
ETRM - The ArcSight

Enterprise Threat & Risk Management Platform

Sandra Hilt
Senior Regional Sales Manager, Channel CEE
March 2011

2010 ArcSight, Inc. All rights reserved.


ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.
www.arcsight.com 2010 ArcSight Confidential 1
Introducing ArcSight

Company Background
Founded May 2000
2000+ customers
550+ employees, offices worldwide
Acquired by HP in Oct 2010
Revenue in FY 2009: 136 Mio USD
Revenue in FY 2010: 181 Mio USD

Analyst Recognition
#1 in Market Share (last three reports)
#1 In-use for both SIEM and Log Management
SIEM Leaders Quadrant - SIX years running

Industry Recognition

ArcSight Understands Security

Gartner MQ Leader
IDC Market Share Leader



SIEM vs. ETRM

SIEM 1.0 Protect the Perimeter

Are the firewalls working?

Are the IPS devices working?

Which machines do I quarantine and repair?



SIEM 2.0 Protect the Network

Are the patches installed?

Are the AV definitions updated?

Which machines do I wipe and rebuild?



Business has Changed Dramatically

Business is Now Digital & Interconnected

Commerce is Digital Processes are Digital

Assets are Digital Communications are Digital

Digital & Interconnected = More Business Risk

Modern Breaches Share a Pattern

Acquire target, sneak in, hop around (perimeter doesn't help)

Get privileged access to critical assets (impact takes time)

Conduct the crime for an extended time (early detection matters)

You Can't Fight What You Can't See

[Figure: binary-code background with the following blind spots labelled]
Unknown Networked Systems
Zero-day Threats
Critical Data Stores
Privileged Users
Network Connections
Fraud Techniques
Application Risk

Organizations Have More Risks

Data Breaches are Increasing

How do breaches occur?
62% were attributed to a significant error
59% resulted from hacking and intrusions
31% incorporated malicious code
22% exploited a vulnerability
15% were due to physical threats

Who is behind data breaches?
73% resulted from external sources
18% were caused by insiders
39% implicated business partners
30% involved multiple partners

Source: Verizon Business



Organizations Face Greater Threats

Regulations are Increasing



All Organizations Are Under Attack

Is Your Security Staff Increasing?



What's Changing

More Outsourcing
More Contractors
More Trusted Outsiders



Impacts

Where is the Perimeter?



ETRM: Protecting the Business

The Business

Network

Perimeter



The Enterprise Risk Challenge:
No Centralized Point of Command & Control

Data sources:
Applications
Firewalls/VPN
Intrusion Detection
Vulnerability Assessment
Anti-Virus
Network Equipment
Server and Desktop OS
Databases
Mainframes
Sign-On Systems
Identity Management
Directory Services
User Attributes
Physical Infrastructure
Business Processes

100s of Millions Events Per Day

Multiple Vendor-Specific Consoles

Exposure to Sophisticated Threats
Inability to Monitor Compliance
Risk to Business Continuity



ArcSight: Centralized Threat and Risk Management

The same data sources as on the previous slide feed a single platform:

Collect
Analyze & Alert
Report & Archive
Respond

Address Security Threats
Monitor Compliance Controls
Ensure Business Continuity
ArcSight Is the Only Solution

ArcSight ETRM Platform

A comprehensive platform for monitoring modern threats and risks

Capture any data from any system
Manage and store every event
Analyze events in real time
Identify unusual behavior
Respond quickly to prevent loss

Data Capture

Connectors
Any structured or unstructured log data
Collect native log formats from 275+ products
FlexConnector Wizards to collect custom log sources
Categorization (CEF) for future proofing and intuitive analysis
Send to centralized engines via secure, reliable delivery

Available as:

Rackable Appliances, Branch Office/Store Appliance, Installable Software

Benefit: Insulates device choices from analysis



Key Strength: Normalization

OS/390: Failed Login Event
UNIX: Failed Login Event
Oracle: Failed Login Event
Windows: Failed Login Event
Badge Reader: Entry Denied



Key Strength: Categorization

Common model for describing any event across devices and device types
Understand the real importance of events from different devices
Enable plain language and device independent analysis
Leverage device independent content

Without Categorization With Categorization

Benefit: Future-proof your analysis and monitoring



Structured vs. Unstructured Data

Jun 17 2009 9:29:03: %ASA-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside

versus

Time (Event Time)  Name  Device Vendor  Device Product  Category Behavior  Category DeviceGroup  Category Outcome  Category Significance
6/17/2009 9:29     Deny  CISCO          ASA             /Access            /Firewall             /Failure          /Informational/Warning
6/17/2009 9:30     Deny  NetScreen      Firewall/VPN    /Access/Start      /Firewall             /Failure          /Informational/Warning
6/17/2009 9:31     Deny  CISCO          ASA             /Access            /Firewall             /Failure          /Informational/Warning
6/17/2009 9:32     Deny  NetScreen      Firewall/VPN    /Access/Start      /Firewall             /Failure          /Informational/Warning

Unstructured:
Raw original event
Audit Quality Data
Gurus understand it

Structured:
Plain language
Device independent format
SQL-compatible
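Added example (not part of the deck or of any ArcSight product): a small normalizer that turns the raw Cisco ASA line above into the device-independent category fields of the structured table, and does the same for a constructed sshd "Failed password" line standing in for the UNIX failed-login event of the normalization slide. The parsers, the sshd category values and the host/user names are assumptions made for this example.

```python
import re

# Raw Cisco ASA line as it appears on the slide; the sshd line is a constructed sample
# standing in for the "UNIX Failed Login Event" of the normalization slide.
ASA_LINE = ("Jun 17 2009 9:29:03: %ASA-6-106015: Deny TCP (no connection) from "
            "10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside")
SSHD_LINE = ("Jun 17 2009 9:29:05 host1 sshd[4211]: Failed password for admin "
             "from 10.50.215.102 port 51022 ssh2")

# Device-specific parsers (hypothetical, written for this example)
ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d+): (?P<action>\w+) (?P<proto>\w+) .*?from "
                    r"(?P<src>[\d.]+)/(?P<spt>\d+) to (?P<dst>[\d.]+)/(?P<dpt>\d+)")
SSHD_RE = re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) "
                     r"from (?P<src>[\d.]+) port (?P<spt>\d+)")


def normalize(line):
    """Map a raw event to device-independent category fields; None if no parser matches."""
    m = ASA_RE.search(line)
    if m:
        return {"name": m["action"], "deviceVendor": "CISCO", "deviceProduct": "ASA",
                "categoryBehavior": "/Access", "categoryDeviceGroup": "/Firewall",
                "categoryOutcome": "/Failure" if m["action"] == "Deny" else "/Success",
                "categorySignificance": "/Informational/Warning",
                "src": m["src"], "spt": int(m["spt"]), "dst": m["dst"], "dpt": int(m["dpt"])}
    m = SSHD_RE.search(line)
    if m:
        # Category values for the sshd case are assumed, chosen to parallel the ASA row above
        return {"name": "Failed password", "deviceVendor": "Unix", "deviceProduct": "sshd",
                "categoryBehavior": "/Authentication/Verify",
                "categoryDeviceGroup": "/Operating System",
                "categoryOutcome": "/Failure", "categorySignificance": "/Informational/Warning",
                "src": m["src"], "spt": int(m["spt"]), "duser": m["user"]}
    return None


def failures_by_source(lines):
    """Count /Failure outcomes per source address across devices using only category fields,
    which is what device-independent content can do once events are normalized."""
    counts = {}
    for line in lines:
        ev = normalize(line)
        if ev and ev["categoryOutcome"] == "/Failure":
            counts[ev["src"]] = counts.get(ev["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in (ASA_LINE, SSHD_LINE):
        print(normalize(line))
    print(failures_by_source([ASA_LINE, SSHD_LINE, "unparsed noise line"]))
```

The firewall deny and the failed SSH login come from different products and different raw formats, yet the counting logic never inspects the raw text, only the normalized category fields.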

Log Management: Logger 5

Structured data: Connectors for 275+ Products plus custom apps


Unstructured data: Raw Syslog or File Based logs
Audit-quality collection (secure, reliable, bandwidth controls)
Categorization (CEF) for future proofing and intuitive analysis
Efficient, self-managed archiving of terabytes of log data
Fast searches on raw or normalized format
Pre-built reporting for security or compliance needs
Distributed queries across multiple appliances
Automated enforcement of multiple retention policies

Rackable Appliances, Branch Office/Store Appliance, Installable Software

Benefit: Insulates device choices from analysis

Event Correlation

ArcSight Express / ESM

Real-time, in-memory analysis of business events
Activity profiling to create baselines for context
Flexible visualization for role-based presentation
Advanced correlation: millions of events reduced to the important incidents

Available as:

Data Center Rackable Appliance, Installable Software

Benefit: Focus resources only on important issues

Correlation

Intelligent Correlation For Real-Time Monitoring of Unusual Behavior

In Memory Correlation: 100+ Real-Time Correlation Rules, Real-Time Monitoring
Statistical Correlation: Find Baselines and Report Deviations from Normal Behavior
Historical Correlation: Correlation of Past Events, Scheduled or On-Demand Correlation

Leverage Core Technologies:
Risk Based Automatic Threat Prioritization
Graphical Rules Editor, No programming needed
Connector Categorization
Active Lists
Escalation
Reduction of False Positives


ArcSight Express

Your Security Expert In a Box


World-Class Event Correlation Capabilities
Market-Leading Log Management Functionality
Simple Browser-based Operator Console
Handles Most Common Security and Compliance Issues Out of the Box

Minimal Administrative Overhead



Express: Pre-Built Content for Every Use Case

Understand Your Network: Top bandwidth users, Top external destinations

Monitor User Behavior: Terminated employee access attempts, Shared accounts

Track Remote Access: VPN access counts, Durations and errors

Prevent Intrusions & Viruses: Top attackers, Infected systems

Protect Personal Data: Database logins, Database errors and warnings



ArcSight Solution Modules

Pre-built rules, reports, dashboards, and connectors
Regulatory: Address compliance for public/industry regulations
Business: Address scenarios common to most organizations

Available as: Installable Software, Pre-configured Appliance

Regulatory: SOX/JSOX, IT Gov, PCI, FISMA
Business: IdentityView, Fraud Detection, Sensitive Data Protection

Benefit: Rapid deployment by leveraging best practices



Payment Card Industry (PCI)

Complete PCI Compliance Package

Rules, Policies, Alerts and Reports
Directly mapped to the 12 PCI requirements
Three key focus areas:
Efficient on-going management of PCI requirements
Preparation for audit
Addressing audit requirements
Over 100 reports provide effective review of information
28 rules automatically detect PCI violations
Tiered dashboard system provides high level and granular views of PCI Compliance status



PCI Content Coverage

Section  Description
(the Rules, Dashboards and Reports columns of the original slide are check marks that did not survive extraction)

1    Build and maintain a secure network
2    Do not use vendor-supplied defaults for system passwords and other security parameters
3    Protect Stored Data
4    Encrypt transmission of cardholder data and sensitive information across public networks
5    Use and regularly update Anti-virus software
6    Develop and maintain secure systems and applications
7    Restrict access to data by business need-to-know
8    Assign a unique ID to each person with computer access
9    Restrict physical access to cardholder data
10   Track and monitor all access to network resources and cardholder data
11   Regularly test security systems and processes
12   Maintain a policy that addresses information security
PCI  Technical and executive overviews; Overview of PCI compliance status



PCI Real-time Rules and Dashboards



Why we Win

Unmatched in

Interoperability Correlation Scale



Value Proposition

Our solutions protect businesses through continuous monitoring of who and what is on their enterprise IT infrastructure in order to:

Address Security Threats
Monitor Compliance Controls
Ensure Business Continuity

Customers of All Sizes and Industries

Healthcare Finance Education Government

Energy Telecommunications Manufacturing Retail

ArcSight Customers: EMEA (partial list)



Questions?
For More Information:
ArcSight Inc.: www.arcsight.com
Webcasts: www.arcsight.com/news_webinars.htm
Collateral: www.arcsight.com/whitepapers.htm

Thank You!
