#MicroFocusCyberSummit Data Simplicity: ArcSight Data Platform - - PowerPoint PPT Presentation



SLIDE 1

#MicroFocusCyberSummit

SLIDE 2 – Data Simplicity: ArcSight Data Platform enhances enterprise data via the Common Event Format

Peter Titov – Micro Focus

#MicroFocusCyberSummit

SLIDE 3 – Agenda

  • Usage – What do we ask of our data?
  • Ingestion – How do we get our data where it needs to go?
  • Management – Where is the easiest place to manage data?
  • Solutions – Why I can have my cake & eat it too.

SLIDE 4 – ADP: Hold up! Wait a minute.

What is ADP, what is included with it, and what is CEF?

ADP (ArcSight Data Platform) components:

  • SmartConnector – Ingest
  • ArcMC – Manage
  • Event Broker – Route
  • Logger – Immutable storage

CEF: Common Event Format

SLIDE 5 – Normalized Data vs Raw Data: Usage

Normalized data

  • Ideal for real-time correlation
  • Ideal for known requests: reports, dashboards, filters, lists, etc.

Raw data

  • Ideal for hunting expeditions of the unknown
  • Compliance mandates

SLIDE 6 – Normalized Data vs Raw Data: Ingestion

Normalization of Raw Data: regardless of when the data is analyzed, normalization will occur in some fashion.

  • Data will be formatted
  • Data will be read
  • Data will be interpreted

Approaches to Normalization

Pre-ingest – Formatting

  • Parsing upstream, as close to the log source as possible
  • Weight of normalization is on the SmartConnector

Post-ingest – Modeling

  • Parsing downstream, as close to the log destination as possible
  • Weight of normalization is on the Indexer

SLIDE 7 – Normalized Data vs Raw Data: Management

  • Transport
  • Encrypt or obfuscate
  • Enrich
  • Aggregate
  • Secure
  • Under budget

SLIDE 8 – Normalized Data vs Raw Data: Challenges

  • Events are lumped together
  • ArcSight fields are not indexed and/or are inaccurately captured
  • Aggregated ArcSight data compounds this problem
  • Indexing terabytes of data is exceptionally costly

SLIDE 9 – Normalized Data vs Raw Data: Platform Solutions

  • Elastic – ArcSight X-Pack
  • Splunk – ArcSight Integrator
  • Sumo – CEF Syslog
  • HDFS – Parsing; Data Lake vs Data Warehouse

SLIDE 10 – Platform Solutions: Elastic & ArcSight X-Pack

  • Fully normalized data aligned to CEF via Logstash
  • Aggregate data for faster searching
  • Machine learning & analytics
  • Awesome visualizations via Kibana
  • Additional data routing and ETL capabilities

Best part: it’s bundled with Elastic when installed!!!

SLIDE 11 – ADP & Elastic: Implementation

Download and install Elastic:

  • https://www.elastic.co/downloads

Point ArcSight Connectors or Event Broker/Kafka to Logstash:

  • https://www.elastic.co/guide/en/logstash/current/arcsight-module.html

Helpful guide for beginning your journey:

  • https://community.softwaregrp.com/t5/ArcSight-User-Discussions/Elasticsearch-Installation-and-ArcSight-Module-Configuration/m-p/1616812

SLIDE 12 – Platform Solutions: Splunk & ArcSight Integrator

  • Fully normalized data aligned to CEF
  • Aggregating data to drastically reduce Splunk licensing
  • Splunk & ArcSight syntax similarities: share content quickly and easily between platforms
  • Increase efficiency of Splunk performance

Simply add the ArcSight Integrator and point CEF Syslog at it, or consume the CEF Kafka topic.

SLIDE 13 – ADP & Splunk: Powerful Together

The Splunk Processing Language & ArcSight Interactive Search share many similarities. A unified schema enables the cross-pollination of query syntax, e.g.:

ArcSight

  sourceAddress="10.0.0.1" | top destinationAddress

Splunk

  index="arcsight" AND sourceAddress="10.0.0.1" | top destinationAddress

SLIDE 14 – ADP & Splunk: Aggregation Testimonial

  • Reduce license utilization by 83% for one feed (from 9,000 to 1,500)
  • $1.35 million in savings from this one example*

*Based upon ESM License pricing
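As an added illustration (not code from the deck or from Micro Focus), the Python below does in miniature what slides 6, 13 and 14 describe: it parses CEF lines into ArcSight field names, the pre-ingest normalization a SmartConnector performs; it collapses events that are identical on a chosen set of fields into one aggregated event, which is where the licensing reduction on slide 14 comes from; and it answers the `sourceAddress="10.0.0.1" | top destinationAddress` query from slide 13 over the aggregated set. CEF_KEY_MAP is a small subset of the published CEF key-name mapping, baseEventCount is the ArcSight field that carries an aggregated event's count, and the sample events, vendor and product names are constructed for the example.

```python
import re
from collections import Counter

# Subset of the published CEF extension key -> ArcSight field-name mapping.
CEF_KEY_MAP = {
    "src": "sourceAddress", "dst": "destinationAddress",
    "spt": "sourcePort", "dpt": "destinationPort",
    "proto": "transportProtocol", "act": "deviceAction",
    "suser": "sourceUserName", "msg": "message",
}
# The seven pipe-delimited CEF header fields, in order.
HEADER_FIELDS = ("cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
                 "deviceEventClassId", "name", "severity")
# An extension key starts at the beginning of the extension or after whitespace.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

# Constructed sample feed: a firewall emitting CEF, with an escaped '|' in the
# vendor name and an escaped '=' inside the msg value.
SAMPLE_CEF = [
    "CEF:0|Example\\|Vendor|ExampleFW|1.0|100|Connection allowed|3|src=10.0.0.1 dst=192.0.2.10 dpt=443 proto=TCP act=allow",
    "CEF:0|Example\\|Vendor|ExampleFW|1.0|100|Connection allowed|3|src=10.0.0.1 dst=192.0.2.10 dpt=443 proto=TCP act=allow",
    "CEF:0|Example\\|Vendor|ExampleFW|1.0|100|Connection allowed|3|src=10.0.0.1 dst=192.0.2.20 dpt=80 proto=TCP act=allow",
    "CEF:0|Example\\|Vendor|ExampleFW|1.0|101|Connection denied|5|src=10.0.0.2 dst=192.0.2.10 dpt=22 proto=TCP act=deny msg=rule\\=deny-ssh hit",
    "CEF:0|Example\\|Vendor|ExampleFW|1.0|100|Connection allowed|3|src=10.0.0.1 dst=192.0.2.10 dpt=443 proto=TCP act=allow",
]


def _unescape(text):
    # CEF escapes '|' '=' and '\' with a backslash; \n and \r stand for newlines.
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append({"n": "\n", "r": "\r"}.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def parse_cef(line):
    """Parse one CEF record into a dict keyed by ArcSight field names."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts, buf, i = [], [], 0
    # Header: seven fields split on unescaped '|'; whatever follows is the extension.
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i:i + 2])   # keep the escape pair for _unescape
            i += 2
        elif ch == "|":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(parts) < 7:
        raise ValueError("CEF header needs seven '|'-delimited fields")
    event = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts)}
    event["cefVersion"] = event["cefVersion"][len("CEF:"):]
    # Extension: key=value pairs; a value runs until the next unescaped key.
    ext = line[i:]
    hits = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        field = CEF_KEY_MAP.get(m.group(1), m.group(1))
        event[field] = _unescape(ext[m.end():end].strip())
    return event


def aggregate(events, keys=("deviceEventClassId", "sourceAddress",
                            "destinationAddress", "destinationPort")):
    """Collapse events identical on `keys` into one event carrying baseEventCount."""
    merged = {}
    for ev in events:
        sig = tuple(ev.get(k) for k in keys)
        if sig in merged:
            merged[sig]["baseEventCount"] += 1
        else:
            merged[sig] = dict(ev, baseEventCount=1)
    return list(merged.values())


def top_destinations(events, source_address, limit=10):
    """sourceAddress="<ip>" | top destinationAddress, weighting aggregated events by their count."""
    tally = Counter()
    for ev in events:
        if ev.get("sourceAddress") == source_address:
            tally[ev["destinationAddress"]] += ev.get("baseEventCount", 1)
    return tally.most_common(limit)


def demo():
    """Normalize the constructed feed, aggregate it, and run the slide-13 query."""
    events = [parse_cef(line) for line in SAMPLE_CEF]
    aggregated = aggregate(events)
    return events, aggregated, top_destinations(aggregated, "10.0.0.1")


if __name__ == "__main__":
    raw, agg, top = demo()
    print(f"{len(raw)} raw events -> {len(agg)} aggregated events")
    print("top destinationAddress for 10.0.0.1:", top)
```

The aggregation key is the design choice that matters: the fewer fields it includes, the bigger the reduction in indexed volume, but every field left out of the key is a field whose per-event value is lost downstream, which is exactly the "inaccurately captured" problem slide 8 warns about. Pick the key from the fields your detections and reports actually group on.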

SLIDE 15 – ADP & Splunk: Implementation

Add the ArcSight Technology Add-on (TA) for your ingest method:

  • Splunk_TA_ArcSight_Integrator_for_SmartConnectors – CEF Syslog destinations
    https://splunkbase.splunk.com/app/4133/
  • Splunk_TA_ArcSight_Integrator_for_EB_or_Kafka – Kafka topic of CEF data
    https://splunkbase.splunk.com/app/4135/
  • https://splunkbase.splunk.com/app/4136/

Configure connectors to aggregate data per the included instructions

  • Link to Protect724 for Splunk Add-On

Optional: leverage the Splunk_SA_ArcSight_Integrator (Support Add-on) for CEF-based dashboards and queries

SLIDE 16 – Platform Solutions: Sumo & CEF Syslog

  • Fully normalized data aligned to CEF
  • Aggregating data to reduce Sumo licensing
  • Increase efficiency of Sumo performance

SLIDE 17 – Platform Solutions: HDFS Data Warehouse

Data Lake vs Data Warehouse

SLIDE 18 – Final Thoughts

At the end of the day, we are all on the same team. When platforms collaborate:

  • They become a force multiplier for their customers
  • Everyone wins: users have faster searches AND managers have lower costs.

Big data means thinking big and looking at the big picture.

SLIDE 19 – Thank You.

#MicroFocusCyberSummit

Contact: Peter Titov

  • Peter.Titov@microfocus.com
  • Peter.Titov@gmail.com
  • (412)-720-7938

SLIDE 20

#MicroFocusCyberSummit