HP ArcSight Express Slide Deck (Correlate - Check Speaker Notes & Navigation Slide 1 Revisit Slide 3: Collect Myriad Devices

& Systems (Common Event Format) - Pulling in Data & Enriching Data - Not tied to ArcSight, for vendor supported devices Slide Quantitiy and Quality Collections - Largest Library of collection - Quality is importinant (Normalizing & Classifying) Garbage in Garbage Out - Not Tied to our Connectors. Feedback for Roadmap, but o Multi-Prong Appraoch (Flex Connector PS, You, Home Grown) vs Competitor. o Normalization Slide: - Apps & devices speak different languages o Take fields and insert into common schema  To use with correlation engine  We spend template (Structured)  (Our Schema is very flexibles (500 fields) y NOTE: Show how works with Win, Linux syslog from slide Categorization: - Not network guy, but Linux Admin o Lot longer to dig in - This is where Connector comes into place better organize data o Future proofing and faster forensic analysis  Ie Rules Firewall, write on Categorization /Firewall (Pix to Cisco) y No problem with rewriting content Robust Collections: - Feeding normalization & categorization into ArcSight Express o No need for agent on each system (Agentless)  TCO & Admin deploy savings - Log leves are on Verbose, we can drop info that we really want - Aggregation Deduplicating same event and send single event across network and count how many Good network citizen - Encrypt log before sending (CEF) - Trip connection to switch we buffer - Compliance perspective, make sure we connect o Deplet cache and manage bandwidth (30/70) Realtime vs cached - Central management of logs - What form factors do you want? (We have appliance, physical or virtual) Normalization categorization across all factors


Appliances some advantages, such as security access and updates

Detect: - Correlation Engine is very Robust o Who, What Where o Pattern Recognition from Simple to complex Slide not all correlation is created equal o Event, Threshohlld vs. Master correlation  Use Case Section y Click link o Malware & Botnet *CLICK* - Vulnerability Correlation  Corrlation Active Lists y Open Source Intelligent Services Malicious IP & Domains keep track y Right hand side you environment You keep list updated to correlate to your environment (Active List) y See activity on domain, we alert on it y From top list malicious ip domain, we populate other list within your environment, we specify how long you want to keep y Visually & Proactively report with dashboard to do a deep dive. y Click return to main presentation

Slide - Out of the Box Content (Map back to use case - General areas important to customers - How do I deploy solution (10+ years) o Out of box use cases we created as correlation & Common Issues o Templates for your modification Correlation with Context: Very important to Correlation Engine: - Asset Context o Vulnerability, Attack History (PCI attack credit cards), criticality Priority  Example If not listening on ports, (Severity of ports monitoring) y Specify Priority User Context o Why should Finance guy be using Nmap (Dept, Role, Accounts) Location Contects o Countries o Two & From


Physical or Logical y IE Data Center 

Slide: Role Violation Monitoring Salesforce.com Web Portal. Loggin into System if attempting to login directly to System, bypass

Shared Account Usage - System does not have specific controls for user name or psssword. Tie back fraudulent activity o Use case Bank Credit Union  Apps hard coded login names (Could not rewrite)  Bought us and two organization using Admin y Saved bunch money - Email address, badge ID phone Extension o Robert identity correlation tie activity device to tie into account  Ip Session to user name Slide - Activity Profiling Threat Detector Patters of malicious activity not written - Low & Slow not identified correlation - Look Baseling of patterns behavior - Create Correlation Rules for it. o Fraud Banking - Std Deviation detection  IE bank looks like small withdrawal or transfer (Deltas) Small or large withdrawal. Compliance Automated Compliance - Built into Express How Compliant are we? Slide Respond: Meaningful Response. o Tie into remedy Escalation System (We can integrate) o Email SNMP

Slide Analyze and Investigate y Drill in to visual perspective and how activity mapped out in evt. Slide Powerful and Flexible reporting - We bring information to you PDF HTML o Scheduled or ad-hoc. - Graphical reports (NO PROGRAMMING LANGUAGE REQUIRED) o FUD SQL. Slide: Built-in Workflow

Integration with Remedy and XML for escalating events Slide: Threat response manager - Correlation found events to meet offending issue. - We can automate actions to be taken, such as router shutdown. Scalable Growth path - Subset EPS o We add Connector Appliances  Store or Retain Data for longer time LOGGER o Exceeding express users 50

Detect Respond

Slide 2: Scale HP ArcSight Product Family Logger Log Collection and search events HP ArcSight Express

Sign up to vote on this title
UsefulNot useful