Vous êtes sur la page 1sur 37

ArcSight Express

Name :- Vasant Kumar, Channel Sales Engineer India & ASEAN


Date :- 13th October 2010

2009 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.

Agenda

Event Management Challenges ArcSight Express Product Overview

Rapid Implementation
Growth Path Q&A

Event Management Challenges

2009 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.

Millions Of Events From Disparate Sources


Firewalls Firewalls Firewalls Firewalls Firewalls/ Firewalls VPN Intrusion Detection Systems Vulnerability Assessment Network Equipment Sign-On Identity Sign-On Management Server and Desktop OS Directory Services Applications Applications Applications Applications Applications Applications Applications Applications Applications Anti-Virus Applications

Anti Anti Virus Databases Virus

Mainframes

User Attributes

Physical Infrastructure

Business Processes

Critical events lost in sea of events and most attacks and misconfigurations 100sgo ofcompletely Millions Events Per Day undetected

Islands of defense Overwhelming flood of logs Week long manual investigations

Massive false positives Heterogeneous consoles Many different formats

Missing an Attack can be Catastrophic

When Events Go Unnoticed, Bad Things Happen

Threat Response Time is Critical


How Long Does It Take To Respond Once a Problem is Discovered?

Reduce risk and cost by dramatically reducing the time it takes to effectively respond

Risk/Cost

Time to Remediate

An Event Management Solution


Must be able to : Collect events from a wide variety of sources Correlate and build context in real-time Analyze and prioritize the most critical events Shift focus to malicious activity and immediate threats Provide immediate risk identification and mitigation Scale without requiring a replacement solution

ArcSight Express Product Overview

2009 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.

ArcSight Express: Fast, Easy Security Automation


Your Security Expert In a Box

World-Class Event Correlation Capabilities Market-Leading Log Management Functionality Simple Browser-based Operator Console Handles Most Common Security and Compliance Issues Out of the Box
Perimeter & Network Security Monitoring Broad Compliance Controls

Minimal Administrative Overhead

2009 ArcSight Confidential

Targeted at Problems That Matter Most

Bot, Worm, and Virus Attacks


Is this a zero-day outbreak?

VPN Sneak Attacks


Where are my remote access connection requests coming from? Who are the top remote users that have auth failures? When do my remote users access my systems?

Hacker Detection
Who is attacking me? What are they attacking?

Bandwidth Hogs and Policy Violations


What users are bandwidth hogs? What protocols are they using? Which systems are affected by this worm or virus? Which user maps to this IP address?

Unauthorized Application Access


What servers are accessed most? Where are the most access events coming from? What systems have compromised accounts? Which users are generating the most login failures? Which critical systems have suspicious login activity?

System and User Impacts


Failed Audits, Fines and Penalties


Which reports are needed for this regulation? Which requirements are not in compliance?

Market Leading Integration


ArcSight Connectors

Collect native log formats from 275+ products Centralized or Distributed collection Normalize to a common format Device independent categorization Secure, reliable transport

Available options:

Rackable Appliances (C3000/C5100)

Branch Office/Store Appliance (C1000)

Installable Software

Benefit: Insulates device choices from analysis

ArcSight Express Event Collection: 275+ Products, 50+ Categories, 80+ Partners

Access and Identity Anti-Virus Applications Content Security Database

Data Security Firewalls Honeypot Host IDS/IPS Network IDS/IPS

Integrated Security Log Consolidation Mail Filtering Mail Server Mainframe

NBAD Network Management Network Monitoring Net Traffic Analysis Operating System

Policy Management Router Security Management Switch VPN

Vulnerability Mgmt Web Cache Web Filtering Web Server Wireless

Assured Integrity and Reliability with a Robust Connector Architecture

Events

Centralized Updates/Upgrades Compressed Event Stream

ArcSight Connector

Heartbeat Connection Bandwidth Management

ArcSight Monitoring

Follows NIST 800-92 Log Aggregation Guidelines

Normalization and Categorization

UNIX Failed Login Event

Oracle Failed Login Event

Windows Failed Login Event

Benefit: Future-proof your analysis and monitoring

Market Leading Correlation Engine


ArcSight Express Correlation

Real-time, in memory event analysis across 8 device categories Prescriptive, Pre-Built Correlation Rules Advanced Intelligence: millions of events important incidents

Data Center Rackable Appliance

Benefit: Focus scarce resources on relevant threats

ArcSight Express Correlation Helps Find Needles in the Haystack


Anti-Virus Databases

Network Equipment

Intrusion Detection Systems

Server and Desktop OS

Access Management

VPN Devices

Firewalls

Identified . threats

Millions: Raw Events Thousands: Security Relevant Events Hundreds: Correlated Events

Cross Device
Business-critical IT assets

Risk-based Prioritization

Critical Events Surfaced

Correlation
Intelligent Correlation For Real-Time Monitoring of Malicious Activity

In Memory Correlation
22 Real-Time Correlation Rules, Real-Time Monitoring

Statistical Correlation
Find Baselines and Report Deviations from Normal Behavior

Historical Correlation
Correlation of Past Events, Scheduled or On-Demand Correlation

Connector Categorization

Active Lists
Automatic Threat Escalation

Risk Based Prioritization


Reduction of False Positives

Pre-Built Rules
Immediate deployment

Leverage Core Technologies

Analyze and Investigate


Intuitive investigations allow forensics on the fly

Active Channels for interactive investigations Dashboards with Drill-to-detail 75 Prescriptive Reports 18 Pre-built dashboards with Drill-to-detail

Powerful And Flexible Reporting

Focused Monitoring Reports Asset-based

Categorization-based

Report Scheduling Multiple Distribution Formats URL or Email Attachment

HTML, XLS, PDF, RTF, CSV Key Reporting Categories: User Login Tracking Bandwidth Usage Top Activity User Change Tracking Perimeter Security

ArcSight Express for Compliance

Correlation Rules and Reports that can map to Multiple Regulations

Coverage for SOX, PCI, HIPAA, ISO 17799, NIST, FISMA

Major focus areas derived from NIST 800-53 Guidelines Authentication Availability Workflow Attacks Access control policies Virus/Worm/Malware activity Configuration Management

Key ArcSight Express Compliance Reports


External Logins to Critical Systems Failed Database Access Logins to Email Systems Administrative Logins and Logouts by Asset Successful Brute Force Logins

Top 10 Unsuccessful Administrative Logins


Failed Anti-Virus Updates By Host Virus Summary Most Frequent 10 Targets

Device and Operating System Configuration Modifications

Real-Time Alerting

Real-time, Correlated Alerts Alert actions can be configured for Critical Events Complete Case Management Notifications Email, pager or text message delivery SNMP alerts to leverage network management response teams Notification Groups Priority Based Escalation of Notifications

Built-in Case Management


Cases and Workflow for compliance verification Cases: Create specific incidents for specific event occurrences Stages: Process cases through predefined, collaborative workflow definitions Attachments: Add additional context for incidents

Market Leading Long-term Storage


ArcSight Logger

Efficient, self-managed archiving of 8 terabytes of log data

Fast and Flexible Search Capability without traditional compromises


Raw or normalized format Automated enforcement of multiple retention policies

Data Center Rackable Appliances

Benefit: Long Term retention and Fast Search

ArcSight Express vs. The Competition


Cross Device Correlation and Reports Correlation Multi-session, asset information, moving average correlation Centralized or Distributed Collection, Secure Guaranteed event delivery Drill-downs, Active Channels from Dashboards Dynamic Rules through Session/Active Lists Lights Out Operation, Focused Management/Response UI Dedicated Design Console Robust Case Management/Workflow Notification Escalations Flex-Connector support option Future Proof Analysis from Technology Choices

? ? ?

Over a Thousand Reports Complex and Confusing Out of Box Content

10x Simple Analysis Taxonomy FEWER Reports neededwith to Categorization detect threats 10x FEWER Reports needed to detect threats Compliance Content by leveraging categorization and Network Monitoring Perimeter Compliance Content Perimeter and Network Monitoring

Compliance Content Perimeter and Network Monitoring

ArcSight Express

Competition

Rapid Implementation

2009 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.

First Boot Wizard

Connector Wizard

Network Modeling Wizard

ArcSight Express Professional Service Offering

5 days of on-site implementation services covering the following:

Appliance setup Installation of up to 8 connectors from the list of correlated event types Basic Network/Asset Modeling guidance Content tuning, as necessary Product tutorial

Additional costs items include FlexConnector development, extensive network/asset modeling work, additional content and connector deployment

ArcSight Express Deployment Options: Centralized or Distributed


Supports Many Logs and Log Formats Syslog Connector

File Based Logs ArcSight Express

3rd Party Logs

Growth Path

2009 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.

Integrated Growth Path

Databases
Sensitive Data Security

Guided Response

Users
User Activity Monitoring

ArcSight ESM

ArcSight Express

Transactions
Application Transaction Security

Infrastructure
Fraud Detection

Benefit: Common Collection, Low TCO and Seamless integration


www.arcsight.com 2009 ArcSight Confidential 33

What Makes ArcSight Unique

Unmatched in

Interoperability

Correlation

Scale

Summary

Proven, integrated technology for monitoring and controlling security and risk Designed to fit within todays IT environment while insulating tomorrows decisions Simplified form factor, easy deployment and immediately time to value

Market Share Leader

SIEM Leaders Quadrant SIX Years Running

Protect Your Business, Choose The Best

Questions?
For More Information:

ArcSight Inc.: www.arcsight.com


Webcasts: www.arcsight.com/news_webinars.htm Collateral: www.arcsight.com/whitepapers.htm

2009 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.

Pre-Built Content for Top Scenarios

Cross Device Reporting


Top Bandwidth Users Configuration Changes Successful and Failed Logins Password Changes Top Attackers and Internal Targets Top Infected Systems All AV errors AV Signature Update stats Consolidated Virus Activity AV Configuration Changes

Network Devices Reporting


Network Device Errors and Critical Events Network Device Status and Down Notifications Bandwidth Usage Configuration Changes by User and Change Type Successful and Failed Logins Top Connections

Anti-Virus Reporting

VPN Device Reporting


VPN Authentication Errors Connection Counts Connection Durations Connections Accepted and Denied Successful and Failed Logins Top Connections Top Bandwidth Users VPN Configuration Changes

Database
Database Errors and Warnings Database Successful and Failed Logins Database Configuration Changes

IPS/IDS
IPS/IDS Alert Metrics Alert Counts Top Alert Sources and Destinations Top Attackers and Internal Targets

Operating System Reporting


Privileged User Administration Successful and Failed Logins Configuration Changes

Access Management
User Authentication across hosts Authentication Success and Failures User Administration Configuration Changes

Firewall Reporting
Denied Inbound Connections Denied Outbound Connections Bandwidth Usage Successful/Failed Login Activity