Sunday, 4 September 2016

Regex Flex Connector

The Regex Flex Connector can be configured to read logs from several devices, and a lot of customization can be done using regular expressions in its config files.

Duplicate events can be removed using field-based aggregation.
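
As an added illustration (this is not taken from the original post or from ArcSight's own documentation), the following is a minimal regex FlexConnector parser file for an OpenSSH "Failed password" line. The file name, the log format and the field mappings are assumptions for the example; consult the FlexConnector developer guide for the exact keys your connector version supports.

```properties
# sshd.sdkrfilereader.properties  (assumed name; regex FlexConnector parser file)
# Backslashes are doubled because this is a Java properties file.
# Each capture group of the regex becomes a token, numbered from 0.
regex=^(\\w{3}\\s+\\d+ \\d\\d:\\d\\d:\\d\\d) (\\S+) sshd\\[\\d+\\]: Failed password for (?:invalid user )?(\\S+) from (\\S+) port (\\d+) ssh2$

token.count=5
token[0].name=Timestamp
token[0].type=TimeStamp
token[0].format=MMM dd HH\:mm\:ss
token[1].name=Host
token[1].type=String
token[2].name=User
token[2].type=String
token[3].name=SrcIP
token[3].type=IPAddress
token[4].name=SrcPort
token[4].type=Integer

# Map the tokens onto the ArcSight common event schema (normalization)
event.deviceReceiptTime=Timestamp
event.deviceHostName=Host
event.destinationUserName=User
event.sourceAddress=SrcIP
event.sourcePort=SrcPort
event.deviceVendor=__stringConstant("OpenSSH")
event.deviceProduct=__stringConstant("sshd")
event.name=__stringConstant("Failed password")
event.deviceEventClassId=__stringConstant("sshd:failed-password")
event.deviceSeverity=__stringConstant("Warning")
```

The connector matches `regex` against each line; `token.count` must equal the number of capture groups, so the `(?:...)` non-capturing group absorbs the "invalid user" variant without creating an extra token. Note that the parser file does not deduplicate anything: field-based aggregation is configured on the connector itself (its aggregation settings), not in the parser.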

Tuesday, 16 February 2016

Life Cycle of an Event in ArcSight ESM

An event goes through three phases in ESM:

1. Data is collected from data sources by SmartConnectors, parsed, and sent to ESM.

2. ESM monitors for specific events, escalates them according to defined rules, and generates reports for review.

3. Events are stored and archived according to the retention policy.

User Interfaces within ArcSight ESM

ArcSight Command Center :

Manages users, storage and event data
Monitors events
Generates reports
Updates the licence

ArcSight Console :

Builds filters, rules, reports, Pattern Discovery profiles and dashboards
Monitors data
Administers users and workflow

ArcSight Web :

Web interface to the Manager
Monitors events
Used by security analysts to drill down into dashboards, reporting and notifications

ArcSight Risk Insight :

Assesses the business impact of a specific threat according to defined rules

Pattern Discovery :

Detects recurring patterns in the event flow and is used to

                   Discover zero-day attacks
                   Discover low-and-slow attacks
                   Profile common patterns in the network
                   Automatically create rules

ArcSight Express :

Separately licensed SIEM appliance; an easy-to-deploy, enterprise-level security monitoring and response system with built-in rules, dashboards and reports.

Logger :

Receives events from syslog messages, log files and SmartConnectors
Stores events in compressed form
Forwards specific events to ESM

ArcSight NCM/TRM :

Locates devices in the network
Applies protocol filters to curb intrusion
Blocks specific IP ranges
Disables individual user accounts
Audits changes

Monday, 15 February 2016

Components of ArcSight ESM

SmartConnector :

Collects all required logs from devices in the network
Filters data, saving storage and bandwidth
Parses all events and normalizes them into a common schema for ESM
Aggregates events to reduce the event count
Categorizes events in a common format in order to build rules, filters and reports
Processed events are passed to the Manager
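
As an added example (not code from the original post or from ArcSight), the following Python models the SmartConnector stages listed above on a handful of constructed syslog lines: parse with a regex (the mechanism the Regex Flex Connector post describes), normalize into ArcSight-style field names and categories, filter out traffic not worth forwarding, and apply field-based aggregation so that repeated events become one event carrying a count. The log lines, the trusted automation network, the aggregation key fields and the 30-second window are all assumptions for the example.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample syslog lines (not real data), as a SmartConnector would read them.
SAMPLE_LOGS = [
    "Feb 15 10:00:01 bastion sshd[4123]: Failed password for root from 203.0.113.9 port 50122 ssh2",
    "Feb 15 10:00:02 bastion sshd[4123]: Failed password for root from 203.0.113.9 port 50123 ssh2",
    "Feb 15 10:00:03 bastion sshd[4124]: Failed password for invalid user admin from 203.0.113.9 port 50124 ssh2",
    "Feb 15 10:00:04 bastion sshd[4125]: Accepted publickey for deploy from 198.51.100.7 port 41000 ssh2",
    "Feb 15 10:00:05 bastion CRON[4200]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Feb 15 10:00:06 bastion sshd[4126]: Failed password for root from 203.0.113.9 port 50125 ssh2",
]

# Parse stage: one regex; named groups play the role of ArcSight's numbered token[n] entries.
SSH_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<sport>\d+) ssh2$"
)

# Assumed automation network whose routine key logins are dropped at the connector.
TRUSTED_AUTOMATION = ipaddress.ip_network("198.51.100.0/24")

# Aggregation key: events identical in these fields (within the window) are merged.
AGG_FIELDS = ("deviceHostName", "name", "sourceAddress", "destinationUserName", "categoryOutcome")


def parse(line, year=2016):
    """Parse + normalize: a dict keyed by ArcSight-style field names, or None if not an sshd auth line."""
    m = SSH_AUTH.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; the connector supplies one (assumed here)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    failed = m["outcome"] == "Failed"
    return {
        "deviceReceiptTime": ts,
        "deviceHostName": m["host"],
        "deviceVendor": "OpenSSH",
        "deviceProduct": "sshd",
        "name": f"{m['outcome']} {m['method']}",
        "destinationUserName": m["user"],
        "sourceAddress": m["src"],
        "sourcePort": int(m["sport"]),
        # categorization: vendor-independent fields that rules, filters and reports key on
        "categoryBehavior": "/Authentication/Verify",
        "categoryOutcome": "/Failure" if failed else "/Success",
    }


def drop_filter(ev):
    """Filter stage: True for events not worth forwarding (routine key logins from the deploy network)."""
    return (
        ev["categoryOutcome"] == "/Success"
        and ev["name"] == "Accepted publickey"
        and ipaddress.ip_address(ev["sourceAddress"]) in TRUSTED_AUTOMATION
    )


def aggregate(events, fields=AGG_FIELDS, window_seconds=30):
    """Field-based aggregation: merge events sharing `fields` within a window into one event with baseEventCount."""
    finished, open_buckets = [], {}
    for ev in events:
        key = tuple(ev[f] for f in fields)
        bucket = open_buckets.get(key)
        if bucket is not None and (ev["deviceReceiptTime"] - bucket["startTime"]).total_seconds() > window_seconds:
            finished.append(open_buckets.pop(key))  # window expired: emit and start a new bucket
            bucket = None
        if bucket is None:
            # non-key fields (e.g. sourcePort) keep the first value seen
            bucket = dict(ev, baseEventCount=0, startTime=ev["deviceReceiptTime"])
            open_buckets[key] = bucket
        bucket["baseEventCount"] += 1
        bucket["endTime"] = ev["deviceReceiptTime"]
    finished.extend(open_buckets.values())
    return finished


def run_pipeline(lines, window_seconds=30):
    """Connector pipeline: parse/normalize -> filter -> aggregate; lines that do not parse are dropped."""
    parsed = [ev for ev in (parse(line) for line in lines) if ev is not None]
    kept = [ev for ev in parsed if not drop_filter(ev)]
    return aggregate(kept, window_seconds=window_seconds)


if __name__ == "__main__":
    for ev in run_pipeline(SAMPLE_LOGS):
        print(ev["baseEventCount"], ev["name"], ev["destinationUserName"], ev["sourceAddress"])
```

On the six constructed lines the pipeline emits two events: the three root failures from 203.0.113.9 collapse into one event with baseEventCount 3 (the differing source ports are not part of the key, so the first port is kept), the admin failure stays a single event, the CRON line never parses, and the deploy key login is filtered before it costs bandwidth.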

ArcSight Manager :

It is a Java-based server
Evaluates each event against the network model and vulnerability information
Develops real-time threat summaries
Writes events to the CORR Engine

CORR Engine : (Correlation Optimized Retention and Retrieval Engine)

ESM organizes events by date and stores them in the CORR Engine for the configured event retention period. Events are correlated against this store and then archived for long-term use.

Functions of ArcSight SIEM

ESM collects, normalizes, aggregates and filters events from assets in the network.

Events are prioritized according to risk, vulnerabilities and asset criticality.

Prioritized events are then correlated, monitored, analyzed and remediated with ESM tools.

Correlation : the process of discovering relationships between events; events are prioritized based on those relationships and then handled in priority order.

Monitoring : critical events are monitored and remedial action is taken before an incident occurs.

Workflow : a workflow framework is defined for timely escalation of critical events.

Analysis : critical events can be analyzed and drilled into with tools within ArcSight.

Reporting : reports are generated manually or on a schedule.
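
As an added example (not code from the original post or from ArcSight), the following Python models the correlation, prioritization and workflow functions listed above, which are also the "monitor and escalate as per defined rules" phase of the event life cycle post: a rule that discovers a relationship between events (repeated failed logins followed by a success from the same source to the same destination), a priority score that raises the rule's base severity according to asset criticality and known vulnerabilities, and a workflow stage chosen from that priority. The events, the asset model, the threshold, window and scoring weights are all constructed for the example; ESM's own priority formula and rule syntax are ArcSight's.

```python
from datetime import datetime, timedelta

# Constructed, already-normalized events as a SmartConnector would deliver them (not real data).
EVENTS = [
    {"t": "2016-02-15 09:58:00", "name": "Failed password",    "src": "203.0.113.9",  "dst": "10.0.0.5", "user": "root",   "outcome": "/Failure"},
    {"t": "2016-02-15 10:00:01", "name": "Failed password",    "src": "203.0.113.9",  "dst": "10.0.0.5", "user": "root",   "outcome": "/Failure"},
    {"t": "2016-02-15 10:00:05", "name": "Failed password",    "src": "203.0.113.9",  "dst": "10.0.0.5", "user": "root",   "outcome": "/Failure"},
    {"t": "2016-02-15 10:00:09", "name": "Failed password",    "src": "203.0.113.9",  "dst": "10.0.0.5", "user": "admin",  "outcome": "/Failure"},
    {"t": "2016-02-15 10:00:20", "name": "Accepted password",  "src": "203.0.113.9",  "dst": "10.0.0.5", "user": "root",   "outcome": "/Success"},
    {"t": "2016-02-15 10:00:30", "name": "Failed password",    "src": "203.0.113.9",  "dst": "10.0.0.8", "user": "root",   "outcome": "/Failure"},
    {"t": "2016-02-15 10:00:31", "name": "Failed password",    "src": "203.0.113.9",  "dst": "10.0.0.8", "user": "root",   "outcome": "/Failure"},
    {"t": "2016-02-15 10:00:35", "name": "Accepted password",  "src": "203.0.113.9",  "dst": "10.0.0.8", "user": "root",   "outcome": "/Success"},
    {"t": "2016-02-15 10:01:00", "name": "Accepted publickey", "src": "198.51.100.7", "dst": "10.0.0.5", "user": "deploy", "outcome": "/Success"},
]

# Assumed network model: per-asset criticality (0-10) and whether a relevant vulnerability is known.
ASSETS = {
    "10.0.0.5": {"name": "payments-db", "criticality": 9, "vulnerable": True},
    "10.0.0.8": {"name": "dev-box", "criticality": 3, "vulnerable": False},
}
UNKNOWN_ASSET = {"name": "unmodeled", "criticality": 1, "vulnerable": False}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def priority(base_severity, dst):
    """Prioritization: the rule's base severity raised by asset criticality and a known vulnerability, capped at 10.
    The weights are assumptions for the example, not ESM's own formula."""
    asset = ASSETS.get(dst, UNKNOWN_ASSET)
    score = base_severity + asset["criticality"] // 3 + (2 if asset["vulnerable"] else 0)
    return min(score, 10)


def escalation_stage(prio):
    """Workflow: where an alert of a given priority is routed (assumed thresholds)."""
    if prio >= 8:
        return "page on-call"
    if prio >= 5:
        return "analyst queue"
    return "log only"


def correlate(events, threshold=3, window=timedelta(seconds=60), base_severity=5):
    """Correlation rule: at least `threshold` failed logins from one source to one destination within
    `window`, followed by a successful login on the same (source, destination) pair, for any user."""
    failures = {}   # (src, dst) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["t"])):
        key, t = (ev["src"], ev["dst"]), parse_ts(ev["t"])
        recent = [x for x in failures.get(key, []) if t - x <= window]  # forget failures outside the window
        if ev["outcome"] == "/Failure":
            recent.append(t)
        elif ev["outcome"] == "/Success" and len(recent) >= threshold:
            prio = priority(base_severity, ev["dst"])
            alerts.append({
                "rule": "Brute force followed by successful login",
                "src": ev["src"], "dst": ev["dst"], "asset": ASSETS.get(ev["dst"], UNKNOWN_ASSET)["name"],
                "user": ev["user"], "failedAttempts": len(recent),
                "firstFailure": min(recent), "successAt": t,
                "priority": prio, "workflow": escalation_stage(prio),
            })
            recent = []  # fire once per sequence
        failures[key] = recent
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a["priority"], a["workflow"], a["rule"], a["src"], "->", a["asset"], a["user"])
```

On the constructed events exactly one alert fires: the 09:58 failure is outside the 60-second window and is not counted, the three failures between 10:00:01 and 10:00:09 followed by the 10:00:20 success trigger the rule against payments-db, and because that asset is critical and vulnerable the priority reaches the cap of 10 and the alert is routed to on-call. The two failures against dev-box stay below the threshold, and the deploy key login has no preceding failures from its source, so neither produces an alert.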

Saturday, 13 February 2016

What is ArcSight ESM

HP ArcSight ESM is the premier security event manager that analyzes and correlates every event in order to help your SOC team with security event monitoring, from compliance and risk management to security intelligence and operations.

We can say that it is enterprise security management software that combines event correlation and security analytics to identify and prioritize threats in real time and remediate incidents.

ArcSight is used by network security analysts, system administrators and business users.

ESM includes the CORR Engine, which receives and processes events at high speed.