ArcSight ESM: Delivering Comprehensive Business Protection

Your business faces a range of threats, from external attacks and malicious insiders to compliance breaches. Get one solution that helps guard against them all.
In just a few years, the nature of security and compliance management has changed in three fundamental ways. First, enterprises and government agencies must contend with infrastructures that have grown increasingly dynamic and complex. Security isn't just about firewalls anymore. It's an array of hundreds of event sources: IPS, IDS, application-level firewalls, encryption, identity management and more. It's now a matter of millions of events each day that must be monitored, logged, analyzed and correlated.

Highlights. ArcSight ESM offers:
- Monitoring of all event sources, including all security devices, custom applications and physical security monitors.
- Comprehensive protection against risks, whether from external attacks, insider threats or compliance breaches.
- A single source for convenient, effective and intuitive reporting to all stakeholders.
Second, the risks have broadened. Stopping the latest worm is only part of the picture. Insider threats, physical security, compliance audits and fraud are all now essential considerations. Third, the set of stakeholders in an organization's security has grown along with its strategic importance to the company. Today it's no longer just about the security administrator. The board room, legal counsel, operations, the CIO and CSO and business line management all have a stake, and a critical role to play.

To meet this broader need for business risk management, organizations need a solution that transcends traditional IT security boundaries and delivers protection against business risk in all its forms. They need a solution that can manage the vast amount of data being generated and turn it into actionable information. ArcSight ESM is that solution.
Robust Capabilities for Reducing Business Risk

ArcSight ESM helps protect your business against the range of threats it faces today, helping ensure compliance and combat security threats, fraud, physical breaches, malicious insiders and more. ArcSight ESM collects and intelligently parses data from the vast array of event sources and delivers a single view into that information that can be used by corporate stakeholders across your organization.

ArcSight ESM offers the robust, complete capabilities required to address business risk in all its forms:
- Comprehensive data collection and intelligent storage
- Powerful correlation and analysis for identifying real threats
- Streamlined investigation, interactive analysis and response
- Real-time monitoring, historical, trend and ad-hoc reporting
- Scalable, flexible and extensible platform

Comprehensive Data Collection and Intelligent Storage

ArcSight ESM offers advanced collection capabilities and broad event source support: out-of-the-box integration with hundreds of different products from a multitude of vendors in more than thirty different solution categories. In addition, ArcSight ESM enables organizations to integrate custom or unique data sources, including home-grown applications and physical security systems.
By using the Common Event Format (CEF) standard, ArcSight ESM enables easy integration with a range of applications as well as the growing number of commercial systems that support it. The CEF standard gives ArcSight ESM customers a seamless way to harness an array of third-party application development and product capabilities, including wireless security, network-layer encryption, network behavior analysis and many more. ArcSight ESM's ability to collect, normalize and categorize 100 percent of event data ensures that rich information is securely and efficiently captured and made available for real-time and historical analysis.
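The CEF layout that the paragraph above relies on is concrete enough to show in code. The following is an added example, not ArcSight's code or part of the original datasheet: a small parser and encoder for CEF lines that applies the format's documented escaping rules (header fields escape the pipe and the backslash; extension values escape the equals sign, the backslash and line breaks) and normalizes the severity field, which CEF allows either as an integer 0 to 10 or as the keywords Low, Medium, High and Very-High. The sample lines, vendor and product names are constructed for illustration; the second sample carries a syslog prefix and escaped characters to exercise the edge cases a home-grown producer tends to get wrong.

```python
"""Added example: parse and emit ArcSight Common Event Format (CEF) records.
One record: CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension
Header fields escape '|' and '\\' with a backslash; extension values (space-separated key=value pairs)
escape '=', '\\' and line breaks ('\\n', '\\r')."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")  # a key follows start-of-extension or a space
_ESCAPES = {"=": "=", "\\": "\\", "|": "|", "n": "\n", "r": "\r"}

@dataclass
class CefEvent:
    version: str
    device_vendor: str
    device_product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: Dict[str, str] = field(default_factory=dict)

    def severity_score(self) -> int:
        """Normalize severity to 0..10: CEF permits either an integer or a keyword."""
        s = self.severity.strip().lower()
        if s.isdigit():
            return min(int(s), 10)
        words = {"low": 2, "medium": 5, "high": 8, "very-high": 10}
        if s not in words:
            raise ValueError(f"unknown CEF severity {self.severity!r}")
        return words[s]

def _split_header(body: str) -> Tuple[List[str], str]:
    """Split the text after 'CEF:' into seven unescaped header fields plus the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1])  # escaped pipe or backslash inside a header field
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
            if len(fields) == 7:
                return fields, body[i + 1:]
        else:
            cur.append(c)
        i += 1
    if len(fields) == 6:  # severity was the last field and no extension followed
        return fields + ["".join(cur)], ""
    raise ValueError("CEF header needs seven pipe-delimited fields")

def _parse_extension(ext: str) -> Dict[str, str]:
    """A value runs from its '=' to the next unescaped 'key=' token; unescape when storing."""
    ext, out = ext.strip(), {}
    keys = list(_KEY.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].rstrip()
        out[m.group(1)] = re.sub(r"\\(.)", lambda x: _ESCAPES.get(x.group(1), x.group(0)), raw)
    return out

def parse_cef(line: str) -> CefEvent:
    """Parse one CEF line; anything before 'CEF:' (such as a syslog prefix) is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    header, ext = _split_header(line[start + 4:])
    return CefEvent(*header, extension=_parse_extension(ext))

def format_cef(ev: CefEvent) -> str:
    """Encode an event as CEF, e.g. from a home-grown application that should feed the SIEM."""
    esc_h = lambda s: s.replace("\\", "\\\\").replace("|", "\\|")
    esc_v = lambda s: (s.replace("\\", "\\\\").replace("=", "\\=")
                       .replace("\r", "\\r").replace("\n", "\\n"))
    header = "|".join(esc_h(getattr(ev, f)) for f in HEADER_FIELDS)
    ext = " ".join(f"{k}={esc_v(v)}" for k, v in ev.extension.items())
    return f"CEF:{header}|{ext}"

# Constructed sample input (hypothetical vendor/product names), following the format's published layout.
SAMPLE_LINES = [
    "CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232",
    "Sep 19 08:26:10 fw01 CEF:0|Example\\|Corp|Portal|2.1|AUTH-FAIL|Login failed|High|"
    "suser=alice src=192.0.2.7 msg=bad password for user\\=alice cs1Label=Reason cs1=too many attempts",
]

def parse_all(lines: List[str]) -> List[CefEvent]:
    return [parse_cef(line) for line in lines]

if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LINES):
        print(ev.device_vendor, ev.name, ev.severity_score(), ev.extension)
```

Parsing and encoding are kept symmetric so a well-formed line round-trips unchanged; that is the check to run against any custom connector before trusting its output, because an unescaped `=` or `|` in a value silently shifts every field after it.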
To identify long-term trends, investigate attack patterns and manage the increasing pressures created by legal and regulatory requirements, today's companies must capture and store dramatically expanding volumes of security information. To address this demand cost-effectively and intelligently, ArcSight ESM offers compression and archiving capabilities that combine the inherent reliability and performance of enterprise databases with archiving and retrieval management.

Powerful Correlation and Analysis for Identifying Real Threats

ArcSight ESM provides the correlation infrastructure to establish the meaning of any given event by placing it in the context of who, what, where, when and why the event occurred, and its impact on business risk. ArcSight ESM correlation delivers accurate, automated prioritization of security risks and compliance violations in a business-relevant context. The correlation engine processes millions of log entries down to a few dozen critical events that require review by the security administrator.
ArcSight ESM's correlation capabilities include:
- Real-time identity and role correlation. Enables fast association of observable events with a specific individual and their business role and organizational membership.
- Real-time dynamic network correlation. Enables intelligent association of logical assets with dynamically assigned IP addresses over time, so an event is attributed to the host that actually held the address when it occurred.
- Real-time location correlation. Enables the association of IP address-based events with events from the enterprise's physical infrastructure, for example a badge reader, the physical authentication system or other devices such as video analytics or environmental sensors.
- Multi-stage attack correlation. Combines and correlates values from multiple events, for example from an IDS and a firewall, to uncover successful attacks that might otherwise go undetected.
- Contextual correlation. Draws on the enterprise's asset model to show which parts of the organization are affected by an incident, along with the contextual background of the target system.
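To make the multi-stage, dynamic network and contextual correlation described above concrete, here is an added example; it is not ArcSight's code or rule content, but a small rule of the same shape written for this page. An IDS alert alone is only an attempt. An alert followed within a window by a firewall accept for the same flow, and then a new outbound connection from the target back to the attacker, is treated as a probable successful compromise. The victim address is resolved against a lease table as of the alert's timestamp (dynamic network correlation), and the resulting incident is prioritized from the asset model (contextual correlation). The lease table, asset model, event records and 300-second window are all constructed for illustration.

```python
"""Added example: a toy multi-stage correlation rule over normalized IDS and firewall events.

Stage 1  IDS reports an exploit attempt attacker -> victim:port   (by itself: just an attempt)
Stage 2  firewall ACCEPTs the same flow within the window          (the exploit reached the host)
Stage 3  firewall ACCEPTs a new connection victim -> attacker      (callback: probable compromise)
A firewall DROP of the flow clears the state: blocked at the perimeter, nothing to investigate.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WINDOW = 300  # seconds allowed between stages; constructed tuning value

# Constructed asset model: hostname -> (business unit, criticality 1..5)
ASSETS = {"db-prod-01": ("finance", 5), "kiosk-lobby": ("facilities", 1)}
# Constructed DHCP/VPN lease history: (ip, hostname, start, end). Note the address re-use over time.
LEASES = [("10.0.5.20", "kiosk-lobby", 0, 1000), ("10.0.5.20", "db-prod-01", 1000, 9999)]

def asset_for(ip: str, ts: int) -> Optional[str]:
    """Dynamic network correlation: which host held this address at time ts?"""
    for lease_ip, host, start, end in LEASES:
        if lease_ip == ip and start <= ts < end:
            return host
    return None

@dataclass
class Incident:
    ts: int
    attacker: str
    victim_ip: str
    victim_host: Optional[str]
    business_unit: str
    priority: int          # IDS severity (0..10) x asset criticality (1..5)
    evidence: List[str]    # the events that fired the rule, for the analyst's drill-down

def _incident(flow: dict, callback: dict) -> Incident:
    alert = flow["alert"]
    host = asset_for(alert["dst"], alert["ts"])
    unit, crit = ASSETS.get(host, ("unknown", 3))   # unmodelled asset: assume medium criticality
    return Incident(
        ts=callback["ts"], attacker=alert["src"], victim_ip=alert["dst"], victim_host=host,
        business_unit=unit, priority=alert["severity"] * crit,
        evidence=[f"{alert['ts']} ids {alert['sig']} -> :{alert['dport']}",
                  f"{flow['reached']['ts']} fw accept inbound :{alert['dport']}",
                  f"{callback['ts']} fw accept outbound :{callback['dport']}"])

def correlate(events: List[dict]) -> List[Incident]:
    """Run the three-stage rule. Events are dicts with ts, source ('ids'|'fw'), src, dst, dport
    and either sig+severity (IDS) or action ('accept'|'drop') (firewall)."""
    state: Dict[Tuple[str, str], dict] = {}   # (attacker, victim) -> partial match
    incidents: List[Incident] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["dst"])
        if ev["source"] == "ids":
            state[key] = {"alert": ev}                      # stage 1
            continue
        if ev["source"] != "fw":
            continue
        fwd = state.get(key)
        if fwd and ev["dport"] == fwd["alert"]["dport"] and ev["ts"] - fwd["alert"]["ts"] <= WINDOW:
            if ev["action"] == "accept":
                fwd["reached"] = ev                         # stage 2
            else:
                del state[key]                              # dropped: the attempt never arrived
            continue
        rev = state.get((ev["dst"], ev["src"]))             # victim -> attacker direction
        if (rev and "reached" in rev and ev["action"] == "accept"
                and ev["ts"] - rev["reached"]["ts"] <= WINDOW):
            incidents.append(_incident(rev, ev))            # stage 3
            del state[(ev["dst"], ev["src"])]
    return incidents

# Constructed sample feed: the same attacker hits the same address twice, plus unrelated noise.
EVENTS = [
    {"ts": 100, "source": "ids", "src": "198.51.100.9", "dst": "10.0.5.20", "dport": 445,
     "sig": "SMB exploit attempt", "severity": 8},
    {"ts": 101, "source": "fw", "src": "198.51.100.9", "dst": "10.0.5.20", "dport": 445, "action": "drop"},
    {"ts": 2000, "source": "ids", "src": "198.51.100.9", "dst": "10.0.5.20", "dport": 445,
     "sig": "SMB exploit attempt", "severity": 8},
    {"ts": 2001, "source": "fw", "src": "198.51.100.9", "dst": "10.0.5.20", "dport": 445, "action": "accept"},
    {"ts": 2010, "source": "fw", "src": "10.0.7.3", "dst": "203.0.113.5", "dport": 443, "action": "accept"},
    {"ts": 2020, "source": "ids", "src": "203.0.113.77", "dst": "10.0.7.3", "dport": 80,
     "sig": "SQL injection probe", "severity": 5},
    {"ts": 2040, "source": "fw", "src": "10.0.5.20", "dst": "198.51.100.9", "dport": 4444, "action": "accept"},
]

if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(f"priority={inc.priority} {inc.business_unit}/{inc.victim_host} ({inc.victim_ip}) "
              f"compromised by {inc.attacker}:", *inc.evidence, sep="\n  ")
```

Seven events reduce to one incident. The first attack against 10.0.5.20 is dropped at the firewall and is discarded; the second, against the same address, is resolved to the production database server that held the lease at the time and is scored accordingly, which is the distinction a static IP-to-asset mapping would have missed.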

Streamlined Investigation, Interactive Analysis and Response

When seconds mean the difference between a thwarted attack and a long recovery from a successful one, obtaining relevant data, and being able to respond instantly and effectively, is essential. With a single mouse click, ArcSight ESM offers rich investigative context and event drill-down from the event console. These features give analysts the relevant information and enable immediate, policy-based responses to breaches, such as disabling the node's switch port, filtering the node's traffic, moving the node to a virtual quarantine network and disabling user accounts. ArcSight ESM offers seamless collaboration through an integrated knowledge base, native case management with a complete audit trail and the ability to launch investigation tools directly from the case. Roll-up and per-user case resolution metrics allow organizations to demonstrate their processes for compliance and analyze operational effectiveness. Third-party trouble-ticketing systems such as BMC Remedy integrate easily with ArcSight ESM. In addition to the extensive case management support, real-time, risk-relevant notification levels ensure that the most critical threats are addressed immediately.

Real-time Monitoring for Situational Awareness; Historical, Trend and Ad-hoc Reporting

ArcSight ESM allows organizations to maintain continuous situational awareness. It offers a range of features that ensure fast, convenient and intuitive access to information, including simultaneous real-time and historical views via consoles and web-based interfaces. Customizable, graphically rich dashboards ensure that business and technical views are tailored to deliver insights to the appropriate individuals in the organization. These views distill large amounts of data down to relevant, role-based information.

Additionally, a real-time threat radar provides a single view of a company's security status based on validated attacks and business risk, while geographic and network map views allow users to maintain awareness of their areas of organizational responsibility. The self-monitoring and self-tuning capabilities of ArcSight ESM help ensure optimized performance, continuous reliability and simplified management.

ArcSight ESM delivers ad-hoc as well as scheduled technical, operational and trend reports that communicate security status and satisfy regulatory reporting requirements. ArcSight ESM reporting melds correlated information into comprehensive views that enable stakeholders to identify areas of risk, communicate the value and effectiveness of security operations and answer key business questions. The reporting features make creating business-level reports easy through both standard and customizable templates for compliance status, business risk and user profiling. Trend reporting enables tracking of events and their impact over time. Through correlation technology, trend reporting can also be used to simulate "what if" scenarios showing the impact that policy changes may have on the company. ArcSight ESM reports provide multiple focal levels to address enterprise reporting needs.

Scalable, Flexible and Extensible Platform

ArcSight ESM is proven to scale to some of the world's largest networks. Built on a flexible, extensible platform, it allows content to be ported from one implementation to another, within and across organizations. In addition, ArcSight solutions include a variety of pre-packaged capabilities such as network monitoring, intrusion monitoring, configuration monitoring, and administration and workflow monitoring. Optional Solution Packages address top-of-mind issues and initiatives such as insider threat, SOX, PCI, HIPAA, GLBA and IT governance. Independent solution vendors, systems integrators and customers have built a variety of applications that can be deployed on top of ESM to address a wide range of business issues, including fraud detection, social engineering exploit detection, process control network monitoring and business risk monitoring.

Extended Capabilities and Functionality

ArcSight ESM can be extended to provide advanced analytics, threat response management and low-cost, long-term storage. These capabilities include:
- Pattern Discovery. Discovers patterns in historical event data and automates the creation of rules to detect them. Pattern discovery helps extract important trends from seemingly innocuous or unrelated events, such as zero-day worms, low-and-slow brute force attacks, unauthorized user access to controlled servers, social engineering exploits and business fraud.
- Interactive Discovery. Provides data visualization tools to uncover hidden security and compliance violations. Visual charts, including parabox, time-slice, histogram and scatter plot, as well as rich visual reports, deliver persuasive interactive reports to a broad range of technical and non-technical users.
- Threat Response. Pinpoints the location of a compromise on your network and responds immediately with specific, policy-based actions within a self-documenting, auditable framework.
- Log Management. Cost-effectively stores, retains and searches data for the years required by compliance mandates. Logs can also be kept for ad-hoc and future use, in addition to the real-time monitoring of events that handles security, compliance and business violations and risk as they occur.