Micro Focus Presentation Template · The Splunk Processing Language & ArcSight Interactive Search...
Transcript of Micro Focus Presentation Template · The Splunk Processing Language & ArcSight Interactive Search...
#MicroFocusCyberSummit
Data Simplicity:
Peter Titov – Micro Focus
ArcSight Data Platform enhances enterprise data via the Common Event Format
Usage What do we ask of our data?
Ingestion How do we get our data where it needs to go?
Management Where is the easiest place to manage data?
Solutions Why I can have my cake & eat it too.
3
Agenda
Smartconnector Ingest
ArcMC Manage
Event Broker Route
Logger Immutable storage
4
ADP: Hold up! Wait a minute.
What is ADP, what is included with it, and what is CEF?
CEF: Common Event Format
Normalized data
Ideal for real-time correlation
Ideal for known requests
Reports, dashboards, filters, lists, etc.…
Raw data
Ideal for hunting expeditions of the unknown
Compliance mandates
5
Normalized Data vs Raw Data: Usage
Normalization of Raw Data
Regardless of when the data is analyzed, normalization will occur in some fashion.
Data will be formatted
Data will be read
Data will be interpreted
Approaches to Normalization
Pre-ingest – Formatting
Parsing upstream, as close to the log source as possible
Weight of normalization is on the SmartConnector
Post-ingest – Modeling
Parsing downstream, as close to the log destination as possible
Weight of normalization is on the Indexer
6
Normalized Data vs Raw Data: Ingestion
Transport
Encrypt or obfuscate
Enrich
Aggregate
Secure
Under budget
7
Normalized Data vs Raw Data: Management
Events are lumped together
ArcSight fields are not indexed and/or inaccurately captured
Aggregated ArcSight data compounds this problem
Indexing terabytes of data is exceptionally costly
8
Normalized Data vs Raw Data: Challenges
9
Normalized Data vs Raw Data: Platform Solutions
Elastic
Splunk
Sumo
HDFS
ArcSight X-Pack
ArcSight Integrator
CEF Syslog Parsing
Data Lake vs Data Warehouse
Fully normalized data aligned to CEF via Logstash
Aggregate data for faster searching
Machine learning & analytics
Awesome visualizations via Kibana
Additional data routing and ETL capabilities
10
Platform Solutions: Elastic & ArcSight X-Pack
Best part: it's bundled with Elastic when installed!
Download and install Elastic:
https://www.elastic.co/downloads
Point ArcSight Connectors or Event Broker/Kafka to Logstash:
https://www.elastic.co/guide/en/logstash/current/arcsight-module.html
Helpful guide for beginning your journey:
https://community.softwaregrp.com/t5/ArcSight-User-Discussions/Elasticsearch-Installation-and-ArcSight-Module-Configuration/m-p/1616812
11
ADP & Elastic: Implementation
Fully normalized data aligned to CEF
Aggregating data to drastically reduce Splunk licensing
Splunk & ArcSight syntax similarities:
Share content quickly and easily between platforms
Increase efficiency of Splunk performance
12
Platform Solutions: Splunk & ArcSight Integrator
Simply add the ArcSight Integrator and point a CEF Syslog destination at it, or consume the CEF Kafka topic.
The Splunk Processing Language & ArcSight Interactive Search share many similarities
A unified schema enables the cross-pollination of query syntax, e.g.:
ArcSight
sourceAddress="10.0.0.1" | top destinationAddress
Splunk
index="arcsight" AND sourceAddress="10.0.0.1" | top destinationAddress
13
ADP & Splunk: Powerful Together
Reduce license utilization by 83% for one feed (from 9,000 to 1,500)
$1.35 million in savings from this one example*
14
ADP & Splunk: Aggregation Testimonial
*Based upon ESM License pricing
Add the ArcSight Technology Add-on (TA) for your ingest method:
Splunk_TA_ArcSight_Integrator_for_SmartConnectors
https://splunkbase.splunk.com/app/4133/
CEF Syslog Destinations
Splunk_TA_ArcSight_Integrator_for_EB_or_Kafka
https://splunkbase.splunk.com/app/4135/
Kafka topic of CEF data
https://splunkbase.splunk.com/app/4136/
Configure connectors to aggregate data per included instructions
Link to Protect724 for Splunk Add-On
15
ADP & Splunk: Implementation
Optional: Leverage the Splunk_SA_ArcSight_Integrator (Supporting Add-on) for CEF-based dashboards and queries
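As an added, runnable illustration of the two points made above (the shared query syntax and the aggregation that cuts licensed volume), here is a small Python script that is not code from the slides or from the ArcSight/Splunk add-ons. It parses constructed CEF syslog lines into ArcSight field names, applies SmartConnector-style field-based aggregation (identical events collapse into one record whose baseEventCount, the CEF cnt key, is the sum), and then runs the slide's sourceAddress="10.0.0.1" | top destinationAddress query over both the raw feed and the aggregated feed. The sample lines, the "Acme" device, and the AGG_KEYS field set are assumptions made for this example; the key-to-field table covers only a handful of CEF keys.

```python
"""Added example: parse CEF syslog lines, normalize them to ArcSight field
names, aggregate like a SmartConnector, then run the slide's query.
All sample lines below are constructed for this example."""
import re
from collections import Counter

# Subset of the CEF extension-key -> ArcSight field-name mapping.
CEF_KEY_TO_ARCSIGHT = {
    "src": "sourceAddress", "dst": "destinationAddress",
    "spt": "sourcePort", "dpt": "destinationPort",
    "proto": "transportProtocol", "act": "deviceAction",
    "msg": "message", "cnt": "baseEventCount",
}
# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
HEADER_FIELDS = ("cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
                 "deviceEventClassId", "name", "severity")
# Extension is "key=value key=value ..."; a value may contain spaces and runs
# until the next " key=" token or end of line; "=" inside a value is escaped as \=.
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)")
_UNESCAPE = {"\\|": "|", "\\=": "=", "\\\\": "\\"}
# Assumed aggregation key set (a SmartConnector lets you choose the fields).
AGG_KEYS = ("deviceVendor", "deviceProduct", "deviceEventClassId",
            "sourceAddress", "destinationAddress", "destinationPort", "deviceAction")


def _unescape(value):
    return re.sub(r"\\[|=\\]", lambda m: _UNESCAPE[m.group(0)], value)


def parse_cef(line):
    """Normalize one syslog line carrying CEF; return None for non-CEF lines."""
    start = line.find("CEF:")
    if start < 0:
        return None
    # Split the header on unescaped pipes only; the 8th part is the extension.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        return None
    event = {f: _unescape(v) for f, v in zip(HEADER_FIELDS, parts[:7])}
    for key, value in EXT_RE.findall(parts[7].strip()):
        event[CEF_KEY_TO_ARCSIGHT.get(key, key)] = _unescape(value)
    # cnt is the number of raw events already folded into this record (default 1).
    event["baseEventCount"] = int(event.get("baseEventCount", 1))
    return event


def load(text):
    return [e for e in map(parse_cef, text.splitlines()) if e]


def aggregate(events, keys=AGG_KEYS):
    """Field-based aggregation: events identical in `keys` collapse into one
    record whose baseEventCount is the sum; fewer records means less indexed volume."""
    buckets = {}
    for e in events:
        k = tuple(e.get(f) for f in keys)
        if k in buckets:
            buckets[k]["baseEventCount"] += e["baseEventCount"]
        else:
            buckets[k] = dict(e)
    return list(buckets.values())


def search(events, **where):
    """Left side of the pipe: field=value filters."""
    return [e for e in events if all(e.get(f) == v for f, v in where.items())]


def top(events, field):
    """`| top <field>`, weighting each record by baseEventCount so that the
    aggregated feed answers exactly like the raw feed."""
    counts = Counter()
    for e in events:
        counts[e.get(field)] += e["baseEventCount"]
    return counts.most_common()


# Constructed sample feed: a firewall emitting CEF over syslog. Line 5 was already
# aggregated by the connector (cnt=4); line 7 uses header and extension escapes;
# line 8 is not CEF and must be skipped.
SAMPLE_SYSLOG = """\
<134>Jan 10 10:00:01 fw01 CEF:0|Acme|Edge Firewall|3.1|100|Connection denied|5|src=10.0.0.1 dst=10.0.0.5 spt=51000 dpt=445 proto=TCP act=blocked msg=SMB from workstation
<134>Jan 10 10:00:02 fw01 CEF:0|Acme|Edge Firewall|3.1|100|Connection denied|5|src=10.0.0.1 dst=10.0.0.5 spt=51001 dpt=445 proto=TCP act=blocked msg=SMB from workstation
<134>Jan 10 10:00:02 fw01 CEF:0|Acme|Edge Firewall|3.1|100|Connection denied|5|src=10.0.0.1 dst=10.0.0.5 spt=51002 dpt=445 proto=TCP act=blocked msg=SMB from workstation
<134>Jan 10 10:00:03 fw01 CEF:0|Acme|Edge Firewall|3.1|100|Connection denied|5|src=10.0.0.1 dst=10.0.0.9 spt=51003 dpt=22 proto=TCP act=blocked msg=SSH from workstation
<134>Jan 10 10:00:04 fw01 CEF:0|Acme|Edge Firewall|3.1|100|Connection denied|5|src=10.0.0.1 dst=10.0.0.9 spt=51004 dpt=22 proto=TCP act=blocked cnt=4 msg=SSH from workstation
<134>Jan 10 10:00:05 fw01 CEF:0|Acme|Edge Firewall|3.1|101|Connection allowed|2|src=10.0.0.7 dst=10.0.0.5 spt=40000 dpt=445 proto=TCP act=allowed msg=SMB from file server
<134>Jan 10 10:00:06 fw01 CEF:0|Acme|Edge \\| Branch|3.1|100|Connection denied|5|src=10.0.0.1 dst=10.0.0.5 spt=51005 dpt=445 proto=TCP act=blocked msg=SMB key\\=value test
not a cef line at all
"""


def demo():
    raw = load(SAMPLE_SYSLOG)
    agg = aggregate(raw)
    query = {"sourceAddress": "10.0.0.1"}  # the slide's filter
    return {
        "raw_events": len(raw),
        "aggregated_events": len(agg),
        "top_raw": top(search(raw, **query), "destinationAddress"),
        "top_aggregated": top(search(agg, **query), "destinationAddress"),
    }


if __name__ == "__main__":
    print(demo())
```

On the constructed feed, seven CEF records collapse to four after aggregation, yet `top destinationAddress` returns the same ranked counts from either feed, because the query weights each record by baseEventCount. That weighting is the check to make when moving aggregated ArcSight data into Splunk or Elastic: a `top`, `stats count` or dashboard that counts records instead of summing the count field will under-report by exactly the factor aggregation saved you.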
Fully normalized data aligned to CEF
Aggregating data to reduce Sumo licensing
Increase efficiency of Sumo performance
16
Platform Solutions: Sumo & CEF Syslog
17
Platform Solutions: HDFS Data Warehouse
Data Lake Data Warehouse
When platforms collaborate:
They become a force multiplier for their customers
Everyone wins: users have faster searches AND managers have lower costs.
Big data means thinking big and looking at the big picture.
18
Final Thoughts
At the end of the day, we are all on the same team:
Thank You.
Contact: Peter [email protected]@gmail.com, (412) 720-7938