Architecture Services to Ensure Successful Customer Deployments

1. Architecture Review Service
  – Primarily designed to help customers define architectural requirements for complex environments
  – Can be accomplished during a one-day on-site visit or a remote teleconference meeting
  – The goal is to review and document the environmental requirements needed for a successful ArcSight Solution

2. Architecture Design Service
  – Created for existing customers looking to make significant upgrades or modifications to their existing ArcSight Solution
  – Perfect for new customers with large scale environments who have significant or unique solution requirements
  – Two days of on-site information gathering and design planning along with three days of off-site Architecture plan authoring
  – The goal is to detail the various design components of the customer's proposed environment to ensure a successful ArcSight solution is deployed


Your Feedback Builds a Better Conference!

Download session replays after the conference: https://protect724.arcsight.com/community/protect10/sessions

Rate the speaker: a = Excellent, b = Good, c = Fair, d = Poor
Rate the content: e = Excellent, f = Good, g = Fair, h = Poor
Please provide comments: (*) enter any comments/feedback

Text to 32075 (USA & Canada) or 447786204951 (Non-USA). Type ARCS <space> 17 and the letter for each response.

SMS body example: ARCS 17ae*your comments


ArcSight, Inc.
Corporate Headquarters: 1 888 415 ARST
EMEA Headquarters: +44 (0)844 745 2068
Asia Pac Headquarters: +65 6248 4795
www.arcsight.com