ArcSight Data Platform
Open Architecture Data Collection With Normalized Data Everywhere is needed.
Eugenio “Gene” Marrero, Lead Solution Architect, Pre-sales
www.microfocus.com
This is a rolling (up to three year) roadmap and is subject to change without notice.
Forward-looking statements
This document contains forward looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Micro Focus ArcSight’s predictions and / or expectations as of the date of this document and actual results and future plans of Hewlett-Packard may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions.
User Interface depictions should be considered non-final and subject to re-design and / or removal.
ArcSight Portfolio
An open security analytics suite
ArcSight ESM: Broad detection
ArcSight Marketplace: Curated Content
ArcSight Data Platform: Simplicity @ Scale
ArcSight UBA: Insider Threat
ArcSight Investigate: Faster & Smarter
ArcSight Data Platform: A centralized collection framework supports a growing and sophisticated SOC
Collect Data, Send Anywhere. Store data securely. Manage the ecosystem.
ArcSight Connector: Enriched for security; Broad sourcing (175 CEF partners)
Event Broker: Any destination/standard interface; Easy scale out; Stream processing
Management Console: Centralized management; Centralized licensing
Logger: Cost efficient archiving; Immutable data; Reporting
Big Data challenges and how ArcSight addresses these
The Challenge: Data doubles every 2 yrs.; expect 44 zettabytes by 2020. The Solution: Collect data from diversified sources at high volumes and speed.
The Challenge: Different use cases for Big Data require multiple data destinations. The Solution: Collect data once and send valuable security data to Hadoop, 3rd party tools.
The Challenge: Increasing complexity of management/distribution of good security data. The Solution: Simplify management of pipelines, data transformation and ensure persistence.
The Challenge: Analytics cannot be performed on unstructured data. The Solution: Enrich data in real-time with security expertise for threat detection & analytics.
1. Collect data once and send valuable security data to many places
Immutable Compliance Data Store
Graph based analytics
General security big data lake (SBDL)
Real Time Correlation
High end analytics notebook
It ends up being messy to manage. Except worse: imagine hundreds of sources.
(Diagram labels: data sources, destinations)
Here’s the nice way to clean it up: collect it once, use it everywhere.
(Diagram labels: data sources; Event Broker (Message Broker); destinations: ArcSight Stack, Elastic Stack, Others)
2. Enrich data in real-time with security expertise: Let’s talk about normalized data
Lesson: Structured data matters
Benefit: Future proofing, fast and efficient forensic analysis
Without…
Dec 2 2015 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside
Dec 2 2015 14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 src 10.2.146.12 s_port 2523 dst 10.2.10.2 service ms-sql-m proto udp rule 49
With
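To make the "structured data matters" point concrete, here is an added example (not ArcSight's connector code) that maps the two raw lines above onto one common schema, serializes each as a CEF line, and then answers a single vendor-neutral question over both. The regexes, the Event schema and the "unknown" device version are assumptions chosen for these two formats only.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the two raw firewall events quoted on the slide, re-joined into one line each.
RAW_EVENTS = [
    "Dec 2 2015 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 "
    "to 204.110.227.16/443 flags FIN ACK on interface outside",
    "Dec 2 2015 14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 src 10.2.146.12 "
    "s_port 2523 dst 10.2.10.2 service ms-sql-m proto udp rule 49",
]
# One parser per raw format (assumption: only these two device formats occur).
PIX_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d{4} [\d:]{8}): %PIX-\d-(?P<sig>\d+): (?P<act>\w+) (?P<proto>\w+) "
                    r".*?from (?P<src>[\d.]+)/(?P<spt>\d+) to (?P<dst>[\d.]+)/(?P<dpt>\d+)")
CP_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d{4} [\d:]{8}) (?P<act>\w+) \S+ >\S+ product (?P<product>.+?) "
                   r"src (?P<src>[\d.]+) s_port (?P<spt>\d+) dst (?P<dst>[\d.]+) service (?P<app>\S+) "
                   r"proto (?P<proto>\w+) rule (?P<sig>\d+)")
ACTIONS = {"deny": "deny", "drop": "deny", "permit": "accept", "accept": "accept"}  # vendor verb -> common value

@dataclass
class Event:  # the common schema every source is mapped onto; dpt is None when the device names a service instead
    vendor: str; product: str; sig: str; ts: str; act: str; proto: str
    src: str; spt: int; dst: str; dpt: Optional[int]; app: str

def normalize(raw: str) -> Event:
    """Map one raw line onto the common schema; an unknown format raises rather than being silently dropped."""
    if m := PIX_RE.match(raw):
        return Event("Cisco", "PIX", m["sig"], m["ts"], ACTIONS[m["act"].lower()], m["proto"].lower(),
                     m["src"], int(m["spt"]), m["dst"], int(m["dpt"]), "")
    if m := CP_RE.match(raw):
        return Event("Check Point", m["product"], m["sig"], m["ts"], ACTIONS[m["act"].lower()],
                     m["proto"].lower(), m["src"], int(m["spt"]), m["dst"], None, m["app"])
    raise ValueError(f"no parser for: {raw[:40]!r}")

def _esc(value, special: str) -> str:
    """CEF escaping: backslash always, plus '|' in header fields or '=' in extension values."""
    return str(value).replace("\\", "\\\\").replace(special, "\\" + special)

def to_cef(e: Event) -> str:
    """Serialize the normalized event as a CEF line (device version is unknown here, so a placeholder is used)."""
    ext = {"act": e.act, "proto": e.proto, "src": e.src, "spt": e.spt, "dst": e.dst, "dpt": e.dpt, "app": e.app}
    body = " ".join(f"{k}={_esc(v, '=')}" for k, v in ext.items() if v not in (None, ""))
    header = "|".join(_esc(f, "|") for f in ("CEF:0", e.vendor, e.product, "unknown", e.sig, e.act, "5"))
    return header + "|" + body

def denied_flows(raws) -> list:
    """One vendor-neutral query across both sources: (src, dst) pairs of denied traffic."""
    return [(e.src, e.dst) for e in map(normalize, raws) if e.act == "deny"]
```

The last function is the payoff: once "Deny" and "drop" both land in `act`, a forensic query no longer needs to know which firewall wrote the line.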
3. Simplify management, data transformation and ensure persistence
See the topology, deploy connectors, manage health of producers and subscribers
4. Collect data from diversified sources at high volumes and speed
• Real-time data normalization, categorization and enrichment adds security context to raw data
• 400+ out-of-the-box Smart Connectors add security expertise with better precision
Enrich data in real-time to give analysts organized information that can be acted upon instantly
ADP 2.2: Event Broker Topology View (ArcMC 2.70, Event Broker 2.10)
• Visibility in all EB topics
• Show all data flow paths
ADP 2.2: Instant Connector Deployment (ArcMC 2.70, Connectors 7.70)
Capability:
• Connector deployment on remote hosts through ArcSight UI
• In-context deployment View UI
• Re-usable deployment templates with configuration values for source and destination
• Multiple Connectors deployed on a single host
• Centralized management of long running deployment jobs
Benefit: Improve security administrator productivity by providing a quick and easy deployment option, so that they can onboard new data sources or readjust the connector deployment layout quickly.
ADP 2.2: ArcSight Secure Data Add-on for ADP (ArcMC 2.70, Connectors 7.70)
Capability:
• Configure fields for encryption
• Encrypt once in connectors
Benefit: Quickly protect PII and reduce data spillage risk.
ADP 2.2: Logger 6.5 Updates
Capability:
• Create Reports from Logger Queries
• Archives will include Indexes
• ADP Logger standalone mode: both for appliances and software
• Complete support for SHA-2: receivers and forwarders, archiving, SSL signatures
• Complete support for TLS 1.2: peer communications, on-board connector
• Dark Theme for Logger
• Concurrent Searches
Benefit: Easy to use Logger reporting tools with an enhanced UI help optimize analyst time and generate comprehensive reports and dashboards for compliance and other use cases
ADP 2.2: Immutable Storage (long-time Logger feature) (Logger 6.5)
Capability:
• Data cannot be updated or deleted
• Data stored in chunks with hashes for validation
• Original raw event preserved
• Confidence in accuracy with timestamps as the record moves through the chain of collection
• Compliance packages available for PCI, HIPAA, ITGov, SOX, NERC
• Up to 10:1 compression ratio
Benefit: Validation that the records have not been tampered with after collection
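The chunk-plus-hash idea behind that validation benefit, as an added illustration rather than Logger's actual storage format: raw events are sealed into fixed-size chunks, each chunk records its receipt-stamped records, the previous chunk's hash and its own SHA-256, and a verifier reports the first chunk whose contents or back-link no longer match. The chunk size, the JSON encoding and the sample events are assumptions made for this example.

```python
import hashlib
import json

CHUNK_SIZE = 2      # events per chunk; deliberately tiny for illustration (not Logger's real chunk size)
GENESIS = "0" * 64  # back-link value carried by the first chunk

# Constructed sample: raw lines exactly as received, each stamped with its receipt time.
SAMPLE_EVENTS = [
    {"received": "2015-12-02T12:16:03Z", "raw": "constructed raw event 1"},
    {"received": "2015-12-02T14:53:16Z", "raw": "constructed raw event 2"},
    {"received": "2015-12-02T14:53:17Z", "raw": "constructed raw event 3"},
]

def _canonical(body: dict) -> bytes:
    """Deterministic encoding so the same body always produces the same hash."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def build_store(events: list) -> list:
    """Seal events into chunks. Each chunk carries the untouched raw records, the previous chunk's
    hash and its own SHA-256, so an edit, deletion or reordering anywhere shows up on verification."""
    chunks, prev = [], GENESIS
    for start in range(0, len(events), CHUNK_SIZE):
        body = {"prev": prev, "records": [dict(e) for e in events[start:start + CHUNK_SIZE]]}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        chunks.append({"body": body, "hash": digest})
        prev = digest
    return chunks

def verify_store(chunks: list):
    """Recompute every chunk hash and back-link; return the index of the first failing chunk, else None."""
    prev = GENESIS
    for idx, chunk in enumerate(chunks):
        recomputed = hashlib.sha256(_canonical(chunk["body"])).hexdigest()
        if chunk["body"]["prev"] != prev or recomputed != chunk["hash"]:
            return idx
        prev = chunk["hash"]
    return None

def raw_events(chunks: list) -> list:
    """Read back the original raw lines in collection order; the raw event is preserved verbatim."""
    return [r["raw"] for c in chunks for r in c["body"]["records"]]
```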
ADP Event Broker Roadmap
Themes: Any Sources, Any Destinations, Any Scale
Features:
• “Guest Data” (pass through)
• Kafka cluster replication
• Complete CEB (Syslog)
• File, DB, Flex CEB
• Automatic parser selection
• Connected entities service
• JSON, Binary (ESM) transformation
• Configurable transformations framework
• Configurable enrichment framework
• Multi-master deployment
• Packaged deployment on external Kafka
• EB appliance (G10)
• ACL on topics
Rolling roadmap up to three years and is subject to change without notice
ADP Connectors Roadmap
Themes: More Sources, Smart Enrichment, Ease of Use, Architecture
Features:
• Cloud connectors (AWS CloudWatch – VPC, Azure Cloud Monitor – SSPR)
• Certify more CEF partners (Check Point R80.10 coming)
• FPE Voltage IP and MAC support
• White listing DNS (DNS Analytics)
• Connector updates: framework and parsers
• WiNC on Linux
• Universal editor for content
• Parser authoring tool
• CEF superset
• Support Global Event ID
Rolling roadmap up to three years and is subject to change without notice
ADP Management Console Roadmap
Themes: All Modules, Better Monitoring, Ease of Use
Features:
• Source device monitoring rules and notifications
• Source device behavior baselines and machine learning
• Centralized health monitoring and management across portfolio
• Detailed data flow measurement: for licensing and health monitoring
• Centralized licensing across portfolio
• Centralized user access management for all products
Rolling roadmap up to three years and is subject to change without notice
ADP Logger Roadmap
Themes: Secure Archive, Reporting, Architecture
Features:
• Voltage decryption from Logger UI
• Secure authenticated SMTP notifications
• Improved archive usability: retention policies, better ACL
• Reporting as an ADP service (on ESM and Investigate data)
• Custom field suggestions based on the data
• CEF superset
• Search Logger peers from the Investigate UI
Rolling roadmap up to three years and is subject to change without notice