
HP ArcSight Technical Overview - EA v01 with Notes

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 6 min read

Summary:

The "HP Restricted 1" course focuses on enhancing enterprise security by addressing issues such as log overload, high false positive rates, and vendor-specific device islands. It introduces ArcSight, a SIEM platform that collects comprehensive log data, analyzes over 200 fields for threat detection, and improves breach early detection through advanced rule writing. The system includes an integration layer with connectors collecting logs from various sources, a core engine layer comprising Logger, ESM (Enterprise Security Manager), and TRM (Threat Response Module), a solutions module layer offering customizable modules like analysis rules and reports, and deployment flexibility. ArcSight is vendor-neutral, supporting multiple deployment options and numerous out-of-the-box connectors for diverse data sources. The course emphasizes the benefits of ArcSight's distributed architecture, intelligent connectors, and advanced capabilities in managing security events effectively.

Details:

The course or module titled "HP Restricted 1" focuses on simplifying and discussing enterprise security issues, such as breaches and threats to organizations. It highlights problems like an overwhelming flood of logs, high false positive rates, islands of defense caused by vendor-specific devices, and heterogeneous consoles that confuse security teams. The course discusses how ArcSight provides a leading SIEM platform that addresses these challenges through comprehensive log data collection, parsing out over 200 fields for analysis, and enabling advanced rule writing for threat detection. It emphasizes the importance of early breach detection and argues that ArcSight's capabilities in this area are superior to those of competitors.

This document outlines a comprehensive system for data collection and analysis called ArcSight, which is designed to help organizations manage security events effectively. The system consists of several layers that work together in an integrated manner but can be tailored to specific customer needs. Here's an overview of each component:

1. **Integration Layer**: This involves the use of connectors that collect various types of events and transmit them to core engines for further processing. Connectors are installed centrally under the supervision of ArcSight Manager, which facilitates log collection from over 275 commercial data sources including network devices, security systems, databases, operating systems, and apps.

2. **Core Engine Layer**: This layer includes three main products:

  • **ArcSight Logger**: Responsible for log management by collecting raw logs in various formats and translating them into a unified event format that can be analyzed across different systems.

  • **ArcSight ESM (Enterprise Security Manager)**: Acts as the correlation engine, enabling advanced analysis of security events to detect risks more effectively.

  • **ArcSight TRM (Threat Response Module)**: Offers automated response capabilities for threats detected through sophisticated correlation rules and threat profiling.

3. **Solutions Module Layer**: Above the core engines lies a customizable layer that provides various modules such as analysis rules, reports, and dashboards to present security and risk information in tailored ways according to user preferences or partner customizations.

4. **Deployment Flexibility**: ArcSight supports multiple deployment options for data collection, including a connectorless environment where connectors are centrally managed through ArcSight Manager. Alternatively, connectors can be distributed across the network on specialized devices like Syslog servers and management stations before events are processed at the central point. This distributed architecture offers benefits such as faster processing and better coverage over LAN/WAN networks.

5. **Connector Capabilities**: ArcSight Connectors are capable of collecting logs from a wide range of sources, translating them into a common event format for easier analysis, and supporting direct raw feed input from syslog devices or file-based log sources. This functionality is crucial for managing diverse sets of security data efficiently.

6. **Vendor Independence**: The ArcSight platform is designed to be vendor-neutral in terms of hardware and software, ensuring that existing reports, alerts, and searches continue to function seamlessly even if there are changes in the underlying technology or equipment (e.g., replacing a Cisco PIX device with a Check Point Firewall).

7. **Customer Benefits**: The deployment flexibility allows customers to start small with basic log management features and expand their use of ArcSight as needed, adding more data sources, enhancing correlation capabilities, and implementing auto-response mechanisms according to the organization's requirements and risk tolerance.
The document also provides a detailed technical explanation of how connectors are deployed and processed within the system, emphasizing the advantages of distributed architecture for efficient log management across networks. Additionally, it highlights the extensive range of out-of-the-box connectors supported by ArcSight, which cover various categories such as external security, compliance with SAP systems, and insider threat detection technologies. Overall, this document serves to promote the flexibility, scalability, and comprehensive functionality of the ArcSight platform for organizations looking to enhance their security event management capabilities.

ArcSight ESM (Enterprise Security Manager) is designed with extensive support for various inputs in the industry. It features a distributed architecture where connectors can be deployed closer to end devices to minimize bandwidth usage. These connectors are highly intelligent, capable of filtering irrelevant data through optional event filtering and aggregating similar events efficiently. Key benefits include guaranteed secure delivery of events via SSL over port 8443, compression for optimized bandwidth consumption, and failover mechanisms that ensure continuous monitoring even if the primary ArcSight Manager is unavailable. The connector architecture supports a common event format across diverse inputs to simplify data processing for security analysts.

ArcSight Logger simplifies log analysis by making it device-independent and future-proof across vendor swaps. It supports multiple deployment options and scales from smaller organizations to large enterprises, offering capabilities like capturing up to 100,000 events per second and storing up to 42TB of logs with minimal hardware requirements. The system can analyze both onboard and offboard data seamlessly, providing granular role-based access controls for specific log viewing permissions.

Retention policies are automated based on compliance standards (e.g., PCI and SOX), ensuring that only relevant data is stored without manual intervention. Additionally, ArcSight offers advanced correlation capabilities to detect patterns in network activities and provide context for immediate action. The system includes a powerful reporting engine with hundreds of pre-built reports, which can be customized or used as-is based on user requirements.

The presentation discusses ArcSight Express (ESM), software designed for advanced forensic analysis of incidents in real time. It allows users to receive notifications of events occurring within their environment and offers various formats such as PDF, HTML, RTF, XLS, and CSV for report delivery. Upon receiving a notification, users can analyze and investigate the incident using easy-to-use forensics capabilities on a dynamic and interactive dashboard. This dashboard supports drill-down features to view detailed event data and provides customized views based on organizational needs. The software also boasts strong visualization tools that help users understand the significance of the data easily.

The presentation further elaborates on ArcSight ESM's case management and workflow capabilities, emphasizing how it manages incidents like former employee access attempts through a built-in system that informs relevant personnel about the incident and tracks their responses. It also features powerful alert and escalation mechanisms to ensure timely actions are taken on critical alerts. Furthermore, the presentation highlights ArcSight ESM's unique strengths in activity profiling and machine learning capabilities, which can discover patterns not immediately apparent to human observation, allowing for better security through more effective rules and early detection of risky behaviors.

The software supports monitoring user activities based on identity, role, employee type, and department, providing a comprehensive view of user behavior across applications. Additionally, the presentation covers ArcSight Connectors, which facilitate intelligent log collection from over 275 commercial sources including networks, security devices, databases, operating systems, and commercial applications, with the ability to easily incorporate new data sources as needed.

ArcSight Logger is a tool designed to simplify log analysis by accepting logs from various sources, including homegrown or legacy systems, and direct raw feeds from syslog devices or file-based log sources. It features connectors that not only collect logs but also translate them into a common event format, simplifying the process of analyzing hundreds of different log formats. This capability future-proofs log analysis content against vendor swap-outs, ensuring seamless operation even when switching to different types of security devices, such as replacing a Cisco PIX with a Check Point Firewall. Connectors can be deployed centrally and are part of the HP Networking portfolio, making it easier for users to manage and analyze logs effectively.
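To make the connector behaviour described above concrete (normalizing device-specific logs into a common event format, then aggregating similar events before they reach the Manager), here is an added Python example; it is not code from the presentation or from ArcSight. It assumes the "common event format" is ArcSight's CEF syslog syntax (seven pipe-delimited header fields plus key=value extensions, with `cnt` as the base-event-count key), the sample lines are constructed, and the choice of device, signature, src, dst and dpt as the "similar event" key is my assumption.

```python
import re

# Constructed CEF syslog lines standing in for what a connector emits after
# normalizing a Cisco PIX denial and a Check Point drop into the common event format.
SAMPLE_LINES = [
    "CEF:0|Cisco|PIX|7.0|106023|Deny tcp outside|5|src=10.0.0.5 dst=192.0.2.10 dpt=445 proto=TCP",
    "CEF:0|Cisco|PIX|7.0|106023|Deny tcp outside|5|src=10.0.0.5 dst=192.0.2.10 dpt=445 proto=TCP",
    "CEF:0|Cisco|PIX|7.0|106023|Deny tcp outside|5|src=10.0.0.5 dst=192.0.2.10 dpt=445 proto=TCP",
    "CEF:0|Check Point|FireWall-1|R77|drop|Drop \\| Reject|6|src=10.0.0.9 dst=192.0.2.10 dpt=22 msg=rule 3 hit\\=1",
]

# Header fields end at an unescaped pipe; extension values run until the next " key=".
_HDR_RE = re.compile(r"((?:\\.|[^|\\])*)\|")
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")

def _unescape(text):
    # CEF escapes \| and \\ in the header, \= and \\ in extensions, \n and \r in values.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)

def _split_header(line, count=7):
    fields = []
    for m in _HDR_RE.finditer(line):
        fields.append(_unescape(m.group(1)))
        if len(fields) == count:
            return fields, line[m.end():]
    raise ValueError("malformed CEF header: %r" % line)

def parse_cef(line):
    # Returns the seven header fields plus an 'ext' dict of key=value extensions.
    head, ext = _split_header(line)
    if not head[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    keys = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
    event = dict(zip(keys, head))
    event["version"] = event["version"][4:]
    event["severity"] = int(event["severity"])
    event["ext"] = {k: _unescape(v) for k, v in _EXT_RE.findall(ext)}
    return event

def aggregate(events, keys=("src", "dst", "dpt")):
    # Connector-side aggregation (assumed key): same device, signature and src/dst/dpt
    # collapse into one event whose 'cnt' extension carries the base event count.
    buckets = {}
    for ev in events:
        ident = (ev["vendor"], ev["product"], ev["signature_id"]) + tuple(ev["ext"].get(k) for k in keys)
        if ident in buckets:
            buckets[ident]["ext"]["cnt"] += 1
        else:
            buckets[ident] = dict(ev, ext=dict(ev["ext"], cnt=1))
    return list(buckets.values())
```

Running `aggregate(parse_cef(l) for l in SAMPLE_LINES)` turns the four lines into two events, the three identical PIX denials carrying `cnt=3`, which is the bandwidth saving the distributed connector architecture relies on.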

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
