
HP ArcSight Solution Products Update

HP ArcSight Partners Proof of Concept Boot Camp


Technical Day-1
Philippe JOUVELLIER - HP ESP | Global Partner Enablement
philippe.jouvellier@hpe.com

© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
What is HP ArcSight?
HP ArcSight is an industry-leading solution suite for monitoring, detecting and pre-empting threats and risks
across organizations of every size, from the enterprise to the small and medium-sized business.

The platform works in six steps:

1. Collect: machine data from almost any device, such as firewalls, IPS, anti-virus, etc.
2. Normalize: data from various vendors and devices into an industry-accepted common event format
3. Enrich: event data collected and parsed with taxonomy, network and asset-specific details
4. Store: years' worth of logs and events through a high compression ratio of up to 10:1 (the only solution to offer this cost-saving compression)
5. Search: using a text-based tool with a simple interface
6. Analyze: identify and trace the patterns of data in real time to find any threats or breaches
Effectively Tackle Complex Threats with Key Features
HP ArcSight is an integrated Security Intelligence Platform for collecting, analyzing and assessing security and risk information.

FEATURE / SOLUTION / DESCRIPTION

Collect everything from any device & from anywhere (Smart/Flex Connectors)
• 350+ connectors available out of the box
• FlexConnector toolkit for building new connectors, no R&D needed from HP
• 1-2 weeks per custom connector

Consolidate & store in the long term (Logger)
• Universal log management that scales with GB of log ingestion per day
• Scalable data retention, store years' worth of log data
• Efficient, fast investigations plus intelligence look-up

Correlate and detect threats and risks (ESM/Express)
• Complete correlation: logs, users, network
• Sophisticated correlation for complex threats
• Mitigate modern threats, prevent breach and loss

Collaborate by combining solutions and services
• Application security
• Integrated analytics (DNS Malware and User Behavior)
• Integrated intelligence and big data
Core Solution Products
HP ArcSight Logger
Business Needs

• Log management
• Quick investigations
• Compliance reporting

Highlights
'HP ArcSight Logger' is a universal log management solution that:
• Collects any data, from any device, anywhere, and in any format
• Aggregates it into a single searchable format
• Analyzes data through built-in content
• Stores it, compressed, for as long as required

Licensed product: HP ArcSight Logger
Licensed options: Compliance Insight Pack, Identity View, Reputation Security Monitor, Threat Detector, ArcMC

(1) Form factor: Logger can be deployed as an appliance, as software, or as a virtual machine.
What’s New in Logger 6.1?
1. Turn on the Cool (UI & Visualization)
• Dynamic dashboards
• Summary dashboard in charts
• Data volume summary improvements

2. Bigger is Better (Scale & Performance)
• ESM forwarding speeds
• Scale out: 40 peers
• Increased maximum number of real-time alerts to 25

3. More to the Search Power (New Search Capabilities)
• Archive indexing
• New insubnet operator
• New eval operators
• Multi-selection of fields in search results

4. All Central (ArcMC Manageability)
• User management
• Remote configuration
• Logger peers
• Logger forwarders
• And more
HP ArcSight Express
Business Needs

• Real time correlation


• Log management
• Users/Flows/Apps monitoring
• Quick investigations
• Threat detector
• Compliance reporting
• Reputation

Highlights
Express is a SIEM appliance for price-sensitive customers that:
• Collects any data, from any device, anywhere, and in any format
• Correlates across devices in real time
• Visualizes threats and risk across the business
• Enables the SMB to run a SIEM

Licensed product: HP ArcSight Express
Licensed options: Compliance Insight Pack, Identity View, Reputation Security Monitor, Threat Detector, Application View

(1) Form factor: Express is only available as a hardware appliance; there is no virtual machine with the current release, Express 6.9.
What’s new in Express 6.9.0?
Description                        Express 6.9   Express 4.x   ESM 6.8c
Feature parity with flagship ESM   Yes           No            -
Appliance form factor              Yes           Yes           No
Pricing in EPS                     Yes           Yes           WIP
Simplified licensing/pricing       Yes           No            WIP
Embedded Logger search             Yes           No            Yes
Marketplace* enabled content       Yes           No            Yes
ACC Web 2.0 UI                     Yes           No            Yes
On-board ConApp                    No            Yes           No
Open Box                           Yes           Yes

*ArcSight Marketplace: use-case repository launched as beta in April 2015
Disabled / Restricted by License in Express 6.9.0

Description                                    Express 6.9
Peering (with other Loggers/ESMs/Expresses)    Disabled
Actor Modeling                                 Disabled
Pattern Discovery                              Separate feature
Risk Insight                                   Separate feature, not supported for Express
EPS                                            2,500 max

EPS pricing: the cost of EPS is not identical between Express and ESM. Express covers 0 to 2,500 EPS; above 2,500 EPS an Express customer becomes an ESM customer.
• AE750x customers with 2,500 EPS or less have a simple migration SKU
• Customers with over 2,500 EPS get a new ESM appliance SKU in Q1
Ordering Info
On CPL Price List starting September 1, 2015
Model                         EE7600-250     EE7600-1000    EE7600-2500
Product name                  HP ArcSight ESM Express EE7600-XXXX sustained EPS Server
Product number (SKU)          P0J86CA        P0J91CA        P0J92CA
Event capacity (sustained)    250 EPS        1,000 EPS      2,500 EPS
Add-on capacity (sustained)   50 EPS ($5,000, SKU# M3E77AAE)

Appliance family        HP DL380 Gen9 ZE5-2680v3 Kit
Processor               2x Intel Xeon E5-2680v3, 2.5 GHz, 12-core
Dimensions (H x W x D)  3.44 x 17.54 x 28.75 in (8.73 x 44.55 x 73.02 cm)
Memory                  6 x 32 GB, 2133 MHz RAM
Storage                 8 x 600 GB (2.4 TB RAID-10)
System OS               Red Hat Enterprise Linux 7.1, 64-bit
Storage layout          System storage 316 GB, event storage 1,270 GB, archive storage 316 GB
HP ArcSight ESM
Business Needs

• Enterprise-class SIEM
• Real-time correlation
• Universal log management
• Users/Flows/Apps monitoring
• Quick investigations
• Behavior detection
• Zero-day attack detection
• Fraud detection
• Compliance reporting

Highlights
'HP ArcSight ESM' is the enterprise SIEM solution that:
• Collects any data, from any device, anywhere, and in any format
• Correlates across devices in real time
• Visualizes threats and risk across the business
• Scales in the enterprise across all businesses and requirements

Licensed product: HP ArcSight ESM
Licensed options: High Availability, Compliance Insight Pack, Identity View, Reputation Security Monitor, Threat Detector, Application View, Risk Insight

(1) Form factor: ESM is available as software.
Express 6.9.0 and ESM/Express 6.9.1

                Express 6.9.0                  ESM / Express 6.9.1
Description     For net new customers only     Code merge between ESM and Express; the version that both existing ESM and Express customers will upgrade to
Date            Sep 1, 2015                    Expected later in 2015
Runs on         Gen 9                          Express: Gen 7/8/9; ESM: your own hardware
Upgrades from   N/A                            Previous versions
What Upgrade Paths will be Supported?
ESM / Express 6.9.1 is due out later this year.

Get to one of these versions first, based on previous migration / upgrade paths:

Express                                   ESM
Express 6.9 (Gen9)                        ESM 6.5c SP1
Express 4.0 p1 (Gen 8 and Gen 7)          ESM 6.8c

Some Optimized Cost Benefit Decisions in ESM Express 6.9.1

• Discontinue support for SuSE due to low uptake
• Standardize on RHEL 7.1 as the supported Red Hat version, due to vulnerability churn
HP ArcSight Add-ons
HP ArcSight Solution Products Options

ArcSight Management Center (a.k.a. ArcMC): centralized management (MANAGE)
Threat Response Manager (a.k.a. TRM): managing security incidents and threats (REMEDIATE)
Application View (a.k.a. AppView): web application security (APPLICATIONS MONITORING)
ArcSight Management Center (a.k.a. ArcMC)
Simplifying Management

HIGHLIGHTS
• Centralized management of the HP ArcSight solution
• Automate change management
• Reduce the resource requirement for security information and event management (SIEM)
• Manage large deployments easily
• Reduce the administrative overhead
• Efficient log traffic management
• Helps optimize bandwidth for log collection
• Support IT operational analytics
• Unify the HP ArcSight deployment

[Diagram: ArcMC managing Connectors (connector management); Express and ESM management shown as on the roadmap]
General Availability

• Software: September 10, 2015
  • Product on the SSO site for new and existing customers with valid support maintenance
• Appliance: week of September 28, 2015
  • Same Gen 8 appliances with the new ArcMC 2.1 software
What's New with ArcMC 2.1?
Management Capabilities

1. Nodes
• ArcMC
• ConApp
• SmartConnector
• Logger

2. Configuration
• Create config
• Import config
• Virtual Groups Editor
• Subscribers
• Bulk operation
• FIPS policy
• Comparison
• Compliance check

3. Monitoring
• Status summary
• Monitoring rule
• EPS in/out, CPU, disk, memory, fan, and more
• Email and SNMP notification

4. Administration
• User management
• Schedule backup
• Remote, parallel upgrade of multiple nodes
• Security (SSL, FIPS)
• Audit log
Security Analytics

DNS Malware Analytics
• Detects malware-infected hosts and endpoints
• Identifies "bad" traffic

Interactive Discovery
• ArcSight add-on uncovering threats and risks with visual analytics
• Advanced visualization

User Behavior Analytics
• Identifies suspicious behavior
• Identifies and remediates insider threats
DNS Malware Analytics
How Destructive is Malware?

• In an average week, an organization receives 17,000 malware alerts
• Average cost of time wasted responding to inaccurate intelligence: $1.27 million annually
• 229: median number of days that threat groups were present on a victim's network before detection (Mandiant)

Percentage of malware alerts that are deemed to be reliable (Ponemon Institute):
  Less than 10%   51%
  10% to 25%      28%
  26% to 50%      10%
  51% to 75%       8%
  76% to 100%      3%
Challenges in collecting DNS Data
Volume and Detail

Why is this a hard problem?
• 20-25 billion DNS packets move through HP's core data centers every day
• Logging severely impacts performance
• The right information is not logged
• Every new employee, device and server only adds to the total

[Chart: events per second by source]
  Routers                7
  VPN                   80
  McAfee ePO           200
  Active Directory   3,000
  Web Proxy         14,000
  DNS              220,000
DNS Malware Analytics
USE CASE:

I need a method to detect and identify hosts inside my enterprise which:
• Are positively infected with malware, bots, or other unknown threats
• Are trying to contact command and control servers or exfiltrate data
• Other perimeter or internal security products have not detected

and which gives me:
• High-fidelity, low-false-positive alerts
• The ability for operational staff (L1) to mitigate/remediate
• Data feeds/alerts that fit into my existing SOC infrastructure without expansion
Proof Points from POCs
Operationally Tested
• On an enterprise network that is one of the world's largest (18 billion per day)
• In service for over a year
• Over 10,000 infected domains detected (and reported)

Finds Infected Systems Quickly
• A POC found attacks on the first day of operation that had taken the customer's security analyst teams 4 months to find
• First alerts show at 20 minutes from going live

Accuracy is High
• Alerts from the system are treated as positively infected systems
DNS Malware: Service Architecture

[Diagram]
Enterprise network:
• DNS server / cluster, with packet capture feeding DNS Capture Module #1 and DNS Capture Module #2
• Capture modules: filter out 99% of traffic; tag events (blacklist matching, DGA detection); statistics and diagnostics

Analytics cloud (SaaS/cloud):
• DNS Analytics: constantly analyze DNS data for security threats; alerting; data visualization and exploration

SOC:
• Alerts (infected system) go to the Level 1 analyst, the hunt team and ESM, with web-based detail and visual drill-down
What kinds of things can we detect?

Blacklist Matching
Botnet to C&C
• Known botnet activity: GameoverZeus, Cryptolocker, Expiro, Conficker.D, Dorkbot, Pushdo, Ramdo, Zbot
• Unknown botnet activity
• Malware mash-ups
Data Exfiltration
Cloud Platform Abuse
Standard Behavior and Conduct Violations
Other Research in Progress
• Beaconing
• Cache poisoning attempts and other attacks against the DNS server itself
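As an added example (not part of the HP deck and not the DNS Malware Analytics product's code), the following Python sketches the two capture-module steps the architecture slide names, filtering out the bulk of benign traffic and tagging what remains by blacklist match and a DGA heuristic, and then turns per-event tags into the per-host verdicts a SOC would receive. The log format, the blacklist, the allowlist and the thresholds are all constructed assumptions for the example; a real deployment would use the public suffix list for the registrable domain and a threat-intelligence feed for the blacklist, and would tune the entropy and NXDOMAIN-burst thresholds against its own baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log: "timestamp client qname qtype rcode" (an assumed
# format, not the DNS Malware Analytics capture format).
SAMPLE_LOG = """\
2015-09-01T10:00:01Z 10.0.0.15 www.example.com A NOERROR
2015-09-01T10:00:01Z 10.0.0.15 www.example.com A NOERROR
2015-09-01T10:00:02Z 10.0.0.22 update.example.org A NOERROR
2015-09-01T10:00:03Z 10.0.0.15 c2-relay.example.net A NOERROR
2015-09-01T10:00:04Z 10.0.0.31 xk3jq9zvb2wqplr.info A NXDOMAIN
2015-09-01T10:00:04Z 10.0.0.31 q8wz2lkv7mpt4xns.info A NXDOMAIN
2015-09-01T10:00:05Z 10.0.0.40 mail.example.com MX NOERROR
"""

# Constructed stand-ins: a threat-intel blacklist and a "known good" zone allowlist.
BLACKLIST = {"c2-relay.example.net"}
ALLOWLIST = {"example.com", "example.org"}

DGA_MIN_LEN = 12        # assumed thresholds; tune against your own NXDOMAIN baseline
DGA_MIN_ENTROPY = 3.3


def registrable(qname):
    """Crude registrable domain: the last two labels. Real code uses the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_dga(qname):
    """Heuristic: a long, high-entropy second-level label, as algorithmically generated names tend to be."""
    label = registrable(qname).split(".")[0]
    return len(label) >= DGA_MIN_LEN and shannon_entropy(label) >= DGA_MIN_ENTROPY


def filter_and_tag(log_text, blacklist=BLACKLIST, allowlist=ALLOWLIST):
    """Capture-module stage: drop allowlisted and repeated queries, tag the rest.
    Returns the surviving events as dicts carrying a 'tags' set."""
    seen = set()
    kept = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode = line.split()
        qname = qname.lower().rstrip(".")
        dom = registrable(qname)
        if dom in allowlist:
            continue                       # the bulk of benign traffic goes here
        key = (client, qname, rcode)
        if key in seen:
            continue                       # a repeated lookup adds no new signal
        seen.add(key)
        tags = set()
        if qname in blacklist or dom in blacklist:
            tags.add("blacklist")
        if looks_dga(qname):
            tags.add("dga-candidate")
        kept.append({"ts": ts, "client": client, "qname": qname,
                     "qtype": qtype, "rcode": rcode, "tags": tags})
    return kept


def host_verdicts(events, nx_burst=2):
    """Analytics stage: a blacklist hit is a positive on its own; DGA candidates only count
    once a host has produced nx_burst NXDOMAIN answers for such names (one odd name is not evidence)."""
    nx_by_host = defaultdict(int)
    verdicts = {}
    for ev in events:
        if "blacklist" in ev["tags"]:
            verdicts[ev["client"]] = "blacklist-match"
        if "dga-candidate" in ev["tags"] and ev["rcode"] == "NXDOMAIN":
            nx_by_host[ev["client"]] += 1
    for host, n in nx_by_host.items():
        if n >= nx_burst:
            verdicts.setdefault(host, "dga-nxdomain-burst")
    return verdicts


if __name__ == "__main__":
    events = filter_and_tag(SAMPLE_LOG)
    print(f"kept {len(events)} of {len(SAMPLE_LOG.splitlines())} events")
    for host, why in sorted(host_verdicts(events).items()):
        print(host, why)
```

On the constructed sample, four of the seven queries are discarded before any analysis (two allowlisted zones, one duplicate), one host is flagged by the blacklist and another by two NXDOMAIN answers for high-entropy names. The burst requirement is what keeps a single typo'd hostname from becoming an L1 alert.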
User Behaviour Analytics
HP ArcSight User Behavior Analytics

• HP ArcSight UBA, powered by Securonix, gives enterprises visibility into their users, making it
much easier to identify user-based threats through anomaly-based behavior patterns.

• UBA enables an enterprise to mitigate threats resulting from insiders who misuse access and
credentials, know the value of the data, and are aware of internal security controls.

• UBA adds user context to security monitoring by integrating with existing security information
and event management (SIEM) technology, attributing user behavior information, role, and
access to network alerts—enabling visibility on not only networking and application
monitoring but also user monitoring.

• Behavior-based anomaly detection for users, accounts, and resources is critical to lower the
risk and impact of cyber attacks.

HP ArcSight User Behavior Analytics
UBA Basic, UBA and UBA Premium
HIGHLIGHTS
• Enhanced visibility of all user
activity and processes.
• Streamlined investigations via
comprehensive user activity reports.
• Boils down the most suspicious and
abnormal activities, and transactions
and access across users, accounts,
systems, and applications to present
risk-ranked threats.
• Detects the bad guys and insider
threats, even if the bad guys are
using legitimate credentials.
• Therefore, it can help detect
breaches before significant damage
occurs by finding the adversary
faster.

HP ArcSight SmartConnectors
Highlights (new device, component or OS version support, and new connector support)
• Added a new parser operation to extract IPv4 addresses embedded in IPv6 addresses.
• Check Point OPSEC NG: added support for events (formerly SmartDefense) in the IPS module.
• Microsoft Windows Event Log - Native: added localization support.
• Sourcefire Defense Center eStreamer: corrected parser and documentation for 'Bugtraqid' and 'CVEID' events; moved them from the 'Intrusion Only' event mappings to the 'RNA Only' event mappings.
• Symantec Endpoint Protection DB: added support for Malware Network Detection (INTRUSION_URL) and Advanced Rootkit Detection (INSTRUSION_PAYLOAD_URL).
• Symantec Messaging Gateway Syslog: added new event support for Messaging Gateway version 10.5.2.
• Tenable SecurityCenter XML File: added support for Tenable SecurityCenter's Assessment Summary Results (ASR) and Asset Reporting Format (ARF) logs in .xml format.
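The first highlight above, a parser operation that pulls an IPv4 address out of an IPv6 address, matters because asset, zone and rule lookups are keyed on the IPv4 address: a host logged as ::ffff:10.1.2.3 by a dual-stack server would otherwise miss every rule written for 10.1.2.3. The following Python is an added example, not the SmartConnector parser itself, showing the four embedding schemes a practitioner should handle (IPv4-mapped, the deprecated IPv4-compatible form, 6to4 and Teredo) using only the standard ipaddress module. The event dictionary shape and the field names it adds are assumptions for the example.

```python
import ipaddress


def embedded_ipv4(addr):
    """Return (scheme, dotted IPv4 string) when an IPv6 address carries an IPv4 address,
    otherwise None. Schemes handled:
      mapped  ::ffff:a.b.c.d        (RFC 4291 2.5.5.2, what dual-stack sockets log)
      6to4    2002:AABB:CCDD::/48   (RFC 3056, IPv4 in bits 16-47)
      teredo  2001:0::/32           (RFC 4380, client IPv4 in the last 32 bits, bit-inverted)
      compat  ::a.b.c.d             (deprecated IPv4-compatible form, still seen in old logs)
    :: and ::1 are not treated as embedded addresses. Plain IPv4 input returns None."""
    try:
        v6 = ipaddress.IPv6Address(addr)
    except ValueError:
        return None
    if v6.ipv4_mapped is not None:
        return ("mapped", str(v6.ipv4_mapped))
    if v6.sixtofour is not None:
        return ("6to4", str(v6.sixtofour))
    if v6.teredo is not None:
        server, client = v6.teredo            # the client address is what identifies the host
        return ("teredo", str(client))
    raw = int(v6)
    if raw >> 32 == 0 and raw > 1:            # top 96 bits zero, and not :: or ::1
        return ("compat", str(ipaddress.IPv4Address(raw & 0xFFFFFFFF)))
    return None


def normalize_address_fields(event, fields=("sourceAddress", "destinationAddress")):
    """Parser-operation style post-processing of one event (assumed dict form): for each
    address field holding an IPv6 address with an embedded IPv4 address, add
    <field>Embedded = the IPv4 string and <field>EmbedScheme = how it was embedded,
    leaving the original field untouched so the raw value stays searchable."""
    out = dict(event)
    for f in fields:
        value = event.get(f)
        if not value:
            continue
        found = embedded_ipv4(value)
        if found:
            scheme, v4 = found
            out[f + "Embedded"] = v4
            out[f + "EmbedScheme"] = scheme
    return out


if __name__ == "__main__":
    # Constructed sample event, not a real connector record.
    sample = {"name": "login", "sourceAddress": "::ffff:198.51.100.7",
              "destinationAddress": "2001:0:4136:e378:8000:63bf:3fff:fdd2"}
    for k, v in sorted(normalize_address_fields(sample).items()):
        print(f"{k}={v}")
```

The order of the checks matters: the mapped and 6to4 tests look at different bits from the Teredo test, and the compatible form is tried last because it is the weakest match. For Teredo the server address is deliberately discarded; it identifies the relay, not the endpoint you want to match against your asset model.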
SmartConnector Load Balancing
What is the Load Balancer?

• New component that load-balances event traffic across SmartConnectors, before the data is received by a connector
• Supports file (beta) and syslog (UDP and TCP) sources
• Released as of 8 September 2015
• Version 1.0, initial release
• Stand-alone new software component
• Download from the normal location
SmartConnector Load Balancer Definition
HP ArcSight SmartConnector Load Balancer provides a "SmartConnector-smart" load balancing
mechanism by monitoring the status and load of SmartConnectors.

Currently it supports two types of event sources and SmartConnectors:

• One distributes the syslog input stream to syslog connectors using TCP or UDP
• The other downloads files from a remote server and distributes them to the file-based connectors

The Load Balancer is aware of the following information for the SmartConnectors defined in the pool:

• Availability (up or down): the Load Balancer monitors SmartConnectors for availability. Events are not
forwarded to a SmartConnector that is not running (down). Instead, events are forwarded to the next
available SmartConnector in the pool per the defined load-balancing algorithm rules.

• SmartConnector load: CPU usage, memory usage, and queue drop rate for events

NOTE: File-based load balancing is a beta feature for this release.
SmartConnector Load Balancer
Ingress: Events into SmartConnector

[Diagram]
Syslog event sources (TCP or UDP) -> Load Balancer virtual IP (primary and secondary Load Balancer for HA) -> SmartConnector pool (syslog connectors, TCP or UDP) -> ESM
  Routing routes: 1. RR (round robin)  2. Weighted RR  3. Aggregation

File event sources (FTP, SCP) -> Load Balancer -> file-based SmartConnectors
  Routing route: 1. RR
SmartConnector Logger Destination Pooling
Egress: SmartConnector load balancing events going to a pool of Loggers

Egress functionality is available for all SmartConnectors.

[Diagram]
Event source -> SmartConnector -> Logger destination pool (SmartMessage, round-robin routing) -> Logger 1, Logger 2

From SmartConnector release 7.1.5, SmartConnectors use the Logger certificates by default.
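As an added example (not HP's Load Balancer code), the following Python models the routing decisions described on the ingress definition, ingress diagram and egress slides: a pool of members with up/down status and CPU, memory and queue-drop metrics, plain round robin that skips members that are down, and a smooth weighted round robin for pools of unequal capacity. On the egress side the same dispatcher applies with Loggers as the members. The member names, the health thresholds and the `healthy()` rule are assumptions; the product's actual thresholds and its "Aggregation" route are not described on the page, so they are not modelled.

```python
from dataclasses import dataclass


@dataclass
class Member:
    """One pool member (a SmartConnector on ingress, a Logger on egress) with the status the
    Load Balancer is described as tracking: availability plus CPU, memory and drop rate."""
    name: str
    weight: int = 1
    up: bool = True
    cpu_pct: float = 0.0
    mem_pct: float = 0.0
    queue_drop_rate: float = 0.0    # fraction of events dropped from the member's queue

    def healthy(self, max_cpu=90.0, max_mem=90.0, max_drop=0.01):
        # Assumed thresholds: a member that is down, saturated or already dropping
        # events should not be handed more traffic.
        return (self.up and self.cpu_pct < max_cpu and self.mem_pct < max_mem
                and self.queue_drop_rate <= max_drop)


class Pool:
    """Round robin (weighted=False) or smooth weighted round robin (weighted=True) over the
    healthy members. pick() returns None when nothing is healthy so the caller can buffer
    or alert instead of silently losing events."""

    def __init__(self, members, weighted=False):
        self.members = list(members)
        self.weighted = weighted
        self._cursor = 0                                   # plain RR position
        self._current = {m.name: 0 for m in self.members}  # smooth WRR state

    def pick(self):
        healthy = [m for m in self.members if m.healthy()]
        if not healthy:
            return None
        if not self.weighted:
            # Plain RR: walk the fixed member order and skip unhealthy members, so a
            # member that comes back up simply resumes its turn.
            n = len(self.members)
            for _ in range(n):
                m = self.members[self._cursor % n]
                self._cursor += 1
                if m.healthy():
                    return m
        # Smooth weighted RR (the nginx algorithm): each round every healthy member gains
        # its weight, the highest wins and pays back the total, which spreads a 3:1:1
        # weighting as A B A C A rather than A A A B C.
        total = sum(m.weight for m in healthy)
        best = None
        for m in healthy:
            self._current[m.name] += m.weight
            if best is None or self._current[m.name] > self._current[best.name]:
                best = m
        self._current[best.name] -= total
        return best

    def route(self, events):
        """Assign each event to a member; returns a list of (member name or None, event)."""
        out = []
        for ev in events:
            m = self.pick()
            out.append((m.name if m else None, ev))
        return out


def distribution(routed):
    """Count events per member name, to check how a policy actually spread the load."""
    counts = {}
    for name, _ in routed:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed syslog lines standing in for the stream arriving at the virtual IP.
    events = [f"<13>Sep  1 10:00:{i:02d} fw1 event={i}" for i in range(6)]
    pool = Pool([Member("sc-a", weight=3), Member("sc-b"), Member("sc-c")], weighted=True)
    print(distribution(pool.route(events)))
    pool.members[1].up = False                   # sc-b goes down: traffic flows around it
    print(distribution(pool.route(events)))
```

Two points a practitioner should carry over to the real deployment: a member that is up but dropping events from its queue is treated as unavailable, since forwarding more traffic to it only increases the loss, and the dispatcher reports "no member" rather than picking an unhealthy one, because with UDP syslog anything sent to a dead connector disappears without an error.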
New SmartConnector load balancing capabilities
Combining the SmartConnector load balancing capabilities for ingress and egress

[Diagram]
• Syslog event sources -> SmartConnector Load Balancer (1, ingress) -> SmartConnector pool -> Logger pool (Logger 1, Logger 2) (2, egress)
• File event sources -> SmartConnector Load Balancer -> file-based SmartConnectors with a Logger pool destination -> Logger pool
SmartConnector Setup

New logger pool destination type

SmartConnector Load Balancing Requirements

SmartConnector Load Balancer (Ingress)
• Hardware requirements
  • CPU: 2 CPUs x 4 cores each (2 x Intel E5620, quad core, 2.4 GHz or better)
  • RAM: 16 GB
  • Disk: 60 GB
  • Network interfaces: 1 dedicated GigE interface
• Platform requirements (64-bit only)
  • RHEL 6.6, 7.1
• Available on SSO September 2015

SmartConnector Logger Destination Pooling (Egress)
• Hardware requirements: same as the current SmartConnector release
• OS platform requirements: same as the current SmartConnector release
• GA 7.1.5 (Q3R1), August 2015

SmartConnector requirements
• HP ArcSight SmartConnector release 7.1.4.7445 or later
• Syslog daemon and/or file-based SmartConnectors
Load Balancer

• Features
– Standalone mode using a single application server
• No HA as running on one node
– High availability (HA) mode, which can be configured with two hosts
• HA mode as a peer – the host that starts first is the active node, the other secondary
• HA mode as primary / secondary – designated primary and secondary node

• The High Availability feature, which is available using primary-secondary or peer mode, currently works
only within the same subnet.

Updated Sizing Tool

• Completely revamped sizing tool
• New algorithm
• Cost compare feature added
• Growth requirements added
• Multiple instances quotes
• Logger: RAW and CEF mode
• Army of Loggers
• ArcMC management sizing with cost compare
• Customer output changes
HP ArcSight Solution Product Family Modules

[Diagram, bottom to top]
Event sources: Security, Network, Systems
Collection
Consolidation
Correlation
Modules: IdentityView, ApplicationView, RepSM, Compliance Packs, Risk Insight
Management (Mgt) spans all layers
Upsells & Add-ons
Logger Express ESM
HA (IP Cluster*) ✖ ✖ ✔
CIPs ✔ ✔ ✔
Threat Detector ✖ ✔ ✔
Devices/Assets ✖ ✔ ✔
Console/Web Users ✖ ✔ ✔
IdView Users ✖ ✔* ✔*
RepSM ✖ ✔ ✔
Application View ✖ ✔ ✔
Risk Insight ✖ ✖ ✔
ArcMC ✔ ✖ ✖
Thank you
philippe.jouvellier@hpe.com

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Restricted. For HP and Partner Internal Use
