
Intermountain Healthcare ArcSight Solution Proposal (May 2011)

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

This text outlines the details of a software licensing agreement between Intermountain Health Services, Inc., its subsidiaries, and ArcSight (a third-party software company). The agreement specifies various terms including the provision of a working demo, non-infringement guarantees, obligations for ArcSight to indemnify Intermountain against claims of infringement, and certain restrictions on use. Additionally, it addresses intellectual property rights, unauthorized code, system performance expectations, and costs associated with licensing the software.

Key points from the agreement include:

1. **Provision of a Working Demo**: ArcSight agrees to provide a working demo within a specified period as outlined in the contract. This demonstrates ArcSight's commitment to allowing practical evaluation before full implementation.
2. **Non-Infringement Guarantees**: The software and its use will not infringe on any third-party intellectual property rights. In case of infringement claims, ArcSight agrees to indemnify Intermountain against such suits or actions.
3. **Indemnification and Defense**: If the Software becomes subject to an infringement suit, ArcSight can either replace it, modify it to be non-infringing, procure rights for continued use, or accept return of the infringing software at its discretion and expense.
4. **Exclusion of Certain Scenarios**: The indemnity does not cover scenarios where the product is used in a superseded release, combined with non-ArcSight software, outside specified terms, modified by parties other than ArcSight, or if it does not comply with Licensee’s specifications or plans.
5. **No Unauthorized Code**: Neither the product nor its documentation should include any unauthorized code as defined, which includes malicious components that could unlawfully access, control, harm, or disrupt computer systems.
6. **Scope of License**: The license granted extends to Intermountain Health Services, Inc., and all other members of the "Intermountain Organization," with obligations being extended to these affiliated entities.
7. **Remote Access for Independent Clinics**: ArcSight agrees to include language in their agreement allowing remote access via PCs or terminals for Independent Clinics who have signed a confidentiality agreement. This is subject to certain limitations, including that it does not apply to hospitals with more than 50 beds.
8. **Costs Associated with Licensing**: The document specifies the costs associated with licensing the software over several years, categorized into one-time and ongoing expenses, which includes hardware expenditures, software license fees, implementation costs, support and maintenance fees, and travel & lodging expenses estimated initially at 20% of the implementation services cost.

This comprehensive agreement ensures clarity on both parties' obligations and expectations regarding the use of the licensed software within Intermountain Health Services, Inc., its subsidiaries, and affiliated entities as well as Independent Clinics under specific conditions.

Details:

The document outlines a proposal for ArcSight's solution to enhance enterprise security log management and correlation at Intermountain Healthcare. It begins by explaining that cybersecurity is now more complex due to factors like cloud computing, mobile devices, and borderless networks. Threats are harder to identify because they can come from anywhere on the network. To address this, organizations need visibility beyond traditional security devices, extending to the application layer. ArcSight, as a global leader in security solutions for firms and government agencies, is proposed to provide comprehensive detection and mitigation of risks related to cybersecurity and compliance requirements. The document includes technical details, benefits, and cost information, all geared toward improving Intermountain Healthcare's security practices.

According to IDC research, ArcSight holds a dominant position in the SIEM market share. ArcSight serves over 2,000 organizations across nearly every industry globally, including more than 40 government agencies and governments from over 40 countries. Its solutions are deployed in highly complex environments where security is critical, such as within the entire U.S. intelligence community (including DHS and DISA), major financial institutions like the Internal Revenue Service (IRS) and SEC, and retail giants such as Wal-Mart and Bank of America. ArcSight's platform provides a scalable, flexible, and powerful toolset for enterprises to manage their security and log data, helping them achieve compliance goals despite the challenges posed by large numbers of heterogeneous devices and applications in distributed infrastructures that generate vast amounts of event data.
The company has developed an Enterprise Security Manager as a comprehensive, flexible, and extensible platform to address these issues, enabling real-time monitoring of external attacks, insider threats, and compliance breaches, while also supporting the development of custom use cases through its open architecture for interoperability with various logging technologies. ArcSight has expanded its capabilities to include user activity monitoring, fraud detection, complex application monitoring (such as ERP systems), and other use cases. It offers comprehensive support throughout the lifecycle of a SIEM deployment, from initial setup with professional services to ongoing customer success and security operations center consulting.

ArcSight's technology provides features like enterprise-class architecture, interoperability, performance scalability, and log management capabilities, which are designed to serve organizations with diverse event sources and infrastructures. Its platform supports the collection of billions of events per day from various devices and applications in real-time, while maintaining high performance and scalability. This text describes a high-speed search engine capable of handling millions of events and correlating them into intelligence for identifying threats or compliance violations. The correlation engine simplifies large volumes of daily events to reveal specific threats or issues. Additionally, it offers reporting and visualization tools through an intuitive graphical interface to display risk across organizations.

Recently, ArcSight announced its merger with HP, making it part of the largest technology company globally. This partnership allows them to offer enhanced enterprise threat and risk management solutions that provide broader visibility and deeper context for a more secure modern enterprise.

ArcSight is a company that provides security solutions for large enterprises with complex networks.
They have three main parts to their system: Integration Layer, Core Engine Layer, and Module Layer. These layers help the system collect data from various sources like computers or devices across the whole company. The data they collect can then be compared and analyzed in a standard format to find potential problems faster. ArcSight aims to protect businesses by offering them solutions that are scalable and efficient for managing large networks while ensuring compliance and reducing risk. They value their customers, like Intermountain Health, and want to build long-lasting relationships with them.

ArcSight's approach is based on normalizing device logs into a common format to ensure flexibility in technology choices and future product integrations. This normalization allows users to swap out one product for another without disrupting analysis. The company offers custom solutions called FlexConnectors, which are essentially tailored SmartConnectors designed for specific devices or applications not covered by standard offerings. These connectors come in various forms such as rack-mountable appliances or software installable on personal machines like Connector Concentrators.

The ArcSight solution's mid-tier consists of key technologies including the log management engine (ArcSight Logger), correlation engine (ArcSight Enterprise Security Manager or Express), and response engine (ArcSight Threat Response Manager). These components collectively enable comprehensive security event collection, storage, analysis, and automated threat responses across various devices and applications.

ArcSight ESM/Express is a powerful tool that enhances the broader ArcSight platform by providing real-time situational awareness through its correlation engine, which processes millions of event entries in real time.
It focuses on critical events requiring review by security administrators, utilizing built-in concepts of network asset and user models to understand who is accessing data and what actions are being taken. Real-time alerts highlight the most significant security events with necessary context for further analysis and mitigation. ArcSight TRM, part of the ArcSight solution, uses the Threat Response Manager (TRM) to pinpoint exact locations of threats within a network and respond with automated or manual policy-based quarantine actions. Together, ArcSight ESM/Express and ArcSight TRM monitor, detect, and stop threats in real time.

The top layer of the ArcSight solution is comprised of administrative interfaces that provide a single pane of glass for Security Operations to create content while allowing auditors or executives to view reports based on role-based permissions. Additionally, this module layer includes Solution Modules that can be installed over the Core Engine layer to offer business or compliance specific monitoring, alerting, and reporting capabilities. One such module is Perimeter Security, referred to as Foundation Content along with Logger and Express. Additional modules can be purchased for more detailed monitoring and management.

ArcSight is designed with scalability at its core, catering to large enterprise and government environments through its tiered architectural model. The architecture supports scalability across multiple layers, including integration, engine, and database layers. In the integration layer, thousands of ArcSight SmartConnectors can manage vast amounts of data from various devices like routers, switches, firewalls, UNIX servers, and more, adapting to different log types. These connectors can report to one or many ArcSight Express Managers, with failover capabilities, ensuring high availability even under heavy loads.
The architecture also includes a SmartConnector Concentrator appliance that collects and aggregates feeds from multiple connectors, managing them centrally for scalability and management efficiency.

In the core engine layer, ArcSight Logger Appliances support multi-tiered storage that scales both horizontally (adding more appliances) and vertically (increasing capacity within each appliance). This hierarchical setup allows lower-tier Loggers to send relevant security data to higher tiers for advanced monitoring and alerting. Logical segregation of logger data ensures secure accessibility while maintaining data privacy in complex, multi-domain environments. As the number of loggers increases, the system can handle more data and continue to provide robust performance.

The document outlines a comprehensive solution for Intermountain Healthcare using the ArcSight platform, designed to manage and correlate vast amounts of data from numerous devices (318) and generate over 240 million events per day. This system is aimed at providing rapid search capabilities across all Loggers, with results displayed on one console. The architecture includes a hierarchical deployment of Express managers for growth, segregation of duties, and performance improvement. Key features include:

  • **Scalability**: Supports many concurrent connections from various components like connectors, consoles, and web consoles.

  • **Geographical Support**: Designed for quick response across VPNs and international links, ideal for scenarios like Follow-the-Sun deployments or Disaster Recovery.

  • **Integration with Third-Party Systems**: Scalable to integrate with third-party ticketing systems, Network Management systems, and security tools.

  • **Performance Metrics**: Ensures separation of duties and auditing capabilities that can scale according to business unit needs.

**Assumptions** for this solution include:

  • 318 devices

  • 240 million events per day (EPD)

  • A 90-day online retention requirement

  • Relevant security information is filtered and forwarded for correlation.

The document does not provide detailed technical specifications or diagrams of the proposed ArcSight Console or ArcSight Web Console, nor does it specify how these components would interact with each other within the Intermountain Healthcare environment.

The connector appliance is used to gather data from various sources like network devices, servers, databases, and applications. It also helps manage connectors installed on dedicated servers across Intermountain Healthcare's infrastructure. ArcSight recommends using C5200 at each data center for a total of 2 units. Updates in configurations or software are centrally managed with the C5200s Connector Appliance. Additional devices can be accommodated by procuring more connector appliances or providing their own servers for software-based connectors to run on. For custom applications that aren't supported by ArcSight, FlexConnector Toolkit is recommended. Intermountain Healthcare should buy this toolkit and work with professional services to develop necessary integrations for collecting log events from these sources.

Intermountain Healthcare can benefit from several collection options:

1. Connector Caching: All SmartConnectors maintain a heartbeat with the destination; if it fails, they start caching data received. They use two caches - front end for temporary storage of raw events and back-end for processed (normalized, filtered, and categorized) events before transmission to the Logger or Express.

The article discusses three methods for handling communication or hardware failures with ArcSight Connectors and Logger systems: caching, fail-over, and redundancy. In the event of a communications failure or unavailability due to upgrades, backups, or other reasons, SmartConnectors cache events on C5200 appliances until connectivity is restored. Events are then sent in batches to the Logger without saturating the WAN connection.
The fail-over option allows connectors to be configured with multiple destinations for continuity in event flow even if the primary destination becomes unavailable during upgrades or network issues. If the heart-beat fails between the connector and the primary, it automatically switches to a secondary destination. The system will return to the primary once connectivity is restored, and events can also be sent to both the primary and secondary destinations.

Connector redundancy involves configuring multiple destinations for connectors so that all events are simultaneously sent to two locations. This creates a redundant log store with potential event duplication in case of failure. If WAN links between the Primary and DR sites become unavailable, ArcSight Connectors will cache events on C5200 appliances until connectivity is restored, then send cached events to Logger conservatively while also transmitting latest events.

Provisioning for log management involves using two L7200 series Loggers in each data center, one per location, to ensure robust logging capabilities and fail-safe operations even in the face of infrastructure challenges. This text talks about Fountain Healthcare's use of ArcSight Logger appliances to manage and store large amounts of log data from up to 500 devices at a rate of 5,000 events per second. The system can retain data for up to 90 days online with compressed storage of 42 TB (or 4.2 TB when compressed) and is designed to handle expected event rates of 240 million EPD over this period. The ArcSight Logger automates log archival by implementing multiple retention policies, which can be tailored for different types of logs according to regulatory or security requirements, without manual intervention. It allows the postponement of deleting expired data in case of forensic investigations or compliance issues. The system is scalable and can be clustered to handle increased event rates beyond initial expectations.
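The connector caching, fail-over and throttled catch-up behaviour described above can be modelled in a few lines. This is an added example, not ArcSight code or part of the proposal; the `Destination` and `Connector` classes, the cache size, the drop-oldest overflow policy and the drain batch size are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Destination:
    """Stand-in for a Logger or Express manager (hypothetical model)."""
    name: str
    up: bool = True
    received: list = field(default_factory=list)

    def heartbeat(self) -> bool:
        return self.up


class Connector:
    """Toy connector: live forwarding, fail-over, bounded cache, throttled drain."""

    def __init__(self, primary, secondary=None, cache_limit=1000, drain_batch=2):
        self.primary = primary
        self.secondary = secondary
        self.cache = deque()
        self.cache_limit = cache_limit   # assumed finite cache size
        self.drain_batch = drain_batch   # cached events released per interval
        self.dropped = 0                 # events lost to cache overflow

    def _active(self):
        # Prefer the primary, fall back to the secondary, fail back automatically.
        for dest in (self.primary, self.secondary):
            if dest is not None and dest.heartbeat():
                return dest
        return None

    def tick(self, new_events):
        """Process one collection interval; return the destination name used."""
        dest = self._active()
        if dest is None:
            for ev in new_events:
                if len(self.cache) >= self.cache_limit:
                    self.cache.popleft()   # assumption: oldest event is discarded
                    self.dropped += 1
                self.cache.append(ev)
            return None
        # Latest events go out immediately ...
        dest.received.extend(new_events)
        # ... while the backlog is released in small batches to spare the WAN.
        for _ in range(min(self.drain_batch, len(self.cache))):
            dest.received.append(self.cache.popleft())
        return dest.name


def run_scenario():
    """Constructed outage; each event is represented by its device timestamp."""
    primary, secondary = Destination("primary"), Destination("secondary")
    conn = Connector(primary, secondary, drain_batch=2)
    # (primary up?, secondary up?, events collected in this interval)
    timeline = [
        (True, True, [1, 2]),
        (False, True, [3, 4]),       # primary lost: fail over
        (False, False, [5, 6, 7]),   # both lost: cache
        (False, False, [8]),
        (True, True, [9]),           # restored: fail back, drain backlog
        (True, True, [10]),
    ]
    routes = []
    for p_up, s_up, events in timeline:
        primary.up, secondary.up = p_up, s_up
        routes.append(conn.tick(events))
    return routes, primary.received, secondary.received, conn.dropped


if __name__ == "__main__":
    routes, prim, sec, dropped = run_scenario()
    print("route per interval:", routes)
    print("primary receipt order:", prim)
    print("secondary receipt order:", sec)
    print("merged by event time:", sorted(prim + sec), "dropped:", dropped)
```

After the outage the primary receives event 9 before events 5 and 6, so correlation and forensic timelines should key on the device timestamp rather than receipt time. Cache overflow is silent log loss in this model and is worth alerting on.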
Fountain Healthcare uses ArcSight M7200-XL Express Appliance for its core engine layer, which is a 2U rack-mountable appliance with bundled licenses, featuring Oracle Enterprise Linux (64-bit), 24 GB of memory, and two quad-core Intel Xeon processors. The appliance includes 6x600GB SAS in RAID 10 storage configuration for the module layer. ArcSight Console is used to manage these appliances effectively.

ArcSight Express is a software system designed for Intermountain Healthcare to manage security operations. It includes an administrative console called ArcSight Console, which serves as the main interface for administering and authorizing various components such as cases, notifications, rules, dashboards, and reports. This tool is intended for use by security staff or similar roles within a SOC environment. ArcSight Express also provides Web Viewers that allow analysts, auditors, and executives to access the system remotely via web browsers. These Web Viewers provide functionalities like viewing events, accessing dashboards, reviewing reports, and collaborating with integrated ticketing systems. This browser-based interface shares similar capabilities as the main console but lacks authoring features.

To meet HIPAA compliance requirements, ArcSight suggests purchasing the HIPAA Compliance Insight Package, which helps in demonstrating compliance through a cohesive framework like NIST or ISO standards that promote flexibility and adherence to specific regulatory guidelines for business operations. The ArcSight Compliance Insight Package (CIP) for HIPAA is designed as a content solution for managing security and regulatory compliance programs based on ISO and NIST standards. It allows users to monitor, prioritize, respond to, and report on security incidents and network activities in a way that addresses regulatory requirements using the ISO and NIST frameworks as guidelines.
The CIP is a layered solution that combines the granularity of the security-focused NIST standard with the more encompassing business policy focus of ISO. It offers flexibility for users to choose between content based solely on ISO standards, solely on NIST standards, or a combination of both, depending on their regulatory compliance framework structure.

Benefits of this solution include:

1. Real-time monitoring and early warning breach detection across all users, applications, and IT infrastructure for efficient compliance validation.
2. The ability to collect, normalize, and categorize events from over 300 event sources using the FlexConnector framework for any unsupported devices.
3. Collection of 100% raw log data with audit quality measures, fully normalized and categorized for high-performance real-time analysis.
4. High-performance centralized and distributed log collection across geographically distributed assets, including shaping, throttling, and event caching capabilities.
5. Real-time situational awareness and alerting of all critical assets through scalability in ArcSight solution tiers, with fail-over mechanisms, high-availability, and backward compatibility between components.
6. Multidimensional correlation in real-time, without the need to write events to a database first, providing efficient performance and data handling capabilities.

The document outlines a comprehensive solution provided by Intermountain Healthcare to enhance their infrastructure security through advanced intelligent threat prioritization technology. This system includes:

1. **Integration Layer**: Consists of C5200 connector appliances installed in each data center location, which collect event data and are managed centrally.
2. **Core Engine Layer**: Features L7200 loggers at each data center and one M7200XL Express Correlation Engine for long-term storage of events online for up to 90 days. An extended retention beyond 90 days can be archived to a NAS provided by Intermountain Healthcare.
3. **Module Layer**: ArcSight Administration Consoles are installed on a dedicated system, accessible via the ArcSight Web Console through supported web browsers. The console runs on various operating systems including MS Windows XP Pro, MS Windows Vista, MS Windows Server 2003, MacOS X, Red Hat Enterprise Linux WS and AS, and Sun Solaris (SPARC). Supported web browsers include IE 6.0 or greater on Windows, Mozilla 1.7 or greater across all mentioned platforms, Safari 1.2 or greater on Mac OS X, Netscape 8 or greater across multiple platforms, and Firefox 1.5 or greater on Windows, Linux, Solaris, and Mac.

This solution aims to provide Intermountain Healthcare with a fully integrated system for threat identification and investigation, ensuring minimal false-positives through intelligent prioritization based on asset awareness, susceptibility, and criticality metrics, supported by completely integrated workflows including notifications, annotations, case management, and integration with third-party ticketing systems like Service Desk.

ArcSight is a comprehensive security information and event management (SIEM) solution designed to monitor, detect, analyze, and respond to threats in real time. The system consists of three main components: the Connector Appliance hardware, which includes two ArcSight C5200 units, two ArcSight L7200s Logger Appliances, and one ArcSight M7200-XL Express Appliance; and related licensing and support.

**Core Components:**

1. **ArcSight C5200 Connector Appliance**: This hardware is responsible for event collection from various sources like networks, servers, applications, and databases. It supports high-performance data collection and integration with other ArcSight appliances.
2. **ArcSight L7200s Logger Appliance**: These devices are used for log management tasks, collecting and compressing logs from a wide range of systems to provide historical context for security analysis.
3. **ArcSight M7200-XL Express Appliance**: This is a more streamlined version of the main appliance, designed to focus on critical events requiring immediate attention by security administrators.

**Optional Components:**

1. **Compliance Insight Pack for HIPAA**: Adds functionality to monitor and report against HIPAA compliance requirements, helping organizations manage sensitive patient data according to regulatory standards.
2. **ArcSight Consoles and Web Viewers**: Provide a graphical interface for managing the SIEM system and viewing security events in real-time or as archived records.
3. **FlexConnector SDK**: Allows developers to extend the functionality of ArcSight by creating custom connectors for monitoring additional devices or systems not natively supported by the appliance.

**Functionality:**

ArcSight technology aims to provide a continuous state of situational awareness by processing millions of events in real time and focusing on critical issues requiring immediate review. It includes built-in network asset and user models, enabling it to understand network users and their activities without direct human intervention. Real-time alerts are triggered for the most pressing security events, providing necessary context for analysis and response.

**Conclusion:**

ArcSight is a robust SIEM solution that not only addresses classic use cases of external attacks, insider threats, and compliance breaches but also supports custom use case development through its flexible architecture and SDK. It provides comprehensive monitoring, visualization, reporting, and remediation capabilities to maintain a secure environment.
The provided text discusses the capabilities and architecture of the ArcSight Logger platform, which is designed to manage logs effectively through its powerful reporting and alerting engine. It serves as a standalone appliance for log management and complements other products in the broader ArcSight suite.

ArcSight connectors play a crucial role by collecting events from various devices in their native format, then normalizing them into a standard format that allows comparison and analysis across different types of logs. This normalization is done to ensure consistency in data handling within the logging system. The collected data is securely sent to ArcSight's logging and correlation products for further processing.

The architecture includes specific hardware components: two ArcSight C5200 Connector Appliances, two ArcSight L7200 Logger Appliances, and one ArcSight M7200-XL Express Appliance. These are accompanied by necessary software licenses such as the Compliance Insight Pack for HIPAA, ArcSight Consoles, and Unlimited ArcSight Web Viewers, along with the FlexConnector SDK which supports expanded capabilities through a Software Development Kit.

To visually represent this architecture, you would need to create a diagram that shows these components (core hardware and appliances) functioning together within the system's framework. This includes highlighting how each component contributes uniquely to log management and analysis tasks. The optionality mentioned in the text suggests that there might be additional software components or configurations available for ArcSight Logger, which could enhance its functionality further depending on specific organizational needs or compliance requirements (as indicated by the Compliance Insight Pack for HIPAA). The exact nature of these optional components would need to be determined based on particular use cases and contractual agreements.
ArcSight is a comprehensive security analytics platform designed for enterprises with diverse IT environments, offering advanced features like log management, interoperability, performance scalability, intelligent correlation, and robust reporting capabilities. Key benefits include enhanced protection against cyber threats and compliance violations through real-time event analysis and visualization. The system's scalable architecture allows for the addition of hardware components as needed to meet expanding requirements, reducing costs associated with infrastructure expansion. Moreover, ArcSight supports seamless integration with a wide range of technologies and devices via its extensive software connectors and vendor partnerships, ensuring efficient operations and cost savings through reduced deployment times and enhanced interoperability. The platform's performance capabilities enable it to handle massive volumes of data from various sources, turning raw log information into actionable insights that can be quickly analyzed for security threats or compliance issues. Overall, Intermountain Healthcare could expect significant benefits in terms of improved security posture, operational efficiency, and cost savings through the implementation and utilization of ArcSight's solutions.

ArcSight is a comprehensive security information and event management (SIEM) solution designed for enterprises to monitor, detect, analyze, and respond to threats across their network devices effectively. The product offers several key advantages over competitive products, including support for over 300 devices from various vendors, flexibility in data collection with custom integrations and software-based deployments, and the ability to centralize management of vast amounts of log data collected from diverse sources such as proprietary or legacy systems.

### Advantages Over Competitors:

1. **Broad Device Support**: ArcSight supports a wide range of devices from more than 100 vendors across 50 categories, providing comprehensive coverage for potential security threats and issues that may arise from these devices.
2. **Custom Integration Capabilities**: For unique or proprietary event sources, ArcSight offers FlexConnector functionality to create custom connectors, ensuring seamless integration with any type of log data collection method like File Reader, SNMP, Syslog, or Database connectivity.
3. **Software-Based Collection Flexibility**: In environments where physical space for additional hardware is limited but computing resources are available, ArcSight's software-based connectors can be deployed without the need for agents, allowing centralized management of large volumes of data from various sources in a flexible manner.
4. **Centralized Windows Event Collection**: The solution efficiently collects and manages Windows event logs through its Windows Unified Connector (WUC), which supports standard system, security, and application logs, as well as custom log parsing and automated Active Directory scanning for monitoring newly added or decommissioned systems.
5. **Normalization and Categorization**: ArcSight provides tools to normalize data from different sources, making it easier to categorize and prioritize alerts across the organization's risk landscape.

These features collectively enable organizations to streamline their security operations, enhance threat detection capabilities, and maintain a proactive stance against potential cyber threats by leveraging centralized management of diverse log data and real-time insights into organizational risks.

ArcSight is a system designed to handle and analyze large amounts of data from various sources by breaking it down into specific categories such as device type, technique, behavior, outcome, object, and significance.
This categorization helps in speeding up the correlation process and provides a common language for analysts regardless of their specialized vendor knowledge.

ArcSight also offers distributed or centralized event collection through its software connectors. These connectors can be installed on central systems or appliances to collect log data from all remote devices, minimizing bandwidth usage by compressing and batching logs across slow WAN circuits. Alternatively, local installations at remote sites gather events for processing before being sent centrally. The system distributes the processing load among multiple connectors for normalization, categorization, time-correction, throttling, and data compression. This offloads processing from primary servers, freeing up resources for other functions such as alerting, reporting, or correlation.

For bandwidth management in geographically distributed networks during an attack scenario, ArcSight allows controlling the event flow with features like compression, batching, time delay, committed bit-rate, aggregation, and filtering to prevent saturation of critical WAN links throughout the organization. Lastly, ArcSight connector technology can be installed using several methods, including agent-based, agent-less, or pre-configured options, providing flexibility in deployment based on specific needs.

ArcSight is a powerful system that helps keep important information safe and secure on special hardware called ArcSight SmartConnectors. It makes sure that this information, like messages or events, stays private, doesn't get lost, and can be found quickly when needed. This whole process has digital signatures and timestamps to prove everything is correct and in order. ArcSight Express helps make sure the important stuff from these events gets kept safe all the way through their journey until they are stored safely.
If something goes wrong during this process, like if a manager can't be reached, ArcSight SmartConnectors will save the data somewhere else to keep everything running smoothly. They also check to see if devices are still sending messages and let people know right away if there's a problem. For customers with many different organizations under their control, ArcSight connectors can add extra information like location or IP addresses to help them better understand what is happening in each part of the company. This helps when it's crucial to catch potential threats before they become big problems.

ArcSight Logger allows people to quickly search through large amounts of data stored in both raw and organized ways, which can be important for finding specific details quickly. With its special technology, ArcSight Logger can handle millions of events per second, making it easy to find what you're looking for even with a lot of information. Finally, the Unified Search Interface helps users combine all their existing search options in one place, which makes using the system more convenient and efficient.

This text discusses several features and capabilities of ArcSight Logger, a security information and event management (SIEM) tool. It includes:

1. Unified Search Interface: The system allows users to perform searches using unstructured "full text" search or more specific Field Based or Regex search within the same window. This flexibility supports searching through mixed data types and unifies all Logger Search methodologies, enhancing usability by integrating structured, unstructured/raw, and regex search methods.
2. Centralized Log Storage: ArcSight Logger can store vast amounts of log data locally with a 10:1 compression ratio, enabling the storage of more than 42 TB without additional external storage. This feature ensures efficient data management within the system.
3. Linear Scalability: The tool supports scaling up to 100,000 events per second on one appliance, allowing for both vertical and horizontal scalability as the enterprise grows. This scalability is crucial for handling increased volumes of log data efficiently.
4. Multiple Retention Policies: Customers can create up to five storage groups within each ArcSight Logger, which can be tailored to handle different types of event data. Each group has its own unique Retention and Disposal Policy, allowing for customized retention schedules based on the sensitivity and criticality of the data.
5. Threat Evaluation: ArcSight uses a threat formula that collects real-time information about IDM user roles, critical assets, vulnerability data, zone information, attack susceptibility, and watchlists to reduce false positives and monitor critical infrastructure. This system helps in assessing threats more accurately by considering factors such as database type vulnerability and user privileges.

Overall, these features enable ArcSight Logger to provide a comprehensive solution for managing and monitoring security events across an enterprise's IT infrastructure.

ArcSight's ESM (Enterprise Security Manager) is designed to enhance cybersecurity by using a multi-dimensional correlation engine that integrates real-time event log data, asset awareness, vulnerability assessments, and identity information. This system aids in detecting threats promptly, reducing false alerts, and preventing insider threats while centralizing monitoring of over 300 sources across 100 categories. ArcSight's powerful correlation engine processes millions of log events in real-time, focusing on critical incidents that require review by security administrators. With built-in network asset and user models, it can identify who is using the network, what data they are accessing, and their actions. This understanding helps to maintain a state of continuous situational awareness.
The ESM employs Data Monitors to analyze statistics from received events, monitoring for increases in specific activities like attacks or unauthorized access. It uses percentage thresholds to detect spikes in baseline activity and assesses anomalous behavior such as DHCP lease irregularities.

ArcSight Express offers a complete process framework for integrating security monitoring and investigations, providing customers with tools to manage alerts effectively through workflows that guide the investigation and response processes. ArcSight is a system designed to help forensic and incident response teams manage their workflows efficiently. It focuses on informing users about incidents through notifications and escalations, ensuring timely responses from the relevant parties. Key features include dynamic visualizations of attack origins and destinations using event graphs, which are linked directly to existing cases for easier handling. ArcSight Express also provides detailed tracking of both attackers and targets in real-time, with options to escalate suspicious activity to a malicious list if necessary. The system allows for the generation of reports and alerts based on collected data, providing comprehensive information for both current and past incidents.

Finally, the ArcSight Console is a Java-based application that offers rich visualizations through multiple dashboards, real-time data monitors, and active channels, all running in their own virtual machine.

ArcSight Express is a user-friendly platform that facilitates real-time monitoring and investigation of network events through customizable dashboards. It offers unlimited dashboard creation for users to drill down into specific details during investigations. The system provides detailed event graphs showing the attack path across the network, complete with dynamically updated topology maps indicating both attackers and targets. Content can be added directly to cases with a single click.
For reporting, ArcSight ESM features a drag-and-drop Boolean interface that is future-proof due to its use of normalization and categorization. It generates comprehensive technical, operational, and trend reports that communicate security status and regulatory requirements effectively. The framework allows for easy business-level reporting with customizable templates tailored to compliance status, business risk, and user profiling.

Compliance Automation is supported through ArcSight's Compliance Insight Packages (CIPs), which integrate seamlessly with existing Logger or Express deployments to provide real-time alerts and reports for various regulatory standards like PCI, SOX, NIST 800-53, and ISO 27002. These CIPs enhance the platform's capabilities in multidimensional correlation, false positive reduction, workflow management, and advanced threat response.

Lastly, ArcSight provides a Threat Detector feature that helps identify potential threats within networks by leveraging integrated multidimensional correlation, reducing false positives, and employing advanced techniques for handling threats effectively. The Threat Detector module in ArcSight Express allows customers to analyze weeks, months, or years worth of data to identify relationships between events that might be missed by real-time correlation. For example, an evasive technique used in attacks involves guessing a password slowly and stealthily, avoiding detection by only attempting login twice with a gap of five minutes each time. This routine can result in 576 unsuccessful login attempts daily but, although it is a brute-force method, is often not detected. ArcSight Threat Detector can detect such patterns and help customers block future attacks by introducing new rules.

ArcSight Express uses grid table Active Channels to display real-time events, allowing for detailed investigations through event details or drill-down into different channels.
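The slow password-guessing pattern described above (two attempts every five minutes, 576 per day), as an added example rather than ArcSight's own logic: a sliding-window rule of the kind used for real-time correlation misses it, while a batch pass over a day of stored events finds it. The events, addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

START = datetime(2011, 5, 1)  # constructed start of the sample day


def build_sample_events():
    """Constructed failed-login events as (timestamp, source_ip, account)."""
    events = []
    # Slow guesser from the text: two attempts in each five-minute slot, all day.
    for slot in range(288):  # 288 five-minute slots in 24 hours
        t = START + timedelta(minutes=5 * slot)
        events.append((t, "10.0.0.66", "svc_backup"))
        events.append((t + timedelta(seconds=20), "10.0.0.66", "svc_backup"))
    # Noisy burst: ten failures in ten seconds.
    for i in range(10):
        events.append((START + timedelta(hours=9, seconds=i), "10.0.0.12", "jdoe"))
    # Ordinary user who mistypes a password three times during the day.
    for hour in (8, 13, 17):
        events.append((START + timedelta(hours=hour), "10.0.0.40", "asmith"))
    return sorted(events)


def realtime_rule(events, window=timedelta(minutes=1), threshold=5):
    """Sliding-window rule: flag a (source, account) pair that produces
    `threshold` or more failures inside `window`."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, src, acct in events:
        q = recent[(src, acct)]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add((src, acct))
    return flagged


def historical_scan(events, slot=timedelta(minutes=5),
                    min_total=100, min_slot_coverage=0.5):
    """Batch pass over stored events: flag pairs whose failures are both
    numerous and spread over a large share of the time slots in the period."""
    first, last = events[0][0], events[-1][0]
    n_slots = int((last - first) / slot) + 1
    totals = defaultdict(int)
    slots_seen = defaultdict(set)
    for ts, src, acct in events:
        key = (src, acct)
        totals[key] += 1
        slots_seen[key].add(int((ts - first) / slot))
    findings = {}
    for key, total in totals.items():
        coverage = len(slots_seen[key]) / n_slots
        if total >= min_total and coverage >= min_slot_coverage:
            findings[key] = {"failures": total,
                             "slot_coverage": round(coverage, 2)}
    return findings


if __name__ == "__main__":
    sample = build_sample_events()
    print("real-time rule flagged:", realtime_rule(sample))
    print("historical scan flagged:", historical_scan(sample))
```

The slot-coverage test is what separates the slow guesser from a user who simply fails often in one sitting; both thresholds need tuning against a site's own baseline.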
The console includes tools like Nslookup, ping, and traceroute for forensic analysis and can integrate custom tools such as manual vulnerability scanners or export to third-party ticketing systems.

However, the most significant disadvantages of ArcSight's product mentioned in the comments are that it is perceived as too complex and expensive for average users. The Express offering aims to address these perceptions by providing a more user-friendly and cost-effective solution within the ArcSight suite.

The provided text discusses the capabilities and features of the ArcSight platform, a comprehensive security log management and correlation solution. Key points include:

1. **Integrated Log Management and Aggregation**: The ArcSight platform supports integration and aggregation of data from various log sources, including over 300 event sources out-of-the-box. It can collect data from network devices, applications, transactions, users, configuration changes, among others. Through the FlexConnector framework, it is capable of supporting virtually any additional device or application that generates logs.

2. **Real-Time Threat Detection**: The platform allows for real-time analysis of generated data to quickly identify threats and anomalies. It supports pattern detection and historical trending to monitor unusual behavior in people or applications and can automatically respond to shut down threats detected.

3. **Long-Term Data Storage and Reporting**: ArcSight enables the management and storage of all collected data for extended periods, supporting various reporting, audit, and investigation needs.

4. **Compliance and Visibility**: The platform provides a level of visibility into modern enterprise threats and risks that is unmatched by other solutions, aiding in compliance with security regulations and standards.

In summary, the ArcSight platform serves as an effective market growth engine for companies, regardless of size, due to its broad log collection capabilities, real-time threat detection features, long-term data retention, and comprehensive reporting options.

ArcSight is a comprehensive security information and event management (SIEM) platform that offers real-time log monitoring, alert notification, data correlation, and analysis capabilities. Here's an overview of its key features based on the provided comments:

1. **Real-Time Log Event Monitoring and Alert Notification:**

  • ArcSight provides a robust solution for monitoring logs through its Logger component. This tool allows users to search, report, and investigate activities within their environment effectively.

  • As monitored events are identified, ArcSight can generate alerts such as email notifications.

  • The system also features the Express real-time correlation engine, which filters security events of interest into this engine for further analysis and alerting. This ensures that critical events are prioritized and managed efficiently across all tiers of the ArcSight platform.

2. **Data Analysis and Correlation:**

  • ArcSight boasts the most advanced real-time correlation engine in the market, which operates in memory and evaluates incoming events in real time against predefined conditions set within active rule sets.

  • Users have the flexibility to run historical data through this engine for evaluation against newly created or modified rules, making it a valuable tool for both initial setup validation and retrospective analysis.

3. **False Positive Tuning:**

  • To minimize false positive alerts (alerts that are triggered by normal system activities rather than actual security threats), ArcSight employs a threat level prioritization process within its Express correlation engine.

  • Events are assigned a priority rating based on four key factors in the threat model, which helps focus attention on the most significant and relevant threats to critical infrastructure.

These features collectively enable organizations to efficiently monitor their systems for potential security events, analyze correlated data with high accuracy, and tune out false alerts through prioritization mechanisms, thereby enhancing overall security posture and response capabilities.

The article discusses the data management capabilities of ArcSight, a security information and event management (SIEM) solution. ArcSight appliances can store up to 42 TB of event data, with multiple retention policies allowing for different types of log data to be stored according to specific regulatory or compliance requirements. For example, HIPAA relevant assets may have log data retained for seven years, while security relevant firewall data is kept for just 90 days but can be accessed through the management console if needed. ArcSight allows users to expand storage groups to accommodate additional log data, with scalability achieved by adding Logger appliances in a peer or hierarchical relationship.

The solution supports various types of network nodes and applications that generate event data, which is collected via SmartConnectors. These connectors normalize event data into common formats and schemas before filtering and aggregating them to reduce the volume sent to the ArcSight Manager. Typically, SmartConnectors are not deployed on end devices but are hosted either on Connector Appliances or customer-provided servers to gather remote event data.

In summary, ArcSight's SIEM solution offers robust data management capabilities including increasing log file size, recommending collection points, implementing data compression and retention guidelines, and providing scalable storage options through its appliances and connectors.

ArcSight is a comprehensive security information and event management (SIEM) solution that efficiently manages vast volumes of log data from various devices and applications. It employs SmartConnectors to compress log data at an average compression ratio of 10:1, significantly reducing both the network traffic required for transport and the storage space needed. The system supports multiple retention periods tailored to different types of data, depending on factors such as regulatory compliance, asset importance, and operational requirements.

In terms of event management, ArcSight features a sophisticated console that facilitates the presentation and analysis of security events. This includes:

1. **Policy/Rule Creations**: The console allows users to create and manage policies and rules for event monitoring, enabling them to define what constitutes an acceptable or suspicious activity within the system.

2. **System Event Monitoring**: It provides real-time monitoring of system events, allowing quick identification of potential threats or anomalies that may require immediate attention.

3. **Log Correlation**: ArcSight leverages its advanced log correlation capabilities to analyze and link related logs from multiple devices, helping in the detection of complex security breaches and patterns.

For user interaction with event data, ArcSight offers several methods:

  • **Active Channels**: These serve as a table view for events, which can be filtered based on criteria defined by users. Filters can range from simple include/exclude statements to more complex correlations involving multiple devices and asset or identity information.

  • **Dashboards**: Real-time dashboards provide visual representations of events in the enterprise, available either as tables or graphical displays (e.g., charts, graphs). They offer a snapshot view of activity across the organization.

  • **Real-Time Rules**: Users can set up rules to monitor and correlate events in real time, enabling proactive response to significant conditions that require action. These rules can automatically initiate case creation within the ArcSight workflow and attach relevant events for analyst review.

  • **Reports and Queries**: The console supports both detailed reports and high-level summaries of event data, which can be generated on demand or scheduled for regular distribution to authorized users.

Visual aids such as screenshots are included in accompanying documentation to visually demonstrate these features and functionalities effectively.

The ArcSight FlexConnector is a versatile tool that allows users to create custom connectors for various devices and applications, enabling them to collect event data from these systems. This includes file reader, database reader, Syslog, SNMP, and XML readers, providing customizable normalization and data collection capabilities.

ArcSight offers an API for integrating with the Logger platform, allowing customers to access system data if they wish to provide additional integration. The correlation engine provides a web service layer that can be consumed by other applications, enabling the extension of ArcSight's functionality into custom software. This is achieved through a service-oriented architecture (SOA) which supports multiple clients for the web services.

ArcSight ships with over 100 pre-defined rules and more than 300 reports to address approximately 80% of customer needs. The platform's components can be customized as required, offering flexibility in addressing specific security, regulatory, and compliance requirements. Compliance Insight Packages (CIP) are available for quick implementation or automation of compliance projects on top of the ArcSight SIEM Platform, adding specialized rules, reports, alerts, and dashboards that are mapped to specific regulations or industries.

ArcSight's cybersecurity solution is designed to provide detailed reporting and metrics, making it a robust tool for compliance monitoring. The platform offers comprehensive features to ensure that organizations can meet regulatory requirements such as FISMA, HIPAA, ISO/IEC 27002:2005, PCI DSS, and others. ArcSight's solution includes over 300 out-of-the-box reports, which are customizable or can be created from scratch using the Report Wizard or Report Designer.
These reports cover various aspects of security events, cases, notifications, and assets stored in the ArcSight Database. The reports provide data based on queries and trends, utilizing pre-defined templates to determine display formats such as charts and tables.

For forensic investigations and legal requests, ArcSight separates raw and normalized logs effectively. It captures both types of logs, raw and normalized, ensuring that all necessary information is available for detailed analysis. This capability supports the collection of evidence required for these types of investigations, which can be crucial during legal proceedings or for ongoing security monitoring.

In summary, ArcSight's solution not only provides a wide range of customizable reports to meet specific compliance needs but also ensures robust separation and preservation of raw and normalized logs to support forensic investigations and legal requests effectively.

ArcSight offers a comprehensive security information and event management (SIEM) platform that adheres to the NIST 800-92 standard for log management, ensuring data integrity. The system includes robust role-based access control (RBAC), which allows users to have fine-grained control over resources within the platform. Users are assigned to user groups, and each group has an access control list (ACL) that determines what they can view, edit, or delete. This feature ensures accountability and compliance with regulatory requirements.

ArcSight also provides auditable workflow capabilities through its Express module, automatically generating events for significant system operations such as the creation, editing, or deletion of resources like rules, dashboards, channels, lists, reports, etc., and monitoring report executions. These generated events are accessible for auditing purposes to track user activities and ensure compliance with SEM (Security Event Management) standards.
The platform includes customizable dashboards that enable users to tailor the interface to their specific needs. This flexibility allows organizations to display relevant data in a visually appealing and intuitive format, supporting informed decision-making and efficient operations management.

ArcSight provides a real-time graphical view of events occurring on a network, utilizing data from SmartConnector input that is correlated by the software. The solution includes customizable dashboards composed of Data Monitors, which can display information in various formats such as tables, charts (pie, bar, line), etc., to aid in further investigation and launch active channels based on user interest. ArcSight offers numerous pre-built dashboards and data monitors, allowing for customization by users to fit specific needs.

For regulatory or legal requirements, such as protecting the integrity of data relevant to security events and e-Discovery processes, ArcSight ensures log data is captured raw and normalized for analysis. The system performs integrity checks during data reception to prevent tampering, aligning with the NIST 800-92 standard for log management.

ArcSight supports integration with various third-party ticketing systems, including bi-directional support through its XML interface or simple email formatting. Retention policies can be tailored based on different logs and sources, allowing for customized retention periods according to specific needs.

The text discusses two main aspects related to a system, which are retention policies and role-based security.

Retention Policies: It mentions that systems supporting multiple retention policies assign event sources to storage groups with defined retention policies to meet various requirements such as compliance or corporate policies. These requirements can be regulatory, like in the case of Intermountain, or internal policies for corporate security.
Intermountain Requirements - General Functional Details: This section outlines basic functionality that Intermountain would like to see included in a product from potential vendors. The evaluation criteria are likely used to rank these vendors based on their compliance with specific weights assigned by Intermountain.

ArcSight (a system mentioned in the text) provides two user interfaces, one being an application console and the other browser-based Web console, which serve different purposes:

1. Application Console (ArcSight Console): Designed for administrators and content authors, this interface supports all aspects of the ArcSight management including filter creation, rule setup, report generation, Threat Detector configuration, dashboard customization, and data monitoring among others. It is a Java-based application supporting Windows, Linux, Solaris, Mac OSX, and AIX operating systems.

2. Web Console (ArcSight Viewer): This interface allows broad user access with read-only functionality and can be remotely installed as an independent web server that provides security through the ArcSight Manager for browser clients. It supports all popular browsers and uses standard DHTML for the client side coupled with a J2EE engine on the server side.

Role-based Security: The system offers role-based access control (RBAC) which allows specific logs to be granted access and restricts modifications of data according to user roles, ensuring that each group has its own set of permissions tailored to their needs within the application context.

ArcSight is a security information and event management (SIEM) software that allows users to set access permissions on various objects within the system. This is managed by creating user groups (user-defined criteria like department, geography, business unit, etc.) and asset groups (log sources). Users are mapped to these asset groups, which determines what data they can view or edit.
For example, firewall personnel see only firewall data, while an analyst sees events related to their specific assets. ArcSight provides the ability to manage access permissions on every object in the system at a user and group level. Log data cannot be modified once written, but administrative activities like modifying users, privileges, reports, or filters are audited for accountability.

For storage options, ArcSight appliances come with built-in storage for active log data, though customers can integrate with their existing storage environment for archiving purposes. ArcSight efficiently integrates with various enterprise-level storage solutions, including Tivoli Storage Manager.

Regarding directory integration, ArcSight does support Active Directory and IBM's Directory Server. It allows users to map user accounts from these directories directly into the system, which simplifies management and access control. The product may require specific schema or transformation rules depending on the organizational requirements and data interoperability needs.

The passage discusses the capabilities of ArcSight in integrating with various systems for managing identities and accessing resources, particularly focusing on Active Directory and Identity Management Systems like Oracle's Identity Management. ArcSight is capable of not only collecting data from Windows domain controllers but also maintaining a mirror of Active Directory contents updated every 10 minutes with delta information. This mirror helps in referencing and leveraging AD user, group, or profile information for analysis and correlation purposes. The integration allows ArcSight to offer enhanced control over the Active Directory environment by providing notifications based on specific events (e.g., former employee's credentials being used, newly created users added to restricted groups) and supports privileged user monitoring through role mapping.
ArcSight also supports integration with leading Identity Management Systems such as Oracle Identity Management, offering pre-built synchronization adapters for common directories like Microsoft Active Directory, Oracle Identity Management, and Sun Identity Management.

Regarding Tivoli Access Manager (TAM) and Tivoli Identity Manager (TIM), ArcSight provides integration in two ways: as an event source of log data or as an authentication/authorization source for user monitoring. It offers SmartConnectors for many IAM systems including TAM, allowing it to act as a data collection point from these systems. For user monitoring, ArcSight's IdentityView combines the broad activity collection and correlation capabilities typical of SIEM with detailed user and role information from IAM and directory technologies, enriching log events with relevant user details.

In summary, ArcSight supports integration with multiple identity management solutions to enhance security practices by providing enhanced visibility into user activities and access permissions across systems.

ArcSight IdentityView is a comprehensive solution designed for monitoring user identities across various systems such as Microsoft Active Directory, Oracle Identity Management, and Sun Identity Management. It provides a complete picture of user activity by including pre-built synchronization adapters for these systems, enabling organizations to monitor high-risk accounts effectively. The product is available in both software and hardware form factors, allowing customers flexibility in deployment options.

ArcSight's distributed log collection capabilities are facilitated through its ArcSight SmartConnector technology. These connectors can be deployed either centrally or in a distributed manner, depending on the infrastructure requirements. They support various data sources like syslog, RDBMS, Windows RPC, and operate in active or passive modes to collect events efficiently.
The SmartConnectors have built-in features for normalization, filtering, enrichment of event data, and categorization, which enhance their functionality based on specific needs.

The article discusses the development of a vendor-neutral taxonomy for rule writing and reporting, which allows data from various vendors' similar products to be compared as if they were homogeneous. Key features of this system include aggregation, batch sizing, compression, encryption, and caching, all aimed at optimizing bandwidth usage and ensuring reliable event collection in distributed environments.

The article specifically addresses ArcSight SmartConnectors, explaining their capabilities to manage log data from systems with limited network bandwidth:

1. **Aggregation**: When multiple events are generated by the same device within a short time frame, they can be aggregated into a single event that includes start and end timestamps along with a count of the original events. This reduces the number of transmissions needed and thus minimizes network impact.

2. **Batch Sizing**: SmartConnectors batch multiple events together for transmission to reduce the total number of transmissions. They may also limit the size based on time or the number of events, ensuring that not all events are sent simultaneously but rather in a controlled manner.

3. **Compression**: Batched event information is compressed before encryption to reduce the volume of data being transmitted across the network, which can significantly lower the impact on bandwidth-sensitive networks.

4. **Encryption**: Data transmission is secured using SSL (Secure Sockets Layer) encryption and authentication protocols to ensure confidentiality and integrity of the logged data.

5. **Caching**: In case the upstream link fails or becomes unavailable, SmartConnectors are equipped with caching mechanisms that store events temporarily until a connection can be reestablished, thus preventing any loss of important log data.

6. **Filtering, Aggregation, Compression, and Throttling**: These techniques collectively help in smoothing out network traffic spikes and optimizing the bandwidth usage by local caching and controlling the rate at which data is sent to the central system.

7. **Prioritization Based on Log, Asset, and Event**: SmartConnectors can be configured according to different criteria such as log type, asset type, or event severity for prioritization. This allows critical events to bypass normal throttling and be forwarded immediately if necessary, ensuring that urgent issues are addressed promptly.

By employing these features and techniques, ArcSight SmartConnectors provide an effective solution for collecting log data from systems with minimal network bandwidth, while also managing and optimizing the transmission of potentially large volumes of logged information in a secure and efficient manner.

ArcSight's solution prioritizes traffic based on asset or event type, allowing for additional criteria to enhance its categorization. It offers robust real-time monitoring capabilities for correlated log data, with a correlation engine that operates in memory and evaluates events in real time.

The solution supports various use cases such as identifying the user who posted a threatening message on a social networking site using source and destination IP addresses and time of posting from firewall, web proxy, and AD domain logs. It also verifies employee claims by analyzing system logs associated with the user ID, and aids in investigating data breaches by examining PHI records sent out across the internet through their host IP address. ArcSight's IdentityView tracks IP assignments in a DHCP environment to establish which user account was used for logging into machines, while firewall logs document network traffic and web proxy logs can be reviewed to show actual postings.
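The aggregation, batching, compression and caching steps from the SmartConnector list above, sketched as an added example that is not ArcSight code: repeated events collapse into one record with start, end and count, batches are compressed before sending, and packed batches are held while the upstream is unreachable. Field names, the 10-second window, the batch size and the drop-oldest overflow policy are assumptions, the sample events are constructed, and the SSL transport step is left out.

```python
import json
import zlib
from collections import deque


def aggregate(events, window=10):
    """Merge events with the same device/name/src/dst that occur within
    `window` seconds of the group's first event into one aggregated event."""
    open_groups = {}
    out = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["device"], ev["name"], ev["src"], ev["dst"])
        agg = open_groups.get(key)
        if agg is not None and ev["ts"] - agg["start"] <= window:
            agg["end"] = ev["ts"]
            agg["count"] += 1
        else:  # first event of its kind, or the window has closed
            agg = {"device": ev["device"], "name": ev["name"],
                   "src": ev["src"], "dst": ev["dst"],
                   "start": ev["ts"], "end": ev["ts"], "count": 1}
            open_groups[key] = agg
            out.append(agg)
    return out


def batches(events, max_events=100):
    """Split the event list into batches of at most `max_events`."""
    for i in range(0, len(events), max_events):
        yield events[i:i + max_events]


def pack(batch):
    """Serialize and compress one batch for transport."""
    return zlib.compress(json.dumps(batch, separators=(",", ":")).encode())


def unpack(blob):
    return json.loads(zlib.decompress(blob).decode())


class CachingForwarder:
    """Queues packed batches and drains them in order once `send` succeeds.
    Assumed overflow policy: when the cache is full, drop the oldest batch
    and count it, so the loss is visible rather than silent."""

    def __init__(self, send, max_cached_bytes=1_000_000):
        self.send = send  # callable(blob) -> True if the upstream accepted it
        self.cache = deque()
        self.cached_bytes = 0
        self.max_cached_bytes = max_cached_bytes
        self.dropped = 0

    def submit(self, blob):
        self.cache.append(blob)
        self.cached_bytes += len(blob)
        while self.cached_bytes > self.max_cached_bytes:
            self.cached_bytes -= len(self.cache.popleft())
            self.dropped += 1
        self.flush()

    def flush(self):
        while self.cache:
            if not self.send(self.cache[0]):
                return False  # upstream still down, keep everything cached
            self.cached_bytes -= len(self.cache.popleft())
        return True


def demo():
    # Constructed sample: 500 identical firewall denies (10 per second for
    # 50 seconds) plus one unrelated accept event.
    raw = [{"ts": s, "device": "fw-remote-1", "name": "deny",
            "src": "192.0.2.10", "dst": "198.51.100.5"}
           for s in range(50) for _ in range(10)]
    raw.append({"ts": 5, "device": "fw-remote-1", "name": "accept",
                "src": "192.0.2.11", "dst": "198.51.100.5"})
    agg = aggregate(raw)
    upstream = {"up": False, "received": []}

    def send(blob):
        if upstream["up"]:
            upstream["received"].append(blob)
        return upstream["up"]

    fwd = CachingForwarder(send)
    for batch in batches(agg, max_events=2):
        fwd.submit(pack(batch))  # upstream is down: batches stay cached
    cached_while_down = len(fwd.cache)
    upstream["up"] = True
    fwd.flush()  # link restored: cache drains in order
    delivered = [ev for blob in upstream["received"] for ev in unpack(blob)]
    return {"raw_events": len(raw), "aggregated": agg, "delivered": delivered,
            "cached_while_down": cached_while_down,
            "cached_after": len(fwd.cache), "dropped": fwd.dropped,
            "raw_bytes": len(json.dumps(raw).encode()),
            "sent_bytes": sum(len(b) for b in upstream["received"])}


if __name__ == "__main__":
    result = demo()
    print(result["raw_events"], "raw events ->", len(result["aggregated"]),
          "aggregated;", result["raw_bytes"], "->", result["sent_bytes"], "bytes")
```

Aggregation trades per-event detail for volume, so the `count`, `start` and `end` fields are what an analyst has left to reason about; any cache overflow should surface as a monitored counter.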
ArcSight is a comprehensive security information and event management (SIEM) tool that can handle large volumes of logs from various sources to monitor network activity effectively. Here's a summary of the key points in the provided text regarding ArcSight's capabilities:

1. **Event Capture Capabilities**: ArcSight can receive thousands to millions of events per second, depending on its configuration and deployment architecture. The system scales up according to the specific needs of the customer, including large networks like DISA’s communication backbone or enterprise-level customers managed by MSSP (Managed Security Service Providers).

2. **Scalability**: ArcSight uses a modular tiered architecture for scalability. This allows it to handle initial volumes starting from 500 events per second up to millions during peak times, with the ability to add more modules as needed. It also supports scaling out across multiple regional or customer-specific ArcSight Express Managers connected through a global manager.

3. **Log Management**: ArcSight’s Log Management solution is capable of receiving, storing, and forwarding logs at rates up to 100,000 events per second for non-security relevant messages, which makes it suitable for environments requiring high throughput alongside its primary security monitoring functions.

4. **Overload Handling**: If the ArcSight manager becomes overloaded with too many events (exceeding the MAX threshold), there is a SmaRT feature that helps manage and distribute the load among multiple managers to prevent data loss or performance degradation.

5. **Packet Drop Identification**: The system can identify when packets are dropped, which could be an indicator of network congestion or other issues that might affect security posture or operational efficiency. This allows for proactive troubleshooting and adjustment to ensure optimal performance under different traffic conditions.

6. **Event Sources**: ArcSight can integrate with various event sources beyond just network activity, including database accesses, application logins, administrative changes, configuration changes, and email tracking, providing a more holistic view of user activities across the organization.

In summary, ArcSight is designed to be highly scalable and capable of handling large volumes of security events efficiently, ensuring that it can adapt to various network sizes and requirements while maintaining robust performance even under high traffic conditions.

The SmartConnector is designed to cache event logs on the connector itself, preserving these logs until the load on the manager reduces sufficiently for it to resume accepting data. This caching ensures that all events are delivered with guaranteed delivery through its capabilities.

The user community of ArcSight is actively engaged and supported through a dedicated 7/24 user portal where members can share content, collaborate on best practices, ask and answer questions, network, and gain visibility on product roadmaps. Additionally, ArcSight organizes an annual event called the ArcSight Protect User Conference that attracts over 1000 participants, offering training sessions, breakout sessions, hands-on immersion programs, customer presentations, networking activities, and more to foster interactions among users and industry experts.

Regarding log collection abilities, the SmartConnector can collect security logs from various sources:

1. IBM’s Directory Server - Utilizes ArcSight's FlexConnector toolkit either as syslog or file reader.

2. Active Directory - Collects events using RPC through the AD SmartConnector.

3. IBM’s Tivoli Access Manager - Can be collected using a File reader or XML via the standard SmartConnector.

4. Oracle Internet Directory - Utilizes ArcSight's FlexConnector toolkit for collection, which can include syslog, file reader, or database methods.

5. RSA SecurID Token - Collected through the standard SmartConnector using syslog.

This text lists various technologies and devices that can send logs to ArcSight's SmartConnector for intrusion detection. These include routers, switches, firewalls, endpoint protection software, web servers, antivirus programs, and more. The list confirms that the standard SmartConnector can collect events from these devices using syslog, XML files, or databases as applicable.

This text appears to be a documentation or specification for a product related to event collection and management, likely part of the ArcSight suite. The document outlines support for various platforms such as Windows, Unix-based systems like Linux, specific hardware platforms like Tandem and ISeries, databases including Oracle Database, Microsoft SQL Server, DB2, Sybase, and more. It also mentions a physical badge access device that can be supported via a FlexConnector toolkit, which could collect data via syslog, file, XML or database, depending on the configuration.

Regarding hardware and storage requirements, it is noted that the solution is appliance-based, and the active logs are included in the hardware setup of the appliances. The customer's existing storage infrastructure can be used for archived data once retention policies have expired.

Operating system and software requirements are also specified; all ArcSight appliances come with the necessary OS and software. The ArcSight Console runs on a variety of operating systems including Windows (XP Pro, Vista, Server 2003), MacOS X, Red Hat Enterprise Linux, Sun Solaris, among others. This flexibility is aimed at supporting a wide range of hardware platforms efficiently.

This text outlines the compatibility of various web browsers across different platforms, providing information on which versions are supported for Windows, Mac OS X, Solaris, Linux, and specific operating systems like Mac and Windows.
Additionally, it addresses redundancy in the context of system reliability, detailing how ArcSight smart connectors and managers can be configured to handle communication disruptions and ensure data is not lost.

The text also covers ArcSight's High Availability features, which are designed to avoid any single point of failure in mission-critical deployments by using advanced technologies like clustering with EMC/Legato (or Symantec/Veritas) cluster software for redundancy across three tiers: SmartConnectors, Manager, and database. The system is capable of functioning in active/active mode, has failover capability if the product is not available, and includes features to ensure data integrity when log collection management servers are down. ArcSight smart connectors use two caches: a front-end queue for raw events during sudden spikes in event flow and a back-end cache for processed events that can be stored even when upstream links are unavailable. The default cache size is customizable up to 1GB, providing robust data protection mechanisms.

ArcSight's appliance-based solution simplifies administration with minimal required features, utilizing a web-based management console for delegation and main administrative tasks. It does not provide root access to the operating system due to its hardened appliance nature but offers direct server access via SSH or KVM if needed. The database configuration requirements are met within the appliance, storing various types of data securely with integrity checks and encryption for rule sets and audit logs. Certificates are used for secure communications, typically recognized CA-issued certificates rather than self-signed ones.

ArcSight is a security information and event management solution that facilitates the collection, detection, and response to incidents in real time.
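The two connector caches described above can be reasoned about with a small model. This is an added example, not ArcSight code or part of the proposal: it shows that store-and-forward delivery holds only while an outage fits inside the configured cache. The class and function names, the drop-when-full behaviour, the tick rates and the sample events are assumptions; only the 1 GB ceiling and the 500 events per second starting volume come from the text.

```python
from collections import deque
from dataclasses import dataclass, field

ONE_GB = 1_000_000_000  # the text gives 1 GB as the ceiling for the connector cache


def make_event(seq: int) -> str:
    """Constructed, fixed-length syslog-style line (sample data, not a real log)."""
    return f"<134>fw01 seq={seq:08d} action=deny src=10.0.0.5 dst=192.0.2.10\n"


EVENT_BYTES = len(make_event(0).strip().encode())


@dataclass
class ConnectorModel:
    """Toy two-cache connector. Hypothetical model, not ArcSight's implementation."""
    front_capacity: int        # raw events the front-end queue can hold
    cache_capacity_bytes: int  # byte cap of the back-end cache
    front: deque = field(default_factory=deque)
    cache: deque = field(default_factory=deque)
    cache_bytes: int = 0
    delivered: int = 0
    dropped_front: int = 0
    dropped_cache: int = 0

    def receive(self, raw: str) -> None:
        """Queue a raw event; assumption: a full front-end queue drops it."""
        if len(self.front) >= self.front_capacity:
            self.dropped_front += 1
        else:
            self.front.append(raw)

    def process(self, budget: int) -> None:
        """Move up to `budget` raw events into the back-end cache."""
        for _ in range(min(budget, len(self.front))):
            event = self.front.popleft().strip().encode()  # stand-in for parsing
            if self.cache_bytes + len(event) > self.cache_capacity_bytes:
                self.dropped_cache += 1  # assumption: a full cache drops new events
            else:
                self.cache.append(event)
                self.cache_bytes += len(event)

    def flush(self, manager_up: bool, budget: int) -> None:
        """Forward cached events oldest-first while the manager accepts them."""
        if not manager_up:
            return
        for _ in range(min(budget, len(self.cache))):
            self.cache_bytes -= len(self.cache.popleft())
            self.delivered += 1


def simulate(arrivals, manager_up, front_capacity, cache_capacity_bytes,
             process_per_tick, forward_per_tick):
    """Run one tick per entry of `arrivals` (events received) / `manager_up` (bool)."""
    conn = ConnectorModel(front_capacity, cache_capacity_bytes)
    seq = peak = 0
    for count, up in zip(arrivals, manager_up):
        for _ in range(count):
            conn.receive(make_event(seq))
            seq += 1
        conn.process(process_per_tick)
        peak = max(peak, conn.cache_bytes)
        conn.flush(up, forward_per_tick)
    return {
        "sent": seq,
        "delivered": conn.delivered,
        "dropped_front": conn.dropped_front,
        "dropped_cache": conn.dropped_cache,
        "pending": len(conn.front) + len(conn.cache),
        "peak_cache_bytes": peak,
    }


def outage_scenario(cache_capacity_bytes):
    """100 events per tick for 40 ticks; manager unreachable during ticks 5-14."""
    up = [not (5 <= tick < 15) for tick in range(40)]
    return simulate([100] * 40, up, front_capacity=500,
                    cache_capacity_bytes=cache_capacity_bytes,
                    process_per_tick=1000, forward_per_tick=300)


def spike_scenario(front_capacity):
    """A 500-event burst at tick 2 against a parser that handles 150 per tick."""
    arrivals = [100, 100, 500] + [100] * 10
    return simulate(arrivals, [True] * len(arrivals), front_capacity,
                    cache_capacity_bytes=ONE_GB,
                    process_per_tick=150, forward_per_tick=300)


def outage_tolerance_seconds(cache_bytes, events_per_second, avg_event_bytes):
    """How long the back-end cache can absorb an outage before it is full."""
    return cache_bytes / (events_per_second * avg_event_bytes)


if __name__ == "__main__":
    print("ample cache :", outage_scenario(ONE_GB))
    print("tight cache :", outage_scenario(500 * EVENT_BYTES))
    print("spike, q=500:", spike_scenario(500))
    print("spike, q=200:", spike_scenario(200))
    # 500 events/s is the starting volume quoted in the text; 500 bytes per
    # event is an assumed average.
    print("1 GB lasts  :", outage_tolerance_seconds(ONE_GB, 500, 500), "s")
```

When sizing a deployment, compare the longest manager outage you need to survive with the tolerance figure for your own event rate and average event size, and alert on connector cache growth before the cap is reached.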
ArcSight's features include support for self-signed or CA-recognized certificates, which ensures secure communication between system components. ArcSight offers a flex connector toolkit for defining event sources from custom applications, supporting integration through graphical user interfaces and APIs. It also provides an Express service layer that exposes functions as web services, which can be consumed to integrate functionality into external applications. In terms of performance, ArcSight uses 100/1000 network cards and scales from 500 events per second up to millions, depending on the environment. The hardware devices used are flexible and can adapt to current or future needs, scaling to support large worldwide networks. Additionally, ArcSight Logger is optimized to handle high event volumes in Express solutions, allowing efficient compression and storage of logs without compromising performance. In summary, ArcSight is a robust solution that integrates easily with custom applications and scales to monitor systems with high performance and security.

ArcSight does not require opening multiple ports for processing; it only needs the customer to select specific ports (default TCP 8443 and 9443) for component connections. The pricing model is based on a recommended architecture with unlimited use of connectors, web access users, and one console user without additional charges beyond initial setup costs, including the HIPAA compliance package and the flexibility to develop more connectors if needed. ArcSight does not charge per device or exporter; they provide an extensive library of over 300 developed connectors that can be deployed without cost implications for the number of devices being collected and correlated.

**Summary of Document Content:**

1. **Pricing Table (Attachment 1):** The document indicates that a Pricing Table has been completed, but the details are not provided here. It mentions that the pricing includes various services such as installation, implementation, training, data conversions, interfaces, development, and other related services for specified fees.

2. **Dev/Test Systems Pricing:** ArcSight offers a Development/Test ESM software license at a significant discount, which is included in the provided Pricing Table (Attachment 1).

3. **Professional Services Hours and Costs:** Professional services are recommended to be provided for successful deployment of the product, with details indicated in the Pricing Table (Attachment 1) regarding both the number of hours required and the hourly fees associated with these services.

4. **Timing of Payment:** Intermountain Healthcare is expected to follow a payment schedule consisting of:

  • 20% within 30 days after the agreement execution.

  • 40% upon completion of product implementation, defined as after unit testing and integrated testing.

  • 40% upon final acceptance by Intermountain, which occurs after stress testing, live testing, and "productive use" of the product.

5. **Flexible Spending Arrangement:** ArcSight is open to discussing more favorable terms for payment arrangements with Intermountain Healthcare.

6. **Discounts and Incentives:** The document does not explicitly detail any discounts or incentives being offered to Intermountain, nor does it mention similar offers to other clients. It only provides a general framework for the payment schedule without specifying any promotional offers beyond the standard contractual terms.

The text provides information about discounts, incentives, and pricing terms for Intermountain Healthcare when purchasing peripheral devices, equipment, and software from ArcSight. Here are the main points summarized:

1. **Price Protection**: Intermountain can request price protection for a minimum of two years on peripheral devices, equipment, and software required to run their system. ArcSight will offer a discount off the list price, but specific details like percentage are not provided in this text.

2. **Discounts and Incentives**: ArcSight offers significant pricing discounts off the list price as detailed in the proposal. They also provide maximum incentives available for Intermountain Healthcare. For initial purchases, ArcSight will offer a discount that is maintained for two years.

3. **Most Favored Pricing**: The text states that Intermountain should confirm they are getting most favored pricing and that this will continue during any agreement with ArcSight. However, ArcSight cannot guarantee the same level of flexibility in providing most favored pricing due to its contracts with large governmental entities and companies.

4. **Penalties for Non-Performance**: There are no specific penalties listed if Intermountain does not perform installation, implementation, and other obligations as promised on schedule. This is because ArcSight's commitment to success relies heavily on the participation and cooperation of the customer, making it difficult to enforce penalties without control over external factors that affect performance.

5. **Support and Maintenance Fees**: The text mentions a requirement for a cap on annual fee increases with a lesser of CPI (Consumer Price Index) or 3% as the maximum increase allowed. This indicates that Intermountain is seeking favorable terms in this area, but specific details about whether these fees are considered most favorable by ArcSight are not provided.

In summary, the text outlines various pricing and contractual terms for Intermountain Healthcare when purchasing from ArcSight, including potential discounts, incentives, and requirements for price protection and maintenance of support and services agreements.

The text discusses a partnership between Intermountain Healthcare and ArcSight regarding the deployment of ArcSight's enterprise security management software. Key points include:

1. **Cost Savings**: Intermountain has its own Help Desk for reporting problems, which allows it to save 5% on support fees charged by the vendor. This is achieved through an internal problem-reporting system that reduces the need for direct intervention from ArcSight's technical resources.

2. **ArcSight Services and Fees**: ArcSight offers annual support and maintenance including software upgrades, patches, and 24x7x365 support at a cost of 18% of the initial NET license cost annually. However, since Intermountain's Help Desk is not certified by ArcSight to handle technical issues, no discount based on first-level problem reporting is applicable.

3. **Administrative Costs**: According to ArcSight, only less than one full-time equivalent (FTE) resource is typically dedicated to administrative tasks for their customers.

4. **Resource Allocation for Implementation and Administration**:

  • Implementing the product: One FTE is recommended.

  • Daily administration of the product: One half (0.5) FTE is suggested, although this can vary based on specific needs and customer setup.

5. **Service Description**: ArcSight commits to installing and configuring all necessary ArcSight appliances and will work with Intermountain to set up data collection from applicable devices. They will also install and configure the HIPAA compliance package for monitoring and reporting purposes.

Overall, this document outlines the services and support details that both parties agree upon as part of their partnership for implementing the ArcSight software at Intermountain Healthcare.

This text outlines the responsibilities of both the vendor (ArcSight) and Intermountain for the installation and implementation of a product.

1. Vendor Responsibilities: ArcSight is responsible for ensuring the success of the solution by assisting with the installation, configuration, and tuning of the product. They also help configure and tune all system content. Additionally, they assume that the client has already created a security plan and defined rules to be enforced by the ArcSight software.

2. Intermountain Responsibilities:

  • Project Management: A designated primary point of contact (POC) from the customer will manage resources for required meetings, interviews, and other project-related needs within specified parameters. The POC will also participate in status meetings and act as the first point of escalation for any requests or issues.

  • Equipment: All non-purchased hardware needed for implementation, such as those used for URL filtering, virus checking, reporting, intrusion detection, and firewall management, must be configured and staged by Intermountain. This includes network hardware like routers, hubs, switches, all cabling, and cords.

  • Security Plan: ArcSight expects the client to have a pre-defined security plan that outlines the rules they wish to enforce through the ArcSight software.

  • Access: The client must provide access to physical facilities and systems during normal business hours. They should also have knowledgeable personnel available to provide necessary support.

The provided text outlines a contractual agreement between two parties regarding the deployment of ArcSight, a software solution for advanced security information and event management, at Intermountain Healthcare. Key points from the text include:

1. **Proprietary Information Access**: Customer (Intermountain Healthcare) must provide all necessary proprietary information, applications, and systems to ensure successful project implementation.

2. **Data Conversion Requirements**: Compliance Insight Packages within ArcSight require a specific list of IT assets to be imported and mapped for advanced reporting purposes. This implies that Intermountain will need to supply initial asset data upon the start of the engagement.

3. **No Data Conversion Required**: According to ArcSight comments, no actual data conversion is necessary as part of this project.

4. **Interfaces to Directories**: The capability to develop and implement interfaces to additional Intermountain directories is confirmed, with ArcSight offering FlexConnector SDK for custom parser development if needed.

5. **Implementation Plan**: An implementation plan should include all tasks from installation and training to data conversion, interface development, and programming, aiming to make the system "production ready." A defined timeline for these tasks is crucial to avoid surprises post-implementation.

6. **Previous Problems and Suggestions**: The text does not provide specific details about problems encountered by previous customers or how they were addressed, which would typically be relevant in a support or enhancement context within ArcSight Implementation Plans.

In summary, the agreement emphasizes clear communication of expectations, including access to data and systems, and outlines a structured approach for implementation that includes development and deployment of necessary interfaces and tools like FlexConnector SDK. The absence of detailed information about previous issues might be a limitation in understanding potential challenges or how they can be mitigated effectively.

The deployment of a security monitoring solution like ArcSight by Intermountain Healthcare requires coordination across multiple departments due to the data ownership residing outside the immediate deploying group. To ensure a successful implementation, it is crucial that access to necessary data is secured prior to ArcSight's on-site presence. Additionally, comprehensive preparation and information gathering are recommended before the deployment. This setup allows the ArcSight team to concentrate more on transitioning the solution to Intermountain's staff after training.

Intermountain will require specific training to effectively utilize ArcSight Express. The suggested training is the ArcSight Express Administration and Operations course, which provides a comprehensive curriculum tailored for enterprise security event management. This course includes both theoretical learning and hands-on practical exercises, enabling participants to swiftly deploy the ArcSight Express appliance into operational use after initial installation. The scope of this training can be delivered in various formats including in-person sessions at ArcSight's location or on-site at Intermountain Healthcare, virtual classroom settings, or self-paced eLearning modules. The objectives of the course are to equip participants with skills such as using built-in functionalities like Channels, Filters, Rules, Active Lists, and Reports, along with implementing Network and Asset Modeling for customized business-oriented solutions in security event management.

The provided text outlines various aspects related to ArcSight, including its monitoring, detection features, storage appliance configuration, and training options. Here's a summarized breakdown:

**ArcSight Express Environment:**

  • Implemented monitoring and detection features to isolate, investigate, analyze, and remediate exposed security issues.

  • Configured global, platform, and system settings for both appliances and user resources based on network and business access requirements.

  • Utilized Search and Report Query facilities to define and locate matching events from the Storage Appliance, deploying high usage queries as filters, saved searches, or scheduled reports.

**Training Options:**

  • ArcSight offers various education classes with different participation methods including on-site at customer locations, on-site at ArcSight, Virtual Classroom, and self-paced eLearning.

  • Full descriptions of courses and participation options can be found through the ArcSight training website.

**Product Maintenance:**

  • ArcSight commits to maintaining its products and providing "bug" fixes and work-around solutions, emphasizing the company's focus on customer success.

  • The Customer Success Organization supports this commitment by continuously improving product maintenance and enhancing market leadership in SIEM tools.

**Software Updates:**

  • ArcSight plans to provide updates and new versions of the software, with a summary indicating activities planned for 2010-2011 focusing on continuous improvement and customer success as indicated by market share gain, customer satisfaction, and analyst recognition.

Overall, the text provides detailed information about how ArcSight supports its products through training, maintenance commitments, and updates to ensure effective security monitoring and incident response capabilities for customers.

ArcSight has an annual release schedule for their software, which includes both functional upgrades and patch fixes, as well as updates to connectors throughout the year. They offer these updates free of charge during the maintenance period with Intermountain Healthcare. The support model provided under the maintenance fee includes telephone support available 24 hours a day, 7 days a week, with two main programs: Standard maintenance offering support during local business hours and access to the ArcSight Support Center, and Premium maintenance providing 24x7 support, accelerated response times, and full access to the ArcSight Support Center. Additionally, there is an online support portal available for product upgrades, a knowledge base, incident status updates, and more.

The text provides information about several aspects of the relationship between Intermountain and ArcSight, including known product issues, resolution descriptions, a download center for updates, a support center forum, other support services, service level commitments, and contractual obligations related to problem responses. Here's a summary:

1. **Known Product Issues and Resolution Descriptions**: The text does not provide specific details about known product issues or their resolutions, but it implies that there are such issues which have been addressed in some manner by ArcSight.

2. **Download Center**: Intermountain has access to a centralized repository where the latest versions of products, software patches, and product documentation can be downloaded. This indicates a robust system for updating and providing resources related to their technology solutions.

3. **Support Center Forum**: Customers (presumably users or stakeholders) have a platform to communicate with each other and with support staff regarding issues, updates, or general inquiries. This community-based support mechanism helps in sharing information and resolving queries collectively.

4. **Other Support Services**: ArcSight commits to providing additional services such as consultation, custom programming, and implementation services at favorable rates when needed by Intermountain Healthcare.

5. **Service Levels for Defects or Problems**: The text outlines various service level commitments based on the criticality of the problem reported by Intermountain. These include response times for different priority levels (1 through 4) ranging from within 1 hour to up to 7 business days, depending on the severity and urgency of the issue.

6. **Contractual Obligations**: ArcSight is contractually bound by specific response times based on problem criticality, which are outlined in the text. These obligations include being willing to compensate Intermountain if service levels are not met.

7. **Incentives for Meeting Service Levels**: The text suggests that meeting these service level commitments might be incentivized or tied to contractual agreements between the parties.

8. **Contractual Binding of Response Times**: ArcSight is bound by response times as per the outlined priorities, which are detailed in the table provided. These timeframes range from immediate responses for high-priority issues to progressively longer timelines for lower priority issues.

In summary, this text sets out various aspects of how Intermountain Healthcare and ArcSight interact regarding technical support, software updates, community engagement, and contractual obligations related to problem resolution.

The provided text discusses the technical support options and compatibility for the ArcSight product, detailing its offerings and how they align with Intermountain Healthcare's standards. Here's a summary of key points:

1. **Web Support and Documentation:**

  • **Download Center:** ArcSight maintains an extensive download center where users can access the latest versions of products, software patches, and comprehensive documentation. This serves as a centralized repository for all necessary resources.

  • **Online Support Portal:** The company offers an online support portal that provides customers with on-demand access to product upgrades, a knowledge base, status updates on support incidents, and more. This portal is designed to facilitate quick resolution of customer issues by providing direct channels for troubleshooting and information retrieval.

2. **Remote Access Support:**

  • **VPN Tunnels (Required):** To provide remote assistance, ArcSight requires customers to establish VPN tunnels, which are essential for securely accessing and managing the platform from a distance.

  • **ArcSight vs. Intermountain Requirements Comparison:** The support requirements set by ArcSight generally align with those of Intermountain Healthcare, indicating that both entities expect effective remote access capabilities through secure means like VPNs.

3. **Technical Solution Details:**

  • **Product Compatibility:** ArcSight's components are compatible with the "Standards Profile" outlined in the Intermountain Overview section. Exceptions include the ArcSight Console and Web Viewers, which have specific supported platforms that meet Intermountain's standards:

  • **ArcSight Console:** Compatible OS platforms include MS Windows XP Pro, MS Windows Vista, MS Windows Server 2003, MacOS X, Red Hat Enterprise Linux WS and AS, and Sun Solaris (SPARC).

  • **ArcSight Web Browser:** Supports web browsers IE 6.0 across all platforms that support these browsers.

  • This compatibility ensures seamless integration within Intermountain's IT infrastructure while leveraging ArcSight's robust capabilities for effective management and monitoring of systems.

**Summary:**

**1. Software Requirements:**

  • Mozilla, Netscape, Firefox, and Safari are compatible with specific versions on different operating systems. The compatibility table is as follows:

  • Mozilla: Windows, Solaris, Linux, Mac (versions 1.7 or greater)

  • Safari: Mac OS X (versions 1.2 or greater)

  • Netscape: Mac, Windows, Linux (versions 8 or greater)

  • Firefox: Windows, Linux, Solaris, Mac (versions 1.5 or greater)

**2. User Management Software Integration:**

  • The software does not require the purchase and implementation of other software for integration into a software framework. All required software is bundled in the ArcSight solution being proposed.

**3. Directory and Non-out-of-box Integrations:**

  • ArcSight’s solution does not need to be integrated with Intermountain Healthcare corporate directory unless collecting as an event source. If needed, appropriate configuration guides will be provided for integration, documenting necessary credentials.

**4. Deliverables:**

  • **A. Hardware:**

  • 2 x ArcSight C5200 Connector Appliance hardware, licensing and support

  • 2 x ArcSight L7200s Logger Appliance hardware, licensing and support

  • 1 x ArcSight M7200-XL Express Appliance hardware, licensing and support

  • **B. Software:**

  • 1 x Compliance Insight Pack for HIPAA

  • ArcSight Consoles

  • Unlimited ArcSight Web Viewers

  • FlexConnector SDK

  • **C. Documentation:**

  • The required documentation includes configuration guides specific to the integration of credentials and other necessary information. Copies are unlimited as per the deliverable details provided.

  • **D. Other:**

  • This category is not specified in detail but likely encompasses any additional services or support that may be part of the overall solution being delivered to Intermountain Healthcare.

**Summary Comments from ArcSight:**

  • The ArcSight software and hardware requirements are clearly outlined, indicating a comprehensive solution for deployment. The integration with Intermountain’s corporate directory is optional based on specific use cases, and all necessary documentation will be provided for setup and configuration.

This document outlines several key aspects related to Intermountain's product offerings, including documentation, site requirements, market presence, and references from customers. Here's a summary of the main points:

1. Documentation: All product documentation is included with the purchase of the product, and additional documentation can be found on the support site and within the Protect 7x24 customer portal for download.

2. Site Requirements: These include all equipment, computer programs, and other items needed by Intermountain to use the product, which are not supplied by the vendor. This also includes environmental requirements such as air conditioning, insulation, special flooring or support, utilities, cabling, and any other specialized needs. As part of the ArcSight engagement, Professional Services will provide a checklist of all prerequisites needed prior to onsite implementation.

3. Market Presence: The document provides information about current market share for ArcSight's products compared to its main competitors, as well as details on the length of time the product has been available in the market and the software lifecycle status of both flagship products (Enterprise Security Manager and Logger). According to this report, ArcSight held a 19% market share in 2008, significantly higher than its closest competitor's 9.6%. Both products have been on the market since their respective years of launch: Enterprise Security Manager since 2000 and Logger since 2006. They are currently in their fifth generation of major functional upgrades.

4. References: The document requests names, addresses, and telephone numbers of six customers who are currently using ArcSight's products. These customers should have situations and needs that closely match those of the users mentioned in the references section.

This document outlines a request for information from ArcSight, which is seeking details about Intermountain Healthcare's situation and needs. The information requested includes specific contacts at various healthcare organizations who might be potential reference calls for ArcSight to discuss their services with Intermountain. Additionally, the response should include copies of annual reports or equivalent financial statements from previous years, as well as a description of the company size (number of employees and sales revenues) and details about the research and development budget over the past three accounting years and the next three years. Here is a summary of each section:

1. ArcSight requests information on Intermountain Healthcare's specific needs to better understand their situation, which would be useful for scheduling reference calls with relevant customers like Weill Cornell Medical College, Boston Medical Center, Priority Health, and Long Term Care Partners. These contacts are suggested as potential references for ArcSight to engage in a discussion about their services.

2. ArcSight includes its own annual report from 2010 as part of the response template, providing a case study example that Intermountain should follow or model their information after.

3. The size of the company is described, including current figures for number of employees and sales revenues, which are generally provided in an annual report format. Here, ArcSight states they have 500 employees and had $189M in revenue during their fiscal year 2010.

4. Details about research and development expenditures are requested over the last three accounting years and projected for the next three years. For ArcSight, these figures were $X million spent on R&D each year up to the present and a similar amount projected into the future.
In summary, Intermountain Healthcare is asked to provide detailed information about their company's structure and financial performance history as well as plans for future development, which will be useful for ArcSight in establishing business relationships and potentially providing services or solutions tailored to Intermountain’s needs and operations. ArcSight has a strong commitment to innovation by continuously developing new products and enhancing existing ones to stay competitive. The company invests heavily in research and development, with a team focused on improving and expanding the capabilities of their major product lines as well as creating additional offerings. By closely collaborating with customers and technology partners, they ensure that their products meet evolving market needs and requirements. ArcSight has offices globally, but Intermountain Healthcare is supported out of the Cupertino, CA office. The company guarantees adherence to specified requirements in all agreements and takes responsibility for product quality and functionality, ensuring merchantable quality and suitability for intended use as outlined in the RFP process. ArcSight provides a warranty for its software products, stating that if there are any programming errors or defects reported by Intermountain within 90 days of delivery, these issues will be corrected at no additional cost as part of the warranty. The main limitations and disclaimers in this warranty include that it does not guarantee specific outcomes, uninterrupted operation, error-free performance, nor complete security features. ArcSight's liability for any breach of this warranty is limited to using commercially reasonable efforts to provide an error correction or workaround if notified within the 90-day period. The warranty does not extend beyond this period. The document outlines a warranty for hardware provided by ArcSight to the licensee (referred to as "Intermountain" in this context). 
During the Hardware Warranty Period of one year, the hardware is guaranteed to be free from defects in material and workmanship under normal use. If the hardware has any issues during this period, Intermountain's sole remedy from ArcSight or its licensors is either repair efforts by ArcSight (if feasible) or a replacement of the hardware according to ArcSight's policies detailed elsewhere in the document. This warranty requires that the hardware be returned following specific procedures as authorized by ArcSight. The warranty also states that replacements may consist of new, used, or previously installed components and will cover the remaining portion of the original Hardware Warranty Period. However, ArcSight does not guarantee that the hardware is free from vulnerabilities to intrusion or attack. Any claim for remedies under this warranty must be made within the specified period. Additionally, ArcSight agrees to allow a test of a working demo before complete implementation of the product. Lastly, the document confirms that the product and its use will not infringe on any third-party intellectual property rights, with ArcSight agreeing to indemnify Intermountain against claims of infringement by others. This text outlines a contractual agreement where ArcSight agrees to indemnify and defend the Licensee in case of any infringement suit or action. The obligations are conditional upon several factors including providing prompt written notice, granting sole control of defense and settlement negotiations to ArcSight, and assisting at ArcSight's expense. It specifically excludes certain scenarios such as use of a superseded release, combination with non-ArcSight software, use outside specified terms, modifications by parties other than ArcSight, and compliance with Licensee’s specifications or plans. 
If the Software becomes subject to an infringement suit, ArcSight can either replace it, modify it to be non-infringing, procure rights for continued use, or accept return of the infringing software at its discretion and expense.

This document outlines several key points regarding software usage and obligations between ArcSight and Intermountain Health Services, Inc. In section 12, it is clarified that neither the product nor its documentation should include any Unauthorized Code or Self-Help Code as defined. These terms are specified to encompass malicious components such as viruses, Trojan horses, worms, or other harmful software elements designed to unlawfully access, control, harm, or disrupt computer systems. ArcSight agrees to include mutually agreeable language in their agreement to address this requirement.

In section 13, it is emphasized that the license granted extends not only to Intermountain Health Services, Inc., but also to all other members of the "Intermountain Organization." The agreement must ensure that all rights and obligations under the agreement are extended to these affiliated entities, with only Intermountain Health Services, Inc. being legally bound as the signatory.

The document outlines the terms of an agreement between Intermountain Health Services, Inc., its subsidiaries, and a third-party software company named ArcSight. Intermountain is responsible for ensuring that access to the licensed product is granted to all entities within the organization, including "Independent Clinics" as defined by the agreement. These Independent Clinics are health care facilities with a working relationship with members of the Intermountain Organization. ArcSight has confirmed their willingness to include language in the Agreement that satisfies this requirement, which means they agree to add terms allowing remote access via PCs or terminals for Independent Clinics who have signed a confidentiality agreement.
The agreement also specifies certain limitations; it does not apply to hospitals with more than 50 beds.

The document outlines the terms and conditions for licensing a product to Intermountain, including no restrictions on its location or transfer within the Intermountain Organization. It also states that Intermountain expects to have the right to maintain and modify the product as needed without any obligation from ArcSight if they choose to do so. Additionally, it mentions that Intermountain has certain expectations regarding system performance and requests a description of how ArcSight will ensure this. Lastly, there is a proposed cost table attached for the licensing of the product by Intermountain site.

The table provided outlines the costs associated with a project over several years, categorized into one-time and ongoing costs. In terms of hardware and servers, there were significant initial expenditures in 2011 amounting to $217,000. This was followed by an annual maintenance fee for hardware starting from 2011 until 2015, which steadily increased each year: $39,060 (2011), $43,400 (2012-2015). The software costs included a one-time expenditure of $21,700 for the license in 2011. The implementation cost of $40,250 was also incurred in 2011. There were no separate costs mentioned for interface development within the table itself, but it is noted that this falls under software implementation as per the description provided. An annual support and maintenance fee of $9,541, running from 2011 until 2015, was also budgeted. Documentation and training costs were set at $2,880 in 2012, with an increase to unspecified amounts for later years. Travel and lodging expenses were estimated initially at 20% of the implementation services cost ($40,250), which comes out to $8,050 in 2011, without any further costs mentioned after that. The total expenditure was highest in 2011 with a sum of $338,481, and thereafter decreased as maintenance fees were spread over fewer years.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
