Having problems with your account or logging in?
A lot of changes are happening in the community right now. Some may affect you. READ MORE HERE

Find out what’s cooking in the ArcSight Kitchen at RSA

Security_Guest Frequent Contributor.
Frequent Contributor.
1 0 2,725

Guest post by Chas Clawson – Senior ArcSight Engineer at MicroFocus Government Solutions

Many of our customers have been wondering what would come from folding ArcSight into Micro Focus, to become the 7th largest pure play software company in the world. Would it be the end of a great SIEM legacy, or the beginning of a renewed effort to make it the best of breed? Peeling back the curtain, some might assume that with so many mergers, portfolio changes and changing of personnel that the ArcSight kitchen would be akin to the Swedish Chef with food & popcorn flying around a chaotic kitchen.  A better visual might be that of an Iron Chef competition with masters feverishly working on their product with speed and renewed vigor. And the fruit of their labors are starting to show!  Let’s take a look at some of what’s new in the world of ArcSight.

Distributed Correlation

distributed_cluster_view.pngPerhaps the biggest addition to the core product in the ArcSight suite, ESM, is distributed correlation.  Customers have been scaling up their SIEM instances in creative ways to account for higher event ingestion rates and more complex correlation content and rules sets. Starting with ESM 7.0, all of the components under the hood have been decoupled and modularized in order to bring the latest clustering and distribution technology to the world of SIEM. This makes ESM the first major SEIM to support distributed correlation for the enterprise. Need more horsepower? Stand up another correlator or aggregator node without having to make any changes to your SOC triage rules, active lists and the rest. ESM 7.0 spreads correlation loads across nodes, even of disparate hardware profiles, supporting up to 100,000 events per second! I could stop there, and that would be enough ArcSight goodness to feast on… but there’s more. For a deeper explanation see The Evolution of SIEM: Why Distributed Correlation is so Critical.

New UI Options in ESM and ArcSight Command Center

Adding to the popular light and dark console themes, ESM 7.0 brings with it more user interface and visual improvements. Check out the new charts in console, and within the ArcSight Command Center Web interface we’re introducing two new dashboards. The Global SOC Dashboard shows events of interest on a map overlay and the SOC Manager dashboard provides an easy view of open cases and metrics. Speaking of metrics, ESM now includes new audit events for tracking SLAs, case changes & rule modifications!global_soc_view.png

Event Broker event collection

Many organizations continue to struggle with the volume and velocity of events generated by their internal security tools. As part of the ArcSight Data Platform (ADP), Micro Focus has adopted the leading edge, open message bus technology based on Apache Kafka. ArcSight connectors normalize, aggregate and enrich event data across nearly 400 device products, with new tools for creating custom regex connectors as well. We’ve been doing this for years and are arguably the best in the business in that regard.  Now the connectors can push these normalized events in a common event format (CEF) onto the Event Broker (EB) bus where ArcSight ESM participates as both a consumer and topic subscriber.  As a part of the stronger together & open-ness push, we now encourage our customers to leverage this enriched data feed by forking the event streams off to other big data and analytic tools they may already own.  For example existing Hadoop, Elastic and Splunk customers can maximize the ROI in these tools by delivering instantly actionable structured data and the ability to send  only relevant security data to these consuming applications by means of EB routing and subscribing topics.

Activate Framework & the Content Brain

ESMs best practice content framework, Activate, continues to gain traction by allowing customers to build and share correlation rule sets and logic in their SIEM.  In addition to being a best practice framework and methodology, Activate solutions now include more than 250 use cases and packages, and the list of support vendor products included with Activate continues to grow. For example as part of our Cyber Threat Intelligence (CTI) solution, Activate Threat Intelligence package now includes support for the common threat sharing standard Structured Threat Information Expression (STIX).Any CTI that supports STIX or Collective Intelligence Framework (CIF) (almost all of them) can now get their indicators into ESM for real time correlation.

Knowing what use cases (rule sets & content) apply to your environment can be a challenge.  Not every rule fits the requirements for every customer, and we’re rolling out new Activate content all the time.  In order to help bring all our content into one place, and allow customer to track what is deployed and in testing, we have a revamped cloud hosted tool called The Content Brain.  content_brain.JPG

 Intuitive investigation with Arcsight Investigate 

Arcsight Investigate builds security analytics into the SOC to help enterprises hunt and de­feat unknown threats.  You can now speed-up incidence response by finding users impacted by a security event, gain valuable insights on host activity with the Host Profiler dashboard and create search queries easily with guided suggestions on an intuitive search interface. ArcSight Investigate enables you to empower your Level 1 analysts to participate in the hunt process, while supporting advanced capabilities for level-4 hunters. 

See us at the RSA Conference in April 

Want to know more? The ArcSight SecOps team will be at the RSA Conference in San Francisco on April 16-20. The RSA conference is probably one of the biggest security conferences out there and we continue to sponsor it, first as HP, the HPE and now as Micro Focus. Stop by the Micro Focus Security Booth #3417 North Expo to learn more about our intelligent security operations and get a free demo. 

While there, be sure to see our session, "Demystifying Big Data, Analytics and Machine Learning in Cyber Security," on April 19th. You'll get practical considerations when trying to use big data, analytics, and machine learning to solve security problems. Speaker Mary Writz and her team pioneered early work in this space and this session will take you through lessons learned (including missteps) in building data lakes and show examples of machine learning and analytics techniques that are effective. 

The Micro Focus Security team is offering a free pass into the RSA exhibit hall.  Use promotional code X8SMCRFCS when you register for an expo pass.  Hope to see you there! 

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.