ArcSight Enterprise Security Management (ESM) consolidates and normalizes data from disparate devices across your enterprise network, provides tools for advanced analysis and investigation, and offers options for automatic and workflow-managed remediation. ESM gives you a holistic view of the security status of all relevant IT systems, and integrates security into your existing management processes and workflows.
ESM Enables Situational Awareness
Like the security system at a major art museum, your network security operation must flawlessly protect objects of vital importance to your organization. At the art museum, security operations teams monitor, analyze, and investigate a continuous feed of data, including surveillance video, card reader logs, and tightly calibrated climate controls. One of the surveillance cameras detects a man testing a locked door. A card reader registers a log-in from a janitor who only works one day a week. The humidity control in the priceless painting collection wavered by a fraction of a percent. Are these isolated events, or part of a coordinated break-in attempt?
Being able to correlate data from many different collection points and add logic, such as checking whether it’s the janitor’s day to work, or whether the man checking the locked door has done it before to this or other doors in the building, is vital to knowing when and how to act.
ArcSight ESM collects, normalizes, aggregates, and filters millions of events from thousands of assets across your network into a manageable stream that is prioritized according to risk, exposed vulnerabilities, and the criticality of the assets involved. These prioritized events can then be correlated, investigated, analyzed, and remediated using ESM tools, giving you situational awareness and real-time incident response.
Correlation—Many interesting activities are represented by more than one event. Correlation is a process that discovers the relationships between events, infers the significance of those relationships, prioritizes them, then provides a framework for taking actions.
Monitoring—Once events have been processed and correlated to pinpoint the most critical or potentially dangerous of them, ESM provides a variety of flexible monitoring tools that enable you to investigate and remediate potential threats before they can damage your network.
Workflow—The workflow framework provides a customizable structure of escalation levels to ensure that events of interest are escalated to the right people in the right timeframe. This enables members of your team to do immediate investigations, make informed decisions, and take appropriate and timely action.
Analysis—When events occur that require investigation, ESM provides an array of investigative tools that enable members of your team to drill down into an event to discover its details and connections, and to perform functions such as NSlookup, Ping, PortInfo, Traceroute, WebSearch, and Whois.
Reporting—Briefing others on the status of your network security is vital to all who have a stake in the health of your network, including IT and security managers, executive management, and regulatory auditors. ESM’s reporting and trending tools can be used to create versatile, multi-element reports that focus on narrow topics or report general system status, either manually or automatically on a regular schedule.
ArcSight offers on-demand, ready-made security solutions for ESM that you can implement as-is, or you can build your own solutions customized for your environment using ESM’s advanced correlation tools.
ESM Anatomy
ESM consists of several separately installable components that work together to process event data from your network. These components connect to your network via sensors that report to ArcSight SmartConnectors. SmartConnectors translate a multitude of device output into a normalized schema that becomes the starting point for correlation.
The graphic below illustrates ESM’s basic components and additional ArcSight products that manage event flow, facilitate event analysis, and provide centralized network management and incident response. These components are described in the following pages.
Figure - Individual SmartConnectors and/or a Connector Appliance gather and process event data from network devices and pass it to the Manager. The Manager processes and stores event data in the Database. Users monitor events and run reports with ArcSight Web, and develop resources, perform advanced investigation and system administration using the ESM Console. A comprehensive series of optional products provide forensic-quality log management, network management and instant remediation, regulatory compliance, and advanced event analysis.
SmartConnectors
SmartConnectors, hosted individually or as part of ArcSight Connector Appliance, are the interface to the objects on your network that generate correlation-relevant data. After collecting event data from network nodes, they normalize the data in two ways: normalizing values (such as severity, priority, and time zone) into a common format, and normalizing the data structure into a common schema. SmartConnectors can then filter and aggregate events to reduce the volume of events sent to the Manager, which increases ESM’s efficiency and accuracy, and reduces event processing time.
SmartConnectors also support commands that alter the source and/or execute commands on the local host, such as instructing a scanner to run a scan. SmartConnectors also add information to the data they gather, such as resolving IP addresses and/or host names so that the Manager does not have to perform the lookup.
SmartConnectors perform the following functions:
Collect all the data you need from a source device, so you do not have to go back to the device during an investigation or audit.
Save network bandwidth and storage space by filtering out data you know will not be needed for analysis.
Parse individual events and normalize them into a common schema (format) for use by ESM.
Aggregate events to reduce the quantity of events sent to the Manager.
Categorize events using a common, human-readable format. This saves you from having to be an expert in reading the output from a myriad of devices from multiple vendors, and makes it easier to use those event categories to build filters, rules, reports, and data monitors.
Pass events to the Manager after they have been processed.
Depending on the network node, some SmartConnectors can also issue commands to the device. These actions can be executed manually or through automated actions from rules and some data monitors.
ArcSight releases new and updated SmartConnectors regularly.
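As an added illustration of the collect, normalize, filter, and aggregate pipeline described above (example code written for this page, not ArcSight’s own connector code or event schema): two constructed log formats, a firewall line and an IDS alert, are parsed into one assumed common schema with UTC timestamps and a shared 0-10 severity scale, permitted firewall traffic is dropped under an assumed filter policy, and identical events are aggregated with a count before being passed on.

```python
import re
from datetime import datetime, timezone
# Constructed sample lines in two vendor formats (not real ArcSight or vendor output).
RAW_EVENTS = [
    "fw01 2024-05-01T09:00:00-0500 deny src=10.1.1.5 dst=10.2.2.9 dport=22 sev=3",
    "fw01 2024-05-01T09:00:01-0500 deny src=10.1.1.5 dst=10.2.2.9 dport=22 sev=3",
    "fw01 2024-05-01T09:00:02-0500 allow src=10.1.1.7 dst=10.2.2.9 dport=443 sev=1",
    "ids02 05/01/2024 14:00:03 UTC [HIGH] SSH brute force 10.1.1.5 -> 10.2.2.9:22",
]
# Assumed mappings from each vendor's severity labels onto one common 0-10 scale.
FW_SEVERITY = {1: 2, 2: 4, 3: 6, 4: 8, 5: 10}
IDS_SEVERITY = {"LOW": 3, "MEDIUM": 5, "HIGH": 8, "CRITICAL": 10}
FW_RE = re.compile(r"^(?P<dev>\S+) (?P<ts>\S+) (?P<act>allow|deny) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) sev=(?P<sev>\d)$")
IDS_RE = re.compile(r"^(?P<dev>\S+) (?P<ts>\S+ \S+) UTC \[(?P<sev>\w+)\] (?P<name>.+?) "
                    r"(?P<src>\S+) -> (?P<dst>[^:]+):(?P<dport>\d+)$")

def normalize(line):
    """Parse one raw line into the common schema: UTC time, common severity, category."""
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z").astimezone(timezone.utc)
        return {"device": m["dev"], "time": ts.isoformat(), "name": "firewall " + m["act"],
                "category": "/Firewall/" + m["act"].capitalize(), "src": m["src"],
                "dst": m["dst"], "dport": int(m["dport"]), "severity": FW_SEVERITY[int(m["sev"])]}
    m = IDS_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
        return {"device": m["dev"], "time": ts.isoformat(), "name": m["name"],
                "category": "/IDS/Alert", "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "severity": IDS_SEVERITY[m["sev"].upper()]}
    return None  # unknown format: left unparsed rather than guessed at

def keep(event):
    """Assumed filter policy: permitted firewall traffic is not needed for analysis."""
    return event["category"] != "/Firewall/Allow"

def process(lines):
    """Normalize, filter, then aggregate identical events so fewer are sent onward."""
    groups = {}  # insertion-ordered; the key identifies events that can be merged
    for line in lines:
        ev = normalize(line)
        if ev is None or not keep(ev):
            continue
        key = (ev["device"], ev["name"], ev["src"], ev["dst"], ev["dport"])
        if key in groups:
            groups[key]["count"] += 1
        else:
            groups[key] = dict(ev, count=1)
    return list(groups.values())
```

Running `process(RAW_EVENTS)` yields two events instead of four: the two identical firewall denies merged with a count of 2, and the IDS alert, both carrying the same field names and a comparable severity.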
Connector Appliance
ArcSight Connector Appliance is a hardware solution that hosts the ArcSight SmartConnectors you need in a single device with a web-based user interface for centralized management.
The Connector Appliance offers unified control of SmartConnectors on the Connector Appliance itself, remote Connector Appliances, and software-based SmartConnectors installed on remote hosts.
The Connector Appliance:
Supports bulk operations across all SmartConnectors and is ideal in ArcSight deployments with a large number of SmartConnectors
Provides a SmartConnector management facility in Logger-only environments
Provides a single interface through which to configure, monitor, tune, and update SmartConnectors
The Connector Appliance does not affect working SmartConnectors unless it is used to change their configuration.
Connector Appliance is an ideal solution when connectors target multiple heterogeneous destinations (for example, when ArcSight Logger is deployed along with ESM), in a Logger-only environment, or when a large number of SmartConnectors are involved, such as in an MSSP deployment.
Supported Data Sources
ESM collects output from data sources on network nodes, such as intrusion detection and prevention systems, vulnerability assessment tools, firewalls, anti-virus and anti-spam tools, encryption tools, application audit logs, and physical security logs.
The graphic below shows the types of data sources that ESM supports.
Figure - Common network security data sources and ways you can analyze their output in ESM.
ArcSight Interactive Discovery
ArcSight Interactive Discovery (AID) is a plug-and-play software application that augments Pattern Discovery, dashboards, reports, and analytical graphics. AID provides enhanced historical data analysis and reporting capabilities using a comprehensive selection of pre-built interactive statistical graphics.
You can use AID to:
Quickly gain visibility into your complex security data
Explore and drill down into security data with precision control and flexibility
Accelerate discovery of hard-to-find events that may be dangerous
Present the state of security in compelling visual summaries
Build a persuasive, non-technical call to action
Prove IT Security value and help justify budgets
Figure - Using Interactive Discovery’s visual selection tools, you can easily find and investigate potential attacks. This example shows an attacker with failed connections to many targets, which could indicate a port scan or worm.
AID enables you to analyze your network security activity using graphical summaries of event data. During daily analysis of the past day’s data, you may find new things that were missed by automated analysis alone. You can use this data to build new rules that improve your overall enterprise security management process.