
SN17: ArcSight Architectures

Brook Watson
Solutions Architect
September 2010

© 2010 ArcSight, Inc. All rights reserved.


ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.
www.arcsight.com © 2010 ArcSight Confidential 1
Agenda

• Overview of possible ArcSight Architectures including the use of ArcSight ESM, ArcSight Logger, and ArcSight Connector Appliance
• Discussion of several potential architectures
  – Multiple tiered ArcSight ESM Instances
  – Multiple ArcSight Loggers with a single ArcSight ESM Instance
  – Traditional single ArcSight Logger with a single ArcSight ESM Instance
• Pros and cons overview and discussion of the best practices surrounding each architecture
• The session is geared towards ArcSight administrators and authors in charge of maintaining the health and content of each of the ArcSight components



Flexible Solutions to Satisfy Customer Needs

• Small environments
  – Low event throughput (less than 1,000 EPS)
  – 1 or 2 dedicated analysts
• Large environments
  – High event throughput (more than 10,000 EPS)
  – 3 to 10 dedicated analysts
• Global / distributed environments
  – Low or high event throughputs
  – Customer data located throughout the world or country
  – Regional analytical teams feeding global analytical team
• MSSP environments
  – High event throughputs
  – Customer data located throughout the world or country
  – Multiple customers with differing SLA (content)



Information Gathering

What information do I need to gather to make informed decisions on possible architectures?
• Event throughput requirements (EPS / EPD)
• Event type requirements
• Log retention requirements
• High availability / failover requirements
• Additional customer requirements
  – Bandwidth considerations
  – NAT’ing considerations
  – MSSP considerations
  – Regional / global considerations
  – Compliance requirements
  – Use case requirements
ArcSight Platforms – ArcSight ESM

What key features and functionality allow ArcSight ESM to adapt to a customer’s environment?
• Multiple ArcSight ESM Instances can be deployed in a hierarchical configuration via the ArcSight ESM SuperConnector
• ArcSight ESM enriches the normalized event to add specific organizational and event context
  – Categorization
  – Network and asset modeling
  – Threat level priority determination
  – Correlated events
• ArcSight ESM provides
  – Customer designation to allow for multiple business units
  – Store designations (retail)
  – MSSP environments to segment data into logical groups
ArcSight Platforms – ArcSight Logger

What key features and functionality allow the ArcSight Logger appliance to adapt to a customer’s environment?
• ArcSight Logger provides a significantly lower cost of ownership over ArcSight ESM to store large amounts of historical data
• ArcSight Logger accepts significantly higher event throughputs than ArcSight ESM
• ArcSight Logger allows for multiple data retention policies
• Multiple ArcSight Logger appliances can be deployed as peers to allow for cross appliance searching
• ArcSight Logger can forward or receive normalized events directly to or from ArcSight ESM



ArcSight Platforms – ArcSight Connector Appliance

What key features and functionality allow the ArcSight Connector Appliance to adapt to a customer’s environment?
• ArcSight Connector Appliance reduces the management overhead associated with SmartConnectors administrative tasks
• An ArcSight Connector Appliance can host up to 32 individual SmartConnectors
• An ArcSight Connector Appliance can remotely manage thousands of Software or CA based SmartConnectors



Single ArcSight Logger with a Single ArcSight ESM Instance

Typical customer requirements
• Low event throughput
• Small number of unique event sources
• Mid-to-long term retention policy
• Event sources located in single datacenter
• Regulatory compliance needs
• Standard perimeter and insider threat security needs



Single ArcSight Logger with a Single ArcSight ESM Instance (architecture diagram)



When Should ArcSight Logger be Deployed Before ArcSight ESM?

• Ideally, ArcSight Logger is deployed behind ArcSight ESM for long-term storage of “enriched” events
• Alternatively, event rates may dictate that ArcSight Logger will need to be deployed in front of ArcSight ESM
  – Event rates are higher than ArcSight ESM can handle
  – All events are captured and stored for long-term retention
  – Only events of interest will be sent to ArcSight ESM for real-time correlation
  – Correlated events will be forwarded from ArcSight ESM to ArcSight Logger for long-term storage
  – Limited event enrichment occurs in this architecture at the ArcSight Logger tier
  – ArcSight ESM retains event enrichment
  – ArcSight Connector Appliance required for management of SmartConnectors
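As an added illustration (not ArcSight code and not from the presentation), this Python model walks one batch of constructed events through the Logger-first flow described above: everything is retained on Logger, only events of interest are forwarded to ESM, and ESM's correlated events are sent back to Logger. The forwarding filter, the correlation rule, the category strings and the ESM capacity figure are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample of normalized events as (source_ip, category, severity);
# the category strings are illustrative, not ArcSight's real categorization.
RAW_EVENTS = [
    ("10.0.0.5", "/Authentication/Failure", 3),
    ("10.0.0.5", "/Authentication/Failure", 3),
    ("10.0.0.5", "/Authentication/Failure", 3),
    ("10.0.0.9", "/Authentication/Success", 1),
    ("10.0.0.7", "/Network/Flow", 0),
    ("10.0.0.7", "/Network/Flow", 0),
    ("10.0.0.8", "/IDS/Alert", 7),
]

def is_event_of_interest(event):
    """Assumed Logger forwarding filter: only these reach ESM in the
    Logger-first layout (severity >= 3 or any authentication event)."""
    _, category, severity = event
    return severity >= 3 or category.startswith("/Authentication/")

def correlate(events, threshold=3):
    """Toy stand-in for an ESM correlation rule: three or more
    authentication failures from one source yield one correlated event."""
    failures = Counter(src for src, cat, _ in events if cat.endswith("/Failure"))
    return [(src, "/Correlated/AuthBruteForce", 8)
            for src, n in failures.items() if n >= threshold]

def run_logger_first(raw_events, esm_max_eps, window_seconds=1.0):
    """Model one window of the Logger-first flow and return tier counters.
    1. Every event is retained on Logger (long-term storage tier).
    2. Only events of interest are forwarded to ESM for real-time correlation.
    3. ESM's correlated events are forwarded back to Logger for retention.
    The ESM-bound rate is compared with the assumed ESM capacity, since this
    layout exists precisely because raw rates exceed what ESM can take.
    """
    logger_store = list(raw_events)
    to_esm = [e for e in raw_events if is_event_of_interest(e)]
    esm_eps = len(to_esm) / window_seconds
    correlated = correlate(to_esm)
    logger_store.extend(correlated)
    return {
        "logger_stored": len(logger_store),
        "esm_received": len(to_esm),
        "correlated": len(correlated),
        "esm_eps": esm_eps,
        "esm_over_capacity": esm_eps > esm_max_eps,
    }

if __name__ == "__main__":
    print(run_logger_first(RAW_EVENTS, esm_max_eps=100))
```

If `esm_over_capacity` is true for a realistic window, the forwarding filter on the Logger tier has to be tightened before the layout can work.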
Single ArcSight Logger with a Single ArcSight ESM Instance: ArcSight Logger First (architecture diagram)



Multiple ArcSight Loggers with a Single ArcSight ESM Instance

Typical customer requirements
• Medium-to-high event throughput rates
• Medium-to-high number of unique event sources
• Long-term retention policy
• Event sources located in single or multiple datacenters and/or regions
• Small MSSP workflow and customer access requirements
• Regulatory compliance needs
• Standard perimeter and insider threat security needs
• Some custom content development



Multiple ArcSight Loggers with a Single ArcSight ESM Instance (architecture diagram)



Multiple Hierarchical ArcSight ESM Instances

Typical customer requirements
• Low-to-medium event throughput rates
• Medium-to-high number of unique event sources
• Short-term / various retention policies
• Event sources located in multiple datacenters and/or regions
• Regional administrative staff
• Regional SOC teams
• Large MSSP workflow and customer access requirements
• Regulatory compliance needs
• Standard perimeter and insider threat security needs
• Major custom content development



Multiple Hierarchical ArcSight ESM Instances (architecture diagram)



How Do I Manage ArcSight ESM Content?

• Very carefully and with a lot of planning
  – MSSP and global environments typically have a dedicated content author that manages and builds all custom content for all ArcSight ESM instances in the environment
    • Content author typically represents the global SOC team and works with the various regional SOC teams to identify security threats impacting the organization and builds content to detect such activity
    • Globally correlated rules need to have consistent event types from the regional ArcSight ESM instances
    • If each regional SOC team can create their own custom content, it becomes extremely difficult for the global content author to build relevant content to represent the entire enterprise
• Utilizing ArcSight ESM 4.0 package functionality
  – Once content has been agreed upon, the package functionality allows the content author to build transportable ArcSight ESM content and deploy throughout the global and regional ArcSight ESM tiers
The Whole Enchilada!

Typical customer requirements
• High-to-extremely-high event throughput rates
• High number of unique event sources
• Long-term / various retention policies
• Event sources located in multiple datacenters and/or regions
• Regional administrative staff
• Regional SOC teams
• Large MSSP workflow and customer access requirements
• Regulatory compliance needs
• Standard perimeter and insider threat security needs
• Major custom content development



The Whole Enchilada! (architecture diagram)



Two Distinct Architecture Services to Ensure Successful Customer Deployments

1. Architecture Review Service
  – Primarily designed to help customers define architectural requirements for complex environments
  – Can be accomplished during a one-day on-site visit or a remote teleconference meeting
  – The goal is to review and document environmental requirements needed for a successful ArcSight Solution

2. Architecture Design Service
  – Created for existing customers looking to make significant upgrades or modifications to their existing ArcSight Solution
  – Perfect for new customers with large scale environments who have significant or unique solution requirements
  – Two days of on-site information gathering and design planning along with three days of off-site Architecture plan authoring
  – The goal is to detail the various design components of the customer proposed environment to ensure a successful ArcSight solution is deployed



Your Feedback Builds a Better Conference!

• Text to 32075 (USA & Canada) or 447786204951 (Non-USA)
• Type ARCS <space> 17 and the letter to each response

SMS body example: ARCS 17ae*your comments

                    Excellent  Good  Fair  Poor
Rate the speaker    a          b     c     d
Rate the content    e          f     g     h

Please provide comments: (*) enter any comments/feedback

Download session replays after the conference:
https://protect724.arcsight.com/community/protect10/sessions
ArcSight, Inc.
Corporate Headquarters: 1 888 415 ARST
EMEA Headquarters: +44 (0)844 745 2068
Asia Pac Headquarters: +65 6248 4795
www.arcsight.com

