ArcSight Intelligent Security Operations
Petr Hněvkovský, CISSP, CISM, CISA, CEH, Senior Solution Architect, EMEA
June, 2017


Page 2

ArcSight empowers Intelligent Security Operations

Page 3

Challenges to the Security Operations Center

Increasing rate of data

Limited detection and response tools

Complex and slow investigation capabilities

Page 4

Intelligent Security Operations Increase Speed, Simplicity and Effectiveness Across Entire Workflow


Visibility Without Boundaries | Comprehensive Detection | Intuitive Investigation

Page 5

Proven, accurate and fast

ArcSight Investigate

ArcSight ESM

ArcSight ADP


Page 6

Open, relevant and intuitive

ArcSight Investigate

• Investigation | Analytics

ArcSight ESM

• Real-time Correlation | Alerting | Workflow

ArcSight Data Platform

• Connectors | Event Broker | Management | Retention


Page 7

ArcSight master architecture: Actively evolving beyond traditional SIEM to support the Intelligent SOC

[Architecture diagram; recoverable labels by layer]

Investigation & Remediation: Investigation (Search, Entity Profiling, Hunt); Linked Data Analytics; Intelligent Queue; Response; Dashboards | Reports | Workflow | Case Mgmt | Runbooks; Use Case Library; 3rd Party Integration

Security Operations (On-prem & Managed): Security Analysts Level 1; Security Analysts Level 2; Hunt Team; Ticketing & Workflow

Comprehensive Detection & Analytics (Analytics Engines & Investigation modules): SIEM Alerts from the Real-time Correlation engine (ESM); User Behavior Analytics; DNS Malware Analytics; App Defender Analytics; Other Analytics

Visibility: Smart Connectors / Event Streams; Event Broker; Third Party Repositories (i.e. Hadoop)

Data Sources (Structured & Unstructured) + Control points: IT, OT, IoT, Physical; Users; Cloud; Apps; Servers & Workloads; Network; Endpoints; IoT

External Information: Identity & Configuration (Active Directory, Config Mgmt DB); Intelligence Feeds (Threat Central, 3rd Party Feeds); IT Operations & Management Systems

Page 8

ArcSight Data Platform: Expand the visibility of your data

Page 9

Visibility Without Boundaries

Faster detection with business optics: Real-time security context

Keeping up with growing environments: Scalability through variety and velocity

Integrating data lakes with security apps: Open architecture to maximize usage

Page 10

ArcSight Data Platform summary

Platform
• Universal platform for the ArcSight portfolio

Complete bundle
• Unlimited Connectors & FlexConnectors
• Brand new Quick Flex parser tool
• Unlimited device & Connector management (ArcMC)
• New resilient Kafka Event Broker
• Licensed Logger

Simplified Licensing
• Volume only in GB/day: pay once, consume many

HA & NP
• HA/NP does not license additional capacity

3rd party
• Support for 3rd party destinations like Hadoop

Page 11

Event Broker: What's new?

[Diagram: The ADP Innovation, showing the Event Broker at the center with ArcMC and L (Logger) nodes around it]

Page 12

Event Broker


Key Attributes

– Open
• Documented Kafka-based standard interface
• HDFS integration

– Scale
• 1M EPS
• Connector scale improved, reduced dual-feed impact

– Security Focus
• Built-in HA reliability, four nines (99.99%)
• TLS 1.2 encryption for data in motion

Data hub that enables getting data from anywhere and sending it to any destination, including ArcSight applications, third-party applications and in-house data lakes.

Page 13

Kafka in a nutshell

Producer: pushes the message into a Kafka topic

Consumer: subscribes to one or more topics and pulls the message from Kafka

Topics: messages are placed in topics

Kafka Cluster: typically an odd number of nodes

Zookeeper: coordinates the services in Kafka

Messages: pushed to Kafka topics and pulled by the consumers that subscribe to these topics

Page 14

Event Broker

[Diagram: Without Event Broker vs. With Event Broker; L (Logger) nodes, ESM, Investigate, Vertica, Spark, ArcMC and 3rd parties connected through the Event Broker]

Open Architecture

Scalable: sources and destinations

Centralized data manipulation

Page 15

Event Broker: above and beyond open source Kafka

Capability                                                        Kafka   Event Broker
Message bus: distributed, high-performance pub-sub message bus    Y       Y
Resilience, redundant message pipelines                           Y       Y
Enterprise readiness: qualified open source packages                      Y
Best practices planning guide                                             Y
Container-based deployment                                                Y
Centralized and local management                                          Y
System and app monitoring                                                 Y
Fine-tuned for SOC: ready-to-go security hardening                        Y (FIPS 140-2)
Event filtering and routing                                               Y (CEF messages)
Format transformation engine                                              Y (CEF to Binary, CEF to AVRO)
Ready-to-go producer topics                                               Y (CEF, Binary (ESM))
Ready-to-go consumer topics                                               Y (CEF, Binary (ESM), AVRO, HDFS)

Page 16

Connector: What's new?

[Diagram: The ADP Innovation, showing the Event Broker at the center with ArcMC and L (Logger) nodes around it]

Page 17

Connector


Key Attributes

Augments data with security context to make it better suited for security applications.

– Open

• Collect data from any data source and make it security relevant

• Support new device versions by releasing parsers every 4 weeks

– Scale

• Support a large variety of devices in large environments with 350+ out-of-the-box connectors

– Security Focus

• Normalize, categorize and enrich data for better correlation and analytics

Page 18

New Quick Flex tool available

Speed up flex development

Available free with ADP

https://www.protect724.hpe.com/groups/arcsight-product-announcements/blog/2016/12/20/quick-flex-is-now-available

See the video tutorial at https://www.protect724.hpe.com/docs/DOC-14871

Page 19

Logger: What's new?

[Diagram: The ADP Innovation, showing the Event Broker at the center with ArcMC and L (Logger) nodes around it]

Page 20

Data Retention (Logger)


Key Attributes

– Scale
• 1M EPS in a 100-peer architecture
• 100 concurrent searches

– Performance
• Search speed for typically used searches improved by 50%, some by 2x
• 10:1 compression ratio to store up to 1200 TB of data

– Security
• Data-at-rest encryption on ADP appliances

Cost-effective universal log management solution that unifies searching, reporting, alerting, and analysis across any type of enterprise machine data.

Page 21

ArcSight Management Console: What's new?

[Diagram: The ADP Innovation, showing the Event Broker at the center with ArcMC and L (Logger) nodes around it]

Page 22

Management Console


Key Attributes

– Ease of Management

• Single-view centralized management

• Topology & System Health Monitoring

• Bulk operations for destination configuration and managing upgrades

– Performance

• Easily supports hundreds of connectors and entities

• Screen response time slashed by 70%

Centralized Management Console for end-to-end monitoring of the entire security posture.

Page 23

Management Console: End-to-end Monitoring

‒ Topology view for consolidated view

‒ Display device information on hover

‒ Sort devices by region / groups


Page 24

Management Console: Device Monitoring

‒ Detect health-related issues, like events dropping

• Shows you which devices are not sending events (inactive devices)

• Suspicious EPS spike or drop

‒ Health feedback with ability to drill down

• All devices by product type, with drill-down to locate a specific device
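As an added example (not ArcSight or ArcMC code), here is a small Python health check in the spirit of the device-monitoring slide: it buckets per-device events into one-minute windows, reports devices that have gone silent, and flags windows where a device's EPS spikes or drops against its own running median. The device names, thresholds and sample events are constructed.

```python
"""Log-source health check in the spirit of the ArcMC device-monitoring slide.
Added example, not ArcSight code: reports devices that stopped sending events
and one-minute windows whose EPS spikes or drops against the device's own
running median. All device names, thresholds and events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(minutes=1)


def _make_sample_events():
    """Constructed feed of (timestamp, device) pairs over ten one-minute windows."""
    t0 = datetime(2017, 6, 1, 9, 0, 0)
    events = []
    for minute in range(10):
        ts = t0 + timedelta(minutes=minute)
        events += [(ts, "fw-edge")] * 100                          # steady, 100/min
        if minute < 5:                                             # goes silent after 09:04
            events += [(ts, "dc-ad")] * 50
        events += [(ts, "proxy")] * (400 if minute == 7 else 20)   # 20x spike at 09:07
        events += [(ts, "vpn")] * (2 if minute == 6 else 60)       # one-window drop at 09:06
    return events


SAMPLE_EVENTS = _make_sample_events()


def bucket_counts(events, window=WINDOW):
    """Return {device: {bucket_start: event_count}} for fixed-size time buckets."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, device in events:
        bucket = ts - (ts - datetime.min) % window
        counts[device][bucket] += 1
    return counts


def inactive_devices(counts, now, silence=timedelta(minutes=3)):
    """Devices whose newest bucket is at least `silence` old at time `now`."""
    return sorted(dev for dev, buckets in counts.items() if now - max(buckets) >= silence)


def eps_anomalies(counts, window=WINDOW, factor=5.0, min_history=3):
    """Flag buckets whose EPS exceeds `factor` x the device's running median
    (spike) or falls below median / `factor` (drop). Empty buckets between the
    first and last seen bucket count as zero EPS, so a gap shows up as a drop."""
    secs = window.total_seconds()
    findings = []
    for device, buckets in counts.items():
        history = []
        t, end = min(buckets), max(buckets)
        while t <= end:
            eps = buckets.get(t, 0) / secs
            if len(history) >= min_history:
                base = median(history)
                if base > 0 and eps > base * factor:
                    findings.append((device, t, "spike", round(eps, 2), round(base, 2)))
                elif base > 0 and eps < base / factor:
                    findings.append((device, t, "drop", round(eps, 2), round(base, 2)))
            history.append(eps)
            t += window
    return sorted(findings)


def run_health_check(events, now=None, window=WINDOW):
    """Full check; `now` defaults to the end of the last observed bucket."""
    counts = bucket_counts(events, window)
    if now is None:
        now = max(max(b) for b in counts.values()) + window
    return {
        "inactive": inactive_devices(counts, now),
        "anomalies": eps_anomalies(counts, window),
    }


if __name__ == "__main__":
    result = run_health_check(SAMPLE_EVENTS)
    print("inactive devices:", result["inactive"])
    for device, t, kind, eps, base in result["anomalies"]:
        print(f"{t:%H:%M} {device}: {kind} eps={eps} baseline={base}")
```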

Page 25

Management Console: Centralized ADP license tracking

‒ Track ADP licenses in one place

Page 26

ArcSight Data Platform (ADP)


Capabilities/Benefits

– Event Broker – Extend visibility to third party applications with Kafka-based open architecture data hub

– 1M EPS ingestion rate – Scale seamlessly to expand security posture

– Centralized management console – Simplify management with end-to-end environment monitoring and bulk operations with ArcMC

– 1:10 data compression ratio – Reduce cost of data storage with compressed logs up to 1200 TB

– Data enrichment – Improve threat detection and analysis by security applications through data augmented with security context

– 350+ pre-built connectors – Extend data collection sources without manual customization

Open and scalable security data solution that can take data from any source and send it to any location, including third-party applications like Hadoop.

Page 27

HPE Security ArcSight Data Platform – Quick Overview: Laying the foundation for intelligent security operations

• Open and scalable architecture for multiple DBs/apps
• Enhance manageability of hundreds of entities
• Augment data with security context in real time, enabling faster threat detection

Data Collection Built for Security: open architecture with scale and security

Open Architecture
• Send data to any destination
• 1 million events per second data ingestion

Scalability
• Compress/store up to 480 TB
• 100 concurrent searches
• 350+ out-of-the-box connectors

Built for Security
• Encrypted, compressed logs
• FlexConnector Wizard automates connections
• One management console simplifying deployment and updates

Page 28

ArcSight ESM: Comprehensive detection

Page 29

ESM functionality in 2 mins

[Diagram; recoverable labels by stage]

Inputs: Basic Log Events; Alerts from other engines; 3rd Party Context

Enrichment: Asset Model; Network Model; Vulnerability Model; User Model

Rules Engine (Detection): Match or Lightweight rules; Aggregation rules; Prioritization

ActiveChannel: Active Channel news feeds, a visual representation of real-time correlation

Context (Investigation): Enrichment; Baselines/trends; Lists; Search

Integration and Case Management: Integration Commands; Action Connectors; Partners; Annotations; Case management

Page 30

Advances in ESM 6.11 – At A Glance

IPv6 Support: Support super-enterprise scale with native IPv6 and dual stack capabilities

ACC Functional Enhancements: Now with improved case management functionality, integration commands, and more, for easier investigation

UI Overhaul: Completely revamped looks in the Console and Web UIs

Big Data: Next gen architecture with support for Kafka-enabled Event Broker and Investigate integrations

Page 31

IPv6: Modern Data

IPv6 Support: Support super-enterprise scale with native IPv6 and dual stack capabilities

Problem: Supersize enterprises, Telcos and Government agencies have run out of IPv4 address space & need products that support their new IPv6 environments

Page 32

ACC Enhancements: Modern Feel

ACC Enhancements (ArcSight Command Center): Now with improved case management functionality, integration commands, and more, for easier investigation

Problem: ACC has seen limited adoption due to missing features and limited usability compared to the console

Page 33

UI Themes: Modern Look

Problem: ESM has long been criticized for its dated look, especially in the console

UI Themes: Modernized looks in the Console and Web UIs with new light and dark themes!

Page 34

EB & Investigate Integration: Modern Architecture

Problem: 1) Event storms: unanticipated spikes in EPS levels that cause ESM to become unstable; 2) Seamless integration between ESM & new products

Event Broker & ArcSight Investigate Integrations: Next gen architecture with support for Event Broker and ArcSight Investigate integrations

[Diagram: EB feeding ESM, Investigate, Logger, Hadoop and 3rd Party destinations]

Page 35

ESM 6.11 – Q2FY17: Modern Look, Architecture, and Data

IPv6 Support: Support super-enterprise scale with native IPv6 and dual stack capabilities

ACC Enhancements (ArcSight Command Center): Now with improved case management functionality, integration commands, and more, for easier investigation

UI Themes: Modernized looks in the Console and Web UIs with new light and dark themes!

Event Broker & ArcSight Investigate Integrations: Next gen architecture with support for Event Broker and ArcSight Investigate integrations

Page 36

Other

- BytesIn, BytesOut fix

- Favoriting Resources

- Common Criteria on 6.91

- New MSSP licensing reports

Page 37

ArcSight Enterprise Security Manager 6.11 + fresh content

− Market-leading Real-time Correlation

− Threat Lifecycle

− Tailored use cases

− Central integration point for the SOC process

− Integrated SOC platform

Page 38

4x more with same headcount

ESM & Activate adoption increased SOC efficiency 4x

Page 39

Open, relevant and intuitive

ArcSight Investigate

• Investigation | Analytics

ArcSight ESM

• Real-time Correlation | Alerting | Workflow

ArcSight Data Platform

• Connectors | Event Broker | Management | Retention


Page 40

ArcSight Investigate: Intuitive investigation

Page 41

Challenges to performing security investigation

Complex tools are not helping: Running queries to analyze data at scale without understanding a complex language and schema is hard

Every second counts: Speed is the key when security teams are looking for "previously unknown" and advanced threats

Need the full picture: Disparate data storage delays the investigation process and limits the ability to track multi-stage attacks

Page 42

What Do We Need to Address These Challenges?

Work Smarter: Accurately analyze higher-priority threats with an intuitive solution

Act Faster: Instantly process large volumes of data to identify threats

Reach Further: Leverage data lakes to store and access a full range of data

Intelligent Threat Investigation Solution


Page 43

NEW! ArcSight Investigate

− 10x faster data retrieval

− Guided natural language search box

− Modern and intuitive data manipulations

− Powerful built-in analytics modules

− HDFS integration

− Next Generation Platform

Page 44

Act Faster: Instantly process large volumes of data to identify threats

• Using Vertica, designed specifically for big data queries, ArcSight Investigate can execute searches up to 10x faster than the competition to hunt for unknown threats

• Massively Parallel Processing (MPP) can run multiple searches instantly and take advantage of insights from Big Data to drive real value


Page 45

Work Smarter: Accurately analyze higher-priority threats with an intuitive solution

• Intuitive search and analysis translates search terms into security context and dynamically suggests relevant queries

• Enables junior security analysts to create queries without having to learn a specific query language and schema

• Create custom dashboards and visualizations with a few clicks to identify patterns, anomalies and relations of security events


Page 46

Reach Further: Confidently hunt with a holistic view of all your data

• Integrated UI provides a seamless view to search and access data of any timeframe across Hadoop and ArcSight Investigate

• Access to all your data all the time with efficient storage options of both short-term data in Investigate and long-term data in Hadoop

"Companies of all sizes are considering data lakes as a way to deal with terabytes of security data that serve as an early indicator to identify bad or relevant behavior." – Raffael Marty, CEO, Pixlcloud

[Diagram: data flow from Connectors through the Event Broker to Vertica (store data) and Hadoop/HDFS (data lake), with a Search Application layer to search & analyze across both]

Page 47

ArcSight Investigate benefits

Act Faster to Identify and Respond to Threats

Work Smarter with an Intuitive Solution

Reach Further by Leveraging Data Lakes

• Decrease the impact of security incidents

• Minimize downtime by uncovering hidden threats

• Be productive from “Day 1”

• Reduce response time to advanced attacks

• Reduce risk by expanding the scope of investigation

• Lower TCO by optimizing data management cost

Page 49

ArcSight GDPR use cases

• Log activities and changes
• Notify the DPO within deadline
• Private data de-identification
• Detect and validate the breach

Page 50

2017 State of Security Operations: 4th annual report (Jan 2017)

Read the full report at hpe.com/software/StateOfSecOps

By region:
North America: 1.52
South America: 1.89
DACH: 1.47
UK: 1.26
Nordics: 1.33
Asia: 1.37
Oceania: 1.00
MEMA: 1.09
BeNeLux: 1.79
Europe: 1.30

82% of organizations are not meeting their business goals

27% of SOCs are failing to achieve minimum security monitoring capabilities

183 assessments

Top observations
• Full automation of operations is unrealistic
• Hunt-only search & response does not provide full coverage and effectiveness
• Increased capabilities come from hybrid staffing solutions
• Continuing trend: Proliferation of threat hunt programs
• Emerging trend: Development of security fusion centers

Industry findings
• Telecom: main concern is service availability
• Healthcare: preferred target of ransomware
• Government: struggle with long-term maturity
• Energy: Increase in physical and ISC attacks and monitoring
• Financial: plagued by SWIFT attacks