Micro Focus Presentation Template · The Splunk Processing Language & ArcSight Interactive...


#MicroFocusCyberSummit


Data Simplicity:

Peter Titov – Micro Focus

ArcSight Data Platform enhances enterprise data via the Common Event Format

Usage What do we ask of our data?

Ingestion How do we get our data where it needs to go?

Management Where is the easiest place to manage data?

Solutions Why I can have my cake & eat it too.

3

Agenda

Smartconnector Ingest

ArcMC Manage

Event Broker Route

Logger Immutable storage

4

ADP: Hold up! Wait a minute.

What is ADP, what is included with it, and what is CEF?

CEF: Common Event Format

Normalized data

Ideal for real-time correlation

Ideal for known requests

Reports, dashboards, filters, lists, etc.

Raw data

Ideal for hunting expeditions of the unknown

Compliance mandates

5

Normalized Data vs Raw Data: Usage

Normalization of Raw Data

Regardless of when the data is analyzed, normalization will occur in some fashion.

Data will be formatted

Data will be read

Data will be interpreted

Approaches to Normalization

Pre-ingest – Formatting

Parsing upstream, as close to the log source as possible

Weight of normalization is on the SmartConnector

Post-ingest – Modeling

Parsing downstream, as close to the log destination as possible

Weight of normalization is on the Indexer

6

Normalized Data vs Raw Data: Ingestion

Transport

Encrypt or obfuscate

Enrich

Aggregate

Secure

Under budget

7

Normalized Data vs Raw Data: Management

Events are lumped together

ArcSight fields are not indexed and/or inaccurately captured

Aggregated ArcSight data compounds this problem

Indexing terabytes of data is exceptionally costly

8

Normalized Data vs Raw Data: Challenges

9

Normalized Data vs Raw Data: Platform Solutions

Elastic

Splunk

Sumo

HDFS

ArcSight X-Pack

ArcSight Integrator

CEF Syslog Parsing

Data Lake vs Data Warehouse

Fully normalized data aligned to CEF via Logstash

Aggregate data for faster searching

Machine learning & analytics

Awesome visualizations via Kibana

Additional data routing and ETL capabilities

10

Platform Solutions: Elastic & ArcSight X-Pack

Best part: it's bundled with Elastic when installed!

Download and install Elastic:

https://www.elastic.co/downloads

Point ArcSight Connectors or Event Broker/Kafka to Logstash:

https://www.elastic.co/guide/en/logstash/current/arcsight-module.html

Helpful guide for beginning your journey:

https://community.softwaregrp.com/t5/ArcSight-User-Discussions/Elasticsearch-Installation-and-ArcSight-Module-Configuration/m-p/1616812

11

ADP & Elastic: Implementation

Fully normalized data aligned to CEF

Aggregating data to drastically reduce Splunk licensing

Splunk & ArcSight syntax similarities:

Share content quickly and easily between platforms

Increase efficiency of Splunk performance

12

Platform Solutions: Splunk & ArcSight Integrator

Simply add the ArcSight Integrator and either point CEF syslog at it or consume the CEF Kafka topic.

The Splunk Processing Language & ArcSight Interactive Search share many similarities

A unified schema enables the cross-pollination of query syntax, e.g.:

ArcSight

sourceAddress="10.0.0.1" | top destinationAddress

Splunk

index="arcsight" AND sourceAddress="10.0.0.1" | top destinationAddress
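As an added example (not from the deck): a small Python parser that turns CEF syslog lines into ArcSight-style field names and then runs the equivalent of the `sourceAddress="10.0.0.1" | top destinationAddress` query above over constructed sample events. The sample lines and the CEF-key-to-field mapping subset are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines carrying CEF (not from the deck); line 5
# exercises the CEF escapes '\|' in the header and '\=' in the extension.
SAMPLE_LINES = [
    r"<134>Oct 10 10:00:01 fw01 CEF:0|Vendor|Firewall|1.0|100|Allow|3|src=10.0.0.1 dst=10.0.0.50 dpt=443",
    r"<134>Oct 10 10:00:02 fw01 CEF:0|Vendor|Firewall|1.0|100|Allow|3|src=10.0.0.1 dst=10.0.0.50 dpt=443",
    r"<134>Oct 10 10:00:03 fw01 CEF:0|Vendor|Firewall|1.0|101|Deny|7|src=10.0.0.1 dst=10.0.0.99 dpt=22",
    r"<134>Oct 10 10:00:04 fw01 CEF:0|Vendor|Firewall|1.0|100|Allow|3|src=10.0.0.2 dst=10.0.0.50 dpt=80",
    r"<134>Oct 10 10:00:05 px01 CEF:0|Vendor|Proxy\|Web|1.0|200|Request|1|src=10.0.0.1 dst=10.0.0.50 msg=path\=/login ok",
]
# Subset of the CEF extension dictionary: short key -> ArcSight field name.
CEF_TO_ARCSIGHT = {"src": "sourceAddress", "dst": "destinationAddress",
                   "dpt": "destinationPort", "msg": "message"}
HEADER_FIELDS = ("cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
                 "deviceEventClassId", "name", "severity")

def _unescape(value, chars="|\\"):
    # Undo CEF escaping: '\|' and '\\' in the header, '\=' and '\\' in extensions.
    return re.sub(r"\\([" + re.escape(chars) + "])", r"\1", value)

def parse_cef(line):
    """Parse one syslog line carrying a CEF message into ArcSight-style fields."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF message in line")
    # Split on unescaped pipes only; the 8th piece (if any) is the extension.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    event = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    if len(parts) == 8:
        ext = parts[7]
        # Keys start at line start or after whitespace; values run to the next key.
        keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext))
        for i, m in enumerate(keys):
            end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
            field = CEF_TO_ARCSIGHT.get(m.group(1), m.group(1))
            event[field] = _unescape(ext[m.end():end].strip(), "=\\")
    return event

def top(events, field, **where):
    """Equivalent of `sourceAddress="x" | top destinationAddress` on parsed events."""
    hits = [e for e in events if all(e.get(k) == v for k, v in where.items())]
    return Counter(e[field] for e in hits if field in e).most_common()

def top_destinations(lines, source):
    return top([parse_cef(l) for l in lines], "destinationAddress", sourceAddress=source)

if __name__ == "__main__":
    print(top_destinations(SAMPLE_LINES, "10.0.0.1"))  # [('10.0.0.50', 3), ('10.0.0.99', 1)]
```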

13

ADP & Splunk: Powerful Together

Reduce license utilization by 83% for one feed (from 9,000 to 1,500)

$1.35 million in savings from this one example*

14

ADP & Splunk: Aggregation Testimonial

*Based upon ESM License pricing

Add the ArcSight Technology Add-on (TA) for your ingest method:

Splunk_TA_ArcSight_Integrator_for_SmartConnectors

https://splunkbase.splunk.com/app/4133/

CEF Syslog Destinations

Splunk_TA_ArcSight_Integrator_for_EB_or_Kafka

https://splunkbase.splunk.com/app/4135/

Kafka topic of CEF data

https://splunkbase.splunk.com/app/4136/

Configure connectors to aggregate data per included instructions

Link to Protect724 for Splunk Add-On

15

ADP & Splunk: Implementation

Optional: Leverage the Splunk_SA_ArcSight_Integrator (Support Add-on) for CEF-based dashboards and queries

Fully normalized data aligned to CEF

Aggregating data to reduce Sumo licensing

Increase efficiency of Sumo performance

16

Platform Solutions: Sumo & CEF Syslog

17

Platform Solutions: HDFS Data Warehouse

Data Lake vs Data Warehouse

When platforms collaborate:

They become a force multiplier for their customers

Everyone wins: users have faster searches AND managers have lower costs.

Big data means thinking big and looking at the big picture.

18

Final Thoughts

At the end of the day, we are all on the same team:

Thank You.

#MicroFocusCyberSummit

Contact: Peter Titov
Peter.Titov@microfocus.com
Peter.Titov@gmail.com
(412)-720-7938
