ArcSight - Staffing Guide for Intelligent Security Operations Center (SOC)
- Pavan Raja

- Apr 8, 2025
- 19 min read
Summary:
The page summarizes a Micro Focus white paper on staffing a Security Operations Center (SOC): staffing practices, the roles inside a SOC, and how to grow its capability over time. Key points:
1. **Staffing Practices**:
   - Schedule analysts against the operational requirement (24x7, 8x5 or 12x5 coverage).
   - Keep at least two analysts on shift at any time, to share the workload and prevent burnout.
   - Pair junior analysts with more experienced Level 1 and Level 2 colleagues.
   - SOC shift leads supply senior experience, manage operational tasks, run training and mentoring, cover breaks and holidays, and step into Level 2 duties when needed.
   - Every analyst should be able to work at least one weekend, giving redundancy for vacations, holidays, PTO and emergencies.
2. **Role of SOC**:
   - The ArcSight Enterprise Security Manager (ESM) workflow provides integrated case management and event annotation from initial triage through investigation, with an escalation path to the Security Incident Response Team.
   - A SOC needs more Level 1 than Level 2 analysts, because Level 1 handles the broad stream of routine events before they become incidents.
3. **Strategic Planning**:
   - Do not add headcount in response to symptoms alone; first understand the underlying issue and plan, whether by re-prioritizing effort or building tools that make the workflow more efficient.
   - That plan may mean dropping work that does not fit the SOC's mission or vision, adding capabilities for emerging threats, extending operating hours, or improving risk management.
4. **Maturity and Capabilities**:
   - Analyst time spent on administrative rather than analytical work leaves events undetected and resources misallocated. Risk-based prioritization gives the SOC clear objectives and a targeted focus.
5. **Incremental Improvement**:
   - Start small and build capability gradually, with help where needed from consultants such as Micro Focus Consulting, whose offerings include ArcSight for hardening an organization's attack surface and defending against advanced threats.
In summary, the passage underscores the importance of a well-planned staffing strategy within a SOC, the role of different analyst levels, and how organizational maturity can be improved through strategic planning and tool development. It also highlights the role of specialized consulting services in enhancing cybersecurity capabilities for organizations.
Details:
The document "White Paper on ArcSight Intelligent Security Operations" provides a comprehensive guide for staffing and managing a SOC (Security Operations Center). It outlines key aspects including staffing considerations, roles and responsibilities within a SOC, metrics used, automation implementation, different staffing models, scheduling practices, and roadmap for growth. Additionally, it briefly introduces Micro Focus Security and its product offerings.
The paper begins by acknowledging the primary challenge faced by security operations organizations: finding adequate talent to meet the demands of cybersecurity tasks. It then goes on to discuss various aspects of building a competent SOC team, including staffing considerations such as role definitions and responsibilities in Section 2. The concept of metrics is introduced in Section 3, which are crucial for evaluating performance and progress within the organization's security operations.
Automation (Section 4) plays a significant role in modern security operations. Section 5 covers the staffing models a SOC can adopt, Section 6 the scheduling practices that keep workflow and resource use efficient, and the roadmap for growth describes how to expand capacity while holding performance steady in a changing threat landscape.
Finally, Section 7 concludes with an overview of Micro Focus Security's offerings and its commitment to providing comprehensive solutions for enhancing security operations capabilities. This guide serves as a valuable resource for organizations looking to establish or enhance their SOC, balancing technological advances with human expertise to effectively counter the ever-evolving threats in digital environments.
The article discusses the challenges faced by organizations when building a Security Operations Center (SOC). It highlights that optimal staffing may not always be achievable, but it's crucial for prioritizing what matters most to ensure smooth operations. The article addresses several questions such as "what does it take to staff a SOC?", "how to get started?", "how to prioritize?" and "how to utilize resources?".
An organization with no security intelligence capability can still build a SOC from scratch, starting with a few security experts and a fraction (the article says one-third) of the eventual investment. The article discusses hiring experienced analysts from the marketplace and the cultural and process friction that brings: the quality of existing SOCs varies widely, so analysts hired from them arrive with habits formed elsewhere, and assembling a full team of them often produces conflicting and inconsistent practices.
SOC analysts are what give a SOC operational consistency and predictability. An experienced analyst hired from the market is looking for career progression and is unlikely to accept another Level 1 position. Organizations must work to retain their top-performing analysts, and should recognize that prior SOC experience does not by itself make a candidate the right fit for a lower-level role unless that is specifically demonstrated.
When starting from scratch and having a budget to fill exactly three SOC roles, it's recommended by Micro Focus to focus on key areas such as a SOC manager, security analyst, and SIEM content author or engineer. These positions are vital for strategic planning, operational expertise, threat intelligence, incident response, and device engineering within the SOC environment.
A three-person SOC starts as an 8x5 operation and will lean heavily on automation, metrics, up-front design effort and possibly a third-party provider (hybrid staff augmentation or a managed security service) for the hours it cannot cover itself. The more care and resources invested in the program's initial design, and in making it sustainable, the better its long-term outcomes for the organization's security.
In conclusion, starting a new SOC involves strategic selection of roles tailored to specific expertise required at each level (manager, analyst, content author/engineer), coupled with significant upfront planning and potential third-party support to ensure operational effectiveness from the outset.
The provided text discusses various aspects of a Security Operations Center (SOC), including roles, responsibilities, resource utilization, and management. It emphasizes the importance of clear definitions of roles and responsibilities within the SOC to avoid accountability gaps, which can lead to catastrophic security issues if individuals assume that tasks are someone else's responsibility.
Specialized roles improve efficiency and effectiveness: L1 analysts handle routine triage, L2 analysts take the deeper investigations, and engineers own the technology. With automation, such a SOC can run as a hybrid 24x7 operation, using a managed security service (MSS) for after-hours monitoring.
Leadership in the SOC starts with the SOC manager, who has the responsibility to implement processes, procedures, and performance indicators related to security incidents and prevention management. This includes managing day-to-day operations, ensuring SLAs are met, and following policies and procedures. The SOC manager is ultimately accountable for achieving the goals of the SOC program through these managerial duties.
In summary, the text highlights the importance of a structured approach to roles and responsibilities within a SOC to ensure efficient operation, effective incident handling, and minimal responsibility overlap that could lead to security issues.
The provided text outlines the responsibilities and tasks of a Level 1 Security Analyst in a SOC (Security Operations Center). These include overseeing daily operational procedures, managing scheduling and tasking, ensuring effective incident management, identifying chronic issues, collaborating with external teams, documenting training requirements, and participating in process improvement. Key specific duties involve monitoring security events using various log sources such as firewalls, systems, network devices, web proxies, intrusion detection systems, antivirus systems, and investigating events for rapid identification, categorization, prioritization, and handling them according to established protocols.
Level 2 Security Analysts own the successful completion of every procedure executed while they are in the SOC. They document and measure subordinate procedures, improve them through research and intelligence gathering on emerging threats and exploits, and perform information fusion by feeding data inputs back to operations and engineering. Day to day this means monitoring security incidents in Micro Focus ArcSight Enterprise Security Manager (ESM), performing initial investigation and triage of potential incidents, and escalating or closing events as appropriate. They also monitor relevant activity from the analyst shifts, update or reference the SOC collaboration tools when processes and procedures change, document investigation results, maintain shift logs, and perform the auxiliary responsibilities set out in the console monitoring procedure.
This document outlines the role of a Micro Focus ArcSight SIEM Engineer, who is primarily responsible for infrastructure and content development within the SIEM tool. The responsibilities encompass managing the architecture and performance of the ArcSight system, as well as performing all necessary administration, management, configuration, testing, and integration tasks related to this system. Additionally, they are tasked with developing reports and other content, ensuring that relevant information is gathered and disseminated according to SOC requirements. Furthermore, the engineer serves as a backup analyst for potential coverage gaps to ensure business continuity, investigates incoming events using available tools, addresses level 1 events promptly, escalates necessary matters, mentors junior analysts, and acts as a detection authority. They also conduct security research and intelligence gathering on emerging threats and exploits, serve as shift subject-matter experts (SMEs), and perform other related tasks to enhance the SOC's capability in detecting incidents.
The Micro Focus ArcSight Engineer is responsible for overseeing the administration, operation, and maintenance of the system infrastructure, ensuring it meets established service-level objectives. Key tasks include developing standard procedures, maintaining technical architecture, performing routine equipment checks, creating documentation, responding to on-call support issues, managing new product releases, and deploying content such as dashboards, rules, filters, and active channels for effective SOC monitoring and response capabilities. Additionally, the role involves coordinating incident collection, management, and handling escalations from the SOC, as well as performing collateral duties in backup to security engineering responsibilities.
The Incident Response Manager (IRM) plays a crucial role in ensuring that the goals of a Security Operations Center (SOC) are achieved through the implementation of effective processes, procedures, and performance indicators related to both security incident prevention and management. Their responsibilities include collaborating with senior management to refine emergency response and crisis management plans, testing these plans for effectiveness, maintaining their relevance through lessons learned and business requirements, and handling escalations from the SOC to internal business units.
The IRM is responsible for managing incidents throughout their lifecycle, directing forensic analysis on affected systems, compiling root cause analyses and resolution metrics, tracking lessons learned, and ensuring that this information is documented and shared appropriately. They also serve as a key point of contact for critical security events and incidents, providing expert guidance to both internal business units and the SOC lead for escalation and remediation.
In addition to these duties, the IRM handles all incidents requiring escalation from level 2 or level 1 analysts, investigates cases until closure, recommends corrective actions for data security incidents, communicates with implementation staff, and leads efforts in monitoring, reporting, and responding to information security incidents based on external threat indicators, industry trends, and lessons learned.
Overall, the IRM is responsible for establishing and maintaining a mature incident management program, ensuring that processes are robust, procedures are well-defined, and performance indicators are effective in managing both potential threats and actual security incidents within the organization.
The document "Intelligent Security Operations: A Staffing Guide" from Micro Focus next describes the Security Engineer, whose main focus is the security infrastructure itself: firewalls, anti-virus software, intrusion detection systems and similar controls. The engineer develops and implements standard procedures for administration, backup, disaster recovery, operation and system maintenance, including:
1. Operating system security hardening
2. Backup management
3. Capacity planning
4. Change management
5. Version and patch management
6. Lifecycle upgrade management
The engineer also maintains the technical architecture of the infrastructure systems and ensures every component meets its service-level objectives for uptime, which means the engineer must:
1. Perform routine equipment checks and preventative maintenance
2. Create and maintain up-to-date documentation of designs and configurations
3. Manage new product releases, policy and integration testing, security testing, and vendor management
4. Maintain hardware or software revisions, applicable content, security patches, hardening, and documentation
5. Deploy content (policies, signatures, or rules) for the security infrastructure
6. Coordinate and conduct event collection to improve response time in case of incidents.
The job description outlines the responsibilities and tasks associated with a Forensic Investigator role. Key duties include conducting forensic analyses on systems to identify root causes of issues and tracking metrics, lessons learned; using forensic tools and methods to find specific electronic data such as internet use history, documents, images, and files; disseminating and reporting cyber-related activities including vulnerability analyses and risk management of computer systems; and recovering information from computers and data storage devices. Additionally, the role involves investigating escalated cases until closure, recommending appropriate corrective actions for data security incidents, which include investigation and recommendation of measures to enhance data security.
The Hunt Analyst role as listed includes communicating with implementation staff, performing post-mortem analysis of logs and traffic flows to identify malicious activity, researching and developing tools to test security event detection, reverse engineering binaries and files to analyze malicious artifacts, managing the chain of custody for forensic evidence, retrieving data from damaged devices and documenting the retrieval process, testifying in court about collected computer evidence, keeping current with new methodologies and technology, contributing to research projects, attending professional conferences, maintaining proficiency in current skills, providing input on the operation of information security systems, and ensuring compliance with the organization's cyber security standards. The focus is on detecting emerging threats, vulnerabilities and potential weaknesses; the list also includes training law enforcement officers on the proper handling of computer evidence.
A hunt starts from cyber threat intelligence or internal awareness, forms a hypothesis, and tests it by collecting and analyzing data. The hunt analyst designs the queries, models and hypotheses used to find anomalies and malicious activity on the network, relying primarily on manual methods and techniques rather than automated alerting.
The hunt analyst's role can be broken down into several key tasks, which may include:
1. **Designing Queries, Models, and Hypotheses**: This involves creating educated guesses based on prior knowledge and observation to identify potential threats, vulnerabilities, and weaknesses in the network.
2. **Collecting and Analyzing Data**: The hunt analyst must gather necessary data to validate and refine the hypothesis formed earlier.
3. **Specialized Roles within a Team**: Depending on the maturity of the hunting program and the specific needs of the organization, roles such as intelligence analysts, network security analysts, data scientists, and incident responders may be filled by dedicated personnel or shared resources.
4. **Continuous Improvement**: Formal feedback loops and lessons learned are essential for continuous improvement in hunt operations.
Skills required for a hunt analyst include core business knowledge coupled with security analysis expertise. The ability to work effectively within a team and contribute specialized talents to the hunting process is crucial, as it allows for more focused detection efforts. Larger enterprise operations may have the capacity to fill these specialized roles, such as CSIRT involvement in joint remediation efforts. Ensuring full transparency throughout all hunts and fostering continuous improvement through formal feedback mechanisms are integral parts of the role.
The content provided outlines various aspects involved in the field of cybersecurity, focusing on different roles such as hunt analysts, security data scientists, and vendor liaisons. Hunt analysts are tasked with endpoint analysis, network attacks, forensics, and incident response, requiring them to be knowledgeable about analytical models, paradigms, data science basics, and emerging threats. They must manage large amounts of data from various sources efficiently by extracting, transforming, and loading the data appropriately. Data management includes schema management, size and retention management, format or storage management, as well as ensuring that data is accepted without additional conditions imposed on the source.
The role of a security data scientist collaborates with hunt analysts to explore indicators of threat within security data lakes, build algorithms for threat detection, and provide business intelligence reporting based on SOC (Security Operations Center) and enterprise needs. They are expected to remain updated with current and emerging threats by staying informed about the latest information security news, vulnerabilities, and detection methods.
The vendor liaison role involves operational vendor management, ensuring smooth communication and collaboration between the organization's internal teams and external vendors in the realm of cybersecurity.
From a real-time security perspective, managing interactions with all vendors, including cloud providers, has become crucial. The risks faced by businesses have become increasingly dispersed, making it necessary to assign a specific individual whose role is to collaborate with these vendors. This person must ensure that the required controls are being provided and that service levels align with contractual agreements. The role demands expertise in governance, investigation, and incident response, as well as the ability to handle incidents and investigations for environments not directly owned by the business. As businesses expand and increase their reliance on third-party relationships and multiple vendors, this position is growing in importance.
In the public sector, a Watch Officer plays a pivotal role within the security operations team. They are responsible for managing, motivating, developing, and supporting the team members, as well as potentially leading the incident response team. Key responsibilities include overseeing the creation and maintenance of standard operating procedures (SOPs) for the Security Operations Center (SOC), ensuring staffing coverage across shifts, coordinating escalations for security issues, managing technology implementation, automation, and maintenance for monitoring and administrative tools, and tracking key performance indicators such as metrics and SLAs. The Watch Officer also contributes to strategic decision-making within the government by providing expert advice in matters of security operations. They are expected to develop and maintain leading practices and expertise in SIEM or SOC setups, ensuring successful delivery of SOC operations from a day-to-day tasking perspective, and completing all tactical security intelligence tasks related to people and processes for this engagement.
This text outlines various processes and procedures required for maintaining security intelligence within a SOC (Security Operations Center). It emphasizes the importance of effective communication with all stakeholders, including regular status updates. The role involves contributing to ESM content such as rules, reports, and developing new use cases while serving as the primary contact for reviews. Additionally, it requires project management and strategic oversight for onboarding new customers, managing resource schedules to meet coverage requirements and budget, improving performance, boosting risk management, and acting as an escalation point for all SOC-related issues.
The text also describes various roles within the SOC such as Level 1 analyst (L1), Level 2 analyst (L2), Security engineer, Incident handler, SIEM content author, Forensic investigator, Hunt analyst, and others like security data scientist, vendor liaison, watch officer. It highlights that metrics related to cases by status, monthly cases severity, event categories, closure reasons, time to resolution, and events per analyst hour can be useful in analyzing long-term trends and forecasting staffing needs.
Staffing and sizing a SOC should start from the hours that must be covered and the work arriving in them, not from headcount alone; adding people does not by itself make the SOC more effective. The paper's key workload metric is EPAH, events per analyst hour: the number of events an analyst triages in an hour of console time. It gives a target band of 8 to 12 events per analyst hour, which leaves enough time per event for analysts to triage and escalate properly. If EPAH sits persistently above that band, too much is being asked of the analysts, and the remedy is some combination of more staff, a reduced event load (tuning, automation) or revised SLA requirements.
Efficiency in event management can be improved through automation, which allows for better handling of vast amounts of data typically generated by modern enterprises. SIEM platforms are evolving to handle big data volumes and must support advanced threat detection mechanisms that leverage incident orchestration and automation systems. Investing in skilled professionals who can maintain and manage automated systems will become increasingly crucial as the role of automation in security operations becomes more critical.
The article discusses enhancing security monitoring by focusing on intelligent security operations, automation, and staffing models. To improve visibility and understanding in IT management and IT security, it recommends leveraging tools like NetFlow and Microsoft® System Center Configuration Manager (SCCM) within a security program.
The article recommends raising the level of automation so that investigative tasks and incident workflows run through smart, robust security automation tooling. The emphasis shifts from brute-force analysis toward automated hunting and near-real-time investigation backed by real-time data analysis.
Security convergence involves aligning IT management and IT security for better visibility and understanding by leveraging existing applications like NetFlow and Microsoft SCCM in the SIEM solution or via right-click tools menu options in ESM. This allows analysts to access critical threat detection information and specialized dashboards/reports, reducing assessment timelines during incidents.
For effective automation, consider incorporating IT management tools for managing service performance and availability, as well as using existing tools to augment security team capabilities. Additionally, leveraging additional applications such as Micro Focus Asset Manager or a CMDB can provide value add.
The staffing model will evolve based on the business's needs, focusing on protecting assets with minimal impact on operations. The SOC may be virtual and involve event collection, analysis, alerting, and reporting, evolving according to the organization's requirements.
The article discusses the staffing needs of a Security Operations Center (SOC) and provides guidelines to follow when implementing different staffing models. According to the article, SOC analysts should never work alone during their shifts due to potential safety and performance issues that can arise. Each shift role within the SOC must have clearly defined responsibilities and deliverables with no ambiguity in expectations from each analyst at any given time. Workload and output should be regularly measured, and adjustments such as schedule changes or staffing levels should be made accordingly to avoid overloading analysts.
Shift turnover is where oversights and errors creep in, so each shift needs a clear hand-off to the next, ideally with overlapping shifts, and a formal shift log recording anything that needs further attention. Night-shift analysts in particular need regular communication with the rest of the team and scheduled time for joint work. To sustain 24x7x365 operation the paper sets a minimum of 10 analysts: four rotations of 12-hour shifts, each staffed by at least two analysts (8 analysts), plus two more experienced Level 2 analysts on an overlapping 8x5 shift who cover planned and unplanned absences.
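As an added example (not from the white paper and not ArcSight ESM code), the following Python computes the metrics listed earlier in the page, cases by status and severity, closure reasons, time to resolution and events per analyst hour, over a constructed set of case records for one day shift, checks EPAH against the 8 to 12 band, and applies the 24x7 headcount arithmetic from the paragraph above (four 12-hour rotations, two analysts on shift, two float Level 2s). The record layout, the sample data and every function name are this example's own assumptions.

```python
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class CaseRecord:
    """One SOC case. The field layout is this example's own, not ESM's schema."""
    case_id: str
    analyst: str
    severity: str
    status: str                  # "open", "escalated" or "closed"
    closure_reason: str          # empty unless status == "closed"
    opened: datetime
    closed: Optional[datetime]
    events: int                  # events annotated into the case


def _t(hhmm: str) -> datetime:
    return datetime.strptime(f"2025-04-08 {hhmm}", "%Y-%m-%d %H:%M")


# Constructed sample: one 8-hour day shift worked by two analysts (assumed data).
SAMPLE_CASES = [
    CaseRecord("C-1", "alice", "high",   "closed",    "remediated",     _t("09:00"), _t("10:30"), 40),
    CaseRecord("C-2", "alice", "medium", "closed",    "false_positive", _t("09:15"), _t("09:45"), 12),
    CaseRecord("C-3", "bob",   "low",    "closed",    "duplicate",      _t("10:00"), _t("10:10"), 5),
    CaseRecord("C-4", "bob",   "high",   "escalated", "",               _t("11:00"), None,        30),
    CaseRecord("C-5", "alice", "medium", "open",      "",               _t("14:00"), None,        8),
    CaseRecord("C-6", "bob",   "low",    "closed",    "false_positive", _t("15:00"), _t("15:20"), 45),
]
SAMPLE_HOURS_WORKED = {"alice": 8.0, "bob": 8.0}   # console hours per analyst this shift


def cases_by(records: Iterable[CaseRecord], field: str) -> Dict[str, int]:
    """Count cases by 'status', 'severity' or 'closure_reason' (empty values skipped)."""
    return dict(Counter(getattr(r, field) for r in records if getattr(r, field)))


def median_minutes_to_resolution(records: Iterable[CaseRecord]) -> float:
    """Median open-to-close time over closed cases, in minutes."""
    durations = [(r.closed - r.opened).total_seconds() / 60
                 for r in records if r.status == "closed" and r.closed is not None]
    return median(durations) if durations else 0.0


def events_per_analyst_hour(records: Iterable[CaseRecord],
                            hours_worked: Dict[str, float]) -> Dict[str, float]:
    """EPAH per analyst, plus the shift-wide figure under the key 'all'."""
    events: Counter = Counter()
    for r in records:
        events[r.analyst] += r.events
    epah = {a: events[a] / h for a, h in hours_worked.items() if h > 0}
    epah["all"] = sum(events.values()) / sum(hours_worked.values())
    return epah


def assess_epah(epah: float, low: float = 8.0, high: float = 12.0) -> str:
    """Compare EPAH with the paper's 8-12 target band."""
    if epah > high:
        return "over_target"    # too much asked per hour: add staff, cut load, or revise SLAs
    if epah < low:
        return "under_target"   # below the band; investigate before concluding staff is spare
    return "within_target"


def minimum_analysts(coverage_hours_per_week: int, hours_per_analyst_per_week: float,
                     min_on_shift: int = 2, float_l2: int = 2) -> int:
    """Headcount so that min_on_shift analysts cover every hour, plus float Level 2s.
    24x7 with 12-hour rotations: 168 / 42 = 4 rotations * 2 + 2 = 10 (the paper's minimum)."""
    rotations = math.ceil(coverage_hours_per_week / hours_per_analyst_per_week)
    return rotations * min_on_shift + float_l2


if __name__ == "__main__":
    for field in ("status", "severity", "closure_reason"):
        print(field, cases_by(SAMPLE_CASES, field))
    print("median minutes to resolution", median_minutes_to_resolution(SAMPLE_CASES))
    for who, value in events_per_analyst_hour(SAMPLE_CASES, SAMPLE_HOURS_WORKED).items():
        print(f"EPAH {who}: {value:.2f} ({assess_epah(value)})")
    print("24x7 minimum analysts", minimum_analysts(168, 42))
```

Run over a week or a month of exported case data rather than one shift before acting on the EPAH verdict; a single shift is dominated by whatever happened to fire that day, and the paper's point is the trend.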
The passage discusses the challenges and considerations for building and operating a Security Operations Center (SOC) within highly virtualized and dispersed environments such as BYOD, IoT, and cloud services. It emphasizes the importance of having visibility into vendor partner environments due to the less controlled ecosystem present in these settings. Analysts need expertise not only in network traffic and threat detection but also in handling highly virtualized cloud environments and understanding cloud vendors' processes. The past decade has seen a shift from traditional managed security service provider (MSSP) SOCs to on-premises dedicated centers, with analysts now focusing more on hunting and investigation skills. Enterprises face challenges accessing skilled resources, leading them towards hybrid staffing models that combine in-house expertise with outsourcing. These new models allow for less reliance on internal staff while maintaining control over critical detection capabilities, with the ability to vary capability levels between in-sourced and outsourced teams based on risk assessments.
The article discusses the varying approaches to staffing in cyber defense, with a focus on managed security services (MSS) providers versus internal teams. It notes that while MSS providers may not possess as thorough an understanding of an organization's specific needs as an internal team, they can still offer value through hybrid models. Many companies are transitioning towards building and operating 24x7 in-house capabilities or using a combination of both internal and external resources to manage their cyber defense.
Hybrid cyber defense teams utilize a blend of internal staff and MSS providers to execute their defense strategies effectively. These environments necessitate advanced process maturity to handle incidents efficiently, as hybrid staffing models can exacerbate issues like attrition or skill gaps by making recovery more costly. Organizations adopting this approach must meticulously manage escalation and shift turnover between in-house and outsourced roles to maintain information flow and optimal response capabilities.
When it comes to scheduling analysts for shifts, the article recommends considering factors such as operational requirements (e.g., 24x7x365, 8x5, or 12x5 schedules) and overall security responsibilities. A general guideline is that at least two analysts should be on shift at any given time to manage workloads and prevent burnout among the team. Additionally, junior analysts are typically paired with more experienced colleagues (level 1 and level 2 analysts), contributing to a balanced and supportive work environment.
The article discusses the optimal staffing practices in a Security Operations Center (SOC), emphasizing the importance of having more Level 1 analysts compared to Level 2 analysts. It highlights that the ArcSight Enterprise Security Manager (ESM) workflow is designed to use either a Level 1 or Level 2 model, with integrated case management and event annotation for initial triage through investigation stages, all the way to escalation to the Security Incident Response Team.
The role of SOC shift leads is crucial as they provide senior experience and accountability during shifts, manage operational tasks by priority, facilitate analyst training and mentoring across all shifts, and ensure coverage during breaks like lunchtimes. They also take on Level 2 responsibilities when needed. The article suggests that analysts should be able to work at least one weekend to balance the workload and provide redundancy through built-in staffing for vacations, holidays, PTO, or emergencies. It emphasizes the need for holiday coverage as if it were a normal business day but with minimal staffing. Additionally, on-call services are provided for after-hours monitoring of critical use cases or incidents, and consideration should be given to workday hours and weekend coverage based on local employment standards.
The passage emphasizes that organizations should not rely solely on increasing headcount in response to the symptoms they are experiencing. Instead, security leaders must thoroughly understand the underlying issues before formulating a plan. As business owners of the SOC (Security Operations Center), their primary responsibilities include aligning business strategies and tactics with financial responsibility.
To justify execution plans, organizations may need to:
1. Transition work items that do not align with their mission or vision, and re-prioritize efforts accordingly.
2. Develop applications or tools for improved workflow efficiencies and automation.
3. Incorporate new capabilities to address emerging threats or risks, establish analytics, or extend operational hours like 24x7 availability.
The passage also highlights potential issues in SOCs such as an inability to prioritize tasks effectively, which leads to low capability and maturity in protecting the organization's assets. It suggests that more mature approaches involve risk-based prioritization for clear objectives and targeted focus. Additionally, it criticizes inefficient use of administrative tasks over analytical ones, leading to insufficient event detection and misallocation of resources. The passage concludes with a question about whether the daily responsibilities or tasks in a SOC are aligned with its mission and vision statement.
This text discusses the importance of establishing comprehensive security monitoring and incident response capabilities within organizations to effectively manage potential threats and incidents. It highlights that in certain situations or scenarios, additional resources such as full-time equivalent (FTE) headcount, contingent staffing, budgetary allotments, or organizational realignment may be required to address growing operational issues. To handle these scenarios, the organization should build its security monitoring and incident response capabilities by putting comprehensive monitoring in place and dedicating Security Operations Center (SOC) staff to specific shifts. The text also mentions certain triggers that might lead to an increase in SOC headcount, such as expansion of EPAH (Environmental Protection Agency Homeland Security), compliance with new regulations like the General Data Protection Regulation (GDPR), and expanding coverage or 24x7 services.
The article concludes by emphasizing the importance of a tailored approach for each organization based on its unique security expertise, posture, risk tolerance, compliance requirements, and budget, while noting that all organizations share the common goal of hardening their attack surface and detecting and responding to threats efficiently. It suggests starting small and gradually building up the necessary cybersecurity operations capabilities, with the help of consultants such as Micro Focus Consulting. The text also provides information about Micro Focus, a leading provider of security and compliance solutions, offering products such as ArcSight and Fortify that support organizations in mitigating risk and defending against advanced cyber threats in their hybrid environments.
This text is about a Maryland-based company called Micro Focus that creates an "intelligence platform" for protecting businesses from cyber threats. They offer advanced tools like correlating data, protecting applications, and defending networks to safeguard hybrid IT infrastructure in today's complex digital environment. Their services are designed to protect big companies against sophisticated cyber threats by taking a holistic approach, combining operational expertise with proven methodologies to enhance cyber threat management and regulatory compliance. To learn more about their solutions, visit the website at software.microfocus.com/arcsight.