Page 1: 5-ArcSight_Labbe

18/03/2010 © 2010 ArcSight Confidential 1

Technology Day

Genève, 17 March 2010

Jean-Luc Labbe, ArcSight

Southern EMEA Sales Engineer

Cell +39 335 879 0307

[email protected]

Page 2: 5-ArcSight_Labbe


ArcSight - Company Overview

Company Background

• Founded May 2000

• 2000+ customers

• 450+ employees, offices worldwide

• NASDAQ: ARST

Analyst Recognition

• #1 In-use for both SIEM & Log Management

• #1 in Market Share – Last three reports

• SIEM Leader's Quadrant – SIX years running

Industry Recognition

Page 3: 5-ArcSight_Labbe


Agenda

- Log collection and normalization, the first step of analysis

- With ArcSight Express, correlation at a lower cost

Page 4: 5-ArcSight_Labbe


The Real Challenge

Event sources: Network Devices, Servers, Mobile, Desktop, Security Devices, Physical Access, Apps, Databases, Identity Sources, Email

Millions of events generated per day

No central point of collection and analysis

Too difficult to manage security and risk

Page 5: 5-ArcSight_Labbe


Reduce Risk by Understanding the Big Picture

Connect the dots

Collect information everywhere

Analyze it for a clear picture

Take action to resolve problems early

Page 6: 5-ArcSight_Labbe


Understanding the Big Picture

SIEM enables centralized visibility of enterprise events

Event sources: Network Devices, Servers, Mobile, Desktop, Security Devices, Physical Access, Apps, Databases, Identity Sources, Email

Page 7: 5-ArcSight_Labbe


ArcSight - Centralized Security Monitoring Platform

An integrated product set for collecting and assessing security and risk information.

Event sources: Network Devices, Servers, Mobile, Desktop, Security Devices, Physical Access, Apps, Databases, Identity Sources, Email

Integration Layer: Data Collection (ArcSight Connectors)

Core Engine Layer: Log Management (ArcSight Logger), Event Correlation (ArcSight ESM), Guided Response (ArcSight Threat Response Module)

Module Layer (each module provides Rules and Reports/Logic): Business (EnterpriseView, IdentityView, FraudView), 3rd Party, Regulatory

Page 8: 5-ArcSight_Labbe


Integration & Core Engine Layers – Flows & Interactions

Integration Layer: ArcSight Smart Connectors collect from the event sources (Network Devices, Servers, Mobile, Desktop, Security Devices, Physical Access, Apps, Databases, Identity Sources, Email)

Core Engine Layer: ArcSight ESM (Correlation), ArcSight Logger (Log Management), ArcSight Threat Response Manager (Auto Response)

Page 9: 5-ArcSight_Labbe


Integration Layer

Page 10: 5-ArcSight_Labbe


Integration Layer – ArcSight Connectors

Connectors:

• Collect in native log format from 275+ types of products

• Normalize to a common format

• Send to centralized engines via secure, reliable delivery

Available as:

• Rackable Appliances (Connector Appliance)

• Branch Office/Store Appliance (Connector Appliance)

• Installable Software

Benefit: Insulates device choices from analysis

Page 11: 5-ArcSight_Labbe


ArcSight Connectors - 275+ Products, 50+ Categories, 80+ Partners

Access and Identity

Anti-Virus

Applications

Content Security

Database

Data Security

Firewalls

Honeypot

Network IDS/IPS

Host IDS/IPS

Integrated Security

Log Consolidation

Mail Filtering

Mail Server

Mainframe

NBAD

Network Management

Network Monitoring

Net Traffic Analysis

Policy Management

Security Management

Router Web Cache

Web Filtering

Switch

Vulnerability Mgmt

Web Server

Operating System

VPN

Wireless

Page 12: 5-ArcSight_Labbe


ArcSight Connectors - Primary Functions

ArcSight SmartConnectors process each *RAW Event through four layers and emit an ArcSight Event:

1. Event Extraction Layer

2. Normalization Layer

3. Categorization Layer

4. Delivery Layer

Page 13: 5-ArcSight_Labbe


ArcSight Connectors - Event Extraction Layer

Event Extraction Layer – ArcSight SmartConnectors, deployed as Agent OR Agentless

Event Sources:

• Syslog

• SNMP Traps

• Files (Delimited, RegEx, XML)

• ODBC Databases

• Custom (Flex API)

Capabilities:

• Filtering

• Aggregation

• Field Mapping

• Polling Options

Page 14: 5-ArcSight_Labbe


ArcSight Connectors - Normalization Layer

Raw event:

Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside

Normalized events (Normalization Layer – ArcSight SmartConnectors):

| Time (Event Time) | name | DeviceVendor deviceProduct | CategoryBehavior | CategoryDeviceGroup | CategoryOutcome | CategorySignificance |
| 6/17/2009 9:29 | Deny | CISCO Pix | /Access | /Firewall | /Failure | /Informational/Warning |
| 6/17/2009 9:30 | Deny | NetScreen Firewall/VPN | /Access/Start | /Firewall | /Failure | /Informational/Warning |
| 6/17/2009 9:31 | Deny | CISCO Pix | /Access | /Firewall | /Failure | /Informational/Warning |
| 6/17/2009 9:32 | Deny | NetScreen Firewall/VPN | /Access/Start | /Firewall | /Failure | /Informational/Warning |

Page 15: 5-ArcSight_Labbe


ArcSight Connectors - Categorization Layer

Jun 02 2005 12:16:03: CISCO PIX: PERMIT TCP

Jun 02 2005 12:16:03: CHECK POINT: ALLOW TCP

Jun 02 2005 12:16:03: NETSCREEN: ACCEPT TCP

Failed logins across the enterprise as simple as: "/Authentication/Verify" AND "/Failure"

Categorization Layer – ArcSight SmartConnectors
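The normalization and categorization slides above describe how vendor-specific verbs (Deny/Permit, Allow, Accept) are mapped onto common category fields so that one query works across products. The following added example, written for this page and not ArcSight's own connector code, parses the slide's raw PIX line and the three shorthand vendor lines, assigns category fields from a small mapping table, and runs the "/Authentication/Verify" AND "/Failure" style query; the category table, the Check Point product name and the sshd line are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ArcSightEvent:
    """Subset of the normalized fields shown on the normalization slide."""
    event_time: str
    name: str
    device_vendor: str
    device_product: str
    category_behavior: str
    category_device_group: str
    category_outcome: str
    category_significance: str
    raw: str  # original line kept next to the normalized fields


# Categorization table (assumption): vendor verbs collapse onto common categories,
# so "Deny" on a PIX and "deny" on a NetScreen look alike afterwards.
FIREWALL_VERBS = {
    "deny":   ("/Access", "/Failure", "/Informational/Warning"),
    "permit": ("/Access", "/Success", "/Informational"),
    "allow":  ("/Access", "/Success", "/Informational"),
    "accept": ("/Access", "/Success", "/Informational"),
}
VENDOR_PRODUCT = {
    "CISCO PIX": ("CISCO", "Pix"),
    "CHECK POINT": ("Check Point", "Firewall"),   # product name is an assumption
    "NETSCREEN": ("NetScreen", "Firewall/VPN"),
}

TS = r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
# Real PIX 106015 syntax, as in the slide's raw event
PIX_RE = re.compile(TS + r": %PIX-\d-\d+: (?P<verb>Deny|Permit) (?P<proto>\w+) .*?"
                    r"from (?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/\d+")
# Shorthand "VENDOR: VERB PROTO" lines as drawn on the categorization slide
SIMPLE_RE = re.compile(TS + r": (?P<vendor>CISCO PIX|CHECK POINT|NETSCREEN): "
                       r"(?P<verb>\w+) (?P<proto>\w+)")
# Constructed OpenSSH failed-login line (not on the slide): a non-firewall source
SSHD_RE = re.compile(r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
                     r"Failed password for (?P<user>\S+) from (?P<src>[\d.]+)")


def normalize(raw: str) -> Optional[ArcSightEvent]:
    """Extraction + normalization + categorization for one raw line."""
    m = PIX_RE.match(raw)
    if m:
        beh, out, sig = FIREWALL_VERBS[m["verb"].lower()]
        return ArcSightEvent(m["ts"], m["verb"], "CISCO", "Pix", beh, "/Firewall", out, sig, raw)
    m = SIMPLE_RE.match(raw)
    if m:
        vendor, product = VENDOR_PRODUCT[m["vendor"]]
        beh, out, sig = FIREWALL_VERBS[m["verb"].lower()]
        return ArcSightEvent(m["ts"], m["verb"].capitalize(), vendor, product,
                             beh, "/Firewall", out, sig, raw)
    m = SSHD_RE.match(raw)
    if m:
        return ArcSightEvent(m["ts"], "Failed password", "OpenSSH", "sshd",
                             "/Authentication/Verify", "/Operating System",
                             "/Failure", "/Informational/Warning", raw)
    return None  # unparsed: a connector would still forward the raw event


def category_search(events: List[ArcSightEvent], *terms: str) -> List[ArcSightEvent]:
    """Device-independent query: every term must prefix-match one category field."""
    def cats(e: ArcSightEvent):
        return (e.category_behavior, e.category_device_group,
                e.category_outcome, e.category_significance)
    return [e for e in events if all(any(c.startswith(t) for c in cats(e)) for t in terms)]


# Constructed sample feed: the slide's PIX line, the three shorthand lines, one sshd line
RAW_EVENTS = [
    "Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 "
    "to 204.110.227.16/443 flags FIN ACK on interface outside",
    "Jun 02 2005 12:16:03: CISCO PIX: PERMIT TCP",
    "Jun 02 2005 12:16:03: CHECK POINT: ALLOW TCP",
    "Jun 02 2005 12:16:03: NETSCREEN: ACCEPT TCP",
    "Jun 02 12:16:05 host1 sshd[4242]: Failed password for mjohnson from 10.0.0.5 port 51515 ssh2",
]


def normalized_feed() -> List[ArcSightEvent]:
    return [e for e in (normalize(r) for r in RAW_EVENTS) if e is not None]


if __name__ == "__main__":
    feed = normalized_feed()
    for e in category_search(feed, "/Access", "/Success"):
        print(e.device_vendor, e.name)  # three vendors, one category
    for e in category_search(feed, "/Authentication/Verify", "/Failure"):
        print(e.device_product, e.name, e.raw)
```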

Page 16: 5-ArcSight_Labbe


ArcSight Connectors - Delivery Layer

- Encryption (Capable of FIPS 140-2 Encryption)

- Compression (Up to 80% over the wire compression)

- Split Feeds (Each feed has independent cache)

- Bandwidth Management (Rate Limiting based on Time of Day)

- HA (Failover Configuration)

Delivery Layer – ArcSight SmartConnectors

Event Sources → Connector (Guaranteed Delivery, Batching, Scheduling, Cache) → ArcSight Destinations (Encrypted, Compressed, Split Feeds, Rate Limiting, Fail-Over)

Destinations: ESM and/or Logger, with Failover / HA, or DestinationA_FilterA and DestinationB_FilterB, or...

Many options, scenarios…

Page 17: 5-ArcSight_Labbe


Integration Layer – Connector Appliance Specifications

| Model | C1000 | C3200 | C5200 |
| Management | Web browser, CLI | Web browser, CLI | Web browser, CLI |
| OS | CentOS 4.6 64-bit | Oracle Enterprise Linux 4 64-bit | Oracle Enterprise Linux 4 64-bit |
| Max EPS | 400 | 2500 | 5000 |
| Onboard Connectors | 4 | 16 | 32 |
| Remote Connector Management | No | Up to 500 | Up to 1000 |
| Max Devices | By EPS only | By EPS only | By EPS only |
| CPU | 1 x Intel Celeron 220 1.2 GHz | 1 x Intel Xeon Quad Core | 2 x Intel Xeon Quad Core |
| RAM | 1GB | 6GB | 12GB |
| Storage | 120GB | 500GB | 2 x 500GB - RAID1 |
| Chassis | Table Top | 1U | 1U |
| Power | External (100 - 240 VAC) | 480 W (100 - 240 VAC) | 2 x 500 W (100 - 240 VAC) |
| Redundant Power | No | No | Yes |
| Ethernet Interfaces | 1 x Fast Ethernet | 2 x Gigabit Ethernet | 2 x Gigabit Ethernet |
| Dimensions (D x W x H) | 10.83" x 8.27" x 2.56" | 24.7" x 17.1" x 1.7" | 24.7" x 17.1" x 1.7" |

Actual performance will depend on factors specific to a user's environment.

Page 18: 5-ArcSight_Labbe


Log Management

Page 19: 5-ArcSight_Labbe


Core Engine Layer - Log Management

ArcSight Logger:

• Efficient, self-managed archiving of terabytes of log data

• Raw or normalized format

• Pre-built reporting for security or compliance needs

Available as:

• Data Center Log Storage & Management Appliance (35 TB max)

• SAN-Based Log Management Appliance

• SMB/Regional Log Storage & Management Appliance

Benefit: Cost-efficient compliance retention/reporting

Page 20: 5-ArcSight_Labbe


Logger – Efficient & Intelligent Storage (1/2)

• Up to 50TB of online data per appliance

• Onboard & External (SAN) storage options

• Automatic archival

• Analyze across onboard and externally archived data

• Granular role-based access controls

• Automated enforcement of multiple retention policies

Diagram: Logger appliances attached over the LAN, with SAN and NAS as external storage.

Page 21: 5-ArcSight_Labbe


Logger – Efficient & Intelligent Storage (2/2)

Diagram: Devices (A–H) → Device Groups (1–3) → Storage Rules (Priority 5, 10, 15) → Storage Groups (1–2) → Storage Volume

Logger 4 supports up to 6 Storage Groups (Internal SG + Default SG + 4 SGs that you can create).

Storage Rules create a mapping between the Device Groups and the Storage Groups.

Each Storage Rule has a unique priority value, and the lower value has the higher priority.

Each Storage Group can have a different retention policy, which is specified in terms of the number of days that events are stored and the overall maximum size in GB.

Events from specific IP addresses can be routed to particular Storage Groups, making it possible to store all router events, for example, in a Storage Group with a short retention period, and business-critical host events in another Storage Group with a longer retention period.
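The storage-rule model above (device groups mapped to storage groups by uniquely prioritised rules, lower value winning, each group with its own retention) is small enough to model end to end. The following added example is written for this page, not taken from Logger, and routes a device that belongs to two device groups; the group names, IP addresses, retention values and the Internal/Default group sizes are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class StorageGroup:
    name: str
    retention_days: int   # events older than this are eligible for removal
    max_size_gb: int      # overall size cap of the group


@dataclass(frozen=True)
class StorageRule:
    priority: int         # unique; the LOWER value wins when several rules match
    device_group: str
    storage_group: str


class LoggerStorage:
    """Device -> Device Group(s) -> Storage Rule -> Storage Group, as on the slide.
    Limits follow the slide (Logger 4: Internal + Default + 4 user-created groups);
    the Internal/Default sizes are assumptions."""
    MAX_USER_GROUPS = 4

    def __init__(self) -> None:
        self.groups: Dict[str, StorageGroup] = {
            "Internal": StorageGroup("Internal", 365, 10),
            "Default": StorageGroup("Default", 30, 500),
        }
        self.device_groups: Dict[str, Set[str]] = {}
        self.rules: List[StorageRule] = []

    def add_storage_group(self, sg: StorageGroup) -> None:
        if len(self.groups) - 2 >= self.MAX_USER_GROUPS:
            raise ValueError("Logger 4 allows only 4 user-created storage groups")
        self.groups[sg.name] = sg

    def add_device_group(self, name: str, device_ips: List[str]) -> None:
        self.device_groups[name] = set(device_ips)

    def add_rule(self, rule: StorageRule) -> None:
        if any(r.priority == rule.priority for r in self.rules):
            raise ValueError(f"priority {rule.priority} already used")  # must be unique
        if rule.device_group not in self.device_groups or rule.storage_group not in self.groups:
            raise KeyError("rule references an unknown device group or storage group")
        self.rules.append(rule)

    def route(self, device_ip: str) -> StorageGroup:
        """Storage group for an event from device_ip: lowest priority value among
        the matching rules; Default SG when no rule matches."""
        matching = [r for r in self.rules if device_ip in self.device_groups[r.device_group]]
        if not matching:
            return self.groups["Default"]
        best = min(matching, key=lambda r: r.priority)
        return self.groups[best.storage_group]

    def retained(self, device_ip: str, age_days: int) -> bool:
        """Is an event of this age still inside its storage group's retention window?"""
        return age_days <= self.route(device_ip).retention_days


def build_demo() -> LoggerStorage:
    """Constructed setup: routers to a short-retention group, critical hosts to a long one."""
    ls = LoggerStorage()
    ls.add_storage_group(StorageGroup("ShortRetention", 30, 1000))
    ls.add_storage_group(StorageGroup("LongRetention", 365, 5000))
    ls.add_device_group("Routers", ["10.0.0.1", "10.0.0.2", "10.0.0.9"])
    ls.add_device_group("CriticalHosts", ["10.0.0.9", "10.0.1.5"])  # 10.0.0.9 is in both groups
    ls.add_rule(StorageRule(priority=10, device_group="Routers", storage_group="ShortRetention"))
    ls.add_rule(StorageRule(priority=5, device_group="CriticalHosts", storage_group="LongRetention"))
    return ls


if __name__ == "__main__":
    demo = build_demo()
    for ip in ("10.0.0.1", "10.0.0.9", "192.168.7.7"):
        print(ip, "->", demo.route(ip).name)
```

The device present in both groups lands in the long-retention group because priority 5 beats priority 10, which is the behaviour to verify when a critical host also happens to be a member of a broad device group.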

Page 22: 5-ArcSight_Labbe


Logger – Hundreds of Out-of-the-Box Reports

e.g. the PCI Package includes 70 reports based on the PCI DSS

Page 23: 5-ArcSight_Labbe


Logger – Using Reports

Quick Run: Runs the report using the default data filtering configuration, which was set at report deploy time. Provides options to change start and end time parameters, storage groups, and devices included in the scope of the report run.

Run in Background: Use this option to run reports that take a long time to generate or that are not required online immediately.

Run: Provides options to modify the data filter criteria used by the report query for this run. You can specify a maximum number of rows to include in the report, and perform various comparison and logical operations on event fields.

Published: Displays the list of previously generated reports that have not yet expired. You can view the user (user name) who generated the report, the generation time, and the expiry time of the report. The report can be viewed as well as deleted from the saved report list.

Edit: Opens the Report Designer for the associated report, where you can make changes to the underlying query the report uses.

Page 24: 5-ArcSight_Labbe


Logger – Dive Into A Report Template (Example) 1/3

Page 25: 5-ArcSight_Labbe


Logger – Forensics On-the-Fly (Dashboards)

Page 26: 5-ArcSight_Labbe


Logger – Google Like Search Anything

"Google Like Search": requires no familiarity with various log syntaxes

Clean and structured viewing of logs

Active results for quick drill down

Example search: failure windows mjohnson

ArcSight Cybersecurity survey: More than 75% said they very rarely or hardly ever knew what exactly to look for when researching a cyber attack

• Unstructured raw text search for fast forensic analysis

+

• Structured data search to simplify investigations

=

• Unified analysis across all data for complete visibility and fast detection and remediation of cyber-attacks

Page 27: 5-ArcSight_Labbe


Logger – Logger Specifications

| Model | L3200 & L3200-PCI | L7200-SAN | L7200s | L7200x |
| Management | Web browser, CLI | Web browser, CLI | Web browser, CLI | Web browser, CLI |
| OS | Oracle Enterprise Linux 4, 64-bit | Oracle Enterprise Linux 4, 64-bit | Oracle Enterprise Linux 4, 64-bit | Oracle Enterprise Linux 4, 64-bit |
| Compression | Up to 10:1 | Up to 10:1 | Up to 10:1 | Up to 10:1 |
| Max Devices | 200 | Unrestricted | 500 | Unrestricted |
| RAW EPS | 2000 | 75000 | 5000 | 100000 |
| Onboard Connectors | 4 | No | No | No |
| Connector EPS | 200 | N/A | N/A | N/A |
| Remote Connector Management | 20 (5 containers) | N/A | N/A | N/A |
| CPU | 1 x Intel Xeon Quad 2.0 GHz | 2 x Intel Xeon Quad 2.0 GHz | 2 x Intel Xeon Quad 2.0 GHz | 2 x Intel Xeon Quad 2.0 GHz |
| RAM | 12GB | 24GB | 24GB | 24GB |
| Storage | 2 x 1TB - RAID1 | External SAN | 6 x 1TB - RAID5 | 6 x 1TB - RAID5 |
| Chassis | 1U | 2U | 2U | 2U |
| Power | 480W (Non-Redundant) | 2 x 870W (Redundant) | 2 x 870W (Redundant) | 2 x 870W (Redundant) |
| Ethernet Interfaces | 2 x 10/100/1000 | 4 x 10/100/1000 | 4 x 10/100/1000 | 4 x 10/100/1000 |
| Host Bus Adapter | N/A | Emulex Lpe 11002 | N/A | N/A |
| Dimensions | 24.7" x 17.1" x 1.7" | 24.7" x 17.1" x 1.7" | 24.7" x 17.1" x 1.7" | 24.7" x 17.1" x 1.7" |

Actual performance will depend on factors specific to a user's environment.

Supported Sources:

• ArcSight Common Event Format (CEF), ArcSight ESM

• Raw syslog (TCP/UDP), Raw file-based logs (FTP, SCP, SFTP)

• Analysis optimized collection for 275+ commercial products

• FlexConnector framework for legacy event sources

| Logger Model | Physical Capacity¹ | Effective Capacity | Compression |
| L3200 / L3200-PCI | .78TB | ~7.8TB | Up to 10:1 |
| L7200s/L7200x | 4.2TB | ~42TB | Up to 10:1 |
| L7200-SAN | 5TB² | ~50TB | Up to 10:1 |

¹ Capacity prior to compression.

² Allocate 5.4TB in order to use 5TB.

Page 28: 5-ArcSight_Labbe


Correlation

Page 29: 5-ArcSight_Labbe


Core Engine Layer - Correlation

ArcSight ESM:

• Real-time analysis of business events

• Activity profiling to create baselines for context

• Flexible visualization for role-based presentation

Available as: Data Center Rackable Appliance, Installable Software

Benefit: Focus resources only on important issues

Page 30: 5-ArcSight_Labbe


Correlation - Filter Out the Noise and Focus on Key Issues

From Millions of Events to those that Matter

Correlation Engine context: Who (User Identity), What (Asset Value), Where (Contextual Analysis), When (Time Window), How (Correlation Engine)

Page 31: 5-ArcSight_Labbe


Lifecycle of an Event Through ESM

1- Data collection and event processing

2- Event priority evaluation & network model lookup

3- Correlation: Filters, rules, data monitors

4- Monitoring and investigation

5- Workflow

6- Reporting and incident analysis

Page 32: 5-ArcSight_Labbe


Lifecycle of an Event Through ESM (1/6)

The Connector sends the aggregated & filtered events to the ESM…

Page 33: 5-ArcSight_Labbe


Lifecycle of an Event Through ESM (2/6)

… where they are evaluated & tagged with Priority Levels and Network Modeling information.

They are then stored in the ArcSight database and processed through the Correlation Engine.

Page 34: 5-ArcSight_Labbe


Events that have been tagged with Event Categories, Priority Evaluations and Network Modeling information are processed by the Correlation Engine, where Filters, Rules and Data Monitors can evaluate them.

Lifecycle of an Event Through ESM (3/6)

Page 35: 5-ArcSight_Labbe


Events that have been processed by the Correlation Engine can be monitored on Active Channels, Dashboards and Event Graphs.

Lifecycle of an Event Through ESM (4/6)

Page 36: 5-ArcSight_Labbe


Follow-up investigation can be done manually or automatically using ArcSight workflow components.

Lifecycle of an Event Through ESM (5/6)

Page 37: 5-ArcSight_Labbe


ArcSight analysis tools work on processed events to produce Reports, discover new patterns and analyze output data using interactive graphics.

Analysis and Reporting tools are highly customizable and can be run manually or scheduled to output data at regular intervals to be viewed by the SOC staff.

Lifecycle of an Event Through ESM (6/6)

Page 38: 5-ArcSight_Labbe


Correlation – ESM Specifications

| Model | E7200-2 | E7200-4 |
| Max EPS (Peak/Sustained) | 2,500 EPS / 1,500 EPS | 5,000 EPS / 3,000 EPS |
| OS | Oracle Enterprise Linux 4 | Oracle Enterprise Linux 4 |
| CPU | 2 x Intel Xeon Quad | 2 x Intel Xeon Quad |
| RAM | 24GB | 24GB |
| Ethernet Interfaces | 4 x 10/100/1000 | 4 x 10/100/1000 |
| Storage | 6 x 600GB - Serial Attached SCSI - RAID0 | 6 x 600GB - Serial Attached SCSI - RAID0 |
| Chassis | 2U | 2U |
| Power | 2 x 870W (Redundant) | 2 x 870W (Redundant) |
| Thermal | 3000 BTU/hr | 3000 BTU/hr |
| Weight | 36 Kg (78 lbs) | 36 Kg (78 lbs) |
| Dimensions (D x W x H) | 26.8" x 17.4" x 3.4" | 26.8" x 17.4" x 3.4" |

Actual performance will depend on factors specific to a user's environment.

Page 39: 5-ArcSight_Labbe


ArcSight Express vs. ArcSight ESM

| Feature | ArcSight Express | ArcSight ESM |
| Cross-Regulation Compliance Reporting | √ | √ |
| End-User Web Console | √ | √ |
| Appliance Deployment Option | √ | √ |
| Pre-Built Out-of-Box Rules/Reports | √ | √ |
| Market-Leading Correlation | √ | √ |
| Customizable Regulatory Compliance Packages | √ | √ |
| Unlimited Rule/Device Types | √ | √ |
| Custom Rules/Report Creation | √ | √ |
| Software Deployment Option | | √ |
| Unlimited Device Expandability | | √ |
| Activity Profiling (Pattern Discovery) | | √ |
| User, Fraud, and Data Monitoring | | √ |
| More Storage | | √ |
| More Integration Options * | | √ |

* e.g. TRM, Remedy, etc. integration

Page 40: 5-ArcSight_Labbe


ArcSight Express – Your Security Expert “In A Box”

AE is an integrated event and log management solution

• Uses the same collection & correlation as ArcSight ESM but is appliance based for easier deployment and management

• AE has pre-defined rules, reports, alerts and dashboards built-in

• Solves the most important security & compliance issues right out of the box

Out-Of-The-Box AE Coverage:

• Bot, Worm and Virus Attack Visibility and Alerting

• Hacker Detection

• Bandwidth Hogs and Policy Violations

• Application Access Monitoring

• Remote Access

• System and User Impact

• Compliance controls

| Model | M720-M | M720-L | M720-X | L3200 |
| OS | Oracle Enterprise Linux 4, 64-bit | Oracle Enterprise Linux 4, 64-bit | Oracle Enterprise Linux 4, 64-bit | Oracle Enterprise Linux 4, 64-bit |
| Compression | Up to 10:1 | Up to 10:1 | Up to 10:1 | Up to 10:1 |
| Max Network Devices | 40 | 100 | 225 | Same as M7200 |
| Max Desktops | 100 | 250 | 500 | Same as M7200 |
| Max EPS | 500 | 1000 | 2500 | Same as M7200 |
| Max Assets | 5000 | 10000 | 25000 | N/A |
| Web Users | Unlimited Users | Unlimited Users | Unlimited Users | Unlimited Users |
| Effective Capacity | 1.6TB | 1.6TB (+L3200) | 1.6TB (+L3200) | 7.8TB |

Hardware (two Express configurations):

| | 1U configuration | 2U configuration |
| CPU | 1 x Intel Xeon E5504 Quad Core 2.0 GHz | 2 x Intel Xeon E5504 Quad Core 2.0 GHz |
| Ethernet Interfaces | 2 x 10/100/1000 | 4 x 10/100/1000 |
| RAM | 12GB | 24GB |
| Physical Capacity | 2TB (2 x 1TB - RAID1) | 3.6TB (6 x 600GB - RAID10) |
| Chassis | 1U | 2U |
| Power | 1 x 480W (Non-Redundant) | 2 x 870W (Redundant) |
| Dimensions (DxWxH) | 24.7" x 17.1" x 1.7" | 26.8" x 17.4" x 3.4" |

L3200 not included with Express-M

Actual performance will depend on factors specific to a user's environment.

Page 41: 5-ArcSight_Labbe


ArcSight Express Pre-Built Content for Top Scenarios

Cross Device Reporting

• Top Bandwidth Users

• Configuration Changes

• Successful and Failed Logins

• Password Changes

• Top Attackers and Internal Targets

Anti-Virus Reporting

• Top Infected Systems

• All AV errors

• AV Signature Update stats

• Consolidated Virus Activity

• AV Configuration Changes

Database

• Database Errors and Warnings

• Database Successful and Failed Logins

• Database Configuration Changes

IPS/IDS

• IPS/IDS Alert Metrics

• Alert Counts

• Top Alert Sources and Destinations

• Top Attackers and Internal Targets

Access Management

• User Authentication across hosts

• Authentication Success and Failures

• User Administration Configuration Changes

Network Devices Reporting

• Network Device Errors and Critical Events

• Network Device Status and "Down" Notifications

• Bandwidth Usage

• Configuration Changes by User and Change Type

• Successful and Failed Logins

• Top Connections

VPN Device Reporting

• VPN Authentication Errors

• Connection Counts

• Connection Durations

• Connections Accepted and Denied

• Successful and Failed Logins

• Top Connections

• Top Bandwidth Users

• VPN Configuration Changes

Operating System Reporting

• Privileged User Administration

• Successful and Failed Logins

• Configuration Changes

Firewall Reporting

• Denied Inbound Connections

• Denied Outbound Connections

• Bandwidth Usage

• Successful/Failed Login Activity

Page 42: 5-ArcSight_Labbe


Solutions Modules

Page 43: 5-ArcSight_Labbe


ArcSight Solution Modules

Pre-built rules, reports, dashboards, and connectors

• Regulatory: Address compliance for public/industry regulations (SOX/JSOX, PCI, FISMA, HIPAA, NERC)

• Business: Address scenarios common to most organizations (Identity Monitoring, Fraud Detection, Insider Threat Detection)

Available as: Pre-configured Appliances, Installable Software

Benefit: Rapid deployment by leveraging best practices

Page 44: 5-ArcSight_Labbe


EnterpriseView - Business Solution Package (IdentityView, FraudView)

Solution Package that includes:

– Installable Solution Module on top of ESM

– Prebuilt customizable Reports & Rules tuned for the specific solution

– Pattern Discovery customizable configuration to create new monitoring rules

Page 45: 5-ArcSight_Labbe


IdentityView – Sample Reports (1/2)

Activity Report – For Users With The Developer Role

Page 46: 5-ArcSight_Labbe


IdentityView – Sample Reports (2/2)

Activity Report – For Users in the Finance Department

Page 47: 5-ArcSight_Labbe


FraudView – Multiple Engines for Detecting Fraudulent Activity

Engines:

• Risk Scoring Engine

• Fraud-Based Correlation Engine

• Pattern Recognition Engine

• Escalation List Process

Multi-Path Risk Analysis (combined into a Risk Score):

• Transaction evaluation - Fraud Detection Correlation rules (against Real-Time events and Historical data).

• Device Risk - Is the Source address in an Escalation List, a Country of Concern, etc.?

• Transaction Risk - What is the Risk Associated with the Transaction, etc.?

• Account Risk - Is the Account in an Escalation List, etc.?

• Destination Risk – Is the Destination a suspicious Payee, a Country of Concern, etc.?

Escalation lists: Watch List, Suspicious List, Investigate List

1- Account authentication over the phone fails a second time… the Account is added to the Watch List.

2- Source IP from which the website was scanned last week – the IP is in the Suspicious List.

3- The Source IP has been used to access Account XYZ; both IP Address a.b.c.d & Account XYZ are escalated to the Investigation List.

Pattern Discovery – To find fraudulent behaviours that might not yet have been captured in rule definitions.

Fraudulent transactions can be detected by FraudView in multiple ways.
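The three-step escalation and the multi-path risk score described on this slide can be modelled as a small stateful detector. The following added example is written for this page, not FraudView's own engine: the failure threshold, the requirement that the account already be on the Watch List in step 3, the score weights, the country code and the IP addresses are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class FraudLists:
    """Escalation lists from the slide: Watch List, Suspicious List, Investigate List.
    Thresholds, weights and the country list are constructed, not FraudView settings."""
    watch: Set[str] = field(default_factory=set)        # accounts with repeated phone-auth failures
    suspicious: Set[str] = field(default_factory=set)   # source IPs seen scanning the website
    investigate: Set[str] = field(default_factory=set)  # escalated IPs and accounts
    phone_auth_failures: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    countries_of_concern: Set[str] = field(default_factory=lambda: {"XX"})  # placeholder code

    def phone_auth_failed(self, account: str) -> None:
        """Step 1: a second failed phone authentication puts the account on the Watch List."""
        self.phone_auth_failures[account] += 1
        if self.phone_auth_failures[account] >= 2:
            self.watch.add(account)

    def scan_observed(self, src_ip: str) -> None:
        """Step 2: an IP that scanned the website goes on the Suspicious List."""
        self.suspicious.add(src_ip)

    def account_access(self, src_ip: str, account: str) -> bool:
        """Step 3: a Suspicious-List IP touching a Watch-List account escalates both
        to the Investigate List (the Watch-List condition is an assumption)."""
        if src_ip in self.suspicious and account in self.watch:
            self.investigate.update({src_ip, account})
            return True
        return False

    def risk_score(self, src_ip: str, account: str, amount: float,
                   src_country: str, payee_country: str) -> int:
        """Multi-path risk analysis: device, account, transaction and destination
        risk contribute independently; weights are constructed, capped at 100."""
        score = 40 if src_ip in self.investigate else 20 if src_ip in self.suspicious else 0
        score += 15 if src_country in self.countries_of_concern else 0      # device risk
        score += 40 if account in self.investigate else 20 if account in self.watch else 0
        score += 15 if amount >= 10_000 else 5 if amount >= 1_000 else 0    # transaction risk
        score += 15 if payee_country in self.countries_of_concern else 0    # destination risk
        return min(score, 100)


def walkthrough() -> FraudLists:
    """Replays the slide's three steps with a constructed IP standing in for a.b.c.d."""
    fl = FraudLists()
    fl.phone_auth_failed("XYZ")
    fl.phone_auth_failed("XYZ")          # second failure: Watch List
    fl.scan_observed("198.51.100.7")     # scanned the website last week: Suspicious List
    fl.account_access("198.51.100.7", "XYZ")  # both escalated to Investigate List
    return fl


if __name__ == "__main__":
    lists = walkthrough()
    print("investigate:", sorted(lists.investigate))
    print("score:", lists.risk_score("198.51.100.7", "XYZ", 12_000, "XX", "XX"))
```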

Page 48: 5-ArcSight_Labbe


Why is ArcSight Winning? What Makes ArcSight Unique.

Page 49: 5-ArcSight_Labbe


Deploying the Platform

ArcSight can be deployed to support a range of requirements

Alerting/Compliance Reporting

• Log collection and retention

• Invest in report building

• Delayed incident response

• Solution: ArcSight Logger; Report focus; Basic audit compliance

Virtual SOC

• Lights out operations

• Invest in upfront automation

• Basic analysis/investigation

• Solution: ArcSight Logger, ArcSight ESM, ArcSight Express; Limited correlation; Email notification focus

Fully Staffed SOC

• 24x7 operations

• Invest in ongoing staffing

• Live incident response

• Solution: ArcSight Logger, ArcSight ESM, Pattern Discovery; Advanced correlation; Live Dashboard focus

Page 50: 5-ArcSight_Labbe


Deployment: Simple to Start, Easy to Grow

Log Management (Connectors)

• Live Alerting

• Data Collection/Storage

• Reporting

• Single Appliance

Advanced Correlation (More Connectors)

• Dashboards

• Correlation Rules

• Trend Reporting

• Activity Profiling

Automated Response

• Workflow-based lockdown

Page 51: 5-ArcSight_Labbe


What Makes ArcSight Unique

Unmatched in Collection, Correlation and Scale

Page 52: 5-ArcSight_Labbe


ArcSight – Collection (1/2)

Largest Supported Products base

– 275+ products, 100+ vendors, 35+ categories

– FlexConnectors (for in-house device/source support)

Audit quality data

– Integrity measures as data is received (FISMA requirement - NIST 800-92 recommendation)

Common Event Format

Page 53: 5-ArcSight_Labbe


ArcSight – Correlation (1/2)

Pre-packaged, extensible content

– For regulatory compliance & security

– Includes report templates, trending & dashboards.

Real-time Correlation & Alerting

– Simple and meaningful alerts.

– Device independent correlation.

Context-based Correlation

– Based on vulnerability, asset & user context

– Criticality based model

Response management

– Native workflow, helpdesk integrations

– Integrated comprehensive and intelligent rules based response for network/security devices

Correlation Engine context: Who (User Identity), What (Asset Value), Where (Contextual Analysis), When (Time Window), How (Correlation Engine)

User Model – High-Impact Users

• Role: Does the event match the role of the person performing it?

• User Profiling: Is this normal behavior?

• Identity: Who was "behind the IP address?"

• Policy: Impact of this event on business risk?

Asset Model – High-Impact Assets

• Susceptibility: Is the asset susceptible to the specific attack?

• Attack History: History with this target?

• Asset Criticality: How important is this asset to the business?

• Device Severity: Assign severity levels to device classes

Page 54: 5-ArcSight_Labbe


ArcSight – Correlation (2/2)

Activity Profiling Engine

– Discover patterns in large collections of events that have already occurred.

– Can profile good and bad behaviors

– Machine-discovered patterns can be turned into correlation rules

Better security through more effective rules.

Page 55: 5-ArcSight_Labbe


ArcSight – Scale

Centralized and/or Distributed collection

– Controls for security, reliability, batching, integrity checks along with bandwidth controls

– Unique support for highly distributed environments

Form factor flexibility & Range of Appliances

– Highest performance/price return (EPS/$)

• Up to 100K EPS (Events Per Second) / appliance with linear scalability

– Complete ArcSight platform (Connectors – Logger – ESM - TRM) is available in a range of modular & turnkey appliances

– Added flexibility of software deployments for ESM and connectors

Cost effective scalable long term storage

– Up to 50TB of raw data capacity for long term storage appliance with linear scalability (peer)

– Support for external storage (NAS, SAN)

– Support for multiple retention policies.

ArcSight Threat Response Module

Page 56: 5-ArcSight_Labbe


So Why Choose ArcSight?

Best products – Most market share, most awards, proven over years.

Broadest customer base – Strong experience solving the challenges in your industry.

Future proof – Insulate you from tomorrow's technology decisions.

Page 57: 5-ArcSight_Labbe


Summary

Protect Your Business - Choose the Best

• Proven, integrated products for monitoring and controlling security and risk

• Deployable together or incrementally

• Designed to fit within today's IT environment while insulating tomorrow's decisions

Collect – Monitor – Audit – Respond

SIEM Leader's Quadrant, SIX Years Running (Most Visionary); Market Share Leader

Page 58: 5-ArcSight_Labbe


Thank You

Jean-Luc Labbe

Southern EMEA Sales Engineer

Cell +39 335 879 0307

[email protected]