ArcSight Overview
Patrick EFAGWU HP Software West Africa

2010 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners. www.arcsight.com 2010 ArcSight Confidential 2

Gartner MQ 2011

ArcSight has complete separation from the pack
RSA drops off
CA exits the market
Everyone else clustered in the middle


HP Integrations


Monitoring is More Challenging Than Ever


You Need to See:
Networked Systems
Zero-day Threats
Critical Data Stores
Privileged Users
Network Connections
Fraud Techniques
Application Risk


Only ArcSight ETRM Can Address The Challenges


Effectively Tackle Complex Threats With Key Functions

300+ connectors out of the box
No toolkit to create new connectors, no R&D needed
1-2 weeks per custom connector

Easily scale to 100,000s EPS at low cost
Scalable data retention, store years of log data
Efficient, fast investigations

Complete correlation: Logs, Users, Network
Sophisticated correlation for complex threats
Mitigate modern threats, prevent breach and loss


ArcSight Collection: 300+ Products, 50+ Categories, 80+ Partners

Collection categories: Access and Identity, Anti-Virus, Applications, Content Security, Database, Data Security, Firewalls, Honeypot, Host IDS/IPS, Network IDS/IPS, Integrated Security, Log Consolidation, Mail Filtering, Mail Server, Mainframe, NBAD, Network Management, Network Monitoring, Net Traffic Analysis, Operating System, Policy Management, Router, Security Management, Switch, VPN, Vulnerability Mgmt, Web Cache, Web Filtering, Web Server, Wireless

Key Strength: Normalization

OS/390 Failed Login Event

UNIX Failed Login Event

Oracle Failed Login Event

Windows Failed Login Event

Badge Reader Entry Denied
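The five events above make the slide's point: each product reports the same fact (someone was refused access) in its own layout, and normalization maps all of them onto one shape so that a single rule can span every device. The following Python is an added example, not ArcSight code and not ArcSight's actual schema; the five log lines are constructed samples (their layouts are illustrative, not copied from the products named) and the schema field names are an assumption chosen for this example.

```python
"""Normalize failed-login events from five different sources into one schema.

Added example, not ArcSight code. The log lines below are constructed samples
(the layouts are illustrative, not copied from real products), and the schema
field names are an assumption chosen for this example.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NormalizedEvent:
    device_vendor: str
    device_product: str
    category: str   # "authentication" or "physical_access"
    outcome: str    # always "failure" for the samples here
    user: str       # account name or badge id, lower-cased
    source: str     # host, IP, terminal or door the attempt came from


# Constructed sample lines, one per source shown on the slide.
SAMPLE_LINES = [
    "RACF: USER(RJACKSON) LOGON FAILED INVALID PASSWORD TERMINAL(TSO01)",
    "sshd[2233]: Failed password for rjackson from 10.1.1.90 port 52214 ssh2",
    "ORA-01017: invalid username/password; logon denied USER=RJACKSON_DBA HOST=dbclient07",
    "Security,4625,An account failed to log on.,Account Name: robertj,Source Network Address: 10.1.1.90",
    "BADGE,348924323,DOOR=DC-EAST,RESULT=DENIED",
]


# One parser per native format; each returns the common shape or None.
def parse_os390(line):
    m = re.match(r"RACF: USER\((\w+)\) LOGON FAILED .* TERMINAL\((\w+)\)$", line)
    return m and NormalizedEvent("IBM", "OS/390 RACF", "authentication", "failure",
                                 m.group(1).lower(), m.group(2))


def parse_unix(line):
    m = re.match(r"sshd\[\d+\]: Failed password for (\S+) from (\S+) port \d+", line)
    return m and NormalizedEvent("OpenSSH", "sshd", "authentication", "failure",
                                 m.group(1).lower(), m.group(2))


def parse_oracle(line):
    m = re.match(r"ORA-01017: .* USER=(\w+) HOST=(\S+)$", line)
    return m and NormalizedEvent("Oracle", "Database", "authentication", "failure",
                                 m.group(1).lower(), m.group(2))


def parse_windows(line):
    m = re.match(r"Security,4625,.*Account Name: (\S+),Source Network Address: (\S+)$", line)
    return m and NormalizedEvent("Microsoft", "Windows Security", "authentication", "failure",
                                 m.group(1).lower(), m.group(2))


def parse_badge(line):
    m = re.match(r"BADGE,(\d+),DOOR=(\S+),RESULT=DENIED$", line)
    return m and NormalizedEvent("Badge Reader", "Physical Access", "physical_access", "failure",
                                 m.group(1), m.group(2))


PARSERS = (parse_os390, parse_unix, parse_oracle, parse_windows, parse_badge)


def normalize(line):
    """Try each parser; an unrecognized line yields None instead of a half-filled event."""
    for parser in PARSERS:
        event = parser(line)
        if event:
            return event
    return None


def normalize_all(lines):
    return [ev for ev in map(normalize, lines) if ev is not None]


# Once everything has the same shape, a single rule spans all devices.
def failures_by_user(events):
    return Counter(ev.user for ev in events if ev.outcome == "failure")


def users_failing_across_products(events, min_products=2):
    """Accounts with failures on at least `min_products` different products: a cross-device
    rule that would need one rule per log format without normalization."""
    products = defaultdict(set)
    for ev in events:
        if ev.outcome == "failure":
            products[ev.user].add(ev.device_product)
    return {user for user, seen in products.items() if len(seen) >= min_products}


if __name__ == "__main__":
    events = normalize_all(SAMPLE_LINES)
    for ev in events:
        print(ev)
    print(failures_by_user(events))
    print(users_failing_across_products(events))
```

Note that the Oracle and Windows samples carry different account names (rjackson_dba, robertj) for what is presumably one person; normalization alone does not join them, which is what the identity correlation slides later in the deck address.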


Use Everywhere
Fast collection (100K EPS collection rate)
Storage efficiency and flexibility (42 TB/instance, NAS/DAS/SAN)
Quick analysis (millions of EPS)

ArcSight Logger

Data Center Appliance

SAN-based Appliance

SMB/Regional Appliance

Multiple software deployment options

Benefit: Optimal price / performance for deployments of any size


Efficient and Intelligent Storage


RAID-enabled onboard capacity per appliance
Automatically analyze across onboard and archived data without restoring it
Automated enforcement of multiple retention policies

Diagram labels: LAN, ArcSight Logger, SAN, DAS, NAS

Benefit: Flexible, efficient and intelligent storage for all events



Forensics on the Fly


Personalized Dashboards
Drill-down reports
Real-time Alerting
Intelligent Search (screenshot: search for "10.1.1.90 AND Snort", with Search and Save search controls)


Correlation

Real-time, in-memory analysis of business events
Activity profiling to create baselines for context
Multiple visualizations for role-based presentation
Advanced correlation: from millions of events to the important incidents

Available as:

Data Center Rackable Appliance

Installable Software

Benefit: Focus resources only on important issues



Recap


ArcSight SIEM Platform

An integrated product set for collecting, processing, and assessing security and risk event information.

Module Layer
Rules/Alerts and Reports/Dashboards, supplied by ArcSight, built as Custom content, or provided by 3rd Parties

Core Engine Layer
Response Engine, Correlation Engine, Logging Engine

Integration Layer
Connectors collecting from: Network Devices, Security Devices, Physical Access, Mobile, Servers, Desktop, Identity Sources, Email, Databases, Apps


Integration Layer
Connectors
Collect in native log format from 300+ types of products
Transports: Syslog, SNMP, ODBC/JDBC, OPSEC, WMI, RDEP, SDEE, CSV/XML files
Normalize to a common format
Send to centralized engines via secure, guaranteed delivery

Available as:

Rackable Appliances

Branch Office/Store Appliance

Installable Software

Benefit: Insulates device choices from analysis



Log Management
ArcSight Logger
Efficient, self-managed archiving of terabytes of log data
Raw or normalized format
Pre-built reporting for security or compliance needs

Available as:

Data Center Log Storage & Management Appliance (35 TB max)

SAN-Based Log Management Appliance

SMB/Regional Log Storage & Management Appliance

Benefit: Cost-efficient compliance retention/reporting



Correlation
ArcSight ESM
Real-time analysis of business events
Activity profiling to create baselines for context
Flexible visualization for role-based presentation

Available as:

Data Center Rackable Appliance

Installable Software

Benefit: Focus resources only on important issues



Auto-Response
ArcSight Threat Response Manager
Network mapping to determine impact of problems
Auto or workflow-based response to contain users or devices
Action report for manual response to issues

Available as:

Rackable Appliance Option for ArcSight ESM

Benefit: Flexible, effective containment of problems



ArcSight Modules
ArcSight Solution Modules
Pre-built rules, reports, dashboards, and connectors
Regulatory: address compliance for public/industry regulations (SOX/JSOX, PCI, FISMA, HIPAA, GLBA, NERC)
Business: address scenarios common to most organizations (Identity Monitoring, Fraud Detection, Sensitive Data Protection)

Available as:

Installable Software

Pre-configured Appliances

Benefit: Rapid deployment by leveraging best practices



User Activity: A New Axis for Security Monitoring


Diagram labels: Traditional SIEM: Events, Asset Data (IP Address, Scan Data). IdentityView: Events, User (Access Rights, Attributes, Location, Roles).


Identity Correlation

Correlate common identifiers such as email address, badge ID, phone extension
Events occurring across devices identify users by different attributes
Attribute the event to a unique identity, allowing correlation across any type of device

Identifiers: rjackson, 348924323, jackson@arc.com, robertj, rjackson_dba, 510-555-1212

Identity

Robert Jackson


Correlated Identity in Practice


With IdentityView, a simple event

Tells you much more

IdentityView:
1. Correlates an IP with a user
2. Identifies the associated username
3. Enriches the event with user data
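The two identity slides (the identifier set that resolves to Robert Jackson, and the three IdentityView steps: IP to user, user to username, username to user attributes) as one added Python example. It is not ArcSight code; the identity records, the DHCP/VPN lease history that answers "who held this address at that time", and the events are constructed. Robert Jackson's identifiers are taken from the slide; his department, role and location, and the second person, are invented.

```python
"""Identity correlation and event enrichment, as described on the IdentityView slides.

Added example, not ArcSight code. The identity records, the DHCP/VPN lease
history and the events are constructed; Robert Jackson's identifiers come from
the slide, his department, role and location are invented attributes.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Identity:
    full_name: str
    department: str
    role: str
    location: str
    identifiers: frozenset  # every login, badge, e-mail and phone identifier known for the person


IDENTITIES = [
    Identity("Robert Jackson", "Database Operations", "DBA", "Lagos HQ",
             frozenset({"rjackson", "348924323", "jackson@arc.com", "robertj",
                        "rjackson_dba", "510-555-1212"})),
    Identity("Amina Smith", "Finance", "Analyst", "Abuja",
             frozenset({"asmith", "amina.smith@arc.com"})),
]


def build_identifier_index(identities):
    """Map every identifier (case-insensitive) to exactly one identity."""
    index = {}
    for ident in identities:
        for key in ident.identifiers:
            key = key.lower()
            if key in index:
                # Two people claiming one identifier cannot be auto-resolved; surface it.
                raise ValueError(f"identifier {key!r} is claimed by two identities")
            index[key] = ident
    return index


INDEX = build_identifier_index(IDENTITIES)


@dataclass(frozen=True)
class Lease:
    ip: str
    user: str
    start: datetime
    end: datetime


# Constructed lease history: 10.1.1.90 changes hands at 10:00, and nobody holds it after 14:00.
T0 = datetime(2010, 6, 1, 8, 0)
LEASES = [
    Lease("10.1.1.90", "robertj", T0, T0 + timedelta(hours=2)),
    Lease("10.1.1.90", "asmith", T0 + timedelta(hours=2), T0 + timedelta(hours=6)),
]


def user_for_ip(ip, at, leases):
    """Step 1: who held the address at the time of the event (start inclusive, end exclusive)."""
    for lease in leases:
        if lease.ip == ip and lease.start <= at < lease.end:
            return lease.user
    return None


def resolve_identity(identifier):
    """Step 2: any known identifier (login, badge id, e-mail, phone) to the unique identity."""
    return INDEX.get(identifier.lower()) if identifier else None


def enrich(event, leases=LEASES):
    """Step 3: attach the person's attributes; events that cannot be attributed stay unattributed."""
    user = event.get("user") or user_for_ip(event.get("src_ip"), event["ts"], leases)
    ident = resolve_identity(user)
    enriched = dict(event, resolved_user=user, identity=None)
    if ident is not None:
        enriched.update(identity=ident.full_name, department=ident.department,
                        role=ident.role, location=ident.location)
    return enriched


# Constructed events: two Windows failures from the same IP at different times,
# one badge denial carrying only a badge number, one failure after the last lease ended.
EVENTS = [
    {"ts": T0 + timedelta(minutes=30), "src_ip": "10.1.1.90", "user": None, "name": "Windows failed login"},
    {"ts": T0 + timedelta(hours=3), "src_ip": "10.1.1.90", "user": None, "name": "Windows failed login"},
    {"ts": T0 + timedelta(minutes=35), "src_ip": None, "user": "348924323", "name": "Badge entry denied"},
    {"ts": T0 + timedelta(hours=7), "src_ip": "10.1.1.90", "user": None, "name": "Windows failed login"},
]


def events_per_identity(events):
    """Count attributed events per person; unattributed ones are left out of the tally."""
    return Counter(e["identity"] for e in map(enrich, events) if e["identity"])


if __name__ == "__main__":
    for ev in EVENTS:
        print(enrich(ev))
    print(events_per_identity(EVENTS))
```

The time-bounded lease lookup is the part that matters most in practice: the same address resolves to two different people an hour apart, and an event with no matching lease is left unattributed rather than pinned on whoever held the address last.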

User Monitoring that Scales

Investigate List (10): High Confidence Violations, Excessive Escalations
Monitored List (100s): Repeated Suspicious Activity, Repeated Policy Violations
Watch List (1000s): Layoffs, Contractors, Notice-Given, New Hires, Policy Violators

Key Use Cases for IdentityView


Use Case                                      Business Requirement
User Attribution and Identity Mapping         Core*
User Activity Reporting                       Core*
Role Violations                               Core*
Privileged User Monitoring                    Security/Compliance
High Risk User Monitoring                     Security/IP Protection
Suspicious Activity Monitoring                Security/IP Protection
Shared Account Usage                          Compliance/IP Protection
User, Role, and Access Management Tracking    IAM/IP Protection
Activity Based Role Modeling                  IAM/IP Protection
IAM and Directory Reporting                   IAM/IP Protection
Sensitive Information Monitoring              IP Protection

*Core use cases map to all business requirements: Security, Compliance, Identity & Access Management, and IP Protection

Example Dashboard: Employee/Contractor Monitoring


Asset and User Modeling


Asset Model and User Model: the questions the models answer about each event

Device Severity: mapping of reporting device severity to ArcSight severity (if reported)
Asset Repository: supports up to a million assets to provide complete coverage
Susceptibility: is the asset susceptible to the specific attack?
Asset Criticality: how important is this asset to the business?
Identity: who was the individual behind the IP address at the time of the event?
Role: does the event match the role of the person performing it?
User profiling: was suspicious behavior by this individual observed in the past?
Policy: what is the impact of this event on business risk?

Understand true impact and risk
Reduce false positives
Focus on real threats to operations
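Each question on this slide is one input to a priority decision. The following Python is an added example, not ArcSight's scoring or code: it maps a reporting device's own severity scale to a common 0-10 scale, then adjusts for asset criticality, whether the asset is susceptible to the specific attack, the user's prior history, and whether the action fits the user's role. The severity mapping table, the assets, the users, the events and the "ATTACK-A"/"ATTACK-B" identifiers are constructed placeholders.

```python
"""Event prioritization from the asset and user models on this slide.

Added example, not ArcSight code and not its actual scoring. The severity
mapping table, the assets, the users and the events are constructed; attack
identifiers like "ATTACK-A" are placeholders, not real signature ids.
"""
from dataclasses import dataclass

# Device Severity: each product reports on its own scale; map every scale to 0-10.
# Constructed mapping; "snort" reuses the product name shown on the search slide.
SEVERITY_MAP = {
    "snort": {"1": 9, "2": 6, "3": 3, "4": 1},
    "firewall_x": {"critical": 9, "error": 6, "warning": 4, "info": 1},
    "oracle_audit": {"failed_login": 4, "privilege_grant": 7},
}


def normalize_severity(device, raw):
    """Unknown devices or values land on a neutral 5 so the event is not silently dropped."""
    return SEVERITY_MAP.get(device, {}).get(raw, 5)


@dataclass(frozen=True)
class Asset:
    ip: str
    criticality: int                          # Asset Criticality, 1 (lab box) to 5 (core system)
    susceptible_to: frozenset = frozenset()   # attack ids the asset is vulnerable to (from scan data)


@dataclass(frozen=True)
class UserProfile:
    name: str
    role: str
    prior_suspicious_events: int  # User profiling: past observations of suspicious behavior


@dataclass(frozen=True)
class Event:
    device: str
    raw_severity: str
    target_ip: str
    attack_id: str = None         # set for exploit/IDS events, None for plain audit events
    required_role: str = None     # Role: who is expected to perform this action


def prioritize(event, asset, user=None):
    """Return (priority 0-10, reasons). Each model contributes one adjustment."""
    reasons = []
    severity = normalize_severity(event.device, event.raw_severity)
    reasons.append(f"device severity {event.raw_severity!r} normalized to {severity}")

    # Asset Criticality: scale severity by how much the business depends on the target.
    score = severity * (0.4 + asset.criticality / 10)
    reasons.append(f"asset criticality {asset.criticality}")

    # Susceptibility: an exploit against an asset that is not vulnerable to it is mostly noise.
    if event.attack_id is not None:
        if event.attack_id in asset.susceptible_to:
            reasons.append("asset is susceptible to this attack")
        else:
            score *= 0.3
            reasons.append("asset not susceptible: probable false positive")

    if user is not None:
        # User profiling: prior suspicious behavior raises the priority.
        if user.prior_suspicious_events > 0:
            score += 1
            reasons.append(f"{user.prior_suspicious_events} prior suspicious event(s) for {user.name}")
        # Role: an action outside the actor's role deserves more attention than the same action by its owner.
        if event.required_role and user.role != event.required_role:
            score += 1
            reasons.append(f"role mismatch: {user.role} performed a {event.required_role} action")

    return round(min(10.0, max(0.0, score)), 1), reasons


# Constructed models and events.
LAB_HOST = Asset("10.1.1.50", criticality=2, susceptible_to=frozenset({"ATTACK-B"}))
DB_SERVER = Asset("10.1.1.20", criticality=5, susceptible_to=frozenset({"ATTACK-A"}))
ANALYST = UserProfile("asmith", role="Analyst", prior_suspicious_events=2)
DBA = UserProfile("rjackson", role="DBA", prior_suspicious_events=0)

IDS_ALERT_LAB = Event("snort", "1", LAB_HOST.ip, attack_id="ATTACK-A")
IDS_ALERT_DB = Event("snort", "1", DB_SERVER.ip, attack_id="ATTACK-A", required_role="DBA")
DB_LOGIN_FAIL = Event("oracle_audit", "failed_login", DB_SERVER.ip, required_role="DBA")

if __name__ == "__main__":
    print(prioritize(IDS_ALERT_LAB, LAB_HOST))             # same raw severity, low priority
    print(prioritize(IDS_ALERT_DB, DB_SERVER, ANALYST))    # same raw severity, top priority
    print(prioritize(DB_LOGIN_FAIL, DB_SERVER, DBA))       # the DBA failing to log in to his own DB
```

The two Snort alerts carry the identical raw severity; only the asset and user context separates the one that is a false positive against a patched lab host from the one that hits a vulnerable core system from an account outside the expected role. The reasons list is kept so an analyst can see which model moved the score.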

Multi-Variable Correlation

Correlation

Universal event taxonomy
No need to learn multiple log formats
Device-independent rules and reports

Correlation types:
Vulnerability risk correlation
Event & field-matching correlation
Multi-session correlation
Moving-average correlation
Stateful correlation
Identity correlation
Role correlation
Dynamic network correlation
Location correlation
Anomaly correlation
Threshold count correlation

Benefit: Prioritize Accurately, Stop Sophisticated Threats
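Two of the correlation types listed above, threshold count and moving average, run over a constructed event stream. This is an added Python example, neither ArcSight's engine nor its rule language; the stream, the source addresses and the thresholds are constructed for illustration.

```python
"""Two of the correlation types listed on the slide, run over a constructed event stream:
threshold-count correlation (N events from one source inside a sliding window) and
moving-average correlation (a per-minute count far above its own baseline).

Added example, not ArcSight's engine or its rule syntax. The stream, thresholds and
source addresses are constructed for illustration.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: int       # seconds since start of the stream
    src: str     # source address
    name: str


def build_stream():
    """Ten minutes of background failed logins (3 per minute, rotating sources) plus a
    burst of 20 failures from 10.1.1.90 inside minute 7."""
    events = []
    for minute in range(10):
        for i in range(3):
            events.append(Event(minute * 60 + 5 + 20 * i,
                                f"10.1.1.{10 + (minute * 3 + i) % 5}", "failed_login"))
    for i in range(20):
        events.append(Event(7 * 60 + 2 * i, "10.1.1.90", "failed_login"))
    return sorted(events, key=lambda e: e.t)


def threshold_count(events, threshold=5, window=60):
    """Alert when one source produces `threshold` events within `window` seconds.
    The per-source window is reset after each alert, so a long burst gives one alert
    per `threshold` events instead of one per event."""
    recent = defaultdict(deque)
    alerts = []
    for ev in events:
        q = recent[ev.src]
        q.append(ev.t)
        while q and ev.t - q[0] > window:   # expire timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev.t, ev.src, len(q)))
            q.clear()
    return alerts


def bucket_counts(events, bucket=60):
    """Events per fixed bucket, including empty buckets, ordered by time."""
    counts = Counter(ev.t // bucket for ev in events)
    return [counts.get(b, 0) for b in range(max(counts) + 1)]


def moving_average(counts, alpha=0.3, factor=3.0, warmup=3, floor=5):
    """Alert when a bucket exceeds `factor` times the exponential moving average
    (and an absolute `floor`, so quiet hours do not alert on tiny counts).
    Anomalous buckets are not folded into the baseline; otherwise the burst
    would raise the average and hide a repeat."""
    ema = None
    alerts = []
    for idx, count in enumerate(counts):
        if ema is None:
            ema = float(count)
            continue
        if idx >= warmup and count > max(floor, factor * ema):
            alerts.append((idx, count, round(ema, 2)))
            continue
        ema = alpha * count + (1 - alpha) * ema
    return alerts


if __name__ == "__main__":
    stream = build_stream()
    print(threshold_count(stream))
    print(moving_average(bucket_counts(stream)))
```

The threshold rule finds the source; the moving-average rule finds the minute, without knowing any source in advance. The warmup and floor parameters are the usual knobs for keeping a baseline rule quiet while the baseline is still forming or when the normal rate is close to zero.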



ThreatDetector Activity Profiling


A vital tool for preventative maintenance and early detection
Apply sophisticated data-mining techniques to event flows to create baselines of good and bad activity
Find previously undetected patterns of behavior

Periodically schedule pattern discovery to stay ahead of evolving exploit behavior


Take action on newly discovered patterns


Analyze and Investigate


Intuitive investigations and compliance-relevant reporting
Active Channels for interactive investigations
Dashboards with Drill-to-detail
Executive Dashboards
125 reusable, graphical building blocks (real-time data monitors)
48 pre-built dashboards with Drill-to-detail


Powerful And Flexible Reporting

Out-of-Box Compliance Reporting
Long Term Trend Analysis: events, policy violations, risk, or any other data
Robust Ad-hoc Report Development
Build Custom Graphical Reports: GUI-based, no programming needed
Multiple Distribution Formats: HTML, XLS, PDF


Real-Time Alerting

Alert actions can be configured for Critical Events
Complete Alert Management Console
Notifications and Notification Templates: customizable notification messaging; Email, pager or text message delivery; SNMP alerts to leverage network management response teams
Priority-Based Escalation of Notifications


Built-in Case Management


Cases and Workflow for compliance verification
Annotations: track and escalate events through the workflow system
Cases: create specific incidents for specific event occurrences
Stages: process cases through predefined, collaborative workflow definitions
Attachments: add additional context for incidents
Real-time Alerting and Notifications: Email, Pager or Text Message; SNMP alerts to leverage network management response teams


Integrated Growth Path


Diagram labels: Collection; Log Management; Advanced Correlation; Users: User Activity Monitoring; Databases: Sensitive Data Security; Transactions: Application Transaction Security; Infrastructure: Fraud Detection; Guided Response

Benefit: Common Collection, Low TCO and Seamless integration



What Makes ArcSight Unique

Unmatched in

Interoperability

Correlation

Scale

ArcSight, Inc. Corporate Headquarters: 1 888 415 ARST EMEA Headquarters: +44 (0)844 745 2068 Asia Pac Headquarters: +65 6248 4795 www.arcsight.com


ArcSight Compliance Package Framework


Content formats: Reports, Dashboards, Active Lists, Rules, Real-Time Alerts
Focus: Asset Relevance, Business Relevance, Policy Monitoring, Risk Management, Analysis, Technical Checks
Regulations and standards: SOX, NERC, PCI, HIPAA, GLBA, Basel II, ISO-27002, NIST 800-53
Business Processes: Logon/Logoff, Privilege Changes, Config Changes, Attack Status, Super-User Activity, Terminated Employees, Vulnerabilities, System Activity
Data Feeds (Primary Controls and Secondary Controls): Application, Firewall, Database, IDS/IPS, OS, IAM, HIDS, VA, Networking Infrastructure


Compliance Insight Package Overview Dashboard
