Why ArcSight Remains the Cornerstone of Security Operations


Five reasons top organizations have used ArcSight for nearly two decades and don’t plan to stop 

Guest post by Mary Writz Director of Product Management, ArcSight 

In today’s digital environment, we are at an inflection point both for IT and security. Organizations are embracing new technologies across mobile, IoT, cloud and containers, while still maintaining many of their back-end legacy systems, applications and on-premise infrastructure. These hybrid IT environments are often very complex, and in the case of security, bringing new avenues for adversaries to exploit. As the landscape continues to evolve, so too must our security solutions to keep pace with these attackers. Security operations teams will require an industrial strength approach in their tools to provide the context and visibility to do security correctly.

That’s why we are continuing to evolve and innovate ArcSight to specifically address the needs of our customers, which include the public sector and the largest banks, retailers, and more around the world. We believe customers require integrated, open and powerful solutions to tackle the increasing sophistication of attackers. Following the merger with Micro Focus, ArcSight is now the foundation of one of the largest security portfolios in the space, and we have already begun work on integrating ArcSight with heritage Micro Focus security solutions to provide additional capabilities and address new use cases. Here are five reasons why ArcSight continues to be mission critical and relevant in the most advanced cyber defense centers in the world.

1. Clean Data

Normalized, structured data matters greatly for analytics and breach detection.

Finding and stopping the bad guys in today’s environment is a bit like solving a giant puzzle. You have all of these different pieces of data and logs, and need to see how they all fit together to paint the broader picture. The only way to truly get value out of your disparate logs is to enrich, normalize, and structure them. If you want to use Nth-degree clustering to hunt for anomalous behavior across disparate log sources, you must have structured data. If you need to write a rule to correlate events in the stream to detect known threats as early as possible, you need clean data in that stream.

ArcSight has the leading data platform (ADP), with a decade of investment in connector and parser intellectual property spanning hundreds of disparate sources to support breach detection. The solution normalizes, structures, and enriches security logs immediately upon ingest, taking into account security context (network, asset, time). Doing so at ingest is critical for getting the appropriate real-time context, because IP addresses can be ephemeral: the same address may belong to a different host by the time an analyst searches for it. The ArcSight Data Platform produces the standardized Common Event Format (CEF), which is very useful downstream when assembling the puzzle pieces of different data sets to look for multi-pronged attacks.
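To make the normalize-and-enrich-at-ingest idea concrete, here is an added example (not ArcSight or Micro Focus code) that parses a CEF line into a structured record and attaches network-zone and asset context immediately. The CEF header and extension escaping rules follow the public CEF specification; the field-name mapping, the internal network ranges, the asset inventory and the sample line are all constructed for illustration.

```python
"""Parse a CEF line and enrich it at ingest time (added example, not ArcSight code).

CEF layout per the public spec:
  CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Header fields escape '|' as '\\|' and '\\' as '\\\\'; the extension is space-separated
key=value pairs where '=' is escaped as '\\=' and '\\' as '\\\\'.
"""
import ipaddress
import re

HEADER_KEYS = ("cef_version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")

# Standard CEF extension keys (public spec) mapped to the normalized names used here.
EXT_KEYS = {"src": "source_ip", "dst": "dest_ip", "spt": "source_port",
            "dpt": "dest_port", "suser": "source_user", "duser": "dest_user",
            "act": "action", "msg": "message", "rt": "receipt_time"}

# Constructed context standing in for the network/asset model a SIEM enriches from.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ASSETS = {"198.51.100.7": {"asset": "pay-api-01", "criticality": "high"}}

_HDR_ESC = {"|": "|", "\\": "\\"}
_EXT_ESC = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # start of a key=value pair


def _unescape(text, table):
    """Replace backslash escapes listed in `table`; leave other backslashes alone."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in table:
            out.append(table[text[i + 1]]); i += 2
        else:
            out.append(text[i]); i += 1
    return "".join(out)


def _split_header(line):
    """Split the 7 pipe-delimited header fields; an escaped '\\|' does not split."""
    fields, start, i = [], 0, 0
    while i < len(line) and len(fields) < 7:
        if line[i] == "\\":
            i += 2                      # skip the escaped character
            continue
        if line[i] == "|":
            fields.append(line[start:i]); start = i + 1
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return [_unescape(f, _HDR_ESC) for f in fields], line[start:]


def _parse_extension(ext):
    """Values run from their '=' up to the next 'key=' token, so they may contain spaces."""
    matches = list(_KEY_RE.finditer(ext))
    result = {}
    for m, nxt in zip(matches, matches[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip(), _EXT_ESC)
    return result


def parse_cef(line):
    """Return a flat dict with normalized field names and typed severity/ports."""
    fields, ext = _split_header(line.rstrip("\r\n"))
    if not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields[0] = fields[0][len("CEF:"):]
    event = dict(zip(HEADER_KEYS, fields))
    if event["severity"].isdigit():
        event["severity"] = int(event["severity"])
    for key, value in _parse_extension(ext).items():
        event[EXT_KEYS.get(key, key)] = value
    for port in ("source_port", "dest_port"):
        if isinstance(event.get(port), str) and event[port].isdigit():
            event[port] = int(event[port])
    return event


def enrich(event):
    """Attach zone and asset context now, while the IP-to-host mapping is still current."""
    for side in ("source_ip", "dest_ip"):
        ip = event.get(side)
        if not ip:
            continue
        try:
            addr = ipaddress.ip_address(ip)
            event[side + "_zone"] = ("internal" if any(addr in n for n in INTERNAL_NETS)
                                     else "external")
        except ValueError:
            event[side + "_zone"] = "unknown"
        if ip in ASSETS:
            event[side + "_asset"] = ASSETS[ip]["asset"]
            event[side + "_criticality"] = ASSETS[ip]["criticality"]
    return event


# Constructed sample line: escaped '|' in the vendor name and escaped '=' in the message.
SAMPLE = (r"CEF:0|Example\|Vendor|ExampleFW|2.1|1001|Connection denied|7|"
          r"src=10.1.2.3 dst=198.51.100.7 spt=51234 dpt=443 act=deny msg=rule\=egress-deny hit")

if __name__ == "__main__":
    for k, v in enrich(parse_cef(SAMPLE)).items():
        print(f"{k:>20}: {v!r}")
```

The parser keeps unknown extension keys under their original names, so nothing from the source is lost; downstream rules then work against the normalized names (`dest_ip`, `dest_criticality`) regardless of which connector produced the line.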

2. Search is NOT Real-time Correlation

When you need to protect mission critical environments, real-time correlation is non-negotiable.

Seasoned cyber professionals know that there is a huge difference between search and real-time correlation. Less mature cyber ops teams may be able to get away with coding up various searches to look for different behaviors in “near” real-time, but there are significant differences that can’t be overlooked. Let’s say you want to search for a specific kind of suspicious activity: any system in an unusual geography logging into a critical asset, followed by a DLP (data loss prevention) trigger within a 5-minute period. Coding up a “near” real-time search will look for this activity in 5-minute chunks, which means that every 5 minutes a script runs to look for that specific combination of activity. But what if the login happened in the last minute of one 5-minute chunk and the unusual DLP activity happened in the first minute of the next 5-minute chunk? The search script would miss it, because the activity was spread across two chunks of time. Real-time correlation, on the other hand, holds information in memory and constantly looks for the activity in any possible 5-minute window. There are other differences, but this one small example shows why real-time correlation is non-negotiable when you are protecting mission critical environments: you cannot afford the gaps in coverage that “near” real-time searches introduce.

ArcSight brings a world class real-time correlation product, ArcSight Enterprise Security Manager (ESM), that dramatically reduces the time to intuitively detect, identify, react to, and triage cyber-security threats at scale. You can rely on ESM to monitor thousands of security threats and variables accurately so you can mitigate attacks before critical systems are impacted.

3. Open Architecture – Evolving for Big Data in Security Operations

The old proprietary SIEMs locking up cyber security data are in the past; the future is an open and flexible architecture. 

It’s no secret that attackers are more sophisticated and faster than ever before. Organizations need their security operations solutions to provide greater visibility and shorten time-to-detection by applying multiple detection techniques to the data. A well-planned solution will leverage the same data collection infrastructure, which then creates a single reference point for all threats identified. However, I get frustrated when I see industry analysts and competitors assume that consolidating breach detection on a single, closed technology and a single data lake can adequately solve breach detection issues. The dirty truth is that, for large organizations in particular, a single lake and a single analytics tool is impractical. Different data stores are capable of different analytic capabilities. If you want graph-based analytics, you need a graph-based data store. If you need an immutable data lake for compliance, then you have different considerations and potentially a different destination for your data. The same goes as you consider the different detection engines you need for discovering breaches: one single data store will not be feasible if you want to keep all analytic options open. As much as we want a “single perfect data lake and detection analytics tool”, neither will exist anytime soon.

We at ArcSight make our design decisions based on what our customers need, and we know our customers have to deal with a “chain” of data lakes in cyber security; our job is to support that ecosystem. That’s why we’ve undertaken a huge transformation over the past several years, deconstructing the ArcSight portfolio so that our rich, clean data can be sent anywhere and provide visibility across the organization. ArcSight pushes structured data into a Kafka-based message bus and gives our customers full control of where it goes. At ArcSight, we are adamantly against the idea of a proprietary SIEM locking up cyber security data; we favor an open and flexible architecture.

4. Advanced Analytics – looking for knowns and unknowns

Integration and continued learning are the keys to building a strong, sustainable security posture.

As big data becomes more affordable, there is now an opportunity to move beyond only searching for known threats, and to apply big data analytics to security to look for unknown threats. The more an organization knows about its risk environment, the better positioned it will be to detect and respond. ArcSight introduced a complementary suite of detection engines and hunting capabilities over the last few years, supporting a variety of big data analytics use cases such as baselines, trends and user behaviors. In 2017 we released a completely new capability for hunt and exploration, ArcSight Investigate, that has a simple-to-use UI and a fully unlocked back end to use the power of Vertica on your cyber data. With this, ArcSight now has the ability to easily hunt for unknowns, using one of the world’s fastest data stores. Detecting knowns and detecting unknowns are two sides of the same coin and are very complementary. As cyber hunters look for unknown attacks, they need to be able to automate future similar hunts, and they need access to a system that can pivot quickly to real-time correlation. ArcSight supports mature security operations by focusing on methods to integrate one detection technique with another, thus building a learning organization.

5. Scalable, modern, and secure

ArcSight serves a wide range of enterprise sizes, and we take into consideration scalability, IT management, and security. We have embraced containers to help with the demanding needs of rapid patching and maintenance. All our products are hardened and meet FIPS compliance standards and Common Criteria. ArcSight products are also truly scalable; for example, they handle 1M EPS data ingest. When we design product releases, we consider all aspects of a solution, from how to ingest data, to breach detection, to system hardening, to UI experience.

We believe today’s security landscape needs broader coverage and better integrations that protect customers’ sensitive data, applications, endpoints, and identities, and ArcSight is at the foundation of it all: collecting, normalizing and enriching all the data and logs to provide analytics and insight in the SOC. With the integration of Micro Focus’s comprehensive portfolio of leading data security, application security, and identity and access management solutions, we are providing the breadth and depth to support GDPR compliance, bring app security logs into SecOps, and enhance identity and access governance. This is just the beginning, and we’re excited to continue delivering customer-centric innovation now and in the future.
