First Aid for IT: Automated, Integrated & Dynamic Operations

Uploaded by hp-software-solutions, 20-Aug-2015

TRANSCRIPT

Page 1: First Aid for IT: Automated, Integrated & Dynamic Operations

www.arcsight.com © 2010 ArcSight Confidential

©2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

BTOS-TU-1700

Twitter hashtag #HPSWU

Page 2: First AID for IT – Automated, Integrated & Dynamic Operations

© 2010 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.

Hugh Njemanze

Founder, CTO, Executive VP of Research & Development

ArcSight – an HP Company

Page 3: Today’s Agenda

Today’s Challenges

– IT Ops and Service Availability

– Compliance

– Security Threats

How do SIEM and Log Management enable the Automated, Integrated and Dynamic Enterprise?

– What do SIEM and Log Management Products Do?

How can HP BTO and security products together help?

Page 4: Today’s Challenges

Three challenge areas (diagram): Security Threats; Compliance Controls & Reporting; IT Operations & Service Availability

Page 5: Security and IT Operations Challenges for the Enterprise

Diagram: the stakeholder groups Audit & Risk, Networking, Applications, Forensics, IT Operations, Security, Change Management and Infrastructure all bring questions to the same LOGS: Compliance Reporting, Network Availability, User Monitoring, Investigations, SLA Monitoring, Threat Monitoring, Configuration Monitoring and System Health, split between Security Monitoring and IT Operations.

Resulting pain points: Manual Security Monitoring, Challenging SLAs, Slow Forensics Response

Page 6: Today’s Problems: IT Operations

• 80% of application downtime is due to people or processes

• 1 hour of downtime means a loss of 250K USD or more for most companies

• Change management can reduce downtime by 35% and save 30% in costs

• Quickly resolve FCAPS issues to keep MTTR as short as possible

Page 7: Log Collection Challenges

Log sources (diagram): Network Devices, Servers, Mobile, Desktop, Security Devices, Physical Access, Apps, Databases, Identity Sources, Email

• More devices and growing log volumes

• Collection agents are not a feasible option

• Ensuring complete collection from all devices & locations

Page 8: Log Storage Challenges

• Retention requirements drive up storage costs

• Hard to manage logs distributed across native devices

• Tedious and error-prone log rotation

• Enforcing security and access controls

Page 9: Log Analysis Challenges

• Lots of different and cryptic log formats

• No simple search and reporting interface for users

• High-performance search and reporting is critical

• Expertise required to build regulation specific content


Page 10: Today’s Problems: Compliance

• 46 of 50 states in US require disclosure of breaches

• Europe currently reviewing similar laws

• Non-compliance means fines of millions of dollars, criminal charges and imprisonment

• Individual compliance solutions cost 10x more than consolidated ones

• Shrinking budgets and growing # of regulations require automation to maximize ROI

Page 11: More Compliance

More Regulations Affect More Companies

U.S.A.: Sarbanes-Oxley; NERC CIP 002-009; SB1386; S239; S248; S495; S806; S1178; S1260; HIPAA 1996/2002; FSMA/GLBA 1999/2001; COPPA 1998/2000; DMPEA 1999/2000; State Breach Laws

Canada: The Privacy Act 1983; PIPEDA 2001

Mexico: eCommerce Act 2000

South America: Chile – APPD 1998; Argentina – PDPA 2000

Europe: EU Directive; Basel II; Slovakia – Protection of Personal Data Act 2002 and Amendment Act 2005; Slovenia – (99); Hungary – On the Protection of Personal Data and the Disclosure of Data of Public Interest 1992; Czech – (00); Latvia – (00); Lithuania – (00); Greece – PIPPD 1995/1997; Portugal – PDPA 1995/1998; Italy – Data Protection Code; Malta – Data Protection Act 2001; Norway – Personal Data Act 2000; Finland – FPDA 1995/1999; Germany – FDPA 1995/2001, S 93 Telecommunications Act; Austria – DPA 1995/2000; Luxembourg – “EUD” 1995/2002; Netherlands – PDPA 1995/2001, Telecommunications Act; France – ADPDFIL 1978, “EUD” 1995, Postal and Electronic Communications Code; Spain – Personal Data Protection Act, Telecommunications Act; Ireland – Data Protection Act (1988) and Amendment Act (2003) and Ireland Data Protection Commission; Belgium – LPPLRPPD 1992, DPA 1995/2001; Sweden – PDPA 1995/1998, Electronic Communications Act; UK – DPA 1995/2000, Proposal by House of Lords Committee, Privacy and Electronic Communications Regulations; Denmark – DPRA 1978, Act on Processing of Personal Data 1995/2000; Estonia – (96); Poland – (98)

Africa: SALRC 2009

Asia Pacific: New Zealand – Privacy Act 1993; Australia – PA/PA(PS)A 1988/2000, 2001; South Korea – eCommerce Act 1999; Taiwan – CPPDP Law 1995; Hong Kong – Personal Data 1996, Code of Practice on Consumer Credit Data (2003), Privacy at Work (2004); India – Information Technology Act 2000 and Amendment Act 2006

Page 12: Confusing Compliance Requirements

Page 13: Today’s Problems: Security

• 859% of employees steal data on the way out

• Average cost of financial fraud is $500,000

• Cybercrime is committed every 10 seconds; twice the rate of actual real-world robberies

• 362 million identity records lost by the top ten known incidents

Page 14: More Security: Recent Cyber Attacks

• 27 American and South Korean government agencies attacked

• 50,000 to 65,000 computers used in the attack

• Attackers were generating about 23 megabits of data/second

• Attackers used 86 IP addresses in 16 countries, including the United States, Guatemala, Japan and China, but North Korea was not among them

Page 15: The Line of Sight Has Been Digitized

Diagram (threat landscape): Attacker, Zombie Control center, Zombies and Target, labelled with Zombie, Virus, Fraud, Malware, Hacking and Spam

Page 16: It is Fairly Easy to Launch a Cyber-attack

An Ounce of Prevention is Worth a Pound of Cure!

Page 17: Malware is Getting Worse

More Widespread and More Malicious

20x over the last 5 years

3x in the last year alone

Chart (Source: F-Secure): malware count by year, 1986 to 2008, on a scale from 0 to 1,600,000

Page 18: Is Your Staff Growing?

Bottom-line: The Problems are Growing

Regulations are Growing

Breaches are Growing

Malware is Growing

Problems are moving downstream and impacting more and more SMBs

Page 19: Effective log management can save you money by:

Helping to identify and mitigate security vulnerabilities

Helping with compliance reporting & controls

Simplifying and improving IT operations

Page 20: Leveraging SIEM and Log Management Products

Page 21: What is SIEM?

Page 22: SIEM in action

Event sources (diagram): Firewalls/VPN, Intrusion Detection Systems, Vulnerability Assessment, Network Equipment, Server and Desktop OS, Anti-Virus, Applications, Databases, Physical Infrastructure, Identity Management, Directory Services, System Health Information, Web Traffic

Funnel: Millions of Raw Events → Thousands of Security Relevant Events → Hundreds of Correlated Events

Risk-based Prioritization using Identified Threats, Known Vulnerabilities and Business-critical IT Assets: Critical Events Surfaced

Page 23: Before and After

Manual & Dispersed vs. Automated & Centralized with SIEM & Log Management

Helps in reducing cost, time and resources

Page 24: Problem: Security

“Everything looks like a one-off”

Too Many Devices on the Network

Too Many Different Device Types

Too Many Systems Exposed to the Internet

“I can’t understand the impact of this problem”

“We don’t even know when we are being attacked”

Page 25: Solution: Real-Time Correlation + Event History

SIEM and/or Log Management

Collect, categorize, correlate network/application activities

Alert staff, take automated action

Find unusual behavior in time to prevent loss:

Worms spreading through the firewall

Viruses spreading across desktops

Hackers accessing the network

Users running p2p applications

Remote accesses through the VPN

Use Log Management for forensics investigation:

How long has this been happening

Who else is involved

What systems are affected

Page 26: Problem: Compliance

“Even simple investigations require my best people”

Too Much Data

Too Many Formats

Too Hard to Consolidate

Too Expensive to Store

“My databases can’t retain this many years of audit data”

“We spend too much time preparing for an audit”

Page 27: Solution: Automated Compliance Reporting

Log Management

Collect, categorize, and capture for long term storage

Produce up-to-date and automatic reports for auditors

Perform forensics investigations in minutes

Low TCO to support multiple retention policies

Reports mapped directly to regulatory requirements

Page 28: Problem: IT Ops

“We are not aware of the downtime unless a ticket is opened”

Too Many Log Formats

Unplanned and unknown downtimes

Change management is difficult

Mean Time To Repair (MTTR) is too high

“Root cause analysis is difficult and takes a lot of time and resources”

“We never know who made the change that resulted in failure”

Page 29: Solution: Real-Time Correlation + Event History

SIEM and/or Log Management

Collect, categorize, correlate network/application activities

Alert staff, take automated action

Find unusual behavior in time to resolve issues across FCAPS: Fault, Configuration, Accounting, Performance, Security

Use Log Management for forensics investigation:

Who made the change

How well are your systems/resources being utilized

What other systems are impacted

Page 30: The Automated Integrated and Dynamic Enterprise

Diagram: Security Operations (Insider Threat, Perimeter Threat, Forensics, SANS) + Regulations & Industry Mandates (PCI, SOX, HIPAA, FISMA) + IT Operations (System Health, Network Avail, SLA)

Page 31: Key Evaluation Criteria

Does the technology…

• Collect from everything?

• Make events easy to read?

• Provide built-in security rules?

• Enable regulation-specific audit reporting?

• Efficiently retain and manage my data?

• Expand when I need it?

Page 32: The AID Platform That Delivers More

Diagram: stakeholder groups (Audit & Risk, Networking, Applications, Security, IT Operations, IT Governance, Change Management, Infrastructure); point tools (SIEM, NSMs, Forensic Tools); the HP BTO & ArcSight SIEM/Log Management Suite

Page 33: Customer Case Study: University of Tennessee

Compliance challenges quickly addressed after 2-day deployment

"Finding needles in the haystack" reduced from 45 minutes to 2 minutes

Reduced budgets highlight the operational efficiencies of ArcSight Logger

“Tremendous cost savings from ArcSight Logger” – James Perry, U. of Tenn

“We continue to find new applications for the product”

• e.g. Early detection of network outage warning signs

• e.g. PCI reporting across stores/restaurants on all campuses (150+ collection locations)

Page 34: Customer Success Profile: Large Healthcare Provider

COMPANY OVERVIEW

► Top 10 provider of health insurance plans in the nation

► 565,000 customers

► 1000 employees

► 10,500 healthcare providers

CHALLENGES

► Homegrown log management did not scale to event rates of network and server devices

► Compliance: containing the cost of HIPAA and other audits

► IT Operations: increasing pressure on SLA adherence

► Security team overburdened by forensics follow up

RESULTS

► Significant improvements in event rate collection and cost effective long term storage

► Automated HIPAA audits

► Continuous real time awareness and notification on security threats

► Dramatic reduction in troubleshooting complex IT system issues

► Direct access to forensic team

COMPANY PERSPECTIVE

“We need a scalable log management solution for HIPAA compliance. Plus ability to proactively protect our infrastructure and improve SLA. The ArcSight Log Management solution streamlines our audit and delivers ongoing visibility into security risk. It saves time for our system, application support and forensic teams. We now provide the right log data to the right staff in a cost-effective manner.” —CIO

Page 35: ArcSight for IT Operations (Customer Success Profile)

NSM tool provides system (CPU, memory, etc.) alerts but lacks source context

With ArcSight Log Management

– Helpdesk user launches ArcSight Logger Web interface

– IP, hostname, and/or application search shows all activity in last x minutes

– Dynamic result set and drill down capabilities provide intuitive navigation path to root cause analysis

Page 36: ArcSight for IT Operations (Customer Success Profile)

Turnkey

– Eliminate HW procurement and deployment delays – rapid deployment

Consolidated log repository

– Avoid separate log storage investment

– Reduce direct access to critical infrastructure

– Rapid cross device troubleshooting

Device independent search taxonomy

– Reduced training cost and faster root cause analysis

Analytics portal

– Rapid conversion of searches to alerts – reduce future incidence

– SLA reports and dashboards


Page 37: ArcSight for Forensics Investigations (Customer Success Profile)

Investigative tools (ex: Encase, iLook) take a snapshot of volatile machine activity as evidence

With ArcSight Log Management

– Search by user or host can quickly reveal similar past behavioral trends – reconnaissance activity

– Across years of historical data

Readily accessible audit quality data can provide strong evidentiary trails to support forensics investigations


Page 38: ArcSight for Security Monitoring (Customer Success Profile)

Components (diagram): ArcSight Connectors, ArcSight Logger, Any SIEM (ESM); rolled out in Phase I and Phase II

Proactive Security Awareness

– Reports

– Real time alerts

– Anomaly detection

– Tier 1 notification

– Ad hoc investigations

Advanced Threat Detection

– Multi-event correlation

– Session extrapolation

– User correlation

– Pattern discovery

– Comprehensive case management

Page 39: ArcSight SIEM & Log Management Suite Delivers

Before: Uncontrolled Log Infrastructure; Manual & Expensive Audits; Inefficient IT Operations

With the ArcSight Log Management Suite: Small to Enterprise Scale; Automated & Cost-effective Audits; Proactive Security Monitoring; IT Operations SLA Efficiency

+ Real-Time Protection with ArcSight ESM

Page 40: Automated and Integrated Real Time Operations

Cycle (diagram): DETECT, PRIORITIZE, ISOLATE, DIAGNOSE, REPAIR, CONSOLIDATE

1. Discover, monitor and measure. Events detected, alerts are sent.

2. Topology, events and performance metrics are consolidated across domains into BSM. Events are automatically correlated.

3. Affected Business Services and SLAs are determined.

4. Find root cause and escalate as needed.

5. Diagnose root cause through subject matter expert investigation tools.

6. Repair problem through automated response and close event/incident once resolved.

Page 41: IT Operations & Security: Synergies (HP Confidential)

Diagram labels: REAL TIME SERVICE MODEL (CMDB); APPLICATIONS, BUSINESS SERVICES RISK & COMPLIANCE; IT OPS; SECURITY OPS; SIEM; POLICY; COMPLIANCE; REMEDIATION (BSA); DISCOVERY; THE IT ENVIRONMENT; CIs; RISK & COMPLIANCE OFFICE; Common Context; Alignment

Flows: Changes, Problems, Alerts, Incidents; Vulnerabilities, Threats, Events, Logs; Updates, Rules, Policy Updates, Actions

Shared functions: Event Correlation, Problem Isolation, Analytics

Page 42: Questions?

To learn more, contact ArcSight at: [email protected] or 1-888-415-ARST

ArcSight, Inc. (NASDAQ: ARST), 5 Results Way, Cupertino, CA 95014, USA

Corporate Headquarters: 1 888 415 ARST

EMEA Headquarters: +44 870 351 6510

Asia Pac Headquarters: 852 2166 8302

http://www.arcsight.com/

Page 43: Backup Slides

Page 44: Integrated Platform for Closed Loop Work Flow

Infrastructure: Network, Hosts, VM, OS

Users: Database, Apps, Identity

Physical: Datacenter, Doors, Cameras

Application Transactions: Financial, Retail, Insurance, Telco

Page 45: Security: Vision & Mission (HP Confidential)

Proactively manage application security and vulnerabilities across the applications lifecycle with continuous, real time assessment and remediation of business risk at lower cost.

Columns: Customer needs; Disruptions & Inflections; Beliefs

• Align the security organization’s priorities with the business

• A single control framework to facilitate governance, compliance and security

• Reduce the cost of managing security while maintaining or improving risk and compliance levels

• Reduce the number of tools and vendors required to manage security related practices

• Convergence of governance, risk management and compliance into a single practice

• The scope and breadth of business expectations from the CISO group has increased significantly due to higher complexity

• Managed Security Services market is growing at an increasing rate and provides a viable alternative to in house implementations.

• The most proactive and cost-effective way to manage application security risks and vulnerabilities is as part of quality assurance in pre production

• Once deployed, applications security and compliance needs to be continuously monitored in real time.

• Risk assessment for the enterprise must be aggregated, assessed, prioritized and remediated at the business service level

Improve application security & vulnerability assessment to proactively reduce business risk in real time


Page 46: Analysis Optimization

Raw event (as shown on the slide):

Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside

Device Independent Categorization: One Common Taxonomy

“Plain language” analysis

Universal device content applicability

Avoids content explosion

Page 47: 2. Real Time Alerting

SECURITY MONITORING: Reporting, Real Time Alerting

Page 48: 3. Automation of Analysis Lifecycle

Cycle (diagram): Dashboards, Drill Down Reports, Forensic Searches, Real Time Alerting

Page 49: Personalized, Interactive Dashboards

Browser-based, ready-to-use out of the box

Hyperlink to KB articles, remediation procedures and other internal or external referential documents

Fully customizable

– Role-based views

– Active reports on drill down

– Drag-and-drop monitors

– Comprehensive reporting

– Configurable auto refresh rates

Page 50: Workflow Simulation: Drill Down Reporting

Page 51: Forensic Search

Distributed, device independent search based on time or term

Meta-search filters for retention policies, devices, device groups, and peer Logger appliances

Dynamic time and term based drill down/drill across

Page 52: Real Time Alerting

Based on

– Any expression

– Metadata

• Device

• Device group

• Retention policy

– Taxonomy

Anomalous activity

– Time + term thresholds

Internal system health

Alert destinations: Console, syslog, SMTP, SNMP
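The device-independent categorization of page 46 and the time + term threshold alerting described here, as an added Python example that is not part of the deck or of ArcSight's products: it parses constructed Cisco PIX deny messages (same format as the page 46 sample line) into a common schema using a constructed, illustrative category table (not ArcSight's taxonomy), then raises one alert when a source address crosses a count threshold inside a sliding window, and reports the raw / categorized / correlated counts of the page 22 funnel.

```python
"""Raw Cisco PIX syslog -> device-independent categories -> time + term threshold alerts."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input (not from the deck): line 1 is the slide's own example,
# the rest are made-up lines in the same PIX formats, plus one informational
# message with no taxonomy mapping and one line that is not PIX syslog at all.
RAW_EVENTS = [
    "Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside",
    "Jun 02 2005 12:16:07: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15606 to 204.110.227.16/443 flags SYN ACK on interface outside",
    "Jun 02 2005 12:16:15: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15607 to 204.110.227.16/443 flags RST on interface outside",
    'Jun 02 2005 12:16:20: %PIX-4-106023: Deny tcp src outside:192.0.2.77/4444 dst inside:10.50.0.12/22 by access-group "outside_in"',
    "Jun 02 2005 12:16:31: %PIX-6-302013: Built outbound TCP connection 90021 for outside:204.110.227.16/443 (204.110.227.16/443) to inside:10.50.0.12/15608 (10.50.0.12/15608)",
    "Jun 02 2005 12:19:00: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15610 to 204.110.227.16/443 flags FIN ACK on interface outside",
    "this line is not a PIX message at all",
]

HEADER = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-(?P<msgid>\d{6}): (?P<body>.*)$")

# Body patterns for the two deny message ids this example understands.
BODIES = {
    "106015": re.compile(r"Deny (?P<proto>\w+) \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
                         r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags .+ on interface \w+"),
    "106023": re.compile(r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
                         r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group"),
}

# Constructed common-taxonomy table (illustrative, not ArcSight's real scheme):
# message id -> (device-independent category, outcome, plain-language meaning).
TAXONOMY = {
    "106015": ("/Firewall/Access/Deny", "Failure", "firewall dropped a packet belonging to no open connection"),
    "106023": ("/Firewall/Access/Deny", "Failure", "firewall access list rejected a connection attempt"),
}


def normalize(line):
    """Map one raw PIX line onto the common schema; None when the line is not
    PIX syslog or its message id has no taxonomy entry (not security-relevant here)."""
    head = HEADER.match(line)
    if not head or head["msgid"] not in TAXONOMY:
        return None
    body = BODIES[head["msgid"]].match(head["body"])
    if not body:
        return None
    category, outcome, plain = TAXONOMY[head["msgid"]]
    return {
        "time": datetime.strptime(head["ts"], "%b %d %Y %H:%M:%S"),
        "vendor": "Cisco", "product": "PIX",
        "category": category, "outcome": outcome, "plain": plain,
        "proto": body["proto"].upper(),
        "src": body["src"], "sport": int(body["sport"]),
        "dst": body["dst"], "dport": int(body["dport"]),
    }


def threshold_alerts(events, term="src", count=3, window=timedelta(seconds=60)):
    """Time + term threshold: one alert each time `count` events sharing the same
    value of `term` fall inside a sliding `window` (kept per term value)."""
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        q = recent[ev[term]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:  # expire events older than the window
            q.popleft()
        if len(q) == count:  # exact crossing: alert once, not on every later event
            alerts.append({"term": term, "value": ev[term], "count": count,
                           "first": q[0], "last": ev["time"], "category": ev["category"]})
    return alerts


def funnel(lines):
    """Raw -> categorized -> correlated counts, the page 22 funnel at toy scale."""
    events = [ev for ev in map(normalize, lines) if ev is not None]
    alerts = threshold_alerts(events)
    return {"raw": len(lines), "categorized": len(events), "alerts": len(alerts)}, events, alerts


if __name__ == "__main__":
    counts, events, alerts = funnel(RAW_EVENTS)
    for ev in events:
        print(f'{ev["time"]:%H:%M:%S} {ev["category"]} {ev["src"]} -> {ev["dst"]}:{ev["dport"]}  {ev["plain"]}')
    for a in alerts:
        print(f'ALERT {a["value"]}: {a["count"]} x {a["category"]} from {a["first"]:%H:%M:%S} to {a["last"]:%H:%M:%S}')
    print(counts)
```

The fourth deny from the same source at 12:19:00 falls outside the 60-second window, so it is categorized but does not re-fire the alert.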

Page 53: ArcSight Log Management for Compliance, Security & IT Operations

Log Management Needs (Compliance, Security, IT Operations):

Universal Event Collection

Scalable Architecture

Automated Analysis Lifecycle

High Performance Collection

Page 54: ArcSight Log Management for Compliance, Security & IT Operations

Log Management Needs (Compliance, Security, IT Operations):

Transaction Assurance

Minimal Footprint at Remote Sites

Audit & Litigation Quality Data

Storage Flexibility

Page 55: Continue the conversation with your peers at the HP Software Community hp.com/go/swcommunity