#MicroFocusCyberSummit

#MicroFocusCyberSummit

Global Protection and Awareness through Data Analytics, Threat Detection and Pattern RecognitionCharles Clawson, ArcSight Marketing Manager

Steven Riley, ArcSight Technical Marketing Manager

Log Management

Data Analysis

Real time alerting & monitoring

Security Analytics

Intelligent Security Operations

Visual Agenda

Discover Micro Focus Security strategy Intelligent SecOps use case & Maturity roadmap

ArcSight Marketplace

ArcSight ESM

ArcSight Data Platform

ArcSight Investigate 3rd partySecurity Analytics

Activate Use caseThreat Intel

Company Discover the New

Network Management/

Data ProtectorCOBOL

The New Combined Company: Micro FocusBuilt on stability, acquisition and innovation

Years Years

$7.1

$5.1 $4.9 $4.4 $4.0$3.4 $3.3 $3.2 $3.1

$2.5 $2.5 $2.4 $2.3 $2.1 $2.1 $2.0 $2.0 $1.9 $1.9 $1.8 $1.7 $1.7 $1.4 $1.3 $1.2 $1.1

Mic

roso

ft

Ora

cle

SAP

Sale

sfo

rce

Ad

ob

e

Sym

ante

c

HP

E SW

/ M

F

CA

Ge

mal

to

Cit

rix

Das

sau

lt

SAS

HP

E SW

Info

r

Ver

itas

Au

tod

esk

Syn

op

sys

CD

K G

lob

al

Red

Hat

Ass

eco

BM

C

Nu

ance

Co

nst

ella

tio

n

Op

en T

ext

Cad

ence

Ch

eck

Po

int

Mic

rofo

cus

Wo

rkd

ay

Serv

iceN

ow

Info

rmat

ica

Combined Micro Focus: An Industry Shaper

#12

HP

E SW

HP

E SW

/ M

F#7

Mic

ro F

ocu

s

#26

4 Focus AreasFour Focus Areas

DevOps Hybrid ITManagement

Security & Data Management

Predictive Analytics

Users

AppsData

SecurityAnalytics

Protecting

What MattersMost

One of the Worlds Most Powerful Security Portfolios

ArcSight EmpowersIntelligent Security Operations

Click icon to add picture

Decrease impacts of security events

Detect and stop security threats

Reduce business downtime and

non-compliance

What Are the Top CISO Priorities

Challenges to the Security Operations Center

Increasing rate of data

Limited detection and

response tools

Complex and slow investigation capabilities

Intelligent Security Operations Increase Speed, Simplicity and Effectiveness Across Entire Workflow

Visibility Without Boundaries

Comprehensive Detection

Intuitive Investigation

ArcSight Drives Business Profits

Open architecture

Reduce data and licensing

costs

Comprehensivedetection

Minimize risk and data loss

Intuitive investigation

Reduce time and human

struggle

Security & Risk management

IT operations Compliance & Legal Line of Business

All Departments Benefit

Proven, Accurate and Fast

ArcSight Investigate

ArcSight ESM

ArcSight ADP

Open, Relevant and Intuitive

ArcSight Investigate

Investigation | Security Analytics

ArcSight ESM

Real-time correlation | Alerting | Workflow

ArcSight Data Platform

Connectors | Event Broker | Management | Logger

Security Operations Use Cases & Maturity Roadmap

Intelligent Security Operations – Use case Roadmap

Log Management

• Centralize Logs

• Retain data

• Compliance

Data Analysis

• Forensics

• Rapid Search

• Reporting

Real time alerting & monitoring

• Detect & identify

• Respond in time

• Build workflow

Security Analytics

• Behavior Profiling

• Threat detection

• Know the unknown

Intelligent Security Operations

• Integrated monitoring

• People & Process & Technology

• Efficiency & Resilience

Intelligent Security Operations – Capability Roadmap

Log Management

• Centralize Logs

• Retain data

• Compliance

Data Analysis

• Forensics

• Rapid Search

• Reporting

Real time alerting & monitoring

• Detect & identify

• Respond in time

• Build workflow

Security Analytics

• Behavior Profiling

• Threat detection

• Know the unknown

Intelligent Security Operations

• Integrated monitoring

• People & Process & Technology

• Efficiency & ResilienceArcSight Data Platform

ArcSight ESM

ArcSight Investigate

Analytics & SIOC

ArcSight Data PlatformExpand the visibility of your data

Visibility Without Boundaries

Faster detection with business optics

Real-time security context

Keep up with growing environments

Scalability through variety and velocity

Integrate data lakes with security apps

Open architecture to maximize usage

ArcSight Security Technology Partners

Partners

DDoS

GRC

SIEM

Application

Security

Threat

Intelligence

Technology

ArcSight Data Platform in Nutshell

Collect Enrich Distribute Retain Search Report

Connector

Event Broker

Logger

Arcsight Management Console

Cost-effective universal log management

Unifies searching, reporting and analysis

Scale

1M EPS in a 100 peers architecture

100 Concurrent search

Performance

Search speed improvements by 50-200%

10:1 compression ration to store up to 1200 TB

Security

Data at rest encryption on ADP appliances

Data Retention (Logger)

Management Console – End to End Monitoring

Topology view for consolidated overview

Display device information on hover

Sort devices by region / groups

Instant Connector Deployment ArcMC 2.70, Connectors 7.70

Capability:

• Connector deployment on remote hosts through ArcSight UI

• In-context deployment View UI

• Re-usable deployment templates with configuration values for source and destination

• Many Connectors to a single host

• Centralized management of long running deployment jobs

45

Benefit: Improve security administrator productivity by providing a quick and easy deployment option so that they onboard new data sources or readjust connectors deployment layout quickly with ease.

Enhanced Topology View ArcMC 2.70, Event Broker 2.10

Capability:

• View Event Broker topics in Topology view on ArcMC

• Get visibility into consumer connectivity through ArcMC

47

Benefit: Improve analyst productivity by giving them a centralized monitoring tool so that they can optimize their time and do more with ease.

Logger 6.5 Updates

Capability:

• Create Reports from Logger Queries

• Archives will include Indexes

• ADP Logger standalone mode: both for appliances and software

• Complete support for SHA-2: receivers and forwarders, archiving, SSL signatures

• Complete support for TLS 1.2: peer communications, on-board connector

• Dark Theme for Logger

48

Benefit: Easy to use Logger reporting tools with an enhanced UI help optimize analyst time and generate comprehensive reports and dashboards for compliance and other use cases

Data De-identification for Privacy (GDPR, health..)Format Preserving Encryption by Voltage embedded

SourceEvent data

LoggerESM

3rd party

ArcSightConnector

john.doe@arcsight.com uwol.clu@qnmpdsaa.kleDe-identify sensitive data

ArcSight ESMComprehensive Detection

54

ArcSight ESM in Nutshell

Enrichment

•Asset Model

•Network Model

•Vulnerability

Rules Engine

•Real-time rules

•Data Monitors

•Prioritization

Active Channel

•Rich news feeds

•Drill down

•Visuals

Context

•Enrichment

•Baselines/ trends

•Lists

•Search

3rd party action

• Integration Commands

•Action Connectors

•Partners

Case Management

•Annotations

•Stages and impact

• Integration

Detection Investigation

250 Ready Made, Tested and Documented Use Cases

Activate use case configurator

Value for Everyone

• Actionable Output

• Structured event handling

• Community

• Components & Solutions

• Methodology

• Increase TTV via Marketplace content

• SOC Workflow Efficiency

• Content Maintainability

• Reduced Training Cost

• Detailed data source configuration information

• Categorization + Product Packages

EngineerSOC

Manager

AnalystContent Author

Openness

4x more with same headcount

ESM & Activate adoption increased SOC efficiency 4x

Activate Content Layers

ArcSight ESM with Fresh & Relevant Content

Activate example: Wanna Cry Dashboard released in few hours Market-leading Real-time Correlation

Threat Lifecycle

Tailored use cases

Central integration point for the SOC process

Integrated SOC platform

70

Secure the New

ArcSightSecurity Operations

VoltageData Security

NetIQIdentity

FortifyApp Security

Enriched Data Powerful Correlation Quick Detection Multi-tenancy

ArcSight Enterprise Security Manager (ESM) Summary

Threat Intelligence

Threat Intel context is the king!

Whois behind this?

Whereis it comming from?

Howbad is it?

Dowe know them?

Isit related to ..?

75

But what Threat Intel?

ArcSight Threat Intelligence Program

Reputation Security Monitor Activate Threat Intelligence

Currated list of malicious IPs and domains Open TI program for Activate use case

0 Ingest

1 Populate

2 Context

3 Track

Activate TI Data Fusion Model

78

Threat Intel Activity Dashboard

ArcSight Investigate

What Do We Need to Address These Challenges?Intelligent Threat Investigation Solution

Act faster Work smarter Reach further

ArcSight Investigate

Analytics optimized and robust engine

Guided natural language search box

Modern and intuitive data manipulations

Powerful built-in analytics modules

Reach Further

Confidently hunt across all of your data

Seamless view

Accross Investigate and Hadoop

Optimize storage

Short term in Investigate

Long term in Hadoop

VerticaEvent Broker

Store data

Search & Analyze

Hadoop/HDFS

Investigateapplication

Data flow

Data lake

Connectors

HPE CONFIDENTIAL

Act Faster to Identify and Respond to Threats

Decrease the impact of security incidents

Minimize downtime by uncovering hidden threats

Work Smarter with an Intuitive Solution

Be productive from “Day 1”

Reduce response time to advanced attacks

Reach Further by Leveraging Data Lakes

Reduce risk by expanding the scope of investigation

Lower TCO by optimizing data management cost

92

ArcSight Investigate Benefits

HPE CONFIDENTIAL

Capability:

Ready made security-centric visuals out of the box

Graphs include field assignments without input from analyst

Retool visualizations to your needs

Categories available- Authentication Activity, Source Activity, Destination Activity & others

94

Built-in Security Analytics

Benefit: Increase analyst efficiency and provide ease of use with pre-defined visuals defined for specific use cases and removes guess work from the security investigation process

Capability:

Perform database table join

Query the Investigate database to determine if anyone in the environment established a connection with a host on the malicious IP address list

95

Lookup List (Joins) Feature

Benefit: Security practitioners can now run searches and add additional context information while importing a list for data enrichment purposes.

Capability:

Instantly identify the users impacted by a security event

96

Find the User

Benefit: Ability to search for and find the authenticated user for a particular event or incident helps analysts save time finding who was impacted and speed up incidence response.

Capability:

Ready made security-centric visuals out of the box

Graphs include field assignments without input from analyst

Retool visualizations to your needs

Categories available- Authentication Activity, Source Activity, Destination Activity & others

98

Built-in Security Analytics

Benefit: Increase analyst efficiency and provide ease of use with pre-defined visuals defined for specific use cases and removes guess work from the security investigation process

Investigate: Quick Security Insights (pre-defined viz)

Login by usernameLogin by User

Unresolved Malware – Infected Host InvestigationPivoting from search results to enable intuitive investigations.

100

101

Time-chart Based Hunting – Detect the OutliersDNS Domain Analysis over Time

102

Outlier Detection to Assist SOC Analyst

103

User Behavior Analytics – Peer Comparison

104

Search to Detection in Seconds – Complete Visibiliy

Detected the C2 server (fansfootball.com)

Detected a compromised account (Luke)

Detected lateral movement

Detected an additional compromised host (10.100.1.8)

Found indication of data exfiltration (bytes out through SSH)

Established the attack timeline

105

Value Proposition & Key Benefits

Thank You.

#MicroFocusCyberSummit

#MicroFocusCyberSummit