What's New with ArcSight: Data science, MITRE, and more

by Micro Focus Employee in CyberRes

Security Operations (SecOps) plays a critical role in defending modern organizations (and their sensitive data) from today’s advanced cyber threats. As threats evolve, it has become increasingly difficult to implement effective SecOps. In a survey conducted by ESG a few months ago, 63% of respondents shared that they find security analytics/operations to be more difficult today than it was 2 years ago. And the industry’s ongoing Talent War only magnifies this issue by limiting the number of skilled professionals available to help Security Operations Centers (SOCs) manage their work.

SOCs need solutions that can support greater analyst efficiency while still being powerful enough, and smart enough, to effectively monitor, detect, and respond to advanced threats in real time. With these needs in mind, the ArcSight team recently announced our ArcSight December 2019 release, which incorporates the MITRE ATT&CK Framework into ArcSight and advances the simplicity and intelligence of our solutions, through ESM 7.2, Logger 7.0, Investigate 3.0, ArcMC 2.93, and Transformation Hub 3.1. We are also expecting to release SmartConnectors 7.14 on December 20th.

ArcSight December 2019

The latest ArcSight release spans all our products and many new capabilities, but three new things that I’d like to highlight are the incorporation of MITRE ATT&CK, the introduction of machine-learning data science packages to Logger, and the overall boost to performance and customer experience with our ArcSight solutions.

A Mightier ArcSight with MITRE ATT&CK

One issue SOC teams face today is having a clear understanding of the core cyber threat tactics they face and of their own organization’s risk and exposure to those tactics. This is a problem the MITRE ATT&CK Framework helps solve. It clearly maps out and defines known cyber tactics and techniques to help organizations understand and visualize what they are up against.

ArcSight’s latest releases incorporate the MITRE ATT&CK Framework into ArcSight ESM, Logger, and more, through MITRE ATT&CK dashboards that map security events to the malicious techniques outlined in the Framework. These dashboards provide a real-time view of all MITRE-related events happening in your environment and the top threat techniques facing your SOC, to support a more focused analysis and response. You’ll be able to gain a clear, bird’s-eye view of your overall threat exposure and security coverage, which will help to reduce your overall business risk.

To further support MITRE, Micro Focus has launched a new webpage (mitre.microfocus.com) that maps the capabilities of Security Operations solutions to MITRE’s list of techniques. You can also learn more about MITRE ATT&CK and ArcSight by reading our blog post, Leveraging MITRE ATT&CK for Security Operations and viewing our recent video, Next-Gen SOC | Episode 4: SecOps and the MITRE ATT&CK Framework.


Machine-Learning in ArcSight Logger

In the earlier mentioned ESG report, 91% of respondents noted that they were interested in leveraging, or already leveraging, machine learning technologies for security analytics and operations. Micro Focus is committed to delivering that technology, and not just through our Interset UEBA product.

With this latest ArcSight release, we’ve introduced machine-learning data science packages into ArcSight Logger. Users can access pre-built content, developed by our own security experts, or they can create their own content with Python data science packages. This content enables more intelligent security operations with more accurate threat detection, giving your analysts more focused investigations.

Our best-performing solutions ever

This release sees a number of improvements to overall performance and customer experience to deliver the fastest and best-performing ArcSight solutions we’ve ever offered. For one, we’ve taken the industry’s most powerful correlation engine, and we’ve made it even better.

ArcSight ESM 7.2 comes with numerous improvements to performance and stability, a new Global Event ID feature to facilitate easier investigations and cross-portfolio analysis, stronger integrations with ServiceNow for more controlled workflow processing, new out-of-the-box content to address basic use cases right off the bat for a faster time to value, and much more.

ArcSight Logger’s event storage has increased up to 24TB for each Logger instance in Logger 7.0, and its powerful reporting engine has also received a number of upgrades (demos can be viewed here). Investigate’s Vertica database can now be added as a data source in Logger Reporting, giving customers the ability to easily create reports using Investigate data.

ArcSight Investigate 3.0 includes some massive improvements to its search and ingestion performance; search results are now returned in near real-time. Container deployments (CDF) enable rolling upgrades to your entire Investigate setup to save your analysts hours, even days, of time on upgrades.

Finally, more data enables better analytics, and the upcoming SmartConnectors 7.14 release will include more Connectors to enable more comprehensive data ingestion and threat visibility (including Connectors for McAfee Network Security Manager DB, Microsoft Anti-malware, Microsoft Sysmon, and more).


The ArcSight December 2019 release will enable more intelligent security operations, more accurate threat detection, and greater analyst efficiency. We’re very excited to announce these improvements to our analytics, threat detection, and overall performance; they lay a foundation for much more to come from ArcSight in 2020! We’ve only hit on a few of the main points here, but if you’d like to learn more about the release, then we invite you to check out our recent community post about the ArcSight release.
