ArcSight provides a centralized platform that can collect event data from multiple network endpoints, such as firewalls, intrusion detection platforms, VPN gateways, OS logs, etc. Data such as alarms and alerts are automatically gathered and correlated into a centralized repository, and reporting and notification tools allow for the analysis and management of that data.
The ArcSight Platform consists of multiple modules that are sold separately depending on the needs of the customer.
Closest to the endpoint logs themselves are the optional ArcSight Connectors, which provide the ability to extract log data from multiple sources (the vendor's current two-page list of supported sources includes identity management, switches, A/V, A/S, individual applications, IDS, IPS, content filtering, mail servers, operating systems, and many more) and normalize it into a common format for use with downstream tools. Connectors are served in software and appliance-based flavors, the latter offered in three formats (all 1U) supporting 400, 2,500, and 5,000 events per second, respectively.
ArcSight Logger is an appliance (four versions currently available) that collects information either directly from sources (in raw form) or in the normalized form provided by the Connectors, and stores up to 35 TB worth of data (SAN-based storage is also supported). ArcSight Logger provides forensic abilities, including reporting and alerting (through a personal portal, e-mail, or SNMP), and the ability to drill down from a report/alert into the source event itself. The latest Logger release ratchets performance up to 100,000 events per second (capture) and 3,000,000 events (search).
ArcSight ESM is the centerpiece of the vendor's offerings. It provides a centralized real-time correlation engine for collected events, attempting to gauge the overall relevance of an event by placing it in context with other system events and parameters, such as asset priorities, user activity, history, etc. Results are presented via dashboards, notifications, or reporting. An optional component, the ArcSight Threat Response Manager, provides admins with a "guided response engine" with workflow and knowledge-based assistance for the remediation of identified threats. ESM is also available as software or as an appliance, and can be deployed stand-alone or in combination with Logger/Connectors.
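To make the Connector-then-ESM pipeline described above concrete, here is an added illustration (not ArcSight code, and not the vendor's actual event schema or rule language): raw lines from two different sources are normalized into one constructed common schema, and a correlation step scores each source address, weighting activity against assets by a constructed asset-priority table so that the same events matter more when they touch a high-priority host.

```python
import re
from dataclasses import dataclass

# Constructed sample input: (source type, reporting host, raw log line).
RAW_EVENTS = [
    ("firewall", "fw1", "DENY TCP src=10.0.0.5 dst=10.0.1.20 dport=445"),
    ("firewall", "fw1", "DENY TCP src=10.0.0.5 dst=10.0.1.20 dport=3389"),
    ("os", "10.0.1.20", "sshd: Failed password for root from 10.0.0.5 port 5021"),
    ("firewall", "fw1", "DENY TCP src=10.0.0.9 dst=10.0.2.7 dport=80"),
]

# Constructed asset model: the correlation context ESM would draw on (1 = unlisted/low).
ASSET_PRIORITY = {"10.0.1.20": 8, "10.0.2.7": 2}

@dataclass(frozen=True)
class Event:
    """Constructed common schema, standing in for a connector's normalized output."""
    source: str
    action: str
    src_ip: str
    dst_ip: str

FW_RE = re.compile(r"(?P<action>DENY|ALLOW) \w+ src=(?P<src>\S+) dst=(?P<dst>\S+)")
OS_RE = re.compile(r"Failed password for \S+ from (?P<src>\S+)")

def normalize(source, host, line):
    """Connector-style step: parse one raw line into the common schema, or None if unparseable."""
    if source == "firewall":
        m = FW_RE.search(line)
        return Event("firewall", m["action"].lower(), m["src"], m["dst"]) if m else None
    if source == "os":
        m = OS_RE.search(line)
        # The OS log's target is the host that reported it.
        return Event("os", "auth_failure", m["src"], host) if m else None
    return None

def correlate(events, threshold=10):
    """ESM-style step: accumulate a per-source score weighted by target asset priority;
    return only sources whose score reaches the alert threshold."""
    scores = {}
    for e in events:
        weight = ASSET_PRIORITY.get(e.dst_ip, 1)
        scores[e.src_ip] = scores.get(e.src_ip, 0) + weight
    return {ip: s for ip, s in scores.items() if s >= threshold}

def run(raw=RAW_EVENTS):
    """Full pipeline over the sample input; drops lines no parser recognized."""
    normalized = [ev for ev in (normalize(*r) for r in raw) if ev is not None]
    return correlate(normalized)
```

Only 10.0.0.5 crosses the threshold (two denied connections to the priority-8 host plus a failed login on it), while the same kind of traffic from 10.0.0.9 against a low-priority asset never alerts.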
Individual Compliance Automation modules are deployed atop the ArcSight platform and provide pre-defined rules, alerts, and reports focused on a specific regulatory regime, such as PCI DSS, SOX, HIPAA, NIST 800-53, etc.
Other modules available from the vendor seek to enhance the product's ability to discover malicious activity in captured data, including ArcSight Pattern Discovery (which identifies malicious patterns and automatically creates alert rules for them) and Interactive Discovery (which provides a visual interface for the examination of event interactions).
Finally, ArcSight IdentityView seeks to combine the features of identity management products with those of event management products, producing data that correlates the two data sets for forensic purposes. IdentityView provides the ability to correlate multiple user identities to a single identity key, and includes connectors to retrieve data from "leading" identity and access management systems, including those from Oracle and Microsoft. The net goal is to provide a view of who is on the network and what they are doing, with reporting capabilities including activity-based role modeling, activity reporting (over any time period and across systems), watch list processing, and application usage tracking, to name a few possibilities.
ArcSight is available now. The new Loggers are base priced at $20,000.
Visit the vendor's Web site for further information.