Post on 02-Jul-2015
18/03/2010 © 2010 ArcSight Confidential 1
Technology Day
Genève, 17 March 2010
Jean-Luc Labbe, ArcSight
Southern EMEA Sales Engineer
Cell +39 335 879 0307
jlabbe@arcsight.com
ArcSight - Company Overview
Company Background
- Founded May 2000
- 2000+ customers
- 450+ employees, offices worldwide
- NASDAQ: ARST
Analyst Recognition
- #1 In-use for both SIEM & Log Management
- #1 in Market Share – Last three reports
- SIEM Leader’s Quadrant – SIX years running
- Industry Recognition
Agenda
- Log collection and normalization, the first step of analysis
- With ArcSight Express, correlation at a lower cost
The Real Challenge
Event sources: Network Devices, Servers, Mobile, Desktop, Security Devices, Physical Access, Apps, Databases, Identity Sources
- Millions of events generated per day
- No central point of collection and analysis
- Too difficult to manage security and risk
Reduce Risk by Understanding the Big Picture
Connect the dots
Collect information everywhere
Analyze it for a clear picture
Take action to resolve problems early
Understanding the Big Picture
SIEM enables centralized visibility of enterprise events
Event sources: Network Devices, Servers, Mobile, Desktop, Security Devices, Physical Access, Apps, Databases, Identity Sources
ArcSight - Centralized Security Monitoring Platform
An integrated product set for collecting and assessing security and risk information.
Event sources: Network Devices, Servers, Mobile, Desktop, Security Devices, Physical Access, Apps, Databases, Identity Sources
Integration Layer: ArcSight Connectors (Data Collection)
Core Engine Layer: ArcSight Logger (Log Management), ArcSight ESM (Event Correlation), ArcSight Threat Response Module (Guided Response)
Module Layer: Rules and Reports/Logic for Business, 3rd Party and Regulatory modules (EnterpriseView, IdentityView, FraudView)
Integration & Core Engine Layers – Flows & Interactions
Event sources (Network Devices, Servers, Mobile, Desktop, Security Devices, Physical Access, Apps, Databases, Identity Sources)
-> Integration Layer: ArcSight Smart Connectors
-> ArcSight Logger (Log Management) and ArcSight ESM (Correlation)
-> ArcSight Threat Response Manager (Auto Response)
Integration Layer
Integration Layer – ArcSight Connectors
- Collect in native log format from 275+ types of products
- Normalize to a common format
- Send to centralized engines via secure, reliable delivery
Available as: Rackable Appliances (Connector Appliance), Branch Office/Store Appliance (Connector Appliance), Installable Software
Benefit: Insulates device choices from analysis
ArcSight Connectors - 275+ Products, 50+ Categories, 80+ Partners
Access and Identity
Anti-Virus
Applications
Content Security
Database
Data Security
Firewalls
Honeypot
Network IDS/IPS
Host IDS/IPS
Integrated Security
Log Consolidation
Mail Filtering
Mail Server
Mainframe
NBAD
Network Management
Network Monitoring
Net Traffic Analysis
Policy Management
Security Management
Router
Web Cache
Web Filtering
Switch
Vulnerability Mgmt
Web Server
Operating System
VPN
Wireless
ArcSight Connectors - Primary Functions
ArcSight SmartConnectors take a *RAW Event through four layers and emit an ArcSight Event:
- Event Extraction Layer
- Normalization Layer
- Categorization Layer
- Delivery Layer
ArcSight Connectors - Event Extraction Layer
Event Extraction Layer (ArcSight SmartConnectors): Agent OR Agentless
Event Sources: Syslog, SNMP Traps, Files (Delimited, RegEx, XML), ODBC Databases, Custom (Flex API)
Capabilities: Filtering, Aggregation, Field Mapping, Polling Options
ArcSight Connectors - Normalization Layer
Raw event (Cisco PIX):
Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside
Normalized events (Normalization Layer, ArcSight SmartConnectors):
Time (Event Time) | name | DeviceVendor deviceProduct | CategoryBehavior | CategoryDeviceGroup | CategoryOutcome | CategorySignificance
6/17/2009 9:29 | Deny | CISCO Pix | /Access | /Firewall | /Failure | /Informational/Warning
6/17/2009 9:30 | Deny | NetScreen Firewall/VPN | /Access/Start | /Firewall | /Failure | /Informational/Warning
6/17/2009 9:31 | Deny | CISCO Pix | /Access | /Firewall | /Failure | /Informational/Warning
6/17/2009 9:32 | Deny | NetScreen Firewall/VPN | /Access/Start | /Firewall | /Failure | /Informational/Warning
ArcSight Connectors - Categorization Layer
Jun 02 2005 12:16:03: CISCO PIX: PERMIT TCP
Jun 02 2005 12:16:03: CHECK POINT: ALLOW TCP
Jun 02 2005 12:16:03: NETSCREEN: ACCEPT TCP
Failed logins across the enterprise as simple as: “/Authentication/Verify” AND “/Failure”
Categorization Layer
ArcSight SmartConnectors
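As an added worked example (not code from the slides or from ArcSight), the normalization and categorization steps above in Python: three constructed log lines from different products are parsed into one field set, using the category values shown on the normalization slide for the two firewall denies, and the categorization slide's cross-vendor query "/Authentication/Verify" AND "/Failure" is then run over the result. The NetScreen and sshd lines, the field names beyond those on the slide, and the category assignment for sshd are assumptions made here.

```python
import re
from datetime import datetime

# Constructed sample events. The first line is the Cisco PIX message shown on
# the normalization slide; the NetScreen and sshd lines are constructed here
# in those products' usual syntax and are not from the slides.
RAW_EVENTS = [
    "Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from "
    "10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside",
    "Jun 02 2005 12:16:04: NetScreen device_id=fw01 [Root]system-notification-00257(traffic): "
    "policy_id=3 service=https proto=6 action=Deny src=10.50.215.102 dst=204.110.227.16 "
    "src_port=15606 dst_port=443",
    "Jun 02 2005 12:16:05 host1 sshd[2231]: Failed password for mjohnson "
    "from 10.50.215.50 port 51122 ssh2",
    "Jun 02 2005 12:16:09 host1 sshd[2231]: Accepted password for mjohnson "
    "from 10.50.215.50 port 51122 ssh2",
]

TS = r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
PIX_RE = re.compile(
    TS + r": %PIX-\d-(?P<msgid>\d+): (?P<action>Deny|Permit) (?P<proto>\w+) "
    r".*?from (?P<src>[\d.]+)/(?P<spt>\d+) to (?P<dst>[\d.]+)/(?P<dpt>\d+)"
)
NETSCREEN_RE = re.compile(TS + r": NetScreen (?P<body>.*)$")
SSHD_RE = re.compile(
    TS + r" (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?P<user>\S+) from (?P<src>[\d.]+) port (?P<spt>\d+)"
)


def _base(ts, vendor, product, name):
    return {
        "eventTime": datetime.strptime(ts, "%b %d %Y %H:%M:%S"),
        "name": name,
        "deviceVendor": vendor,
        "deviceProduct": product,
    }


def normalize(raw):
    """Map one raw line onto the common field set; unknown lines are kept raw."""
    if m := PIX_RE.match(raw):
        ev = _base(m["ts"], "CISCO", "Pix", m["action"])
        deny = m["action"] == "Deny"
        ev.update(sourceAddress=m["src"], sourcePort=int(m["spt"]),
                  destinationAddress=m["dst"], destinationPort=int(m["dpt"]),
                  # Category values for the PIX deny are the ones on the slide
                  categoryBehavior="/Access", categoryDeviceGroup="/Firewall",
                  categoryOutcome="/Failure" if deny else "/Success",
                  categorySignificance="/Informational/Warning" if deny else "/Informational")
        return ev
    if m := NETSCREEN_RE.match(raw):
        kv = dict(re.findall(r"(\w+)=(\S+)", m["body"]))
        deny = kv.get("action") == "Deny"
        ev = _base(m["ts"], "NetScreen", "Firewall/VPN", kv.get("action", "Traffic"))
        ev.update(sourceAddress=kv.get("src"), sourcePort=int(kv.get("src_port", 0)),
                  destinationAddress=kv.get("dst"), destinationPort=int(kv.get("dst_port", 0)),
                  # Category values for the NetScreen deny are the ones on the slide
                  categoryBehavior="/Access/Start", categoryDeviceGroup="/Firewall",
                  categoryOutcome="/Failure" if deny else "/Success",
                  categorySignificance="/Informational/Warning" if deny else "/Informational")
        return ev
    if m := SSHD_RE.match(raw):
        failed = m["result"] == "Failed"
        ev = _base(m["ts"], "Unix", "sshd", f"{m['result']} password")
        ev.update(sourceAddress=m["src"], sourcePort=int(m["spt"]),
                  destinationHostName=m["host"], destinationUserName=m["user"],
                  # Category assignment for sshd is an assumption made here, in the
                  # same taxonomy as the slide's "/Authentication/Verify" example
                  categoryBehavior="/Authentication/Verify",
                  categoryDeviceGroup="/Operating System",
                  categoryOutcome="/Failure" if failed else "/Success",
                  categorySignificance="/Informational/Warning" if failed else "/Informational")
        return ev
    return {"name": "Unparsed", "rawEvent": raw}


def search(events, **criteria):
    """Category search: every given field must match exactly, whatever the vendor."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


EVENTS = [normalize(line) for line in RAW_EVENTS]
# Failed logins across the enterprise: "/Authentication/Verify" AND "/Failure"
FAILED_LOGINS = search(EVENTS, categoryBehavior="/Authentication/Verify", categoryOutcome="/Failure")
# Firewall denies regardless of vendor: "/Firewall" AND "/Failure"
FIREWALL_DENIES = search(EVENTS, categoryDeviceGroup="/Firewall", categoryOutcome="/Failure")
```

The point of the category fields is visible in the two searches: neither mentions a vendor, a message id or a log syntax, yet one finds the sshd failure and the other finds both the PIX and the NetScreen deny.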
ArcSight Connectors - Delivery Layer
- Encryption (Capable of FIPS 140-2 Encryption)
- Compression (Up to 80% over the wire compression)
- Split Feeds (Each feed has independent cache)
- Bandwidth Management (Rate Limiting based on Time of Day)
- HA (Failover Configuration)
Delivery Layer (ArcSight SmartConnectors): Event Sources -> Guaranteed Delivery, Batching, Scheduling -> ArcSight Destinations (Encrypted, Compressed, Split Feeds, Rate Limiting, Fail-Over, Cache)
Destinations: ESM and/or Logger; Failover / HA; or DestinationA_FilterA and DestinationB_FilterB; or...
Many options, scenarios…
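The delivery-layer behaviours listed above (split feeds with independent caches and filters, batching, time-of-day rate limiting, failover, events held until a destination accepts them) as an added simulation in Python. It is not ArcSight code: the class names, the per-feed filter, the business-hours rate-limit rule and the events are all constructed here.

```python
from collections import deque
from datetime import datetime


class Destination:
    """A receiving ESM or Logger; `up` simulates whether it is reachable."""

    def __init__(self, name, up=True):
        self.name, self.up, self.received = name, up, []

    def send(self, batch):
        if not self.up:
            raise ConnectionError(self.name)
        self.received.extend(batch)


class Feed:
    """One destination feed with its own filter, cache, rate limit and failover."""

    def __init__(self, primary, event_filter=lambda e: True, failover=None,
                 batch_size=10, rate_limit=None):
        self.primary, self.failover = primary, failover
        self.event_filter = event_filter
        self.batch_size = batch_size
        # rate_limit(hour) -> max events per flush at that hour; None = unlimited
        self.rate_limit = rate_limit or (lambda hour: None)
        self.cache = deque()  # guaranteed delivery: events stay here until accepted

    def offer(self, event):
        if self.event_filter(event):
            self.cache.append(event)

    def flush(self, now):
        """Deliver cached events in batches; return how many are still cached."""
        allowance = self.rate_limit(now.hour)
        sent = 0
        while self.cache:
            size = self.batch_size
            if allowance is not None:
                size = min(size, allowance - sent)
                if size <= 0:
                    break  # rate limit for this time of day reached
            batch = [self.cache[i] for i in range(min(size, len(self.cache)))]
            for dest in (self.primary, self.failover):
                if dest is None:
                    continue
                try:
                    dest.send(batch)
                    break
                except ConnectionError:
                    continue
            else:
                break  # neither destination reachable: keep the batch cached
            for _ in batch:
                self.cache.popleft()
            sent += len(batch)
        return len(self.cache)


def make_connector(esm_a, esm_b, logger):
    return {
        # ESM gets only the failure events and fails over to a second ESM
        "esm": Feed(esm_a, lambda e: e["categoryOutcome"] == "/Failure",
                    failover=esm_b, batch_size=2),
        # Logger gets everything, but at most 3 events per flush during business hours
        "logger": Feed(logger, batch_size=5,
                       rate_limit=lambda h: 3 if 8 <= h < 18 else None),
    }


# Constructed events in the normalized field set: odd ones are failures
EVENTS = [{"name": f"ev{i}", "categoryOutcome": "/Failure" if i % 2 else "/Success"}
          for i in range(6)]


def run_scenario():
    esm_a = Destination("ESM-A", up=False)   # primary ESM is down
    esm_b = Destination("ESM-B")             # failover ESM is up
    logger = Destination("Logger", up=False)  # Logger is down at first
    feeds = make_connector(esm_a, esm_b, logger)
    for ev in EVENTS:
        for feed in feeds.values():
            feed.offer(ev)
    left = {name: f.flush(datetime(2010, 3, 17, 10, 0)) for name, f in feeds.items()}
    logger.up = True  # Logger comes back: the cache drains, rate-limited by hour
    left_daytime = feeds["logger"].flush(datetime(2010, 3, 17, 10, 5))
    left_night = feeds["logger"].flush(datetime(2010, 3, 17, 20, 0))
    return {"esm_a": len(esm_a.received), "esm_b": len(esm_b.received),
            "after_first_flush": left, "logger_after_daytime_flush": left_daytime,
            "logger_after_night_flush": left_night, "logger_total": len(logger.received)}
```

Each feed keeps its own cache, so the Logger outage never blocks the ESM feed, and nothing is dropped while the Logger is unreachable; the daytime flush delivers only what the rate limit allows and the remainder goes out after hours.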
Integration Layer – Connector Appliance Specifications
Model | C1000 | C3200 | C5200
Management | Web browser, CLI | Web browser, CLI | Web browser, CLI
OS | CentOS 4.6 64-bit | Oracle Enterprise Linux 4 64-bit | Oracle Enterprise Linux 4 64-bit
Max EPS | 400 | 2500 | 5000
Onboard Connectors | 4 | 16 | 32
Remote Connector Management | No | Up to 500 | Up to 1000
Max Devices | By EPS only | By EPS only | By EPS only
CPU | 1 x Intel Celeron 220 1.2 GHz | 1 x Intel Xeon Quad Core | 2 x Intel Xeon Quad Core
RAM | 1GB | 6GB | 12GB
Storage | 120GB | 500GB | 2 x 500GB - RAID1
Chassis | Table Top | 1U | 1U
Power | External (100 - 240 VAC) | 480 W (100 - 240 VAC) | 2 x 500 W (100 - 240 VAC)
Redundant Power | No | No | Yes
Ethernet Interfaces | 1 x Fast Ethernet | 2 x Gigabit Ethernet | 2 x Gigabit Ethernet
Dimensions (D x W x H) | 10.83" x 8.27" x 2.56" | 24.7" x 17.1" x 1.7" | 24.7" x 17.1" x 1.7"
Actual performance will depend on factors specific to a user's environment.
Log Management
Core Engine Layer - Log Management
ArcSight Logger
- Efficient, self-managed archiving of terabytes of log data
- Raw or normalized format
- Pre-built reporting for security or compliance needs
Available as: Data Center Log Storage & Management Appliance (35 TB max), SAN-Based Log Management Appliance, SMB/Regional Log Storage & Management Appliance
Benefit: Cost-efficient compliance retention/reporting
Logger – Efficient & Intelligent Storage (1/2)
• Up to 50TB of online data per appliance
• Onboard & External (SAN) storage options
• Automatic archival
• Analyze across onboard and externally archived data
• Granular role-based access controls
• Automated enforcement of multiple retention policies
[Figure: Logger with SAN, NAS and LAN-attached storage]
Logger – Efficient & Intelligent Storage (2/2)
[Figure: Devices A–H -> Device Groups 1–3 -> Storage Rules (priority 5, 10, 15) -> Storage Groups 1–2 -> Storage Volume]
Logger 4 supports up to 6 Storage Groups (Internal SG + Default SG + 4 SGs that you can create).
Storage Rules create a mapping between the Device Groups and the Storage Groups.
Each Storage Rule has a unique priority value, and the lower value has the higher priority.
Each Storage Group can have a different retention policy, which is specified in terms of the number of days that events are stored and an overall maximum size in GB.
Events from specific IP addresses can be routed to particular Storage Groups, making it possible to store all router events, for example, in a Storage Group with a short retention period, and business-critical host events in another Storage Group with a longer retention period.
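An added example in Python of the routing just described, not code from ArcSight Logger: device groups defined by IP ranges, storage rules with unique priorities where the lower value wins, and storage groups whose retention is a number of days plus a maximum size. The class names, the overlapping device groups (a critical host that also sits in the router subnet), the event sizes and the tiny size cap used to trigger trimming are all constructed for the demonstration; the limit of four user-created storage groups is the Logger 4 figure from the slide.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class StorageGroup:
    name: str
    retention_days: int
    max_size_gb: float
    events: list = field(default_factory=list)  # (receipt time, size in bytes, event)


@dataclass
class DeviceGroup:
    name: str
    networks: list  # ipaddress networks; a single host is a /32


@dataclass
class StorageRule:
    priority: int  # unique; the lower value has the higher priority
    device_group: DeviceGroup
    storage_group: StorageGroup


class LoggerStorage:
    MAX_USER_GROUPS = 4  # Logger 4: Internal SG + Default SG + up to 4 user-created SGs

    def __init__(self, default_group, rules):
        priorities = [r.priority for r in rules]
        if len(set(priorities)) != len(priorities):
            raise ValueError("storage rule priorities must be unique")
        user_groups = {r.storage_group.name for r in rules} - {default_group.name}
        if len(user_groups) > self.MAX_USER_GROUPS:
            raise ValueError("too many user-created storage groups")
        self.default_group = default_group
        self.rules = sorted(rules, key=lambda r: r.priority)  # highest priority first

    def route(self, device_address):
        """First matching rule in priority order wins; otherwise the Default SG."""
        ip = ipaddress.ip_address(device_address)
        for rule in self.rules:
            if any(ip in net for net in rule.device_group.networks):
                return rule.storage_group
        return self.default_group

    def store(self, event, size_bytes=512):
        group = self.route(event["deviceAddress"])
        group.events.append((event["receiptTime"], size_bytes, event))
        return group.name

    def enforce_retention(self, now):
        """Drop events older than each group's day limit, then trim the oldest past its size cap."""
        groups = {}
        for g in [self.default_group] + [r.storage_group for r in self.rules]:
            groups[g.name] = g
        dropped = {}
        for group in groups.values():
            cutoff = now - timedelta(days=group.retention_days)
            kept = sorted((e for e in group.events if e[0] >= cutoff), key=lambda e: e[0])
            while kept and sum(s for _, s, _ in kept) / 1e9 > group.max_size_gb:
                kept.pop(0)  # oldest event goes first when the group is over size
            dropped[group.name] = len(group.events) - len(kept)
            group.events = kept
        return dropped


def build_example():
    # Constructed groups; the router cap of 1e-6 GB (1000 bytes) is deliberately tiny
    routers = StorageGroup("Routers SG", retention_days=7, max_size_gb=0.000001)
    critical = StorageGroup("Critical Hosts SG", retention_days=365, max_size_gb=100)
    default = StorageGroup("Default Storage Group", retention_days=30, max_size_gb=100)
    router_dg = DeviceGroup("All routers", [ipaddress.ip_network("10.0.0.0/24")])
    critical_dg = DeviceGroup("Business-critical hosts", [ipaddress.ip_network("10.0.0.5/32")])
    # 10.0.0.5 belongs to both device groups; the rule with priority 5 beats priority 10
    return LoggerStorage(default, [
        StorageRule(10, router_dg, routers),
        StorageRule(5, critical_dg, critical),
    ])


def run_scenario():
    store = build_example()
    now = datetime(2010, 3, 17, 12, 0)
    placed = [
        store.store({"deviceAddress": "10.0.0.1", "receiptTime": now - timedelta(days=10)}),
        store.store({"deviceAddress": "10.0.0.1", "receiptTime": now - timedelta(days=1)}),
        store.store({"deviceAddress": "10.0.0.2", "receiptTime": now}),
        store.store({"deviceAddress": "10.0.0.5", "receiptTime": now - timedelta(days=200)}),
        store.store({"deviceAddress": "192.168.1.9", "receiptTime": now}),  # no rule matches
    ]
    dropped = store.enforce_retention(now)
    return placed, dropped
```

The scenario shows the two things a retention design has to get right: the critical host's 200-day-old event survives because its rule outranks the router rule it also matches, while the router group loses one event to its day limit and another to its size cap.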
Logger – Hundreds of Out-of-the-Box Reports
e.g. the PCI Package includes 70 reports based on the PCI DSS
Logger – Using Reports
Quick Run: Runs the report using the default data filtering configuration, which was set at report deploy time. Provides options to change the start and end time parameters, storage groups, and devices included in the scope of the report run.
Run in Background: Use this option to run reports that take a long time to generate or that are not required online immediately.
Run: Provides options to modify the data filter criteria used by the report query for this run. You can specify a maximum number of rows to include in the report, and perform various comparison and logical operations on event fields.
Published: Displays the list of previously generated reports that have not yet expired. You can view the user (user name) who generated the report, the generation time, and the expiry time of the report. The report can be viewed as well as deleted from the saved report list.
Edit: Opens the Report Designer for the associated report, where you can make changes to the underlying query the report uses.
Logger – Dive Into A Report Template (Example) 1/3
Logger – Forensics On-the-Fly (Dashboards)
Logger – Google Like Search Anything
“Google Like Search” requires no familiarity with various log syntaxes
Clean and structured viewing of logs
Active results for quick drill down
Example search: failure windows mjohnson
ArcSight Cybersecurity survey: More than 75% said they very rarely or hardly ever knew what exactly to look for when researching a cyber attack
• Unstructured raw text search for fast forensic analysis
• Structured data search to simplify investigations
• Together: unified analysis across all data for complete visibility and fast detection and remediation of cyber-attacks
Logger – Logger Specifications
Model | L3200 & L3200-PCI | L7200-SAN | L7200s | L7200x
Management | Web browser, CLI (all models)
OS | Oracle Enterprise Linux 4, 64-bit (all models)
Compression | Up to 10:1 (all models)
Max Devices | 200 | Unrestricted | 500 | Unrestricted
RAW EPS | 2000 | 75000 | 5000 | 100000
Onboard Connectors | 4 / N/A
Connector EPS | 200 / N/A
Remote Connector Management | 20 (5 containers) / No / No
CPU | 1 x Intel Xeon Quad 2.0 GHz / 2 x Intel Xeon Quad 2.0 GHz
RAM | 12GB / 24GB
Storage | 2 x 1TB - RAID1 / External SAN / 6 x 1TB - RAID5
Chassis | 1U / 2U
Power | 480W (Non-Redundant) / 2 x 870W (Redundant)
Ethernet Interfaces | 2 x 10/100/1000 / 4 x 10/100/1000
Host Bus Adapter | N/A / Emulex Lpe 11002
Dimensions | 24.7" x 17.1" x 1.7" (all models)
Supported Sources: ArcSight Common Event Format (CEF), ArcSight ESM; Raw syslog (TCP/UDP), Raw file-based logs (FTP, SCP, SFTP); Analysis optimized collection for 275+ commercial products; FlexConnector framework for legacy event sources
Actual performance will depend on factors specific to a user's environment.
Logger Model | Physical Capacity¹ | Effective Capacity | Compression
L3200 / L3200-PCI | .78TB | ~7.8TB | Up to 10:1
L7200s/L7200x | 4.2TB | ~42TB | Up to 10:1
L7200-SAN | 5TB² | ~50TB | Up to 10:1
¹ Capacity prior to compression.
² Allocate 5.4TB in order to use 5TB.
Correlation
Core Engine Layer - Correlation
ArcSight ESM
- Real-time analysis of business events
- Activity profiling to create baselines for context
- Flexible visualization for role-based presentation
Available as: Data Center Rackable Appliance, Installable Software
Benefit: Focus resources only on important issues
Correlation - Filter Out the Noise and Focus on Key Issues
From Millions of Events to those that Matter
Correlation Engine inputs: Who (User Identity), Where (Contextual Analysis), What (Asset Value), When (Time Window), How (Correlation Engine)
Lifecycle of an Event Through ESM
1- Data collection and event processing
2- Event priority evaluation & network model lookup
3- Correlation: Filters, rules, data monitors
4- Monitoring and investigation
5- Workflow
6- Reporting and incident analysis
Lifecycle of an Event Through ESM (1/6)
The Connector sends the aggregated & filtered events to the ESM…
Lifecycle of an Event Through ESM (2/6)
… where they are evaluated & tagged with Priority Levels and Network Modeling information.
They are then stored in the ArcSight database and processed through the Correlation Engine.
Lifecycle of an Event Through ESM (3/6)
Events that have been tagged with Event Categories, Priority Evaluations and Network Modeling information are processed by the Correlation Engine, where Filters, Rules and Data Monitors can evaluate them.
Lifecycle of an Event Through ESM (4/6)
Events that have been processed by the Correlation Engine can be monitored on Active Channels, Dashboards and Event Graphs.
Lifecycle of an Event Through ESM (5/6)
Follow-up investigation can be done manually or automatically using ArcSight workflow components.
Lifecycle of an Event Through ESM (6/6)
ArcSight analysis tools work on processed events to produce Reports, discover new patterns and analyze output data using interactive graphics.
Analysis and Reporting tools are highly customizable and can be run manually or scheduled to output data at regular intervals to be viewed by the SOC staff.
Correlation – ESM Specifications
Model | E7200-2 | E7200-4
Max EPS (Peak/Sustained) | 2,500 EPS / 1,500 EPS | 5,000 EPS / 3,000 EPS
OS | Oracle Enterprise Linux 4 | Oracle Enterprise Linux 4
CPU | 2 x Intel Xeon Quad | 2 x Intel Xeon Quad
RAM | 24GB | 24GB
Ethernet Interfaces | 4 x 10/100/1000 | 4 x 10/100/1000
Storage | 6 x 600GB - Serial Attached SCSI - RAID0 | 6 x 600GB - Serial Attached SCSI - RAID0
Chassis | 2U | 2U
Power | 2 x 870W (Redundant) | 2 x 870W (Redundant)
Thermal | 3000 BTU/hr | 3000 BTU/hr
Weight | 36 Kg (78 lbs) | 36 Kg (78 lbs)
Dimensions (D x W x H) | 26.8" x 17.4" x 3.4" | 26.8" x 17.4" x 3.4"
Actual performance will depend on factors specific to a user's environment.
ArcSight Express vs. ArcSight ESM
Feature | ArcSight Express | ArcSight ESM
Cross-Regulation Compliance Reporting | √ | √
End-User Web Console | √ | √
Appliance Deployment Option | √ | √
Pre-Built Out-of-Box Rules/Reports | √ | √
Market-Leading Correlation | √ | √
Customizable Regulatory Compliance Packages | √ | √
Unlimited Rule/Device Types | √ | √
Custom Rules/Report Creation | √ | √
Software Deployment Option | - | √
Unlimited Device Expandability | - | √
Activity Profiling (Pattern Discovery) | - | √
User, Fraud, and Data Monitoring | - | √
More Storage | - | √
More Integration Options * | - | √
* e.g. TRM, Remedy, etc. integration
ArcSight Express – Your Security Expert “In A Box”
AE is an integrated event and log management solution
- Uses the same collection & correlation as ArcSight ESM, but
- Is appliance based for easier deployment and management
AE has pre-defined rules, reports, alerts and dashboards built-in
- Solves the most important security & compliance issues right out of the box
Out-Of-The-Box AE Coverage:
- Bot, Worm and Virus Attack Visibility and Alerting
- Hacker Detection
- Bandwidth Hogs and Policy Violations
- Application Access Monitoring
- Remote Access
- System and User Impact
- Compliance controls
Model | M720-M | M720-L | M720-X | L3200
OS | Oracle Enterprise Linux 4, 64-bit (all models)
Compression | Up to 10:1 (all models)
Max Network Devices | 40 | 100 | 225 | Same as M7200
Max Desktops | 100 | 250 | 500 | Same as M7200
Max EPS | 500 | 1000 | 2500 | Same as M7200
Max Assets | 5000 | 10000 | 25000 | N/A
Web Users | Unlimited Users (all models)
CPU | 1 x Intel Xeon E5504 Quad Core 2.0 GHz / 2 x Intel Xeon E5504 Quad Core 2.0 GHz
Ethernet Interfaces | 2 x 10/100/1000 / 4 x 10/100/1000
RAM | 12GB / 24GB
Physical Capacity | 2TB (2 x 1TB - RAID1) / 3.6TB (6 x 600GB - RAID10)
Effective Capacity | 1.6TB / 7.8TB / 1.6TB (+L3200)
Chassis | 1U / 2U
Power | 1 x 480W (Non-Redundant) / 2 x 870W (Redundant)
Dimensions (DxWxH) | 24.7" x 17.1" x 1.7" / 26.8" x 17.4" x 3.4"
L3200 not included with Express-M
Actual performance will depend on factors specific to a user's environment.
ArcSight Express Pre-Built Content for Top Scenarios
Cross Device Reporting: Top Bandwidth Users; Configuration Changes; Successful and Failed Logins; Password Changes; Top Attackers and Internal Targets
Anti-Virus Reporting: Top Infected Systems; All AV errors; AV Signature Update stats; Consolidated Virus Activity; AV Configuration Changes
Database: Database Errors and Warnings; Database Successful and Failed Logins; Database Configuration Changes
IPS/IDS: IPS/IDS Alert Metrics; Alert Counts; Top Alert Sources and Destinations; Top Attackers and Internal Targets
Access Management: User Authentication across hosts; Authentication Success and Failures; User Administration Configuration Changes
Network Devices Reporting: Network Device Errors and Critical Events; Network Device Status and “Down” Notifications; Bandwidth Usage; Configuration Changes by User and Change Type; Successful and Failed Logins; Top Connections
VPN Device Reporting: VPN Authentication Errors; Connection Counts; Connection Durations; Connections Accepted and Denied; Successful and Failed Logins; Top Connections; Top Bandwidth Users; VPN Configuration Changes
Operating System Reporting: Privileged User Administration; Successful and Failed Logins; Configuration Changes
Firewall Reporting: Denied Inbound Connections; Denied Outbound Connections; Bandwidth Usage; Successful/Failed Login Activity
Solutions Modules
ArcSight Modules
ArcSight Solution Modules
- Pre-built rules, reports, dashboards, and connectors
- Regulatory: Address compliance for public/industry regulations (SOX/JSOX, PCI, FISMA, HIPAA, NERC)
- Business: Address scenarios common to most organizations (Identity Monitoring, Fraud Detection, Insider Threat Detection)
Available as: Pre-configured Appliances, Installable Software
Benefit: Rapid deployment by leveraging best practices
EnterpriseView - Business Solution Package
Solution Package that includes
– Installable Solution Module on top of ESM
– Prebuilt customizable Reports & Rules tuned for the specific solution
– Pattern Discovery customizable configuration to create new monitoring rules
IdentityView
FraudView
IdentityView – Sample Reports (1/2)
Activity Report – For Users With The Developer Role
IdentityView – Sample Reports (2/2)
Activity Report – For Users in the Finance Department
FraudView – Multiple Engines for Detecting Fraudulent Activity
Fraudulent transactions can be detected by FraudView in multiple ways.
Engines: Risk Scoring Engine, Fraud-Based Correlation Engine, Pattern Recognition Engine, Escalation List Process
Multi-Path Risk Analysis
- Transaction evaluation - Fraud Detection Correlation rules (against Real-Time events and Historical data).
- Device Risk - Is the Source address in an Escalation List, a Country of Concern, etc.?
- Transaction Risk - What is the Risk Associated with the Transaction, etc.?
- Account Risk - Is the Account in an Escalation List, etc.?
- Destination Risk – Is the Destination a suspicious Payee, a Country of Concern, etc.?
These factors combine into a Risk Score.
Escalation lists: Watch List, Suspicious List, Investigate List
1- Account authentication over the phone fails a second time… Account is added to the Watch List.
2- Source IP from which the website was scanned last week – the IP is in the Suspicious List.
3- Source IP has been used to access Account XYZ; both IP Address a.b.c.d & Account XYZ are escalated to the Investigation List.
Pattern Discovery – To find fraudulent behaviours that might not yet have been captured in a rule definition.
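The escalation-list process and the multi-path risk score described above, as an added Python example that is not FraudView code. The three numbered steps on the slide are replayed against constructed data: a phone authentication that fails twice, a source IP that scanned the website, and that IP then accessing the account. The class, the list names as keys, the scoring weights, the country-of-concern and payee placeholders, and the "five times the typical amount" threshold are all assumptions made here.

```python
# Constructed placeholders: not real country codes or payee identifiers
COUNTRIES_OF_CONCERN = {"XX"}
SUSPICIOUS_PAYEES = {"PAYEE-PLACEHOLDER-1"}


class FraudEngine:
    """Escalation lists plus a multi-path risk score with weights chosen for this demo."""

    def __init__(self):
        self.watch, self.suspicious, self.investigate = set(), set(), set()
        self.phone_auth_failures = {}  # account -> consecutive phone-auth failures

    # Escalation list process
    def phone_auth_failed(self, account):
        n = self.phone_auth_failures.get(account, 0) + 1
        self.phone_auth_failures[account] = n
        if n >= 2:  # second failure: the account goes on the Watch List
            self.watch.add(("account", account))
        return n

    def scan_observed(self, source_ip):
        self.suspicious.add(("ip", source_ip))  # source that scanned the website

    def account_access(self, source_ip, account):
        """A listed IP touching a listed account escalates both to Investigate."""
        ip_key, acct_key = ("ip", source_ip), ("account", account)
        if ip_key in (self.suspicious | self.investigate) and \
                acct_key in (self.watch | self.suspicious | self.investigate):
            self.investigate.update({ip_key, acct_key})
            return True
        return False

    def listed(self, key):
        """Names of the escalation lists that currently contain the key."""
        lists = (("watch", self.watch), ("suspicious", self.suspicious), ("investigate", self.investigate))
        return {name for name, members in lists if key in members}

    # Risk scoring engine
    def risk_score(self, txn):
        """Sum device, account, transaction and destination risk; capped at 100."""
        score, reasons = 0, []
        # Device risk
        if self.listed(("ip", txn["source_ip"])):
            score += 30
            reasons.append("source IP on an escalation list")
        if txn.get("source_country") in COUNTRIES_OF_CONCERN:
            score += 15
            reasons.append("source country of concern")
        # Account risk
        if self.listed(("account", txn["account"])):
            score += 25
            reasons.append("account on an escalation list")
        # Transaction risk: amount far above what this account usually moves
        if txn["amount"] > 5 * txn.get("typical_amount", txn["amount"]):
            score += 20
            reasons.append("amount far above typical")
        # Destination risk
        if txn.get("payee") in SUSPICIOUS_PAYEES:
            score += 20
            reasons.append("suspicious payee")
        if txn.get("payee_country") in COUNTRIES_OF_CONCERN:
            score += 10
            reasons.append("payee country of concern")
        return min(100, score), reasons


def run_scenario():
    """Replay the slide's three steps with constructed identifiers."""
    eng = FraudEngine()
    eng.scan_observed("198.51.100.7")        # last week: website scanned from this IP
    eng.phone_auth_failed("XYZ")             # first phone-auth failure: nothing yet
    eng.phone_auth_failed("XYZ")             # second failure: Watch List
    escalated = eng.account_access("198.51.100.7", "XYZ")  # both go to Investigate
    score, reasons = eng.risk_score({
        "source_ip": "198.51.100.7", "account": "XYZ",
        "amount": 3000, "typical_amount": 800,
        "payee": "PAYEE-PLACEHOLDER-1", "payee_country": "XX",
    })
    return eng, escalated, score, reasons
```

Keeping the lists as sets of typed keys lets one escalation path (the phone failures) and another (the scan) meet in `account_access` without either knowing about the other, which is the point of the multi-engine design on the slide.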
Why is ArcSight Winning? What Makes ArcSight Unique.
Deploying the Platform
ArcSight can be deployed to support a range of requirements
Alerting/Compliance Reporting
• ArcSight Logger • Report focus • Basic audit compliance
• Log collection and retention • Invest in report building • Delayed incident response
Fully Staffed SOC
• ArcSight Logger • ArcSight ESM • Pattern Discovery • Advanced correlation • Live Dashboard focus
• 24x7 operations • Invest in ongoing staffing • Live incident response
Virtual SOC
• Lights out operations • Invest in upfront automation • Basic analysis/investigation
• ArcSight Logger • ArcSight ESM • ArcSight Express • Limited correlation • Email notification focus
Deployment: Simple to Start, Easy to Grow
Log Management: • Live Alerting • Data Collection/Storage • Reporting • Single Appliance
Advanced Correlation: • Dashboards • Correlation Rules • Trend Reporting • Activity Profiling
Automated Response: • Workflow-based lockdown
Connectors -> More Connectors
What Makes ArcSight Unique
Unmatched in Collection, Correlation and Scale
ArcSight – Collection (1/2)
- Largest Supported Products base – 275+ products, 100+ vendors, 35+ categories – FlexConnectors (for in-house device/source support)
- Audit quality data – Integrity measures as data is received (FISMA requirement - NIST 800-92 recommendation)
- Common Event Format
ArcSight – Correlation (1/2)
- Pre-packaged, extensible content – For regulatory compliance & security – Includes report templates, trending & dashboards.
- Real-time Correlation & Alerting – Simple and meaningful alerts. – Device independent correlation.
- Context-based Correlation – Based on vulnerability, asset & user context – Criticality based model
- Response management – Native workflow, helpdesk integrations – Integrated comprehensive and intelligent rules based response for network/security devices
Correlation Engine inputs: Who (User Identity), Where (Contextual Analysis), What (Asset Value), When (Time Window), How (Correlation Engine)
User Model – High-Impact Users
- Role: Does the event match the role of the person performing it?
- User Profiling: Is this normal behavior?
- Identity: Who was “behind the IP address?”
- Policy: Impact of this event on business risk?
Asset Model – High-Impact Assets
- Susceptibility: Is the asset susceptible to the specific attack?
- Attack History: History with this target?
- Asset Criticality: How important is this asset to the business?
- Device Severity: Assign severity levels to device classes
ArcSight – Correlation (2/2)
- Activity Profiling Engine – Discover patterns in large collections of events that have already occurred. – Can profile good and bad behaviors – Machine-discovered patterns can be turned into correlation rules
Better security through more effective rules.
ArcSight – Scale
- Centralized and/or Distributed collection – Controls for security, reliability, batching, integrity checks along with bandwidth controls – Unique support for highly distributed environments
- Form factor flexibility & Range of Appliances – Highest performance/price return (EPS/$)
  • Up to 100K EPS (Events Per Second) / appliance with linear scalability
  – Complete ArcSight platform (Connectors – Logger – ESM - TRM) is available in a range of modular & turnkey appliances
  – Added flexibility of software deployments for ESM and connectors
- Cost effective scalable long term storage – Up to 50TB of raw data capacity for long term storage appliance with linear scalability (peer) – Support for external storage (NAS, SAN) – Support for multiple retention policies.
ArcSight Threat Response Module
So Why Choose ArcSight?
Best products – Most market share, most awards, proven over years.
Broadest customer base – Strong experience solving the challenges in your industry.
Future proof – Insulate you from tomorrow’s technology decisions.
Summary
SIEM Leader’s Quadrant SIX Years Running (Most Visionary)
Market Share Leader
Protect Your Business - Choose the Best
- Proven, integrated products for monitoring and controlling security and risk
- Deployable together or incrementally
- Designed to fit within today’s IT environment while insulating tomorrow’s decisions
Collect, Monitor, Audit, Respond
Thank You
Jean-Luc Labbe
Southern EMEA Sales Engineer
Cell +39 335 879 0307
jlabbe@arcsight.com