ArcSight Activate framework - Hewlett Packard Enterprise

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

ArcSight Activate framework
Mary Karnes, Solutions Innovation Portfolio Manager
#HPProtect


A SIEM is the cornerstone of a security program

Currently a SIEM is the BEST (and often ONLY) way to:

• Manage risk (risk and compliance)

• Disrupt the adversary (look for bad guys)

44% have trouble managing their SIEM (eIQnetworks 2013 SIEM Survey)

#1 challenge: identification of key events (SANS 2012 Log Management and Event Management Survey)

34% have trouble writing rules (Information Week Report)

There are three main challenges with long-term SIEM maintenance

• Train and retain resources

• Maintain SIEM content

• Keep up with security challenges

Spaghetti content phenomenon

• Multi-generation/inconsistencies

• Hard to support

• Lots of rework

We’ve built a framework that will revolutionize SIEM engineering

HP’s Activate makes it easy to create, maintain, and mature your SIEM. This offering is designed to distill 10+ years of experience with SIEM deployments into what works best.

Train and retain Resources

• Standardized framework enables consistent and repeatable processes that reduce training time for new employees

• Sharable content facilitates technology use and knowledge transfer

Maintain SIEM Content

• Install packages drive fast deployment and efficient use of resources

• Common, reusable methodology to create content and rules

Keep up with Security challenges

• Guidance, advice, standard use cases, and content packages optimize catching the bad guy

• Documented common framework enables knowledge sharing of threats, trends and monitoring capabilities

Activate: people, process and technology

[Diagram: the Activate framework. Technology: Firewall, Router, Intrusion Detection, Web Server, Proxy, Server, ESM Server. People: Engineer, Level 1, Level 2, Incident Handler, Application, Network & System Owners, Business Stakeholders (KPIs & ROI). Process: Escalation, Resolution. Numbered flow 1-7.]

A mature SIEM solution

• Spend more time integrating people, process and technology

• Spend less time building with basic content

How does it work?

Activate includes three critical components

Technology: Foundational content with instructions and install packages for end-to-end integration.

• Installers

• Content Packages

Framework: Documentation and guidance for content development.

• Methodology

• Best Practices

• Standardization

• Customization

Services: Supplemental services offer a wide range of assistance to customers running a SIEM at different maturity levels.

• Install technology

• Train tech team

• Implement use cases

• Develop maturity roadmap

Useful for current users and new users alike

New customers: New ESM and Express customers benefit from quick ROI by focusing on SIEM integration rather than content development. They simply bypass all the basic use case research and development.

Struggling clients: External expertise is packaged and delivered while providing measures to handle customization. They can collaborate and share ideas with a community using a standard framework.

Anyone following an informed framework improves the community

Will work with your current deployment

Current content can exist side by side.

Current content: There may be some conflicts with internal components. These can be identified and resolved with minimal outage.

Corrective measures: If there are major issues regarding the architecture, content best practices or network modeling, rework might be required.

What is my return on investment?

Standardization and simplification result in cost savings

Success factors | Before | After | Comments
Time to train SIEM engineers | 6-18 months | 2-8 weeks | 65-95% reduction in training time
Use case implementation | months | days | 50-75% reduction in time to implement
Content portable and shareable | unavailable | available | Gain efficiencies over time
Weed out irrelevant logs | challenging | obvious | Reduction in storage costs
Use case efficiency | varies | standard | Able to catch more bad guys

Best practices = catching more bad guys

OK, but does it actually work? Do you have success stories?

An overview of a practical experience deploying Activate: case study of a beta client

Success

• Enabled inexperienced users to develop useful content in 3 days

• Accelerated return on value by 50%

• Reduced use case implementation time by 50%

• Content easier to understand

• More easily able to weed out irrelevant logs & collect relevant logs

Lessons learned

• Does not replace security know-how (forensics, packet analysis, understanding of indicators and warnings, event flow)

How can I get more details?

For more information

Attend these sessions

• TB3267 - Technical overview of the Activate Framework

• Activate workshop will be directly following Protect on Thursday afternoon and Friday all day

After the event

• Contact your sales rep

Speak to our experts

[email protected]@hp.com

[email protected]

Please give me your feedback

Please fill out a survey. Hand it to the door monitor on your way out.

Thank you for providing your feedback, which helps us enhance content for future events.

Session TT3266, Speaker: Mary Karnes

Thank you