© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
What is HP ArcSight?
HP’s ArcSight is an industry-leading solution suite for monitoring, detecting and preempting threats and risks across all organizations, from the enterprise to the small- and medium-sized business.
1. Collect: machine data from almost any device, such as firewalls, IPS, anti-virus, etc.
2. Normalize: data from various vendors and devices into an industry-accepted common event format
3. Enrich: event data collected and parsed with taxonomy, network and asset-specific details
4. Store: years’ worth of logs and events through a high compression ratio of up to 10:1; the only solution to offer this cost-saving compression
5. Search: using a text-based tool with a simple interface
6. Analyze: identify and trace the patterns of data in real time to find any threats or breaches
Effectively Tackle Complex Threats with Key Features
HP ArcSight is an integrated Security Intelligence Platform for collecting, analyzing and assessing security and risk information.
• Log management
• Quick investigations
• Compliance reporting
Highlights
‘HP ArcSight Logger’ is a universal log management solution that:
• Collects any data, from any device, anywhere, and in any format
• Aggregates them into a single searchable format
• Analyzes data through built-in content
• Stores them through compression for as long as required
Licensed product: HP ArcSight Logger. Licensed options: Compliance Insight Pack, Identity View, Reputation Security Monitor, Threat Detector, ArcMC
(1) Form factor: Logger can be deployed as an appliance, as software, or as a virtual machine.
What’s New in Logger 6.1?
1. Turn on the Cool (UI & Visualization)
2. Bigger is Better (Scale & Performance)
3. More to the Search Power (New Search Capabilities)
4. All Central (ArcMC Manageability)
HP ArcSight Express
Business Needs
Highlights
Express is a SIEM appliance for price-sensitive customers that:
• Collects any data, from any device, anywhere, and in any format
• Correlates across devices in real time
• Visualizes threats and risk across the business
• Enables SMBs to run SIEM
Licensed product: HP ArcSight Express. Licensed options: Compliance Insight Pack, Identity View, Reputation Security Monitor, Threat Detector, Application View
(1) Form factor: Express is only available as a hardware appliance; there is no virtual machine with the current release of Express 6.9
What’s new in Express 6.9.0?
Description Express 6.9 Express 4.x ESM 6.8c
*ArcSight Market Place: Use case repository launched as Beta in April 2015
Disabled / Restricted by License in Express 6.9.0
Description / Express 6.9
EPS: Express covers 0 to 2500 EPS; above 2500 EPS the customer is on ESM. Cost of EPS is not identical between Express and ESM!
• AE750x customers with 2500 EPS or less have a simple migration SKU
• Customers with over 2500 EPS get a new ESM appliance SKU in Q1
• Above 2500 EPS any Express customer becomes an ESM customer
Ordering Info
On CPL Price List starting September 1, 2015
Models: EE7600-250, EE7600-1000, EE7600-2500
Product Name: HP ArcSight ESM Express EE7600-XXXX sustained EPS Server
Storage: System Storage 316 GB, Event Storage 1270 GB, Archive Storage 316 GB
HP ArcSight ESM
Business Needs
What Upgrade Paths will be Supported?
ESM / Express 6.9.1 – due out later this year
Express: Express 6.9 (Gen9)
ESM: ESM 6.5c SP1
HP ArcSight Add-ons
HP ArcSight Solution Products Options
ArcSight Management Center (a.k.a. ArcMC): centralized management (MANAGE, REMEDIATE)
Application View (a.k.a. AppView): web application security (APPLICATIONS MONITORING)
ArcSight Central Management (a.k.a. ArcMC)
Simplifying Management
HIGHLIGHTS
• Centralized management of the HP ArcSight solution
On Roadmap:
• Automate change management
• Reduce the resource requirement for security information and event management (SIEM)
General Availability
What’s New with ArcMC 2.1?
Management Capabilities
Interactive Discovery
ArcSight add-on uncovering threats and risks with visual analytics
Advanced Visualization
DNS Malware Analytics
How Destructive is Malware?
229: median number of days that threat groups were present on a victim’s network before detection (Mandiant)
[Chart: percentage of malware alerts that are deemed to be reliable (Ponemon Institute): less than 10%: 51%; 10% to 25%: 28%; 26% to 50%: 10%; 51% to 75%: 8%; 76% to 100%: 3%]
Challenges in collecting DNS Data
Volume and Detail
• 20-25B DNS packets move through HP’s core data centers every day
• Logging severely impacts performance
• The right information is not logged
• Every new employee, device, server only adds to the total
[Bar chart: volume by source (Routers, VPN, McAfee ePO, Active Directory, Web Proxy, DNS); y-axis 0 to 250 000; bar labels 7, 80, 200, 3,000, 14,000, 220,000]
DNS Malware Analytics
USE CASE:
Proof Points from POCs
Operationally Tested
• On an enterprise network that is one of the world’s largest (18B/day)
• In service for over a year
• Over 10,000 infected domains detected (and reported)
Accuracy is High
• Alerts from the system are treated as positively infected systems
DNS Malware: Service Architecture
[Diagram: components are the Enterprise Network with its DNS Server / Cluster and DNS Capture Module #1; the DNS Analytics service in the Analytics Cloud; Alerts (Infected System) delivered to ESM and the SOC (Level 1 Analyst, Hunt Team); web-based detail and visual drill down for the analysts]
What kinds of things can we detect?
Blacklist Matching
Botnet to C&C
• Known Botnet Activity
– GameoverZeus, Cryptolocker, Expiro, Conficker.D, Dorkbot, Pushdo, Ramdo, Zbot
• Unknown Botnet Activity
• Malware Mash-ups
Data Exfiltration
Cloud Platform Abuse
Standard Behavior and Conduct violations
Other Research in Progress
• Beaconing
• Cache Poisoning Attempts & other attacks against the DNS server itself
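As an added illustration of two of the detection categories listed above, blacklist matching and beaconing, here is a small Python detector run over a constructed DNS query log. This is example code written for this page, not code from the deck or from the DNS Malware Analytics service; the log line format, the indicator list and the thresholds (at least 5 queries to the same name from one client, coefficient of variation of the query interval at most 0.1) are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed DNS query log for the example: "<ISO timestamp> <client IP> <query name> <rcode>".
# Host 10.1.1.7 queries one name about every 60 seconds (a beaconing pattern);
# host 10.1.1.9 queries a name under a blacklisted domain.
SAMPLE_LOG = """\
2015-09-01T10:00:00 10.1.1.5 www.example-corp.test NOERROR
2015-09-01T10:00:03 10.1.1.5 mail.example-corp.test NOERROR
2015-09-01T10:00:00 10.1.1.7 beacon.unknown-c2.test NOERROR
2015-09-01T10:01:00 10.1.1.7 beacon.unknown-c2.test NOERROR
2015-09-01T10:02:01 10.1.1.7 beacon.unknown-c2.test NOERROR
2015-09-01T10:02:30 10.1.1.7 www.example-corp.test NOERROR
2015-09-01T10:03:00 10.1.1.7 beacon.unknown-c2.test NOERROR
2015-09-01T10:03:59 10.1.1.7 beacon.unknown-c2.test NOERROR
2015-09-01T10:04:10 10.1.1.9 cdn.known-bad.test NOERROR
2015-09-01T10:05:00 10.1.1.7 beacon.unknown-c2.test NOERROR
"""

# Constructed indicator list standing in for a real blacklist feed.
BLACKLIST = {"known-bad.test"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, client, qname, rcode); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        qname = m.group(3).lower().rstrip(".")   # normalise case and trailing dot
        events.append((ts, m.group(2), qname, m.group(4)))
    return events


def blacklist_hits(events, blacklist):
    """Flag queries whose name, or any parent domain of it, is on the blacklist."""
    hits = []
    for _, client, qname, _ in events:
        labels = qname.split(".")
        for i in range(len(labels) - 1):          # never match on the bare TLD
            if ".".join(labels[i:]) in blacklist:
                hits.append((client, qname))
                break
    return hits


def beacon_candidates(events, min_queries=5, max_cv=0.1):
    """Flag (client, qname) pairs queried at near-constant intervals.

    Beaconing shows up as many queries whose inter-arrival times barely vary, so the
    check is: enough queries, and coefficient of variation of the gaps at most max_cv.
    Both thresholds are assumptions for the example, not product settings.
    """
    by_pair = defaultdict(list)
    for ts, client, qname, _ in events:
        by_pair[(client, qname)].append(ts)
    found = []
    for (client, qname), times in by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            found.append((client, qname, round(mu), round(cv, 3)))
    return found


def analyse(text, blacklist=BLACKLIST):
    """Run both detectors and return alerts keyed by category."""
    events = parse_log(text)
    return {
        "blacklist": blacklist_hits(events, blacklist),
        "beaconing": beacon_candidates(events),
    }


if __name__ == "__main__":
    for category, alerts in analyse(SAMPLE_LOG).items():
        print(category, alerts)
```

On the constructed log the blacklist check reports 10.1.1.9 for cdn.known-bad.test, and the interval check reports 10.1.1.7 for beacon.unknown-c2.test with a 60-second period; the unrelated query 10.1.1.7 makes in between does not disturb the per-name interval statistics, which is why the grouping is by (client, query name) rather than by client alone.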
User Behaviour Analytics
HP ArcSight User Behavior Analytics
• HP ArcSight UBA, powered by Securonix, gives enterprises visibility into their users, making it much easier to identify user-based threats through anomaly-based behavior patterns.
• UBA enables an enterprise to mitigate threats resulting from insiders who misuse access and credentials, know the value of the data, and are aware of internal security controls.
• UBA adds user context to security monitoring by integrating with existing security information and event management (SIEM) technology, attributing user behavior information, role, and access to network alerts, enabling visibility on not only networking and application monitoring but also user monitoring.
• Behavior-based anomaly detection for users, accounts, and resources is critical to lower the risk and impact of cyber attacks.
HP ArcSight User Behavior Analytics
UBA Basic, UBA and UBA Premium
HIGHLIGHTS
• Enhanced visibility of all user activity and processes.
• Streamlined investigations via comprehensive user activity reports.
• Boils down the most suspicious and abnormal activities, transactions and access across users, accounts, systems, and applications to present risk-ranked threats.
• Detects the bad guys and insider threats, even if the bad guys are using legitimate credentials.
• Therefore, it can help detect breaches before significant damage occurs by finding the adversary faster.
HP ArcSight SmartConnectors
Highlights
• Added a new parser operation to extract IPv4 addresses embedded in IPv6 addresses.
• Check Point OPSEC NG: Added support for events (formerly SmartDefense) in the IPS Module
• Microsoft Windows Event Log – Native: Added localization support
• Sourcefire Defense Center eStreamer: Corrected parser and documentation for ‘Bugtraqid’ & ‘CVEID’ events. Moved them from ‘Intrusion Only’ event mappings to ‘RNA Only’ event mappings
• Symantec Endpoint Protection DB: Added support for Malware Network Detection (INTRUSION_URL) and Advanced Rootkit Detection (INTRUSION_PAYLOAD_URL)
• Symantec Messaging Gateway Syslog: Added new event support for Messaging Gateway version 10.5.2
• Tenable SecurityCenter XML File: Added support for Tenable SecurityCenter’s Assessment Summary Results (ASR) and Asset Reporting Format (ARF) logs in .xml format
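As an added example of the parser operation named in the first highlight (extracting an IPv4 address embedded in an IPv6 address), here is a Python routine applied to constructed log lines. It is example code written for this page, not code from the deck or from the SmartConnector parsers, and it goes beyond the one-line highlight by covering the IPv4-mapped (::ffff:a.b.c.d), 6to4 (2002:AABB:CCDD::/48) and deprecated IPv4-compatible (::a.b.c.d) encodings; the log lines and the tokenizer are assumptions.

```python
import ipaddress
import re

# Constructed log lines for the example (a syslog-style line and a key=value line).
SAMPLE_LINES = [
    "Sep  1 10:00:00 gw sshd[123]: Accepted password for alice from ::ffff:10.1.2.3 port 51234",
    "src=2002:c000:0204:: dst=2001:db8::5 spt=40000 dpt=443 act=allow",
]


def candidate_tokens(line):
    """Yield tokens that might be IPv6 literals (at least two colons); separators are assumed."""
    for tok in re.split(r"[\s=,|\[\]]+", line):
        if tok.count(":") >= 2:
            yield tok


def embedded_ipv4(text):
    """Return the IPv4 address carried inside an IPv6 literal as a string, or None.

    Handled forms: IPv4-mapped (::ffff:a.b.c.d, also in hex as ::ffff:c0a8:1),
    6to4 (2002:AABB:CCDD::/48, the IPv4 is the next 32 bits after the 2002 prefix)
    and the deprecated IPv4-compatible form (::a.b.c.d). "::" and "::1" are not
    treated as embedded addresses.
    """
    try:
        v6 = ipaddress.IPv6Address(text.strip())
    except ValueError:           # not an IPv6 literal at all (IPv4, hostname, time stamp ...)
        return None
    if v6.ipv4_mapped is not None:
        return str(v6.ipv4_mapped)
    if v6.sixtofour is not None:
        return str(v6.sixtofour)
    packed = v6.packed
    if packed[:12] == bytes(12) and int.from_bytes(packed[12:], "big") > 1:
        return str(ipaddress.IPv4Address(packed[12:]))
    return None


def extract_from_line(line):
    """Map each IPv6 literal in a log line to its embedded IPv4 address, if it has one."""
    found = {}
    for tok in candidate_tokens(line):
        v4 = embedded_ipv4(tok)
        if v4 is not None:
            found[tok] = v4
    return found


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_from_line(line))
```

Tokens such as the syslog time stamp "10:00:00" contain colons but fail IPv6 parsing, so they are rejected by the parser rather than by a hand-written pattern; the 2001:db8::5 destination in the second line carries no IPv4 address and is correctly left alone.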
SmartConnector Load Balancing
What is the Load Balancer?
• New component for load balancing of SmartConnectors, applied BEFORE the data is received by the connectors
• Supports File (beta) and Syslog (UDP and TCP)
• Released as of 8th September 2015
• Version 1.0 – INITIAL RELEASE
SmartConnector Load Balancer Definition
HP ArcSight SmartConnector Load Balancer provides a “SmartConnector-smart” load balancing mechanism by monitoring the status and load of SmartConnectors. It comes in two forms:
• One distributes the syslog input stream to syslog connectors using TCP or UDP
• The other downloads files from a remote server and distributes them to the file-based connectors.
The Load Balancer is aware of the following information for the SmartConnectors defined as the SmartConnector pool:
• Availability (up or down) – the Load Balancer monitors SmartConnectors for availability. Events are not forwarded to a SmartConnector if it is not running (down). Instead, events are forwarded to the next available SmartConnector in the pool per the defined load-balancing algorithm rules.
• SmartConnector load – CPU usage, memory usage, and queue drop rate for events
NOTE: File-based load balancing is a beta feature for this release.
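To make the "SmartConnector-smart" behaviour described above concrete, here is an added Python simulation of a connector pool that skips connectors which are down or dropping events from their queue, and picks the next target by round robin, weighted round robin or lowest load. It is example code written for this page, not the product's implementation; the connector fields, the 5% drop-rate health threshold, the CPU/memory/drop-rate weighting and the smooth weighted round robin algorithm (the scheme used by nginx) are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class Connector:
    """One SmartConnector in the pool, as the load balancer would see it (assumed fields)."""
    name: str
    up: bool = True
    cpu: float = 0.0              # utilisation, 0.0 to 1.0
    mem: float = 0.0              # utilisation, 0.0 to 1.0
    queue_drop_rate: float = 0.0  # fraction of events dropped from its queue
    weight: int = 1               # share of traffic under weighted round robin


class ConnectorPool:
    """Routes events only to connectors that are up and not dropping events."""

    def __init__(self, connectors, max_drop_rate=0.05):
        self.connectors = list(connectors)
        self.max_drop_rate = max_drop_rate           # assumed health threshold
        self._rr_index = 0
        self._wrr_credit = {c.name: 0 for c in self.connectors}

    def update(self, name, **status):
        """Apply a monitoring sample (up, cpu, mem, queue_drop_rate) to one connector."""
        c = next(c for c in self.connectors if c.name == name)
        for key, value in status.items():
            setattr(c, key, value)

    def eligible(self, c):
        return c.up and c.queue_drop_rate <= self.max_drop_rate

    def _eligible(self):
        pool = [c for c in self.connectors if self.eligible(c)]
        if not pool:
            raise RuntimeError("no SmartConnector available in the pool")
        return pool

    def round_robin(self):
        """Plain RR: walk the pool in order, skipping connectors that are not eligible."""
        n = len(self.connectors)
        for _ in range(n):
            c = self.connectors[self._rr_index % n]
            self._rr_index += 1
            if self.eligible(c):
                return c
        raise RuntimeError("no SmartConnector available in the pool")

    def weighted_round_robin(self):
        """Smooth weighted RR: every eligible connector earns its weight in credit per pick,
        the one with the most credit is chosen and pays back the total weight."""
        pool = self._eligible()
        total = sum(c.weight for c in pool)
        for c in pool:
            self._wrr_credit[c.name] += c.weight
        best = max(pool, key=lambda c: self._wrr_credit[c.name])
        self._wrr_credit[best.name] -= total
        return best

    def least_loaded(self):
        """Load-aware pick: lowest combined CPU, memory and drop-rate score (assumed weighting)."""
        return min(self._eligible(),
                   key=lambda c: 0.5 * c.cpu + 0.3 * c.mem + 0.2 * c.queue_drop_rate)


def distribute(pool, events, strategy="round_robin"):
    """Assign each event to a connector; returns {connector name: [events]}."""
    pick = getattr(pool, strategy)
    assigned = {c.name: [] for c in pool.connectors}
    for ev in events:
        assigned[pick().name].append(ev)
    return assigned


if __name__ == "__main__":
    # Constructed pool: A takes three times the share of B, C is currently down.
    pool = ConnectorPool([Connector("A", weight=3), Connector("B", weight=1),
                          Connector("C", up=False)])
    print(distribute(pool, [f"evt{i}" for i in range(8)], "weighted_round_robin"))
    pool.update("C", up=True)          # monitoring reports C back
    pool.update("A", queue_drop_rate=0.2)   # A is now shedding events: skip it
    print(distribute(pool, [f"evt{i}" for i in range(4)], "round_robin"))
```

The queue drop rate is treated as a health signal as well as a load signal: a connector that is up but already dropping events is left out of rotation, which is the behaviour a practitioner wants from a balancer that can see connector state rather than only whether a TCP port answers.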
SmartConnector Load Balancer
Ingress: Events into SmartConnector
[Diagram: syslog event sources (TCP or UDP) send to a Virtual IP fronting the SmartConnector Load Balancer, deployed with HA as a primary and a secondary node; the Load Balancer routes to the SmartConnector pool (syslog connectors with TCP or UDP), which forwards to ESM. Syslog routing options: 1. RR (round robin), 2. Weighted RR, 3. Aggregation / Preferred. File event sources are fetched over FTP or SCP by the Load Balancer and distributed to the file connectors; file routing option: 1. RR]
SmartConnector Logger Destination Pooling
Egress: SmartConnector load balancing events going to a pool of Loggers
[Diagram: the event source feeds a SmartConnector, whose destination is a Logger pool; events are spread over all Loggers in the pool with RR routing]
New SmartConnector load balancing capabilities
Combining the SmartConnector load balancing capabilities for ingress and egress
[Diagram: (1) syslog event sources feed the SmartConnector Load Balancer, which distributes across the SmartConnectors; (2) each SmartConnector, and a file event source with its own SmartConnector, uses a Logger pool destination that spreads events over Logger 1 and Logger 2]
SmartConnector Setup
SmartConnector Load Balancing Requirements
SmartConnector Load Balancer (Ingress)
• Hardware requirements
– CPU: 2 CPUs x 4 cores each (2 x Intel E5620, quad core, 2.4 GHz or better)
– RAM: 16 GB
– Disk: 60 GB
– Network interfaces: 1 dedicated GigE interface
• Platform requirements (64-bit only)
– RHEL 6.6, 7.1
• Available on SSO Sept 2015
• Features
– Standalone mode using a single application server (no HA, as it runs on one node)
– High availability (HA) mode, which can be configured with two hosts
• HA mode as peers: the host that starts first is the active node, the other is secondary
• HA mode as primary / secondary: designated primary and secondary node
– The High Availability feature, available in primary/secondary or peer mode, currently works only within the same subnet.
Updated Sizing Tool
Covers: Compliance Packs, Consolidation, Management, Collection
Upsells & Add-ons
Logger Express ESM
HA (IP Cluster*) ✖ ✖ ✔
CIPs ✔ ✔ ✔
Threat Detector ✖ ✔ ✔
Devices/Assets ✖ ✔ ✔
Console/Web Users ✖ ✔ ✔
IdView Users ✖ ✔* ✔*
RepSM ✖ ✔ ✔
Application View ✖ ✔ ✔
Risk Insight ✖ ✖ ✔
ArcMC ✔ ✖ ✖
Thank you
philippe.jouvellier@hpe.com
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Restricted. For HP and Partner Internal Use