
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Top 10 use cases of HP ArcSight Logger

Sridhar Karnam

@Sri747

[email protected]

#HPSecure


Big data is driving innovation

• Collect Big Data for analytics

• Store Big Data for compliance

• Search Big Data for incident response

• Correlate Big Data for security

Big Data will continue to expand


Log management challenges

• Compliance and reporting

• Comprehensive collection

• Secure applications

• Store Big Data

• Filtering & parsing of various logs

• IT change management

• Ultra-fast forensic investigation

• Where do I start?

• Mobility

• Consolidated view


HP’s unique approach to universal log management

A new approach: comprehensive log management

• Collect: 100% data collection

• Enrich: unify Big Data through normalization and categorization

• Search: fastest search engine on the planet

• Store: store years’ worth of Big Data without an additional database

• Correlate: analytics for 25+ use cases including security and compliance


HP ArcSight log management and SIEM solution

What do we do?

Collect, store, analyze


Convert all machine data into a common format for search, reporting, and retention

Raw machine data:

Jun 17 2009 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside

Jun 17 2009 14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 src xxx.xxx.146.12 s_port 2523 dst xxx.xxx.10.2 service ms-sql-m proto udp rule 49

Unified data:

| Time (Event Time)  | name | DeviceVendor | DeviceProduct    | CategoryBehavior | CategoryDeviceGroup | CategoryOutcome | CategorySignificance   |
|--------------------|------|--------------|------------------|------------------|---------------------|-----------------|------------------------|
| 6/17/2009 12:16:03 | Deny | Cisco        | PIX              | /Access          | /Firewall           | /Failure        | /Informational/Warning |
| 6/17/2009 14:53:16 | Drop | Checkpoint   | Firewall-1/VPN-1 | /Access/Start    | /Firewall           | /Failure        | /Informational/Warning |

Benefit: a single data set for searching, indexing, reporting, and archiving
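The normalization step above, as an added Python example (not ArcSight's own connector or parser): two regexes pull the fields out of the raw PIX and Checkpoint lines quoted on the slide and emit the unified record. The vendor, product and category mappings are assumptions chosen to reproduce the slide's table; the outcome and significance for actions other than Deny/Drop are a generalization beyond what the slide shows.

```python
import re
from datetime import datetime

# Constructed input: the two raw firewall events quoted on the slide; the
# Checkpoint addresses are redacted on the page and are left that way here.
RAW_EVENTS = [
    "Jun 17 2009 12:16:03: %PIX-6-106015: Deny TCP (no connection) from "
    "10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside",
    "Jun 17 2009 14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 "
    "src xxx.xxx.146.12 s_port 2523 dst xxx.xxx.10.2 service ms-sql-m proto udp rule 49",
]

TS = r"(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})"
PIX_RE = re.compile(TS + r": %PIX-\d-\d+: (?P<action>\w+) (?P<proto>\w+) .*?"
                    r"from (?P<src>\S+)/(?P<spt>\d+) to (?P<dst>\S+)/(?P<dpt>\d+)")
CP_RE = re.compile(TS + r" (?P<action>\w+) \S+ >\S+ product .+? src (?P<src>\S+) "
                   r"s_port (?P<spt>\d+) dst (?P<dst>\S+) service \S+ proto (?P<proto>\w+)")

# (vendor, product, categoryBehavior) per source, as in the slide's table;
# assumed mappings for this example, not ArcSight's own connector content.
PARSERS = [
    (PIX_RE, "Cisco", "PIX", "/Access"),
    (CP_RE, "Checkpoint", "Firewall-1/VPN-1", "/Access/Start"),
]

def _event_time(ts):
    d = datetime.strptime(ts, "%b %d %Y %H:%M:%S")
    return f"{d.month}/{d.day}/{d.year} {d:%H:%M:%S}"      # 6/17/2009 12:16:03

def normalize(raw):
    """Map one raw line to the common field set; None when no parser matches,
    so the caller can keep the line as raw text instead of losing it."""
    for regex, vendor, product, behavior in PARSERS:
        m = regex.match(raw)
        if not m:
            continue
        action = m["action"].capitalize()
        blocked = action in ("Deny", "Drop")      # the only actions on the slide
        dpt = m.groupdict().get("dpt")            # Checkpoint names the service instead
        return {
            "eventTime": _event_time(m["ts"]), "name": action,
            "deviceVendor": vendor, "deviceProduct": product,
            "categoryBehavior": behavior, "categoryDeviceGroup": "/Firewall",
            "categoryOutcome": "/Failure" if blocked else "/Success",
            "categorySignificance": "/Informational/Warning" if blocked else "/Informational",
            "src": m["src"], "spt": int(m["spt"]),
            "dst": m["dst"], "dpt": int(dpt) if dpt else None, "proto": m["proto"].lower(),
        }
    return None
```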


Customer benefits

• 4 weeks to generate an IT GRC report: Logger compliance packs generate IT GRC reports in 5 minutes

• 6 weeks to run an IT audit: audit-quality search results let you run an audit in 8 hours

• 24 days to respond to a breach: the fastest search engine combined with full-text search lets you respond in 4 hours

Top 10 use cases:

‘Fastest search engine on the planet for the machine data’


#10: Dev-Ops/ Sec-Ops

Integrating operations to be part of other IT priorities

Diagram: Sec-Ops (heat map, asset mapping, risk indicators) and Dev-Ops

• Prioritization

• Heat map of risk

• Isolation of incidents

• Vulnerability score

• Aggregation of events

• Risk scoring

• Continuous monitoring

• Development feedback


#9: Log analytics for support team

• Provide view access to log analytics

• Different support groups get access only to the logs they care about

• Secure your logs with view-only access for broader teams, including contractors and partners


#8: Threat detection and response

• Early detection of malware, virus and distributed attacks

• Upload reputation database and use lookup to find any suspicious activities or threats


Security Analytics – Attacks

• Store years’ worth of data (1.6 petabytes) by peering 20 instances of Logger

• Run reports, dashboards and alerts on years’ worth of data

• Transfer data between Logger and ESM for long-term security analytics use cases


Organizations of All Sizes Are At Risk

© 2010 ArcSight Confidential

Typical threats

• Bot, Worm, and Virus Attacks

• Hacker Detection

• Bandwidth Hogs and Policy Violations

• Unauthorized Application Access

• VPN Sneak Attacks


#7: Web log analysis

• What websites are frequently visited?

• What is the click through rate?

• Which search engine is generating the leads that bring visitors to my website?


#6: Network analytics

• Analyze network data from NetFlow, syslog, etc.

• Firewall/ NGFW log analytics in real time across devices and vendors

• Integrate with IPS/ IDS for better management of threats and attacks


#5: Application intelligence

• Monitoring application logs for security, performance, and operations

• Logs both on the wire and at run time, for securing both new and legacy apps


#4: Cloud monitoring

Logger collects and analyzes logs/ data from every layer or from any RESTful API

Diagram: shared-responsibility stack for SaaS, PaaS and IaaS. Layers: User, Application, Information, O/S, O/S image, Network, Physical; each layer is marked consumer responsible or provider responsible depending on the service model.


#3: Mobility

• Monitoring on the go

• Compliance and security analytics on the mobile device

• Give analysts, the CISO and the CIO access so that everyone is on the same page

• Access dashboards/ reports quickly on iPad/ iPhone


#2: Compliance and audit reporting

• Built-in reports for automated compliance and audit reporting

• Focused on delivering compliance

• Alerts

• Dashboards

• Reports

• Workflow

• Retention

Frameworks covered: ISO, PCI DSS, SOX, NIST


#1: Big Data analytics


• Collect from 350+ log generating sources

• Collect data up to 5 TB/ day

• Store 1.6 PB of data

• Search billions of events in seconds through bloom filters

• Full-text English searching

• Collect data from thousands of devices from thousands of vendors
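How a per-chunk Bloom filter lets a search skip stored data that cannot contain the term, as an added Python example (not Logger's own code): each chunk of events carries a small filter over its tokens, a search reads only the chunks whose filter answers "maybe", and every hit is still confirmed by scanning because a filter can give false positives but never false negatives. Chunk size, filter size, hash count and the sample events are assumptions.

```python
import hashlib
import re

class BloomFilter:
    """m-bit array probed at k positions taken from one SHA-256 digest."""
    def __init__(self, m_bits=4096, k=4):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8)
    def _positions(self, term):
        digest = hashlib.sha256(term.encode()).digest()
        for i in range(self.k):                       # 4 digest bytes per probe
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m
    def add(self, term):
        for p in self._positions(term):
            self.bits[p // 8] |= 1 << (p % 8)
    def might_contain(self, term):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(term))

TOKEN = re.compile(r"[A-Za-z0-9._-]+")

def build_index(lines, chunk_size=2):
    """Store events in chunks; each chunk carries one filter over its tokens."""
    index = []
    for i in range(0, len(lines), chunk_size):
        chunk, bf = lines[i:i + chunk_size], BloomFilter()
        for line in chunk:
            for tok in TOKEN.findall(line.lower()):
                bf.add(tok)
        index.append((bf, chunk))
    return index

def search(index, term):
    """Return (matching lines, number of chunks read). A 'no' from a filter is
    definite, so that chunk is skipped unread; a 'yes' may be a false positive,
    so the chunk is still scanned to confirm the hit."""
    term, hits, scanned = term.lower(), [], 0
    for bf, lines in index:
        if not bf.might_contain(term):
            continue
        scanned += 1
        hits += [line for line in lines if term in line.lower()]
    return hits, scanned

# Constructed sample events (not from the slide), indexed as two chunks of two.
EVENTS = [
    "Jun 17 2009 12:16:03 PIX Deny TCP from 10.50.215.102/15605 to 204.110.227.16/443",
    "Jun 17 2009 12:16:09 PIX Permit TCP from 10.50.215.7/41022 to 10.1.2.3/22",
    "Jun 17 2009 14:53:16 Firewall-1 drop src 192.0.2.12 dst 192.0.2.2 service ms-sql-m",
    "Jun 17 2009 14:53:20 Firewall-1 accept src 192.0.2.12 dst 192.0.2.9 service https",
]
```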
