HP ArcSight Technical Overview - EA v01.1
- Pavan Raja

- Apr 8, 2025
- 4 min read
Summary:
The document highlights HP ArcSight ETRM (Extended Threat Response Manager) as a comprehensive solution for managing complex security threats in large enterprises. Key components include SmartConnectors, Logger, ESM (Event Stream Management), IdentityView, Insider Threat, and Pattern Discovery modules. The platform's differentiators are its ability to handle over 300 connectors, efficient data retention, sophisticated correlation for modern threats, scalability, customization options, seamless integration, low TCO, and proactive threat management.
HP ArcSight ETRM addresses security monitoring challenges by offering a flexible deployment from alerting to advanced mitigation strategies, supporting various logs and formats. It includes HP ArcSight IdentityView, which enhances the correlation of user activities across devices using unique identifiers, customizable notifications, and priority escalation based on event severity. Additionally, it features HP ArcSight Threat Detector for preventative maintenance and early threat detection through sophisticated data-mining technology.
HP ArcSight is part of the HP Enterprise Security Products suite, designed to provide reliable and future-proof IT security solutions against increasingly sophisticated cyber threats. Its standout features include a robust workflow engine, automated retention policies, Google-like search capabilities, multidimensional correlation, compliance automation, integration with HP Fortify for application security, and bidirectional integration with HP TippingPoint for threat response. The platform supports a scalable architecture capable of handling millions of event entries in real time, ensuring continuous situational awareness and reliable audit-quality collection mechanisms.
Details:
The document outlines the challenges in security monitoring and how HP ArcSight ETRM can address these issues. It provides an overview of the HP ArcSight ETRM platform, including its architecture, key components (SmartConnectors, Logger, ESM), modules (IdentityView, Insider Threat, Pattern Discovery), and the HP ESP Threat Response Ecosystem. The document also highlights HP ArcSight's differentiators, such as its ability to handle complex threats effectively with functions like 300+ connectors out of the box, efficient data retention, and sophisticated correlation for modern threats.
The overview includes technical details about the platform architecture, scalability, customization options, and deployment considerations. It emphasizes the importance of comprehensive collection, low total cost of ownership (TCO), seamless integration, and proactive threat correlation and retention in addressing security challenges. The document suggests that HP ArcSight ETRM can be deployed flexibly, with options ranging from alerting to advanced mitigation strategies, supporting various logs and log formats.
This document discusses HP ArcSight IdentityView, a security monitoring tool that enhances the correlation of user activities across various devices based on unique identifiers. The system allows for customizable notification messaging via email, pager, or text message and uses SNMP alerts to manage network management response teams. It also supports priority-based escalation of notifications through image dashboards and domain field sets.
ArcSight IdentityView extends the standard ArcSight Event and Resource Schema beyond 450 fields by defining additional fields and types such as domains, which can be associated with events based on common attributes. This helps in identifying and grouping events more efficiently. Additionally, ArcSight SmartConnector maps additional data fields to these domain fields for better utilization within the system.
The tool also provides a comprehensive view of user activity across all systems through detailed event correlation and identity mapping. It correlates common identifiers such as email addresses, badge IDs, phone extensions, and attributes like First Name, Last Name, Department, etc., to attribute events to unique identities, allowing for cross-device correlation.
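The cross-device identity mapping described above, as an added example (not ArcSight code; the identity directory, event shapes and identifier field names are constructed assumptions): events that each carry only one identifier type are resolved to one identity through a shared directory, then grouped per identity and per device.

```python
# Added example: correlate events from different devices to one identity via
# shared identifiers. Directory, events and field names are constructed.
from collections import defaultdict

ID_FIELDS = ("email", "badge_id", "phone_ext", "username")  # assumed field names

# Constructed identity directory: identifiers each log source emits per person.
DIRECTORY = [
    {"identity": "emp-1001", "first_name": "Ana", "last_name": "Ruiz", "department": "Finance",
     "email": "ana.ruiz@example.com", "badge_id": "B-7781", "phone_ext": "4412", "username": "aruiz"},
    {"identity": "emp-1002", "first_name": "Ben", "last_name": "Osei", "department": "IT",
     "email": "ben.osei@example.com", "badge_id": "B-7790", "phone_ext": "4420", "username": "bosei"},
]

# Constructed sample events from four device types; each carries one identifier.
EVENTS = [
    {"device": "badge-reader", "badge_id": "B-7781", "action": "door_open"},
    {"device": "vpn-gw", "username": "ARUIZ", "action": "vpn_login"},
    {"device": "mail-gw", "email": "ana.ruiz@example.com", "action": "send"},
    {"device": "pbx", "phone_ext": "4420", "action": "call"},
    {"device": "vpn-gw", "username": "ghost", "action": "vpn_login"},
]

def build_index(directory):
    """Map every (field, value) identifier to the unique identity id."""
    index = {}
    for rec in directory:
        for field in ID_FIELDS:
            if rec.get(field):
                index[(field, rec[field].lower())] = rec["identity"]
    return index

def resolve_identity(event, index):
    """Return the identity id behind an event, or None if nothing matches."""
    for field in ID_FIELDS:
        value = event.get(field)
        if value and (field, value.lower()) in index:
            return index[(field, value.lower())]
    return None

def correlate(events, index):
    """Group events by resolved identity; unattributed events land under None."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[resolve_identity(ev, index)].append(ev)
    return dict(grouped)

def devices_per_identity(grouped):
    """Distinct devices per attributed identity: the cross-device view."""
    return {ident: sorted({ev["device"] for ev in evs})
            for ident, evs in grouped.items() if ident is not None}
```

Events left under `None` are the ones no identifier in the directory could claim, which is the set an analyst would review for stale or missing identity records.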
HP ArcSight Threat Detector is another feature that uses sophisticated data-mining technology for preventative maintenance and early detection of threats. It creates baselines of activity (user, app, network) to identify previously undetected behavior patterns and stay ahead of potential exploits. These features are crucial in managing security risks, compliance issues, and IP protection across the organization.
In summary, HP ArcSight IdentityView enhances security monitoring by providing a detailed view of user activities through identity mapping, correlation of events based on unique identifiers, and proactive threat detection mechanisms.
HP ArcSight is a comprehensive security information and event management (SIEM) solution designed for large enterprises to effectively address the evolving threats in their IT environments. Key features of HP ArcSight include a robust workflow engine, automated retention policies, Google-like search capabilities, universal log storage, multidimensional correlation, compliance automation, and more.
Its standout differentiators are the incorporation of application security from HP Fortify, bidirectional integration with HP TippingPoint for threat response, and integration of reputation data from HP DVLabs. The solution also offers a Cloud Connections program that provides visibility into cloud data alongside the physical and virtual layers. It supports a scalable architecture capable of handling millions of event entries in real time, ensuring continuous situational awareness.
HP ArcSight stands out due to its reliable audit-quality collection mechanisms, superior correlation engine, identity correlation for generic user attribution, categorization-based content management, intuitive usability, rich functionality, extensive integration capabilities with various tools, and adaptive security features including threat feeds, priority evaluation, lists, and join-rules.
As part of the HP Enterprise Security Products suite, ArcSight is aimed at providing reliable and future-proof IT security solutions to tackle increasingly sophisticated cyber threats.