mini arcsight siem product deck 2011ng
TRANSCRIPT
www.arcsight.com
www.arcsight.com 2© 2010 ArcSight Confidential
© 2010 ArcSight, Inc. All rights reserved.
ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.
ArcSight Overview
Patrick EFAGWU
HP Software – West Africa
Gartner MQ – 2011
• ArcSight has complete separation from the pack
• RSA drops off
• CA exits the market
• Everyone else clustered in the middle
HP Integrations
Monitoring is More Challenging Than Ever
You Need to See…
… Networked Systems
… Zero-day Threats
… Critical Data Stores
… Privileged Users
… Network Connections
… Fraud Techniques
… Application Risk
Only ArcSight ETRM Can Address The Challenges
Effectively Tackle Complex Threats With Key Functions
• 300+ connectors out of the box
• No toolkit to create new connectors, no R&D needed
• 1-2 weeks per custom connector
• Easily scale to 100,000s EPS – low cost
• Scalable data retention, store years of log data
• Efficient, fast investigations
• Complete correlation – Logs, Users, Network
• Sophisticated correlation for complex threats
• Mitigate modern threats, prevent breach and loss
ArcSight Collection:
300+ Products, 50+ Categories, 80+ Partners
Access and Identity
Anti-Virus
Applications
Content Security
Database
Data Security
Firewalls
Honeypot
Network IDS/IPS
Host IDS/IPS
Integrated Security
Log Consolidation
Mail Filtering
Mail Server
Mainframe
NBAD
Network Management
Network Monitoring
Net Traffic Analysis
Policy Management
Security Management
Router Web Cache
Web Filtering
Switch
Vulnerability Mgmt
Web Server
Operating System
VPN
Wireless
Key Strength: Normalization
Windows – Failed Login Event
Oracle – Failed Login Event
UNIX – Failed Login Event
Badge Reader – Entry Denied
OS/390 – Failed Login Event
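The slide above shows the idea of normalization only as a picture: five sources, five different raw formats, one common "failed login" meaning. The following is an added example (not ArcSight code, and not ArcSight's CEF schema) that shows what a connector's normalization step actually does: each per-source parser extracts the same fields (category, user, source) into one schema, so that a device-independent rule such as "count authentication failures per source host" works without knowing which product produced the line. The five sample lines are constructed; the Windows event ID 4625, the Oracle ORA-01017 message, the sshd "Failed password" line and the RACF ICH408I message follow their real formats, while the badge-reader format is invented for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Common schema every source is normalized into. The field names are this
# example's assumption; they are not ArcSight's CEF field names.
@dataclass
class NormalizedEvent:
    category: str            # device-independent meaning of the event
    device_vendor: str
    device_product: str
    user: Optional[str]      # account or badge holder, lower-cased for matching
    source: Optional[str]    # IP, host or door the attempt came from, if reported
    raw: str                 # original line kept for forensics

AUTH_FAILURE = "/Authentication/Failure"
ENTRY_DENIED = "/Physical/Entry/Denied"

# One parser per source. Each returns a NormalizedEvent, or None when the
# line is not in the format it understands.
def parse_windows(raw: str) -> Optional[NormalizedEvent]:
    # Event ID 4625 is Windows' "An account failed to log on".
    m = re.search(r"EventID=4625\b.*?Account Name:\s*(\S+).*?Source Network Address:\s*(\S+)", raw, re.S)
    return NormalizedEvent(AUTH_FAILURE, "Microsoft", "Windows", m.group(1).lower(), m.group(2), raw) if m else None

def parse_oracle(raw: str) -> Optional[NormalizedEvent]:
    # ORA-01017 is Oracle's "invalid username/password; logon denied".
    m = re.search(r"ORA-01017\b.*?user=(\S+).*?host=(\S+)", raw, re.I)
    return NormalizedEvent(AUTH_FAILURE, "Oracle", "Database", m.group(1).lower(), m.group(2), raw) if m else None

def parse_unix(raw: str) -> Optional[NormalizedEvent]:
    m = re.search(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)", raw)
    return NormalizedEvent(AUTH_FAILURE, "Unix", "sshd", m.group(1).lower(), m.group(2), raw) if m else None

def parse_badge(raw: str) -> Optional[NormalizedEvent]:
    # Constructed badge-reader format: DOOR=<id> BADGE=<number> RESULT=ENTRY_DENIED
    m = re.search(r"DOOR=(\S+)\s+BADGE=(\d+)\s+RESULT=ENTRY_DENIED", raw)
    return NormalizedEvent(ENTRY_DENIED, "BadgeVendor", "Badge Reader", m.group(2), m.group(1), raw) if m else None

def parse_os390(raw: str) -> Optional[NormalizedEvent]:
    # RACF ICH408I messages report a rejected logon; no source host is in the message.
    m = re.search(r"ICH408I USER\((\S+)\).*INVALID PASSWORD", raw)
    return NormalizedEvent(AUTH_FAILURE, "IBM", "OS/390 RACF", m.group(1).lower(), None, raw) if m else None

PARSERS = (parse_windows, parse_oracle, parse_unix, parse_badge, parse_os390)

def normalize(raw: str) -> Optional[NormalizedEvent]:
    """Try each parser in turn; unknown lines yield None so they can be counted rather than dropped silently."""
    for parser in PARSERS:
        ev = parser(raw)
        if ev is not None:
            return ev
    return None

def normalize_all(lines):
    return [ev for ev in (normalize(line) for line in lines) if ev is not None]

def failures_per_source(events):
    """Device-independent count: a Windows, an Oracle and an sshd failure from the same host add up."""
    return Counter(ev.source for ev in events if ev.category == AUTH_FAILURE and ev.source)

# Constructed sample lines, one per source on the slide (not real logs).
SAMPLE_LINES = [
    "EventID=4625 An account failed to log on. Account Name: rjackson Source Network Address: 10.1.1.90",
    "2011-03-01T09:12:44 ORA-01017: invalid username/password; logon denied user=RJACKSON_DBA host=10.1.1.90",
    "Mar  1 09:13:02 srv1 sshd[2231]: Failed password for robertj from 10.1.1.90 port 51022 ssh2",
    "DOOR=DC-EAST-01 BADGE=348924323 RESULT=ENTRY_DENIED",
    "ICH408I USER(RJACKSON) GROUP(SYS1) NAME(ROBERT JACKSON) LOGON/JOB INITIATION - INVALID PASSWORD",
]

if __name__ == "__main__":
    events = normalize_all(SAMPLE_LINES)
    for ev in events:
        print(f"{ev.category:28} {ev.device_product:12} user={ev.user} source={ev.source}")
    print(failures_per_source(events))
```

Note that the three failures from 10.1.1.90 come from three different products, which is exactly what the slide's "Key Strength" is about: after normalization they are the same kind of event and can be counted together. Lines that no parser understands return None; in a real pipeline those should be counted and reviewed, because a silently dropped source is a monitoring gap.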
ArcSight Logger
Benefit: Optimal price / performance for deployments of any size
Use Everywhere: Data Center Appliance, SAN-based Appliance, SMB/Regional Appliance, multiple software deployment options
Fast collection (100K EPS collection rate)
Storage efficiency and flexibility (42 TB/instance, NAS/DAS/SAN)
Quick analysis (Millions of EPS)
Benefit: Flexible, efficient and intelligent storage for all events
Efficient and Intelligent Storage
SAN DAS NAS
LAN
ArcSight Logger
RAID enabled onboard capacity per appliance
Automatically analyze across onboard and archived data without restoring it
Automated enforcement of multiple retention policies
Forensics on the Fly
Personalized Dashboards
Intelligent Search (example query: 10.1.1.90 AND Snort; searches can be saved)
Drill-down reports
Real time Alerting
Correlation
Available as: Data Center Rackable Appliance, Installable Software
Benefit: Focus resources only on important issues
Real-time, in memory analysis of business events
Activity profiling to create baselines for context
Multiple visualization for role-based presentation
Advanced correlation – millions of events → important incidents
Recap
ArcSight SIEM Platform
An integrated product set for collecting, processing, and assessing security and risk event information.
Module Layer: Rules/Alerts and Reports/Dashboards, supplied by ArcSight, custom-built, or from 3rd parties
Core Engine Layer: Correlation Engine, Logging Engine, Response Engine
Integration Layer: Connectors
Event sources: Network Devices, Servers, Mobile, Desktop, Security Devices, Physical Access, Apps, Databases, Identity Sources, Email
Connectors
Integration Layer
Available as: Rackable Appliances, Branch Office/Store Appliance, Installable Software
Benefit: Insulates device choices from analysis
Collect in native log format from 300+ types of products: Syslog, SNMP, ODBC/JDBC, Opsec, WMI, RDEP, SDEE, CSV / XML files
Normalize to a common format
Send to centralized engines via secure, guaranteed delivery
ArcSight Logger
Log Management
Available as: Data Center Log Storage & Management Appliance (35 TB max), SAN-Based Log Management Appliance, SMB/Regional Log Storage & Management Appliance
Benefit: Cost-efficient compliance retention/reporting
Efficient, self-managed archiving of terabytes of log data
Raw or normalized format
Pre-built reporting for security or compliance needs
ArcSight ESM
Correlation
Available as: Data Center Rackable Appliance, Installable Software
Benefit: Focus resources only on important issues
Real-time analysis of business events
Activity profiling to create baselines for context
Flexible visualization for role-based presentation
ArcSight Threat Response Manager
Auto-Response
Available as: Rackable Appliance; Option for ArcSight ESM
Benefit: Flexible, effective containment of problems
Network mapping to determine impact of problems
Auto or Workflow-based response to contain users or devices
Action report for manual response to issues
ArcSight Solution Modules
ArcSight Modules
Available as: Pre-configured Appliances, Installable Software
Benefit: Rapid deployment by leveraging best practices
Pre-built rules, reports, dashboards, and connectors
Regulatory: Address compliance for public/industry regulations – SOX/JSOX, PCI, FISMA, HIPAA, GLBA, NERC
Business: Address scenarios common to most organizations – Identity Monitoring, Fraud Detection, Sensitive Data Protection
User Activity: A New Axis for Security Monitoring
Traditional SIEM – IP Address: Events, Scan Data, Location, Asset Data
IdentityView – User: Events, Attributes, Roles, Access Rights
Identity Correlation
Correlate common identifiers such as email address, badge ID, phone extension
Events occurring across devices that identify users by different attributes
Attribute the event to a unique “identity” allowing correlation across any type of device
Identifiers: rjackson, 348924323, robertj, rjackson_dba, 510-555-1212
Identity: Robert Jackson
Correlated Identity in Practice
IdentityView: With IdentityView, a simple event tells you much more
1. Correlates an IP with a user
2. Identifies the associated username
3. Enriches the event with user data
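The two slides above (Identity Correlation, and the three IdentityView steps) describe a technique whose mechanics are easy to get wrong, in particular the time dimension: an IP address only identifies a person while that person holds it. The following is an added example, not IdentityView code, that implements both slides with constructed data: a reverse index from every identifier on the slide (rjackson, 348924323, robertj, rjackson_dba, 510-555-1212) to the single identity "Robert Jackson", a session table that records who logged in from which IP and when, and an enrich() function that performs the three steps in order. The department and role values, the VPN logon at t=120, and all event dicts are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Identity:
    name: str
    department: str          # enrichment attributes (constructed)
    role: str
    identifiers: frozenset   # every identifier any device may report for this person

class IdentityStore:
    """Reverse index from any identifier (username, badge ID, phone extension, ...) to one identity."""
    def __init__(self, identities):
        self.by_identifier = {}
        for ident in identities:
            for key in ident.identifiers:
                key = key.lower()
                # An identifier shared by two people would attribute events to the wrong person;
                # refuse to build an ambiguous index rather than guess.
                if key in self.by_identifier and self.by_identifier[key] is not ident:
                    raise ValueError(f"identifier {key!r} is claimed by two identities")
                self.by_identifier[key] = ident

    def lookup(self, identifier) -> Optional[Identity]:
        return self.by_identifier.get(str(identifier).lower())

class SessionTable:
    """Which user held an IP address at a given time, learned from login events
    (VPN, DHCP, domain logon). Constructed for the example."""
    def __init__(self):
        self.starts = defaultdict(list)   # ip -> sorted list of (login_ts, username)

    def login(self, ip: str, user: str, ts: int):
        self.starts[ip].append((ts, user))
        self.starts[ip].sort()

    def user_at(self, ip: str, ts: int) -> Optional[str]:
        """Latest login on this IP that started at or before ts; None if nobody is known to hold it."""
        holder = None
        for start, user in self.starts.get(ip, []):
            if start <= ts:
                holder = user
            else:
                break
        return holder

IDENTIFIER_FIELDS = ("user", "badge", "phone", "email")

def enrich(event: dict, store: IdentityStore, sessions: SessionTable) -> dict:
    """The slide's three steps: (1) correlate the IP with a user when the event only
    carries an IP, (2) identify the username, (3) enrich the event with identity data."""
    out = dict(event)
    ident = None
    for field in IDENTIFIER_FIELDS:                 # step 2: any identifier the device reported
        if field in out:
            ident = store.lookup(out[field])
            if ident:
                break
    if ident is None and "src_ip" in out:          # step 1: fall back to who held the IP at that time
        user = sessions.user_at(out["src_ip"], out["ts"])
        if user:
            out["user"] = user
            ident = store.lookup(user)
    if ident is not None:                          # step 3: enrichment
        out["identity"] = ident.name
        out["department"] = ident.department
        out["role"] = ident.role
    return out

# Constructed demo data using the identifiers shown on the slide.
DEMO_STORE = IdentityStore([
    Identity("Robert Jackson", "Database Operations", "DBA",
             frozenset({"rjackson", "348924323", "robertj", "rjackson_dba", "510-555-1212"})),
])
DEMO_SESSIONS = SessionTable()
DEMO_SESSIONS.login("10.1.1.90", "robertj", 120)   # constructed VPN logon at t=120

if __name__ == "__main__":
    for ev in ({"ts": 150, "src_ip": "10.1.1.90", "name": "Snort alert"},
               {"ts": 151, "badge": 348924323, "name": "Entry denied"},
               {"ts": 110, "src_ip": "10.1.1.90", "name": "Port scan"}):
        print(enrich(ev, DEMO_STORE, DEMO_SESSIONS))
```

The third demo event is the edge case worth noticing: it comes from 10.1.1.90 at t=110, before anyone is known to have logged in from that address, so it is left unattributed rather than pinned on the user who showed up later. An identity store that blindly maps IP to "the user we usually see there" produces confident but wrong attributions, which is worse for an investigation than an honest blank.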
User Monitoring that Scales
Watch List (1000s): Layoffs, Contractors, Notice-Given, New Hires, Policy Violators
Monitored List (100s): Repeated Suspicious Activity, Repeated Policy Violations
Investigate List (10): High Confidence Violations, Excessive Escalations
Key Use Cases for IdentityView
Use Case                                          Business Requirement
User Attribution and Identity Mapping             Core
User Activity Reporting                           Core
Role Violations                                   Core
Privileged User Monitoring                        Security/Compliance
High Risk User Monitoring                         Security/IP Protection
Suspicious Activity Monitoring                    Security/IP Protection
Shared Account Usage                              Compliance/IP Protection
User, Role, and Access Management Tracking        IAM/IP Protection
Activity Based Role Modeling                      IAM/IP Protection
IAM and Directory Reporting                       IAM/IP Protection
Sensitive Information Monitoring                  IP Protection
*Core use cases map to all business requirements: Security, Compliance, Identity & Access Management, and IP Protection
Example Dashboard: Employee/Contractor Monitoring
Asset and User Modeling
Asset Model
Asset Repository: Supports up to a million assets to provide complete coverage
Susceptibility: Is the asset susceptible to the specific attack?
Asset Criticality: How important is this asset to the business?
Device Severity: Mapping of reporting device severity to ArcSight severity (if reported)
User Model
Identity: Who was the individual “behind the IP address” at the time of the event?
Role: Does the event match the role of the person performing it?
User profiling: Was suspicious behavior by this individual observed in the past?
Policy: What is the impact of this event on business risk?
• Understand true impact and risk
• Reduce false positives
• Focus on real threats to operations
Correlation
Multi-Variable Correlation
Benefit: Prioritize Accurately, Stop Sophisticated Threats
• Vulnerability risk correlation
• Event & field-matching correlation
• Multi-session correlation
• Moving-average correlation
• Stateful correlation
• Identity correlation
• Role correlation
• Dynamic network correlation
• Location correlation
• Anomaly correlation
• Threshold count correlation
• Universal event taxonomy
• No need to learn multiple log formats
• Device-independent rules and reports
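The Asset Model slide and the correlation list above name several ingredients without showing how they combine. The following is an added example (not ESM's rule engine or priority formula) that implements two of them on constructed data: vulnerability risk correlation, where the reporting device's severity is weighted by the target asset's business criticality and by whether the asset is actually susceptible to the vulnerability the event targets, and threshold-count correlation, which fires once per source the first time N events fall inside a sliding time window. The 0 to 10 priority scale, the weights, the vulnerability id "VULN-A", the asset entries and the event timestamps are all assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Asset model (constructed; ArcSight's own asset repository fields are not reproduced here).
@dataclass
class Asset:
    ip: str
    criticality: int                                   # 1 (lab box) .. 10 (crown-jewel system), business-assigned
    vulnerabilities: set = field(default_factory=set)  # vulnerability ids taken from scan data

ASSETS = {
    "10.1.1.10": Asset("10.1.1.10", 9, {"VULN-A"}),   # constructed: critical DB server, has VULN-A
    "10.1.1.20": Asset("10.1.1.20", 2, set()),         # constructed: test box, fully patched
}

def prioritize(event: dict, assets: dict) -> int:
    """Vulnerability risk correlation: weight the device's severity (0-10) by the asset's
    criticality and by its susceptibility to the vulnerability the event targets.
    The weights and the scale are this example's assumption, not ArcSight's formula."""
    asset = assets.get(event["dst_ip"])
    criticality = asset.criticality if asset else 5     # unknown asset: assume middle of the road
    targeted = event.get("vuln")
    if targeted is None:
        susceptibility = 1.0                            # event is not tied to a vulnerability
    elif asset is None:
        susceptibility = 0.5                            # cannot tell, so do not discard it either
    else:
        susceptibility = 1.0 if targeted in asset.vulnerabilities else 0.1
    priority = round(event["severity"] * (criticality / 10) * susceptibility)
    return max(0, min(10, priority))

def threshold_count(events, count: int, window_seconds: int, key: str = "src_ip") -> dict:
    """Threshold count correlation: fire once per key the first time `count` events from the
    same key fall inside a sliding window of `window_seconds`. Events must be time-ordered.
    Returns {key: timestamp_at_which_the_rule_fired}."""
    recent = defaultdict(deque)
    fired = {}
    for ev in events:
        k = ev[key]
        q = recent[k]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window_seconds:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= count and k not in fired:
            fired[k] = ev["ts"]
    return fired

# Constructed failed-login events (normalized already), sorted by time.
FAILED_LOGINS = sorted([
    *({"ts": t, "src_ip": "10.1.1.90"} for t in (0, 10, 20, 30, 40)),      # burst: five in 40 s
    *({"ts": t, "src_ip": "10.1.1.91"} for t in (5, 100)),                 # two attempts only
    *({"ts": t, "src_ip": "10.1.1.92"} for t in (0, 50, 100, 150, 200)),   # slow: never five in 60 s
], key=lambda e: e["ts"])

if __name__ == "__main__":
    attack = {"severity": 8, "vuln": "VULN-A"}
    for dst in ("10.1.1.10", "10.1.1.20", "10.1.1.99"):
        print(dst, "priority", prioritize({**attack, "dst_ip": dst}, ASSETS))
    print("threshold rule fired for:", threshold_count(FAILED_LOGINS, count=5, window_seconds=60))
```

The same IDS alert, with the same device severity, lands at priority 7 against the critical server that carries the targeted vulnerability and at 0 against the patched test box; that difference is the "reduce false positives" benefit on the Asset Model slide made concrete. The slow source 10.1.1.92 shows why the window matters: five failures spread over 200 seconds never coexist inside a 60-second window, so a count-only rule without a window would alert on it while the sliding-window rule correctly does not.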
ThreatDetector – Activity Profiling
A vital tool for preventative maintenance and early detection
Apply sophisticated data-mining techniques to event flows to create baselines of good and bad activity
Find previously undetected patterns of behavior
Periodically schedule pattern discovery to stay ahead of evolving exploit behavior
Take action on newly discovered patterns
Analyze and Investigate
Intuitive investigations and compliance relevant reporting
Active Channels for interactive investigations
Dashboards with Drill-to-detail / Executive Dashboards
– 125 Reusable, graphical building blocks (real-time data monitors)
– 48 Pre-built dashboards with Drill-to-detail
Powerful And Flexible Reporting
Out-of-Box Compliance Reporting
Long Term Trend Analysis
– events, policy violations, risk, or any other data
Robust Ad hoc Report Development
Build Custom Graphical Reports
– GUI-based, no programming needed
Multiple Distribution Formats
– HTML, XLS, PDF
Real-Time Alerting
– Alert actions can be configured for Critical Events
– Complete Alert Management Console
Notifications and Notification Templates
– Customizable Notification Messaging
– Email, pager or text message delivery
– SNMP alerts to leverage network management response teams
Priority Based Escalation of Notifications
Built-in Case Management
Cases and Workflow for compliance verification
Annotations: Track and escalate events through the workflow system
Cases: Create specific incidents for specific event occurrences
Stages: Process cases through predefined, collaborative workflow definitions
Attachments: Add additional context for incidents
Real-time Alerting and Notifications
– Email, Pager or Text Message
– SNMP alerts to leverage network management response teams
Integrated Growth Path
Benefit: Common Collection, Low TCO and Seamless integration
Growth path (top of the stack first): Guided Response, Advanced Correlation, Log Management, Collection
Extended use cases: Sensitive Data Security, User Activity Monitoring, Fraud Detection, Application Transaction Security
Across: Infrastructure, Databases, Transactions, Users
What Makes ArcSight Unique: Interoperability, Correlation, Unmatched in Scale
ArcSight, Inc.
Corporate Headquarters: 1 888 415 ARST
EMEA Headquarters: +44 (0)844 745 2068
Asia Pac Headquarters: +65 6248 4795
www.arcsight.com
ArcSight Compliance Package Framework
Business Relevance – regulations, standards and policies: SOX, NERC, PCI, HIPAA, GLBA, Basel II, ISO-27002, NIST 800-53, Business Policy, Risk Management
Primary Controls – Processes, Monitoring; Focus: Business Relevance, Asset Relevance
Analysis – Content formats: Reports, Dashboards, Active Lists, Real-Time Alerts, Rules
Secondary Controls – Technical Checks: Logon/Logoff, Super-User Activity, Privilege Changes, Terminated Employees, Config Changes, Vulnerabilities, Attack Status, System Activity
Data Feeds – Firewall, IDS/IPS, Networking Infrastructure, Application, Database, OS, IAM, HIDS, VA
Compliance Insight Package
Overview Dashboard