join the siem revolution - information security summit 2017 1 - track 2.3 - hp enterprise.pdf
Join the SIEM Revolution Vasant Kumar Regional Customer Success Manager - APJ HPE Security


Page 1: Join the SIEM Revolution - Information Security Summit 2017 1 - Track 2.3 - HP Enterprise.pdf · Join the SIEM Revolution ... Monitor, Admin Hercules PortalInvestigate Install,

Join the SIEM Revolution

Vasant Kumar Regional Customer Success Manager - APJ HPE Security

Page 2: Agenda

– The Current Threat Landscape
– HPE ArcSight Solution Portfolio
– Q&A

Page 3: Volatile, Uncertain, Complex, Ambiguity

Page 4: Managing risk in today’s digital enterprise

Rapid transformation of enterprise IT
• Shift to hybrid
• Mobile connectivity
• Big data explosion

Cost and complexity of regulatory pressures
• Compliance
• Privacy
• Data protection

Increasingly sophisticated cyber attacks
• More sophisticated
• More frequent
• More damaging

Page 5: Cyber Timeline

Timeline bands: Loss/Stolen Data; Rise of CyberCrime; Professional / Hacktivism; Advanced Persistent Threat; Nation State (axis 2004 to 2015).

Incidents as placed on the timeline: AOL 2004; UK Revenue & Customs 2006; NASA Shuttle Plans Dec 2006; Estonia Dark May 2007; Buckshot Yankee Nov 2008; GhostNet Mar 2009; Heartland 2009; Stuxnet 2010; TJ Maxx 2010; Sony PSN Dec 2010; Red October Dec 2010; Apple Aug 2011; Kernel.org Aug 2011; DigiNotar Sept 2011; Tamper Data June 2012; Video Conferencing Aug 2012; Shamoon Aug 2012; Yahoo 2013; Evernote 2013; Facebook 2013; LivingSocial 2013; Target Aug 2013; WSJ - SEA Aug 2013; .CN Aug 2013; Ashley Madison 2014; Benesse 2014; Code Spaces 2014; Sony Pictures 2014; Dairy Queen 2014; Michaels 2014; UPS 2014; Kmart 2014; GoodWill 2014; Anthem / Premera 2015; Hacking Team 2015; mSpy 2015; Experian 2015; U.S Government 2015.

Callouts:
• Sony Pictures 2014: controversial whether it was an internal job or a hacktivist group, some might even say state-sponsored; 100TB of confidential data was exfiltrated.
• Stuxnet was designed to seek out certain industrial control systems made by Siemens. It took advantage of four zero-day vulnerabilities and appeared to be targeted at a uranium enrichment program in Iran.
• The Russian firm Kaspersky discovered a worldwide cyber-attack dubbed “Red October” that had been operating since at least 2007. Hackers gathered information through vulnerabilities in Microsoft’s Word and Excel programmes.
• Heartland: 100 million credit cards stolen; cost $140M.
• Shamoon: the virus has been noted as unique for having differing behavior from other malware cyber-espionage attacks. Shamoon is capable of spreading to other computers on the network through exploitation of shared hard drives.
• The most significant breach of U.S. computer security, via an infected flash drive; led to the creation of US CyberCommand.
• PlayStation Network: the personal information of at least 77 million users was stolen or misused. Sony estimated that fallout from the hack cost at least $170 million.
• U.S Government 2015: 22 million current and former federal employees, including the fingerprints of about 5 million.
• Largest breach of medical records (11M).

Things we have seen in 2015

• In most of the attacks, the attackers have been inside, sometimes for about a year.
• U.S Government was breached with over 22M personal files.
• Several of the more secure companies have been breached.
• There is a focus on attaining complete customer details.

Page 6: Key statistics

• 229 days: average time bad guys are inside a network before detection
• 45 days: average time to resolve a cyber attack
• 56% of organizations have been the target of a cyber attack
• 60% of organizations spend more time and money on reactive measures
• Figure values 10%, 80% and 67%, with the captions “of breaches occur at the application layer”, “of breaches reported by a 3rd party” and “percentage of malware alerts deemed to be reliable” (which value belongs to which caption is not recoverable from the slide text)

Source: HP internal data, Forrester Research, Ponemon Institute, Gartner

Page 7: Security trends & implications

Key Points
• Cybersecurity has catapulted to the top of boards’ list of concerns
• Security leadership is under pressure
• Cybercrime is booming
• Internet of Things will just make things worse
• Need for greater visibility of business risks
• Need to make security investment choices

Page 8: Global Spend on Security

• 8% of total IT budget spent on security
• Global Security Spend in 2015 was $77B
• Global Security market will reach $120B by 2017
• Security Market estimated worth $170B by 2020
• 77% of budget spent on blocking (perimeter technologies such as Firewall, IDS/IPS, Proxy, Sandboxes…)
• 80% of attacks are taking place at the application layer
• 40% of security jobs unfulfilled in the market

Source: HP internal data, Forrester Research, Ponemon Institute, Coleman Parkes Research, Markets & Markets & Gartner

Page 9: Resolving an incident requires significant time, and the longer the resolution time, the more expensive it is per day

Average days to resolve an incident by attack type (1)

(1) 2015 Cost of Cyber Crime Study, Ponemon Institute

Page 10: The value of security intelligence to the organization (1)

(1) 2015 Cost of Cyber Crime Study, Ponemon Institute

Page 11: Intelligent Security Operations

Key Points
• Security Operations Centers face an increasing amount of information to process
• Effectiveness depends on narrowing the funnel and accelerating the throughput
• Lower false positives and less noise allow analysts to focus on the critical events and IOCs

Funnel figure: Logs & Events (from Servers, Users, Firewalls, NW Devices, End-points; the number of logs & events increases exponentially) → Alerts (alerts identified; increase speed to detection) → Investigation / Hunt (speed up investigation) → IOCs*. Goal: proactively detecting and managing breaches.

* IOC: Indicator of Compromise

Page 12: 2017 State of Security Operations, 4th annual report

• 82% of organizations are not meeting their business goals
• 27% of SOCs are failing to achieve minimum security monitoring capabilities
• 183 assessments

Read the full report at hpe.com/software/StateOfSecOps

Page 13: ArcSight Portfolio Elements Overview

Page 14: What is HPE Security ArcSight?

1: Collect machine data from almost any source
2: Normalize data from various vendors into an industry-accepted common event format
3: Enrich collected data with taxonomy, network and asset-specific details
4: Store years’ worth of data through a high compression ratio of up to 10:1
5: Search with a simple and easy-to-use user interface
6: Detect anomalies and cyber threats with use cases
7: Analyze: identify and trace the patterns of threats, breaches or even suspicious behaviors

ArcSight monitors, analyzes and detects threats and risks across organizations and enterprises

Page 15: HPE Security - ArcSight Portfolio Today

Data sources: Users, Endpoints, Network, Servers & Workloads, Apps, Cloud, IoT
Foundation: ArcSight Data Platform, Threat Intel
ArcSight Marketplace: framework for security operations providing essential use cases and processes
Analytics / SIEM: ArcSight ESM, ArcSight User Behavior Analytics, ArcSight DMA, ArcSight App Analytics

Page 16: ArcSight Data Platform (ADP) - next-generation data collection and storage engine

• Comprised of Logger, ArcMC and SmartConnectors.
• Capture data at rates of up to 400,000 events per second
• Compresses and stores up to 4.8PB of data
• Executes searches at millions of events per second
• Connector Appliance ingests raw data up to 25,000 EPS
• Leverages off-the-shelf connectors and Common Event Format (CEF)

• Universal resilient and secure collection
• Data normalization and enrichment
• High volume, low cost, long term retention
• Simple web-based analytics and out-of-the-box compliance
• Central management
• Appliance and software form factors

Collect machine data from any source: Network, Servers, Mobile devices, Data centers, Applications, Network traffic streams, Web 2.0, Security devices, Rich media, Storage, Social networks

Downstream: Enterprise security management, User behavior analytics, Hadoop, Third party application, Hunt tools, Visualization

Scalable, high performance data engine

Page 17: Intelligent Event Broker architecture allows connector IP to be built in, making ingestion deployment much easier in the future

Architecture figure: Event Producers (ArcSight Connectors, Other Event Sources; FIPS, IPv6, TLS) → EB Web Service → EB Streaming Platform (Kafka: Event Transform Stream Process, Event Routing Stream Process, Schema Registry; EB Stream Processing / Virtual Connectors; CEF and AVRO streams) → Event Consumers (ArcSight Logger/ESM, Long-term Storage, Hercules Search Application, Other Applications, Other Consumers; GDPR). Managed by ArcMC (Manage, Monitor, Admin) and Hercules Portal (Install, Deploy, Elastic Scale).

Intelligent Event Broker, an enterprise message bus
‒ Destination routing
‒ Format conversion
‒ Scale out cluster

Intellectual Property built in
‒ Normalization, categorization & enrichment
‒ Vastly simplified implementation
‒ Multi vendor connector support
‒ Managed with ArcMC
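As an added example, not code from the slides or from HPE's products, here is a small Python CEF parser with a constructed destination-routing step, illustrating both the "normalize into a common event format" step on Page 14 and the Event Broker's destination routing on this page. The field names follow the CEF header layout; the routing rules, destination names and sample events are constructed assumptions.

```python
import re
from collections import namedtuple
# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # an unescaped "key=" token in the extension
_SEV_WORDS = {"low": 1, "medium": 4, "high": 7, "very-high": 9}   # textual severities as ints
CefEvent = namedtuple("CefEvent", "header extension")   # header: dict of the 7 fields; extension: dict

def _unescape(raw: str) -> str:
    """One pass over backslash escapes: \\= and \\\\ give the literal, \\n and \\r give line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)

def parse_cef(line: str) -> CefEvent:
    """Split the 7 pipe-delimited header fields (honouring \\| and \\\\), then the key=value extension."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):            # escaped pipe or backslash inside a header field
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|": fields.append("".join(cur)); cur = []
        else: cur.append(ch)
        i += 1
    if len(fields) != len(HEADER_FIELDS) or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header: " + line[:40])
    fields[0] = fields[0][len("CEF:"):]
    ext, extension = line[i:].rstrip("\r\n"), {}
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):                          # a value (spaces allowed) runs to the next key
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        extension[m.group(1)] = _unescape(ext[m.end():end])
    return CefEvent(dict(zip(HEADER_FIELDS, fields)), extension)

def severity_of(event: CefEvent) -> int:
    """CEF severity is 0-10 or Low/Medium/High/Very-High; normalise both forms to an int."""
    s = event.header["severity"].strip().lower()
    return int(s) if s.isdigit() else _SEV_WORDS.get(s, 0)

# Constructed destination-routing table (a stand-in for the broker's own rules): first match wins.
ROUTES = (
    (lambda e: severity_of(e) >= 7, "eb-esm-priority"),   # high severity: real-time correlation first
    (lambda e: "suser" in e.extension, "eb-uba-users"),    # user-attributed events: behavior analytics
)
DEFAULT_ROUTE = "eb-logger-archive"                         # everything else: long-term retention only

def route(event: CefEvent) -> str:
    return next((dest for pred, dest in ROUTES if pred(event)), DEFAULT_ROUTE)

# Constructed sample events, not real product output; note the escaped '|' and '=' characters.
SAMPLE_EVENTS = [
    "CEF:0|Constructed Vendor|Edge Firewall|1.0|100|Connection denied|7|"
    "src=10.0.0.5 dst=10.0.0.9 dpt=445 msg=Policy \\=deny\\= hit act=blocked",
    "CEF:0|Constructed Vendor|App\\|Server|2.1|310|Login failed|3|"
    "suser=alice msg=bad password\\nretry 2 cnt=2",
    "CEF:0|Constructed Vendor|Core Switch|4|20|Link up|Low|dvc=10.0.0.1",
]

def route_all(lines):
    """Return (event name, destination) pairs for each CEF line, in input order."""
    return [(ev.header["name"], route(ev)) for ev in map(parse_cef, lines)]
```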


Page 18: HPE Enterprise Security Manager (ESM) – SIEM is the foundation for intelligent security operations

The Power of SIEM and Analytics
• High performance real-time correlations
• Contextual investigation for faster resolution
• Incident management and workflow for faster remediation
• Pattern discovery and visualization facilitating hunt

High Performance Real Time Correlation Engine
• Flexible hierarchical deployment for unlimited expansion.
• Workflow and notification engine.
• Event level access control and multi-tenancy support.
• Rich context model for networks, assets, users and vulnerabilities.
• Flexible APIs to integrate with your operational, IT and security systems

Page 19: ArcSight - User Behavior Analytics (UBA) - detecting abnormal behavior fast

The Power of Advanced Analytics
• Streamlined investigation through risk-ranked threats
• Enable more efficient threat hunting and faster remediation

Detects malicious users and processes with user behavior analytics
• Fast event resolution with user activity reports
• Identify high risk data exfiltration
• Prioritization of high risk users
• 5:1 ROI Impact

Page 20: Application Defender providing app insights and analytics - real time visibility into application activity & vulnerability exploits

The Power of SIEM and Analytics
• Analysts can investigate with visualization that greatly improves efficiency and speed to remediation
• Visual exploration of large sets of data to discover unknown patterns in the event base
• Application activity logs and real-time exploit event data are analyzed
• Identify critical app events
• App data is provided to ArcSight in Common Event Format
• Analyze DNS traffic to identify unknown infected hosts invisible to perimeter or security products
• Operationally proven via HP Labs

Figure: Target Application (App Defender Agent in the JVM/CLR) → Logging & Protection Events → Application Defender → ESM with App Defender content

Page 21: ArcSight - Marketplace - out of the box use cases, best practices

Accelerate time to business value for SIEM and Analytics investments
• Out of the box use cases, best practices, tools and utilities all accelerate SIEM benefits so analysts can be more efficient
• Enhances ArcSight capabilities through new use cases
• Dedicated learning center to understand best practices

App Store to get the latest security and compliance use cases, freeing up from custom programming
• Centralized location for trusted security packages
• Partner integrations that speed deployment
• Utilities and tools saving time for security operations

Page 22: Introducing ArcSight Investigate

Page 23: ArcSight: 3000 customers around the world; 15 years a Leader in Gartner; 5 out of 10 biggest banks; 5 out of 10 biggest defense and aerospace; 5 out of 10 biggest utilities

Page 24: SOC today…

Matt Smith, Lv2. Security Analyst
Sophia Rodriguez, SOC Manager
Cindy Lee, Lv1. Security Analyst

Page 25: Facing many challenges…

Personas: Matt Smith, Lv2. Security Analyst; Sophia Rodriguez, SOC Manager; Cindy Lee, Lv1. Security Analyst

• How can I manage my workforce efficiently?
• Too many alerts! Don’t know where to start
• Do I need to learn a query language?
• Search result is too long. How can I find insight here?
• So many manual tasks to get context
• Hard to find skilled talent
• Search is slow!

Page 26: ArcSight Investigate: 4 Major Capabilities

Search · Data Analysis · Live · Open

Page 27: Move data to Hadoop and perform search and analytics in open data format

Integration with Hadoop: a single screen for all your investigations (ArcSight Investigate over Vertica for hot data, with cold data moved to Hadoop; retention axis in days: 45, 90, 180, 270)

Hot Data
• Most frequent queries
• Fast ad-hoc analysis
• Best Performance

Cold Data
• For data accessed less frequently
• Cheap storage
• Holds long-range data

Page 28: ArcSight product portfolio overview

ARCSIGHT INVESTIGATE: Investigation | Entity Profiling | Hunt
ARCSIGHT ESM: 24x7 Real-time Monitoring & Correlation
ARCSIGHT UBA: User & Entity Behavior Analytics
ARCSIGHT DMA: Advanced Analytics for Malware Detection
ARCSIGHT DATA PLATFORM: Connectors | Event Broker | Management Console | Compliance (Logger)
Sources: User, Cloud, App, Servers & Workloads, Network, Endpoints, IoT
ARCSIGHT MARKETPLACE: HPE and Expert Community Developed Use Cases and Connectors

Page 29: Next generation security search and investigation

• Industry-leading search speed at scale: 10x faster search using HPE Vertica as an embedded high-performance database
• Pre-defined data analysis for security investigation: create powerful charts and dashboards with a few clicks
• Seamless integration with Hadoop: a single UI provides easy access to a full range of historical data

Page 30: ESP Technology Partners

Partner categories: DDoS, GRC, SIEM, Application Security, Threat Intelligence

Page 31: ArcSight Differentiators and Benefits

1. Real time correlation with context
• ArcSight maintains contextual information, allowing for real-time correlation and prioritization.
• Reduces time to detection with efficient processing.
• Implement use cases for the threats that matter.

2. Out of the box tailoring for your environment
• Highly configurable, with hundreds of connectors, built-in filters and templates to quickly tailor to your environment and workflow.
• Tailoring identifies specific IOCs an analyst needs to look at, reducing false positives.
• Integrates with your operational, IT and security systems.

3. Proven technology for any size organization
• ArcSight is used for real SOCs
• HPE SIOC practice helped many of those start.
• Fits any organizational structure & size.

Page 32: Thank You