Mini ArcSight SIEM Product Deck 2011NG

Upload: ifueko-obasohan

Post on 08-Mar-2015


TRANSCRIPT

Page 1: Mini ArcSight SIEM Product Deck 2011NG

www.arcsight.com

Page 2: Mini ArcSight SIEM Product Deck 2011NG

www.arcsight.com 2© 2010 ArcSight Confidential

© 2010 ArcSight, Inc. All rights reserved.

ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.

ArcSight Overview

Patrick EFAGWU

HP Software – West Africa

Page 3: Mini ArcSight SIEM Product Deck 2011NG

Gartner MQ – 2011

• ArcSight has complete separation from the pack

• RSA drops off

• CA exits the market

• Everyone else clustered in the middle

Page 4: Mini ArcSight SIEM Product Deck 2011NG


HP Integrations

Page 5: Mini ArcSight SIEM Product Deck 2011NG


Monitoring is More Challenging Than Ever

You Need to See…

… Networked Systems

… Zero-day Threats

… Critical Data Stores

… Privileged Users

… Network Connections

… Fraud Techniques

… Application Risk


Page 6: Mini ArcSight SIEM Product Deck 2011NG


Only ArcSight ETRM Can Address The Challenges

• 300+ connectors out of the box

• No toolkit to create new connectors, No R&D needed

• 1-2 weeks per custom connector

• Easily scale to 100,000s EPS – low cost

• Scalable data retention, store years of log data

• Efficient, Fast investigations

• Complete correlation – Logs, Users, Network

• Sophisticated correlation for complex threats

• Mitigate modern threats, prevent breach and loss

Effectively Tackle Complex Threats With Key Functions

Page 7: Mini ArcSight SIEM Product Deck 2011NG


ArcSight Collection:

300+ Products, 50+ Categories, 80+ Partners

Access and Identity

Anti-Virus

Applications

Content Security

Database

Data Security

Firewalls

Honeypot

Network IDS/IPS

Host IDS/IPS

Integrated Security

Log Consolidation

Mail Filtering

Mail Server

Mainframe

NBAD

Network Management

Network Monitoring

Net Traffic Analysis

Policy Management

Security Management

Router Web Cache

Web Filtering

Switch

Vulnerability Mgmt

Web Server

Operating System

VPN

Wireless

Page 8: Mini ArcSight SIEM Product Deck 2011NG

Key Strength: Normalization

Windows: Failed Login Event

Oracle: Failed Login Event

UNIX: Failed Login Event

Badge Reader: Entry Denied

OS/390: Failed Login Event
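The slide's point is that one rule can fire on "failed login" no matter which product reported it, because every source is first mapped onto a common schema. The following Python is an added example and not ArcSight connector code: the four log lines are constructed samples that imitate the shape of Windows, Oracle, UNIX and badge-reader records (Windows event 4625 and ORA-01017 are the real failed-logon identifiers, the surrounding layout is made up), and the field names of the common schema are assumptions.

```python
"""Normalize "failed login" style events from several sources into one schema.

Added example (not ArcSight code). The log lines below are constructed samples
that imitate Windows, Oracle, UNIX and badge-reader records; the common-schema
field names are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class NormalizedEvent:
    category: str                  # common category, e.g. "Authentication/Failure"
    device_vendor: str
    device_product: str
    source_user: Optional[str]     # account or badge that attempted access
    source_address: Optional[str]  # originating IP, if the source reports one
    raw: str                       # original line kept for forensics


# Constructed sample lines, one per source type (not real log output).
SAMPLE_LINES = [
    "Windows: EventID=4625 Account=jsmith SourceIP=10.1.1.90 Status=0xC000006D",
    "Oracle: ORA-01017 invalid username/password; logon denied user=JSMITH host=10.1.1.90",
    "UNIX: sshd[2231]: Failed password for jsmith from 10.1.1.90 port 51022 ssh2",
    "Badge: reader=LOBBY-02 badge=348924323 result=ENTRY_DENIED",
]

# Source-specific parsers for the constructed line layouts above.
WINDOWS_RE = re.compile(r"^Windows: EventID=(?P<id>\d+) Account=(?P<user>\S+) SourceIP=(?P<ip>\S+)")
ORACLE_RE = re.compile(r"^Oracle: ORA-(?P<code>\d+) .*?user=(?P<user>\S+) host=(?P<ip>\S+)")
UNIX_RE = re.compile(r"^UNIX: sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<ip>\S+)")
BADGE_RE = re.compile(r"^Badge: reader=(?P<reader>\S+) badge=(?P<badge>\d+) result=(?P<result>\S+)")

FAILURE = "Authentication/Failure"


def normalize(line: str) -> Optional[NormalizedEvent]:
    """Map one raw line to the common schema, or None if it is not a failure event."""
    m = WINDOWS_RE.match(line)
    if m:
        if m.group("id") != "4625":          # only "An account failed to log on"
            return None
        return NormalizedEvent(FAILURE, "Microsoft", "Windows", m.group("user"), m.group("ip"), line)
    m = ORACLE_RE.match(line)
    if m:
        if m.group("code") != "01017":       # only "invalid username/password"
            return None
        # Oracle upper-cases account names; lower-case so all sources agree.
        return NormalizedEvent(FAILURE, "Oracle", "Database", m.group("user").lower(), m.group("ip"), line)
    m = UNIX_RE.match(line)
    if m:
        return NormalizedEvent(FAILURE, "Unix", "sshd", m.group("user"), m.group("ip"), line)
    m = BADGE_RE.match(line)
    if m:
        if m.group("result") != "ENTRY_DENIED":
            return None
        # Physical access has no IP; the badge number is the source identifier.
        return NormalizedEvent(FAILURE, "PhysicalAccess", "BadgeReader", m.group("badge"), None, line)
    return None                              # unknown format: leave it for the raw-log store


def normalize_all(lines):
    """Normalize a batch, dropping lines that are not failure events."""
    return [e for e in (normalize(l) for l in lines) if e is not None]


def count_by_category(events):
    """Device-independent rollup: one count regardless of which product reported."""
    return dict(Counter(e.category for e in events))


def count_by_user(events):
    """Failures per source user across all device types."""
    return dict(Counter(e.source_user for e in events))


if __name__ == "__main__":
    evs = normalize_all(SAMPLE_LINES)
    for e in evs:
        print(f"{e.device_product:12} {e.category:24} user={e.source_user} ip={e.source_address}")
    print(count_by_category(evs), count_by_user(evs))
```

Once events are in this shape, a threshold rule ("more than N failures for one user in M minutes") is written once against `category` and `source_user` and applies to every source, which is what "device-independent rules" on the later correlation slide means in practice. The unknown-format branch returning None is deliberate: an event the parser cannot classify should still reach raw log storage rather than be silently dropped.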

Page 9: Mini ArcSight SIEM Product Deck 2011NG

Benefit: Optimal price / performance for deployments of any size

Data Center Appliance

SAN-based Appliance

SMB/Regional Appliance

Use Everywhere

Fast collection (100K EPS collection rate)

Storage efficiency and flexibility (42 TB/instance, NAS/DAS/SAN)

Quick analysis (Millions of EPS)

Multiple software deployment options

ArcSight Logger

Page 10: Mini ArcSight SIEM Product Deck 2011NG


Benefit: Flexible, efficient and intelligent storage for all events

Efficient and Intelligent Storage

SAN DAS NAS

LAN

ArcSight Logger

RAID enabled onboard capacity per appliance

Automatically analyze across onboard and archived data without restoring it

Automated enforcement of multiple retention policies

Page 11: Mini ArcSight SIEM Product Deck 2011NG

Forensics on the Fly

Personalized Dashboards

Intelligent Search

Drill-down reports

Save search

Real time Alerting

Search: 10.1.1.90 AND Snort

Page 12: Mini ArcSight SIEM Product Deck 2011NG

Correlation

Available as: Data Center Rackable Appliance, Installable Software

Benefit: Focus resources only on important issues

Real-time, in memory analysis of business events

Activity profiling to create baselines for context

Multiple visualization for role-based presentation

Advanced correlation – millions of events → important incidents

Page 13: Mini ArcSight SIEM Product Deck 2011NG


Recap

Page 14: Mini ArcSight SIEM Product Deck 2011NG

ArcSight SIEM Platform

An integrated product set for collecting, processing, and assessing security and risk event information.

Module Layer: Reports/Dashboards, Rules/Alerts (ArcSight, Custom, 3rd Party)

Core Engine Layer: Response Engine, Correlation Engine, Logging Engine

Integration Layer: Connectors

Sources: Network Devices, Servers, Mobile, Desktop, Security Devices, Physical Access, Apps, Databases, Identity Sources, Email

Page 15: Mini ArcSight SIEM Product Deck 2011NG

Connectors

Integration Layer

Collect in native log format from 300+ types of products: Syslog, SNMP, ODBC/JDBC, Opsec, WMI, RDEP, SDEE, CSV / XML files

Normalize to a common format

Send to centralized engines via secure, guaranteed delivery

Available as: Rackable Appliances, Branch Office/Store Appliance, Installable Software

Benefit: Insulates device choices from analysis

Page 16: Mini ArcSight SIEM Product Deck 2011NG

Log Management

ArcSight Logger

Available as: Data Center Log Storage & Management Appliance (35 TB max), SAN-Based Log Management Appliance, SMB/Regional Log Storage & Management Appliance

Efficient, self-managed archiving of terabytes of log data

Raw or normalized format

Pre-built reporting for security or compliance needs

Benefit: Cost-efficient compliance retention/reporting

Page 17: Mini ArcSight SIEM Product Deck 2011NG

Correlation

ArcSight ESM

Available as: Data Center Rackable Appliance, Installable Software

Real-time analysis of business events

Activity profiling to create baselines for context

Flexible visualization for role-based presentation

Benefit: Focus resources only on important issues

Page 18: Mini ArcSight SIEM Product Deck 2011NG

Auto-Response

ArcSight Threat Response Manager

Available as: Rackable Appliance, Option for ArcSight ESM

Network mapping to determine impact of problems

Auto or Workflow-based response to contain users or devices

Action report for manual response to issues

Benefit: Flexible, effective containment of problems

Page 19: Mini ArcSight SIEM Product Deck 2011NG


Pre-built rules, reports, dashboards, and connectors

Regulatory: Address compliance for public/industry regulations

Business: Address scenarios common to most organizations

ArcSight Solution Modules

ArcSight Modules

Available as: Pre-configured Appliances, Installable Software

Regulatory: SOX/JSOX, PCI, FISMA, HIPAA, GLBA, NERC

Business: Identity Monitoring, Fraud Detection, Sensitive Data Protection

Benefit: Rapid deployment by leveraging best practices

Page 20: Mini ArcSight SIEM Product Deck 2011NG

User Activity: A New Axis for Security Monitoring

Traditional SIEM: IP Address, Events, Scan Data, Location, Asset Data

IdentityView: User, Events, Attributes, Roles, Access Rights

Page 21: Mini ArcSight SIEM Product Deck 2011NG

Identity Correlation

Correlate common identifiers such as email address, badge ID, phone extension

Events occurring across devices that identify users by different attributes

Attribute the event to a unique “identity” allowing correlation across any type of device

Identifiers: rjackson, 348924323, [email protected], robertj, rjackson_dba, 510-555-1212

Identity: Robert Jackson

Page 22: Mini ArcSight SIEM Product Deck 2011NG

Correlated Identity in Practice

With IdentityView, a simple event tells you much more. IdentityView:

1. Correlates an IP with a user

2. Identifies the associated username

3. Enriches the event with user data
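The three steps above, and the identifier-to-identity mapping on the previous slide, can be shown end to end in a few dozen lines. This Python is an added example, not ArcSight's IdentityView code. The identifier set for Robert Jackson is the one on the slide (the e-mail address is redacted on the page and is left out); the session table, the second identity, the user attributes, the events and every function name are constructed assumptions.

```python
"""Identity correlation: map many identifiers to one person and enrich events.

Added example (not ArcSight's IdentityView code). Robert Jackson's identifiers
come from the slide; everything else here is constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Identity:
    name: str
    identifiers: set      # usernames, badge ID, phone extension, ...
    department: str
    roles: set
    status: str           # e.g. "active", "notice-given"


# Constructed identity store (Robert's identifiers from the slide, attributes assumed).
IDENTITIES = [
    Identity("Robert Jackson",
             {"rjackson", "348924323", "robertj", "rjackson_dba", "510-555-1212"},
             department="IT Operations", roles={"dba"}, status="notice-given"),
    Identity("Jane Smith", {"jsmith", "jsmith_adm"},
             department="Finance", roles={"analyst"}, status="active"),
]

# Inverted index: identifier -> identity, built once. An identifier claimed by
# two people is a data-quality defect worth surfacing, so it raises.
INDEX = {}
for _ident in IDENTITIES:
    for _key in _ident.identifiers:
        if _key.lower() in INDEX:
            raise ValueError(f"identifier {_key!r} claimed by two identities")
        INDEX[_key.lower()] = _ident

# Constructed IP-to-user sessions (as a VPN or DHCP/auth log would give): who
# held the address during which window. ISO-8601 strings of equal format
# compare correctly as plain strings, so no datetime parsing is needed.
SESSIONS = [
    ("10.1.1.90", "2011-03-01T09:00", "2011-03-01T12:00", "robertj"),
    ("10.1.1.90", "2011-03-01T13:00", "2011-03-01T18:00", "jsmith"),
]


def user_for_ip(ip: Optional[str], at: str) -> Optional[str]:
    """Step 1: correlate an IP address with the user who held it at that time."""
    for addr, start, end, user in SESSIONS:
        if addr == ip and start <= at < end:
            return user
    return None


def resolve_identity(identifier: Optional[str]) -> Optional[Identity]:
    """Step 2: turn any identifier (username, badge, phone) into the unique identity."""
    if identifier is None:
        return None
    return INDEX.get(identifier.lower())


def enrich(event: dict) -> dict:
    """Step 3: attach the identity and its attributes to a normalized event."""
    out = dict(event)
    username = event.get("source_user") or user_for_ip(event.get("source_address"), event["time"])
    ident = resolve_identity(username)
    out["resolved_user"] = username
    out["identity"] = ident.name if ident else None
    out["department"] = ident.department if ident else None
    out["roles"] = sorted(ident.roles) if ident else []
    out["status"] = ident.status if ident else None
    return out


# Constructed events already in a common schema. They name the same person
# four different ways; the IDS alerts carry only an IP address.
EVENTS = [
    {"time": "2011-03-01T09:30", "category": "Authentication/Failure",
     "source_user": "rjackson", "source_address": "10.1.1.90"},
    {"time": "2011-03-01T09:35", "category": "Authentication/Failure",
     "source_user": "RJACKSON_DBA", "source_address": "10.1.1.90"},
    {"time": "2011-03-01T09:40", "category": "PhysicalAccess/Denied",
     "source_user": "348924323", "source_address": None},
    {"time": "2011-03-01T10:00", "category": "IDS/Alert",
     "source_user": None, "source_address": "10.1.1.90"},
    {"time": "2011-03-01T14:00", "category": "IDS/Alert",
     "source_user": None, "source_address": "10.1.1.90"},
]


def events_per_identity(events):
    """Count events per person rather than per raw identifier."""
    return dict(Counter(e["identity"] for e in map(enrich, events)))


if __name__ == "__main__":
    for e in EVENTS:
        r = enrich(e)
        print(f'{r["time"]} {r["category"]:24} {r["resolved_user"]!s:14} -> {r["identity"]} ({r["status"]})')
    print(events_per_identity(EVENTS))
```

Counted per identifier, the first four events look like four unrelated low-volume incidents; counted per identity they are four events from one person whose HR status is "notice-given", which is exactly the kind of watch-list context the next slide uses. Note that the IP lookup is time-bounded: the same address at 14:00 resolves to a different person, so an enrichment that ignored the session window would attribute Jane's alert to Robert.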

Page 23: Mini ArcSight SIEM Product Deck 2011NG

User Monitoring that Scales

Watch List (1000s): Layoffs, Contractors, Notice-Given, New Hires, Policy Violators

Monitored List (100s): Repeated Suspicious Activity, Repeated Policy Violations

Investigate List (10): High Confidence Violations, Excessive Escalations

Page 24: Mini ArcSight SIEM Product Deck 2011NG

Key Use Cases for IdentityView

Use Case: Business Requirement

User Attribution and Identity Mapping: Core

User Activity Reporting: Core

Role Violations: Core

Privileged User Monitoring: Security/Compliance

High Risk User Monitoring: Security/IP Protection

Suspicious Activity Monitoring: Security/IP Protection

Shared Account Usage: Compliance/IP Protection

User, Role, and Access Management Tracking: IAM/IP Protection

Activity Based Role Modeling: IAM/IP Protection

IAM and Directory Reporting: IAM/IP Protection

Sensitive Information Monitoring: IP Protection

*Core use cases map to all business requirements: Security, Compliance, Identity & Access Management, and IP Protection

Page 25: Mini ArcSight SIEM Product Deck 2011NG


Example Dashboard: Employee/Contractor Monitoring

Page 26: Mini ArcSight SIEM Product Deck 2011NG

Asset and User Modeling

Asset Model

Susceptibility: Is the asset susceptible to the specific attack?

Asset Repository: Supports up to a million assets to provide complete coverage

Asset Criticality: How important is this asset to the business?

Device Severity: Mapping of reporting device severity to ArcSight severity (if reported)

User Model

Role: Does the event match the role of the person performing it?

User profiling: Was suspicious behavior by this individual observed in the past?

Identity: Who was the individual “behind the IP address” at the time of the event?

Policy: What is the impact of this event on business risk?

• Understand true impact and risk

• Reduce false positives

• Focus on real threats to operations
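The questions on this slide only reduce false positives if they actually change the number an analyst sorts by. The following Python is an added example of one way to combine them into a single priority; it is not ArcSight's priority formula. The weights, the severity map, the "VULN-*" labels standing in for scan findings, and the sample assets, users and events are all constructed assumptions chosen to make each factor's effect visible.

```python
"""Priority scoring from the asset model and user model.

Added example, not ArcSight's formula: weights, severity map and all sample
data are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Device-severity mapping: each product's own scale onto a common 0-10 scale.
# Snort priority 1 is its most severe; Windows uses level names. (Assumed map.)
DEVICE_SEVERITY = {
    "snort": {"1": 9, "2": 6, "3": 3},
    "windows": {"critical": 9, "error": 6, "warning": 3, "information": 1},
}
UNKNOWN_SEVERITY = 5   # device reported nothing usable or we have no map: stay neutral


@dataclass
class Asset:
    name: str
    criticality: int       # 1 (lab box) .. 10 (business-critical)
    vulnerabilities: set   # findings from scan data; "VULN-*" are constructed labels


@dataclass
class User:
    identity: str
    roles: set
    prior_suspicious: int  # earlier suspicious findings for this person


@dataclass
class Event:
    device_vendor: str
    device_severity: str
    target_asset: str
    exploits: set                  # vulnerabilities the signature needs; empty = unknown
    required_role: Optional[str]   # role that would make this activity expected
    actor: Optional[str]           # resolved identity, if any


# Constructed model data.
ASSETS = {
    "db-prod": Asset("db-prod", 10, {"VULN-A"}),
    "test-web": Asset("test-web", 2, {"VULN-B"}),
}
USERS = {
    "Robert Jackson": User("Robert Jackson", {"dba"}, 0),
    "Jane Smith": User("Jane Smith", {"analyst"}, 1),
}


def map_severity(vendor: str, severity: str) -> int:
    """Device Severity: translate the reporting device's scale to the common one."""
    return DEVICE_SEVERITY.get(vendor, {}).get(severity, UNKNOWN_SEVERITY)


def susceptibility_factor(event: Event, asset: Asset) -> float:
    """Susceptibility: is the asset exposed to this specific attack? Unknown stays neutral."""
    if not event.exploits:
        return 1.0
    return 1.5 if event.exploits & asset.vulnerabilities else 0.5


def role_factor(event: Event, user: Optional[User]) -> float:
    """Role: does the event match the role of the person performing it?"""
    if event.required_role is None or user is None:
        return 1.0
    return 0.5 if event.required_role in user.roles else 2.0


def prioritize(event: Event, assets=ASSETS, users=USERS) -> int:
    """Combine severity, criticality, susceptibility, role and history into 0-10."""
    asset = assets[event.target_asset]
    user = users.get(event.actor) if event.actor else None
    score = float(map_severity(event.device_vendor, event.device_severity))
    score *= asset.criticality / 10              # Asset Criticality
    score *= susceptibility_factor(event, asset)
    score *= role_factor(event, user)
    if user:
        score += min(user.prior_suspicious, 3)   # User profiling, capped so it cannot dominate
    return max(0, min(10, int(score + 0.5)))     # round half up, clamp to the common scale


# Constructed events: the same IDS signature against two assets, and the same
# routine admin action by someone inside and someone outside the DBA role.
EVENTS = {
    "ids_on_prod_db": Event("snort", "1", "db-prod", {"VULN-A"}, None, None),
    "ids_on_test_web": Event("snort", "1", "test-web", {"VULN-A"}, None, None),
    "admin_by_non_dba": Event("windows", "warning", "db-prod", set(), "dba", "Jane Smith"),
    "admin_by_dba": Event("windows", "warning", "db-prod", set(), "dba", "Robert Jackson"),
}


def ranked(events=EVENTS):
    """Event names ordered from most to least important incident."""
    return sorted(events, key=lambda n: prioritize(events[n]), reverse=True)


if __name__ == "__main__":
    for name in ranked():
        print(f"{prioritize(EVENTS[name]):2}  {name}")
```

Two things the numbers show: the identical Snort alert scores 10 against the critical, susceptible database and 1 against the non-susceptible test box, which is the "reduce false positives" claim made concrete; and a low-severity Windows "warning" outranks both the test-box alert and the DBA's own admin action once the actor is outside the expected role and has prior findings. Any real deployment would tune the weights, but the structure (severity × criticality × susceptibility × role, plus history) is what turns the slide's questions into an ordering.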

Page 27: Mini ArcSight SIEM Product Deck 2011NG


Multi-Variable Correlation

Benefit: Prioritize Accurately, Stop Sophisticated Threats

• Vulnerability risk correlation

• Event & field-matching correlation

• Multi-session correlation

• Moving-average correlation

• Stateful correlation

• Identity correlation

• Role correlation

• Dynamic network correlation

• Location correlation

• Anomaly correlation

• Threshold count correlation

• Universal event taxonomy

• No need to learn multiple log formats

• Device-independent rules and reports

Correlation

Page 28: Mini ArcSight SIEM Product Deck 2011NG


ThreatDetector – Activity Profiling

A vital tool for preventative maintenance and early detection

Apply sophisticated data-mining techniques to event flows to create baselines of good and bad activity

Find previously undetected patterns of behavior

Periodically schedule pattern discovery to stay ahead of evolving exploit behavior

Take action on newly discovered patterns

Page 29: Mini ArcSight SIEM Product Deck 2011NG

Analyze and Investigate

Active Channels for interactive investigations

Dashboards with Drill-to-detail

Executive Dashboards

– 125 Reusable, graphical building blocks (real-time data monitors)

– 48 Pre-built dashboards with Drill-to-detail

Intuitive investigations and compliance relevant reporting

Page 30: Mini ArcSight SIEM Product Deck 2011NG


Powerful And Flexible Reporting

Out-of-Box Compliance Reporting

Long Term Trend Analysis

– events, policy violations, risk, or any other data

Robust Adhoc Report Development

Build Custom Graphical Reports

GUI-based - No programming needed

Multiple Distribution Formats

– HTML, XLS, PDF

Page 31: Mini ArcSight SIEM Product Deck 2011NG

Real-Time Alerting

Real-time Alerting

– Alert actions can be configured for Critical Events

– Complete Alert Management Console

Notifications and Notification Templates

– Customizable Notification Messaging

– Email, pager or text message delivery

– SNMP alerts to leverage network management response teams

Priority Based Escalation of Notifications

Page 32: Mini ArcSight SIEM Product Deck 2011NG


Built-in Case Management

Cases and Workflow for compliance verification

Annotations: Track and escalate events through the workflow system

Cases: Create specific incidents for specific event occurrences

Stages: Process cases through predefined, collaborative workflow definitions

Attachments: Add additional context for incidents

Real-time Alerting and Notifications

– Email, Pager or Text Message

– SNMP alerts to leverage network management response teams

Page 33: Mini ArcSight SIEM Product Deck 2011NG

Integrated Growth Path

Benefit: Common Collection, Low TCO and Seamless integration

Infrastructure / Databases / Transactions / Users

Guided Response

Advanced Correlation

Sensitive Data Security

User Activity Monitoring

Fraud Detection

Application Transaction Security

Log Management

Collection

Page 34: Mini ArcSight SIEM Product Deck 2011NG

What Makes ArcSight Unique

Interoperability

Correlation

Unmatched in Scale

Page 35: Mini ArcSight SIEM Product Deck 2011NG


ArcSight, Inc.

Corporate Headquarters: 1 888 415 ARST

EMEA Headquarters: +44 (0)844 745 2068

Asia Pac Headquarters: +65 6248 4795

www.arcsight.com

Page 36: Mini ArcSight SIEM Product Deck 2011NG

ArcSight Compliance Package Framework

Primary Controls / Secondary Controls / Data Feeds

Business Relevance: SOX, NERC, PCI, HIPAA, GLBA, Basel II, ISO-27002, NIST 800-53; Business Processes, Policy Monitoring, Risk Management

Technical Checks: Logon/Logoff, Super-User Activity, Privilege Changes, Terminated Employees, Config Changes, Vulnerabilities, Attack Status, System Activity

Analysis and Content: Reports, Dashboards, Active Lists, Real-Time Alerts, Rules

Asset Relevance / Focus

Data Feeds and Formats: Firewall, IDS/IPS, Networking Infrastructure, Application, Database, OS, IAM, HIDS, VA

Page 37: Mini ArcSight SIEM Product Deck 2011NG


Compliance Insight Package

Overview Dashboard