ArcSight Architecture and sizing – Security Presales (transcript of a slide deck; source: microfocus.fundorfina.pl/wp-content/uploads/2019/...)
Strongest selling points
• ADP Connectors – FlexConnectors and out-of-the-box SmartConnectors, separate domains, Voltage integration
• ADP Event Broker – Kafka, redundancy, third-party consumers, brings order to the "spaghetti" data center, one focal point for event delivery
• ADP ArcMC – central management, device monitoring, deployment view, rules for health monitoring
• ESM – the best correlation engine, experience, HA and DR, on-premise or cloud, licensing
• Logger – long-term retention, performance, distribution, part of ADP (lower price)
• Investigate – Vertica, integration, simple to use, user experience, roadmap
ArcSight Architecture and sizing
Cfir Homeri
Security Presales
How to start?
Discovery questions for the first meeting:
• Top risks
• Business
• Who works in the SOC
• Network topology
• How many employees
• Main services
• Cloud or on-premise
• Security solutions already in place
Micro Focus ArcSight Sizing Discovery.xlsx
The New ArcSight Architecture
Data sources: users, cloud, app servers & workloads, network, endpoints, IoT, physical
ARCSIGHT ENTERPRISE SECURITY MANAGER – 24x7 real-time monitoring & correlation
UEBA – User Entity Behavior Analytics
ARCSIGHT LOGGER – compliance | search | retention
ARCSIGHT INVESTIGATE – hunt | investigation
SECURITY OPEN DATA PLATFORM
MANAGEMENT CENTER – suite management & administration
TRANSFORMATION HUB – information delivery
SMART/FLEX CONNECTORS – data collection, enrichment, and normalization
CONTENT – unified | actionable | insight
WEB CONSOLE – accessible monitoring & platform management
ArcSight – in a Nutshell
Integrated, single solution working towards the same goal: Intelligent Security Operations!
• ArcSight ESM for real-time prevention and detection @ 100K+ EPS
• ADP Logger for long-term log retention & compliance @ 1M+ EPS
• ArcMC for single-pane-of-glass management
• Investigate for hunting & analytics at blazing speed @ 1M+ EPS
• Event Broker as the message bus of choice to feed the single security big data lake & beyond (Hadoop, third-party data lakes, etc.) at 1M+ EPS
You invest in the vision of Micro Focus who sees Intelligent Security Operations at the center of the Enterprise Security paradigm.
Building a high-level design

Example 1 – "Solution with low cost, regulation, investigation if needed"

Example 1 – "Low cost, regulation, correlation if needed; there are no people": Logger/ESM

Example 2 – "We are just starting to build our SOC, we need an early success, and we must save data for one year": Logger, ESM, ArcMC

Example 3 – "We have run the SOC for the last 2 years; we are looking for a high-speed investigation tool and SOAR support to take our capabilities to the next level": Logger, ESM, ArcMC, Investigate, Event Broker, SOAR

Example 3 with full DR and HA support: Logger, ESM, ArcMC, Investigate, Event Broker, SOAR
Intelligent Security Operations – reference architecture (diagram)

Log collection layer: SmartConnector clusters collecting from any source (users, cloud, app servers & workloads, network, endpoints); event flow into the Event Broker
ArcSight Data Platform (ADP):
- ArcMC 2.6 or up – management traffic to all components
- Event Broker cluster – nodes 1, 2, 3 ... n (where n is an odd number); add Event Broker nodes as performance requires
- Logger pools/clusters – Logger 6.4 or up
Correlation layer: ESM 6.11 or up
Hunting & analytics & investigation: ArcSight Investigate on a Vertica cluster – nodes 1, 2, 3 ... n (where n is an odd number)
Integration / command: third-party consumers, e.g. Hadoop, fed from the Event Broker
Deployment: production plus HA/DR; compliance & reporting served from the Logger pool
Sizing
HPE ArcSight Sizing Worksheet FY18-16-0801.xlsm
Event Broker sizing
Sizing: Event Broker – 2 days retention (caching) – 10K EPS: 3 nodes
Sizing: Event Broker – 2 days retention (caching) – 10K EPS: 5 nodes
Sizing: Event Broker – 2 days retention (caching) – 25K EPS: 5 nodes
Sizing: Event Broker – best practices: [5] x nodes of VM/physical server, each with the following hardware specs
- ___ TB of disk space + OS (100 GB)
- Recommend Gen9/Gen10 hardware (ProLiant DL380, etc.)
- 64 GB RAM (32 GB RAM is OK – this is the absolute minimum – DO NOT GO BELOW THIS NUMBER)
- 2 x CPU with 12 cores per CPU = 24 CPU cores
- 15K RPM SAS (10K RPM is OK)
- 10 Gbit/s NICs (most important) – DO NOT GO BELOW THIS NUMBER
VM is OK to use if the recommended hardware specs can be guaranteed per VM.
- At least equivalent to Gen9 if virtual environment.
It is about choosing an appropriate "cookie cutter" (VM) hardware configuration; use the same hardware for nodes added over time.
Low latency is critical – 10 Gbit network only.
Consider the multiple topics that need to be served based on the consumers – CEF, CEF binary for ESM (two connector destinations) and Avro for Investigate (transformation performed at the Event Broker). Each topic is stored and replicated separately, so the disk figure has to cover every topic times its replication factor.
___ TB of disk space PER NODE for events/index only. Can be SAN, but needs the lowest latency possible. SSD not mandatory.
Keep in mind that compression is performed on the producer (e.g. the SmartConnector) using GZIP. With the broker default compression.type=producer the Event Broker stores batches exactly as the producer compressed them; it recompresses only if a different codec is configured on the topic or broker, so size disk from the compressed on-the-wire record size, not the raw event size.
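The arithmetic behind the "___ TB of disk space" blank, as an added worked example that is not part of the slides or of Micro Focus's sizing worksheet. It multiplies EPS by retention, per-event on-disk size and replication factor for every topic the broker must hold, adds headroom, and divides across the node count; the topic names (th-cef, th-binary_esm, th-arcsight-avro), per-event sizes, replication factor 2 and 25% headroom are placeholder assumptions that must be replaced with measured values from the target environment.

```python
"""Added example: Event Broker (Kafka) disk sizing from EPS, retention and topics.

Not from the slides or from Micro Focus; topic names, per-event sizes and
replication factors below are assumptions for illustration only.
"""
from dataclasses import dataclass
from math import ceil

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Topic:
    """One Kafka topic the broker retains. avg_event_bytes is the record size
    as stored on disk, i.e. after the producer (connector) compressed it."""
    name: str
    avg_event_bytes: int
    replication_factor: int


def topic_bytes(eps, retention_days, topic):
    """Bytes the whole cluster holds for one topic: every replica keeps a full copy."""
    events = eps * SECONDS_PER_DAY * retention_days
    return events * topic.avg_event_bytes * topic.replication_factor


def size_cluster(eps, retention_days, topics, nodes, headroom_pct=25, os_gb=100):
    """Per-node disk for the given topic set, with headroom for log segments that
    are not yet eligible for deletion and for uneven partition placement."""
    if nodes < 1:
        raise ValueError("need at least one node")
    for t in topics:
        if t.replication_factor > nodes:
            raise ValueError(f"{t.name}: replication factor {t.replication_factor} "
                             f"exceeds {nodes} nodes")
    data = sum(topic_bytes(eps, retention_days, t) for t in topics)
    data_with_headroom = data * (100 + headroom_pct) // 100
    per_node = ceil(data_with_headroom / nodes)
    return {
        "cluster_data_bytes": data_with_headroom,
        "per_node_data_bytes": per_node,
        "per_node_total_gb": ceil(per_node / 1e9) + os_gb,  # events/index plus OS disk
        "odd_node_count": nodes % 2 == 1,                   # slides recommend odd n
    }


# Assumed topic set for the three consumers named above (CEF text, CEF binary
# for ESM, Avro for Investigate). Sizes are placeholders, not measurements.
TOPICS = (
    Topic("th-cef", avg_event_bytes=150, replication_factor=2),
    Topic("th-binary_esm", avg_event_bytes=120, replication_factor=2),
    Topic("th-arcsight-avro", avg_event_bytes=100, replication_factor=2),
)

if __name__ == "__main__":
    for eps, nodes in ((10_000, 3), (10_000, 5), (25_000, 5)):
        s = size_cluster(eps, 2, TOPICS, nodes)
        print(f"{eps:>6} EPS, {nodes} nodes: {s['per_node_data_bytes'] / 1e12:.2f} TB "
              f"data/node, {s['per_node_total_gb']} GB total/node, odd={s['odd_node_count']}")
```

Measure avg_event_bytes from a running connector (bytes written to the topic divided by records produced) rather than guessing; the same event is often 3-5x larger as Avro than as GZIP-compressed CEF, which is why each topic is sized on its own.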
MSSP

MSSP solution goals
• Managing different customers on the same platform
• Easy to implement
• Enable access using policies and permissions
• Separate data
• Flexible growth
• Full audit
• GDPR and compliance on privacy issues
Single ESM Server
Multiple ESM Servers
Network Model
Asset ranges - represent a set of network nodes addressable by a contiguous block of IP addresses.
Zones - represent portions of the network itself and are also characterized by a contiguous block of addresses.
Locations - describe the geographic location of assets, asset groups, or zones.
End point detection – Stage 2
Micro Focus Confidential
Network model example (diagram): customer Cyber_1 with one network containing the zones 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24, fed by connectors Con 1, Con 2 and Con 3; BYOD devices modelled as asset ranges; locations attached to the zones.
• Tagging is a feature developed mainly to support MSSP environments.
• The Customer designation identifies who owns the events. This ensures each customer (tenant) can view only its own events.
Customer tagging example (diagram): the same Cyber_1 network model (zones 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24; connectors Con 1, Con 2, Con 3) with the Customer designation layered over Zone, Network, Connectors, Raw data and Location.
Access Control Lists (ACLs)
• What you can see
• What you can do
MSSP content management guidelines
• Events
• Cases
• Reports
• Data Monitors
• Dashboards
• Notifications
• Rules
Managing storage groups
Storage rules route events by device group into a storage group; giving each customer's connectors their own storage group ensures all events from a connector go to the designated storage group, so tenant data is kept apart at rest and can carry its own retention period.
Rule: Event Counts Detected
Query: Daily Average EPS
Report 1: Daily EPS Usage for All Customers
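One way to see the network model, the Customer tagging and the EPS content above working together, as an added example that is not part of the slides or of ArcSight's own content. It parses CEF lines (handling escaped pipes and equals signs), keys zones per customer so two tenants can reuse the same private range, computes the daily average EPS per customer that the "Daily Average EPS" query and "Daily EPS Usage for All Customers" report produce, flags events whose source falls in no zone of the customer that tagged them, and filters a tenant's view to its own events. The sample events are constructed; the customerURI extension key (standing in for the connector's Customer URI setting) and the zone table are assumptions for illustration.

```python
"""Added example: tenant tagging, zone lookup and a daily EPS report over CEF.

Sample events are constructed. `customerURI` stands in for the customer a
connector tags its events with and ZONES for the ESM network model; both are
assumptions for illustration, not ArcSight's own schema or content.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

HEADER_SEP = re.compile(r"(?<!\\)\|")   # a pipe that is not escaped as \|
EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")  # start of an extension key=value pair
HEADER_KEYS = ("version", "vendor", "product", "dev_version",
               "sig_id", "name", "severity")


def _unescape_header(field):
    return field.replace(r"\|", "|").replace("\\\\", "\\")


def parse_cef(line):
    """Parse one CEF line; handles escaped '|' in the header and '=' in values."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = HEADER_SEP.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    rec = dict(zip(HEADER_KEYS, map(_unescape_header, parts[:7])))
    rec["version"] = rec["version"][len("CEF:"):]
    ext, hits = parts[7], list(EXT_KEY.finditer(parts[7]))
    rec["ext"] = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        rec["ext"][m.group(1)] = ext[m.end():end].strip().replace(r"\=", "=")
    return rec


# Customer -> zones, after the slide's Cyber_1 diagram (assumed values). Keying
# zones by customer lets two tenants reuse the same RFC 1918 range, which is why
# ESM places each customer's zones in its own Network.
ZONES = {
    "/All Customers/Cyber_1": {
        "Con 1": ipaddress.ip_network("10.0.1.0/24"),
        "Con 2": ipaddress.ip_network("10.0.2.0/24"),
        "Con 3": ipaddress.ip_network("10.0.3.0/24"),
    },
    "/All Customers/Cyber_2": {"Branch": ipaddress.ip_network("10.0.1.0/24")},
}


def check_zones(zones=ZONES):
    """Zones inside one customer's network must not overlap; raise if they do."""
    for customer, table in zones.items():
        nets = list(table.values())
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                if a.overlaps(b):
                    raise ValueError(f"{customer}: zones {a} and {b} overlap")
    return True


def zone_of(customer, ip, zones=ZONES):
    """Most specific zone containing `ip` in the customer's own network, else None."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, name) for name, net in zones.get(customer, {}).items()
            if addr in net]
    return max(hits)[1] if hits else None


def daily_eps_report(lines, zones=ZONES):
    """Average EPS per (customer, UTC day), plus events whose source lies in no
    zone of the customer that tagged them (a sign of a mis-tagged connector)."""
    counts, unzoned = defaultdict(int), []
    for line in lines:
        ext = parse_cef(line)["ext"]
        customer = ext.get("customerURI", "UNTAGGED")
        day = datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc).date().isoformat()
        counts[(customer, day)] += 1
        if customer != "UNTAGGED" and zone_of(customer, ext["src"], zones) is None:
            unzoned.append((customer, ext["src"]))
    report = {k: {"events": n, "avg_eps": n / 86400} for k, n in counts.items()}
    return report, unzoned


def tenant_view(lines, customer):
    """What a tenant analyst may see: only events tagged with its own customer URI."""
    return [l for l in lines if parse_cef(l)["ext"].get("customerURI") == customer]


# Constructed sample; rt is epoch milliseconds on 2024-01-15 UTC.
SAMPLE = [
    "CEF:0|Acme|FW|1.0|100|Allow \\| permit|3|rt=1705312800000 src=10.0.1.10 dst=8.8.8.8 customerURI=/All Customers/Cyber_1",
    "CEF:0|Acme|FW|1.0|100|Allow|3|rt=1705316400000 src=10.0.2.20 dst=1.1.1.1 msg=a\\=b customerURI=/All Customers/Cyber_1",
    "CEF:0|Acme|FW|1.0|200|Deny|7|rt=1705320000000 src=192.168.9.9 dst=10.0.3.5 customerURI=/All Customers/Cyber_1",
    "CEF:0|Acme|FW|1.0|100|Allow|3|rt=1705323600000 src=10.0.1.10 dst=9.9.9.9 customerURI=/All Customers/Cyber_2",
]

if __name__ == "__main__":
    check_zones()
    report, unzoned = daily_eps_report(SAMPLE)
    for (customer, day), row in sorted(report.items()):
        print(f"{day} {customer:<24} events={row['events']} avg_eps={row['avg_eps']:.6f}")
    print("source outside every zone of the tagging customer:", unzoned)
    print("Cyber_2 tenant sees", len(tenant_view(SAMPLE, "/All Customers/Cyber_2")), "event(s)")
```

The unzoned list is the check worth running in an MSSP: a connector tagged for one customer that forwards addresses outside every zone of that customer usually means a device was pointed at the wrong connector, and in ESM that would surface as another tenant's events under the wrong Customer.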
MSSP summary
• Flexible architecture
• Multi-tenant support
• Permissions (can see, can do)
• Storage separation
• Full audit log
• Data encryption for privacy
• Customer reports