#MicroFocusCyberSummit

Transcription

1 #MicroFocusCyberSummit

2 Data Simplicity: ArcSight Data Platform enhances enterprise data via the Common Event Format Peter Titov Micro Focus #MicroFocusCyberSummit

3 Agenda Usage Ingestion Management Solutions What do we ask of our data? How do we get our data where it needs to go? Where is the easiest place to manage data? Why I can have my cake & eat it too. 3

4 ADP: Hold up! Wait a minute. What is ADP, what is included with it, and what is CEF? Smartconnector ArcMC Event Broker Logger Ingest Manage Route Immutable storage CEF: Common Event Format 4

5 Normalized Data vs Raw Data: Usage Normalized data Ideal for real-time correlation Ideal for known requests Reports, dashboards, filters, lists, etc. Raw data Ideal for hunting expeditions of the unknown Compliance mandates 5

6 Normalized Data vs Raw Data: Ingestion Normalization of Raw Data Regardless when the data is analyzed, normalization will occur in some fashion. Data will be formatted Data will be read Data will be interpreted Approaches to Normalization Pre-ingest Formatting Parsing up stream as close to the log source Weight of normalization is on the SmartConnector Post-ingest Modeling Parsing down stream as close to the log destination Weight of normalization is on the Indexer 6

7 Normalized Data vs Raw Data: Management Transport Encrypt or obfuscate Enrich Aggregate Secure Under budget 7

8 Normalized Data vs Raw Data: Challenges Events are lumped together ArcSight fields are not indexed and/or inaccurately captured Aggregated ArcSight data compounds this problem Indexing terabytes of data is exceptionally costly 8

9 Normalized Data vs Raw Data: Platform Solutions Elastic ArcSight X-Pack Splunk ArcSight Integrator Sumo CEF Syslog Parsing HDFS Data Lake vs Data Warehouse 9

10 Platform Solutions: Elastic & ArcSight X-Pack Fully normalized data aligned to CEF via Logstash Aggregate data for faster searching Machine learning & analytics Awesome visualizations via Kibana Additional data routing and ETL capabilities Best part, it s bundled with Elastic when installed!!! 10

11 ADP & Elastic: Implementation Download and install Elastic: Point ArcSight Connectors or Event Broker/Kafka to Logstash: Helpful guide for beginning your journey: 11

12 Platform Solutions: Splunk & ArcSight Integrator Fully normalized data aligned to CEF Aggregating data to drastically reduce Splunk licensing Splunk & ArcSight syntax similarities: Share content quickly and easily between platforms Increase efficiency of Splunk performance Simply add the ArcSight Integrator and point CEF Syslog or consume CEF Kafka topic. 12

13 ADP & Splunk: Powerful Together The Splunk Processing Language & ArcSight Interactive Search share many similarities A unified schema enables the cross-pollination of query syntax, e.g... ArcSight sourceaddress= top destinationaddress Splunk index= arcsight AND sourceaddress= top destinationaddress 13

14 ADP & Splunk: Aggregation Testimonial Reduce license utilization by 83% for one feed (from 9,000 to 1,500) $1.35 million in savings from this one example* 14 *Based upon ESM License pricing

15 ADP & Splunk: Implementation Add the ArcSight Technology Add-on (TA) for your ingest method: Splunk_TA_ArcSight_Integrator_for_SmartConnectors CEF Syslog Destinations Splunk_TA_ArcSight_Integrator_for_EB_or_Kafka Kafka topic of CEF data Optional: Leverage the Splunk_SA_ArcSight_Integrator (Support Add-on) for CEF-based dashboards and queries Configure connectors to aggregate data per included instructions Link to Protect724 for Splunk Add-On 15

16 Platform Solutions: Sumo & CEF Syslog Fully normalized data aligned to CEF Aggregating data to reduce Sumo licensing Increase efficiency of Sumo performance 16

17 Platform Solutions: HDFS Data Warehouse Data Lake Data Warehouse 17

18 Final Thoughts At the end of the day, we are all on the same team: When platforms collaborate: They become a force multiplier for their customers Everyone wins: users have faster searches AND managers have lower costs. Big data means thinking big and looking at the big picture. 18

19 Contact: Peter Titov (412) #MicroFocusCyberSummit Thank You.

20 #MicroFocusCyberSummit