
Technology Day

Geneva, 17 March 2010


Jean-Luc Labbe
ArcSight
Southern EMEA Sales Engineer
Cell +39 335 879 0307
jlabbe@arcsight.com

18/03/2010 © 2010 ArcSight Confidential 1


ArcSight - Company Overview

Company Background
 Founded May 2000
 2000+ customers
 450+ employees, offices worldwide
 NASDAQ: ARST

Analyst Recognition
 SIEM Leader’s Quadrant - SIX years running
 #1 in Market Share – Last three reports
 #1 In-use for both SIEM & Log Management

Industry Recognition


Agenda
- Log collection and normalization, the first step of analysis
- With ArcSight Express, correlation at a lower cost



The Real Challenge

Millions of events generated per day

No central point of collection and analysis

Too difficult to manage security and risk

Event sources: Network Devices, Security Devices, Physical Access, Mobile Devices, Servers, Desktop, Identity Sources, Email, Databases, Apps



Reduce Risk by Understanding the Big Picture

Connect the dots

 Collect information everywhere


 Analyze it for a clear picture
 Take action to resolve problems early



Understanding the Big Picture

SIEM enables centralized visibility of enterprise events

Event sources: Network Devices, Security Devices, Physical Access, Mobile Devices, Servers, Desktop, Identity Sources, Email, Databases, Apps



ArcSight - Centralized Security Monitoring Platform

An integrated product set for collecting and assessing security and risk information.

Module Layer (Rules, Reports/Logic): IdentityView, FraudView, Regulatory, Business, EnterpriseView, 3rd Party
Response Layer: ArcSight Guided Threat Response Module
Core Engine Layer: ArcSight ESM (Event Correlation), ArcSight Logger (Log Management)
Integration Layer (Data Collection): ArcSight Connectors

Event sources: Network Devices, Security Devices, Physical Access, Mobile Devices, Servers, Desktop, Identity Sources, Email, Databases, Apps



Integration & Core Engine Layers – Flows & Interactions

Auto Response: ArcSight Threat Response Manager
Correlation: ArcSight ESM
Log Management: ArcSight Logger
Integration Layer: ArcSight Smart Connectors

Event sources: Network Devices, Security Devices, Physical Access, Mobile Devices, Servers, Desktop, Identity Sources, Email, Databases, Apps



Integration Layer



Integration Layer – ArcSight Connectors

Connectors
 Collect in native log format from 275+ types of products
 Normalize to a common format
 Send to centralized engines via secure, reliable delivery

Available as:
- Rackable Appliances (Connector Appliance)
- Branch Office/Store Appliance (Connector Appliance)
- Installable Software

Benefit: Insulates device choices from analysis



ArcSight Connectors - 275+ Products, 50+ Categories, 80+ Partners

Categories: Access and Identity, Anti-Virus, Applications, Content Security, Data Security, Database, Firewalls, Honeypot, Host IDS/IPS, Integrated Security, Log Consolidation, Mail Filtering, Mail Server, Mainframe, NBAD, Net Traffic Analysis, Network IDS/IPS, Network Management, Network Monitoring, Operating System, Policy Management, Router, Security Management, Switch, VPN, Vulnerability Mgmt, Web Cache, Web Filtering, Web Server, Wireless



ArcSight Connectors - Primary Functions

A raw event passes through four layers in the ArcSight SmartConnectors and leaves as an ArcSight event:
- Event Extraction Layer (raw event in)
- Normalization Layer
- Categorization Layer
- Delivery Layer (ArcSight event out)
ArcSight Connectors - Event Extraction Layer

Agent OR Agentless

Event Sources:
- Syslog
- SNMP Traps
- Files (Delimited, RegEx, XML)
- ODBC Databases
- Custom (Flex API)

Event Extraction Layer Capabilities:
- Filtering
- Aggregation
- Field Mapping
- Polling Options

ArcSight SmartConnectors



ArcSight Connectors - Normalization Layer

Raw event (Cisco PIX):
Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside

Normalization Layer output (ArcSight SmartConnectors):

| Time (Event Time) | Event name | Device Vendor | deviceProduct | Category Behavior | Category DeviceGroup | Category Outcome | Category Significance |
| 6/17/2009 9:29 | Deny | CISCO | Pix | /Access | /Firewall | /Failure | /Informational/Warning |
| 6/17/2009 9:30 | Deny | NetScreen | Firewall/VPN | /Access/Start | /Firewall | /Failure | /Informational/Warning |
| 6/17/2009 9:31 | Deny | CISCO | Pix | /Access | /Firewall | /Failure | /Informational/Warning |
| 6/17/2009 9:32 | Deny | NetScreen | Firewall/VPN | /Access/Start | /Firewall | /Failure | /Informational/Warning |



ArcSight Connectors - Categorization Layer

Failed logins across the enterprise as simple as:


“/Authentication/Verify” AND “/Failure”

Raw events with the same meaning from three vendors, before the Categorization Layer:
Jun 02 2005 12:16:03: CISCO PIX: PERMIT TCP
Jun 02 2005 12:16:03: CHECK POINT: ALLOW TCP
Jun 02 2005 12:16:03: NETSCREEN: ACCEPT TCP

ArcSight SmartConnectors

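As an added illustration of the normalization and categorization layers on the two preceding slides (example code written for this page, not ArcSight connector code): a small Python parser that extracts fields from constructed PIX, Check Point and NetScreen lines, fills the common fields shown in the normalization table, assigns category fields so that PERMIT/ALLOW/ACCEPT and Deny/DENY collapse into one taxonomy, and renders the result as an ArcSight CEF line. The regular expressions, the product name used for Check Point, the severity mapping and the sample lines are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events (not captured from real devices). Their shapes follow
# the PIX, Check Point and NetScreen lines quoted on the slides; addresses and
# ports are illustrative.
RAW_EVENTS = [
    "Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from "
    "10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside",
    "Jun 02 2005 12:16:03: CISCO PIX: PERMIT TCP 10.50.215.102/15606 to 204.110.227.16/443",
    "Jun 02 2005 12:16:03: CHECK POINT: ALLOW TCP 10.50.215.103/40001 to 204.110.227.16/80",
    "Jun 02 2005 12:16:03: NETSCREEN: ACCEPT TCP 10.50.215.104/40002 to 204.110.227.16/22",
    "Jun 02 2005 12:16:04: NETSCREEN: DENY TCP 10.50.215.104/40003 to 204.110.227.16/23",
]

TS = r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
ENDPOINTS = r"(?P<src>[\d.]+)/(?P<spt>\d+) to (?P<dst>[\d.]+)/(?P<dpt>\d+)"
# Vendor-specific extraction patterns (assumed; written for the sample lines above).
PIX_RE = re.compile(TS + r": %PIX-\d-(?P<msgid>\d+): (?P<action>\w+) (?P<proto>\w+) .*?from " + ENDPOINTS)
GENERIC_RE = re.compile(TS + r": (?P<vendor>CISCO PIX|CHECK POINT|NETSCREEN): "
                        r"(?P<action>\w+) (?P<proto>\w+) " + ENDPOINTS)
# deviceVendor/deviceProduct values (assumed mapping; only CISCO/Pix and
# NetScreen/Firewall/VPN appear on the slides).
VENDOR_PRODUCT = {
    "CISCO PIX": ("CISCO", "Pix"),
    "CHECK POINT": ("Check Point", "Firewall"),
    "NETSCREEN": ("NetScreen", "Firewall/VPN"),
}
PERMIT_WORDS = {"PERMIT", "ALLOW", "ACCEPT"}
DENY_WORDS = {"DENY", "DROP", "REJECT"}


@dataclass
class NormalizedEvent:
    event_time: str
    name: str
    device_vendor: str
    device_product: str
    src: str
    spt: int
    dst: str
    dpt: int
    proto: str
    category_behavior: str = ""
    category_device_group: str = ""
    category_outcome: str = ""
    category_significance: str = ""


def normalize(raw: str) -> Optional[NormalizedEvent]:
    """Normalization layer: map one raw line onto the common field names."""
    m = PIX_RE.match(raw)
    vendor_key = "CISCO PIX"
    if m is None:
        m = GENERIC_RE.match(raw)
        if m is None:
            return None          # unknown format: would need its own (Flex) parser
        vendor_key = m["vendor"]
    vendor, product = VENDOR_PRODUCT[vendor_key]
    return NormalizedEvent(event_time=m["ts"], name=m["action"].capitalize(),
                           device_vendor=vendor, device_product=product,
                           src=m["src"], spt=int(m["spt"]), dst=m["dst"], dpt=int(m["dpt"]),
                           proto=m["proto"])


def categorize(ev: NormalizedEvent) -> NormalizedEvent:
    """Categorization layer: vendor words become one device-independent taxonomy."""
    action = ev.name.upper()
    ev.category_device_group = "/Firewall"
    if action in PERMIT_WORDS:
        ev.category_behavior, ev.category_outcome = "/Access/Start", "/Success"
        ev.category_significance = "/Informational"
    elif action in DENY_WORDS:
        ev.category_behavior, ev.category_outcome = "/Access", "/Failure"
        ev.category_significance = "/Informational/Warning"
    else:
        ev.category_behavior, ev.category_outcome = "/Access", "/Unknown"
        ev.category_significance = "/Informational"
    return ev


def to_cef(ev: NormalizedEvent) -> str:
    """Render as CEF: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    severity = 3 if ev.category_outcome == "/Failure" else 1      # constructed mapping
    extension = (f"src={ev.src} spt={ev.spt} dst={ev.dst} dpt={ev.dpt} proto={ev.proto} "
                 f"act={ev.name} cat={ev.category_behavior}{ev.category_outcome}")
    return f"CEF:0|{ev.device_vendor}|{ev.device_product}|1.0|{ev.name}|{ev.name} {ev.proto}|{severity}|{extension}"


def process(raw_lines: List[str]) -> List[NormalizedEvent]:
    """Run extraction, normalization and categorization over a list of raw lines."""
    parsed = [normalize(line) for line in raw_lines]
    return [categorize(ev) for ev in parsed if ev is not None]


def failed_access(events: List[NormalizedEvent]) -> List[NormalizedEvent]:
    """The slide's idea: one category predicate instead of a regex per vendor."""
    return [ev for ev in events
            if ev.category_behavior.startswith("/Access") and ev.category_outcome == "/Failure"]


if __name__ == "__main__":
    for event in process(RAW_EVENTS):
        print(to_cef(event))
```

The query in failed_access() is the point of the categorization layer: once every firewall's deny is "/Access" plus "/Failure", the same predicate works for all of them, which is how the slide's "/Authentication/Verify AND /Failure" example works for logins.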


ArcSight Connectors - Delivery Layer

- Encryption (Capable of FIPS 140-2 Encryption)
- Compression (Up to 80% over the wire compression)
- Split Feeds (Each feed has independent cache)
- Bandwidth Management (Rate Limiting based on Time of Day)
- HA (Failover Configuration)

Delivery Layer capabilities (ArcSight SmartConnectors, between the Event Sources and the ArcSight Destinations ESM and Logger): Guaranteed Delivery, Batching, Scheduling, Cache, Encrypted and/or Compressed, Split Feeds, Rate Limiting, Fail-Over

Many options, scenarios…
- DestinationA_FilterA or DestinationB_FilterB or ...
- Failover
- HA

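To make the delivery-layer options above concrete (an added example, not ArcSight code): a Python model of a connector with two split feeds, each with its own filter and its own cache, a primary destination with a failover, batching, and a per-hour budget standing in for time-of-day rate limiting. Events that neither destination accepts stay in that feed's cache only, so an outage on the ESM feed does not hold back the Logger feed. The class names and the scenario in demo() are constructed for this example.

```python
from collections import deque
from typing import Callable, Deque, Dict, List, Optional


class Destination:
    """A receiving engine such as ESM or Logger; `up` is toggled to simulate an outage."""

    def __init__(self, name: str, up: bool = True) -> None:
        self.name, self.up = name, up
        self.received: List[dict] = []

    def send(self, batch: List[dict]) -> None:
        if not self.up:
            raise ConnectionError(self.name)
        self.received.extend(batch)


class Feed:
    """One split feed: its own filter, its own cache, a primary destination and a failover.

    rate_limit maps hour-of-day to the maximum events per flush (absent = unlimited) and
    stands in for time-of-day bandwidth management; batch_size stands in for batching.
    """

    def __init__(self, name: str, predicate: Callable[[dict], bool], primary: Destination,
                 failover: Optional[Destination] = None, batch_size: int = 2,
                 max_cache: int = 1000, rate_limit: Optional[Dict[int, int]] = None) -> None:
        self.name, self.predicate = name, predicate
        self.primary, self.failover = primary, failover
        self.batch_size, self.max_cache = batch_size, max_cache
        self.rate_limit = rate_limit or {}
        self.cache: Deque[dict] = deque()      # independent of every other feed's cache
        self.dropped = 0

    def offer(self, event: dict) -> None:
        """Filter, then cache. A full cache drops its oldest event and counts the loss."""
        if not self.predicate(event):
            return
        if len(self.cache) >= self.max_cache:
            self.cache.popleft()
            self.dropped += 1
        self.cache.append(event)

    def flush(self, hour: int) -> int:
        """Deliver cached events in batches within this hour's budget. Returns the number
        delivered; whatever neither destination accepts stays in this feed's cache."""
        budget = self.rate_limit.get(hour)
        sent = 0
        while self.cache and (budget is None or sent < budget):
            n = min(self.batch_size, len(self.cache))
            if budget is not None:
                n = min(n, budget - sent)
            batch = [self.cache.popleft() for _ in range(n)]
            delivered = False
            for dest in (self.primary, self.failover):    # primary first, then failover
                if dest is None:
                    continue
                try:
                    dest.send(batch)
                    delivered = True
                    break
                except ConnectionError:
                    continue
            if not delivered:
                self.cache.extendleft(reversed(batch))    # put the batch back, in order
                break
            sent += n
        return sent


class Connector:
    def __init__(self, feeds: List[Feed]) -> None:
        self.feeds = feeds

    def receive(self, event: dict) -> None:
        for feed in self.feeds:
            feed.offer(event)

    def flush(self, hour: int) -> Dict[str, int]:
        return {feed.name: feed.flush(hour) for feed in self.feeds}


def demo() -> Dict[str, object]:
    """Constructed scenario: ESM primary down with a standby up; Logger rate-limited at 09:00."""
    esm = Destination("ESM", up=False)
    esm_standby = Destination("ESM-standby")
    logger = Destination("Logger")
    feed_a = Feed("A_failures", lambda e: e["outcome"] == "/Failure", esm, failover=esm_standby)
    feed_b = Feed("B_all", lambda e: True, logger, rate_limit={9: 3})   # 3 events per flush at 09:00
    conn = Connector([feed_a, feed_b])
    for i in range(10):                    # constructed events: every third one is a failure
        conn.receive({"id": i, "outcome": "/Failure" if i % 3 == 0 else "/Success"})
    first = conn.flush(hour=9)
    second = conn.flush(hour=2)
    return {"first": first, "second": second, "esm": len(esm.received),
            "standby": len(esm_standby.received), "logger": len(logger.received),
            "cached_b": len(feed_b.cache)}
```

In demo() the failure-only feed reaches the standby ESM on the first flush, while the all-events feed to Logger delivers only three events during the rate-limited hour and the remaining seven at 02:00.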


Integration Layer – Connector Appliance Specifications

| Model | C1000 | C3200 | C5200 |
| Management | Web browser, CLI | Web browser, CLI | Web browser, CLI |
| OS | CentOS 4.6 64-bit | Oracle Enterprise Linux 4 64-bit | Oracle Enterprise Linux 4 64-bit |
| Max EPS | 400 | 2500 | 5000 |
| Onboard Connectors | 4 | 16 | 32 |
| Remote Connector Management | No | Up to 500 | Up to 1000 |
| Max Devices | By EPS only | By EPS only | By EPS only |
| CPU | 1 x Intel Celeron 220 1.2 GHz | 1 x Intel Xeon Quad Core | 2 x Intel Xeon Quad Core |
| RAM | 1GB | 6GB | 12GB |
| Storage | 120GB | 500GB | 2 x 500GB - RAID1 |
| Chassis | Table Top | 1U | 1U |
| Power | External (100 - 240 VAC) | 480 W (100 - 240 VAC) | 2 x 500 W (100 - 240 VAC) |
| Redundant Power | No | Yes | Yes |
| Ethernet Interfaces | 1 x Fast Ethernet | 2 x Gigabit Ethernet | 2 x Gigabit Ethernet |
| Dimensions (D x W x H) | 10.83" x 8.27" x 2.56" | 24.7" x 17.1" x 1.7" | 24.7" x 17.1" x 1.7" |
Actual performance will depend on factors specific to a user's environment.



Log Management



Core Engine Layer - Log Management

ArcSight Logger


 Efficient, self-managed archiving of terabytes of log data
 Raw or normalized format
 Pre-built reporting for security or compliance needs

Available as:

- Data Center Log Storage & Management Appliance (35 TB max)
- SAN-Based Log Management Appliance
- SMB/Regional Log Storage & Management Appliance

Benefit: Cost-efficient compliance retention/reporting



Logger – Efficient & Intelligent Storage (1/2)

• Up to 50TB of online data per appliance


• Onboard & External (SAN) storage options
• Automatic archival
• Analyze across onboard and externally archived data
• Granular role-based access controls
• Automated enforcement of multiple retention policies

(Diagram: Logger appliances on the LAN with external SAN and NAS storage)



Logger – Efficient & Intelligent Storage (2/2)

Each Storage Group can have a different retention policy, which is specified in terms of the number of days that events are stored and an overall maximum size in GB.

Storage Rules create a mapping between the Device Groups and the Storage Groups. Each Storage Rule has a unique priority value, and the lower value has the higher priority.

Logger 4 supports up to 6 Storage Groups (Internal SG + Default SG + 4 SGs that you can create).

Events from specific IP addresses can be routed to particular Storage Groups, making it possible to store all router events, for example, to a Storage Group with a short retention period, and business/critical host events to another Storage Group with a longer retention period.

(Diagram: Devices A-H -> Device Groups 1-3 -> Storage Rules with priority 5, 10 and 15 -> Storage Groups 1 and 2 -> Storage Volume)

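The storage routing described on the preceding slide, as an added Python example (not Logger code): storage groups with a retention policy (days and maximum GB), storage rules with unique priorities where the lowest value wins, routing of a device's events by its device-group membership with a fallback to the Default group, the six-group limit, and a retention pass. Evicting the oldest events when a group exceeds its maximum size is my reading of the size part of the policy; the IP addresses, group names and event sizes are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

MAX_STORAGE_GROUPS = 6   # Logger 4: Internal SG + Default SG + 4 that you can create


@dataclass
class StorageGroup:
    name: str
    retention_days: int                 # retention policy: days events are kept
    max_size_gb: float                  # retention policy: overall maximum size
    used_gb: float = 0.0
    events: List[dict] = field(default_factory=list)


@dataclass(frozen=True)
class StorageRule:
    priority: int                       # unique; the lower value has the higher priority
    device_group: str
    storage_group: str


class StorageRouter:
    """Routes events (dicts with 'device', 'time', 'size_gb') to storage groups via rules."""

    def __init__(self) -> None:
        self.groups: Dict[str, StorageGroup] = {
            "Internal": StorageGroup("Internal", 365, 10.0),
            "Default": StorageGroup("Default", 30, 100.0),
        }
        self.device_groups: Dict[str, Set[str]] = {}   # device group name -> device IPs
        self.rules: List[StorageRule] = []
        self.evicted = 0

    def add_storage_group(self, name: str, retention_days: int, max_size_gb: float) -> StorageGroup:
        if len(self.groups) >= MAX_STORAGE_GROUPS:
            raise ValueError(f"at most {MAX_STORAGE_GROUPS} storage groups are supported")
        self.groups[name] = StorageGroup(name, retention_days, max_size_gb)
        return self.groups[name]

    def add_rule(self, rule: StorageRule) -> None:
        if any(r.priority == rule.priority for r in self.rules):
            raise ValueError(f"priority {rule.priority} is already in use")
        if rule.storage_group not in self.groups or rule.device_group not in self.device_groups:
            raise KeyError("rule references an unknown device group or storage group")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority)    # lowest value first

    def route(self, device_ip: str) -> str:
        for rule in self.rules:                      # first match = highest-priority rule
            if device_ip in self.device_groups[rule.device_group]:
                return rule.storage_group
        return "Default"                             # no rule matched

    def store(self, event: dict) -> str:
        sg = self.groups[self.route(event["device"])]
        sg.events.append(event)
        sg.used_gb += event["size_gb"]
        # Size part of the policy (assumed behaviour): drop the oldest events once the
        # group is over its cap.
        while sg.used_gb > sg.max_size_gb and len(sg.events) > 1:
            oldest = sg.events.pop(0)
            sg.used_gb -= oldest["size_gb"]
            self.evicted += 1
        return sg.name

    def enforce_retention(self, now: datetime) -> Dict[str, int]:
        """Purge events older than each group's retention_days; returns purged counts."""
        purged = {}
        for sg in self.groups.values():
            cutoff = now - timedelta(days=sg.retention_days)
            expired = [e for e in sg.events if e["time"] < cutoff]
            sg.events = [e for e in sg.events if e["time"] >= cutoff]
            sg.used_gb -= sum(e["size_gb"] for e in expired)
            purged[sg.name] = len(expired)
        return purged


def build_example_router() -> StorageRouter:
    """Constructed configuration after the slide: routers to a short-retention group,
    business-critical hosts to a long-retention one; 10.0.0.3 belongs to both groups."""
    r = StorageRouter()
    r.add_storage_group("Routers", retention_days=7, max_size_gb=50.0)
    r.add_storage_group("CriticalHosts", retention_days=90, max_size_gb=500.0)
    r.device_groups["Routers"] = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}
    r.device_groups["CriticalHosts"] = {"10.0.0.3", "10.1.1.10"}
    r.add_rule(StorageRule(priority=5, device_group="CriticalHosts", storage_group="CriticalHosts"))
    r.add_rule(StorageRule(priority=10, device_group="Routers", storage_group="Routers"))
    return r


def run_example() -> dict:
    """Store four constructed events of different ages, then run a retention pass."""
    now = datetime(2010, 3, 17, 12, 0)
    r = build_example_router()
    for ip, age_days in [("10.0.0.1", 10), ("10.0.0.2", 1), ("10.1.1.10", 60), ("10.0.0.3", 100)]:
        r.store({"device": ip, "time": now - timedelta(days=age_days), "size_gb": 1.0})
    stored = {name: len(sg.events) for name, sg in r.groups.items()}
    purged = r.enforce_retention(now)
    return {"routes": {ip: r.route(ip) for ip in ("10.0.0.1", "10.0.0.3", "192.168.5.5")},
            "stored": stored, "purged": purged, "routers_used_gb": r.groups["Routers"].used_gb}
```

Because 10.0.0.3 is both a router and a critical host, the rule with priority 5 wins and its events get the 90-day policy; the retention pass then purges the 10-day-old router event but keeps the 60-day-old critical-host event.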


Logger – Hundreds of Out-of-the-Box Reports

e.g. the PCI Package includes 70 reports based on the PCI DSS



Logger – Using Reports

Quick Run
Runs the report using the default data filtering configuration, which was set at report deploy time.

Run
Provides options to change start and end time parameters, storage groups, and devices included in the scope of the report run. Provides options to modify the data filter criteria used by the report query for this run. You can specify a maximum number of rows to include in the report, and perform various comparison and logical operations on event fields.

Run in Background
Use this option to run reports that take a long time to generate or ones that are not required online immediately.

Published
Displays the list of previously-generated reports that are not yet expired. You can view the user (user name) who generated the report, the generate time, and the expiry time of the report. The report can be viewed as well as deleted from the saved report list.

Edit
Opens the Report Designer for the associated report, where you can make changes to the underlying query the report uses.



Logger – Dive Into A Report Template (Example) 1/3



Logger – Forensics On-the-Fly (Dashboards)



Logger – Google Like Search Anything

“Google Like Search” (search box example: failure windows mjohnson)
 Requires no familiarity with various log syntaxes
 Clean and structured viewing of logs
 Active results for quick drill down

• Unstructured raw text search for fast forensic analysis
• Structured data search to simplify investigations
• Unified analysis across all data for complete visibility and fast detection and remediation of cyber-attacks

ArcSight Cybersecurity survey: More than 75% said they very rarely or hardly ever knew what exactly to look for when researching a cyber attack
Logger – Logger Specifications

| Model | L3200 & L3200-PCI | L7200-SAN | L7200s | L7200x |
| Management | Web browser, CLI (all models) |
| Supported Sources | Raw syslog (TCP/UDP); Raw file-based logs (FTP, SCP, SFTP); Analysis optimized collection for 275+ commercial products; FlexConnector framework for legacy event sources; ArcSight Common Event Format (CEF); ArcSight ESM (all models) |
| OS | Oracle Enterprise Linux 4, 64-bit (all models) |
| Compression | Up to 10:1 (all models) |
| Max Devices | 200 | Unrestricted | 500 | Unrestricted |
| RAW EPS | 2000 | 75000 | 5000 | 100000 |
| Onboard Connectors | 4 | No | No | No |
| Connector EPS | 200 | N/A | N/A | N/A |
| Remote Connector Management | 20 (5 containers) | No | No | No |
| CPU | 1 x Intel Xeon Quad 2.0 GHz | 2 x Intel Xeon Quad 2.0 GHz | 2 x Intel Xeon Quad 2.0 GHz | 2 x Intel Xeon Quad 2.0 GHz |
| RAM | 12GB | 24GB | 24GB | 24GB |
| Storage | 2 x 1TB - RAID1 | External SAN | 6 x 1TB - RAID5 | 6 x 1TB - RAID5 |
| Chassis | 1U | 2U | 2U | 2U |
| Power | 480W (Non-Redundant) | 2 x 870W (Redundant) | 2 x 870W (Redundant) | 2 x 870W (Redundant) |
| Ethernet Interfaces | 2 x 10/100/1000 | 4 x 10/100/1000 | 4 x 10/100/1000 | 4 x 10/100/1000 |
| Host Bus Adapter | N/A | Emulex Lpe 11002 | N/A | N/A |
| Dimensions | 24.7" x 17.1" x 1.7" (all models) |
Actual performance will depend on factors specific to a user's environment.

| Logger Model | Physical Capacity¹ | Effective Capacity | Compression |
| L3200 / L3200-PCI | .78TB | ~7.8TB | Up to 10:1 |
| L7200s/L7200x | 4.2TB | ~42TB | Up to 10:1 |
| L7200-SAN | 5TB² | ~50TB | Up to 10:1 |
¹ Capacity prior to compression.
² Allocate 5.4TB in order to use 5TB.
Correlation



Core Engine Layer - Correlation

ArcSight ESM
 Real-time analysis of business events
 Activity profiling to create baselines for context
 Flexible visualization for role-based presentation

Available as:

Data Center Rackable Appliance Installable Software

Benefit: Focus resources only on important issues



Correlation - Filter Out the Noise and Focus on Key Issues

Correlation Engine inputs:
- Who: User Identity
- What: Asset Value
- Where: Contextual Analysis
- When: Time Window
- How: Correlation Engine

From Millions of Events to Those that Matter


Lifecycle of an Event Through ESM

1- Data collection and event processing


2- Event priority evaluation & network model lookup
3- Correlation: Filters, rules, data monitors
4- Monitoring and investigation
5- Workflow
6- Reporting and incident analysis



Lifecycle of an Event Through ESM (1/6)

The Connector sends the aggregated & filtered events to the ESM…



Lifecycle of an Event Through ESM (2/6)

… where they are evaluated & tagged with Priority Levels and Network Modeling
information.
They are then stored in the ArcSight database and processed through the Correlation
Engine.



Lifecycle of an Event Through ESM (3/6)

Events that have been tagged with Event Categories, Priority Evaluations and Network
Modeling information are processed by the Correlation Engine, where Filters, Rules
and Data Monitors can evaluate them.



Lifecycle of an Event Through ESM (4/6)

Events that have been processed by the Correlation Engine can be monitored on Active
Channels, Dashboards and Event Graphs.



Lifecycle of an Event Through ESM (5/6)

Follow up investigation can be done manually or automatically using ArcSight workflow components.



Lifecycle of an Event Through ESM (6/6)

ArcSight analysis tools work on processed events to produce Reports, discover new patterns and analyze output data using interactive graphics.
Analysis and Reporting tools are highly customizable and can be run manually or scheduled to output data at regular intervals to be viewed by the SOC staff.

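To show steps 2 and 3 of the lifecycle in code (an added example, not ESM's implementation): a constructed asset model is looked up to compute an event priority from device severity, asset criticality, susceptibility to the attack and attack history (the factors named on the later Correlation slide; the formula itself is invented for this example), and a sliding-window correlation rule, written against category fields, raises an alert when one source fails authentication against several hosts within two minutes. The asset entries, signature names and sample events are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed asset/network model (the "network model lookup" of lifecycle step 2).
# Keys are target IPs; every value is invented for this example.
ASSET_MODEL: Dict[str, dict] = {
    "10.1.1.10": {"criticality": 9, "zone": "Finance", "susceptible_to": {"ssh-bruteforce"}, "attack_history": 3},
    "10.1.1.20": {"criticality": 4, "zone": "Dev", "susceptible_to": set(), "attack_history": 0},
    "10.1.1.30": {"criticality": 7, "zone": "HR", "susceptible_to": set(), "attack_history": 1},
}
UNKNOWN_ASSET = {"criticality": 2, "zone": "unmodelled", "susceptible_to": set(), "attack_history": 0}


@dataclass
class Event:
    time: datetime
    src: str
    dst: str
    signature: str
    device_severity: int          # 0-10 as reported by the device
    category_behavior: str
    category_outcome: str
    priority: int = 0             # filled in by evaluate_priority()


def evaluate_priority(ev: Event) -> int:
    """Constructed priority formula (not ArcSight's): device severity scaled by asset
    criticality, plus bonuses when the asset is susceptible to this signature and when it
    has prior attack history; capped at 10."""
    asset = ASSET_MODEL.get(ev.dst, UNKNOWN_ASSET)
    score = ev.device_severity * (0.5 + asset["criticality"] / 10)
    if ev.signature in asset["susceptible_to"]:
        score += 3
    score += min(asset["attack_history"], 2)
    ev.priority = int(min(10, round(score)))
    return ev.priority


def priority_for(dst: str, signature: str = "ssh-bruteforce", device_severity: int = 6) -> int:
    """Convenience wrapper: priority of one failed-authentication event against dst."""
    return evaluate_priority(Event(datetime(2010, 3, 17, 9, 0, 0), "198.51.100.1", dst, signature,
                                   device_severity, "/Authentication/Verify", "/Failure"))


class FailedLoginRule:
    """Sliding-window rule: `threshold` failed authentications from one source against at
    least `min_hosts` distinct targets within `window` fire one alert, then the window resets."""

    def __init__(self, threshold: int = 5, min_hosts: int = 2, window: timedelta = timedelta(minutes=2)) -> None:
        self.threshold, self.min_hosts, self.window = threshold, min_hosts, window
        self.state: Dict[str, Deque[Tuple[datetime, str, int]]] = defaultdict(deque)
        self.alerts: List[dict] = []

    @staticmethod
    def matches(ev: Event) -> bool:
        # The filter is written against category fields, so it is device independent.
        return ev.category_behavior == "/Authentication/Verify" and ev.category_outcome == "/Failure"

    def feed(self, ev: Event) -> Optional[dict]:
        if not self.matches(ev):
            return None
        recent = self.state[ev.src]
        recent.append((ev.time, ev.dst, ev.priority))
        while recent and ev.time - recent[0][0] > self.window:
            recent.popleft()                  # expire events older than the window
        hosts = {dst for _, dst, _ in recent}
        if len(recent) >= self.threshold and len(hosts) >= self.min_hosts:
            alert = {"time": ev.time, "src": ev.src, "hosts": sorted(hosts),
                     "count": len(recent), "priority": max(p for _, _, p in recent)}
            self.alerts.append(alert)
            recent.clear()                    # one alert per burst
            return alert
        return None


def constructed_events() -> List[Event]:
    t0 = datetime(2010, 3, 17, 9, 0, 0)
    auth_fail = ("/Authentication/Verify", "/Failure")
    evs: List[Event] = []
    # 192.0.2.5: six failures in 50 s alternating between two hosts -> should fire
    for i in range(6):
        evs.append(Event(t0 + timedelta(seconds=10 * i), "192.0.2.5",
                         "10.1.1.10" if i % 2 == 0 else "10.1.1.20", "ssh-bruteforce", 6, *auth_fail))
    # ... followed by one success, which the filter ignores
    evs.append(Event(t0 + timedelta(seconds=60), "192.0.2.5", "10.1.1.10", "ssh-login", 2,
                     "/Authentication/Verify", "/Success"))
    # 203.0.113.9: five failures against a single host -> below min_hosts, no alert
    for i in range(5):
        evs.append(Event(t0 + timedelta(seconds=5 * i), "203.0.113.9", "10.1.1.20", "ssh-bruteforce", 6, *auth_fail))
    # 198.51.100.7: three failures spread over ten minutes -> never inside one window
    for i in range(3):
        evs.append(Event(t0 + timedelta(minutes=5 * i), "198.51.100.7", "10.1.1.30", "ssh-bruteforce", 6, *auth_fail))
    return sorted(evs, key=lambda e: e.time)


def run_rule(events: List[Event], rule: Optional[FailedLoginRule] = None) -> List[dict]:
    rule = rule or FailedLoginRule()
    for ev in events:
        evaluate_priority(ev)   # step 2: priority evaluation and model lookup
        rule.feed(ev)           # step 3: correlation
    return rule.alerts
```

The alert carries the highest priority among the events that produced it, so a spray that touches a high-criticality, susceptible asset surfaces above the same pattern against an unmodelled host; the two negative cases (one host only, events too far apart) show what the window and the distinct-host condition filter out.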


Correlation – ESM Specifications

| Model | E7200-2 | E7200-4 |
| Max EPS (Peak/Sustained) | 2,500 EPS / 1,500 EPS | 5,000 EPS / 3,000 EPS |
| OS | Oracle Enterprise Linux 4 | Oracle Enterprise Linux 4 |
| CPU | 2 x Intel Xeon Quad | 2 x Intel Xeon Quad |
| RAM | 24GB | 24GB |
| Ethernet Interfaces | 4 x 10/100/1000 | 4 x 10/100/1000 |
| Storage | 6 x 600GB - Serial Attached SCSI - RAID0 | 6 x 600GB - Serial Attached SCSI - RAID0 |
| Chassis | 2U | 2U |
| Power | 2 x 870W (Redundant) | 2 x 870W (Redundant) |
| Thermal | 3000 BTU/hr | 3000 BTU/hr |
| Weight | 36 Kg (78 lbs) | 36 Kg (78 lbs) |
| Dimensions (D x W x H) | 26.8" x 17.4" x 3.4" | 26.8" x 17.4" x 3.4" |
Actual performance will depend on factors specific to a user's environment.



ArcSight Express vs. ArcSight ESM

| Feature | ArcSight Express | ArcSight ESM |
| Cross-Regulation Compliance Reporting | √ | √ |
| End-User Web Console | √ | √ |
| Appliance Deployment Option | √ | √ |
| Pre-Built Out-of-Box Rules/Reports | √ | √ |
| Market-Leading Correlation | √ | √ |
| Customizable Regulatory Compliance Packages | √ | √ |
| Unlimited Rule/Device Types | √ | √ |
| Custom Rules/Report Creation | √ | √ |
| Software Deployment Option | | √ |
| Unlimited Device Expandability | | √ |
| Activity Profiling (Pattern Discovery) | | √ |
| User, Fraud, and Data Monitoring | | √ |
| More Storage | | √ |
| More Integration Options * | | √ |

* e.g. TRM, Remedy, etc. integration



ArcSight Express – Your Security Expert “In A Box”

AE is an integrated event and log management solution
- Uses the same collection & correlation as ArcSight ESM, but is appliance based for easier deployment and management
- AE has pre-defined rules, reports, alerts and dashboards built-in
- Solves the most important security & compliance issues right out of the box

Out-Of-The-Box AE Coverage:
 Bot, Worm and Virus Attack Visibility and Alerting
 Hacker Detection
 Bandwidth Hogs and Policy Violations
 Application Access Monitoring
 Remote Access
 System and User Impact
 Compliance controls

| Model | M720-M | M720-L | M720-X | L3200 |
| OS | Oracle Enterprise Linux 4, 64-bit (all models) |
| Compression | Up to 10:1 (all models) |
| Max Network Devices | 40 | 100 | 225 | Same as M7200 |
| Max Desktops | 100 | 250 | 500 | Same as M7200 |
| Max EPS | 500 | 1000 | 2500 | Same as M7200 |
| Max Assets | 5000 | 10000 | 25000 | N/A |
| Web Users | Unlimited Users (all models) |
| CPU | 2 x Intel Xeon E5504 Quad Core 2.0 GHz | 2 x Intel Xeon E5504 Quad Core 2.0 GHz | 2 x Intel Xeon E5504 Quad Core 2.0 GHz | 1 x Intel Xeon E5504 Quad Core 2.0 GHz |
| Ethernet Interfaces | 4 x 10/100/1000 | 4 x 10/100/1000 | 4 x 10/100/1000 | 2 x 10/100/1000 |
| RAM | 24GB | 24GB | 24GB | 12GB |
| Physical Capacity | 2TB (2 x 1TB - RAID1) / 3.6TB (6 x 600GB - RAID10) |
| Effective Capacity | 1.6TB | 1.6TB (+L3200) | 1.6TB (+L3200) | 7.8TB |
| Chassis | 2U | 2U | 2U | 1U |
| Power | 2 x 870W (Redundant) | 2 x 870W (Redundant) | 2 x 870W (Redundant) | 1 x 480W (Non-Redundant) |
| Dimensions (DxWxH) | 26.8" x 17.4" x 3.4" | 26.8" x 17.4" x 3.4" | 26.8" x 17.4" x 3.4" | 24.7" x 17.1" x 1.7" |
Actual performance will depend on factors specific to a user's environment.
L3200 not included with Express-M



ArcSight Express Pre-Built Content for Top Scenarios

 Cross Device Reporting
• Top Bandwidth Users
• Configuration Changes
• Successful and Failed Logins
• Password Changes
• Top Attackers and Internal Targets
• Top Connections

 Anti-Virus Reporting
• Top Infected Systems
• All AV errors
• AV Signature Update stats
• Consolidated Virus Activity
• AV Configuration Changes

 Database
• Top Connections
• Database Errors and Warnings
• Database Successful and Failed Logins
• Database Configuration Changes

 IPS/IDS
• IPS/IDS Alert Metrics
• Alert Counts
• Top Alert Sources and Destinations
• Top Attackers and Internal Targets

 Access Management
• User Authentication across hosts
• Authentication Success and Failures
• User Administration Configuration Changes

 Network Devices Reporting
• Network Device Errors and Critical Events
• Network Device Status and “Down” Notifications
• Bandwidth Usage
• Configuration Changes by User and Change Type
• Successful and Failed Logins

 VPN Device Reporting
• VPN Authentication Errors
• Connection Counts
• Connection Durations
• Connections Accepted and Denied
• Successful and Failed Logins
• Top Bandwidth Users
• VPN Configuration Changes

 Operating System Reporting
• Privileged User Administration
• Successful and Failed Logins
• Configuration Changes

 Firewall Reporting
• Denied Inbound Connections
• Denied Outbound Connections
• Bandwidth Usage
• Successful/Failed Login Activity



Solutions Modules



ArcSight Modules

ArcSight Solution Modules
 Pre-built rules, reports, dashboards, and connectors
 Regulatory: Address compliance for public/industry regulations
 Business: Address scenarios common to most organizations

Available as: Installable Software, Pre-configured Appliances

Regulatory: SOX/JSOX, HIPAA, PCI, NERC, FISMA
Business: Identity Monitoring, Fraud Detection, Insider Threat Detection

Benefit: Rapid deployment by leveraging best practices



EnterpriseView - Business Solution Package

 Solution Package that includes
– Installable Solution Module on top of ESM
– Prebuilt customizable Reports & Rules tuned for specific solution
– Pattern Discovery customizable configuration to create new monitoring rules

IdentityView
FraudView



IdentityView – Sample Reports (1/2)
Activity Report – For Users With The Developer Role



IdentityView – Sample Reports (2/2)
Activity Report – For Users in the Finance Department



FraudView – Multiple Engines
Multiple Engines for Detecting Fraudulent Activity

Risk Scoring Engine (Multi-Path Risk Analysis producing a Risk Score):
- Device Risk - Is Source address in Escalation List, Country of Concern, etc?
- Transaction Risk - What is the Risk Associated with Transaction, etc?
- Account Risk - Is Account in Escalation List, etc?
- Destination Risk – Is the Destination a suspicious Payee, Country of Concern, etc?

Escalation List Process (Watch List -> Suspicious List -> Investigate List):
1- Watch List: Account authentication over the phone fails a second time… Account is added to the Watch List.
2- Suspicious List: Source IP from which the website was scanned last week – the IP is in the Suspicious List.
3- Investigate List: Source IP has been used to access Account XYZ; both IP Address a.b.c.d & Account XYZ are escalated to the Investigation List.

Correlation Engine: Fraud-Based Transaction evaluation - Fraud Detection Correlation rules (against Real-Time events and Historical data).

Pattern Recognition Engine: Pattern Discovery – To find fraudulent behaviours that might not yet have been captured in rule definition.

Fraudulent transactions can be detected by FraudView in multiple ways.


Why is ArcSight Winning?
What Makes ArcSight Unique.



Deploying the Platform

ArcSight can be deployed to support a range of requirements

| | Alerting/Compliance Reporting | Virtual SOC | Fully Staffed SOC |
| Operations | Log collection and retention | Lights out operations | 24x7 operations |
| Investment | Invest in report building | Invest in upfront automation | Invest in ongoing staffing |
| Incident response | Delayed incident response | Basic analysis/investigation | Live incident response |
| Products | ArcSight Logger | ArcSight Logger, ArcSight ESM, ArcSight Express | ArcSight Logger, ArcSight ESM, Pattern Discovery |
| Focus | Report focus, Basic audit compliance | Limited correlation, Email notification focus | Advanced correlation, Live Dashboard focus |



Deployment: Simple to Start, Easy to Grow

Automated Response
• Workflow-based lockdown

Advanced Correlation
• Dashboards
• Trend Reporting
• Correlation Rules
• Activity Profiling

Log Management
• Live Alerting
• Data Collection/Storage
• Reporting
• Single Appliance

Foundation: Connectors, growing to More Connectors at each stage



What Makes ArcSight Unique

Unmatched in Collection, Correlation and Scale



ArcSight – Collection (1/2)

 Largest Supported Products base
– 275+ products, 100+ vendors, 35+ categories
– FlexConnectors (for in-house device/source support)
– Common Event Format

 Audit quality data
– Integrity measures as data is received (FISMA requirement - NIST 800-92 recommendation)



ArcSight – Correlation (1/2)

Correlation Engine inputs: Who (User Identity), What (Asset Value), Where (Contextual Analysis), When (Time Window)

 Pre-packaged, extensible content
– For regulatory compliance & security
– Includes report templates, trending & dashboards.

 Real-time Correlation & Alerting
– Simple and meaningful alerts.
– Device independent correlation.

 Context-based Correlation
– Based on vulnerability, asset & user context
– Criticality based model

 Response management
– Native workflow, helpdesk integrations
– Integrated comprehensive and intelligent rules based response for network/security devices

Asset Model:
– Device Severity: Assign severity levels to device classes
– Susceptibility: Is the asset susceptible to the specific attack?
– Asset Criticality: How important is this asset to the business?
– Attack History: History with this target?
– High-Impact Assets

User Model:
– Identity: Who was “behind the IP address?”
– Policy Impact: Impact of this event on business risk?
– Role: Does the event match the role of the person performing it?
– User Profiling: Is this normal behavior?
– High-Impact Users
ArcSight – Correlation (2/2)

 Activity Profiling Engine


– Discover patterns in large collections of events that have already occurred.
– Can profile good and bad behaviors
– Machine-discovered patterns can be turned into correlation rules

Better security through more effective rules.



ArcSight – Scale

 Centralized and/or Distributed collection
– Controls for security, reliability, batching, integrity checks along with bandwidth controls
– Unique support for highly distributed environments

 Form factor flexibility & Range of Appliances
– Highest performance/price return (EPS/$)
• Up to 100K EPS (Events Per Second) / appliance with linear scalability
– Complete ArcSight platform (Connectors – Logger – ESM - TRM) is available in a range of modular & turnkey appliances
– Added flexibility of software deployments for ESM and connectors
(Pictured: ArcSight Threat Response Module)

 Cost effective scalable long term storage
– Up to 50TB of raw data capacity for long term storage appliance with linear scalability (peer)
– Support for external storage (NAS, SAN)
– Support for multiple retention policies.



So Why Choose ArcSight?

 Broadest customer base – Strong experience solving the challenges in your industry.
 Best products – Most market share, most awards, proven over years.
 Future proof – Insulate you from tomorrow’s technology decisions.



Summary

 Proven, integrated products for monitoring and controlling security and risk
 Deployable together or incrementally
 Designed to fit within today’s IT environment while insulating tomorrow’s decisions

(Diagram: Collect -> Monitor -> Respond -> Audit cycle; Market Share Leader; SIEM Leader’s Quadrant SIX Years Running (Most Visionary))

Protect Your Business - Choose the Best



Thank You

Jean-Luc Labbe
Southern EMEA Sales Engineer
Cell +39 335 879 0307
jlabbe@arcsight.com
