HP ArcSight


Page 1: HP ArcSight

Security Information and Event Management (SIEM)

Mohamed Zohair, Business Development Consultant

Page 2: HP ArcSight

Why Security

“We now create as much data in just two days as we did from the dawn of man until the year 2003. This means that over 90% of all data that exists today has been created in the last two years alone.”

Eric Schmidt, the former CEO of Google

Page 3: HP ArcSight

Big Data Challenge

Page 4: HP ArcSight

Security Intelligence and Risk Management (SIRM) platform

Page 5: HP ArcSight

SIRM Platform

Based on market-leading products from ArcSight, Fortify, and TippingPoint, the HP SIRM Platform uniquely enables enterprises to take a proactive approach that integrates security correlation, deep application security analysis, and network-level defense mechanisms.

Page 6: HP ArcSight

How the SIRM Platform Protects Your Enterprise

• 360° Security Monitoring to Detect Incidents

• Proactive Security Testing to Protect Applications

• Adaptive Network Defenses to Block Attacks

• Platform Integration to Manage Risk

Page 7: HP ArcSight

SIRM Solutions

Page 8: HP ArcSight

SIEM Overview

The HP ArcSight Security Intelligence platform helps safeguard your business by giving you complete visibility into activity across the IT infrastructure, including external threats such as malware and hackers, and internal threats such as data breaches and fraud.

Page 9: HP ArcSight

SIEM Solutions

Page 10: HP ArcSight

SIEM Products

• HP ArcSight Logger

• HP ArcSight ESM

• HP ArcSight Express

• HP ArcSight Connector

• HP ArcSight IdentityView

• HP ArcSight Threat Detector

• HP ArcSight Threat Response Manager

• HP Compliance Insight Packages

• HP EnterpriseView

• HP Reputation Security Monitor (RepSM)

Page 11: HP ArcSight

ArcSight Environment Diagram (Basic)

Page 12: HP ArcSight

ArcSight Environment Diagram

Page 13: HP ArcSight

HP ArcSight Logger

Page 14: HP ArcSight

ArcSight Logger

• With ArcSight Logger you can improve everything from compliance and risk management to security intelligence to IT operations. This universal log management solution collects data from any log-generating source and unifies the data for searching, indexing, reporting, analysis, and retention.

Page 15: HP ArcSight

ArcSight Logger Key Capabilities

• Collect logs from any log-generating source through 350+ connectors, from any device and in any format

• Unify the data across the IT estate through normalization and categorization into a common event format (CEF, a registered format)

• Search through millions of events using a text-based search tool on a simple interface

• Store years' worth of logs and events in a unified format through a high compression ratio at low cost

• Automate analysis, alerting, reporting and intelligence of logs and events for IT security, IT operations and log analytics

Page 16: HP ArcSight

ArcSight Logger Specifications (SW)

Page 17: HP ArcSight

ArcSight Logger Specifications (Appliance)

Page 18: HP ArcSight

Logger Snapshot

Page 19: HP ArcSight

HP ArcSight Connector

Page 20: HP ArcSight

HP ArcSight Connectors

• ArcSight Connectors automate the process of collecting and managing logs from any device and in any format through normalization and categorization of logs into a unified format known as the Common Event Format (CEF).

• ArcSight Connectors provide universal data collection from over 350 unique devices and event sources without the need to deploy agents across the enterprise.

Page 21: HP ArcSight

Common Event Format

Each device has its own log format. The data is normalized and categorized into the ArcSight Common Event Format (CEF) for easy correlation and analysis.
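
To make the normalization step concrete, the following parser and serializer for CEF messages is an added example written for this page; it is not ArcSight code. It relies on the published CEF layout (seven pipe-delimited header fields followed by space-separated key=value extensions, with `\|` and `\\` escaping in the header and `\=`, `\\`, `\n`, `\r` in the extension); the sample message and its field values are constructed.

```python
import re

# Constructed sample (not from the slides); it exercises the CEF escape rules:
# '\|' and '\\' inside the header, '\=' and '\\' inside the extension.
SAMPLE_CEF = ("CEF:0|Acme\\|Corp|fw|2.0|42|path blocked|Low|"
              "act=blocked fname=C:\\\\tmp\\\\a.exe msg=rule\\=deny hit cnt=3")
HEADER_NAMES = ["version", "device_vendor", "device_product", "device_version",
                "signature_id", "name", "severity"]
_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")  # an unescaped 'key=' starts a new pair

def _split_header(body):
    # 7 pipe-delimited fields; '\|' is a literal pipe, '\\' a literal backslash
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        if body[i] == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1]); i += 2
        elif body[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(body[i]); i += 1
    if len(fields) < 7:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    return fields, body[i:]  # the remainder is the extension

def _unescape_ext(value):
    return re.sub(r"\\([\\=nr])",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _parse_extension(ext):
    # Extension is 'key=value' pairs; values may contain spaces, keys may not
    out, keys = {}, list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return out

def parse_cef(msg):
    # Returns the named header fields plus an 'extension' dict
    if not msg.startswith("CEF:"):
        raise ValueError("not a CEF message")
    fields, ext = _split_header(msg[len("CEF:"):])
    event = dict(zip(HEADER_NAMES, fields))
    event["extension"] = _parse_extension(ext)
    return event

def format_cef(event):
    # Inverse of parse_cef: re-apply header and extension escaping
    esc_h = lambda v: v.replace("\\", "\\\\").replace("|", "\\|")
    esc_e = lambda v: v.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n").replace("\r", "\\r")
    head = "|".join(esc_h(str(event[k])) for k in HEADER_NAMES)
    ext = " ".join(f"{k}={esc_e(str(v))}" for k, v in event["extension"].items())
    return f"CEF:{head}|{ext}"
```

A connector's job in the slides' terms is the `format_cef` direction: take a device-specific record and emit it in this shape so that ESM or Logger can correlate on the same field names regardless of source.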

Page 22: HP ArcSight

Correlation Diagram

Page 23: HP ArcSight

HP ArcSight Connectors Samples

Page 24: HP ArcSight

HP ArcSight Smart Connectors

ArcSight Connectors cover:

– Operating Systems, Applications, and Databases

– Network Devices (routers, switches)

– Network Analyzers (NetFlow data, traffic analyzers)

– Security Solutions (IPS/IDS, firewalls, VPNs, vulnerability scanners)

– Identity management solutions

– Web servers/web-based applications

Page 25: HP ArcSight

HP ArcSight ESM

Page 26: HP ArcSight

ArcSight ESM Overview

HP ArcSight ESM is the premier security event manager that analyzes and correlates every event in order to help your IT SOC team with security event monitoring, from compliance and risk management to security intelligence and operations.

Page 27: HP ArcSight

ESM Key Features

• A cost-effective solution for all your regulatory compliance needs

• Automated log collection and archiving

• Fraud detection

• Real-time threat detection

• Forensics analysis capabilities for cyber security

Page 28: HP ArcSight

ESM Add-on (Risk Insight)

• HP ArcSight Risk Insight maps key business indicators to IT assets and security events.

• HP ArcSight Risk Insight enables the user to understand the business impact of the real-time threats detected by the ArcSight SIEM solution.

Page 29: HP ArcSight

ESM Snapshot

Page 30: HP ArcSight

HP ArcSight ESM with CORR-Engine Specifications (SW)

Page 31: HP ArcSight

HP ArcSight ESM 5.2 Specifications (Appliance)

Page 32: HP ArcSight

HP ArcSight Express

Page 33: HP ArcSight

ArcSight Express

HP ArcSight Express delivers a new technological innovation to address the problem of increased log volumes. This innovation, called the ArcSight Correlation Optimized Retention and Retrieval Engine (CORR-Engine), moves away from the limits of a relational DBMS. It provides the ability to correlate larger sets of log data faster than ever before, to scale to higher log processing volumes, and to archive larger volumes of log data for extended periods using an efficient data store.

Page 34: HP ArcSight

The ArcSight CORR-Engine

• The CORR-Engine is a revolutionary solution for high-speed correlation and long-term data retention.

• The CORR-Engine uses a highly customized flat file repository with a “write once, read many” approach.

• The CORR-Engine delivers up to five times the read performance when compared to the previous version of ArcSight running on similar hardware.

Page 35: HP ArcSight

Key Learning Points

Page 36: HP ArcSight

ArcSight Key Learning Points

• ArcSight Solutions

• ArcSight Connectors

• FlexConnectors & Smart Connectors

• Common Event Format (CEF)

• CORR-Engine

Page 37: HP ArcSight

Additional Reading

• CA Identity Minder http://www.ca.com/us/identity-and-access-management-resources.aspx

• Why and how to calculate your Events Per Second (Including Sample) http://eromang.zataz.com/2011/04/12/why-and-howto-calculate-your-events-per-second/

Page 38: HP ArcSight

For any information or inquiries, please contact me

[email protected]

Skype: eng.zohair

LinkedIn Profile

Question

Page 39: HP ArcSight

THANK YOU