ArcSight (NASDAQ: ARST)
#1 in use for both SIEM and Log Management
Industry Recognition
Event sources: Network Devices, Security Devices, Physical Access, Mobile, Servers, Desktop, Identity, Email, Databases, Apps
An integrated product set for collecting and assessing security and risk information.
ArcSight platform (layered view):
Response Module: ArcSight Guided Threat Response
Core Engine Layer: ArcSight ESM (Event Correlation); ArcSight Logger (Log Management)
Integration Layer (Data Collection): ArcSight Connectors
Event sources: Network Devices, Security Devices, Physical Access, Mobile, Servers, Desktop, Identity, Email, Databases, Apps

ArcSight product map (same stack, by product name):
Auto Response: ArcSight Threat Response Manager
Correlation: ArcSight ESM
Log Management: ArcSight Logger
Integration Layer: ArcSight SmartConnectors
Event sources: as above
Connectors
Collect in native log format from 275+ types of products
Normalize to a common format
Send to centralized engines via secure, reliable delivery
Available as:
Connector categories: Access and Identity, Applications, Content Security, Data Security, Honeypot, Host IDS/IPS, Integrated Security, Mail Filtering, Mail Server, NBAD, Network Monitoring, Net Traffic Analysis, Policy Management, Security Management, Switch, Vulnerability Mgmt, Web Filtering, Web Server
SmartConnector processing stages: raw event -> Normalization Layer -> Categorization Layer -> Delivery Layer -> ArcSight event
18/03/2010 © 2010 ArcSight Confidential 12
ArcSight Connectors - Event Extraction Layer
Collection is agent-based or agentless, through ArcSight SmartConnectors.

Raw event (Cisco PIX syslog):
Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to ...

The same event after the SmartConnector Normalization Layer:
Time           | Event name | Device Vendor | deviceProduct | Category Behavior | Category DeviceGroup | Category Outcome | Category Significance
6/17/2009 9:29 | Deny       | CISCO         | Pix           | /Access           | /Firewall            | /Failure         | /Informational/Warning
6/17/2009 9:31 | Deny       | CISCO         | Pix           | /Access           | /Firewall            | /Failure         | /Informational/Warning
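The normalization and categorization steps above, as an added example that is not ArcSight's own connector code: a toy pipeline that parses the Cisco PIX message shown on the slide into the same common field names, attaches the four category fields, and serializes the result as a Common Event Format (CEF:0) line with the escaping CEF requires. The categorization table, the syslog-to-CEF severity mapping and the sample line (whose destination address is constructed from a documentation range) are assumptions; the regex covers only message 106015.

```python
"""Added example, not ArcSight code: a toy SmartConnector pipeline for the
Cisco PIX line shown above.  normalize() is the normalization and
categorization layer, to_cef() the delivery layer, serializing to the
Common Event Format (CEF:0).  The categorization table, the severity
mapping and the sample line (constructed destination) are assumptions."""
import re
from datetime import datetime
from typing import Optional

# Message 106015 layout as on the slide; trailing text (flags, interface) is kept in 'rest'.
PIX_106015 = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): "
    r"(?P<action>Deny|Permit) (?P<proto>[A-Z]+) \(no connection\) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<spt>\d+) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dpt>\d+)(?P<rest>.*)$"
)

# Constructed categorization table (ArcSight ships its own): (vendor, message id) -> category fields.
CATEGORIES = {
    ("CISCO", "106015"): {
        "categoryBehavior": "/Access",
        "categoryDeviceGroup": "/Firewall",
        "categoryOutcome": "/Failure",
        "categorySignificance": "/Informational/Warning",
    },
}

# Illustrative mapping of syslog severity (0=emerg .. 7=debug) to CEF severity (0..10).
SYSLOG_TO_CEF_SEVERITY = {0: 10, 1: 9, 2: 8, 3: 7, 4: 5, 5: 3, 6: 1, 7: 0}

# Constructed sample: the slide's source address, destination from TEST-NET-1 (RFC 5737).
SAMPLE_RAW = ("Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) "
              "from 10.50.215.102/15605 to 192.0.2.10/443 flags ACK on interface outside")


def normalize(raw: str) -> Optional[dict]:
    """Parse one raw PIX line into common field names and attach categories.
    Returns None when the line does not match, so a caller can keep the raw
    event instead of silently dropping it."""
    m = PIX_106015.match(raw)
    if not m:
        return None
    ev = {
        "time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "name": m["action"],
        "deviceVendor": "CISCO",
        "deviceProduct": "Pix",
        "deviceEventId": m["msgid"],
        "severity": SYSLOG_TO_CEF_SEVERITY[int(m["sev"])],
        "transportProtocol": m["proto"],
        "sourceAddress": m["src"],
        "sourcePort": int(m["spt"]),
        "destinationAddress": m["dst"],
        "destinationPort": int(m["dpt"]),
        "raw": raw,
    }
    # Categorization layer: table lookup on (vendor, message id).
    ev.update(CATEGORIES.get((ev["deviceVendor"], ev["deviceEventId"]), {}))
    return ev


def _hdr(value: str) -> str:
    """CEF header fields: escape backslash and the pipe separator."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _ext(value: str) -> str:
    """CEF extension values: escape backslash, '=' and newlines."""
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(ev: dict) -> str:
    """Serialize a normalized event as one CEF:0 line (device version unknown here)."""
    header = "|".join(_hdr(x) for x in (
        "CEF:0", ev["deviceVendor"], ev["deviceProduct"], "unknown",
        ev["deviceEventId"], ev["name"], str(ev["severity"])))
    category = "".join(ev.get(k, "") for k in (
        "categoryBehavior", "categoryDeviceGroup", "categoryOutcome", "categorySignificance"))
    extension = {
        "rt": ev["time"].strftime("%b %d %Y %H:%M:%S"),
        "src": ev["sourceAddress"], "spt": str(ev["sourcePort"]),
        "dst": ev["destinationAddress"], "dpt": str(ev["destinationPort"]),
        "proto": ev["transportProtocol"], "act": ev["name"],
    }
    if category:
        extension["cat"] = category
    return header + "|" + " ".join(f"{k}={_ext(v)}" for k, v in extension.items())


if __name__ == "__main__":
    event = normalize(SAMPLE_RAW)
    print(event)
    print(to_cef(event))
```

The point a practitioner should take from the escaping helpers: a pipe in an event name, or an equals sign in a user-controlled value, would otherwise shift every downstream field, so the delivery layer escapes header and extension values differently rather than trusting the parser's output.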
Logger
Connectors send to one or more destinations, each with its own filter (DestinationA_FilterA, DestinationB_FilterB, ...), with failover and HA deployment options.
Available as:
Logger storage
Devices (A ... H) -> Device Groups -> Storage Rules -> Storage Groups -> Storage Volume
Each Storage Group can have a different retention policy, specified in terms of the number of days that events are stored and an overall maximum size in GB.
Storage Rules (each with a priority, e.g. Priority 5) create a mapping between the Device Groups and the Storage Groups. Logger 4 supports up to 6 Storage Groups.
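The routing and retention chain above, as an added example that is not Logger's own code: a small model in which devices map to device groups, storage rules are evaluated in priority order to pick a storage group, and each group enforces both of its limits (age in days first, then the GB cap, dropping the oldest events). Group names, rule priorities, event sizes, the 6-group limit check and the convention that a lower priority number is matched first are assumptions for the demo.

```python
"""Added example, not Logger code: a model of Devices -> Device Groups ->
Storage Rules -> Storage Groups with per-group retention (days and GB).
Names, priorities, sizes and the rule-ordering convention are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_STORAGE_GROUPS = 6          # Logger 4 limit stated on the slide
BYTES_PER_GB = 1_000_000_000


@dataclass
class StorageGroup:
    name: str
    retention_days: int
    max_size_gb: float
    events: list = field(default_factory=list)   # (timestamp, size_bytes)

    def size_bytes(self) -> int:
        return sum(size for _, size in self.events)


@dataclass(order=True)
class StorageRule:
    priority: int            # assumed convention: lower number is evaluated first
    device_group: str
    storage_group: str


class LoggerStorage:
    def __init__(self, device_groups: dict, storage_groups: list, rules: list, default_group: str):
        if len(storage_groups) > MAX_STORAGE_GROUPS:
            raise ValueError(f"Logger 4 supports at most {MAX_STORAGE_GROUPS} storage groups")
        self.device_groups = device_groups                 # device name -> device group
        self.groups = {g.name: g for g in storage_groups}
        for r in rules:                                    # reject rules pointing nowhere
            if r.storage_group not in self.groups:
                raise ValueError(f"rule {r.priority}: unknown storage group {r.storage_group}")
        self.rules = sorted(rules)                         # by priority
        self.default_group = default_group

    def route(self, device: str) -> str:
        """First matching storage rule wins; unmatched devices go to the default group."""
        dg = self.device_groups.get(device)
        for r in self.rules:
            if r.device_group == dg:
                return r.storage_group
        return self.default_group

    def ingest(self, device: str, ts: datetime, size_bytes: int) -> str:
        target = self.route(device)
        self.groups[target].events.append((ts, size_bytes))
        return target

    def enforce_retention(self, now: datetime) -> dict:
        """Per group: drop events older than retention_days, then drop the
        oldest events until the group fits under max_size_gb.  Returns the
        number of events purged per group."""
        purged = {}
        for g in self.groups.values():
            before = len(g.events)
            cutoff = now - timedelta(days=g.retention_days)
            g.events = sorted(((ts, sz) for ts, sz in g.events if ts >= cutoff), key=lambda e: e[0])
            cap = int(g.max_size_gb * BYTES_PER_GB)
            while g.events and g.size_bytes() > cap:
                g.events.pop(0)                            # oldest first
            purged[g.name] = before - len(g.events)
        return purged


# Constructed topology: device letters follow the slide's diagram.
DEVICE_GROUPS = {"A": "firewalls", "B": "firewalls", "C": "windows", "H": "netflow"}


def make_storage() -> LoggerStorage:
    groups = [
        StorageGroup("fw_long", retention_days=365, max_size_gb=2.0),
        StorageGroup("default", retention_days=90, max_size_gb=1.0),
        StorageGroup("bulk", retention_days=7, max_size_gb=0.001),   # 1 MB cap for the demo
    ]
    rules = [StorageRule(5, "firewalls", "fw_long"), StorageRule(10, "netflow", "bulk")]
    return LoggerStorage(DEVICE_GROUPS, groups, rules, default_group="default")


def demo(now: datetime = datetime(2010, 3, 18, 9, 0)):
    """Ingest constructed events; return the store and the purge counts."""
    store = make_storage()
    store.ingest("A", now - timedelta(days=400), 500)      # older than 365 days: purged by age
    store.ingest("B", now - timedelta(days=1), 500)        # kept
    store.ingest("C", now, 500)                            # no rule for 'windows' -> default group
    for i in range(5):                                     # 1.5 MB of netflow into a 1 MB group
        store.ingest("H", now - timedelta(minutes=5 - i), 300_000)
    return store, store.enforce_retention(now)


if __name__ == "__main__":
    store, purged = demo()
    print(purged)
```

Note the order of the two limits: the size cap can evict events well inside their retention window, which is the case to check when a storage group is sized for a device group whose volume later grows.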
Reports
Run in Background: use this option to run reports that take a long time to generate, or ones that are not required online immediately.
Published: displays the list of previously generated reports that are not yet expired. You can view the user name of the user who generated the report, the generation time, and the expiry time of the report. A report can be viewed as well as deleted from the saved report list.
ArcSight cybersecurity survey: more than 75% said they very rarely or hardly ever knew what exactly to look for when researching a cyber attack.
Logger – Logger Specifications
ArcSight ESM
Real-time analysis of business events
Activity profiling to create baselines for context
Flexible visualization for role-based presentation
Available as:
Correlation Engine
How
The Connector sends the aggregated and filtered events to the ESM, where they are evaluated and tagged with Priority Levels and Network Modeling information.
They are then stored in the ArcSight database and processed through the Correlation Engine.
Events that have been tagged with Event Categories, Priority Evaluations and Network Modeling information are processed by the Correlation Engine, where Filters, Rules and Data Monitors can evaluate them.
Events that have been processed by the Correlation Engine can be monitored on Active Channels, Dashboards and Event Graphs.
ArcSight analysis tools work on processed events to produce Reports, discover new patterns and analyze output data using interactive graphics.
Analysis and Reporting tools are highly customizable and can be run manually or scheduled to output data at regular intervals to be viewed by the SOC staff.
ArcSight Express vs. ArcSight ESM

Feature                                      | Express | ESM
Cross-Regulation Compliance Reporting        | √       | √
End-User Web Console                         | √       | √
Appliance Deployment Option                  | √       | √
Pre-Built Out-of-Box Rules/Reports           | √       | √
Market-Leading Correlation                   | √       | √
Customizable Regulatory Compliance Packages  | √       | √
Unlimited Rule/Device Types                  | √       | √
Custom Rules/Report Creation                 | √       | √
Software Deployment Option                   |         | √
Unlimited Device Expandability               |         | √
Activity Profiling (Pattern Discovery)       |         | √
User, Fraud, and Data Monitoring             |         | √
More Storage                                 |         | √
More Integration Options *                   |         | √
Business solutions:
Identity Monitoring and Insider Threat Detection: IdentityView
Fraud Detection: FraudView
Delivered as installable software or pre-configured appliances
Multi-Path Risk Analysis
Device Risk - Is the source address in the Escalation List, a Country of Concern, etc.?
Process (active lists: Watch List -> Suspicious List -> Escalation List -> Investigate List):
1 - Account authentication over the phone fails a second time... The account is added to the Watch List.
2 - The source IP is one from which the website was scanned last week - the IP is in the Suspicious List.
3 - The source IP has been used to access Account XYZ; both IP address a.b.c.d and Account XYZ are escalated to the Investigation List.
Fraud-based transaction evaluation - Fraud Detection correlation rules (against real-time events and historical data), run by the Correlation Engine.
Pattern Recognition Engine - Pattern Discovery, to find fraudulent behaviours that might not yet have been captured in rule definitions.
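The three-step escalation above, and the Correlation Engine flow described under "How" (events evaluated in order by rules that read and update lists), as an added example that is not ArcSight's rule language or code: three correlation rules over a Watch List, a Suspicious List and an Investigate List, run over constructed events in time order. The event names, the 7-day life of a Suspicious List entry, the "second failure" threshold and the IP addresses (RFC 5737 documentation ranges standing in for a.b.c.d) are assumptions; the Escalation List and country-of-concern device-risk check is not modelled.

```python
"""Added example, not ArcSight code: the slide's multi-path escalation as
correlation rules over active lists.  Event schema, thresholds, list TTL
and addresses are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SUSPICIOUS_TTL = timedelta(days=7)    # "scanned last week" (assumed window)
PHONE_FAIL_THRESHOLD = 2              # "fails a second time"


@dataclass
class ActiveLists:
    watch: set = field(default_factory=set)          # accounts
    suspicious: dict = field(default_factory=dict)   # source ip -> time of last scan
    investigate: set = field(default_factory=set)    # accounts and ips under investigation


class Correlator:
    def __init__(self):
        self.lists = ActiveLists()
        self.phone_failures = defaultdict(int)

    def _expire(self, now: datetime) -> None:
        """Suspicious List entries age out after SUSPICIOUS_TTL."""
        self.lists.suspicious = {ip: t for ip, t in self.lists.suspicious.items()
                                 if now - t <= SUSPICIOUS_TTL}

    def process(self, ev: dict) -> list:
        """Evaluate one event against the three rules; returns the alerts fired."""
        now = ev["time"]
        self._expire(now)
        alerts = []
        if ev["name"] == "phone_auth_failure":               # rule 1: second failure -> Watch List
            acct = ev["account"]
            self.phone_failures[acct] += 1
            if self.phone_failures[acct] == PHONE_FAIL_THRESHOLD:
                self.lists.watch.add(acct)
                alerts.append({"rule": "account_watchlisted", "account": acct, "time": now})
        elif ev["name"] == "web_scan":                       # rule 2: scanner -> Suspicious List
            self.lists.suspicious[ev["src"]] = now
        elif ev["name"] == "account_access":                 # rule 3: join on both lists
            src, acct = ev["src"], ev["account"]
            if src in self.lists.suspicious and acct in self.lists.watch:
                self.lists.investigate.update({src, acct})
                alerts.append({"rule": "escalate_to_investigation", "account": acct,
                               "src": src, "time": now})
        return alerts


def run(events: list):
    """Feed events in time order; return the correlator (for its lists) and the alerts."""
    c = Correlator()
    alerts = [a for ev in sorted(events, key=lambda e: e["time"]) for a in c.process(ev)]
    return c, alerts


T0 = datetime(2010, 3, 18, 9, 0)
# Constructed events.  198.51.100.9 scanned 9 days ago, so its entry has expired
# by the time it touches the account; 203.0.113.7 scanned 6 days ago and is still listed.
SAMPLE_EVENTS = [
    {"time": T0 - timedelta(days=9), "name": "web_scan", "src": "198.51.100.9"},
    {"time": T0 - timedelta(days=6), "name": "web_scan", "src": "203.0.113.7"},
    {"time": T0, "name": "phone_auth_failure", "account": "XYZ"},
    {"time": T0 + timedelta(minutes=1), "name": "phone_auth_failure", "account": "XYZ"},
    {"time": T0 + timedelta(minutes=2), "name": "account_access", "account": "XYZ", "src": "203.0.113.7"},
    {"time": T0 + timedelta(minutes=3), "name": "account_access", "account": "XYZ", "src": "198.51.100.9"},
    {"time": T0 + timedelta(minutes=4), "name": "account_access", "account": "XYZ", "src": "198.51.100.5"},
]

if __name__ == "__main__":
    correlator, fired = run(SAMPLE_EVENTS)
    for a in fired:
        print(a)
    print("investigate:", sorted(correlator.lists.investigate))
```

The expiry step is the detail worth copying: a Suspicious List that never ages out turns every later login from a once-noisy address into an escalation, so the rule reads the list at event time rather than trusting membership indefinitely.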
Automated Response: workflow-based lockdown
Advanced Correlation: dashboards, trend reporting, correlation rules, activity profiling
Log Management: live alerting, data collection/storage, reporting, single appliance
Connectors: more connectors; unmatched in Common Event Format
Proven, integrated products for monitoring and controlling security and risk
Deployable together or incrementally
Designed to fit within today’s IT environment while insulating tomorrow’s decisions
Jean-Luc Labbe
Southern EMEA Sales Engineer
Cell +39 335 879 0307
jlabbe@arcsight.com