Arcsight Complete Overview
It is intended for HP and Channel Partner Internal Use only. If you are not an intended recipient as identified on the front cover of this document, you are strictly prohibited from reviewing, redistributing, disseminating, or in any other way using or relying on the contents of this document.
Selling HP ArcSight Information
Security Solutions
Self-Enablement Guide
Version 1.0
Selling HP ArcSight Information Security Solutions Self-Enablement Guide
Introduction ........................................................................................................................... 4
HP ESP Overview ..................................................................................................................... 5
Key security trends ..................................................................................................................... 5
The rise of the cyber threat ............................................................................................... 5
Disruptive technology trends ............................................................................................ 5
The ESP Value Proposition ......................................................................................................... 6
Security Intelligence and Risk Management platform ...................................................... 6
The holistic approach ......................................................................................................... 6
Enterprise security priorities ............................................................................................. 7
The HP Enterprise Security vision ...................................................................................... 7
The security areas in which ESP is active ................................................................................... 8
The HP ArcSight Solution ................................................................................................... 8
HP Fortify Software Security Center .................................................................................. 8
HP TippingPoint Network Defense System ....................................................................... 9
Security and Threat Research .................................................................................................... 9
Leading Security Research ................................................................................................. 9
Business Drivers / HP ArcSight Value proposition ..................................................................... 10
Technology and business Background ..................................................................................... 10
The challenge customers face.................................................................................................. 10
The challenge: No point of control ........................................................................................... 10
HP ArcSight Value Proposition ................................................................................................. 10
Elevator Pitch for HP ArcSight ......................................................................................... 10
Where HP ArcSight will add value .................................................................................... 11
The new way to reduce risk ............................................................................................. 11
Three things HP ArcSight does better than anyone else ......................................................... 11
Collect .............................................................................................................................. 12
Consolidation ................................................................................................................... 12
Correlation ....................................................................................................................... 12
Collaboration ............................................................................................................................ 13
HP ArcSight Business Drivers ................................................................................................... 13
IT Operations Drivers ....................................................................................................... 14
Compliance Drivers .......................................................................................................... 14
Security Drivers ................................................................................................................ 15
Describe the Solution ............................................................................................................. 16
HP ArcSight Logger ................................................................................................................... 16
HP ArcSight Logger Elevator Pitch ................................................................................... 16
Universal Data Collection ................................................................................................. 16
Intelligent Analysis Engine .............................................................................................. 16
Performance without Compromise ................................................................................. 17
HP ArcSight Express ................................................................................................................. 18
Universal Data Collection ................................................................................................. 19
Connectors: Quantity and Quality Collection ................................................................... 19
Intelligent Threat and Risk Detection .............................................................................. 20
Meaningful Response ....................................................................................................... 20
ESM ........................................................................................................................................... 22
ESM Anatomy ................................................................................................................... 22
Smart Connectors ............................................................................................................ 23
Connector Appliance ........................................................................................................ 23
ESM Manager .................................................................................................................... 24
ESM Database .................................................................................................................. 24
EnterpriseView ......................................................................................................................... 25
EnterpriseView Elevator Pitch ......................................................................................... 25
Qualify the Solution ............................................................................................................... 26
Qualification questions & pain points ...................................................................................... 26
Universal Pain Points ....................................................................................................... 26
Questions leading to HP ArcSight Logger ........................................................................ 26
Questions leading to ESM/HP ArcSight Express .............................................................. 27
HP footprint: cross-HP Software Sales plays ........................................................................... 28
HP ArcSight Logger to BSM .............................................................................................. 28
HP ArcSight Logger to BSM qualifying questions ..................................................................... 29
Competitive Landscape .......................................................................................................... 30
Competitive analysis ................................................................................................................ 30
Gartner Magic Quadrant for SIEM (May 2012) ................................................................. 30
Top Competitors, their strengths and their attack angles .............................................. 31
Competitors Log Management ........................................................................................ 31
Competitors SIEM ............................................................................................................. 32
Competitors Suite ............................................................................................................ 33
Handling common objections ................................................................................................... 34
Common Objections or FUD (Fear, Uncertainty, and Doubt) ........................................... 34
Demonstrate unique business value and build a proposal ......................................................... 35
Main case studies ...................................................................................................................... 35
Foxconn / Hon Hai ............................................................................................................ 35
Customer references ................................................................................................................ 36
Proof points .............................................................................................................................. 36
Proof Points ..................................................................................................................... 36
Business justification ................................................................................................................ 37
IdentityView ..................................................................................................................... 37
Compliance Insight Packages (CIP) .................................................................................. 38
Unique differentiators for Logger ............................................................................................ 39
Key Performance Indicators (KPIs) .................................................................................. 40
Pricing/licensing model ............................................................................................................ 43
Breaking down the project ............................................................................................... 43
Top-down approach ......................................................................................................... 43
Pricing & Licenses ............................................................................................................ 44
Evaluation/Demo Version ................................................................................................ 45
Additional resources ................................................................................................................. 46
Introduction
This Self-Enablement Guide is designed to help you prepare for meeting with customers and selling
HP ArcSight. This guide will help you understand HP ArcSight and deliver the right messages. This
guide will also prepare you for successfully completing the HP certification. After completing this
guide, you will be able to:
Recognize key security trends and the security areas ESP is active in
Explain the ESP Solution/Value Proposition
Understand the challenge customers face
Identify HP ArcSight Value Propositions
Understand the three things HP ArcSight does better than anyone else
Describe HP ArcSight Business Drivers
Describe the HP ArcSight Solution
Identify, describe, and categorize qualification questions
Leverage the HP footprint: cross-HP Software Sales plays
Identify competitors and perform basic competitive analysis
Demonstrate capability to handle common objections
Demonstrate unique business value and build a proposal
Demonstrate knowledge of pricing/licensing models
HP ArcSight collects, analyzes and
correlates your security data to give
you better visibility into your risk.
HP ESP Overview
Key security trends
The rise of the cyber threat
Few people would deny that enterprises and governments are facing the most aggressive
threat environment in their history. Make no mistake: the adversaries have become smarter,
better organized, and more persistent as they look to gain information capital and IP. There is a
sense that the number of cyber threats is proliferating faster than companies can defend
against them. Many enterprises and governments have been the target of some very
sophisticated and targeted attacks, attacks which have caused very profound and wide-reaching
change for both users and organizations.
A survey conducted recently by Coleman Parkes on behalf of HP provides some telling
insights from senior business and technology executives.
Currently less than 1/3 of them believe their organization is well defended against threats.
Threats can be internal as well as external. 29% of technology executives said their
organizations had been breached internally and 20% of technology executives said that a
breach happened more than once.
From an external breach perspective, the numbers are slightly lower. But still, more than 1
in 10 technology execs said they had suffered a breach from unauthorized external access.
While the stories in the press focus on singular high profile breaches, it is clear that there
are many more occurrences that are not reported.
Disruptive technology trends
In the Instant-On Enterprise, there's an increased drive to adopt new technologies, around
devices and data in particular. These trends also mean that the traditional corporate perimeter,
with clearly identifiable boundaries, has diminished. Further compounding this situation is the
rapid rise of security compliance, and all of this leads to complexity in the business. Complexity
often yields significant blind spots within an organization and forces its security controls to be
reactive to the latest threat or fire drill.
Moving security to the next level means facing these rising challenges. Effective security should
be incorporated into processes throughout an enterprise, not just at the perimeter. We work
with our clients to help them take a proactive, risk-based approach. We call this SECURITY 2.0.
The ESP Value Proposition
Security Intelligence and Risk Management platform
HP Business Service Automation (BSA) lets customers track their compliance state across
servers and networks and helps manage their virtualized environments. It mines data from HP
Server Automation, HP Network Automation, and HP Operations Orchestration. The players in
this area include:
Vulnerability Management: McAfee, Symantec, Nessus, Qualys
Asset Profiling: real time from HP ArcSight ESM, HP uCMDB or csv file
Risk Management: user input
The holistic approach
HP has a holistic approach to reducing risk. The proactive risk reduction approach is used to
increase security by:
seeing everything
providing context
acting appropriately
Enterprise security priorities
HP Security solutions address the priorities that our customers are grappling with including:
Managing information risk: being able to see the threats that cause risk.
Protecting against cyber threats: having intelligence to combat complex threats.
Improving reaction time when an incident does occur: having the right process, and smart
automation.
Spending wisely on security: having the experience to know where to concentrate the
money and resources; putting resources where they matter most.
Achieving compliance: understanding industry and customer requirements, geographical
concerns.
The HP Enterprise Security vision
The HP Enterprise Security vision must:
be driven by business priorities
see everything in the context of business processes and enable fast, efficient resource
prioritization
deliver standalone and intelligently integrated solutions
achieve compliance goals and manage security costs
HP Products & Services One Team, One Vision to Assure
HP ArcSight Log Management
HP Fortify Application Security
HP TippingPoint Network Security
DVLabs Threat Research
The security areas in which ESP is active
The HP ArcSight Solution
The HP ArcSight solution architecture is a comprehensive platform for monitoring modern threats
and risks, augmented by services expertise and the most advanced security user community,
Protect724. It assures customers can:
Establish complete visibility
Analyze events in real time to deliver insight
Respond quickly to prevent loss
Measure security effectiveness across people, process and technology
The HP ArcSight solution gives organizations the ability to collect information from any device,
any time, anywhere, to ensure they have complete enterprise security visibility. What's more, HP
ArcSight is supported by the revolutionary CORR Engine, which delivers industry-leading
correlation speeds with significantly reduced storage requirements compared with prior versions. The HP
ArcSight solution allows staff to capture logs, correlate events, monitor applications, check for
fraud and manage users and controls. Focusing on turning information into intelligence, the HP
ArcSight solution stands apart in the industry.
HP Fortify Software Security Center
HP Fortify provides advanced technologies to ensure applications are secure. HP Fortify inspects
applications at the source code level (static testing) and while they are running (dynamic
testing). It identifies and eliminates risk in existing applications and prevents the introduction of
risk during application development, in-house or from vendors.
Protects business critical applications from advanced cyber attacks by removing security
vulnerabilities from software
Accelerates time-to-value for achieving secure applications
Increases development productivity by enabling security to be built into software, rather
than added on after it is deployed
Delivers risk intelligence from application development to improve operational security
HP Fortify supports more languages than any other application security vendor, with significant
strengths in the area of mobile application security. But it's not just built for custom
applications: HP Fortify can determine if vulnerabilities exist in commercial, custom and open
source activities. Fortify can be delivered as purchased software or as a service. With
unmatched flexibility and depth of coverage, HP Fortify ensures organizations have a world-class
application security program in place.
HP TippingPoint Network Defense System
HP TippingPoint is a complete set of security solutions that address today's advanced security
threats at the perimeter and core of a business. It provides:
Scalable infrastructure to address current and future security deployment models (NGIPS)
Dynamic analytics and policy deployment with real time management (NG Mgmt)
Predictive intelligence to proactively address current and future threat activity (DV Labs)
Security and Threat Research
Leading Security Research
Security effectiveness is only as good as the security research behind it. HP's global security
research:
Collects network and security data from around the globe.
Partners with other leading research organizations like SANS, CERT and NIST to consolidate
security intelligence resulting in the most advanced intelligence network anywhere in the
world.
Is a collaborative effort of market leading HP teams: DV Labs, HP ArcSight, Fortify, HP Labs,
and Application Security Center.
Continuously finds more vulnerabilities than the rest of the market combined; HP discovers
4-6 times more software vulnerabilities than other IPS, NGFW vendors.
DVLabs
In addition to HP's own in-house security researchers, DVLabs (the industry leader for years)
manages the Zero Day Initiative (ZDI), a global organization of researchers constantly looking
for new application vulnerabilities.
1,500+ researchers registered
Typical profile: male, teen to mid-twenties, hobbyist
3,400+ 0-day vulnerabilities submitted by these researchers
1100+ 0-day vulnerabilities purchased (30+%)
ThreatLinQ Security Portal
Over 2000 customers leverage and contribute information to HP's ThreatLinQ security portal.
ThreatLinQ houses up-to-the-minute security information from around the globe that customers
have access to 24 hours a day, 7 days a week.
Business Drivers / HP ArcSight Value Proposition
Technology and business Background
The challenge customers face
Our customers face huge shifts in IT, moving to the cloud and handling what's often called the
consumerization of IT, that is, using the devices and services at work that they use at home. For
IT departments, this means staying secure while fundamentally rebuilding the platforms on
which they operate. Customers want to move from the traditional IT stack to a modern cloud
architecture (Infrastructure as a Service, Platform as a Service, or Software as a Service) to take
advantage of cost and agility improvements.
The challenge: No point of control
HP ArcSight prospects typically all have these similar challenges:
Millions of Events generated per day
No central point of collection and analysis for these Events
Too difficult to manage security and risk
HP ArcSight Value Proposition
Elevator Pitch for HP ArcSight
HP ArcSight is the industry leading security information
and event management (SIEM) solution for collecting,
consolidating, and correlating enterprise-wide security
events, in order to rapidly identify, prioritize and
respond to cyber security attacks, insider threats, and
streamline regulatory compliance.
Where HP ArcSight will add value
HP ArcSight will add value in:
Security Incident Detection (APT as well)
Integration of Security into existing Incident Management Processes
Measuring security KPIs and KRIs
Monitoring Controls (Compliance)
Delivering information for GRC solution
The new way to reduce risk
Proactive Risk Reduction means you:
See everything in both Security and IT Ops
Provide Context
Act Appropriately
Security controls: User Provisioning; Identity & Access Mgmt; Database Encryption; Anti-Virus, Endpoint; Firewall, IDS/IPS
IT Operations controls: User Management; App Lifecycle Mgmt; Information Mgmt; Operations Mgmt; Network Mgmt
Three things HP ArcSight does better than anyone else
HP ArcSight collects, analyzes and correlates
your security data to give you better visibility
into your risk.
Collect
HP ArcSight does three things better than anyone:
Collect events from any system or application
Consolidate using Universal Log Management
Cutting edge threat analysis via advanced correlation, packaged in a simple and automated
form
HP ArcSight enables organizations to collect information from anything and everything, safely and
securely. HP maintains hundreds of prebuilt connectors off the shelf. You can keep it raw or parse it for
better analysis, your choice. Most importantly, you can extend this collection to any new type of device
whenever you need to, even without HP's involvement, using our toolkit. This means that the choices you
make today for monitoring won't limit your information strategy tomorrow.
Consolidation
HP ArcSight provides an enterprise wide log management solution. HP ArcSight lets
organizations deploy one solution to manage all the enterprise-wide log data that is collected.
Consolidation yields these results:
Universal Log Management of any data to support IT operations, security, compliance and
application development
Search + report on years of data to investigate outages and incidents quickly and easily
Complete management of any data to support security, compliance and IT operations
Cut SAN/storage cost with cheap simple management of petabytes of log data
The ability to scale to meet needs of compliance, security, IT Operations, and applications
by adding multiple loggers
The platform supports management of raw and structured data for any type of usage in any
department. Store, search and report on years worth of data very quickly and dramatically cut
the cost of storing years of data using HPs leading compression and storage mechanisms.
Correlation
The HP ArcSight Correlation Engine (CORR) allows organizations to:
Identify modern advanced threats through pattern recognition and anomaly detection
Analyze roles, identities, histories and trends to detect business risk violations
Use Identity Correlation to correlate common identifiers such as email address, badge ID
and phone number
Find very subtle and sophisticated threats with ThreatDetector
Get smarter - the more you collect, the smarter the system gets
HP ArcSight uses modern techniques to detect modern cybercrime. These include HP's patented
ThreatDetector engine, a pattern matching and anomaly detection system which can find very
subtle and sophisticated threats including zero-day outbreaks and fraud. It includes correlating
user roles and trends to determine who is violating policies and putting the business at risk.
The net result is that with HP ArcSight you can detect, and therefore prevent, not only the basic
stuff, but especially the attacks that you can't predict. Customers use HP ArcSight not only to
defend against the worst attacks, but also to improve their overall compliance and operations.
Collaboration
HP ArcSight also incorporates application security from HP Fortify and integrates reputation
data from HP DVLabs. Use its Cloud Connections Program to get visibility into cloud data in
addition to physical and virtual layers. It also provides bi-directional integration with HP BSM
products.
HP ArcSight Business Drivers
The main audience for HP ArcSight is the CIO/CISO, Compliance, Network Engineering, and IT Operations.
They are driven by:
The need to expand security metrics business-wide
The need to manage risk information of new architectures like cloud (e.g. PaaS, IaaS) or
mobile
Regulatory issues with security monitoring information
Compliance project or audit failure based on lack of information
The realization: we have too much data and need effective correlation to prioritize
HP is the only company that can correlate across
who-what-where, that is, roles, logs and flows,
to understand not only what's happening but if
it's really a problem. And the best part is that the
more information you collect and store, the
smarter the system gets.
IT Operations Drivers
When talking with IT Operations, it is important to be aware of their key concerns and what they
need to know.
Key concerns that HP ArcSight can address:
  Main driver: troubleshooting
  Searches for specific strings, checking flows and debug logs
  Some alerting based on information in the event
  Some reporting based on management requirements or SLAs
What IT Operations needs to know: system and user impact
  What users and equipment are affected?
  What is the level of degradation in my environment?
When talking about IT Operations we mainly talk about availability. When any of these problems
affects the IT environment, it is possible that business critical systems and users are impacted
either through performance degradation, or by being completely off-line. This has a severe
effect on business operations, impacting both revenue and the bottom line.
Detecting fraud
There are also special SIEM drivers you may see when talking to customers. One concern is
always that somebody internally is behaving in a malicious manner. HP ArcSight's User
Monitoring can be used to detect internal fraud. This solution helps understand who is in an
organization's network and what they are doing. Privileged user monitoring is a typical use case
here, as well as shared user account monitoring. Another concern may be transactional fraud.
This can be fraud in online banking, insurance or even gambling. It can be anything where
transactional business data is involved.
Compliance Drivers
Monitoring approaches affect compliance and can lead to failed audits, fines and penalties for
three reasons.
Manual monitoring approaches:
  error prone, labor intensive, blind spots
  impossible to ensure continuous compliance and protect against the breach
Semi-automated monitoring approaches:
  discrete/disjointed auditing process
  error-prone and not continuous
Automated monitoring approaches:
  capture all logs
  direct event feeds
  the least intrusive, most comprehensive approach to continuous audit coverage
Security Drivers
The tools security engages to combat Bot, Worm and Virus attacks, Hackers and VPN Sneak
Attacks include:
User Provisioning
Identity & Access Mgmt
Database Encryption
Anti-Virus, Endpoint
Firewall, Email Security
Bot, Worm and Virus attacks
Viruses are a constant threat to corporations. It is
essential to know:
What malware is infiltrating my environment and
how is it propagating?
Is my AntiVirus system able to mitigate malware
threats?
Hacker Detection
Organizations need to know:
Who is attacking me and where are they attacking from?
Which of my internal systems are they attacking?
VPN Sneak Attacks
Businesses have to allow remote users to access internal systems, but at the same time cannot
control the sources of access. Organizations need to know:
Where are my remote users coming from and what areas are they accessing?
Are the remote computers secure and up-to-date?
Describe the Solution
HP ArcSight Logger
HP ArcSight Logger Elevator Pitch
ArcSight Logger is a Universal Log Management solution that can Collect Everything,
Analyze Anything and can be Used Anywhere. It unifies searching, reporting, alerting and
analysis across ANY type of enterprise log data. It supports multiple deployment options
and can be installed as an appliance and as software.
HP ArcSight Logger
unifies searching, reporting, alerting and analysis across any type of enterprise log data
supports multiple deployment options and can be installed as an appliance and as
software
is optimized for extremely high event throughput
stores security events onboard in compressed form
can be deployed stand-alone to receive events from syslog messages or log files, or to
receive events in Common Event Format from SmartConnectors
can forward selected events as syslog messages or to ESM
can work together (Multiple Loggers) to scale up to support high sustained input rates.
Universal Data Collection
HP ArcSight Logger enables organizations to collect information from anything and everything,
safely and securely. HP maintains hundreds of prebuilt connectors off the shelf. Organizations
can keep data raw or parse it for better analysis. Most importantly, you can extend this
collection to any new type of device whenever you need to, even without our involvement, using
HP's toolkit. This means that the choices you make today for monitoring won't limit your
information strategy tomorrow.
Collect events from any device
Broadest coverage (300+ sources out of the box) and raw data feeds
Extend to new data types whenever needed, without HP ArcSight involvement
Intelligent Analysis Engine
HP ArcSight's Intelligent Analysis Engine provides enterprise-wide log management to handle
all the data that you collect. The platform supports management of raw and structured data
for any type of usage in any department. You can store, search and report on years' worth of
data very quickly, and you can dramatically cut the cost of storing that data using our leading
compression and storage mechanisms.
Deploy a single solution to manage all log data across your enterprise
Google-like search interface for any structured or unstructured logs
Top-down or bottom-up analysis
Pre-packaged content with forensics on the fly capability
Why does this matter? The questions managers now ask require information that cuts across
departments. For example, when investigating a breach, you may find that a user visited a site,
inadvertently downloaded malware, which then stole credentials, accessed a database, queried
credit card records, phoned home and sent out the numbers. To see this, you need logs from
your web team, IT, security, identity management, etc. You need universal log management.
Performance without Compromise
A key benefit of HP ArcSight Logger is that you can use it everywhere. Paired with HP ArcSight
ESM it provides cutting-edge threat analysis via advanced correlation, packaged in a simple and
automated form (Logger on its own offers basic correlation, real-time search and real-time
alerts). HP uses modern techniques to detect modern cybercrime. These include our patented
ThreatDetector engine, a pattern-matching and anomaly-detection system which can find very
subtle and sophisticated threats including zero-day outbreaks and fraud. It includes correlating
user roles and trends to determine who is violating policies and putting the business at risk.
It offers:
Multiple deployment options Appliance, software, Virtual or within cloud
Fast collection
Storage efficiency and deployment flexibility
Quick analysis
HP is the only company that can correlate across WHO-WHAT-WHERE, that is, roles, logs and
flows, to understand not only what's happening but whether it's really a problem. And the best
part is that the more information you collect and store, the smarter the system gets. The net
result is that with HP ArcSight you can detect, and therefore prevent, not only the basic
attacks but especially the attacks that you can't predict.
HP ArcSight Express
HP ArcSight Express is a separately licensed Security Information and Event Management (SIEM)
appliance that provides the essentials for network perimeter and security monitoring by
leveraging the superior correlation capabilities of HP ArcSight ESM in combination with an HP
ArcSight Logger storage appliance. HP ArcSight Express delivers an easy-to-deploy, enterprise-
level security monitoring and response system through a series of coordinated resources, such
as dashboards, rules, and reports included as part of HP ArcSight Express Content.
HP ArcSight Express does three things better than anyone: detect more incidents, address more
data and operate more efficiently.
The ESM portion of the HP ArcSight Express solution comes with a series of coordinated
resource systems that address common enterprise network security and HP ArcSight
administration tasks. These resource systems are referred to collectively as HP ArcSight
Express content. With some basic configuration done using the ESM Console, HP ArcSight
Express content enables you to get started using HP ArcSight Express right away to effectively
manage enterprise security operations without having to create additional resources.
HP ArcSight's Correlation Optimized Retention and Retrieval (CORR) Engine is a breakthrough
technology that delivers orders of magnitude improvement in log correlation and storage,
helping security administrators thwart the complex threats they face today. Using HP ArcSight
Express administrators and analysts are able to:
Detect more incidents
The new architecture will allow event correlation rates of up to 5x the current performance
using the same hardware.
Address more data
The new architecture will enable storage capacity of up to 10x the current capacity for
correlated events using the same disk space.
Operate more efficiently
The use of a common data store allows both the real-time correlation application and the
log management application to use the same set of data, providing a seamless workflow
that includes detection, alerting, and forensic analysis and reporting.
Universal Data Collection
Organizations archive and analyze log data for a broad set of reasons ranging from security
monitoring to IT operations, and from regulatory compliance to fraud detection. An effective log
collection infrastructure layer simplifies and optimizes the aggregation of logs across
thousands of devices and hundreds of locations. It serves as the foundation of log management
and security information and event management (SIEM) platforms. HP ArcSight Express can:
Collect events from any system, application or device in your environment including raw
data, normalized and categorized events for improved analysis
Extend to new event sources whenever needed, without HP ArcSight involvement
HP ArcSight Connector technology addresses these core challenges through a powerful log
aggregation and optimization interface layer that also represents the foundation for its broader
log management and SIEM platform.
Connectors: Quantity and Quality Collection
HPs out of the box Connectors support a wide range of technologies, from security to
compliance to IT operations. And this list does not include those Connectors created by our
customers and partners using our FlexConnector. Customers have developed their own
connectors using the FlexConnector, for everything from physical building security badge
readers, to telephone PBX and fax systems.
The benefits to our HP customers include:
Fast, low-cost deployments; no need to develop these Connectors
Customers can easily leverage best-of-breed technologies
Not only the largest quantity of vendors and products, but heavy focus on the quality of
that collection
A single pane of glass, HP ArcSight Express, supporting the broadest set of inputs in the
industry
Multi-pronged collection strategy; customers are not reliant on the SIEM vendor
The systems and applications in an organization's environment log their events in different
formats. Even when devices use a common log transport, such as routers and switches using
syslog, the events from each product and vendor are still formatted differently. One of the
primary functions of the HP ArcSight Connector is to normalize this event data and categorize
events using a common, human-readable format.
HP ArcSight has the largest library of Connectors,
supporting more products, from more vendors in more
categories than any other SIEM vendor.
Intelligent Threat and Risk Detection
HP ArcSight Express correlates seemingly unrelated events using the most advanced real-time
correlation techniques. By correlating disparate events from disparate event sources, it can
detect even the most subtle attacks. With deep understanding of users and roles, network
activities and flows, HP ArcSight Express is uniquely able to understand:
who is on the network
what data they are seeing
which actions they are taking with that data
how that affects business risk
HP ArcSight Express can then apply modern
techniques including pattern recognition and
behavioral analysis to detect the sophisticated threats
that are hurting organizations every day. As a result, organizations can cut through millions of
events to focus on the most critical incidents affecting them. This provides better
security and faster response with fewer resources.
Traditional SIEM vendors focus on some of the basics of correlation, including event, threshold
and statistical correlation. While these are important building blocks of correlation, HP ArcSight
Express goes far beyond them with a robust and mature correlation engine.
HP ArcSight Express also packages Out of the Box content for common use cases the rules,
reports, alerts and dashboards for a wide variety of common problems faced by an IT staff
network visibility, security, privileged user monitoring and sensitive data protection so staff
does not have to spend weeks and months to realize value out of HP ArcSight Express.
Meaningful Response
HP ArcSight Express offers a range of features that ensure fast, convenient and intuitive access
to information.
Integrated notifications, case management and workflow
Complete reporting and documentation of all activities
Automated response to threats, risks, and compliance violations
Dashboards
Customizable and graphically rich dashboards provide business and technical views that are
tailored to deliver insights to the appropriate individuals in the organization. The reporting
framework makes business-level reporting easy through both standard and customizable
templates for compliance status, business risk and user profiling.
The HP ArcSight Express console provides a single view of a company's status based on
validated attacks and business risk, while geographic and network map views allow users to
maintain awareness in areas of their organizational responsibility. Once threats and risks are
identified, HP ArcSight Express uses its built-in workflow engine to manage incidents, prevent
damage and respond appropriately.
Real-Time Alerting and Notifications
Analyze and Investigate
Powerful and Flexible Reporting
Built-In Workflow
Threat Response
With HP ArcSight, threat response is fast, flexible,
and effective; HP provides the right response for
the right impact.
ESM
ESM Anatomy
HP ArcSight ESM consists of several separately installable components that work together to
process event data from networks. These components connect to a network via sensors that
report to ESM SmartConnectors. SmartConnectors translate a multitude of device output into a
normalized ESM schema that becomes the starting point for ESM correlation capabilities. The
graphic below illustrates ESM's basic components and additional HP ArcSight products that
manage event flow, facilitate event analysis, and provide centralized network management and
incident response. These components are described in the following pages.
Individual SmartConnectors and/or a Connector Appliance gather and process event data from
network devices and pass it to the Manager. The ESM Manager processes and stores event data
into the ESM Database. Users interact with ESM using the ESM Console or ArcSight Web.
A comprehensive series of optional products provide forensic-quality log management, network
management and instant remediation, regulatory compliance, and advanced event analysis.
Smart Connectors
SmartConnectors are the interface to the objects on a network that generate ESM-relevant
data. They collect event data from network nodes and then normalize the data in two ways:
first they normalize values (such as severity, priority and time zone) into a common format,
and then they normalize the data structure into a common schema. SmartConnectors can then
filter and aggregate events to reduce the volume of events sent to the ESM Manager, which
increases ESM's efficiency and accuracy and reduces event processing time. SmartConnectors
support commands that alter the source and/or execute commands on the local host, such as
instructing a scanner to run a scan. SmartConnectors also enrich the data they gather, for
example by resolving IP addresses to host names (and vice versa) so the Manager does not
have to. SmartConnectors perform the following functions:
Collect all the data needed from a source device, so you do not have to go back to the
device during an investigation or audit.
Save network bandwidth and storage space by filtering out data you know will not be
needed for analysis.
Parse individual events and normalize them into a common schema (format) for use by
ESM.
Aggregate events to reduce the quantity of events sent to the Manager.
Categorize events using a common, human-readable format. This saves staff from having
to be an expert in reading the output from a myriad of devices from multiple vendors, and
makes it easier to use those event categories to build filters, rules, reports, and data
monitors.
Pass events to the Manager after they have been processed.
Depending on the network node, some SmartConnectors can also issue commands to the device.
These actions can be executed manually or through automated actions from rules and some data
monitors. HP ArcSight releases new and updated SmartConnectors regularly.
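The normalization, filtering, aggregation and categorization steps described above (and the point made under Connectors that two products sharing syslog as a transport still format their messages differently) as an added worked example. This is illustration code written for this guide, not HP ArcSight SmartConnector code: a small Python pipeline takes constructed syslog lines from an OpenSSH host and a Linux netfilter firewall, maps both formats to one schema, drops an assumed noise class at the connector, collapses repeated identical events into one event carrying a count, and emits the result in Common Event Format (CEF), the format Logger and ESM accept from SmartConnectors. The signature IDs, category strings, severity numbers and the filter policy are assumptions chosen for the example, not ArcSight's actual mappings.

```python
"""Toy SmartConnector-style pipeline: parse -> normalise -> filter -> aggregate -> CEF."""
import re

# Constructed sample syslog lines (not real captures): an OpenSSH bastion host and a Linux
# netfilter firewall, each with its own vendor-specific message format.
SAMPLE_LINES = [
    "Jul 10 12:00:01 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Jul 10 12:00:02 bastion sshd[2102]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Jul 10 12:00:03 bastion sshd[2103]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2",
    "Jul 10 12:00:04 fw1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=22",
    "Jul 10 12:00:05 fw1 kernel: IPT-DROP IN=eth0 OUT= SRC=192.0.2.33 DST=224.0.0.251 PROTO=UDP SPT=5353 DPT=5353",
    "Jul 10 12:00:06 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Jul 10 12:00:07 bastion sshd[2105]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
]

# Transport-level syslog framing shared by both sources; the message body is vendor specific.
SYSLOG_RE = re.compile(
    r"^(?P<rt>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<dhost>\S+) (?P<tag>\S+?)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<suser>\S+) from (?P<src>\S+) port (?P<spt>\d+)")
SSH_OK_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<suser>\S+) from (?P<src>\S+) port (?P<spt>\d+)")


def parse_line(line):
    """Parse one raw line into the common schema (assumed field names/severities), or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    base = {"rt": m["rt"], "dhost": m["dhost"]}
    msg = m["msg"]
    if m["tag"] == "sshd":
        f = SSH_FAIL_RE.match(msg)
        if f:
            return {**base, "vendor": "OpenBSD", "product": "OpenSSH", "sig_id": "ssh:auth-failed",
                    "name": "Failed password", "severity": 5, "category": "/Authentication/Failure",
                    "src": f["src"], "spt": f["spt"], "suser": f["suser"]}
        ok = SSH_OK_RE.match(msg)
        if ok:
            return {**base, "vendor": "OpenBSD", "product": "OpenSSH", "sig_id": "ssh:auth-success",
                    "name": "Accepted " + ok["method"], "severity": 3, "category": "/Authentication/Success",
                    "src": ok["src"], "spt": ok["spt"], "suser": ok["suser"]}
        return None  # other sshd messages (e.g. PAM session lines) are not mapped
    if m["tag"] == "kernel" and msg.startswith("IPT-DROP "):
        kv = dict(tok.split("=", 1) for tok in msg.split()[1:] if "=" in tok)
        return {**base, "vendor": "Linux", "product": "netfilter", "sig_id": "fw:drop",
                "name": "Packet dropped", "severity": 4, "category": "/Firewall/Deny",
                "src": kv.get("SRC"), "dst": kv.get("DST"), "spt": kv.get("SPT"),
                "dpt": kv.get("DPT"), "proto": kv.get("PROTO")}
    return None


def should_drop(ev):
    """Connector-side filter. Assumed policy: multicast DNS drops (UDP/5353) are link-local noise."""
    return ev["sig_id"] == "fw:drop" and ev.get("proto") == "UDP" and ev.get("dpt") == "5353"


AGG_KEY = ("vendor", "product", "sig_id", "src", "dst", "suser", "dhost")


def aggregate(events):
    """Collapse events identical except for time and ephemeral port into one event carrying cnt.
    The first occurrence's rt and spt are kept, so the Manager sees the start of the run."""
    merged = {}
    for ev in events:
        key = tuple(ev.get(k) for k in AGG_KEY)
        if key in merged:
            merged[key]["cnt"] += 1
        else:
            merged[key] = {**ev, "cnt": 1}
    return list(merged.values())


def _esc_header(v):  # CEF header fields: escape backslash and the pipe delimiter
    return str(v).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v):  # CEF extension values: escape backslash, '=' and line breaks
    return str(v).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n").replace("\r", "\\r")


def to_cef(ev):
    """Serialise one event as CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|extension."""
    head = [ev["vendor"], ev["product"], ev.get("version", "unknown"), ev["sig_id"], ev["name"], ev["severity"]]
    ext = [("rt", ev.get("rt")), ("dhost", ev.get("dhost")), ("src", ev.get("src")), ("spt", ev.get("spt")),
           ("dst", ev.get("dst")), ("dpt", ev.get("dpt")), ("proto", ev.get("proto")),
           ("suser", ev.get("suser")), ("cat", ev.get("category")), ("cnt", ev.get("cnt"))]
    return "CEF:0|" + "|".join(_esc_header(h) for h in head) + "|" + \
        " ".join(f"{k}={_esc_ext(v)}" for k, v in ext if v is not None)


def run_pipeline(lines):
    """Parse -> filter -> aggregate -> CEF. Returns (cef_records, number_of_unparsed_lines)."""
    kept, unparsed = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
        elif not should_drop(ev):
            kept.append(ev)
    return [to_cef(ev) for ev in aggregate(kept)], unparsed


if __name__ == "__main__":
    records, skipped = run_pipeline(SAMPLE_LINES)
    print("\n".join(records))
    print(f"{skipped} line(s) not mapped to the schema")
```

Running it on the constructed lines yields three CEF records from seven inputs: the three root failures from 203.0.113.7 become one record with cnt=3, the mDNS drop is filtered before it costs bandwidth or storage, and the PAM session line is counted as unparsed rather than silently lost, which is the figure to watch when a new device type shows up and a FlexConnector-style mapping is still missing.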
Connector Appliance
HP ArcSight Connector Appliance is a hardware solution that hosts the HP
ArcSight SmartConnectors needed in a single device with a web-based user
interface for centralized management of multiple devices. The Connector
Appliance centralizes SmartConnector management and offers unified control of
SmartConnectors on the Connector Appliance itself, remote Connector Appliances, and
software-based SmartConnectors installed on remote hosts.
The Connector Appliance:
Supports bulk operations across all SmartConnectors and is ideal in HP ArcSight ESM
deployments with a large number of SmartConnectors
Provides an HP ArcSight ESM-like SmartConnector management facility in Logger-only
environments
Provides a single interface through which to configure, monitor, tune, and update
SmartConnectors
The Connector Appliance does not affect working SmartConnectors unless it is used to change
their configuration. Connector Appliance is an ideal solution when connectors target multiple
heterogeneous destinations (for example, when HP ArcSight Logger is deployed along with
ESM), in a Logger-only environment, or when a large number of SmartConnectors are involved,
such as in an MSSP deployment.
ESM Manager
The ESM Manager is the heart of the ESM solution. It is a Java-based server that
drives ESM analyses, workflow, and services. The Manager is portable across a
variety of operating systems and hardware platforms. It also correlates output
from a wide variety of security systems. The Manager writes events to the ESM
Database as they stream into the system. It simultaneously processes them
through the correlation engine, which evaluates each event with network model and
vulnerability information to develop real time threat summaries. ESM comes with default
configurations and standard foundation use cases consisting of filters, rules, reports, data
monitors, dashboards, and network models designed to be usable as soon as ESM is installed.
Organizations can also design the entire process that the ESM Manager drives, from detection,
to correlation, to escalation. HP ArcSight Professional Services is available to help with this
design and set-up.
ESM Database
As events stream into the Manager from the SmartConnectors, they are written to the ESM
Database with a normalized schema. This enables ESM to collect all the events generated by
devices on a network for later analysis and reference. The ESM Database is based on Oracle. A
typical installation retains active data online for a period ranging from weeks to months.
SmartStorage Partition Management
SmartStorage partitions are chronological slices of the database that can be compressed, and
then archived for later retrieval. By default, ESM creates a new partition every day.
EnterpriseView
EnterpriseView Elevator Pitch
HP EnterpriseView provides CISOs with the decision intelligence required to allocate budget
and resources to most efficiently remediate and mitigate IT risk. HP EnterpriseView integrates
with existing technologies to map IT devices to the business services they support. This
frames IT risk in a business context in heat maps, reports and a dynamic risk register. Further
efficiencies are achieved through integrations with CMDBs, SIEMs and SCM solutions as this
capability allows for automated assessments of technical controls.
The problem today driving the need for HP EnterpriseView:
The Problem:
No actionable intelligence (CISOs are buried under a sea of technical data without business
context)
Manual audits
Reduced ROI on existing technology
The Cost:
$1,000,000,000 in misallocated IT spending annually
$100,000s in potential savings by automating
What is HP Enterprise View?
HP EnterpriseView is:
Purpose-driven (IT GRC)
Dedicated Development and Quality Assurance
Technical Support
Maintenance
Updates/Patches
HP EnterpriseView is NOT:
a dashboard
direct competition to SecureBoardroom or Executive Scorecard
dependent on HP ArcSight ESM or a SIEM add-on
EnterpriseView HP Integration Points
HP uCMDB - Asset importation to build framework
HP BSA - Automate technical control assessments
HP ArcSight ESM - Asset importation to build framework; SIEM event stats
HP ArcSight Vulnerability SmartConnectors
Qualify the Solution
Qualification questions & pain points
Universal Pain Points
The target for the HP ArcSight SIEM solution is the CISO, CCO and CIO and their teams. The list
below describes pain points to listen for when talking to prospective customers.
Can't get to the important data (understand business impact)
Can't get to the important data quickly enough (when time matters)
Too manual and expensive to get to the important data (resource intensive)
We don't even know when we are under attack (needle in the haystack)
Questions leading to HP ArcSight Logger
Ask these questions for prospective customers for HP ArcSight Logger.
Are you using three separate solutions one each for cybersecurity, compliance and IT
operations?
Do you want to lower your TCO and increase your ROI by combining all this into one
solution?
Do you have distributed silos of information scattered around the enterprise?
Do you want to centralize all that information to paint the complete picture of who is
doing what and when in your organization?
Are you required to comply with one or more regulations, and to store logs for multiple
months or years?
Do you find yourself in situations where you do not know who made a change or why a
server went down?
What did a contractor or a terminated employee do a month before or after the
termination date?
Where to start in case of an audit and how to efficiently demonstrate compliance to the
auditor?
Do you have a simple, unified, fast and efficient way to sift through terabytes of logs within
seconds?
Questions leading to ESM/HP ArcSight Express
Ask these questions for prospective customers for ESM / HP ArcSight Express.
Do you have complete visibility into the threats and attacks faced by your organization?
Do you need to manually interpret logs from several different systems to understand
what is happening in your environment?
Are you able to identify security threats to your environment accurately in a short span of
time?
Does the volume of alerts coming from your IT infrastructure overwhelm your staff?
Do you have too many false positives?
Do you have to be compliant with any regulations?
Does it take a long time for you to generate compliance reports?
Are you able to identify and respond to security threats in real-time?
Are you able to monitor the activity of privileged users in your sensitive assets?
Are you able to track which users accessed what critical data/assets at any time?
HP footprint: cross-HP Software Sales plays
HP ArcSight Logger to BSM
Convergence of data from IT Operations and Security Operations
Benefits of Bi-directional integration between OM/NNM/NNMi and HP ArcSight ESM/Logger:
Complete visibility into anomalies and threats, a 360 view of security and IT events.
Single pane of glass view of security, compliance and IT operations
Reduced gap between NOC and SOC
Security and compliance related Key Performance Indicators (KPIs) to IT operations service
health dashboards
Automate business process and workflows to enable effective business risk management
IT operations capture exceptions, incidents, fault, and performance events from business
critical applications and network infrastructure supporting them. The target-specific data is
captured through pre-written policies that trigger an event from those specific devices or
applications. Therefore, some events simply do not show up on the IT operations console.
Log management captures all logs from same devices plus any other log source in the network.
Log management can capture up to 100,000 events per second.
The convergence of this data helps IT operations understand the security context on the
exceptions along with a second set of eyes for comprehensive infrastructure log monitoring
from a security perspective, and helps to identify the security vulnerabilities in the system.
Prospects (IT operations practitioners or Directors) should either:
Have some form of Log Management point vendor solution such as Q1/ Nitro/ Splunk to
look at their IT operations
Be current HP IT operations customers who have BSM suite of products such as OMi, NNMi,
BAC, or legacy OpenView software
HP ArcSight Logger to BSM qualifying questions
Questions for Directors/Executives:
Do you have two separate teams for security and operations with little or no interaction
between the two?
Do you want to add a security layer and metrics to your existing HP Software investment?
Is it cumbersome and error prone to collect all the health events from all the systems you
have deployed?
How can your Operations team detect and manage external threats and security vulnerabilities?
Do you need help understanding how to integrate SOC and NOC?
Do you want to accelerate the adoption of your HP IT Operations investments?
Questions for Practitioners:
Do you find it difficult to search across events that happened last week, last month, last
year or in the last decade?
How do you troubleshoot and identify problem servers, networks or storage devices caused by
load or security threats?
How do you ensure compliance enforcement and IT security management?
How long does it take to create compliance / IT security reports?
How many people are assigned to compliance/security related tasks?
Educate prospects that HP has a seamless integration between the log management solution and
IT operations software that delivers comprehensive log management and simplified integration.
It helps cut costs, enables organizations to be more agile, and can be deployed as an appliance,
as software, as a virtual machine or within the cloud, in both Windows and Linux environments.
Competitive Landscape
Competitive analysis
Gartner Magic Quadrant for SIEM (May 2012)
Summary of the Gartner Magic Quadrant:
HP rated #1 in 8 out of 12 categories
HP ArcSight is still in the Leaders quadrant
RSA (EMC) exits Leaders quadrant
LogLogic has not just fallen off the Leaders quadrant but is now the last in Challengers
quadrant
Symantec also exits Leaders quadrant
LogRhythm enters Leaders quadrant - the only new entry into the leaders quadrant this
year
Nitro has gained on execution because of the McAfee acquisition
Q1 (now IBM) is more or less at the same place as last year
Challenges:
Gartner was not too happy about HP's complexity and pricing of ESM, both of which HP plans to
address in the next major release of ESM (6.0) scheduled for 2H 2012. They also mentioned HP
was separated from the pack in the previous year's Magic Quadrant because HP was the only
public company in the SIEM space. That has changed with the recent acquisitions of Q1 and
Nitro, which is why they have placed all three vendors very close to each other.
McAfee and IBM, now identified in the Leaders quadrant of the Magic Quadrant, are both coming
at SIEM from an IT management position that mimics the HP approach, broadening SIEM within a
larger security and risk platform. Our competitors' ongoing efforts to copy HP (while talking
HP down to customers) are proof that HP has set the gold standard in SIEM and is baking SIEM
into something with a long-term evolutionary roadmap.
Top Competitors, their strengths and their attack angles
The top competitors for HP ArcSight, their strengths, and the sales attack approach
Competitor: IBM/Q1 Labs
Their primary strength: Out of the box usability
Primary attack angle: "The HP product is a framework, not a solution. Ours is faster to deploy
and easier to use."
Competitor: McAfee/NitroSecurity
Their primary strength: Slick interface and pricing
Primary attack angle: "We will discount or include additional products, as needed to win the
deal."
Competitor: RSA enVision
Their primary strength: Established customer base
Primary attack angle: "We are just like ArcSight, but cheaper and easier to use."
Competitor: Symantec
Their primary strength: Brand recognition
Primary attack angle: "Buy from the #1 name in IT Security."
Competitor: Splunk
Their primary strength: Simple and easy to use. Free offering.
Primary attack angle: "We collect data from anything and everything. Try us for free. We have a
huge user community."
Competitor: LogRhythm
Primary attack angle: "We have said all along that LM and SIEM are one and the same, and we are
the only solution that provides it on the same appliance."
Competitors Log Management
HP ArcSight Competitors in the Log Management arena are currently Splunk, LogLogic, and
LogRhythm. These vendors emerged in 2006/2007 with a different value proposition.
LogLogic log management + light correlation
Network Intelligence log management + light correlation
Splunk IT Operations search
Competitive Differentiation
Splunk weakness
Not a universal log management solution. Positions itself as IT operations solution
No event correlation or strong SIEM capability
Structured data analysis is limited
Available ONLY as software
Licensed version 2X to 4X higher than Logger; 50 to 75% more expensive to buy and
maintain the software
Splunk does not have normalization and categorization
LogLogic weakness
Minimum two appliances needed to do what Logger can accomplish using one
instance
Available ONLY as an appliance
Long term reporting only on metadata
LogLogic has around 2 dozen connectors as compared to more than 300+ from HP
ArcSight they dismiss Smart Connectors as unnecessary
LogRhythm weakness
Available ONLY as an appliance - single box solution has many limitations
Fat client ONLY which does not allow remote management
They have database correlation which is slow and detects threats after the damage is
done
Competitors SIEM
SIEM emerged from SIM and SEM (SIM + SEM = SIEM), because ~ 70% of buyers required both SIM
and SEM.
SIM = Historical analysis, compliance focused
SEM = Real time analysis, perimeter threat focused
HP ArcSights current competitors in the SIEM space include: Q1Labs/QRadar, RSA, nitroSecurity,
Symantec, netforensics, and alienvault.
Competing with Q1Labs/QRadar
Stress Correlation capabilities
HP has 3X faster correlation, 5X faster reporting, and 10X more storage
IdentityView capability far outreaches Q1s version of identity
Stress Rich Console Usability, customizable, live dashboard and ability to drill down into
real data.
Stress TCO; Q1's maintenance costs are based on LIST pricing, ArcSight's are based on
NET.
Competing with RSA/enVision
Push for a trial to emphasize differentiation slides and a demo do not do it justice
Exploit enVision Weaknesses
enVision LS does not support SAN storage
enVision does not collect NetFlow data
enVision does not have Pattern Recognition
enVision is not a pillar for RSA - 2 years between versions 4.0 and 4.1
Competing with nitroView (McAfee)
Primary market in government sector
Supports approximately 200 devices
Flash-driven GUI sleek but limits navigation
High Availability accomplished by duplication of hardware vs. replication
Competing with Symantec
Scalability issues using their approach of one SESA agent with collectors plugged in
Exists only as web interface, no console option available
SSIM has very few installations and is mainly used as an enhanced reporting engine for
other Symantec products
Normalization and categorization is very limited
No significant release in 2 years.
Make sure the success criteria include a FlexConnector; they show poorly here
Competing with NetForensics
HP ArcSight has over 5X the storage space (42TB vs. 8TB)
HP ArcSight consistently replacing netForensics in MSSP environments
Claim to support over 1,000 devices, but website only lists 120
Competitors Suite
Suite vendors emerged in 2007/2008 with a wave of acquisitions.
Novell acquires eSecurity
Attachmate buys NetIQ; mainly in the Windows Event Management space
Cisco acquired Protego (now called MARS), but still focuses on networking. Relationship
with NetForensics eroded.
CA dropped SCC and Audit and came up with Enterprise LogManager
IBM still there, trying to integrate TSOM and TSIM
Symantec Round #3 of trying to come up with a competitive product
Today
HP acquires ArcSight
one year elapses
IBM acquires Q1 Labs
McAfee acquires NitroSecurity
What does it mean?
HP Security Strategy is validated
SIEM MUST be a core component that every CIO MUST invest in
Enterprises need to address security concerns in a comprehensive, connected fashion
Other recent actions and acquisitions
Cisco killed MARS
RSA acquired NetWitness and doesn't really know what to do with it
Symantec is still around in some countries
Splunk went public
LogLogic acquired by TIBCO
Handling common objections
Common Objections or FUD (Fear, Uncertainty, and Doubt)
Logger can't capture all the data
Third-party verified, audit-quality data capture
Secure, reliable transport, multiple time stamps, hashing and caching
Collection from 300+ log-generating sources, or build your own connector easily
Logger is difficult to deploy with connectors
Logger can be deployed with or without connectors
Connectors bring a lot of value to the table which competitors cannot match
HP ArcSight offers more than 300 connectors from more than 100 vendors in more than 35
categories for simple out-of-the-box collection and fast, simple forensic analysis
Logger has no real-time correlation
Logger does offer basic correlation, real-time search and real-time alerts
For more advanced correlation customers choose HP ArcSight ESM or Express, with best-in-
class correlation capabilities
Demonstrate unique business value and
build a proposal
Main case studies
Foxconn / Hon Hai
HP was on-site in Shenzhen, China within 48 hours of notification
Landed 3 top-level consultants from 3 countries and 2 continents (S. Korea, HK, USA)
HP ArcSight SIEM Platform was installed and configured within 3 hours and receiving data
within 5 hours
They identified 25 serious active security events in 72 hours including 3 major discoveries
and several real-time intrusions
Here are the observations, risks, and recommendations for Foxconn.

Observation: No central security operations or monitoring of security devices.
Risk: The customer has challenges detecting, analyzing and reporting on threats in real time.
Recommendation: Implement HP ArcSight SIEM to centralize log management.

Observation: No centralized security program or ownership.
Risk: The client has limited workflow, processes and procedures to respond quickly to threats.
Recommendation: Form a security operations organization to centralize security people and processes.

Observation: The DMZ allows brute-force user/password attacks on SSH and FTP servers.
Recommendation: Disallow external inbound SSH, use TippingPoint to block brute-force attacks, enable "3 failed and locked" type rules, and use HP ArcSight content to report on the activity.
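The last recommendation above, a "3 failed and locked" rule, is a windowed threshold on failed logins per source. The following is an added example of such a rule written in Python; it is not ArcSight content and not anything from the Foxconn engagement. It parses OpenSSH-style syslog lines (constructed for the example, not real logs), keeps a sliding window of failures per source IP, and raises one alert per source the first time the window reaches the threshold. The threshold, the window length and the year stamped onto the syslog timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not captured from any real system): OpenSSH-style syslog
# lines from a DMZ host. 203.0.113.7 is brute-forcing; 198.51.100.20 is a user
# who mistypes a password twice, well apart in time.
SAMPLE_LOG = """\
Jan 14 03:12:01 dmz-ssh1 sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 14 03:12:04 dmz-ssh1 sshd[2203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 14 03:12:06 dmz-ssh1 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51244 ssh2
Jan 14 03:12:09 dmz-ssh1 sshd[2207]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jan 14 03:15:30 dmz-ssh1 sshd[2301]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Jan 14 03:20:45 dmz-ssh1 sshd[2305]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
Jan 14 03:31:10 dmz-ssh1 sshd[2401]: Failed password for alice from 198.51.100.20 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_line(line, year=2013):
    """Parse one sshd syslog line into a dict, or return None for lines the rule ignores.
    Syslog carries no year, so one is assumed here (a collector takes it from receipt time)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}

def failed_login_rule(lines, threshold=3, window_seconds=300):
    """'N failed, then lock' rule: raise one alert per source IP the first time it
    accumulates `threshold` failures inside a sliding window. Successes do not reset
    the count (a brute-forcer that finally guesses right is still flagged); the alert
    carries the accounts tried so a lockout action can target them."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # src -> deque of (ts, user) failures inside the window
    alerted, alerts = set(), []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["outcome"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "host": ev["host"], "failures": len(q),
                           "accounts": sorted({u for _, u in q}), "triggered_at": ev["ts"],
                           "action": "lock source and tried accounts; report"})
    return alerts

if __name__ == "__main__":
    for alert in failed_login_rule(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the defaults only 203.0.113.7 fires (three failures within five seconds); alice's two failures are sixteen minutes apart and stay below the threshold. Widening the window to twenty minutes with a threshold of two would flag her as well, which is the tuning trade-off such a rule always carries.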
Take-aways from the FOXCONN / Hon Hai Q2 Win
11 days from breach to order meant the perfect solution-selling storm.
What we learned:
Build C-level relationships early
Run C-level security intelligence workshops
Follow market news closely
Always pull in HP TippingPoint
Leverage the HP AGM & AM
Customer references
http://www.hpenterprisesecurity.com/customers
Proof points

The critical elements for success are a combination of People, Process and Technology. It's
important that organizations understand this concept to balance their vision. Technology is
only a third of the problem, or better stated, a third of the solution. It does not solve
anything by itself; it only solves things when integrated with people and processes. In
addition, people need to be trained and there has to be awareness in the company. Processes
have to exist to make sure you know what to do and when.

Simply installing a SIM does not solve any problem. A SIM helps automate and improve your
security, compliance and incident response program. It's SIM + Strategy + Development =
Solution.

[Figure: "Enterprise Project" chart. People (circle size): trained and experienced. Process
(x-axis): focus on relevant business objectives, enterprise project team. Technology
(y-axis): tuned and stable.]
Measuring the success of a SIEM implementation
When trying to measure the success of a SIEM implementation, a chart like the one above, in
the style of a magic quadrant, helps. It has three dimensions: the people (trained and
experienced), the process (focused on relevant business objectives and the project team),
and the technology (tuned and stable). Of course, the goal is to get the customer into the
upper-right corner with a big circle.
How to get customers there:
Successful implementation: get enterprise technical experts, do a well-designed overall
architecture analysis and advise the customer on key considerations.
Educate the customer: learning on the job, instructor-led training, or web-based training
through HP ArcSight University.
Implement the process and strategy: advise customers on the business of information
security in an HP ArcSight context and provide functional as well as technical security
expertise; this should be highly focused on the customer's workflow.
Business justification
IdentityView
HP ArcSight IdentityView lets you understand who is on your network, what they are looking at
and what actions they are taking, giving you better compliance at lower cost.
HP ArcSight IdentityView - User Activity Monitoring
HP ArcSight IdentityView (IdView) helps organizations understand who is on their network, what
data they are seeing, and which actions they take with that data.
Correlates user identity across accounts and systems
Compares user activity to role to detect violations
Enriches all monitored events with user data for better context
The benefits to customers include:
High business value use cases for user monitoring
Lower risk from malicious insiders, shared and privileged accounts, and high risk users
Increased compliance with IAM best practices
HP ArcSight IdentityView correlates IP addresses with a user's identity information across
multiple accounts. Then it compares that user's rolled-up activity to the person's roles to
determine any violations. It can also profile user behavior to understand what users are doing,
giving better visibility into all business processes and the activities within those processes.
HP ArcSight IdentityView lets organizations retain control over their network as they open it up
to partners and customers, because tracking what these outsiders do can make compliance
easier.
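As an added illustration of the correlation described above (this is not IdentityView's own code or data model), the Python below binds a source IP to an account on authentication events, rolls several accounts up to one person, enriches later events from that IP with the person's role, and flags event categories the role policy does not allow. The accounts, roles, role policy, event categories and session timeout are all constructed assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed identity data (hypothetical). Several accounts roll up to one person, each
# person has one role, and the role policy lists the event categories that role may produce.
ACCOUNT_TO_PERSON = {
    "jsmith": "John Smith",        # everyday account
    "adm-jsmith": "John Smith",    # privileged account, same person
    "svc_backup": "Backup Service",
    "ewong": "Erin Wong",
}
PERSON_ROLE = {"John Smith": "dba", "Backup Service": "service", "Erin Wong": "finance"}
ROLE_ALLOWED = {
    "dba": {"vpn.login", "db.query", "db.admin"},
    "service": {"file.read", "file.write"},
    "finance": {"vpn.login", "erp.view", "erp.post"},
}

@dataclass
class Event:
    ts: int                         # seconds since epoch (constructed)
    src_ip: str
    category: str
    account: Optional[str] = None   # set only on authentication events (VPN, AD logon, ...)

# Constructed event stream in arrival order.
SAMPLE_EVENTS = [
    Event(1000, "10.1.1.5", "vpn.login", account="jsmith"),
    Event(1100, "10.1.1.5", "db.query"),                        # within the DBA role
    Event(1200, "10.1.1.5", "erp.post"),                        # a DBA posting in the ERP: violation
    Event(1300, "10.1.1.9", "file.read"),                       # no binding for this IP: no identity
    Event(1400, "10.1.1.5", "db.admin", account="adm-jsmith"),  # privileged account, same person
    Event(6000, "10.1.1.5", "db.query"),                        # binding expired: not attributed
]

def correlate(events, session_ttl=3600):
    """Bind source IP -> account on authentication events, then enrich every later event
    from that IP with the person and role behind the account and flag categories the role
    does not allow. Bindings expire after `session_ttl` seconds of silence so a reused
    DHCP/VPN address is not charged to the previous user."""
    sessions = {}   # src_ip -> (account, last_seen)
    enriched = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.account:
            sessions[ev.src_ip] = (ev.account, ev.ts)
        account = None
        if ev.src_ip in sessions:
            acct, seen = sessions[ev.src_ip]
            if ev.ts - seen <= session_ttl:
                account, sessions[ev.src_ip] = acct, (acct, ev.ts)
            else:
                del sessions[ev.src_ip]
        person = ACCOUNT_TO_PERSON.get(account) if account else None
        role = PERSON_ROLE.get(person) if person else None
        violation = role is not None and ev.category not in ROLE_ALLOWED[role]
        enriched.append({"ts": ev.ts, "src_ip": ev.src_ip, "category": ev.category,
                         "account": account, "person": person, "role": role,
                         "violation": violation})
    return enriched

def violations(events, session_ttl=3600):
    """Only the enriched events whose category falls outside the person's role."""
    return [e for e in correlate(events, session_ttl) if e["violation"]]

def activity_by_person(events, session_ttl=3600):
    """Roll activity up to the person across all of that person's accounts."""
    summary = {}
    for e in correlate(events, session_ttl):
        if e["person"]:
            summary.setdefault(e["person"], Counter())[e["category"]] += 1
    return summary

if __name__ == "__main__":
    for e in correlate(SAMPLE_EVENTS):
        print(e)
```

The two things worth noting are the expiry of the IP binding (without it the unattributed event at t=6000 would be charged to John Smith) and the roll-up of "jsmith" and "adm-jsmith" to one person, which is what lets the privileged account's activity be judged against the person's role rather than in isolation.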
Compliance Insight Packages (CIP)
Compliance Insight Packages (CIP) are pre-packaged solutions for regulatory compliance and IT
Governance, consisting of comprehensive sets of best practices based reports, rules, active lists
and dashboards for audit and compliance.
Standards-based log management solution
Offerings for organizations taking a governance approach and for organizations taking a
regulation-specific approach
HP ArcSight Compliance Insight Packages help clarify confusing log review practices for
compliance by providing an immediate, pre-developed log structure. HP has multiple
offerings based on the way your organization needs to structure compliance reporting.
HP ArcSight Compliance Insight Package for IT Governance
For organizations that are taking a governance approach to the compliance problem (such as
adopting a standard, for example ISO-17799, as the underlying basis of their security program), HP
offers the HP ArcSight Compliance Insight Package for IT Governance. This package offers more
than 80 reports based on a combination of the ISO and NIST standards.
HP ArcSight Packages:
HP ArcSight ESM CIP for IT Governance
HP ArcSight Logger CIP for IT Governance
Customer Requirements:
Moderate for regulation specific
Low to medium for standards specific
Value:
Pre-developed log review in an ISO-17799 specific context
Technical checks based on NIST 800-53
Reporting structure in ISO-17799 and NIST 800-53 specific format
Regulation-specific Compliance Insight Packages
For organizations that wish to take a regulation specific approach to their compliance program,
such as checks directly mapped to the HIPAA security standard, SOX specific reporting, etc., HP
offers and continues to develop regulation-specific Compliance Insight Packages that provide
out-of-the box technical, business and policy based checks directly mapped to major
compliance standards.
HP ArcSight Packages:
HP ArcSight ESM CIP for SOX, JSOX, PCI, FISMA, HIPAA, NERC
HP ArcSight Logger CIP for SOX, PCI
Customer Requirements:
Needs regulation specific program
Seeking guidance from vendor
Value:
Pre-developed log review in a regulation specific context
Supports control frameworks through best practice based approach
Reporting structure in regulation specific format
Unique differentiators for Logger
Captures Everything: Broadest LM solution
Any structured or unstructured data collection
300+ Products
FlexConnectors
Raw Syslog (TCP/UDP)
Raw File Based logs
CEF Partners
Analyze Anything: Business intelligence at your fingertips
Unified search interface for all structured and unstructured logs
Top-down or bottom-up analysis
Pre-packaged content (PCI, SOX, IT Governance, ISO/NIST)
Eliminates Tradeoffs: Patented Technology
Log capture rate of up to 100K events per second
Compresses and stores up to 42 TB of logs/appliance
Analysis speed of millions of events per second
SIEMple Integration: A True SIEM solution under one umbrella
Seamless integration with ArcSight ESM/Express
Common collection for low TCO
Common taxonomy of events
Common Event Format (CEF): One language to understand
Future-proofs customers' investment
Device independent analysis
Removes the need for device expertise
Deployment Flexibility: Optimal solution for any environment
Hardware and software form factors
On-board or SAN/NAS/DAS storage flexibility
Optimized for centralized and distributed environments
Market Leadership: Trusted and tested solution
Gartner MQ Leader: SEVEN years running
IDC #1 Market Share
InfoPro - #1 In Plan & "In Use" SIEM and Log management solution
First LM solution to offer FIPS and CAC
Solution Viability: Where most LM vendors are privately held
An HP company
Growing at 30%+ every quarter
2000 customers in 70+ countries
10 years of innovation and thought leadership
Key Performance Indicators (KPIs)

KPI: Number of events / number of events per source
  Why: Base for a lot of other KPIs; the trend shows the quality of event management.
  Data sources: All
  How: Logger: daily report counting events. ESM: trend with reports on top.

KPI: Number of privileged users' failed logins
  Why: Potential security breach.
  Data sources: OS, applications, authentication servers
  How: Logger: report using hard-coded user names in the query. ESM: report using an active
  list populated by, e.g., ADS (Active Directory) integration.

KPI: Number of security incidents
  Why: Base for other KPIs; shows the trend of security incidents in the organization.
  Data sources: HP ArcSight ESM; service desk / ticketing system
  How: Logger: only applicable if a feed from the ticketing system is integrated or critical
  events are by default an incident. ESM: applicable if ESM is used for case management or
  the ticketing system is integrated.

KPI: Number of identified IT risks / number of newly identified IT risks (compared to the
previous exercise)
  Why: Shows the security posture of the organization and the trend in mitigating risks.
  Data sources: Vulnerability scanner
  How: Logger: report on vulnerability scanner events. ESM: reports on vulnerability scanner
  events, reports per asset, trends.

KPI: Number of unauthorized IP addresses, ports and traffic types denied
  Why: Shows security violations; an indicator of the success of awareness training.
  Data sources: Firewalls and routers with ACLs; IDS/IPS
  How: Logger: report using the information in the query. ESM: report using active lists
  and zones.
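The "Common Event Format (CEF): one language to understand" differentiator above and the KPI table come down to the same work: parse CEF records, then count. The following added example (not ArcSight's parser or content) implements the CEF header and extension escaping rules and computes three of the KPIs above over constructed events: events per source, privileged-account failed logins against an "active list" of privileged accounts, and denied traffic by source, port and protocol. The sample events, the privileged-account list and the extension keys used for the counts (suser, outcome, act, dvchost, dpt, proto) are assumptions for the example; the key names follow the CEF convention, but which keys a given connector actually populates is device-dependent.

```python
import re
from collections import Counter

# Constructed CEF events (not from any real device). The last line exercises the escaping
# rules: "\|" inside a header field and "\=" / "\\" inside an extension value.
SAMPLE_CEF = [
    r"CEF:0|Microsoft|Windows|2008R2|4625|An account failed to log on|5|suser=adm-jsmith src=10.1.1.5 dvchost=dc01 outcome=failure",
    r"CEF:0|Microsoft|Windows|2008R2|4625|An account failed to log on|5|suser=ewong src=10.1.1.9 dvchost=dc01 outcome=failure",
    r"CEF:0|Microsoft|Windows|2008R2|4624|An account was successfully logged on|2|suser=adm-jsmith src=10.1.1.5 dvchost=dc01 outcome=success",
    r"CEF:0|Cisco|ASA|8.4|106023|Deny tcp src outside|4|src=203.0.113.7 dst=10.1.1.20 dpt=22 proto=TCP act=deny dvchost=fw-dmz1",
    r"CEF:0|Cisco|ASA|8.4|106023|Deny tcp src outside|4|src=203.0.113.7 dst=10.1.1.20 dpt=21 proto=TCP act=deny dvchost=fw-dmz1",
    r"CEF:0|Cisco|ASA|8.4|302013|Built inbound TCP connection|1|src=198.51.100.20 dst=10.1.1.20 dpt=443 proto=TCP act=permit dvchost=fw-dmz1",
    r"CEF:0|Security|threat\|manager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 msg=a \= b \\ c dvchost=ips1",
]

HEADER_NAMES = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # an unescaped key=, preceded by start or whitespace

def parse_cef(line):
    """Split 'CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension'.
    Header fields escape '|' and '\\' with a backslash; the extension is key=value pairs
    separated by whitespace, where values escape '=', '\\' and newlines."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    s, fields, buf, i = line[4:], [], [], 0
    while i < len(s) and len(fields) < 7:          # stop after the seventh unescaped pipe
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            buf.append(s[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    event = dict(zip(HEADER_NAMES, fields))
    event["ext"] = parse_extension(s[i:])           # everything after the seventh pipe
    return event

def parse_extension(ext):
    """Keys are unescaped tokens followed by '='; a value runs up to the next such key,
    so values may contain spaces and escaped '=' signs."""
    keys = list(EXT_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out

def load(lines):
    return [parse_cef(line) for line in lines]

# The "active list" of privileged accounts (constructed; in ESM this would be fed from AD).
PRIVILEGED_ACCOUNTS = {"adm-jsmith", "svc_backup", "administrator"}

def kpis(events):
    """Three KPIs from the table above: events per reporting device, privileged-account
    failed logins, and denied traffic by (source, destination port, protocol)."""
    per_source = Counter(e["ext"].get("dvchost", e["vendor"] + "/" + e["product"]) for e in events)
    priv_failed = Counter(e["ext"]["suser"] for e in events
                          if e["ext"].get("outcome") == "failure"
                          and e["ext"].get("suser") in PRIVILEGED_ACCOUNTS)
    denied = Counter((e["ext"].get("src"), e["ext"].get("dpt"), e["ext"].get("proto"))
                     for e in events if e["ext"].get("act", "").lower() == "deny")
    return {"events_per_source": dict(per_source),
            "privileged_failed_logins": dict(priv_failed),
            "denied_traffic": dict(denied)}

if __name__ == "__main__":
    print(kpis(load(SAMPLE_CEF)))
```

The parser is the part worth getting right: splitting the header on every "|" or the extension on every "=" silently corrupts events whose device names or messages contain those characters, and every count built on top then drifts. Note also that the failed-login KPI keys on the account name, so the privileged list must contain the account spelling the authentication source actually emits.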
Pricing/licensing model
Breaking down the project
Basic Principles of how to break the project down
Succeed or fail, SIEM can be expensive
Get it right and it works well
Get it wrong and it can doom a strategy
Spot the early signs and correct the plan
Building The Project - Starting to put it all together
Where do we start? What can we do?
Don't get lost: it can seem daunting
Impacts different areas of business
Conflicting demands from business
Overly complex
Top-down approach
Top Down or Bottom Up - which is the best approach?
It is easy to build a bottom-up business case that encompasses everything needed.
Try the bottom-up approach:
200,000 desktops
10,000 servers
10,000 other devices
Probably $5m+ product, $1m staff (6), $1m on-going, $3m internal
The top-down approach works... and why bottom-up doesn't!
High-level sample use case on PCI-DSS:
200,000 desktops down to zero (out of scope)
10,000 servers down to 10% (only impacted assets)
10,000 other devices down to 10% (only impacted assets)
Cost is now $1m+ product, $100k staff (2?), $100k on-going, $300k internal: much
cheaper
Know what the alternative costs are with different approach
Do the simple calculations on ROI / Cost
Pricing & Licenses
ESM is sold as a suite, but can also be used stand-alone in an appliance or software version.
These are the factors that determine pricing for each.
Appliance version
EPS events per second
# of devices or sources
on-board capacity of the appliance (built-in)
Software version
GB per 24-hr day (data flow rate)
# of devices is constrained
capacity for reporting, search (governors)
Table: ArcSight Logger: Appliance Pricing

Logger appliance | List  | NFR     | HA      | CIPs  | Max devices | Physical capacity (TB) | Effective capacity | Raw EPS | Connector EPS | Onboard connectors | Remote connector management
L7400x           | $130K | $11,000 | $91,000 | $10K  | unlimited   | 6.0                    | ~42TB              | 100K    | NA            | No                 | No
L7400-SAN        | $90K  | $11,160 | $63,000 | $10K  | unlimited   | 5.4 on SAN             | ~50TB              | 75K     | NA            | No                 | No
L7400s           | $70K  | $11,000 | $49,000 | $10K  | 500         | 6.0                    | ~42TB              | 5K      | NA            | No                 | No
L3400-PCI        | $30K  | $5,700  | $21,000 | incl. | 200         | 2.0                    | ~7.8TB             | 2K      | 200           | 4 (5 containers)   | 20
L3400            | $30K  | $5,700  | $14,000 | $10K  | 200         | 2.0                    | ~7.8TB             | 2K      | 200           | 4 (5 containers)   | 20
Pricing based on incoming EPS and number of devices
Channel/SMB friendly starting price point
Pricing shown is for North America; the standard uptick applies in EMEA and APAC
Additional CIPs are $2500 for each additional appliance
Low cost NFR units for internal use, demos and evaluations
Upgrade SKUs available and a special SKU L3x00-DSKTOP
Table: ArcSight Logger Software Pricing

SW SKU  | SW price in NA | Corresponding HW SKU | Corresponding HW price | GB/day | Effective capacity | Devices
L750MB  | $0             | N/A                  | N/A                    | 0.75   | 500GB              | 10
L5GB    | $7.5K          | N/A                  | N/A                    | 5      | 2.5TB              | 50
L30GB   | $15K           | L3400                | $20K                   | 30     | 8TB                | 200
L80GB   | $60K           | L7400s               | $70K                   | 80     | 42TB               | 500
L160GB  | $115K          | L7400x               | $130K                  | 160    | 42TB               | No license restriction
Price neutral to appliances
No equivalent SW SKU to L7400-SAN. Users can use SAN with any of the above SW SKUs
Upgrade prices are designed to promote customers to buy higher priced SKUs early on
For more information
Please review the pricing and licensing data that is available in the HP Software IT Performance
Suite - Enterprise Security Price Guide. The guide can be downloaded from the Pricing page on
Partner Central
https://h20229.www2.hp.com/partner/protected/bto/pricingguide/pricing.html.
The page contains pricing Information for the HP Software Business Technology Optimization,
Information Management and Security Portfolios, along with key documents on HP Software
pricing.
Evaluation/Demo Version
The SKU L750MB has no price because it is a free demo version, a tool prospects can use for
evaluation. The features and limits of the free evaluation product are compared with those of
the Enterprise version in this table.
Feature                                | Evaluation version | Enterprise version
Daily limit on log data                | 750MB              | License-dependent
Total searchable space (compressed)    | 50MB               | License-dependent
Distributed search reports             | No                 | Yes
Support for ArcSight SmartConnectors   | Restricted set     | Full set
Search, reports and real-time alerting | Yes                | Yes
Granular role-based access             | Yes                | Yes
Authentication and authorization       | Yes                | Yes
Community support                      | Yes                | Yes
Enterprise support                     | No                 | Yes
Additional resources
Please see the following sources for more information:
ESP on HP Software Partner Portal:
https://h20229.www2.hp.com/partner/protected/bto/portfolio/centers/esc.html
ESP University: http://www.hpenterprisesecurity.com/services/education/
ESP Customer website: http://www.hpenterprisesecurity.com/
ESP on HP Learning Center:
http://www.hp.com/certification/whats_learning_center.html
Access to product and technical manuals on Software Support Online:
http://support.openview.hp.com/selfsolve/manuals
HP Secure on YouTube: http://www.youtube.com/user/HPSecure