HP ArcSight Technical Overview - EA Extra Notes v02.1
- Pavan Raja

- Apr 8, 2025
- 2 min read
Summary:
The notes describe HP ArcSight's log management and SIEM platform, with emphasis on preserving log data as digital evidence under strict chain-of-custody controls so that it holds up in litigation. They cover performance and scaling features such as priority-based caching and horizontal scaling through logger cubes, and the principle that alerts must be actionable rather than disruptive. The correlation techniques discussed are location correlation, session correlation and vulnerability-based correlation, each a way of turning raw events into evidence of a likely threat. The notes close by stressing that effective threat monitoring needs visibility across every kind of activity on the network, especially in large or legally sensitive environments.
Details:
The notes cover a platform for collecting and retaining log data in large organisations and legal environments, where logs may later be needed as evidence. The chain of custody described in the text requires an exact, tamper-evident record of every piece of digital data that may enter legal proceedings, and above all that no data is ever lost. The example given is a lightning strike over a weekend: the collection systems were temporarily unavailable, and restoring the data was delayed, but the records themselves survived intact.
The platform uses priority-based caching for performance, supports ingest rates of up to 100K events per second (EPS) and searches that scan millions of records per second, and scales horizontally by adding logger cubes to absorb growing log volumes.
A further theme is that alerts must be actionable: an alert should carry enough context that the recipient can act on it, and low-value alerts should not page administrators at unsociable hours. To produce such alerts the platform applies several correlation techniques to identify threats and risks:
1. **Location Correlation**: Flags a user who logs in from two physically distant locations at, or close to, the same time. Since one person cannot be in both places, the pattern indicates either a compromised credential or a shared account.
2. **Session Correlation**: Ties a user's login session (its start, end and source IP) to network-device logs generated from the same IP address during that window, so that otherwise anonymous firewall or proxy events can be attributed to a specific user. The same data also exposes sessions that last unusually long, which can indicate a hijacked or abandoned session.
3. **Vulnerability-based Correlation**: Weighs an observed attack against what is known about the target, so that an attack aimed at a system that is actually exposed to it ranks higher than the same attack against a system that is not. This gives a better estimate of the probability of a breach than the attack signature alone.
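The three correlation rules above, run over a handful of constructed events, as an added example. This is not ArcSight's own rule language or code; the event schema, thresholds (900 km/h implied travel speed, 12-hour session limit) and the sample logins, network events, IDS alerts and vulnerability-scan data are all assumptions made for the illustration.

```python
"""Location, session and vulnerability-based correlation over constructed events.
Added example; the schema, thresholds and helper names are assumptions, not ArcSight's."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass
class Login:                      # constructed authentication event (with geo-IP fields)
    user: str
    src_ip: str
    ts: datetime
    lat: float
    lon: float
    logout: Optional[datetime] = None   # None means the session is still open


@dataclass
class NetEvent:                   # constructed firewall/proxy event, carries no user name
    src_ip: str
    ts: datetime
    action: str


@dataclass
class Attack:                     # constructed IDS alert naming the CVE it tried to exploit
    target: str
    cve: str
    ts: datetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 6371.0 * 2 * asin(sqrt(a))


def location_correlation(logins, max_kmh=900.0):
    """Impossible travel: consecutive logins of one user whose implied speed exceeds max_kmh."""
    by_user = {}
    for ev in sorted(logins, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)
    hits = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            hours = (b.ts - a.ts).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                hits.append((user, a.src_ip, b.src_ip, round(km)))
    return hits


def session_correlation(logins, net_events, now, max_session=timedelta(hours=12)):
    """Attribute user-less network events to the login session active on the same IP at that
    time, and list users whose session (closed or still open as of `now`) exceeds max_session."""
    attributed = []
    for ne in net_events:
        for lg in logins:
            if lg.src_ip == ne.src_ip and lg.ts <= ne.ts <= (lg.logout or now):
                attributed.append((ne.ts, ne.action, lg.user))
    long_sessions = [lg.user for lg in logins if ((lg.logout or now) - lg.ts) > max_session]
    return attributed, long_sessions


def vulnerability_correlation(attacks, asset_vulns):
    """Rank an attack 'high' only when scan data says the target carries the exploited CVE."""
    return [(atk.target, atk.cve, "high" if atk.cve in asset_vulns.get(atk.target, set()) else "low")
            for atk in attacks]


# --- constructed sample data (assumed, not taken from any real environment) ---
T0 = datetime(2025, 4, 8, 9, 0)
LOGINS = [
    Login("alice", "10.0.0.5", T0, 51.5, -0.12, logout=T0 + timedelta(hours=2)),          # London
    Login("alice", "203.0.113.9", T0 + timedelta(minutes=30), 40.7, -74.0),               # New York, 30 min later
    Login("bob", "10.0.0.7", T0 - timedelta(hours=20), 51.5, -0.12),                      # open for 20+ hours
]
NET_EVENTS = [
    NetEvent("10.0.0.5", T0 + timedelta(minutes=10), "allow tcp -> 198.51.100.4:443"),
    NetEvent("203.0.113.9", T0 + timedelta(minutes=45), "deny tcp -> 198.51.100.7:22"),
    NetEvent("10.0.0.99", T0, "allow udp -> 198.51.100.53:53"),                           # no session on this IP
]
ATTACKS = [Attack("web01", "CVE-2014-0160", T0), Attack("web02", "CVE-2014-0160", T0)]
ASSET_VULNS = {"web01": {"CVE-2014-0160"}, "web02": set()}           # from a (constructed) scan


def run_example(now=T0 + timedelta(hours=1)):
    """Run all three rules over the sample data and return their findings."""
    return {
        "location": location_correlation(LOGINS),
        "session": session_correlation(LOGINS, NET_EVENTS, now=now),
        "vuln": vulnerability_correlation(ATTACKS, ASSET_VULNS),
    }


if __name__ == "__main__":
    for rule, result in run_example().items():
        print(rule, result)
```

The location rule fires on alice (London to New York in 30 minutes), the session rule attributes both firewall events on her two IPs to her and flags bob's 20-hour open session, and the vulnerability rule ranks the Heartbleed-style attempt high against web01 only, since web02 is not reported as carrying that CVE. Real deployments add a GeoIP lookup in front of the location rule and a VPN/NAT whitelist, since shared egress addresses otherwise produce both false impossible-travel hits and wrong session attributions.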
The text concludes by acknowledging that monitoring threats and risks keeps getting harder. Effective monitoring needs visibility across many kinds of activity at once: which systems are present on the network, new malware, access to confidential databases, user activity, third-party connections and more. Given the sheer volume of data involved, that visibility is only achievable with a platform that can collect, retain and correlate events at the scale described above.
