ArcSight Intelligent Security Operations
Petr Hněvkovský, CISSP, CISM, CISA, CEH
Senior Solution Architect, EMEA
June, 2017
ArcSight empowers Intelligent Security Operations
Challenges to the Security Operations Center
Increasing rate of data
Limited detection and response tools
Complex and slow investigation capabilities
Intelligent Security Operations Increase Speed, Simplicity and Effectiveness Across Entire Workflow
Visibility Without Boundaries (ArcSight ADP) | Comprehensive Detection (ArcSight ESM) | Intuitive Investigation (ArcSight Investigate)
Proven, accurate and fast
Open, relevant and intuitive
ArcSight Investigate
• Investigation | Analytics
ArcSight ESM
• Real-time Correlation | Alerting | Workflow
ArcSight Data Platform
• Connectors | Event Broker | Management | Retention
ArcSight master architecture: actively evolving beyond traditional SIEM to support the Intelligent SOC

(Architecture diagram; the recoverable labels, top to bottom:)
• Layers: Visibility; Comprehensive Detection & Analytics; Investigation & Remediation
• Analytics engines & investigation modules: Investigation (Search, Entity Profiling, Hunt, Linked Data Analytics); Intelligent Queue; SIEM Alerts; User Behavior Analytics; DNS Malware Analytics; App Defender Analytics; Other Analytics; Use Case Library
• Dashboards | Reports | Workflow | Case Mgmt | Runbooks; Real-time Correlation engine (ESM)
• Data flow: Smart Connectors / Event Streams → Event Broker; Third Party Repositories (i.e. Hadoop); External Information; 3rd Party Integration
• Data sources (structured & unstructured) + control points: IT, OT, IoT, Physical; Users, Cloud, Apps, Servers & Workloads, Network, Endpoints, IoT
• Security Operations (on-prem & managed): Security Analysts Level 1, Security Analysts Level 2, Hunt Team; Response; Ticketing & Workflow
• Identity & Configuration: Active Directory, Config Mgmt DB; IT Operations & Management Systems
• Intelligence Feeds: Threat Central, 3rd Party Feeds
ArcSight Data Platform: expand the visibility of your data

Visibility Without Boundaries
• Faster detection with business optics: real-time security context
• Keeping up with growing environments: scalability through variety and velocity
• Integrating data lakes with security apps: open architecture to maximize usage

ArcSight Data Platform summary
• Platform: universal platform for the ArcSight portfolio
• Complete bundle: unlimited Connectors & FlexConnectors; brand new Quick Flex parser tool; unlimited device & Connector management (ArcMC); new resilient Kafka Event Broker; licensed Logger
• Simplified licensing: volume only, in GB/day; pay once, consume many
• HA & NP: HA/NP does not license additional capacity
• 3rd party: support for 3rd-party destinations like Hadoop
Event Broker: what's new?
The ADP innovation: Event Broker
Key Attributes
– Open
• Documented Kafka-based standard interface
• HDFS integration
– Scale
• 1M EPS
• Connector scale improved, reducing dual-feed impact
– Security Focus
• Built-in HA reliability, four nines (99.99%)
• TLS 1.2 encryption for data in motion
Data hub that takes data from anywhere and sends it to any destination, including ArcSight applications, third-party applications and in-house data lakes.
Kafka in a nutshell
• Producer: pushes messages into a Kafka topic
• Consumer: subscribes to one or more topics and pulls messages from Kafka
• Topics: messages are placed in topics
• Kafka cluster: typically an odd number of nodes
• ZooKeeper: coordinates the services in Kafka
Messages are pushed to Kafka topics and pulled by the consumers that subscribe to those topics.
Event Broker
(Diagram: "Without Event Broker", connectors feed Loggers and ESM directly; "With Event Broker", connectors feed the Event Broker, which fans out to Loggers, ESM, Investigate (Vertica), Spark, ArcMC and 3rd parties.)
• Open architecture
• Scalable: sources and destinations
• Centralized data manipulation
Event Broker: above and beyond open source Kafka

Capability                                              Kafka   Event Broker
Message bus: distributed, high-performance pub-sub bus  Y       Y
Resilience: redundant message pipelines                 Y       Y
Enterprise readiness: qualified open source packages            Y
Best-practices planning guide                                   Y
Container-based deployment                                      Y
Centralized and local management                                Y
System and app monitoring                                       Y
Fine-tuned for SOC: ready-to-go security hardening              Y (FIPS 140-2)
Event filtering and routing                                     Y (CEF messages)
Format transformation engine                                    Y (CEF to binary, CEF to Avro)
Ready-to-go producer topics                                     Y (CEF, binary (ESM))
Ready-to-go consumer topics                                     Y (CEF, binary (ESM), Avro, HDFS)
Connector: what's new?
The ADP innovation: Connector
Key Attributes
Augments data with security context to make it better suited for security applications.
– Open
• Collect data from any data source and make it security relevant
• Support new device versions by releasing parsers every 4 weeks
– Scale
• Support a large variety of devices in large environments with 350+ out-of-the-box connectors
– Security Focus
• Normalize, categorize and enrich data for better correlation and analytics
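The Event Broker's CEF filtering and routing (above) and the Connector's normalize/categorize/enrich step both start from the same thing: a parsed CEF event. The following is an added example, not ArcSight's own code, showing a minimal CEF parser that honours the format's escaping rules (`\|` and `\\` in the header, `\=` and `\\` in extension values), attaches a category from a small lookup table, and fans each event out to every topic whose predicate matches. The sample lines, the category labels and the topic names (`cef-all`, `esm-priority`, `lake-archive`) are constructed for illustration and are not ArcSight defaults.

```python
"""Parse CEF lines, normalize/categorize them and route them to topics.

Added example; category labels and topic names are assumptions, not
ArcSight's own schema or default topics.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Constructed sample events (not real device output). Note the escaped pipe
# in a header field, the escaped '=' in a value and a doubled backslash.
SAMPLE_CEF = [
    "CEF:0|Acme|Firewall|1.0|100|Connection denied|7|src=10.0.0.5 dst=192.0.2.10 dpt=22 proto=TCP act=deny",
    "CEF:0|Acme|AuthServer|2.1|200|Login failed|3|suser=alice src=203.0.113.7 msg=bad password outcome=failure",
    "CEF:0|Acme|Web\\|Proxy|3.0|300|Web request|1|src=10.0.0.8 request=http://example.test/a\\=b cs1=back\\\\slash",
]

# Assumed categorization table: (device product, signature id) -> category.
CATEGORY_TABLE = {
    ("Firewall", "100"): "/Firewall/Access/Deny",
    ("AuthServer", "200"): "/Authentication/Failure",
}

# Extension keys start at the beginning or after whitespace; a value runs up
# to the next key, so values containing spaces (msg=bad password) survive.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(text: str) -> Tuple[List[str], str]:
    """Split the 7 pipe-delimited header fields, honouring '\\|' and '\\\\'."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, text[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'k=v k2=v2 ...' into a dict, unescaping '\\=' and '\\\\'."""
    out: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\(.)", r"\1", raw)
    return out


def normalize(line: str) -> Event:
    """Parse one CEF line into a normalized event and attach a category."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    header, ext = _split_header(line[len("CEF:"):])
    event: Event = {
        "cef_version": header[0],
        "device_vendor": header[1],
        "device_product": header[2],
        "device_version": header[3],
        "signature_id": header[4],
        "name": header[5],
        "severity": int(header[6]),  # non-numeric severity -> ValueError -> rejected
        "extension": _parse_extension(ext),
    }
    event["category"] = CATEGORY_TABLE.get(
        (event["device_product"], event["signature_id"]), "/Uncategorized")
    return event


# Assumed routing table: topic -> predicate. An event may land in several
# topics: everything keeps an archive copy, priority events also go to the
# correlation engine, proxy traffic also goes to the data lake.
ROUTES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("cef-all", lambda e: True),
    ("esm-priority", lambda e: e["severity"] >= 5
        or str(e["category"]).startswith("/Authentication")),
    ("lake-archive", lambda e: str(e["device_product"]).endswith("Proxy")),
]


def route(lines: List[str]) -> Tuple[Dict[str, List[Event]], List[Tuple[str, str]]]:
    """Normalize each line and fan it out to every matching topic.
    Unparseable lines are returned separately rather than silently dropped."""
    topics: Dict[str, List[Event]] = {name: [] for name, _ in ROUTES}
    rejected: List[Tuple[str, str]] = []
    for line in lines:
        try:
            ev = normalize(line)
        except ValueError as exc:
            rejected.append((line, str(exc)))
            continue
        for name, pred in ROUTES:
            if pred(ev):
                topics[name].append(ev)
    return topics, rejected


if __name__ == "__main__":
    by_topic, bad = route(SAMPLE_CEF + ["not cef at all"])
    for name, evs in by_topic.items():
        print(name, [e["name"] for e in evs])
    print("rejected:", bad)
```

Two points worth noticing in the design: the header is split with an explicit escape-aware scanner rather than `split("|")`, because a product name such as `Web\|Proxy` would otherwise shift every later field (and the severity used for routing); and rejected lines are surfaced to the caller, since an event pipeline that drops what it cannot parse is exactly where a malformed-on-purpose record would hide.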
New Quick Flex tool available
• Speeds up FlexConnector development
• Available free with ADP
https://www.protect724.hpe.com/groups/arcsight-product-announcements/blog/2016/12/20/quick-flex-is-now-available
See the video tutorial on
https://www.protect724.hpe.com/docs/DOC-14871
Logger: what's new?
The ADP innovation: Data Retention (Logger)
Key Attributes
– Scale
• 1M EPS in a 100-peer architecture
• 100 concurrent searches
– Performance
• Search speed for typical searches improved by 50%, some by 2x
• 10:1 compression ratio to store up to 1200 TB of data
– Security
• Data-at-rest encryption on ADP appliances
Cost-effective universal log management solution that unifies searching, reporting, alerting, and analysis across any type of enterprise machine data.
ArcSight Management Console: what's new?
The ADP innovation: Management Console
Key Attributes
– Ease of Management
• Single-view centralized management
• Topology & System Health Monitoring
• Bulk operations for destination configuration and managing upgrades
– Performance
• Easily supports hundreds of connectors and entities
• Screen response time slashed by 70%
Centralized Management Console for end-to-end monitoring
of the entire security posture.
Management Console: end-to-end monitoring
‒ Topology view for a consolidated view
‒ Display device information on hover
‒ Sort devices by region / groups
Management Console: device monitoring
‒ Detect health-related issues, like events dropping
• Shows which devices are not sending events (inactive devices)
• Suspicious EPS spike or drop
‒ Health feedback with ability to drill down
• All devices by product type, with drill-down to locate a specific device
Management Console: centralized ADP license tracking
‒ Track ADP licenses in one place
ArcSight Data Platform (ADP)
Capabilities/Benefits
– Event Broker: extend visibility to third-party applications with a Kafka-based, open-architecture data hub
– 1M EPS ingestion rate: scale seamlessly to expand security posture
– Centralized management console: simplify management with end-to-end environment monitoring and bulk operations with ArcMC
– 10:1 data compression ratio: reduce the cost of data storage with compressed logs, up to 1200 TB
– Data enrichment: improve threat detection and analysis by security applications through data augmented with security context
– 350+ pre-built connectors: extend data collection sources without manual customization
Open and scalable security data solution that can take data from any source and send it to any location, including third-party applications like Hadoop.
HPE Security ArcSight Data Platform – Quick Overview: laying the foundation for intelligent security operations
Open architecture with scale and security (Open Architecture | Scalability | Built for Security | Data Collection)
• Open and scalable architecture for multiple DBs/apps
• Send data to any destination
• 1 million events per second data ingestion
• Compress/store up to 480 TB
• 100 concurrent searches
• Enhance manageability of hundreds of entities
• Augment data with security context in real time, enabling faster threat detection
• 350+ out-of-the-box connectors
• Encrypted, compressed logs
• FlexConnector Wizard automates connections
• One management console simplifying deployment and updates
ArcSight ESM: Comprehensive detection

ESM functionality in 2 mins
(Pipeline diagram; the recoverable labels:)
• Inputs: basic log events; alerts from other engines; 3rd-party context
• Context: asset model, network model, vulnerability model, user model
• Detection (enrichment, rules engine, ActiveChannel): match or lightweight rules; aggregation rules; prioritization; ActiveChannel "news feeds" as a visual representation of real-time correlation
• Investigation: enrichment; baselines/trends; lists; search
• Case management: integration commands; action connectors; partners; annotations; case management
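The rules engine above lists three building blocks: match (lightweight) rules, aggregation rules, and prioritization against the asset model. The following is an added example, not ESM's own rule language or content, that implements each of them over a small constructed event stream: a lightweight rule that fires on a single event, an aggregation rule that fires once when a threshold of events sharing a key falls inside a time window, and a priority that raises the rule's base severity by the target asset's criticality. The asset model, the internal address ranges, the rule names, the priority formula and the sample events are all assumptions for illustration.

```python
"""Match rule, aggregation rule and prioritization over a normalized event
stream. Added example; the asset/network model, rule names and priority
formula are assumptions for illustration, not ESM's own content."""
import ipaddress
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional, Tuple

Event = Dict[str, object]
Alert = Dict[str, object]

# Assumed asset model: target IP -> business criticality (1 low .. 10 high).
ASSET_MODEL: Dict[str, int] = {"192.0.2.10": 9, "192.0.2.20": 3}
# Assumed network model: address ranges considered internal.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Constructed, already-normalized sample stream (time = epoch seconds).
EVENTS: List[Event] = [
    {"time": 1000, "name": "Login failed", "src": "203.0.113.7", "dst": "192.0.2.10", "suser": "alice", "severity": 3},
    {"time": 1010, "name": "Login failed", "src": "203.0.113.7", "dst": "192.0.2.10", "suser": "alice", "severity": 3},
    {"time": 1020, "name": "Login failed", "src": "203.0.113.7", "dst": "192.0.2.10", "suser": "alice", "severity": 3},
    {"time": 1025, "name": "Login success", "src": "203.0.113.7", "dst": "192.0.2.10", "suser": "alice", "severity": 1},
    {"time": 1030, "name": "Login failed", "src": "198.51.100.4", "dst": "192.0.2.20", "suser": "bob", "severity": 3},
    {"time": 1500, "name": "Login failed", "src": "198.51.100.4", "dst": "192.0.2.20", "suser": "bob", "severity": 3},
    {"time": 1600, "name": "Login failed", "src": "198.51.100.4", "dst": "192.0.2.20", "suser": "bob", "severity": 3},
]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def prioritize(base_severity: int, target: str) -> int:
    """Prioritization: raise the rule's base severity by the target's criticality."""
    return min(10, base_severity + ASSET_MODEL.get(target, 1) // 2)


def _alert(rule: str, ev: Event, base: int, detail: str) -> Alert:
    return {"rule": rule, "time": ev["time"], "target": ev["dst"],
            "priority": prioritize(base, str(ev["dst"])), "detail": detail}


class MatchRule:
    """Lightweight rule: fires on every single event the predicate accepts."""
    def __init__(self, name: str, predicate: Callable[[Event], bool], base_severity: int):
        self.name, self.pred, self.base = name, predicate, base_severity

    def feed(self, ev: Event) -> Optional[Alert]:
        if self.pred(ev):
            return _alert(self.name, ev, self.base, f"{ev['suser']} from {ev['src']}")
        return None


class AggregationRule:
    """Fires when `threshold` matching events share `key_fields` within
    `window` seconds, then resets that key so one burst yields one alert."""
    def __init__(self, name, predicate, key_fields, threshold, window, base_severity):
        self.name, self.pred, self.keys = name, predicate, key_fields
        self.threshold, self.window, self.base = threshold, window, base_severity
        self._seen: Dict[Tuple, Deque[int]] = defaultdict(deque)

    def feed(self, ev: Event) -> Optional[Alert]:
        if not self.pred(ev):
            return None
        key = tuple(ev[f] for f in self.keys)
        q = self._seen[key]
        now = int(ev["time"])
        q.append(now)
        while q and now - q[0] > self.window:   # expire events outside the window
            q.popleft()
        if len(q) >= self.threshold:
            count = len(q)
            q.clear()
            return _alert(self.name, ev, self.base, f"{count} x {ev['name']} for {key}")
        return None


def build_rules() -> list:
    """Fresh rule instances (aggregation rules carry state) for one run."""
    return [
        AggregationRule("Brute force: 3 failures in 60s",
                        lambda e: e["name"] == "Login failed",
                        ("src", "suser"), threshold=3, window=60, base_severity=6),
        MatchRule("External login to critical asset",
                  lambda e: e["name"] == "Login success" and is_external(str(e["src"]))
                  and ASSET_MODEL.get(str(e["dst"]), 0) >= 8,
                  base_severity=5),
    ]


def run(events: List[Event], rules) -> List[Alert]:
    """Feed events in time order through every rule; return alerts by priority."""
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: int(e["time"])):
        for rule in rules:
            hit = rule.feed(ev)
            if hit:
                alerts.append(hit)
    return sorted(alerts, key=lambda a: (-int(a["priority"]), int(a["time"])))


if __name__ == "__main__":
    for a in run(EVENTS, build_rules()):
        print(a["priority"], a["time"], a["rule"], a["detail"])
```

With the sample stream, alice's three failures inside 20 seconds trigger the aggregation rule, and her following success from an external address against the criticality-9 host trigger the match rule; bob's three failures are spread over 570 seconds and never fall inside one 60-second window, so they produce nothing. Note that the window is evaluated per key and the deque is cleared on firing, which is what keeps a single brute-force burst from producing one alert per subsequent event.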
Advances in ESM 6.11 – At A Glance
• IPv6 Support: support super-enterprise scale with native IPv6 and dual-stack capabilities
• ACC Functional Enhancements: now with improved case management functionality, integration commands, and more, for easier investigation
• UI Overhaul: completely revamped looks in the Console and Web UIs
• Big Data: next-gen architecture with support for the Kafka-enabled Event Broker and Investigate integrations
IPv6 (Modern Data)
IPv6 Support: support super-enterprise scale with native IPv6 and dual-stack capabilities
Problem: supersize enterprises, telcos and government agencies have run out of IPv4 address space and need products that support their new IPv6 environments

ACC Enhancements (Modern Feel)
ACC Enhancements (ArcSight Command Center): now with improved case management functionality, integration commands, and more, for easier investigation
Problem: ACC has seen limited adoption due to missing features and limited usability compared to the Console

UI Themes (Modern Look)
Problem: ESM has long been criticized for its dated look, especially in the Console
UI Themes: modernized looks in the Console and Web UIs with new light and dark themes

EB & Investigate Integration (Modern Architecture)
Problem: 1) event storms, unanticipated spikes in EPS levels that cause ESM to become unstable; 2) seamless integration between ESM and new products
Event Broker & ArcSight Investigate Integrations: next-gen architecture with support for Event Broker and ArcSight Investigate integrations
(Diagram: EB feeding ESM, Investigate, Logger, Hadoop and 3rd party.)
ESM 6.11 – Q2FY17: Modern Look, Architecture, and Data
(IPv6 Support, ACC Enhancements, UI Themes, and Event Broker & ArcSight Investigate Integrations, as above.)
Other
- BytesIn, BytesOut fix
- Favoriting Resources
- Common Criteria on 6.91
- New MSSP licensing reports
ArcSight Enterprise Security Manager 6.11 + fresh content
− Market-leading Real-time Correlation
− Threat Lifecycle
− Tailored use cases
− Central integration point for the SOC process
− Integrated SOC platform
4x more with same headcount
ESM & Activate adoption increased SOC efficiency 4x
ArcSight Investigate: Intuitive investigation
Complex tools are not helping
Challenges to performing security investigation
Running queries to analyze data at scale without understanding of complex
language and schema is hard
Every second counts
Speed is the key when security teams are looking for “previously unknown”
and advanced threats
Need the full picture
Disparate data storage delays the investigation process and limits ability
to track multi-stage attacks
HPE CONFIDENTIAL
Work Smarter
What Do We Need to Address These Challenges?
Accurately analyze higher-priority threats with intuitive solution
Act faster
Instantly process large volumes of data to identify threats
Reach Further
Leverage data lakes to store and access a full range of data
Intelligent Threat Investigation Solution
NEW! ArcSight Investigate
− 10x faster data retrieval
− Guided natural language search box
− Modern and intuitive data manipulations
− Powerful built-in analytics modules
− HDFS integration
− Next Generation Platform
Act Faster
Instantly process large volumes of data to identify threats
• Using Vertica, designed specifically for big-data queries, ArcSight Investigate can execute searches up to 10x faster than the competition to hunt for unknown threats
• Massively Parallel Processing (MPP) can run multiple searches instantly and take advantage of insights from Big Data to drive real value
Work Smarter
Accurately analyze higher-priority threats with intuitive solution
• Intuitive search and analysis translates search terms into security context and dynamically suggests relevant queries
• Enables junior security analysts to create queries without having to learn a specific query language and schema
• Create custom dashboards and visualizations with a few clicks to identify patterns, anomalies and relations of security events
Reach Further
Confidently hunt with a holistic view of all your data
• Integrated UI provides a seamless view to search and access data of any timeframe across Hadoop and ArcSight Investigate
• Access to all your data all the time with efficient storage options of both short-term data in Investigate and long-term data in Hadoop
"Companies of all sizes are considering data lakes as a way to deal with terabytes of security data that serve as an early indicator to identify bad or relevant behavior." Raffael Marty, CEO, Pixlcloud
(Data-flow diagram: Connectors → Event Broker → Vertica, where data is stored, searched and analyzed, and → Hadoop/HDFS as the data lake; the Search Application sits on top of both.)
ArcSight Investigate benefits
• Act faster to identify and respond to threats
• Work smarter with an intuitive solution
• Reach further by leveraging data lakes
• Decrease the impact of security incidents
• Minimize downtime by uncovering hidden threats
• Be productive from “Day 1”
• Reduce response time to advanced attacks
• Reduce risk by expanding the scope of investigation
• Lower TCO by optimizing data management cost
ArcSight GDPR use cases
• Log activities and changes
• Notify the DPO within the deadline
• Private data de-identification
• Detect and validate the breach
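The "private data de-identification" use case above is the one with a concrete technique behind it, so here is an added example of the usual approach, not ArcSight's implementation: keyed pseudonymization with HMAC-SHA256. Tokens are deterministic under one key, so an address or username still correlates across events (and across the `src`/`dst` fields) after de-identification, they cannot be reversed without the key, and a different key yields unrelated tokens. The token-to-value table needed for "detect and validate the breach" is kept by the pseudonymizer, separately from the logs. The field-to-data-class mapping and the sample events are assumptions for illustration.

```python
"""Keyed pseudonymization of personal data in security events.
Added example, not ArcSight's implementation: the field names and the data
classes they map to are assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Assumed mapping of event fields to a data class. Fields of the same class
# share a token space, so an address seen as src in one event and as dst in
# another still correlates after de-identification.
PII_FIELDS: Dict[str, str] = {"suser": "user", "duser": "user", "src": "ip", "dst": "ip"}


class Pseudonymizer:
    """HMAC-SHA256 tokens: deterministic under one key (joins still work),
    not invertible without the key, and different per key (no linkage across
    keys). The token->value table is the re-identification secret; it stays
    with the DPO, not with the logs."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use at least 256 bits of key material")
        self._key = key
        self._lookup: Dict[str, str] = {}

    def token(self, data_class: str, value: str) -> str:
        mac = hmac.new(self._key, f"{data_class}:{value}".encode("utf-8"), hashlib.sha256)
        tok = f"{data_class}-{mac.hexdigest()[:20]}"
        self._lookup[tok] = value
        return tok

    def deidentify(self, event: Event) -> Event:
        out: Event = {}
        for field, value in event.items():
            cls = PII_FIELDS.get(field)
            out[field] = self.token(cls, str(value)) if cls and value else value
        return out

    def reidentify(self, event: Event) -> Event:
        """Reverse via the lookup table (authorized use only, e.g. breach validation)."""
        return {f: self._lookup.get(v, v) if isinstance(v, str) else v
                for f, v in event.items()}


# Constructed sample events: the same two addresses appear with roles swapped.
SAMPLE_EVENTS: List[Event] = [
    {"time": 1000, "name": "Login failed", "src": "203.0.113.7", "dst": "192.0.2.10", "suser": "alice"},
    {"time": 1005, "name": "Connection denied", "src": "192.0.2.10", "dst": "203.0.113.7", "suser": ""},
]


def deidentify_stream(events: List[Event], key: bytes) -> Tuple[List[Event], Pseudonymizer]:
    """De-identify a batch under one key; return the cleaned events and the
    pseudonymizer that holds the re-identification table."""
    p = Pseudonymizer(key)
    return [p.deidentify(e) for e in events], p


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # in practice: from a KMS/HSM, rotated per retention period
    cleaned, p = deidentify_stream(SAMPLE_EVENTS, key)
    for e in cleaned:
        print(e)
```

The key is the whole security of the scheme: a plain hash of an IP address or username is trivially reversible by enumerating the input space, which is why an HMAC with a secret key is used rather than `sha256(value)`. Rotating the key per retention period limits how far back a compromised key can re-identify.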
2017 State of Security Operations, 4th annual report (Jan 2017)
Read the full report at hpe.com/software/StateOfSecOps
By region:
• North America: 1.52
• South America: 1.89
• DACH: 1.47
• UK: 1.26
• Nordics: 1.33
• Asia: 1.37
• Oceania: 1.00
• MEMA: 1.09
• BeNeLux: 1.79
• Europe: 1.30
82% of organizations are not meeting their business goals
27% of SOCs are failing to achieve minimum security monitoring capabilities
183 assessments
Top observations
• Full automation of operations is unrealistic
• Hunt-only search & response does not provide full coverage and effectiveness
• Increased capabilities come from hybrid staffing solutions
• Continuing trend: proliferation of threat hunt programs
• Emerging trend: development of security fusion centers
Industry findings
• Telecom: main concern is service availability
• Healthcare: preferred target of ransomware
• Government: struggle with long-term maturity
• Energy: increase in physical and ICS attacks and monitoring
• Financial: plagued by SWIFT attacks