© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
A look at the latest HP ArcSight ESM Ken Mermoud, Product Management
This is a rolling (up to three year) Roadmap and is subject to change without notice.
Forward-looking statements
This document contains forward-looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Hewlett-Packard's predictions and/or expectations as of the date of this document, and actual results and future plans of Hewlett-Packard may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions.
HP confidential information
This Roadmap contains HP Confidential Information. If you have a valid Confidential Disclosure Agreement with HP, disclosure of the Roadmap is subject to that CDA. If not, it is subject to the following terms: for a period of 3 years after the date of disclosure, you may use the Roadmap solely for the purpose of evaluating purchase decisions from HP and use a reasonable standard of care to prevent disclosures. You will not disclose the contents of the Roadmap to any third party unless it becomes publicly known, is rightfully received by you from a third party without duty of confidentiality, or is disclosed with HP’s prior written approval.
Agenda
• Agenda
• ArcSight journey
• ESM Next Beta features
• Beta details @Protect
• Q&A
HP ArcSight Portfolio strategy: Next Gen Cyber Defense
(Diagram: Analytics and SIEM spanning Collect, Correlate, Search, Visualize, Predict and Respond)
ESM: What’s next?
Next:
• Automatic Rule Optimization
• Storage Up To 12 TB
• Web services APIs
• Faster Queries with Bloom
• Active Channels in ACC
• High Availability
Future / Roadmap:
• Disaster Recovery
• Data Visualization
• Distributed Correlation
• UI/UX Redesign
• Out-of-Box Content Revamp
• Predictive Analytics
• Security Ecosystem
• Seamless Integration w/ Analytics
• Clustering for Scalability
• App Store
Quality themes:
• Stability, Reliability, Scalability, Customer Bugs
• Maintainability, Resiliency, Customer Bugs
ESM Next Beta
What is part of the Beta?
ESM Next Beta
• Main Beta features
− High Availability
− Active Channel in Web UI
− CFC Connector Capabilities
− Improved Search/Query speed with Bloom Filters
− ESM Web Service APIs
− Correlation Enhancements
− Support for 12 TB storage
− Transition to Java 7
High Availability (HA)
ESM Next Beta
• What is ESM HA?
− Two-server installation of ESM for improved reliability and availability
− Active/passive cluster (Primary running ESM, Secondary on hot standby)
• How does it work?
− Secondary backs up Primary disk (Disk Mirroring - DRBD)
− Automatic Failover
  • System failures are automatically detected
  • Secondary switches to primary and runs ESM
− Audit events and notifications available for monitoring status of HA
(Diagram: Connectors and Clients connected to the ESM HA pair)
Active Channel in Web UI (ACC)
ESM Next Beta
• What is available?
− Open and use pre-defined Active Channels
− Annotate events
− Add events to cases
− Mark events as reviewed
− Visualize event summary
− Drill down by filter conditions
All product views are illustrations and might not represent actual product screens
ESM Web Service APIs
ESM Next Beta
• When do you need Web Service APIs?
− Integrations with ESM
− Building custom UI
− Extending functionality
• What is the list of APIs?
− LoginService, GroupService, CasesService, SecurityEventService, ArchiveReportService, ActiveListService
• What are we making available?
− Developer’s Guide
− Javadoc (html + pdf)
− Client side SDK (utilities/sdk/lib)
− Examples (utilities/sdk/examples/)
Improved Search/Query speed with Bloom Filters
ESM Next Beta
• What’s New?
− Super Indexing & Bloom Filters. Question: Is the value in a Time Chunk?
  • Answer: Possibly in Time Chunk, or
  • Answer: Definitely not in Time Chunk
• Faster Search for needle-in-the-haystack scenarios
− Peer Search Improvements
− Search up to 1000x FASTER than ESM 6.5c on the most frequently used fields
− Search up to 500% FASTER with the use of new super indexes on certain fields
• Note: Re-activated ESM archives will also take advantage of the increased search performance, as the Bloom filter data is stored in the archive
(Diagram: master super-index over CORR-engine storage)
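The per-time-chunk Bloom filter idea from the slide, worked through as an added example (this is illustrative code, not ESM's implementation): a filter per hourly chunk answers "definitely not here" or "possibly here", so a needle-in-the-haystack search reads only the chunks that may hold the value and never misses a chunk that does. The event layout, field name and chunk size are constructed assumptions.

```python
import hashlib
from collections import defaultdict

class BloomFilter:
    """Fixed-size Bloom filter: answers 'definitely not present' or 'possibly present'."""
    def __init__(self, m_bits=4096, k_hashes=4):
        self.m, self.k, self.bits = m_bits, k_hashes, 0

    def _positions(self, value):
        # k independent bit positions derived from seeded SHA-256 (any good hash works)
        for seed in range(self.k):
            h = hashlib.sha256(f"{seed}:{value}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, value):
        for p in self._positions(value):
            self.bits |= 1 << p

    def may_contain(self, value):
        # all k bits set -> possibly present; any bit clear -> definitely not present
        return all((self.bits >> p) & 1 for p in self._positions(value))

CHUNK_SECONDS = 3600  # assumption: one time chunk per hour

def build_index(events, field):
    """Group events into time chunks and build one Bloom filter per chunk over `field`."""
    chunks, blooms = defaultdict(list), {}
    for ev in events:
        cid = ev["ts"] // CHUNK_SECONDS
        chunks[cid].append(ev)
        blooms.setdefault(cid, BloomFilter()).add(ev[field])
    return chunks, blooms

def search(chunks, blooms, field, value):
    """Return (matching events, number of chunks actually scanned)."""
    hits, scanned = [], 0
    for cid in sorted(chunks):
        if not blooms[cid].may_contain(value):
            continue  # definitely not in this chunk: skipped without reading it
        scanned += 1  # possibly in this chunk: read it and confirm exactly
        hits.extend(ev for ev in chunks[cid] if ev[field] == value)
    return hits, scanned

# Constructed sample: 24 hours of routine events plus one rare source address at hour 17.
EVENTS = [{"ts": h * 3600 + i * 60, "src": f"10.0.{h}.{i}"} for h in range(24) for i in range(50)]
EVENTS.append({"ts": 17 * 3600 + 1234, "src": "203.0.113.7"})

if __name__ == "__main__":
    chunks, blooms = build_index(EVENTS, "src")
    hits, scanned = search(chunks, blooms, "src", "203.0.113.7")
    print(f"{len(hits)} hit(s); scanned {scanned} of {len(chunks)} chunks")
```

A false positive only costs an extra chunk scan; a false negative cannot occur, which is why a re-activated archive can keep its filter data and still return complete results.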
CFC Connector Capabilities
ESM Next Beta
• What is CFC?
− Correlation (event) Forwarding Connector
− Allows forwarding base and correlation events from one ESM to another
− Push Mechanism (base events going along with correlation events to destination) + Pull Mechanism (base events can be pulled to destination on user demand)
• CFC capabilities
− Ability to send up to 1,500 EPS of base + correlation events
− CFC Annotation moved to separate storage (minimize performance hit on base annotation volume growth)
− Automatic cleanup of old forwarded events every 3 days
Correlation Enhancements
ESM Next Beta
• Rule/Data Monitor Enhancements
− Profiling: auto-reordering of rule/data monitor conditions for better efficiency
− Average 25% evaluation time enhancements
• Pattern Discovery Enhancements
− Lighter process for building transactions in Pattern Discovery
− Going from O(n log n) to O(n), n as number of events
− Support for up to 15,000 EPS
− Up to 66x execution time speed up
• Additional List Look-Up Functions
− GetCurrentTime, DistinctListValue, ListIntersection, ListUnion, NonNullListValues, SortListValues, etc.
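The condition-reordering idea behind the profiling enhancement, as an added example (illustrative code, not ESM's rule engine): a conjunctive rule is profiled for each condition's pass rate and cost, then reordered so the cheapest conditions that reject the most events run first, which lowers total evaluation work without changing which events match. The events, conditions and cost units are constructed assumptions.

```python
# Constructed sample events; a real rule would test ESM event fields the same way.
EVENTS = [
    {"port": 22 if i % 2 else 443, "bytes": i * 100, "src": "10.0.0.%d" % (i % 7)}
    for i in range(1000)
]

# A conjunctive rule: every condition must hold.  Each entry is
# (name, predicate, relative cost); e.g. a list lookup is assumed to cost 5x a field compare.
RULE = [
    ("big_transfer", lambda e: e["bytes"] > 90000, 1),
    ("from_watchlist", lambda e: e["src"] in {"10.0.0.3"}, 5),
    ("ssh_port", lambda e: e["port"] == 22, 1),
]

def evaluate(rule, events):
    """Short-circuit AND evaluation; returns (match count, total cost spent)."""
    matches, cost = 0, 0
    for e in events:
        for _name, pred, c in rule:
            cost += c
            if not pred(e):
                break  # first failing condition stops evaluation for this event
        else:
            matches += 1
    return matches, cost

def profile(rule, sample):
    """Measure each condition's pass rate on a sample, independently of the others."""
    return {name: sum(pred(e) for e in sample) / len(sample) for name, pred, _c in rule}

def reorder(rule, pass_rates):
    """Put conditions with the lowest cost per rejected event first."""
    def cost_per_rejection(cond):
        name, _pred, c = cond
        reject = 1.0 - pass_rates[name]
        return c / reject if reject > 0 else float("inf")  # never-rejecting conditions go last
    return sorted(rule, key=cost_per_rejection)

if __name__ == "__main__":
    before = evaluate(RULE, EVENTS)
    tuned = reorder(RULE, profile(RULE, EVENTS))
    after = evaluate(tuned, EVENTS)
    print("order:", [n for n, _p, _c in tuned])
    print("matches/cost before:", before, "after:", after)
```

Profiling on a representative sample matters: a condition ordering tuned on one traffic mix can be worse on another, so the pass rates should be re-measured as the event stream changes.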
Additional Features
ESM Next Beta
• Storage
− Support for 12 TB of Storage Capacity
• Java
− Upgrade to Java 7
• OS Support
− Support for RHEL 6.5, CentOS 6.5
• Upgrade
− SW Upgrade from ESM 6.0c and ESM 6.5c SP1
Beta Details @ Protect
Beta Details @Protect
Tuesday
1:00pm – TB3255 A look at the latest HP ArcSight ESM
1:30pm – TB3255 A look at the latest ArcSight ESM
2:00pm – TT3126 CFC Support on CORRE
2:30pm – TB3069 HP ArcSight ESM 24/7
4:00pm – TT3139 An Intro to ESM APIs
4:30pm – TT3058 Building an HA ArcSight solution
5:00pm – TT3099 Leveraging Super-indexed searches
Wednesday
10:30am – TT3129 ESM Performance and Optimization
11:00am – TT3041 Dynamic rule and data monitor Optimization
12:00pm – BoF Lunch: Tuning your ESM Correlation Engine
Thursday
10:00am – TT2978 ESM APIs and Applications
Please fill out a survey. Hand it to the door monitor on your way out.
Thank you for providing your feedback, which helps us enhance content for future events.
Session TB3255 Speaker Ken Mermoud
Please give me your feedback
Thank you