ArcSight Data Platform: Open Architecture Data Collection with Normalized Data Everywhere It Is Needed

Eugenio “Gene” Marrero, Lead Solution Architect, Pre-sales


www.microfocus.com

This is a rolling (up to three year) roadmap and is subject to change without notice.

Forward-looking statements

This document contains forward-looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Micro Focus ArcSight’s predictions and / or expectations as of the date of this document, and actual results and future plans of Hewlett-Packard may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions.

User Interface depictions should be considered non-final and subject to re-design and / or removal.

ArcSight Portfolio

An open security analytics suite

ArcSight ESM: Broad detection

ArcSight Marketplace: Curated content

ArcSight Data Platform: Simplicity @ scale

ArcSight UBA: Insider threat

ArcSight Investigate: Faster & smarter

ArcSight Connector: Enriched for security; Broad sourcing (175 CEF partners)

Event Broker: Any destination / standard interface; Easy scale out; Stream processing

Management Console: Centralized management; Centralized licensing

Logger: Cost efficient archiving; Immutable data; Reporting

ArcSight Data Platform: A centralized collection framework supports a growing and sophisticated SOC

Store data securely. Collect data, send anywhere. Manage the ecosystem.

Big Data challenges and how ArcSight addresses these

The Challenge: Data doubles every 2 yrs.; expect 44 zettabytes by 2020
The Solution: Collect data from diversified sources at high volumes and speed

The Challenge: Different use cases for Big Data require multiple data destinations
The Solution: Collect data once and send valuable security data to Hadoop and 3rd party tools

The Challenge: Analytics cannot be performed on unstructured data
The Solution: Enrich data in real-time with security expertise for threat detection & analytics

The Challenge: Increasing complexity of management / distribution of good security data
The Solution: Simplify management of pipelines and data transformation, and ensure persistence


1. Collect data once and send valuable security data to many places

Immutable Compliance Data Store

Graph based analytics

General security big data lake (SBDL)

Real Time Correlation

High end analytics notebook

7

It ends up being messy to manageExcept worse.. imagine hundreds of sources

data sources

destinations

Here’s the nice way to clean it up: collect it once, use it everywhere.

[Diagram: data sources feed the Event Broker (a message broker), which fans out to the ArcSight stack, the Elastic Stack and other destinations]

Logstash ArcSight Module: Available now; X-Pack Basic (free); ArcSight certified

2. Enrich data in real-time with security expertise: let’s talk about normalized data

Lesson: Structured data matters

Benefit: Future proofing, fast and efficient forensic analysis

Without (raw events as logged):

Dec 2 2015 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside

Dec 2 2015 14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 src 10.2.146.12 s_port 2523 dst 10.2.10.2 service ms-sql-m proto udp rule 49

With (normalized)
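The two raw lines above are the “Without” side. As an added example (not ArcSight’s code or connector content), the Python below does what a connector’s normalization step does for exactly those two formats: it parses each vendor-specific line into one vendor-neutral record, serializes that record as CEF, and then runs a single query across both firewalls. The PIX and Check Point regexes, the service-name lookup and the CEF severity are my assumptions.

```python
import re
from datetime import datetime
# Constructed copies of the two raw firewall events quoted on the slide.
RAW_EVENTS = [
    "Dec 2 2015 12:16:03: %PIX-6-106015: Deny TCP (no connection) "
    "from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside",
    "Dec 2 2015 14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 "
    "src 10.2.146.12 s_port 2523 dst 10.2.10.2 service ms-sql-m proto udp rule 49",
]
# Hand-written parsers (assumption) for a Cisco PIX 106015 message and a Check Point drop record.
TS = r"(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d)"
PIX_RE = re.compile(TS + r": %PIX-\d-(?P<sid>\d+): (?P<act>\w+) (?P<proto>\w+) .*?"
                    r"from (?P<src>[\d.]+)/(?P<spt>\d+) to (?P<dst>[\d.]+)/(?P<dpt>\d+)")
CP_RE = re.compile(TS + r" (?P<act>\w+) \S+ .*?src (?P<src>[\d.]+) s_port (?P<spt>\d+) "
                   r"dst (?P<dst>[\d.]+) service (?P<svc>\S+) proto (?P<proto>\w+) rule (?P<rule>\d+)")
# Check Point logs a service name rather than a port; minimal lookup for the sample (assumption).
SERVICE_PORTS = {"ms-sql-m": 1434}

def normalize(raw):
    """Map one vendor-specific line onto a common schema; None when no parser matches."""
    if m := PIX_RE.match(raw):
        d, vendor, product = m.groupdict(), "Cisco", "PIX"
        sig, dpt = d["sid"], int(d["dpt"])
    elif m := CP_RE.match(raw):
        d, vendor, product = m.groupdict(), "Check Point", "VPN-1 & Firewall-1"
        sig, dpt = "rule-" + d["rule"], SERVICE_PORTS.get(d["svc"])
    else:
        return None
    return {"rt": datetime.strptime(d["ts"], "%b %d %Y %H:%M:%S").isoformat(),
            "vendor": vendor, "product": product, "sig": sig,
            "act": d["act"].lower(), "proto": d["proto"].lower(),
            "src": d["src"], "spt": int(d["spt"]), "dst": d["dst"], "dpt": dpt}

def _esc(value, specials):
    """CEF escaping: backslash first, then the characters special to that part of the line."""
    s = str(value).replace("\\", "\\\\")
    for c in specials:
        s = s.replace(c, "\\" + c)
    return s

def to_cef(ev):
    """Serialize a normalized event as CEF; device version 'unknown' and severity 5 are placeholders."""
    header = [ev["vendor"], ev["product"], "unknown", ev["sig"], ev["act"] + " " + ev["proto"], "5"]
    keys = ("src", "spt", "dst", "dpt", "proto", "act")
    ext = " ".join(f"{k}={_esc(ev[k], '=')}" for k in keys if ev[k] is not None)
    return "CEF:0|" + "|".join(_esc(h, "|") for h in header) + "|" + ext

def blocked_connections(events):
    """The payoff of structure: one query across both firewalls, no vendor-specific parsing."""
    return [(e["src"], e["dst"], e["dpt"]) for e in events if e["act"] in ("deny", "drop")]
```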

3. Simplify management, data transformation and ensure persistence

See the topography, deploy connectors, manage health of producers and subscribers


4. Collect data from diversified sources at high volumes and speed

• Real-time data normalization, categorization and enrichment adds security context to raw data

• 400+ out-of-the-box Smart Connectors add security expertise with better precision

Enrich data in real-time to give analysts organized information that can be acted upon instantly

Recent ADP Release Highlights: Available Now!

ADP 2.2: Event Broker Topology View (ArcMC 2.70, Event Broker 2.10)

• Visibility into all EB topics

• Show all data flow paths

ADP 2.2: Instant Connector Deployment (ArcMC 2.70, Connectors 7.70)

Capability:

• Connector deployment on remote hosts through ArcSight UI

• In-context deployment View UI

• Re-usable deployment templates with configuration values for source and destination

• Multiple Connectors deployed on a single host

• Centralized management of long running deployment jobs

Benefit: Improves security administrator productivity by providing a quick and easy deployment option, so that administrators can onboard new data sources or readjust the connector deployment layout quickly and with ease.

ADP 2.2: ArcSight Secure Data Add-on for ADP (ArcMC 2.70, Connectors 7.70)

Capability:

• Configure fields for encryption

• Encrypt once in connectors

Benefit: Quickly protect PII and reduce data spillage risk.

ADP 2.2: Logger 6.5 Updates

Capability:

• Create Reports from Logger Queries

• Archives will include indexes

• ADP Logger standalone mode: both for appliances and software

• Complete support for SHA-2: receivers and forwarders, archiving, SSL signatures

• Complete support for TLS 1.2: peer communications, on-board connector

• Dark Theme for Logger

• Concurrent Searches

Benefit: Easy-to-use Logger reporting tools with an enhanced UI help optimize analyst time and generate comprehensive reports and dashboards for compliance and other use cases.

ADP 2.2: Immutable Storage (long-time Logger feature) (Logger 6.5)

Capability:

• Data cannot be updated or deleted

• Data stored in chunks with hashes for validation

• Original raw event preserved

• Confidence in accuracy, with timestamps as the record moves through the chain of collection

• Compliance packages available for PCI, HIPAA, ITGov, SOX, NERC

• Up to 10:1 compression ratio

Benefit: Validation that the records have not been tampered with after collection.

ADP Roadmap: Coming Soon!

ADP Event Broker Roadmap

“Guest Data” (pass through)

Kafka cluster replication

Complete CEB (Syslog)

File, DB, Flex CEB

Automatic parser selection

Connected entities service

JSON, Binary (ESM) transformation

Configurable transformations framework

Configurable enrichment framework

Multi-master deployment

Packaged deployment on external Kafka

EB appliance (G10)

ACL on topics

Themes: Any sources, any destinations, any scale

ADP Connectors Roadmap

Cloud connectors (AWS Cloud Watch – VPC, Azure Cloud Monitor – SSPR)

Certify more CEF partners (Checkpoint R80.10 coming)

FPE Voltage IP and MAC support

White listing DNS (DNS Analytics)

Connector updates: framework and parsers

WiNC on Linux

Universal editor for content

Parser authoring tool

CEF superset

Support Global Event ID

Themes: More sources, smart enrichment, ease of use, architecture

ADP Management Console Roadmap

Source device monitoring rules and notifications

Source devices behavior baselines and machine learning

Centralized health monitoring and management across portfolio

Detailed data flows measurement: for licensing and health monitoring

Centralized licensing across portfolio

Centralized user access management for all products

Themes: All modules, better monitoring, ease of use

ADP Logger Roadmap

Voltage decryption from Logger UI

Secure authenticated SMTP notifications

Improved archive usability: retention policies, better ACL

Reporting as an ADP service (on ESM and Investigate data)

Custom fields suggestion based on the data

CEF superset

Search Logger peers from the Investigate UI

Themes: Secure archive, reporting, architecture

Thanks!