#MicroFocusCyberSummit Global Protection and Awareness through Data - - PowerPoint PPT Presentation


#MicroFocusCyberSummit Global Protection and Awareness through Data Analytics, Threat Detection and Pattern Recognition Charles Clawson, ArcSight Marketing Manager Steven Riley, ArcSight Technical Marketing Manager #MicroFocusCyberSummit


SLIDE 1

#MicroFocusCyberSummit

SLIDE 2

#MicroFocusCyberSummit

Global Protection and Awareness through Data Analytics, Threat Detection and Pattern Recognition

Charles Clawson, ArcSight Marketing Manager Steven Riley, ArcSight Technical Marketing Manager

SLIDE 3

Visual Agenda

Maturity stages: Log Management → Data Analysis → Real time alerting & monitoring → Security Analytics → Intelligent Security Operations

Discover Micro Focus Security strategy; Intelligent SecOps use case & Maturity roadmap

Products and topics covered: ArcSight Data Platform, ArcSight ESM, ArcSight Marketplace, ArcSight Investigate, 3rd party Security Analytics, Activate Use case, Threat Intel

SLIDE 4

Company

Discover the New

SLIDE 5

The New Combined Company: Micro Focus

Built on stability, acquisition and innovation

Timeline figure (labels recovered from the slide): COBOL; Network Management / Data Protector

SLIDE 6

Combined Micro Focus: An Industry Shaper

Revenue ranking chart of software vendors (bar values in USD billions, from $7.1 down to $1.1: 7.1, 5.1, 4.9, 4.4, 4.0, 3.4, 3.3, 3.2, 3.1, 2.5, 2.5, 2.4, 2.3, 2.1, 2.1, 2.0, 2.0, 1.9, 1.9, 1.8, 1.7, 1.7, 1.4, 1.3, 1.2, 1.1). Vendors shown: Microsoft, Oracle, SAP, Salesforce, Adobe, Symantec, HPE SW / MF, CA, Gemalto, Citrix, Dassault, SAS, HPE SW, Infor, Veritas, Autodesk, Synopsys, CDK Global, Red Hat, Asseco, BMC, Nuance, Constellation, Open Text, Cadence, Check Point, Micro Focus, Workday, ServiceNow, Informatica

Ranking callouts: HPE SW #12; Micro Focus #26; combined HPE SW / MF #7

SLIDE 7

Four Focus Areas

  • DevOps
  • Hybrid IT Management
  • Security & Data Management
  • Predictive Analytics

SLIDE 8

Protecting What Matters Most

Users, Apps, Data: Security Analytics

SLIDE 9

One of the World's Most Powerful Security Portfolios

SLIDE 10

ArcSight Empowers Intelligent Security Operations

SLIDE 11

What Are the Top CISO Priorities?

  • Decrease impacts of security events
  • Detect and stop security threats
  • Reduce business downtime and non-compliance

SLIDE 12

Challenges to the Security Operations Center

  • Increasing rate of data
  • Limited detection and response tools
  • Complex and slow investigation capabilities

SLIDE 13

Intelligent Security Operations

Increase Speed, Simplicity and Effectiveness Across the Entire Workflow

  • Visibility Without Boundaries
  • Comprehensive Detection
  • Intuitive Investigation

SLIDE 14

ArcSight Drives Business Profits

  • Open architecture: reduce data and licensing costs
  • Comprehensive detection: minimize risk and data loss
  • Intuitive investigation: reduce time and human struggle

SLIDE 15

All Departments Benefit

  • Security & Risk management
  • IT operations
  • Compliance & Legal
  • Line of Business

SLIDE 16

Proven, Accurate and Fast

ArcSight Investigate | ArcSight ESM | ArcSight ADP

SLIDE 17

Open, Relevant and Intuitive

ArcSight Investigate

Investigation | Security Analytics

ArcSight ESM

Real-time correlation | Alerting | Workflow

ArcSight Data Platform

Connectors | Event Broker | Management | Logger

SLIDE 18

Security Operations Use Cases & Maturity Roadmap

SLIDE 19

Intelligent Security Operations – Use case Roadmap

Log Management

  • Centralize Logs
  • Retain data
  • Compliance

Data Analysis

  • Forensics
  • Rapid Search
  • Reporting

Real time alerting & monitoring

  • Detect & identify
  • Respond in time
  • Build workflow

Security Analytics

  • Behavior Profiling
  • Threat detection
  • Know the unknown

Intelligent Security Operations

  • Integrated monitoring
  • People & Process & Technology
  • Efficiency & Resilience

SLIDE 20

Intelligent Security Operations – Capability Roadmap

Log Management

  • Centralize Logs
  • Retain data
  • Compliance

Data Analysis

  • Forensics
  • Rapid Search
  • Reporting

Real time alerting & monitoring

  • Detect & identify
  • Respond in time
  • Build workflow

Security Analytics

  • Behavior Profiling
  • Threat detection
  • Know the unknown

Intelligent Security Operations

  • Integrated monitoring
  • People & Process & Technology
  • Efficiency & Resilience

ArcSight Data Platform ArcSight ESM ArcSight Investigate Analytics & SIOC

SLIDE 21

SLIDE 22

ArcSight Data Platform

Expand the visibility of your data

SLIDE 23

Visibility Without Boundaries

  • Faster detection with business optics: real-time security context
  • Keep up with growing environments: scalability through variety and velocity
  • Integrate data lakes with security apps: open architecture to maximize usage

SLIDE 24

ArcSight Security Technology Partners

Partner technology categories: DDoS, GRC, SIEM, Application Security, Threat Intelligence

SLIDE 25

ArcSight Data Platform in a Nutshell

Functions: Collect, Enrich, Distribute, Retain, Search, Report

Components: Connector, Event Broker, Logger, ArcSight Management Console

SLIDE 26

Data Retention (Logger)

  • Cost-effective universal log management
  • Unifies searching, reporting and analysis
  • Scale
    • 1M EPS in a 100-peer architecture
    • 100 concurrent searches
  • Performance
    • Search speed improvements by 50-200%
    • 10:1 compression ratio to store up to 1200 TB
  • Security
    • Data at rest encryption on ADP appliances

SLIDE 27

Management Console – End to End Monitoring

  • Topology view for consolidated overview
  • Display device information on hover
  • Sort devices by region / groups

SLIDE 28

Instant Connector Deployment

ArcMC 2.70, Connectors 7.70

Capability:

  • Connector deployment on remote hosts through ArcSight UI
  • In-context deployment View UI
  • Re-usable deployment templates with configuration values for source and destination
  • Many Connectors to a single host
  • Centralized management of long running deployment jobs

Benefit: Improve security administrator productivity by providing a quick and easy deployment option, so that administrators can onboard new data sources or readjust the connector deployment layout quickly and with ease.

SLIDE 29

Enhanced Topology View

ArcMC 2.70, Event Broker 2.10

Capability:

  • View Event Broker topics in Topology view on ArcMC
  • Get visibility into consumer connectivity through ArcMC

Benefit: Improve analyst productivity by giving analysts a centralized monitoring tool, so that they can optimize their time and do more with ease.

SLIDE 30

Logger 6.5 Updates

Capability:

  • Create Reports from Logger Queries
  • Archives will include Indexes
  • ADP Logger standalone mode: both for appliances and software
  • Complete support for SHA-2: receivers and forwarders, archiving, SSL signatures
  • Complete support for TLS 1.2: peer communications, on-board connector
  • Dark Theme for Logger

Benefit: Easy-to-use Logger reporting tools with an enhanced UI help optimize analyst time and generate comprehensive reports and dashboards for compliance and other use cases.

SLIDE 31

Data De-identification for Privacy (GDPR, health, ...)

Format Preserving Encryption by Voltage, embedded in the ArcSight Connector

Data flow: Source event data → ArcSight Connector (de-identify sensitive data) → Logger, ESM, 3rd party

Example: john.doe@arcsight.com → uwol.clu@qnmpdsaa.kle
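The property this slide relies on is that the de-identified value keeps the shape of the original (same length, separators such as "." and "@" in the same positions, letters stay letters), so downstream parsers, dashboards and joins keep working while the personal data is gone. The following added example is not Voltage's FPE and not ArcSight code: it is a keyed, deterministic, format-preserving pseudonymization built from HMAC-SHA256, written here to illustrate the property on a constructed event. Unlike real FPE (which is reversible with the key) this mapping is one-way; the field names, the sample event and the key are assumptions made for the demonstration.

```python
import hashlib
import hmac
import string

# Character classes: a character is only ever replaced by a member of its own
# class, so the pseudonym keeps the original length, letter case and digit positions.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits)


def _keystream(key: bytes, value: str, n: int) -> bytes:
    """Deterministic keyed byte stream for one value: HMAC-SHA256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < n:
        msg = value.encode() + b"\x00" + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def deidentify_value(value: str, key: bytes) -> str:
    """Return a format-preserving pseudonym of `value`.

    Letters map to letters of the same case and digits to digits; separators such
    as '.', '@' and '-' pass through unchanged, so an e-mail address still looks
    like one. The mapping is keyed and deterministic: equal inputs give equal
    outputs, so correlation across Logger, ESM and other consumers keeps working.
    (The small modulo bias of `byte % 26` is acceptable for an illustration.)
    """
    ks = _keystream(key, value, len(value))
    out = []
    for ch, k in zip(value, ks):
        for cls in CLASSES:
            if ch in cls:
                out.append(cls[k % len(cls)])
                break
        else:
            out.append(ch)  # separator or other symbol: keep as-is
    return "".join(out)


def deidentify_event(event: dict, key: bytes, sensitive_fields: tuple) -> dict:
    """De-identify only the listed fields of an event, as a connector would before forwarding."""
    masked = dict(event)
    for field in sensitive_fields:
        if isinstance(masked.get(field), str):
            masked[field] = deidentify_value(masked[field], key)
    return masked


def layout_preserved(original: str, masked: str) -> bool:
    """True when lengths match and every position kept its character class (or separator)."""
    if len(original) != len(masked):
        return False
    for a, b in zip(original, masked):
        cls_a = next((c for c in CLASSES if a in c), None)
        cls_b = next((c for c in CLASSES if b in c), None)
        if cls_a != cls_b or (cls_a is None and a != b):
            return False
    return True


# Constructed sample event and key (not data from the deck; a real key must come
# from a key manager, never from source code).
SAMPLE_KEY = b"example-key-replace-with-a-managed-secret"
SAMPLE_EVENT = {
    "timestamp": "2017-09-12T10:15:03Z",
    "deviceEventClassId": "auth:success",
    "sourceUserName": "john.doe@arcsight.com",
    "destinationUserName": "J.Smith42",
}
SENSITIVE_FIELDS = ("sourceUserName", "destinationUserName")

if __name__ == "__main__":
    masked = deidentify_event(SAMPLE_EVENT, SAMPLE_KEY, SENSITIVE_FIELDS)
    for name in SAMPLE_EVENT:
        print(f"{name:20} {SAMPLE_EVENT[name]:25} -> {masked[name]}")
```

Because the keystream is derived from the whole value rather than per field, the same user name appearing in `sourceUserName` on one event and `destinationUserName` on another receives the same pseudonym, which is what keeps correlation rules and lookup-list joins meaningful after de-identification.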

SLIDE 32

ArcSight ESM

Comprehensive Detection

SLIDE 33

ArcSight ESM in a Nutshell

Enrichment

  • Asset Model
  • Network Model
  • Vulnerability

Rules Engine

  • Real-time rules
  • Data Monitors
  • Prioritization

Active Channel

  • Rich news feeds
  • Drill down
  • Visuals

Context

  • Enrichment
  • Baselines/ trends
  • Lists
  • Search

3rd party action

  • Integration

Commands

  • Action

Connectors

  • Partners

Case Management

  • Annotations
  • Stages and impact
  • Integration

Diagram axes: Detection | Investigation

SLIDE 34

250 Ready Made, Tested and Documented Use Cases

Activate use case configurator

SLIDE 35

Value for Everyone

  • Actionable Output
  • Structured event handling
  • Community
  • Components & Solutions
  • Methodology
  • Increase TTV via Marketplace content
  • SOC Workflow Efficiency
  • Content Maintainability
  • Reduced Training Cost
  • Detailed data source configuration information
  • Categorization + Product Packages
  • Openness

Roles: Engineer, SOC Manager, Analyst, Content Author

SLIDE 36

4x more with same headcount

ESM & Activate adoption increased SOC efficiency 4x

SLIDE 37

Activate Content Layers

SLIDE 38

ArcSight ESM with Fresh & Relevant Content

Activate example: WannaCry dashboard released in a few hours

Market-leading Real-time Correlation; Threat Lifecycle; Tailored use cases; Central integration point for the SOC process; Integrated SOC platform

SLIDE 39

Secure the New

  • ArcSight: Security Operations
  • Voltage: Data Security
  • NetIQ: Identity
  • Fortify: App Security

SLIDE 40

ArcSight Enterprise Security Manager (ESM) Summary

Enriched Data; Powerful Correlation; Quick Detection; Multi-tenancy

SLIDE 41

Threat Intelligence

SLIDE 42

Threat Intel context is the king!

  • Who is behind this?
  • Where is it coming from?
  • How bad is it?
  • Do we know them?
  • Is it related to ..?

SLIDE 43

But what Threat Intel?

SLIDE 44

ArcSight Threat Intelligence Program

  • Reputation Security Monitor: curated list of malicious IPs and domains
  • Activate Threat Intelligence: open TI program for Activate use case

SLIDE 45

Activate TI Data Fusion Model

Stages: Ingest → Populate → Context → Track

SLIDE 46

Threat Intel Activity Dashboard

SLIDE 47

ArcSight Investigate

SLIDE 48

What Do We Need to Address These Challenges?

Intelligent Threat Investigation Solution Act faster Work smarter Reach further

SLIDE 49

ArcSight Investigate

  • Analytics-optimized and robust engine
  • Guided natural language search box
  • Modern and intuitive data manipulations
  • Powerful built-in analytics modules

SLIDE 50

Reach Further

  • Confidently hunt across all of your data
  • Seamless view across Investigate and Hadoop
  • Optimize storage: short term in Investigate, long term in Hadoop

Architecture diagram (labels recovered from the slide): Connectors → Event Broker (data flow) → Investigate application on Vertica (store data, search & analyze) and Hadoop / HDFS data lake

HPE CONFIDENTIAL

SLIDE 51

ArcSight Investigate Benefits

Act Faster to Identify and Respond to Threats

  • Decrease the impact of security incidents
  • Minimize downtime by uncovering hidden threats

Work Smarter with an Intuitive Solution

  • Be productive from “Day 1”
  • Reduce response time to advanced attacks

Reach Further by Leveraging Data Lakes

  • Reduce risk by expanding the scope of investigation
  • Lower TCO by optimizing data management cost

SLIDE 52

Built-in Security Analytics

Capability:

  • Ready made security-centric visuals out of the box
  • Graphs include field assignments without input from analyst
  • Retool visualizations to your needs
  • Categories available: Authentication Activity, Source Activity, Destination Activity & others

Benefit: Increase analyst efficiency and ease of use with pre-defined visuals for specific use cases, removing guesswork from the security investigation process.

SLIDE 53

Lookup List (Joins) Feature

Capability:

  • Perform database table join
  • Query the Investigate database to determine if anyone in the environment established a connection with a host on the malicious IP address list

Benefit: Security practitioners can now run searches and add additional context information while importing a list for data enrichment purposes.

SLIDE 54

Find the User

Capability:

  • Instantly identify the users impacted by a security event

Benefit: The ability to search for and find the authenticated user for a particular event or incident helps analysts save time finding who was impacted and speeds up incident response.
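The two slides above describe one investigative pattern: join connection events against an imported malicious-IP list (slide 53), then, for each hit, resolve which authenticated user was on the connecting host at that time (slide 54). The following added example shows that pattern in plain Python on constructed data; it is not ArcSight Investigate code and does not use its query language. The CSV layout, the event field names (`src`, `dst`, `host`, `user`, `outcome`), the TEST-NET addresses and the 12-hour attribution window are assumptions made for the demonstration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data (not taken from the deck): a malicious IP lookup list in
# the CSV shape an analyst might import, plus connection and authentication events.
MALICIOUS_IP_CSV = """ip,threat_name,source
203.0.113.45,example-c2-family,constructed-feed
198.51.100.7,example-phishing-kit,constructed-feed
"""

CONNECTION_EVENTS = [
    {"time": "2017-09-12T10:15:03Z", "src": "192.0.2.10", "dst": "203.0.113.45", "dpt": 443, "bytes_out": 51200},
    {"time": "2017-09-12T10:16:40Z", "src": "192.0.2.11", "dst": "203.0.113.200", "dpt": 443, "bytes_out": 900},
    {"time": "2017-09-12T10:20:11Z", "src": "192.0.2.12", "dst": "198.51.100.7", "dpt": 80, "bytes_out": 2048},
]

AUTH_EVENTS = [
    {"time": "2017-09-12T08:02:00Z", "host": "192.0.2.10", "user": "alice", "outcome": "success"},
    {"time": "2017-09-12T10:10:00Z", "host": "192.0.2.10", "user": "svc-backup", "outcome": "failure"},
    {"time": "2017-09-12T09:45:00Z", "host": "192.0.2.11", "user": "bob", "outcome": "success"},
    {"time": "2017-09-11T07:00:00Z", "host": "192.0.2.12", "user": "carol", "outcome": "success"},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def load_lookup_list(csv_text: str, key_field: str = "ip") -> dict:
    """Parse the imported list into a dict keyed on the join column."""
    return {row[key_field]: row for row in csv.DictReader(io.StringIO(csv_text))}


def join_with_lookup(events: list, lookup: dict, event_field: str = "dst", key_field: str = "ip") -> list:
    """Inner join: keep events whose join column is on the list, enriched with the list's other columns."""
    hits = []
    for ev in events:
        row = lookup.get(ev.get(event_field))
        if row is not None:
            enriched = dict(ev)
            enriched.update({k: v for k, v in row.items() if k != key_field})
            hits.append(enriched)
    return hits


def find_user(host: str, event_time: str, auth_events: list, window: timedelta = timedelta(hours=12)):
    """Most recent successful authentication on `host` at or before the event, within `window`.

    Failed logons are ignored (they do not establish a session) and logons older
    than the window are not attributed, so the function returns None rather than
    guessing when no plausible session owner is on record.
    """
    when = _ts(event_time)
    best = None
    for a in auth_events:
        if a["host"] != host or a["outcome"] != "success":
            continue
        t = _ts(a["time"])
        if t <= when and when - t <= window and (best is None or t > best[0]):
            best = (t, a["user"])
    return best[1] if best else None


def investigate(events: list, auth_events: list, lookup: dict) -> list:
    """Join, then attribute each hit to a user: the slide-53 query followed by the slide-54 lookup."""
    results = []
    for hit in join_with_lookup(events, lookup):
        results.append({
            "time": hit["time"],
            "src": hit["src"],
            "dst": hit["dst"],
            "threat_name": hit["threat_name"],
            "user": find_user(hit["src"], hit["time"], auth_events),
        })
    return results


if __name__ == "__main__":
    for r in investigate(CONNECTION_EVENTS, AUTH_EVENTS, load_lookup_list(MALICIOUS_IP_CSV)):
        print(r)
```

The unattributed third hit is the useful output of the window check: an analyst sees that the host talked to a listed address but that no recent interactive logon explains it, which is a different follow-up (service account, unmanaged host, missing log source) than a hit with a named user.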

SLIDE 56

Investigate: Quick Security Insights (pre-defined viz)

Chart titles: Login by username; Login by User

SLIDE 57

Unresolved Malware – Infected Host Investigation

Pivoting from search results to enable intuitive investigations.

SLIDE 58

Time-chart Based Hunting – Detect the Outliers

DNS Domain Analysis over Time

SLIDE 59

Outlier Detection to Assist SOC Analyst
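Slides 58 and 59 describe the same hunt: chart DNS query volume per domain over time, then let a statistic rather than the analyst's eye pick out the bins that do not fit. The following added example implements that in Python on a constructed query log; it is not Investigate code and its log format, 5-minute bins, the "last two labels" domain grouping and the robust z-score with a counting-noise floor are all assumptions made for the demonstration (the example deliberately also handles the zero-deviation case that breaks a naive median/MAD score).

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed log format (constructed for this example, not an ArcSight format):
# "<ISO8601 UTC> dns query client=<ip> qname=<name>"
LINE_RE = re.compile(r"^(?P<ts>\S+) dns query client=(?P<client>\S+) qname=(?P<qname>\S+)$")


def parse_dns_line(line: str):
    """Parse one query line; return None for lines that do not match (they are skipped, not guessed)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "client": m["client"],
        "qname": m["qname"].rstrip(".").lower(),
    }


def registered_domain(qname: str) -> str:
    """Group by the last two labels (simplification: a real tool would consult the public suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def time_chart(events: list, bin_minutes: int = 5):
    """Per-domain query counts in fixed time bins; returns (chart, bin labels)."""
    if not events:
        return {}, []
    first = min(e["ts"] for e in events)
    start = first.replace(minute=first.minute - first.minute % bin_minutes, second=0, microsecond=0)
    width = timedelta(minutes=bin_minutes)
    nbins = int((max(e["ts"] for e in events) - start) / width) + 1
    chart = defaultdict(lambda: [0] * nbins)  # missing bins stay 0, so gaps are visible
    for e in events:
        chart[registered_domain(e["qname"])][int((e["ts"] - start) / width)] += 1
    labels = [(start + i * width).strftime("%H:%M") for i in range(nbins)]
    return dict(chart), labels


def robust_z(series: list) -> list:
    """Median/MAD z-scores, falling back to the mean absolute deviation when MAD is 0,
    with a floor of max(1, sqrt(median)) so ordinary counting noise is never an outlier."""
    med = median(series)
    devs = [abs(x - med) for x in series]
    mad = median(devs)
    scale = 1.4826 * mad if mad > 0 else 1.2533 * (sum(devs) / len(devs))
    scale = max(scale, 1.0, math.sqrt(max(med, 0)))
    return [(x - med) / scale for x in series]


def find_outliers(chart: dict, threshold: float = 3.0) -> list:
    """(domain, bin index, count, z) for every bin whose count is unusually high for that domain."""
    out = []
    for domain, series in sorted(chart.items()):
        for i, z in enumerate(robust_z(series)):
            if z > threshold:
                out.append((domain, i, series[i], round(z, 2)))
    return out


def constructed_dns_log() -> list:
    """Synthetic log: steady traffic to one domain and a single burst of queries to another."""
    start = datetime(2017, 9, 12, 10, 0, 0)
    steady = [3, 3, 4, 3, 3, 2, 3, 3]
    bursty = [1, 1, 1, 1, 1, 40, 1, 1]
    lines = []
    for b in range(8):
        t0 = start + timedelta(minutes=5 * b)
        for i in range(steady[b]):
            lines.append(f"{t0 + timedelta(seconds=7 * i):%Y-%m-%dT%H:%M:%SZ} dns query client=192.0.2.10 qname=www.example.com")
        for i in range(bursty[b]):
            lines.append(f"{t0 + timedelta(seconds=5 * i):%Y-%m-%dT%H:%M:%SZ} dns query client=192.0.2.10 qname=sync.update-cdn.example.net")
    return lines


if __name__ == "__main__":
    events = [e for e in map(parse_dns_line, constructed_dns_log()) if e]
    chart, labels = time_chart(events)
    print("bins:", labels)
    for domain, series in sorted(chart.items()):
        print(f"{domain:15} {series}")
    print("outliers:", find_outliers(chart))
```

The floor in `robust_z` is the part worth keeping when adapting this: with few bins and small counts the median absolute deviation is often exactly zero, and without a floor a domain that went from 3 to 4 queries would score as strongly as one that went from 1 to 40.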

SLIDE 60

User Behavior Analytics – Peer Comparison

SLIDE 61

Search to Detection in Seconds – Complete Visibility

SLIDE 62

Value Proposition & Key Benefits

  • Detected the C2 server (fansfootball.com)
  • Detected a compromised account (Luke)
  • Detected lateral movement
  • Detected an additional compromised host (10.100.1.8)
  • Found indication of data exfiltration (bytes out through SSH)
  • Established the attack timeline

SLIDE 63

Thank You.

#MicroFocusCyberSummit

SLIDE 64

#MicroFocusCyberSummit