ArcSight Overview
Patrick EFAGWU HP Software West Africa
2010 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners. www.arcsight.com 2010 ArcSight Confidential
Market position (analyst chart): ArcSight has complete separation from the pack; RSA drops off; CA exits the market; everyone else is clustered in the middle.
HP Integrations
[Slide graphic; labels: Network Connections, Fraud Techniques, Application Risk]
- Easily scale to 100,000s EPS at low cost
- Scalable data retention: store years of log data
- Efficient, fast investigations
- Complete correlation: logs, users, network
- Sophisticated correlation for complex threats
- Mitigate modern threats, prevent breach and loss
[Slide graphic; integration categories: NBAD, Network Management, Network Monitoring, Net Traffic Analysis, Operating System]
Use Everywhere
- Fast collection (100K EPS collection rate)
- Storage efficiency and flexibility (42 TB/instance; NAS/DAS/SAN)
- Quick analysis (millions of EPS)
ArcSight Logger form factors: SAN-based appliance; SMB/regional appliance
[Deployment diagram: ArcSight Logger on the LAN (example address 10.1.1.90) with SAN, DAS or NAS storage]
Intelligent Search
Correlation
- Real-time, in-memory analysis of business events
- Activity profiling to create baselines for context
Available as: Installable Software
Recap
An integrated product set for collecting, processing, and assessing security and risk event information.
[Architecture diagram]
Module Layer: Rules/Alerts; Reports/Dashboards; Custom
Integration Layer: Connectors
Event sources: Network Devices, Security Devices, Physical Access, Mobile, Servers, Desktop, Identity Sources, Databases, Apps
Integration Layer
Connectors
- Collect in native log format from 300+ types of products
- Transports and formats: Syslog, SNMP, ODBC/JDBC, OPSEC, WMI, RDEP, SDEE, CSV/XML files
- Normalize to a common format
- Send to centralized engines via secure, guaranteed delivery
Available as: Rackable Appliances; Installable Software
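What "normalize to a common format" means in practice: the same three fields (who, from where, how bad) arrive in three native layouts and must land in one schema before any rule or report can use them. The example below is added here and is not ArcSight connector code. The three raw lines, the vendor names, the schema field names and the device-severity mapping (the slide's "mapping of reporting device severity to ArcSight severity") are constructed assumptions; only the CEF header layout follows the published Common Event Format.

```python
"""Normalize raw log lines from three devices into one common event schema and
render each as a CEF line. Added example, not ArcSight connector code; raw line
formats, vendor names, field names and the severity mapping are assumptions."""
import csv
import io
import json
import re
from datetime import datetime, timezone

# Constructed sample input: one native format per device.
RAW_LINES = [
    "<134>Jan 12 10:03:17 fw01 fwd: action=deny src=10.1.1.90 dst=203.0.113.5 dport=445 sev=high",
    "2010-01-12T10:03:20Z,auth,dc01,Logon Failure,4625,rjackson,10.1.1.90,warning",
    '{"ts":"2010-01-12T10:03:25Z","app":"portal","event":"login_ok",'
    '"user":"jackson@arc.com","ip":"10.1.1.90","level":"info"}',
]

# Device-specific severity words mapped onto one 0-10 scale (assumed mapping).
SEVERITY_SCALE = {"debug": 0, "info": 2, "notice": 3, "warning": 5, "high": 8, "critical": 10}


def to_severity(word):
    """Unknown or missing device severities land on 5 (medium) rather than being dropped."""
    return SEVERITY_SCALE.get(str(word).lower(), 5)


def iso(ts):
    """Canonical UTC timestamp string; accepts a trailing Z or an explicit offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).isoformat()


def event(**fields):
    """Every parser fills the same keys, so rules never see device-specific names."""
    base = dict.fromkeys(["timestamp", "device_vendor", "device_product", "device_host",
                          "event_name", "severity", "src_ip", "dst_ip", "dst_port", "user", "outcome"])
    base.update(fields)
    return base


SYSLOG_RE = re.compile(r"^<(\d+)>(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+): (.*)$")


def parse_syslog_kv(line, year=2010):
    """Syslog with a key=value body. Classic syslog carries no year, so one is assumed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    _pri, ts, host, prog, body = m.groups()
    kv = dict(tok.split("=", 1) for tok in body.split() if "=" in tok)
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return event(timestamp=when.isoformat(), device_vendor="ExampleFW", device_product=prog,
                 device_host=host, event_name=f"{prog} {kv.get('action', 'unknown')}",
                 severity=to_severity(kv.get("sev")), src_ip=kv.get("src"), dst_ip=kv.get("dst"),
                 dst_port=int(kv["dport"]) if kv.get("dport", "").isdigit() else None,
                 outcome=kv.get("action"))


CSV_FIELDS = ["timestamp", "category", "host", "event_name", "event_id", "user", "src_ip", "severity"]


def parse_csv(line):
    """Fixed-column CSV; a row with the wrong column count is rejected, not guessed at."""
    row = next(csv.reader(io.StringIO(line)), None)
    if not row or len(row) != len(CSV_FIELDS):
        return None
    r = dict(zip(CSV_FIELDS, row))
    return event(timestamp=iso(r["timestamp"]), device_vendor="ExampleOS", device_product=r["category"],
                 device_host=r["host"], event_name=r["event_name"], severity=to_severity(r["severity"]),
                 src_ip=r["src_ip"], user=r["user"],
                 outcome="failure" if "failure" in r["event_name"].lower() else "success")


def parse_json(line):
    """JSON application log; malformed JSON or a missing required key rejects the line."""
    try:
        d = json.loads(line)
        return event(timestamp=iso(d["ts"]), device_vendor="ExampleApp", device_product=d["app"],
                     device_host=d["app"], event_name=d["event"], severity=to_severity(d.get("level")),
                     src_ip=d.get("ip"), user=d.get("user"),
                     outcome="success" if d["event"].endswith("_ok") else "failure")
    except (ValueError, KeyError):
        return None


def normalize_line(line):
    """Pick a parser from the line's shape; None means the line needs a parser, not a guess."""
    line = line.strip()
    if line.startswith("<"):
        return parse_syslog_kv(line)
    if line.startswith("{"):
        return parse_json(line)
    return parse_csv(line)


def normalize_all(lines):
    return [e for e in (normalize_line(l) for l in lines) if e is not None]


def cef_escape(value, header):
    """CEF escapes backslashes everywhere, pipes in the header and equals signs in extensions."""
    s = str(value).replace("\\", "\\\\")
    return s.replace("|", "\\|") if header else s.replace("=", "\\=")


def to_cef(e):
    """CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension"""
    head = [0, e["device_vendor"], e["device_product"], "1.0",
            e["event_name"].replace(" ", "_"), e["event_name"], e["severity"]]
    rt = int(datetime.fromisoformat(e["timestamp"]).timestamp() * 1000)  # rt: epoch milliseconds
    ext = {"rt": rt, "dvchost": e["device_host"], "src": e["src_ip"], "dst": e["dst_ip"],
           "dpt": e["dst_port"], "suser": e["user"], "outcome": e["outcome"]}
    return "CEF:" + "|".join(cef_escape(v, True) for v in head) + "|" + \
        " ".join(f"{k}={cef_escape(v, False)}" for k, v in ext.items() if v is not None)


if __name__ == "__main__":
    for ev in normalize_all(RAW_LINES):
        print(to_cef(ev))
```

Two design points carry over to any real connector: a line that no parser accepts is returned as None and counted, never silently coerced into a half-filled event, and the severity scale is decided once at normalization time so downstream rules compare like with like across a firewall, a domain controller and a web application.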
Log Management
ArcSight Logger
- Efficient, self-managed archiving of terabytes of log data
- Raw or normalized format
- Pre-built reporting for security or compliance needs
Available as:
Correlation
ArcSight ESM
- Real-time analysis of business events
- Activity profiling to create baselines for context
- Flexible visualization for role-based presentation
Available as: Installable Software
Auto-Response
ArcSight Threat Response Manager
- Network mapping to determine the impact of problems
- Automatic or workflow-based response to contain users or devices
- Action report for manual response to issues
Available as:
ArcSight Modules
ArcSight Solution Modules
- Pre-built rules, reports, dashboards, and connectors
- Regulatory: address compliance with public/industry regulations
- Business: address scenarios common to most organizations
Available as: Installable Software; Pre-configured Appliances
IdentityView
[Slide graphic; data brought together: Events; Asset Data (IP Address, Scan Data); User data (Access Rights, Attributes, Location, Roles)]
Identity Correlation
- Correlate common identifiers such as email address, badge ID, phone extension
- Events occurring across devices identify users by different attributes
- Attribute the event to a unique identity, allowing correlation across any type of device
Identifiers: rjackson, 348924323, jackson@arc.com, robertj, rjackson_dba, 510-555-1212
Identity: Robert Jackson
IdentityView:
1. Correlates an IP with a user
2. Identifies the associated username
3. Enriches the event with user data
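The three steps above, and the identifier-to-identity mapping from the previous slide, as an added example that is not IdentityView's own code. The directory, the IP lease table (built from VPN/DHCP logon and logoff events) and the events are constructed; the six identifiers for Robert Jackson are the ones shown on the slide, and the second identity, the department and role attributes and the device names are assumptions. The example also covers the case the slide does not show: an IP whose lease has expired is left unattributed rather than guessed.

```python
"""Identity correlation over constructed events: map whatever identifier a device
reports (username, badge ID, e-mail, DBA account, phone extension, or only an IP)
to one identity and enrich the event with user data. Added example, not
IdentityView code; directory, leases and events are constructed."""
from datetime import datetime, timezone


def T(hour, minute):
    return datetime(2010, 1, 12, hour, minute, tzinfo=timezone.utc)


# Constructed user directory. Each identity lists every identifier a device may report.
DIRECTORY = {
    "Robert Jackson": {
        "identifiers": ["rjackson", "348924323", "jackson@arc.com", "robertj", "rjackson_dba", "510-555-1212"],
        "department": "Database Operations", "role": "DBA", "location": "HQ",
    },
    "Alice Wong": {  # assumed second identity so that the IP changes hands
        "identifiers": ["awong", "348900011", "wong@arc.com"],
        "department": "Finance", "role": "Analyst", "location": "HQ",
    },
}


def build_identifier_index(directory):
    """identifier (case-folded) -> identity name; an identifier owned by two people is an error."""
    index = {}
    for name, rec in directory.items():
        for ident in rec["identifiers"]:
            key = ident.lower()
            if key in index and index[key] != name:
                raise ValueError(f"identifier {ident!r} maps to two identities")
            index[key] = name
    return index


# Constructed IP-to-user sessions derived from VPN/DHCP logon and logoff events.
LEASES = [
    {"ip": "10.1.1.90", "identifier": "robertj", "start": T(9, 0), "end": T(11, 0)},
    {"ip": "10.1.1.90", "identifier": "awong", "start": T(12, 0), "end": T(13, 0)},
]


def user_for_ip(ip, when, leases=LEASES):
    """Step 1: who held this IP at the time of the event? None if no lease covers that instant."""
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= when < lease["end"]:
            return lease["identifier"]
    return None


def resolve(event, index, directory=DIRECTORY, leases=LEASES):
    """Steps 2 and 3: find the identifier, map it to an identity, enrich the event."""
    out = dict(event)
    ident = event.get("user") or user_for_ip(event.get("src_ip"), event["time"], leases)
    name = index.get(ident.lower()) if ident else None
    out["resolved_user"] = ident
    out["identity"] = name
    if name:  # enrichment only when attribution succeeded; unattributed events stay bare
        rec = directory[name]
        out.update(department=rec["department"], role=rec["role"], location=rec["location"])
    return out


# Constructed events already in a common schema; each device names the user differently.
EVENTS = [
    {"time": T(8, 55), "device": "badge-reader", "user": "348924323", "src_ip": None, "name": "door open"},
    {"time": T(9, 30), "device": "oracle-audit", "user": "RJACKSON_DBA", "src_ip": "10.1.1.90", "name": "SELECT on CARDS"},
    {"time": T(10, 3), "device": "firewall", "user": None, "src_ip": "10.1.1.90", "name": "deny 445/tcp"},
    {"time": T(10, 20), "device": "mail-gw", "user": "jackson@arc.com", "src_ip": "10.1.1.90", "name": "send 9 MB attachment"},
    {"time": T(11, 30), "device": "firewall", "user": None, "src_ip": "10.1.1.90", "name": "deny 445/tcp"},
    {"time": T(12, 15), "device": "firewall", "user": None, "src_ip": "10.1.1.90", "name": "allow 443/tcp"},
]


def correlate(events=EVENTS, directory=DIRECTORY, leases=LEASES):
    index = build_identifier_index(directory)
    return [resolve(e, index, directory, leases) for e in events]


def activity_by_identity(resolved):
    """Distinct devices seen per identity: the cross-device view a username or IP alone cannot give."""
    seen = {}
    for e in resolved:
        if e["identity"]:
            seen.setdefault(e["identity"], set()).add(e["device"])
    return {k: sorted(v) for k, v in seen.items()}


if __name__ == "__main__":
    for e in correlate():
        print(e["time"].time(), e["device"], e["resolved_user"], "->", e["identity"])
    print(activity_by_identity(correlate()))
```

The lease lookup is time-bounded on purpose: the same address belongs to Robert Jackson at 10:03 and to someone else at 12:15, and at 11:30 to nobody the logs can vouch for. Attributing that 11:30 event to the last known holder would be the classic false positive that identity correlation exists to avoid.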
[Use-case matrix (slide graphic): each core use case is tagged with the business requirements it serves: Security, Compliance, IAM, IP Protection]
*Core use cases map to all business requirements: Security, Compliance, Identity & Access Management, and IP Protection
User Model
- Device Severity: mapping of reporting device severity to ArcSight severity (if reported)
- Asset Repository: supports up to a million assets to provide complete coverage
- Identity: who was the individual behind the IP address at the time of the event?
- Policy: what is the impact of this event on business risk?
- Susceptibility: is the asset susceptible to the specific attack?
- Role: does the event match the role of the person performing it?
- User profiling: was suspicious behavior by this individual observed in the past?
- Asset Criticality: how important is this asset to the business?
Understand true impact and risk; reduce false positives; focus on real threats to operations
Multi-Variable Correlation
Correlation
- Universal event taxonomy: no need to learn multiple log formats; device-independent rules and reports
- Correlation types: vulnerability risk correlation; event and field-matching correlation; multi-session correlation; moving-average correlation; stateful correlation; identity correlation; role correlation; dynamic network correlation; location correlation; anomaly correlation; threshold count correlation
Pattern discovery
- A vital tool for preventative maintenance and early detection
- Apply sophisticated data-mining techniques to event flows to create baselines of good and bad activity
- Find previously undetected patterns of behavior
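Two of the correlation types listed above, threshold count and moving-average, written out as stateful rules so the difference between them is visible. This is an added example in plain Python, not ArcSight's rule language or engine; the event tuples, the thresholds (5 failures in 60 seconds; a per-minute count more than three standard deviations above, and at least double, the source's history) and the alert dictionaries are assumptions for illustration. The constructed input deliberately includes a slow brute force that the fixed window misses, which is the kind of case the baseline rule is meant to complement.

```python
"""Two stateful correlation rules run over constructed events: a threshold count
inside a sliding window, and a moving-average baseline per source. Added example,
not ArcSight rule syntax; thresholds, windows, events and alert format are assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev


def T(minute, second=0):
    """Timestamps inside one constructed hour."""
    return datetime(2010, 1, 12, 10, minute, second, tzinfo=timezone.utc)


# Constructed events: (time, source ip, event name). Three sources:
#   10.1.1.90  fires 5 logon failures in 48 s, then succeeds
#   10.1.1.7   fires 1 logon failure every 4 minutes for 20 minutes (slow brute force)
#   10.1.1.50  sends 2 web requests a minute for 10 minutes, then 30 in one minute
EVENTS = sorted(
    [(T(0, s), "10.1.1.90", "Logon Failure") for s in range(0, 60, 12)]
    + [(T(1, 5), "10.1.1.90", "Logon Success")]
    + [(T(m, 3), "10.1.1.7", "Logon Failure") for m in range(0, 20, 4)]
    + [(T(m, s), "10.1.1.50", "Web Request") for m in range(10) for s in (10, 40)]
    + [(T(10, s), "10.1.1.50", "Web Request") for s in range(30)]
)


class ThresholdCountRule:
    """Fire when `count` matching events share a key inside `window` (e.g. 5 failures in 60 s)."""

    def __init__(self, name, match, key, count, window):
        self.name, self.match, self.key, self.count, self.window = name, match, key, count, window
        self.seen = defaultdict(deque)  # key -> timestamps of matching events still in window

    def feed(self, ev):
        if not self.match(ev):
            return None
        ts, q = ev[0], self.seen[self.key(ev)]
        q.append(ts)
        while ts - q[0] > self.window:     # expire events that fell out of the window
            q.popleft()
        if len(q) < self.count:
            return None
        q.clear()                          # one alert per burst, not one per extra event
        return {"rule": self.name, "key": self.key(ev), "time": ts, "count": self.count}


class MovingAverageRule:
    """Count events per key per bucket; alert when a closed bucket is far above that key's history."""

    def __init__(self, name, key, bucket=timedelta(minutes=1), warmup=5, sigma=3.0):
        self.name, self.key, self.bucket, self.warmup, self.sigma = name, key, bucket, warmup, sigma
        self.history = defaultdict(list)   # key -> counts of closed buckets (the baseline)
        self.open = {}                     # key -> [bucket start, count] of the bucket being filled

    def _start(self, ts):
        secs = self.bucket.total_seconds()
        return datetime.fromtimestamp(ts.timestamp() // secs * secs, tz=timezone.utc)

    def _close(self, key, cur):
        hist, count = self.history[key], cur[1]
        alert = None
        if len(hist) >= self.warmup:       # no verdicts until the baseline has enough buckets
            mu, sd = mean(hist), pstdev(hist)
            # both tests: outside the sigma band AND at least double the mean, so a perfectly
            # flat baseline (sd == 0) does not alert on a count of 3 instead of 2
            if count > mu + self.sigma * sd and count > 2 * mu:
                alert = {"rule": self.name, "key": key, "time": cur[0], "count": count, "baseline": mu}
        hist.append(count)                 # the bucket joins the baseline after it is judged
        return alert

    def feed(self, ev):
        key, start = self.key(ev), self._start(ev[0])
        cur = self.open.get(key)
        if cur is None or cur[0] == start:
            self.open[key] = [start, cur[1] + 1 if cur else 1]
            return None
        alert = self._close(key, cur)      # a later bucket closes the previous one
        self.open[key] = [start, 1]
        return alert

    def flush(self):
        """Close every open bucket at end of input. Quiet buckets with no events are not
        represented, so a source that goes silent does not pull its own baseline down."""
        alerts = [self._close(k, cur) for k, cur in self.open.items()]
        self.open.clear()
        return [a for a in alerts if a]


def run_rules(events=EVENTS):
    """Feed time-ordered events to both rules; return alerts in the order they fired."""
    threshold = ThresholdCountRule("5 logon failures in 60 s", match=lambda e: e[2] == "Logon Failure",
                                   key=lambda e: e[1], count=5, window=timedelta(seconds=60))
    baseline = MovingAverageRule("event rate above source baseline", key=lambda e: e[1])
    alerts = []
    for ev in sorted(events):
        for rule in (threshold, baseline):
            a = rule.feed(ev)
            if a:
                alerts.append(a)
    return alerts + baseline.flush()


if __name__ == "__main__":
    for a in run_rules():
        print(a["rule"], a["key"], a["time"].time(), a["count"])
```

Running it produces exactly two alerts: the 48-second burst from 10.1.1.90 trips the threshold rule, and the 30-request minute from 10.1.1.50 trips the baseline rule. The one-failure-every-four-minutes source never has five events inside any 60-second window and never accumulates enough buckets to be judged against its own history, which is why a real deployment pairs fixed-window rules with longer-horizon profiling rather than relying on either alone.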
Real-Time Alerting
- Alert actions can be configured for critical events
- Complete alert management console
Cases and Workflow for compliance verification
- Annotations: track and escalate events through the workflow system
- Cases: create specific incidents for specific event occurrences
- Stages: process cases through predefined, collaborative workflow definitions
- Attachments: add additional context for incidents
Real-time Alerting and Notifications
- Email, pager or text message
- SNMP alerts to leverage network management response teams
[Closing slide graphic; labels: Databases, Sensitive Data Security, Advanced Correlation, Users, User Activity Monitoring, Log Management, Collection, Transactions, Application Transaction Security, Infrastructure, Fraud Detection]
Unmatched in: Interoperability, Correlation, Scale
ArcSight, Inc. Corporate Headquarters: 1 888 415 ARST EMEA Headquarters: +44 (0)844 745 2068 Asia Pac Headquarters: +65 6248 4795 www.arcsight.com
[Compliance solution architecture (slide graphic)]
Module content: Reports, Dashboards, Active Lists, Rules, Real-Time Alerts
Relevance: Asset Relevance; Business Relevance
Regulations and frameworks: SOX, NERC, PCI, HIPAA, GLBA, Basel II, ISO-27002, NIST 800-53
Business Processes: Policy Monitoring, Risk Management, Analysis
Technical Checks: Logon/Logoff, Privilege Changes, Config Changes, Attack Status
Data Feeds: Application Firewall, Database, IDS/IPS, OS, IAM, HIDS, VA, Networking Infrastructure