5-ArcSight Labbe

Technology Day
Genève, 17 Mars 2010

Jean-Luc Labbe
ArcSight
Southern EMEA Sales Engineer
Cell +39 335 879 0307
jlabbe@arcsight.com
18/03/2010 © 2010 ArcSight Confidential 1

ArcSight - Company Overview
Company Background Analyst Recognition

SIEM Leader’s Quadrant -
 Founded May 2000 SIX years running
 2000+ customers
#1 in Market Share –
 450+ employees, offices worldwide Last three reports
 NASDAQ: ARST
#1 In-use for both SIEM &
Log Management
Industry Recognition

Agenda
- La collecte et la normalisation des logs, le premier pas de l’analyse
- Avec ArcSight Express, la corrélation à un moindre coût

The Real Challenge
Millions of events generated per day
No central point of collection and analysis
Too difficult to manage security and risk
Network Security Physical Servers Desktop Identity Email Databases Apps

Mobile
Devices Devices Access Sources

Reduce Risk by Understanding the Big Picture
Connect the dots
 Collect information everywhere

 Analyze it for a clear picture
 Take action to resolve problems early

Understanding the Big Picture
SIEM enables centralized visibility of enterprise events
Network Security Physical Mobile Servers Desktop Identity Email Databases Apps

ArcSight - Centralized Security Monitoring Platform
An integrated product set for collecting and assessing security and risk information.
Rules Rules Rules

Module IdentityView FraudView
Reports/Logic Reports/Logic Reports/Logic
Layer
Regulatory EnterpriseView
Business 3rd Party
ArcSightGuided
Threat Response
Response Module
Core Engine
Layer
ArcSight
Event ESM
Correlation ArcSight
Log Logger
Management
Integration
Layer Data Collection
ArcSight Connectors

Integration & Core Engine Layers – Flows & Interactions
Auto Response
ArcSight Threat Response Manager
Correlation
Log Management
ArcSight ESM ArcSight Logger
Integration Layer
ArcSight Smart Connectors

Integration Layer

Integration Layer – ArcSight Connectors
Connectors
 Collect in native log format from 275+ types of products
 Normalize to a common format
 Send to centralized engines via secure, reliable delivery
Available as:
Rackable Appliances Branch Office/Store Appliance Installable Software

(Connector Appliance) (Connector Appliance)
Benefit: Insulates device choices from analysis

ArcSight Connectors - 275+ Products, 50+ Categories, 80+ Partners
Access and Identity Data Security Integrated Security NBAD Policy Management Vulnerability Mgmt
Anti-Virus Firewalls Log Consolidation Network Management Router Web Cache
Applications Honeypot Mail Filtering Network Monitoring Security Management Web Filtering
Content Security Host IDS/IPS Mail Server Net Traffic Analysis Switch Web Server
Database Network IDS/IPS Mainframe Operating System VPN Wireless

ArcSight Connectors - Primary Functions
Event Extraction Layer
*
RAW
Event ArcSight SmartConnectors
Normalization Layer
ArcSight SmartConnectors
Categorization Layer
Delivery Layer
ArcSight
ArcSight SmartConnectors Event
ArcSight Connectors - Event Extraction Layer
OR
Agent Agentless
Event Sources Event Extraction Layer Capabilities

Syslog
SNMP Traps Filtering
Files (Delimited RegEx, XML) Aggregation
ODBC Databases Filed Mapping
Custom Polling Options
Flex API

ArcSight Connectors - Normalization Layer
Jun 02 2005 12:16:03: %PIX-6-106015: Normalization Layer Time (Event nam Device Category Category Category Category
Deny TCP (no connection) from Time) e Vendor deviceProduct Behavior DeviceGroup Outcome Significance
10.50.215.102/15605 to 6/17/2009
9:29
Den
y CISCO Pix /Access /Firewall /Failure
/Informational/
Warning
204.110.227.16/443 flags FIN ACK on 6/17/2009 Den /Informational/
interface outside 9:30 y NetScreen Firewall/VPN /Access/Start /Firewall /Failure Warning
6/17/2009 Den /Informational/
9:31 y CISCO Pix /Access /Firewall /Failure Warning
6/17/2009 Den /Informational/

9:32 y NetScreen Firewall/VPN /Access/Start /Firewall /Failure Warning

ArcSight Connectors - Categorization Layer
Failed logins across the enterprise as simple as:

“/Authentication/Verify” AND “/Failure”
Jun 02 2005 12:16:03: CISCO PIX: PERMIT TCP Categorization Layer

Jun 02 2005 12:16:03: CHECK POINT: ALLOW TCP
Jun 02 2005 12:16:03: NETSCREEN: ACCEPT TCP

ArcSight Connectors - Delivery Layer
- Encryption (Capable of FIPS 140-2 Encryption)

- Compression (Up to 80% over the wire compression)
Event Sources Delivery Layer ArcSight Destinations ESM

Encrypted
Guaranteed Delivery Compressed and/or
Batching Split Feeds
Scheduling Rate Limiting
CACHE Fail-Over
Logger
- Split Feeds (Each feed has independent cache)

- Bandwidth Management (Rate Limiting based on Time of Day)
- HA (Failover Configuration)
Many options, scenarios…
DestinationA_FilterA
Or Or Or...
Failover
DestinationB_FilterB
HA

Integration Layer – Connector Appliance Specifications
Model C1000 C3200 C5200

Management Web browser, CLI
OS CentOS 4.6 64-bit Oracle Enterprise Linux 4 64-bit
Max EPS 400 2500 5000
Onboard Connectors 4 16 32
Remote Connector No Up to 500 Up to 1000
Management
Max Devices By EPS only
CPU 1 x Intel Celeron 220 1.2 GHz 1 x Intel Xeon Quad Core 2 x Intel Xeon Quad Core
RAM 1GB 6GB 12GB
Storage 120GB 500GB 2 x 500GB - RAID1
Chassis Table Top 1U 1U
Power External (100 - 240 VAC) 480 W (100 - 240 VAC) 2 x 500 W (100 - 240 VAC)
Redundant Power No Yes
Ethernet Interfaces 1 x Fast Ethernet 2 x Gigabit Ethernet
Dimensions (D x W x H) 10.83" x 8.27" x 2.56" 24.7" x 17.1" x 1.7"
Actual performance will depend on factors specific to a user's environment.

Log Management

Core Engine Layer - Log Management
ArcSight Logger ArcSight Logger

 Efficient, self-managed archiving of terabytes of log data
 Raw or normalized format
 Pre-built reporting for security or compliance needs
Available as:
Data Center Log Storage & SAN-Based Log SMB/Regional Log

Management Appliance Management Appliance Storage & Management
(35 TB max) Appliance
Benefit: Cost-efficient compliance retention/reporting

Logger – Efficient & Intelligent Storage (1/2)
• Up to 50TB of online data per appliance

• Onboard & External (SAN) storage options
• Automatic archival
• Analyze across onboard and externally archived data
• Granular role-based access controls
• Automated enforcement of multiple retention policies
LAN
SAN NAS SAN

Logger – Efficient & Intelligent Storage (2/2)
A
Each Storage Group can
have a different retention
Storage Rule
policy which is specified in B Device
Pirority 5
Storage
Group 1 Group 1
term of number of days that
events are stored, and Storage Rules create a
overall maximum size in GB. C mapping between the
Device Groups and the
Storage Groups. Logger 4 supports
up to 6 Storage
Events from specific IP Storage Rule

Groups
(Internal SG +
Storage
Device Volume
addresses can be routed to D
Group 2 Pirority 10
Default SG + 4
SGs that you can
particular Storage Groups,

create)
making it possible to store Each Storage Ruke has

a unique priority value,
all router events, for E and the lower value
has the higher priority.
example, to a Storage Group Storage

Group 2
with a short retention period,
F
and business/critical host
events to another Storage
Group with a longer Device
Storage Rule
G
retention period. Group 3 Pirority 15
H
Devices Device Groups Storage Rules Storage Groups Storage Volume

Logger – Hundreds of Out-of-the-Box Reports
i.e. PCI Package includes 70

reports based on the PCI DSS

Logger – Using Reports
Published
Run in Background Displays the list of previously-generated reports
Use this option to run reports that that are not yet expired. You can view the user
take long time to generate or the (user name) who generated the report, generate
ones that are not required online time, and expiry time of the report.
immediately. The report can be viewed as well as deleted from
the saved report list.
Quick Run Edit

Runs the report using default data Opens the Report Designer for the
filtering configuration, which was set associated report, where you can make
at report deploy time. changes to the underlying query the
Provides options to change start and Run report uses.
end time parameters, storage Provides options to modify the data
groups, and devices included in the filter criteria used by the report
scope of the report run. query for this run.
You can specify a maximum number
of rows to include in the report, and
perform various comparison and
logical operations on event fields.

Logger – Dive Into A Report Template (Example) 1/3

Logger – Forensics On-the-Fly (Dashboards)

Logger – Google Like Search Anything
“Google Like Search”  Requires no familiarity with various log syntaxes

failure windows mjohnson
 Clean and structured viewing of logs
 Active results for quick drill down
• Unstructured raw text search for fast forensic analysis

• Structured data search to simplify investigations
+
• Unified analysis across all data for complete visibility and fast
detection and remediation of cyber-attacks
ArcSight Cybersecurity survey: More than 75% said they very rarely or
hardly ever knew what exactly to look for when researching a cyber attack
Logger – Logger Specifications
Model L3200 & L3200-PCI L7200-SAN L7200s L7200x

Management Web browser, CLI
Supported Sources Raw syslog (TCP/UDP), Raw file-based logs (FTP, SCP,SFTP)
Analysis optimized collection for 275+ commercial products
FlexConnector framework for legacy event sources
ArcSight Common Event Format (CEF), ArcSight ESM
OS Oracle Enterprise Linux 4, 64-bit
Compression Up to 10:1
Max Devices 200 Unrestricted 500 Unrestricted
RAW EPS 2000 75000 5000 100000
Onboard Connectors 4 No
Connector EPS 200 N/A
Remote Connector Management 20 (5 containers) No
CPU 1 x Intel Xeon Quad 2.0 GHz 2 x Intel Xeon Quad 2.0 GHz
RAM 12GB 24GB
Storage 2 x 1TB - RAID1 External SAN 6 x 1TB - RAID5
Chassis 1U 2U
Power 480W (Non-Redundant) 2 x 870W (Redundant)
Ethernet Interfaces 2 x 10/100/1000 4 x10/100/1000
Host Bus Adapter N/A Emulex Lpe 11002 N/A
Dimensions 24.7" x 17.1" x 1.7" 24.7" x 17.1" x 1.7"
Logger Model Physical Capacity¹ Effective Capacity Compression

L3200 / L3200-PCI .78TB ~7.8TB
L7200s/L7200x 4.2TB ~42TB Up to 10:1
L7200-SAN 5TB² ~50TB
¹ Capacity prior to compression.
² Allocate 5.4TB in order to use 5TB.
Correlation

Core Engine Layer - Correlation
ArcSight ESM
 Real-time analysis of business events
 Activity profiling to create baselines for context
 Flexible visualization for role-based presentation
Available as:
Data Center Rackable Appliance Installable Software
Benefit: Focus resources only on important issues

Correlation - Filter Out the Noise and Focus on Key Issues
Who: User Identity Asset Value: What
Where: Contextual Analysis Time Window: When
Correlation Engine
How
From Millions of Events to the those that Matter

Lifecycle of an Event Through ESM
1- Data collection and event processing

2- Event priority evaluation & network model lookup
3- Correlation: Filters, rules, data monitors
4- Monitoring and investigation
5- Workflow
6- Reporting and incident analysis

Lifecycle of an Event Through ESM (1/6)
The Connector sends the aggregated & filtered events to the ESM…

… where they are evaluated & tagged with Priority Levels and Network Modeling
information.
They are then stored in the ArcSight database and processed through the Correlation
Engine.

Events that have been tagged with Event Categories, Priority Evaluations and Network
Modeling information are processed by the Correlation Engine, where Filters, Rules
and Data Monitors can evaluate them.

Events that have been processed by the Correlation Engine can be monitored on Active
Channels, Dashboards and Event Graphs.

Follow up investigation can be done manually or automatically using ArcSight workflow

components.

ArcSight analysis tools work on processed events to produce Reports, discover new
patterns and analyze output data using interactive graphics.
Analysis and Reporting tools are highly customizable and can be run manually or
scheduled to output data at regular intervals to be viewed by the SOC staff

Correlation – ESM Specifications
Model E7200-2 E7200-4

Max EPS (Peak/Sustained) 2,500 EPS / 1,500 EPS 5,000 EPS / 3,000 EPS
OS Oracle Enterprise Linux 4
CPU 2 x Intel Xeon Quad
RAM 24GB
Ethernet Interfaces 4 x 10/100/1000
Storage 6 x 600GB - Serial Attached SCSI - RAID0
Chassis 2U
Power 2 x 870W ()Redundant)
Thermal 3000 BTU/hr
Weight 36 Kg (78 lbs)
Chassis 2U
Dimensions (D x W x H) 26.8" x 17.4" x 3.4"

ArcSight Express vs. ArcSight ESM
ArcSight ArcSight
ArcSight Express vs. ArcSight ESM
Express ESM
Cross-Regulation Compliance Reporting √ √
End-User Web Console √ √
Appliance Deployment Option √ √
Pre-Built Out-of-Box Rules/Reports √ √
Market-Leading Correlation √ √
Customizable Regulatory Compliance Packages √ √
Unlimited Rule/Device Types √ √
Custom Rules/Report Creation √ √
Software Deployment Option √
Unlimited Device Expandability √
Activity Profiling (Pattern Discovery) √
User, Fraud, and Data Monitoring √
More Storage √
More Integration Options * √
* i.e. TRM, Remedy, etc integration

ArcSight Express – Your Security Expert “In A Box”
AE is an integrated event and log management solution

Uses the same collection & correlation as ArcSight ESM but,
Is appliance based for easier deployment and management
AE has pre-defined rules, reports, alerts and dashboards built-in
Solves the most important security & compliance issues right out of the box
Model M720-M M720-L M720-X L3200
Out-Of-The-Box AE OS Oracle Enterprise Linux 4, 64-bit

Coverage: Compression UP to 10:1
Max Network Devices 40 100 225 Same as M7200
 Bot, Worm and Virus
Attack Visibility and Max Desktops 100 250 500 Same as M7200
Alerting Max EPS 500 1000 2500 Same as M7200
 Hacker Detection Max Assets 5000 10000 25000 N/A
 Bandwidth Hogs and Web Users Unlimited Users
Policy Violations CPU 2 x Intel Xeon E5504 Quad Core 2.0 GHz 1 x Intel Xeon E5504 Quad Core 2.0 GHz
 Application Access Ethernet Interfaces 4 x10/100/1000 2 x 10/100/1000
Monitoring
RAM 24GB 12GB
 Remote Access Physical Capacity 2TB (2 x 1TB - RAID1)
3.6TB (6 x 600GB - RAID10)
 System and User Effective Capacity 1.6TB 1.6TB (+L3200) 7.8TB
Impact
Chassis 2U 1U
 Compliance controls
Power 2 x 870W (Redundant) 1 x 480W (Non-Redundant)
Dimensions (DxWxH) 26.8" x 17.4" x 3.4" 24.7" x 17.1" x 1.7"
L3200 not included with Express-M

ArcSight Express Pre-Built Content for Top Scenarios
 Cross Device Reporting  Network Devices Reporting

• Top Bandwidth Users • Network Device Errors and Critical Events
• Configuration Changes • Network Device Status and “Down” Notifications
• Successful and Failed Logins • Bandwidth Usage
• Password Changes • Configuration Changes by User and Change Type
• Top Attackers and Internal Targets • Successful and Failed Logins
• Top Connections
 Anti-Virus Reporting
• Top Infected Systems  VPN Device Reporting
• All AV errors • VPN Authentication Errors
• AV Signature Update stats • Connection Counts
• Consolidated Virus Activity • Connection Durations
• AV Configuration Changes • Connections Accepted and Denied
 Database • Successful and Failed Logins
• Top Connections
• Database Errors and Warnings
• Top Bandwidth Users
• Database Successful and Failed Logins
• VPN Configuration Changes
• Database Configuration Changes
 IPS/IDS  Operating System Reporting
• Privileged User Administration
• IPS/IDS Alert Metrics
• Successful and Failed Logins
• Alert Counts
• Configuration Changes
• Top Alert Sources and Destinations
• Top Attackers and Internal Targets
 Firewall Reporting
 Access Management • Denied Inbound Connections
• User Authentication across hosts • Denied Outbound Connections
• Authentication Success and Failures • Bandwidth Usage
• User Administration Configuration Changes • Successful/Failed Login Activity

Solutions Modules

ArcSight Modules
ArcSight Solution Modules

 Pre-built rules, reports, dashboards, and connectors
 Regulatory: Address compliance for public/industry regulations
 Business: Address scenarios common to most organizations
Available as: Regulatory:

SOX/JSOX HIPAA
PCI NERC
FISMA
Business:
Installable Software Identity Monitoring Pre-configured Appliances
Fraud Detection
Insider Threat Detection
Benefit: Rapid deployment by leveraging best practices

EnterpiseView - Business Solution Package
 Solution Package that includes

– Installable Solution Module on top of ESM
– Prebuilt customizable Reports & Rules tuned for specific solution
– Pattern Discovery customizable configuration to create new monitoring rules
IdentityView
FraudView

IdentityView – Sample Reports (1/2)
Activity Report – For Users With The Developer Role

IdentityView – Sample Reports (2/2)
Activity Report – For Users in the Finance Department

FraudView – Multiple Engines
Multiple Engines for Detecting Fraudulent Activity
Multi-Path Risk Analysis Device Risk - Is Source address in Escalation List, Country of Concern, etc?
Transaction Risk - What is the Risk Associated with Transaction, etc?

Risk Scoring Engine
Account Risk - Is Account in Escalation List, etc?
Risk Score
Destination Risk – Is the Destination a suspicious Payee, Country of Concern, etc?
Investigate List 3- Source IP has used to access Account XYZ, both IP Address
a.b.c.d & Account XYZ are escalated to the Investigation List.
Escalation List Suspicious List 2- Source IP from which the website was scanned last week – the
Process IP is in the Suspicious List.
Watch List 1- Account authentication over the phone fails a second time…
Account is added to the Watch List.
Fraud-Based Transaction evaluation - Fraud Detection Correlation rules (against Real-Time events and Historical data).
Correlation Engine
Pattern Recognition Patterns Discovery – To find fraudulent behaviours that might not yet have been captured in rule definition.
Engine
Fraudulent transactions can be detected by FraudView in multiple ways.

Why is ArcSight Winning?
What Makes ArcSight Unique.

Deploying the Platform
ArcSight can be deployed to support a range of requirements
Alerting/Compliance Reporting Virtual SOC Fully Staffed SOC
•Log collection and retention •Lights out operations •24x7 operations

•Invest in report building •Invest in upfront automation •Invest in ongoing staffing
•Delayed incident response •Basic analysis/investigation •Live incident response
•ArcSight Logger •ArcSight Logger •ArcSight Logger

•Report focus •ArcSight ESM •ArcSight ESM
•Basic audit compliance •ArcSight Express •Pattern Discovery
•Limited correlation •Advanced correlation
•Email notification focus •Live Dashboard focus

Deployment: Simple to Start, Easy to Grow
Automated Response
• Workflow-based lockdown
Advanced Correlation
• Dashboards • Trend Reporting
• Correlation Rules • Activity Profiling
Log Management
• Live Alerting
• Data Collection/Storage
• Reporting
• Single Appliance
Connectors
More Connectors

What Makes ArcSight Unique
Unmatched in
Collection Correlation Scale

ArcSight – Collection (1/2)
 Largest Supported Products base

– 275+ products, 100+ vendors, 35+ categories
– FlexConnectors (for in-house device/source support)
Common Event
Format
 Audit quality data

– Integrity measures as data is received (FISMA requirement - NIST 800-92 recommendation)

ArcSight – Correlation (1/2)
Who: User Identity Asset Value: What
Where: Contextual Analysis Time Window: When
 Pre-packaged, extensible content Correlation Engine

Asset Model
– For regulatory compliance & security
– Includes report templates, trending & Device Severity Susceptibility
dashboards. Assign severity Is the asset
levels to device How susceptible to the
classes specific attack?
 Real-time Correlation & Alerting
– Simple and meaningful alerts.
Asset Criticality
– Device independent correlation. Attack History
How important is
History with High-Impact
this asset to the
this target? Assets
business?
 Context-based Correlation
– Based on vulnerability, asset & user context
– Criticality based model User Model
 Response management Identity

Who was
Policy
Impact of
– Native workflow, helpdesk integrations “behind the this event on
– Integrated comprehensive and intelligent rules IP address?” business risk?
based response for network/security devices

Role
Does the event User Profiling High-Impact
match the role of Is this normal Users
the person behavior?
performing it?
ArcSight – Correlation (2/2)
 Activity Profiling Engine

– Discover patterns in large collections of events that have already occurred.
– Can profile good and bad behaviors
– Machine-discovered patterns can be turned into correlation rules
Better security through more effective rules.

ArcSight – Scale
 Centralized and/or Distributed collection

– Controls for security, reliability, batching, integrity checks along with bandwidth controls
– Unique support for highly distributed environments
 Form factor flexibility & Range of Appliances

– Highest performance/price return (EPS/$)
• Up to 100K EPS (Events Per Second) / appliance with linear scalability
– Complete ArcSight platform (Connectors – Logger – ESM - TRM) is available in a range of modular
& turnkey appliances
– Added flexibility of software deployments for ESM and connectors
ArcSight Threat Response Module
 Cost effective scalable long term storage

– Up to 50TB of raw data capacity for long term storage appliance with linear scalability (peer)
– Support for external storage (NAS, SAN)
– Support for multiple retention policies.

So Why Choose ArcSight?
 Broadest customer base – Strong experience

solving the challenges in your industry.
 Best products – Most market share, most awards,

proven over years.
 Future proof – Insulate you from tomorrow’s

technology decisions.

Summary
 Proven, integrated products for monitoring and controlling security and risk
 Deployable together or incrementally
 Designed to fit within today’s IT environment while insulating tomorrow’s decisions
Audit Collect
Market Share SIEM

Leader Leader’s Quadrant
SIX Years Running
Respond Monitor (Most Visionary)
Protect Your Business - Choose the Best

Thank You
Jean-Luc Labbe
Southern EMEA Sales Engineer
Cell +39 335 879 0307
jlabbe@arcsight.com

5-ArcSight Labbe

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

5-ArcSight Labbe

Încărcat de

Drepturi de autor:

Formate disponibile

Technology Day

Genève, 17 Mars 2010

18/03/2010 © 2010 ArcSight Confidential 1

Company Background Analyst Recognition

18/03/2010 © 2010 ArcSight Confidential 2

18/03/2010 © 2010 ArcSight Confidential 3

Millions of events generated per day

No central point of collection and analysis

Too difficult to manage security and risk

Network Security Physical Servers Desktop Identity Email Databases Apps

18/03/2010 © 2010 ArcSight Confidential 4

Connect the dots

 Collect information everywhere

18/03/2010 © 2010 ArcSight Confidential 5

SIEM enables centralized visibility of enterprise events

18/03/2010 © 2010 ArcSight Confidential 6

Rules Rules Rules

18/03/2010 © 2010 ArcSight Confidential 7

18/03/2010 © 2010 ArcSight Confidential 8

18/03/2010 © 2010 ArcSight Confidential 9

Rackable Appliances Branch Office/Store Appliance Installable Software

Benefit: Insulates device choices from analysis

18/03/2010 © 2010 ArcSight Confidential 10

Anti-Virus Firewalls Log Consolidation Network Management Router Web Cache

Database Network IDS/IPS Mainframe Operating System VPN Wireless

18/03/2010 © 2010 ArcSight Confidential 11

Event Extraction Layer

Event Sources Event Extraction Layer Capabilities

18/03/2010 © 2010 ArcSight Confidential 13

204.110.227.16/443 flags FIN ACK on 6/17/2009 Den /Informational/

interface outside 9:30 y NetScreen Firewall/VPN /Access/Start /Firewall /Failure Warning

6/17/2009 Den /Informational/

6/17/2009 Den /Informational/

18/03/2010 © 2010 ArcSight Confidential 14

Failed logins across the enterprise as simple as:

Jun 02 2005 12:16:03: CISCO PIX: PERMIT TCP Categorization Layer

18/03/2010 © 2010 ArcSight Confidential 15

- Encryption (Capable of FIPS 140-2 Encryption)

Event Sources Delivery Layer ArcSight Destinations ESM

- Split Feeds (Each feed has independent cache)

Many options, scenarios…

18/03/2010 © 2010 ArcSight Confidential 16

Model C1000 C3200 C5200

18/03/2010 © 2010 ArcSight Confidential 17

18/03/2010 © 2010 ArcSight Confidential 18

ArcSight Logger ArcSight Logger

Data Center Log Storage & SAN-Based Log SMB/Regional Log

Benefit: Cost-efficient compliance retention/reporting

18/03/2010 © 2010 ArcSight Confidential 19

• Up to 50TB of online data per appliance

SAN NAS SAN

18/03/2010 © 2010 ArcSight Confidential 20

Events from specific IP Storage Rule

particular Storage Groups,

making it possible to store Each Storage Ruke has

example, to a Storage Group Storage

18/03/2010 © 2010 ArcSight Confidential 21

i.e. PCI Package includes 70

18/03/2010 © 2010 ArcSight Confidential 22

Quick Run Edit

18/03/2010 © 2010 ArcSight Confidential 23

18/03/2010 © 2010 ArcSight Confidential 24