First Aid for IT: Automated, Integrated & Dynamic Operations
Transcript of First Aid for IT: Automated, Integrated & Dynamic Operations
![Page 1: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/1.jpg)
www.arcsight.com 1© 2010 ArcSight Confidential
©2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
BTOS-TU-1700
Twitter hashtag #HPSWU
![Page 2: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/2.jpg)
© 2010 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.
First AID for IT – Automated, Integrated & Dynamic Operations
Hugh Njemanze
Founder, CTO, Executive VP of Research & Development
ArcSight – an HP Company
![Page 3: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/3.jpg)
Today’s Agenda
Today’s Challenges
– IT Ops and Service Availability
– Compliance
– Security Threats
How do SIEM and Log Management enable the Automated, Integrated and Dynamic Enterprise?
– What do SIEM and Log Management Products Do?
How can HP BTO and security products together help?
![Page 4: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/4.jpg)
Today’s Challenges
– Security Threats
– Compliance Controls & Reporting
– IT Operations & Service Availability
![Page 5: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/5.jpg)
Security and IT Operations Challenges for the Enterprise
Diagram: organizational silos (Audit & Risk, Networking, Applications, Forensics, IT Operations, Security, Change Management, Infrastructure), each with its own open questions about the same LOGS: Compliance Reporting, Network Availability, User Monitoring, Investigations, SLA Monitoring, Threat Monitoring, Configuration Monitoring, System Health
Security Monitoring | IT Operations
Pain points: Manual Security Monitoring, Challenging SLAs, Slow Forensics Response
![Page 6: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/6.jpg)
Today’s Problems
IT Operations
• 80% of application downtime is due to people or processes
• 1 hour of downtime means a loss of 250K USD or more for most companies
• Change management can reduce downtime by 35% and save 30% in costs
• Quickly resolve FCAPS issues to keep MTTR as short as possible
![Page 7: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/7.jpg)
Log Collection Challenges
www.arcsight.com © 2009 ArcSight Confidential
Network Devices
Servers
Mobile
Desktop
Security Devices
Physical Access
Apps
Databases
Identity Sources
• More devices and growing log volumes
• Collection agents are not a feasible option
• Ensuring complete collection from all devices & locations
![Page 8: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/8.jpg)
Log Storage Challenges
• Retention requirements drive up storage costs
• Hard to manage logs distributed across native devices
• Tedious and error prone log rotation
• Enforcing security and access controls
![Page 9: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/9.jpg)
Log Analysis Challenges
• Lots of different and cryptic log formats
• No simple search and reporting interface for users
• High-performance search and reporting is critical
• Expertise required to build regulation specific content
![Page 10: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/10.jpg)
Today’s Problems
Compliance
• 46 of 50 states in US require disclosure of breaches
• Europe currently reviewing similar laws
• Non-compliance means fines of millions of dollars, criminal charges and imprisonment
• Individual compliance solutions cost 10x more than consolidated ones
• Shrinking budgets and growing # of regulations require automation to maximize ROI
![Page 11: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/11.jpg)
More Compliance
Canada
• The Privacy Act 1983
• PIPEDA 2001
Asia Pacific
• New Zealand – Privacy Act 1993
• Australia – PA/PA(PS)A 1988/2000/2001
• South Korea – eCommerce Act 1999
• Taiwan – CPPDP Law 1995
• Hong Kong – Personal Data 1996, Code of Practice on Consumer Credit Data (2003), Privacy at Work (2004)
• India – Information Technology Act 2000 and Amendment Act 2006
South America
• Chile – APPD 1998
• Argentina – PDPA 2000
Mexico
• eCommerce Act 2000
U.S.A.
• Sarbanes-Oxley
• NERC CIP 002-009
• SB1386, S239, S248, S495, S806, S1178, S1260
• HIPAA 1996/2002
• FSMA/GLBA 1999/2001
• COPPA 1998/2000
• DMPEA 1999/2000
• State Breach Laws
Europe
• EU Directive
• Basel II
• Slovakia – Protection of Personal Data Act 2002 and Amendment Act 2005
• Slovenia – (99)
• Hungary – On the Protection of Personal Data and the Disclosure of Data of Public Interest 1992
• Czech – (00)
• Latvia – (00)
• Lithuania – (00)
• Greece – PIPPD 1995/1997
• Portugal – PDPA 1995/1998
• Italy – Data Protection Code
• Malta – Data Protection Act 2001
• Norway – Personal Data Act 2000
• Finland – FPDA 1995/1999
• Germany – FDPA 1995/2001, S 93 Telecommunications Act
• Austria – DPA 1995/2000
• Luxembourg – “EUD” 1995/2002
• Netherlands – PDPA 1995/2001, Telecommunications Act
• France – ADPDFIL 1978, “EUD” 1995, Postal and Electronic Communications Code
• Spain – Personal Data Protection Act, Telecommunications Act
• Ireland – Data Protection Act (1988) and Amendment Act (2003) and Ireland Data Protection Commission
• Belgium – LPPLRPPD 1992, DPA 1995/2001
• Sweden – PDPA 1995/1998, Electronic Communications Act
• UK – DPA 1995/2000, Proposal by House of Lords Committee, Privacy and Electronic Communications Regulations
• Denmark – DPRA 1978, Act on Processing of Personal Data 1995/2000
• Estonia – (96)
• Poland – (98)
Africa
• SALRC 2009
More Regulations Affect More Companies
![Page 12: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/12.jpg)
Confusing Compliance Requirements
![Page 13: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/13.jpg)
Today’s Problems
Security
• 859% of employees steal data on the way out
• Average cost of financial fraud is $500,000
• Cybercrime is committed every 10 seconds; twice the rate of actual real-world robberies
• 362 million identity records lost by the top ten known incidents
![Page 14: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/14.jpg)
More Security: Recent Cyber Attacks
• 27 American and South Korean government agencies attacked
• 50,000 to 65,000 computers used in the attack
• Attackers were generating about 23 megabits of data/second
• Attackers used 86 IP addresses in 16 countries, including the United States, Guatemala, Japan and China, but North Korea was not among them
![Page 15: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/15.jpg)
The line of sight has been digitized
Diagram (binary-stream background): Attacker, Zombie Control center, Zombie, Target; threat labels: Zombie, Virus, Fraud, Malware, Hacking, Spam
![Page 16: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/16.jpg)
It is Fairly Easy to Launch a Cyber-attack
An Ounce of Prevention is Worth a Pound of Cure!
![Page 17: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/17.jpg)
Malware is Getting Worse
Source: F-Secure
More Widespread and More Malicious
20x over the last 5 years
3x in the last year alone
Chart: malware sample count by year, 1986 to 2008 (y-axis from 100,000 to 1,600,000)
![Page 18: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/18.jpg)
Is Your Staff Growing?
Bottom-line: The Problems are Growing
Regulations are Growing
Breaches are Growing
Malware is Growing
Problems are moving downstream and increasingly impacting SMBs
![Page 19: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/19.jpg)
Effective log management can save you money by:
– Helping to identify and mitigate security vulnerabilities
– Helping with compliance reporting & controls
– Simplifying and improving IT operations
![Page 20: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/20.jpg)
Leveraging SIEM and Log Management Products
![Page 21: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/21.jpg)
What is SIEM?
![Page 22: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/22.jpg)
SIEM in action
Event sources: Firewalls/VPN, Intrusion Detection Systems, Vulnerability Assessment, Network Equipment, Server and Desktop OS, Anti-Virus, Applications, Databases, Physical Infrastructure, Identity Management, Directory Services, System Health Information, Web Traffic
Millions: Raw Events → Thousands: Security Relevant Events → Hundreds: Correlated Events
Risk-based Prioritization using Identified Threats, Known Vulnerabilities and Business-critical IT Assets; Critical Events Surfaced
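The funnel on this slide (millions of raw events, thousands of security-relevant events, hundreds of correlated events, and the critical ones surfaced by risk-based prioritization) can be made concrete with a small three-stage pipeline. The following is an added example, not ArcSight's code or its actual priority formula: the asset model, the category strings, the constructed event sample and the scoring weights are all assumptions made for illustration.

```python
"""Illustrative SIEM event funnel: raw events -> security-relevant events ->
correlated events -> risk-prioritized events surfaced to an analyst.
All data, taxonomy strings and the scoring formula are constructed for this
example; they are not ArcSight's."""
from collections import defaultdict

# Constructed asset model (assumed, not from the slides): business criticality
# 1-5 and the services on that host with a known, unpatched vulnerability.
ASSETS = {
    "10.0.0.5": {"criticality": 5, "vulnerable": {"ssh"}},  # constructed: payment server
    "10.0.0.9": {"criticality": 2, "vulnerable": set()},    # constructed: lab host
}

# Constructed raw events already normalized into a device-independent category:
# (time_s, category, src, dst, service, device severity 1-10)
RAW_EVENTS = [
    (0,   "/Informational/Heartbeat", "10.0.0.5",     "10.0.0.5", "agent", 1),
    (5,   "/Authentication/Failure",  "203.0.113.7",  "10.0.0.5", "ssh",   4),
    (9,   "/Authentication/Failure",  "203.0.113.7",  "10.0.0.5", "ssh",   4),
    (14,  "/Authentication/Failure",  "203.0.113.7",  "10.0.0.5", "ssh",   4),
    (20,  "/Informational/Config",    "10.0.0.9",     "10.0.0.9", "cron",  1),
    (30,  "/Authentication/Failure",  "198.51.100.2", "10.0.0.9", "rdp",   4),
    (31,  "/Authentication/Failure",  "198.51.100.2", "10.0.0.9", "rdp",   4),
    (32,  "/Authentication/Failure",  "198.51.100.2", "10.0.0.9", "rdp",   4),
    (40,  "/Authentication/Failure",  "192.0.2.11",   "10.0.0.5", "ssh",   4),  # one typo, no pattern
    (900, "/Informational/Heartbeat", "10.0.0.9",     "10.0.0.9", "agent", 1),
]

SECURITY_CATEGORIES = ("/Authentication/", "/Attack/", "/Malware/")


def security_relevant(events):
    """Stage 1 (millions -> thousands): keep only security-relevant categories."""
    return [e for e in events if e[1].startswith(SECURITY_CATEGORIES)]


def correlate(events, window_s=60, threshold=3):
    """Stage 2 (thousands -> hundreds): collapse repeated authentication failures
    from one source against one target service within window_s seconds into a
    single correlated event. Emits at most one correlated event per tuple."""
    buckets = defaultdict(list)
    for t, category, src, dst, service, severity in events:
        if category == "/Authentication/Failure":
            buckets[(src, dst, service)].append((t, severity))
    correlated = []
    for (src, dst, service), hits in buckets.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until the span fits in window_s
            while hits[end][0] - hits[start][0] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                correlated.append({
                    "name": "Repeated authentication failures",
                    "src": src, "dst": dst, "service": service,
                    "count": end - start + 1,
                    "severity": max(sev for _, sev in hits[start:end + 1]),
                })
                break
    return correlated


def prioritize(event):
    """Stage 3: risk-based priority 0-10 (assumed formula). Device severity is
    weighted by asset criticality and raised when the targeted service has a
    known vulnerability, so the same pattern against a lab host ranks lower."""
    asset = ASSETS.get(event["dst"], {"criticality": 1, "vulnerable": set()})
    score = event["severity"] * asset["criticality"]
    if event["service"] in asset["vulnerable"]:
        score *= 1.5
    return min(10, round(score / 2))


def run_funnel(events, critical_at=8):
    """Run all three stages; return the counts at each level plus the critical
    events that should reach an analyst first."""
    relevant = security_relevant(events)
    correlated = correlate(relevant)
    for ev in correlated:
        ev["priority"] = prioritize(ev)
    surfaced = sorted((ev for ev in correlated if ev["priority"] >= critical_at),
                      key=lambda ev: -ev["priority"])
    return {"raw": len(events), "relevant": len(relevant),
            "correlated": len(correlated), "surfaced": surfaced}


if __name__ == "__main__":
    result = run_funnel(RAW_EVENTS)
    print(f"raw={result['raw']} relevant={result['relevant']} "
          f"correlated={result['correlated']} surfaced={len(result['surfaced'])}")
    for ev in result["surfaced"]:
        print(f"  P{ev['priority']} {ev['name']}: {ev['src']} -> {ev['dst']} "
              f"({ev['service']}, {ev['count']} failures)")
```

On the constructed sample the ten raw events shrink to seven security-relevant ones and two correlated events, and only the burst against the business-critical, known-vulnerable host is surfaced; the identical burst against the lab host stays below the critical threshold.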
![Page 23: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/23.jpg)
Before and After
Helps in reducing cost, time and resources
Manual & Dispersed vs. Automated & Centralized (SIEM & Log Management)
![Page 24: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/24.jpg)
Problem: Security
“Everything looks like a one-off”
Too Many Devices on the Network
Too Many Different Device Types
Too Many Systems Exposed to the Internet
“I can’t understand the impact of this problem”
“We don’t even know when we are being attacked”
![Page 25: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/25.jpg)
Solution: Real-Time Correlation + Event History
SIEM and/or Log Management
Collect, categorize, correlate network/application activities
Alert staff, take automated action
Find unusual behavior in time to prevent loss:
– Worms spreading through the firewall
– Viruses spreading across desktops
– Hackers accessing the network
– Users running p2p applications
– Remote accesses through the VPN
Use Log Management for forensics investigation:
– How long has this been happening?
– Who else is involved?
– What systems are affected?
![Page 26: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/26.jpg)
Problem: Compliance
“Even simple investigations require my best people”
Too Much Data
Too Many Formats
Too Hard to Consolidate
Too Expensive to Store
“My databases can’t retain this many years of audit data”
“We spend too much time preparing for an audit”
![Page 27: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/27.jpg)
Solution: Automated Compliance Reporting
Log Management
Collect, categorize, and capture for long term storage
Produce up-to-date and automatic reports for auditors
Perform forensics investigations in minutes
Low TCO to support multiple retention policies
Reports mapped directly to regulatory requirements
![Page 28: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/28.jpg)
Problem: IT Ops
“We are not aware of the downtime unless a ticket is opened”
Too Many Log Formats
Unplanned and unknown downtimes
Change management is difficult
Mean Time To Repair (MTTR) is too high
“Root cause analysis is difficult and takes a lot of time and resources”
“We never know who made the change that resulted in failure”
![Page 29: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/29.jpg)
Solution: Real-Time Correlation + Event History
SIEM and/or Log Management
Collect, categorize, correlate network/application activities
Alert staff, take automated action
Find unusual behavior in time to resolve issues (FCAPS: Fault, Configuration, Accounting, Performance, Security)
Use Log Management for forensics investigation:
– Who made the change?
– How well are your systems/resources being utilized?
– What other systems are impacted?
![Page 30: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/30.jpg)
The Automated Integrated and Dynamic Enterprise
Security Operations: Insider Threat, Perimeter Threat, Forensics, SANS
Regulations & Industry Mandates: PCI, SOX, HIPAA, FISMA
IT Operations: System Health, Network Availability, SLA
![Page 31: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/31.jpg)
Key Evaluation Criteria
Does the technology…
• Collect from everything?
• Make events easy to read?
• Provide built-in security rules?
• Enable regulation-specific audit reporting?
• Efficiently retain and manage my data?
• Expand when I need it?
![Page 32: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/32.jpg)
The AID Platform That Delivers More
Diagram: HP BTO & ArcSight SIEM/Log Management Suite as one platform for Audit & Risk, Networking, Applications, Security, IT Operations, IT Governance, Change Management and Infrastructure
Point tools shown: SIEM, NSMs, Forensic Tools
![Page 33: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/33.jpg)
Customer Case Study: University of Tennessee
Compliance challenges quickly addressed after 2-day deployment
"Finding needles in the haystack" reduced from 45 minutes to 2 minutes
Reduced budgets highlight the operational efficiencies of ArcSight Logger
“Tremendous cost savings from ArcSight Logger” – James Perry, U. of Tenn.
“We continue to find new applications for the product”
• e.g. Early detection of network outage warning signs
• e.g. PCI reporting across stores/restaurants on all campuses (150+ collection locations)
![Page 34: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/34.jpg)
Customer Success Profile: Large Healthcare Provider
COMPANY OVERVIEW
► Top 10 provider of health insurance plans in the nation
► 565,000 customers ► 1000 employees ► 10,500 healthcare providers
CHALLENGES
► Homegrown log management did not scale to event rates of network and server devices
► Compliance: containing the cost of HIPAA and other audits
► IT Operations: increasing pressure on SLA adherence
► Security team overburdened by forensics follow up
RESULTS
► Significant improvements in event rate collection and cost effective long term storage
► Automated HIPAA audits
► Continuous real time awareness and notification on security threats
► Dramatic reduction in troubleshooting complex IT system issues
► Direct access to forensic team
COMPANY PERSPECTIVE
“We need a scalable log management solution for HIPAA compliance. Plus ability to proactively protect our infrastructure and improve SLA. The ArcSight Log Management solution streamlines our audit and delivers ongoing visibility into security risk. It saves time for our system, application support and forensic teams. We now provide the right log data to the right staff in a cost-effective manner.”
—CIO
![Page 35: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/35.jpg)
ArcSight for IT Operations
NSM tool provides system (CPU, memory, etc.) alerts but lacks source context
With ArcSight Log Management
– Helpdesk user launches ArcSight Logger Web interface
– IP, hostname, and/or application search shows all activity in last x minutes
– Dynamic result set and drill down capabilities provide intuitive navigation path to root cause analysis
Customer Success Profile
![Page 36: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/36.jpg)
ArcSight for IT Operations
Turnkey
– Eliminate HW procurement and deployment delays – rapid deployment
Consolidated log repository
– Avoid separate log storage investment
– Reduce direct access to critical infrastructure
– Rapid cross device troubleshooting
Device independent search taxonomy
– Reduced training cost and faster root cause analysis
Analytics portal
– Rapid conversion of searches to alerts – reduce future incidence
– SLA reports and dashboards
Customer Success Profile
![Page 37: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/37.jpg)
ArcSight for Forensics Investigations
Investigative tools (e.g. EnCase, iLook) take a snapshot of volatile machine activity as evidence
With ArcSight Log Management
– Search by user or host can quickly reveal similar past behavioral trends – reconnaissance activity
– Across years of historical data
Readily accessible audit quality data can provide strong evidentiary trails to support forensics investigations
Customer Success Profile
![Page 38: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/38.jpg)
ArcSight for Security Monitoring
Components: ArcSight Logger, ArcSight Connectors, Any SIEM (ESM)
Proactive Security Awareness
– Reports
– Real time alerts
– Anomaly detection
– Tier 1 notification
– Ad hoc investigations
Advanced Threat Detection
– Multi-event correlation
– Session extrapolation
– User correlation
– Pattern discovery
– Comprehensive case management
Customer Success Profile
Phase I → Phase II
![Page 39: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/39.jpg)
ArcSight SIEM & Log Management Suite Delivers
Before: Uncontrolled Log Infrastructure; Manual & Expensive Audits; Inefficient IT Operations
With the ArcSight Log Management Suite: Small to Enterprise Scale; Automated & Cost-effective Audits; Proactive Security Monitoring; IT Operations SLA Efficiency
+ Real-Time Protection with ArcSight ESM
![Page 40: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/40.jpg)
Automated and Integrated Real Time Operations
Cycle: DETECT → CONSOLIDATE → PRIORITIZE → ISOLATE → DIAGNOSE → REPAIR
1. Discover, monitor and measure. Events detected, alerts are sent.
2. Topology, events and performance metrics are consolidated across domains into BSM. Events are automatically correlated.
3. Affected Business Services and SLAs are determined.
4. Find root cause and escalate as needed.
5. Diagnose root cause through subject matter expert investigation tools.
6. Repair problem through automated response and close event/incident once resolved.
![Page 41: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/41.jpg)
HP Confidential
IT OPERATIONS & SECURITY: SYNERGIES
Diagram labels:
– Real time service model (CMDB)
– Applications, Business Services, Risk & Compliance
– IT Ops: Changes, Problems, Alerts, Incidents
– Security Ops / SIEM: Vulnerabilities, Threats, Events, Logs
– Policy; Remediation (BSA); Discovery; The IT environment (CIs); Compliance
– Updates, Rules, Policy updates, Actions
– Common Context, Alignment
– Risk & Compliance Office
– Event Correlation, Problem Isolation, Analytics
![Page 42: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/42.jpg)
To learn more, contact ArcSight at: [email protected] or 1-888-415-ARST
ArcSight, Inc. (NASDAQ: ARST)
5 Results Way, Cupertino, CA 95014, USA
Corporate Headquarters: 1 888 415 ARST
EMEA Headquarters: +44 870 351 6510
Asia Pac Headquarters: 852 2166 8302
http://www.arcsight.com/
Questions?
![Page 43: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/43.jpg)
Backup Slides
![Page 44: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/44.jpg)
Integrated Platform for Closed Loop Work Flow
Infrastructure: Network, Hosts, VM, OS
Users: Database, Apps, Identity
Physical: Datacenter, Doors, Cameras
Application Transactions: Financial, Retail, Insurance, Telco
![Page 45: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/45.jpg)
SECURITY: VISION & MISSION
Proactively manage application security and vulnerabilities across the applications lifecycle with continuous, real time assessment and remediation of business risk at lower cost.
Customer needs
• Align the security organization’s priorities with the business
• A single control framework to facilitate governance, compliance and security
• Reduce the cost of managing security while maintaining or improving risk and compliance levels
• Reduce the number of tools and vendors required to manage security related practices
Disruptions & Inflections
• Convergence of governance, risk management and compliance into a single practice
• The scope and breadth of business expectations from the CISO group has increased significantly due to higher complexity
• Managed Security Services market is growing at an increasing rate and provides a viable alternative to in house implementations.
Beliefs
• The most proactive and cost-effective way to manage application security risks and vulnerabilities is as part of quality assurance in pre production
• Once deployed, application security and compliance need to be continuously monitored in real time.
• Risk assessment for the enterprise must be aggregated, assessed, prioritized and remediated at the business service level
Improve application security & vulnerability assessment to proactively reduce business risk in real time
![Page 46: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/46.jpg)
Analysis Optimization
Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside
Device Independent Categorization – One Common Taxonomy
“Plain language” analysis
Universal device content applicability
Avoids content explosion
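To show what device-independent categorization buys, here is an added example (not ArcSight's parser or its real category set) that normalizes the PIX message on this slide and a constructed netfilter/iptables LOG line into one common record, renders each as a plain-language line, and then applies a single piece of detection content to both. The taxonomy field names and values, the iptables sample line, its `DROP:` log prefix and the assumed year for the year-less syslog timestamp are all assumptions.

```python
"""Device-independent categorization: two vendors' firewall deny messages are
parsed into one common record layout, and one rule is then written against that
layout instead of against either vendor's syntax. The taxonomy field names and
values are illustrative, not ArcSight's actual category set."""
import re
from datetime import datetime

# Event from the slide: Cisco PIX syslog message 106015.
PIX_LINE = ("Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from "
            "10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside")

# Constructed netfilter/iptables LOG line (not from the slides). The "DROP:"
# log prefix is something an administrator configures on the LOG rule.
IPTABLES_LINE = ("Jun  2 12:16:09 gw1 kernel: DROP: IN=eth0 OUT= SRC=10.50.215.102 "
                 "DST=204.110.227.16 LEN=40 TTL=63 ID=0 DF PROTO=TCP SPT=15606 "
                 "DPT=443 WINDOW=0 RES=0x00 FIN ACK URGP=0")

PIX_HEADER = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
PIX_106015 = re.compile(
    r"^Deny (?P<proto>\w+) \(no connection\) from (?P<src>[\d.]+)/(?P<spt>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dpt>\d+) flags (?P<flags>[A-Z ]+) on interface (?P<iface>\w+)$")
IPT_HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<prefix>[A-Z]+): (?P<body>.*)$")


def _record(vendor, product, time, proto, src, spt, dst, dpt, iface, reason, raw):
    """The common layout: device identity, taxonomy, then the network tuple."""
    return {
        "device_vendor": vendor, "device_product": product, "time": time,
        # illustrative taxonomy: kind of device, what it observed, and the outcome
        "device_group": "/Firewall", "behavior": "/Access", "outcome": "/Failure",
        "proto": proto.lower(), "src": src, "spt": int(spt), "dst": dst, "dpt": int(dpt),
        "interface": iface, "reason": reason, "raw": raw,
    }


def normalize_pix(line):
    """Parse a PIX 106015 deny message; returns None for anything else."""
    head = PIX_HEADER.match(line)
    if not head or head["msgid"] != "106015":
        return None
    body = PIX_106015.match(head["body"])
    if not body:
        return None
    time = datetime.strptime(head["ts"], "%b %d %Y %H:%M:%S").isoformat()
    return _record("Cisco", "PIX", time, body["proto"], body["src"], body["spt"],
                   body["dst"], body["dpt"], body["iface"], "no connection", line)


def normalize_iptables(line, year=2005):
    """Parse a netfilter LOG line. BSD syslog timestamps carry no year, so the
    year is an assumed parameter here."""
    head = IPT_HEADER.match(line)
    if not head:
        return None
    # KEY=VALUE pairs; bare flags such as DF, FIN, ACK are skipped
    fields = dict(re.findall(r"(\w+)=(\S*)", head["body"]))
    if any(k not in fields for k in ("SRC", "DST", "PROTO", "SPT", "DPT", "IN")):
        return None
    time = datetime.strptime(f"{year} {head['ts']}", "%Y %b %d %H:%M:%S").isoformat()
    return _record("Linux", "netfilter", time, fields["PROTO"], fields["SRC"], fields["SPT"],
                   fields["DST"], fields["DPT"], fields["IN"], f"log prefix {head['prefix']}", line)


def plain_language(ev):
    """Render the common record as the 'plain language' line an analyst reads."""
    verb = "denied" if ev["outcome"] == "/Failure" else "allowed"
    return (f"{ev['device_vendor']} {ev['device_product']} firewall {verb} {ev['proto']} "
            f"{ev['src']}:{ev['spt']} -> {ev['dst']}:{ev['dpt']} on {ev['interface']} ({ev['reason']})")


def denied_443_by_source(events):
    """One piece of content for every device: count firewall access failures to
    port 443 per source address, regardless of which product logged them."""
    counts = {}
    for ev in events:
        if ev and ev["device_group"] == "/Firewall" and ev["outcome"] == "/Failure" and ev["dpt"] == 443:
            counts[ev["src"]] = counts.get(ev["src"], 0) + 1
    return counts


if __name__ == "__main__":
    events = [normalize_pix(PIX_LINE), normalize_iptables(IPTABLES_LINE)]
    for ev in events:
        print(plain_language(ev))
    print(denied_443_by_source(events))
```

Adding a third device means adding one more normalizer; the rule in `denied_443_by_source` and the plain-language renderer do not change, which is the "avoids content explosion" point of the slide.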
![Page 47: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/47.jpg)
2. Real Time Alerting
SECURITY MONITORING
Reporting Real Time Alerting
![Page 48: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/48.jpg)
3. Automation of Analysis Lifecycle
Dashboards
Drill Down Reports
Forensic Searches
Real Time Alerting
![Page 49: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/49.jpg)
Personalized, Interactive Dashboards
Browser-based, ready-to-use out of the box
Hyperlink to KB articles, remediation procedures and other internal or external referential documents
Fully customizable
– Role-based views
– Active reports on drill down
– Drag-and-drop monitors
– Comprehensive reporting
– Configurable auto refresh rates
![Page 50: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/50.jpg)
Workflow Simulation: Drill Down Reporting
![Page 51: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/51.jpg)
Forensic Search
Distributed, device independent search based on time or term
Meta-search filters for retention policies, devices, device groups, and peer Logger appliances
Dynamic time and term based drill down/drill across
![Page 52: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/52.jpg)
Real Time Alerting
Based on
– Any expression
– Metadata
• Device
• Device group
• Retention policy
– Taxonomy
Anomalous activity
– Time + term thresholds
Notification: Console, syslog, SMTP, SNMP
Internal system health
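The alerting model on this slide (any expression, metadata filters such as device group, and time plus term thresholds for anomalous activity) corresponds to a sliding-window threshold engine. The following added example is not Logger's engine: the rules, device names, device groups and the constructed event stream are all assumptions. It fires one alert per burst and shows how a metadata filter keeps a firewall-specific rule from matching a server's log.

```python
"""Real-time alerting on a log stream: a rule is any expression (a regex),
optionally restricted by metadata (device group), and fires when the term is
seen at least `threshold` times within `window_s` seconds. Rules, events and
device names are constructed for this example; this is not Logger's engine."""
import re
from collections import deque
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AlertRule:
    name: str
    pattern: str                        # any expression, applied to the raw message
    threshold: int                      # fire at >= this many matches ...
    window_s: int                       # ... within this many seconds
    device_group: Optional[str] = None  # metadata filter; None means every device

    def __post_init__(self):
        self.regex = re.compile(self.pattern, re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    count: int
    first_time: int
    last_time: int
    devices: List[str]


class AlertEngine:
    """Keeps one sliding window per rule and emits an Alert when the window
    reaches the rule's threshold; the window is then cleared so a single burst
    produces one alert rather than one per additional match."""

    def __init__(self, rules):
        self.rules = rules
        self.windows = {r.name: deque() for r in rules}
        self.fired = []

    def feed(self, time_s, device, device_group, message):
        fired = []
        for rule in self.rules:
            if rule.device_group and rule.device_group != device_group:
                continue  # metadata filter: this rule only applies to one device group
            if not rule.regex.search(message):
                continue
            window = self.windows[rule.name]
            window.append((time_s, device))
            while window and time_s - window[0][0] > rule.window_s:
                window.popleft()  # expire matches older than the window
            if len(window) >= rule.threshold:
                alert = Alert(rule.name, len(window), window[0][0], time_s,
                              sorted({d for _, d in window}))
                self.fired.append(alert)
                fired.append(alert)
                window.clear()
        return fired


# Constructed rules (assumed thresholds and windows).
RULES = [
    AlertRule("ssh-brute-force", r"failed password for", threshold=3, window_s=60),
    AlertRule("denied-ssh-to-server", r"deny tcp .* to 10\.0\.0\.5/22\b",
              threshold=2, window_s=30, device_group="Firewall"),
]

# Constructed stream: (time_s, device, device_group, message)
EVENTS = [
    (0,   "srv-auth-01", "Server",   "sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2"),
    (10,  "srv-auth-01", "Server",   "sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2"),
    (15,  "fw-edge-01",  "Firewall", "%PIX-6-106015: Deny TCP (no connection) from 203.0.113.7/51030 to 10.0.0.5/22 flags SYN on interface outside"),
    (25,  "srv-auth-01", "Server",   "sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2"),
    (40,  "fw-edge-01",  "Firewall", "%PIX-6-106015: Deny TCP (no connection) from 203.0.113.7/51031 to 10.0.0.5/22 flags SYN on interface outside"),
    (400, "srv-auth-01", "Server",   "sshd[1201]: Failed password for root from 198.51.100.2 port 40000 ssh2"),
    (500, "srv-web-02",  "Server",   "sshd[1201]: Failed password for root from 198.51.100.2 port 40001 ssh2"),
]


def replay(events, rules=RULES):
    """Feed a whole stream through a fresh engine and return the alerts in order."""
    engine = AlertEngine(rules)
    return [alert for ev in events for alert in engine.feed(*ev)]


if __name__ == "__main__":
    for a in replay(EVENTS):
        print(f"{a.rule}: {a.count} matches between t={a.first_time}s and t={a.last_time}s on {a.devices}")
```

The two late failures from the second source never reach the threshold because they are more than 60 seconds apart, so the engine stays quiet on them; the console, syslog, SMTP or SNMP delivery listed on the slide would hang off the returned Alert objects.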
![Page 53: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/53.jpg)
ArcSight Log Management for Compliance, Security & IT Operations
Log Management Needs (Compliance, Security, IT Operations)
Universal Event Collection
Scalable Architecture
Automated Analysis Lifecycle
High Performance Collection
![Page 54: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/54.jpg)
ArcSight Log Management for Compliance, Security & IT Operations
Log Management Needs (Compliance, Security, IT Operations)
Transaction Assurance
Minimal Footprint at Remote Sites
Audit & Litigation Quality Data
Storage Flexibility
![Page 55: First Aid for IT: Automated, Integrated & Dynamic Operations](https://reader038.fdocuments.us/reader038/viewer/2022110204/55d53499bb61eb335f8b468e/html5/thumbnails/55.jpg)
Continue the conversation with your peers at the HP Software Community hp.com/go/swcommunity