ArcSight is a leading provider of security and compliance management solutions that intelligently identify and mitigate business risk for enterprises, MSSPs and government agencies.
Designed with the needs of highly complex, geographically dispersed and heterogeneous business and technology infrastructures in mind, ArcSight provides the industry’s only vendor-neutral solution for intelligent identification, prioritization and network response to external security attacks, insider threats and compliance breaches.
ArcSight Connectors
Call for Price – 0845 065 8243
Event Collection
Organizations collect log data for a variety of uses ranging from security monitoring to IT operations and from regulatory compliance to fraud detection. Event logs are generated throughout an organization in a large variety of formats.
ArcSight Connectors solve the problem of managing log records in hundreds of different formats. While the ArcSight SIEM Platform can collect log records in native formats, ArcSight Connectors provide normalization to a common format, which greatly improves reporting and analysis. By normalizing all events into one common event taxonomy, ArcSight Connectors decouple analysis from vendor selection. This approach has three significant advantages:
- Future Proofing – If a Cisco router is swapped for a Juniper router or if a new SQL database is added to a network that previously only had Oracle, no reporting or rules changes are required and the organization retains continuous visibility into all activity.
- Ease of Analysis – ArcSight’s common event format eliminates the need for end users to be familiar with hundreds of different log syntaxes across products. As a result, non-technical line of business users can easily conduct analysis on their own, reducing the burden on IT.
- Universal Content Relevance – With ArcSight’s normalized format, a report that shows “authentication failures” will cover every system automatically, even though one application may refer to authentication failures with a specific event ID while a database refers to the same as an “unsuccessful login.”
This unique architecture is supported across hundreds of commercial products out of the box as well as legacy systems. ArcSight Connectors also offer various audit quality controls including secure, reliable transmission and bandwidth controls. In addition to software-based deployments, ArcSight Connectors are available in a range of plug-and-play appliances that can cost-effectively scale from small store or branch office locations to large data centers. Connector appliances enable rapid deployment and eliminate delays associated with hardware selection, procurement and testing.
ArcSight ESM
ArcSight ESM Enterprise Security Manager
Event management takes the step beyond storage and alerting to provide real-time monitoring, historic analysis and automated response necessary to manage the higher level of risk associated with doing business in today’s digital world. ArcSight delivers real-time event management with ArcSight ESM. As a key component of the ArcSight SIEM Platform, ArcSight ESM delivers “forensics on the fly,” the ability to drill down from an alert to the source events that triggered the alert.
The advanced real-time correlation capability of ArcSight ESM identifies the relevance of any given event by placing it within context of who, what, where, when and why that event occurred and its impact on business risk. ArcSight ESM correlates incoming events with asset prioritization and vulnerability, user activity, and threat history to deliver accurate and automated prioritization of security risks and compliance violations. The powerful correlation engine of ArcSight ESM processes many millions of log entries down to the few critical events that matter. These incidents are then presented through real-time dashboards, notifications, or reports to the security administrator.
With built-in concepts of network asset and user models, ArcSight ESM is uniquely able to understand who is on the network, what data they are seeing, and which actions they are taking with that data.
Once risks are identified, ArcSight ESM provides a built-in workflow engine that guides risk containment activities including case management and handing off the threat information to ArcSight Threat Response Manager (TRM), for threat isolation and remediation options.
Event-Driven Automatic Response
ArcSight TRM, the optional response engine for ESM, pinpoints the exact location of threats on your network, presents available response actions, and allows the operator to respond immediately with specific, policy-based actions within a self-documenting and auditable framework. Possible response actions include:
- Disabling the source of the threat, including changing user privileges and turning off access rights for the suspicious user accounts
- Limiting the actions that are possible from a suspicious source
- Placing systems in separate out-of-band networks/VLANs
- Taking a complete snapshot of the suspicious system for forensic analysis
Event-Driven Activity Profiling
The ArcSight ESM Pattern Discovery module mines historical trends to baseline and profile expected behavior. This allows automatic detection of aberrant activity in the environment, which can be used to detect policy violations or suspicious or fraudulent activities. Pattern Discovery detects repeating patterns across a wide variety of sources including users, sensitive data, applications, systems and network assets. Administrators can then use the discovered patterns as a basis for policies that govern authorized or restricted activity, thus improving their overall risk posture.
ArcSight ESM is available either as installable software or as a rack-mountable appliance.
Appliance Specifications
- Model – E7100
- EPS (Sustained) – 5000 EPS/3000 EPS
- OS – Oracle Linux (RedHat variant)
- CPU – 2x Quad-Core Intel Xeon (2.0GHz)
- RAM – 16GB
- Interfaces – 2 x 10/100/1000 CX
- Storage – 6x 400GB – Serial Attached SCSI (SAS) disks in RAID-10
- Chassis – 2U rack-mountable appliance
- Power – 2x 750W Redundant
- Thermal – 2700 BTU
- Weight – 61 lbs (27 kg)
- Dimensions (DxWxH) – 29.3″x 17.2″x 3.4″
Minimum System Requirements – ArcSight ESM Manager Software
- Supported OS – RedHat Linux, MS Windows Server 2003 32- or 64-bit, IBM AIX 5L 5.3 64-bit, Solaris 9/10 32- or 64-bit
Hardware Requirements
- Linux or Windows – x86 Multi-Core CPU at least 1.0 GHz, 2-4 GB RAM and 2GB disk space
- IBM AIX – PPC Multi-CPU with 16 GB RAM and 2 GB disk space
- Sun Solaris – Sparc Multi-CPU system with 2-4 GB RAM and 2 GB disk space
ArcSight Express
ArcSight Express – Comprehensive perimeter monitoring
In the modern networked world, organizations of all sizes are at risk of attack from both the inside and outside. Malware, breaches, and regulations (and associated penalties) continue to increase. Unfortunately for most mid-size firms, the security staff is not increasing, but in many cases is declining. These organizations do not have a dedicated staff of security administrators, and many firms have almost no security expertise on staff at all.
However, these firms, like their larger counterparts, must manage and secure valuable information such as financial records, private customer data, and intellectual property. These organizations are often subject to the same legal mandates as their larger competitors, who have bigger security and compliance budgets and more resources. A recent analysis by the Small Business Technology Institute showed that over half of the companies surveyed lack the funding, expertise, and dedicated resources to put good security practices in place.
For organizations struggling to improve security and compliance with reduced budgets and time, ArcSight Express delivers world-class security monitoring in a simple, cost-effective appliance solution.
ArcSight Express includes a set of rules, reports, alerts and dashboards that allow smaller security teams to gain visibility into their environment on the first day, with no rule/report development required. Already-stretched IT teams do not have to define and build extensive content on a development platform. ArcSight Express automates security incident detection, prioritization and resolution – operations that may otherwise require a staffed Security Operations Center (SOC) can be managed via email, SMS or pager notifications.
ArcSight Express acts as your Security Expert “In a Box” by addressing these and other key security and compliance challenges:
- Bots, Worms, and Viruses
- Hacker Detection
- Bandwidth Hogs and Policy Violation
- Unauthorized Application and System Access Detection
- VPN Sneak Attack Detection
- System and User Impact
- Compliance Audit Readiness
ArcSight Express addresses regulatory mandates through a set of common monitoring controls that can be applied to multiple regulations. With ArcSight Express’ pre-built rules, reports, alerts and dashboards, companies can demonstrate compliance with Sarbanes-Oxley, PCI DSS, Gramm-Leach-Bliley, FISMA, Basel II and HIPAA. ArcSight Express can also be extended with ArcSight Compliance Insight Packs, specialized solution modules designed to deliver full reporting against specific regulations.
ArcSight Logger
ArcSight Logger – Log Management
Log Management is typically used to streamline compliance audits, enhance security posture, and adhere to service level agreements. Effective log management requires broad event collection, efficient storage and straightforward analysis of large amounts of log data. ArcSight Logger uniquely addresses those challenges along with simplicity in deployment and management, small to enterprise scale, and elimination of tradeoffs between performance and efficiency.
By leveraging the event normalization abilities of ArcSight Connectors, ArcSight Logger can manage and report on log data from hundreds of types of commercial products. It can also easily manage raw events in syslog or other formats based on customer preference.
Many customers capture logs for compliance reporting, and so efficient storage is important. ArcSight Logger can store an effective 35 TB of log data on a single appliance, and can also be deployed to work with SAN-based storage. In either case, ArcSight Logger provides a variety of means to ensure audit-quality log data storage.
A key differentiator for ArcSight Logger is the ability to drill down from alerts and reports directly to the source events behind each alert and report. As a result, customers using ArcSight Logger enjoy the ability to perform “forensics on the fly”, without the need to run new reports to understand why an alert occurred. The benefit is faster response and less time spent researching alerts. High performance search and reporting can reduce hours of manual effort down to minutes or seconds, but too many solutions deliver analysis performance only by compromising collection rates and storage efficiency. Only ArcSight offers Log Management without compromising performance or efficiency!
Alerts and reports can be presented through a personalized portal, or sent to other systems such as email or SNMP consoles. Through ArcSight Compliance Reporting modules, customers gain the benefit of best practices for specific regulations, packaged as pre-built rules, reports, alerts, and dashboards.
ArcSight Logger appliances are available in a range of performance options and price points for organizations of any size. Specialized configurations, such as the ArcSight PCI Logger, offer an all-in-one turnkey appliance for collection, storage, and pre-packaged audit content so that small merchants can jumpstart their PCI initiative with minimal effort. Large distributed organizations benefit from the ability to scale collection and storage layers across remote locations and data centers.









