IBM Xforce or HP Threat central?
Re: IBM Xforce or HP Threat central?
I am trying to find a link to download ArcMC software. Is there any link available?
To know more about ArcSight architecture, and to propose or evaluate an existing architecture, any suggestion of materials please?
Looking forward to your response. Thank you for your help; your enthusiasm in helping us is very inspiring.
Re: IBM Xforce or HP Threat central?
Just to answer your question directly though - a few things to consider:
1) Threat intelligence is an indicator, it's not the proof - build a strategy based on identifying what the indicators are for an attack, but do not rely on threat intelligence as just the sole provider of this. It's an indicator at best, a false alert at worst. Be considerate, careful and understand what your use cases are before you jump for a particular threat intelligence vendor.
2) There are other threat feeds available - following on from the situation points above, think about what vendor best fits your requirement. For example, if you have a major malware issue, maybe a malware focused threat intel list is better? Or maybe you have a locked down environment (users are actually banned from accessing suspicious sites totally), this will steer your selection and where to look. There are also consolidation and aggregation providers too - so take a look at them too! More doesn't always mean better either, look for quality, consistency and predictability over time. Threat intel is like AV vendors from a few years ago - some will claim 2 million entries, others will claim 20 million, largely it's duplicated data and meaningless anyway. Quality is key.
3) Think about threat intelligence sharing - are there other companies, similar or competing companies or even an industry body that provides threat intel? Finance sectors have this, governments provide it and even larger ISPs will provide region specific data too. While I am not claiming it's better, it might be a bit more focused and targeted.
4) Collaboration is key - threat intel on its own is pretty meaningless. Look for a service where there is a platform to use to follow up, score, discuss and partner with others. RepSM is just the data feed from ArcSight, but Threat Central is the data and the community - take a look at this: Cyber Threat Intelligence Analysis and Sharing Services | Hewlett Packard Enterprise. IBM also has a community too, but look at what fits best.
5) Frequency of updates - this follows on from the volume point above, but how frequently is the data refreshed, updated and checked? AWS is frequently used (or at least was) for launching attacks and as a result, many threat intelligence providers let their automated systems list Amazon.com as a bad site. While there are bad sites on there, it's not the whole service! This needs manual investigation as well as frequent updates. Many providers that are cheap don't update regularly and don't share the updates either. So check frequency, consistency and what is checked manually.
6) Content - getting the data in is one question, making it do something is another. RepSM (and Threat Central) does come with content that you can make use of out of the box. Other threat intel providers also provide content too (such as Anomali for an example) and some of it is actually really advanced. IBM is a competitor and hence they don't provide content. So it's worth looking into and seeing what you can do. Because there is no content in ESM to drive it doesn't mean it's bad though - just means you need to factor in how to use it. And as always, consider Activate as a platform for making use of the indicators involved.
My choice, and would always be, ArcSight RepSM as a minimum, but look at Threat Central for a more complete platform. But also look at others and see if a premium service works for you.
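As an added illustration of points 2, 5 and 6 above (feeds that largely duplicate each other, update frequency, and the Amazon.com style entry that needs manual review before it drives anything), the following Python is example code written for this thread, not code from ArcSight, HPE, IBM or any feed vendor. The feed contents, the shared-infrastructure list and the 30-day freshness window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is reproducible offline.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=30)  # assumed freshness window; tune per feed SLA
# Constructed sample feeds (not real indicators): indicator -> last time the provider confirmed it.
FEEDS = {
    "vendor_a": {
        "bad1.example": NOW - timedelta(days=1),
        "bad2.example": NOW - timedelta(days=2),
        "amazon.com": NOW - timedelta(days=1),    # automated listing of shared infra
        "old.example": NOW - timedelta(days=60),  # never refreshed by the provider
    },
    "vendor_b": {
        "bad1.example": NOW - timedelta(days=3),
        "bad2.example": NOW - timedelta(days=5),
        "bad3.example": NOW - timedelta(days=1),
    },
    "community": {
        "bad1.example": NOW - timedelta(days=1),
        "bad4.example": NOW - timedelta(days=1),
    },
}

# Assumed list of widely shared infrastructure: a bare match here proves nothing on its own.
SHARED_INFRA = {"amazon.com", "amazonaws.com", "cloudfront.net"}


def feed_stats(feeds, now=NOW, max_age=MAX_AGE):
    """Per-feed quality signals: size, unique contribution, staleness, entries needing review."""
    stats = {}
    for name, entries in feeds.items():
        others = set().union(*(set(e) for n, e in feeds.items() if n != name))
        stats[name] = {
            "total": len(entries),
            "unique": len(set(entries) - others),
            "stale": sum(1 for ts in entries.values() if now - ts > max_age),
            "needs_review": sorted(i for i in entries if i in SHARED_INFRA),
        }
    return stats


def merged_indicators(feeds, now=NOW, max_age=MAX_AGE):
    """Deduplicated union of fresh indicators -> number of feeds that corroborate each."""
    counts = {}
    for entries in feeds.values():
        for ind, ts in entries.items():
            if now - ts > max_age or ind in SHARED_INFRA:
                continue  # stale, or shared infra held back for manual review
            counts[ind] = counts.get(ind, 0) + 1
    return counts
```

The corroboration count is what you would feed into ESM content or Activate as a priority signal: an indicator seen by three feeds is still only an indicator, but it deserves a different response than one seen by a single cheap feed that never refreshes.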