a look at the latest hp arcsight esm · •faster search for needle-in-the-haystack scenarios −...

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

A look at the latest HP ArcSight ESM Ken Mermoud, Product Management

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 3

This is a rolling (up to three year) Roadmap and is subject to change without notice.

Forward-looking statements

This document contains forward looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Hewlett Packard's predictions and / or expectations as of the date of this document and actual results and future plans of Hewlett-Packard may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions.


This is a rolling (up to three year) Roadmap and is subject to change without notice.

HP confidential information

This Roadmap contains HP Confidential Information. If you have a valid Confidential Disclosure Agreement with HP, disclosure of the Roadmap is subject to that CDA. If not, it is subject to the following terms: for a period of 3 years after the date of disclosure, you may use the Roadmap solely for the purpose of evaluating purchase decisions from HP and use a reasonable standard of care to prevent disclosures. You will not disclose the contents of the Roadmap to any third party unless it becomes publically known, rightfully received by you from a third party without duty of confidentiality, or disclosed with HP’s prior written approval.


Agenda

• Agenda

• ArcSight journey

• ESM Next Beta features

• Beta details @Protect

• Q&A


Predict

Visualize

Search

Collect

Correlate

Respond

Analytics SIEM

HP ArcSight Portfolio strategy: Next Gen Cyber Defense


ESM: What’s next?

Automatic Rule

Optimization

Storage Up To 12 TB

Web services APIs

Faster Queries with

Bloom

Active Channels in

ACC High

Availability

Next Future Roadmap

Disaster Recovery

Data Visualization

Distributed Correlation

UI/UX Redesign

Out-of-Box Content Revamp

Predictive Analytics

Security Ecosystem

Seamless Integration

w/ Analytics

Clustering for Scalability App Store

Quality: Stability

Quality: Reliability

Quality: Scalability

Quality: Customer

Bugs

Quality: Maintain-

ability

Quality: Resiliency

Quality: Customer

Bugs

This is a rolling (up to 3 year) roadmap and is subject to change without notice


ESM Next Beta


What is part of the Beta?

ESM Next Beta

• Main Beta features • High Availability • Active Channel in Web UI • CFC Connector Capabilities • Improved Search/Query speed with Bloom Filters • ESM Web Service APIs • Correlation Enhancements • Support for 12 TB storage • Transition to Java 7


High Availability (HA)

ESM Next Beta

• What is ESM HA? − Two server installation of ESM for improved

reliability and availability. − Active/passive cluster (Primary running ESM,

Secondary on hot standby) • How does it work?

− Secondary backs up Primary disk (Disk Mirroring - DRBD)

− Automatic Failover • System failures are automatically detected • Secondary switches to primary and runs

ESM − Audit events and notifications available for

monitoring status of HA


Connectors Clients

ESM HA


Active Channel in Web UI (ACC)

ESM Next Beta

• What is available? − Open and use pre-defined Active Channels − Annotate events − Add events to cases − Mark events as reviewed − Visualize event summary − Drill down by filter conditions


All product views are illustrations and might not represent actual product screens


ESM Web Service APIs

ESM Next Beta

• When do you need Web Service APIs? − Integrations with ESM − Building custom UI − Extending functionality

• What is the list of APIs? − LoginService, GroupService, CasesService,

SecurityEventService, ArchiveReportService, ActiveListService

• What are we making available? − Developer’s Guide − Javadoc (html + pdf) − Client side SDK (utilities/sdk/lib) − Examples (utilities/sdk/examples/)


ESM


Improved Search/Query speed with Bloom Filters

ESM Next Beta

• What’s New? − Super Indexing & Bloom Filters: Question: Is the value

in a Time Chunk? • Answer: Possibly in Time Chunk, or • Answer: Definitely not in Time Chunk

• Faster Search for needle-in-the-haystack scenarios − Peer Search Improvements − Search up to 1000x FASTER than ESM 6.5c on the most

frequently used fields − Search up to 500% FASTER with the use of new super

indexes on certain fields • Note: Re-activated ESM archives will also take advantage

of the increased search performance, as the Bloom filter data is stored in the archive


Master super-index

CORR-engine storage


CFC Connector Capabilities

ESM Next Beta

• What is CFC? − Correlation (event) Forwarding Connector − Allows forwarding base and correlation events from

one ESM to another − Push Mechanism (base events going along with

correlation events to destination) + Pull Mechanism (base events can be pulled to destination on user demand)

• What is CFC? − Ability to send up to 1,500 EPS of base + correlation

events − CFC Annotation moved to separate storage (minimize

performance hit on base annotation volume growth) − Automatic cleanup of old forwarded events every 3

days



Correlation Enhancements

ESM Next Beta

• Rule/Data Monitor Enhancements − Profiling: auto-reordering of rules/data monitor

conditions for better efficiency − Average 25% evaluation time enhancements

• Pattern Discovery Enhancements − Lighter process for building transactions in Pattern

Discovery − Going from O(nlog(n)) to O(n), n as number of events − Support for up to 15,000 EPS − Up to 66x execution time speed up

• Additional List Look-Up Functions − GetCurrenTime, DistinctListValue, ListIntersection,

ListUnion, NonNullListValues, SortListValues, etc.


All product views are illustrations and might not represent actual product screens


Additional Features

ESM Next Beta

• Storage − Support for 12 TB of Storage Capacity

• Java − Upgrade to Java 7

• OS Support − Support for RHEL 6.5, CentOS 6.5

• Upgrade − SW Upgrade from ESM 6.0c and ESM 6.5c SP1



Beta Details @ Protect


Beta Details @Protect Tuesday Wednesday

1:00pm – TB3255 A look at the latest HP ArcSight ESM

10:30am – TT3129 ESM Performance and Optimization

1:30pm – TB3255 A look at the latest ArcSight ESM

11:00am – TT3041 Dynamic rule and data monitor Optimization

2:00pm – TT3126 CFC Support on CORRE

12:00pm – BoF Lunch Tuning your ESM Correlation Engine

2:30pm – TB3069 HP ArcSight ESM 24/7

4:00pm - TT3139 An Intro to ESM APIs

4:30pm – TT3058 Building an HA ArcSight solution

Thursday

5:00pm – TT3099 Leveraging Super-indexed searches

10:00am – TT2978 ESM APIs and Applications


Please fill out a survey. Hand it to the door monitor on your way out.

Thank you for providing your feedback, which helps us enhance content for future events.

Session TB3255 Speaker Ken Mermoud

Please give me your feedback


Thank you

a look at the latest hp arcsight esm · •faster search for needle-in-the-haystack scenarios −...

Documents