Selling HP ArcSight Information Security Solutions Self-Enablement Guide Version 1.0
2012 HP Restricted. This document contains confidential and/or legally privileged information. It is intended for HP and Channel Partner Internal Use only. If you are not an intended recipient as identified on the front cover of this document, you are strictly prohibited from reviewing, redistributing, disseminating, or in any other way using or relying on the contents of this document.
Contents

Introduction ... 4
HP ESP Overview ... 5
  Key security trends ... 5
    The rise of the cyber threat ... 5
    Disruptive technology trends ... 5
  The ESP Value Proposition ... 6
    Security Intelligence and Risk Management platform ... 6
    The holistic approach ... 6
    Enterprise security priorities ... 7
    The HP Enterprise Security vision ... 7
  The security areas in which ESP is active ... 8
    The HP ArcSight Solution ... 8
    HP Fortify Software Security Center ... 8
    HP TippingPoint Network Defense System ... 9
  Security and Threat Research ... 9
    Leading Security Research ... 9
Business Drivers / HP ArcSight Value Proposition ... 10
  Technology and business background ... 10
  The challenge customers face ... 10
  The challenge: No point of control ... 10
  HP ArcSight Value Proposition ... 10
    Elevator Pitch for HP ArcSight ... 10
    Where HP ArcSight will add value ... 11
    The new way to reduce risk ... 11
  Three things HP ArcSight does better than anyone else ... 11
    Collect ... 12
    Consolidation ... 12
    Correlation ... 12
  Collaboration ... 13
  HP ArcSight Business Drivers ... 13
    IT Operations Drivers ... 14
    Compliance Drivers ... 14
    Security Drivers ... 15
Describe the Solution ... 16
  HP ArcSight Logger ... 16
    HP ArcSight Logger Elevator Pitch ... 16
    Universal Data Collection ... 16
    Intelligent Analysis Engine ... 16
    Performance without Compromise ... 17
  HP ArcSight Express ... 18
    ... 18
    Universal Data Collection ... 19
    Connectors: Quantity and Quality Collection ... 19
    Intelligent Threat and Risk Detection ... 20
    Meaningful Response ... 20
  ESM ... 22
    ESM Anatomy ... 22
    Smart Connectors ... 23
    Connector Appliance ... 23
    ESM Manager ... 24
    ESM Database ... 24
  EnterpriseView ... 25
    EnterpriseView Elevator Pitch ... 25
Qualify the Solution ... 26
  Qualification questions & pain points ... 26
    Universal Pain Points ... 26
    Questions leading to HP ArcSight Logger ... 26
    Questions leading to ESM/HP ArcSight Express ... 27
  HP footprint: cross-HP Software Sales plays ... 28
    HP ArcSight Logger to BSM ... 28
  HP ArcSight Logger to BSM qualifying questions ... 29
Competitive Landscape ... 30
  Competitive analysis ... 30
    Gartner Magic Quadrant for SIEM (May 2012) ... 30
    Top Competitors, their strengths and their attack angles ... 31
    Competitors: Log Management ... 31
    Competitors: SIEM ... 32
    Competitors: Suite ... 33
  Handling common objections ... 34
    Common Objections or FUD (Fear, Uncertainty, and Doubt) ... 34
Demonstrate unique business value and build a proposal ... 35
  Main case studies ... 35
    Foxconn / Hon Hai ... 35
  Customer references ... 36
  Proof points ... 36
    Proof Points ... 36
  Business justification ... 37
    IdentityView ... 37
    Compliance Insight Packages (CIP) ... 38
  Unique differentiators for Logger ... 39
    Key Performance Indicators (KPIs) ... 40
  Pricing/licensing model ... 43
    Breaking down the project ... 43
    Top-down approach ... 43
    Pricing & Licenses ... 44
    Evaluation/Demo Version ... 45
  Additional resources ... 46
Introduction

This Self-Enablement Guide is designed to help you prepare for meeting with customers and selling HP ArcSight. This guide will help you understand HP ArcSight and deliver the right messages. This guide will also prepare you for successfully completing the HP certification. After completing this guide, you will be able to:
• Recognize key security trends and the security areas ESP is active in
• Explain the ESP Solution/Value Proposition
• Understand the challenge customers face
• Identify HP ArcSight Value Propositions
• Understand the three things HP ArcSight does better than anyone else
• Describe HP ArcSight Business Drivers
• Describe the HP ArcSight Solution
• Identify, describe, and categorize qualification questions
• Leverage the HP footprint: cross-HP Software Sales plays
• Identify competitors and perform basic competitive analysis
• Demonstrate capability to handle common objections
• Demonstrate unique business value and build a proposal
• Demonstrate knowledge of pricing/licensing models
HP ArcSight collects, analyzes and correlates your security data to give you better visibility into your risk.
HP ESP Overview

Key security trends

The rise of the cyber threat
Few people would deny that enterprises and governments are facing the most aggressive threat environment in their history. Make no mistake: the adversaries have become smarter, better organized, and more persistent as they look to gain information capital and IP. There is a sense that the number of cyber threats is proliferating faster than companies can defend against them. Many enterprises and governments have been the target of very sophisticated and targeted attacks, attacks which have caused profound and wide-reaching change for both users and organizations.
• A survey conducted recently by Coleman Parkes on behalf of HP provides some telling insights from senior business and technology executives.
• Currently less than 1/3 of them believe their organization is well defended against threats.
• Threats can be internal as well as external. 29% of technology executives said their organizations had been breached internally and 20% of technology executives said that a breach happened more than once.
• From an external breach perspective, the numbers are slightly lower. But still, more than 1 in 10 technology execs said they had suffered a breach from unauthorized external access.
• While the stories in the press focus on singular high profile breaches, it is clear that there are many more occurrences that are not reported.

Disruptive technology trends
In the Instant-On enterprise, there’s an increased drive to adopt new technologies, around devices and data in particular. These trends also mean that the traditional corporate perimeter, with clearly identifiable boundaries, has diminished. Further compounding this situation is the rapid rise of security compliance, and all of this leads to complexity in the business. Complexity often yields significant blind spots within an organization and forces its security controls to be reactive to the latest threat or fire drill.
Moving security to the next level means facing these rising challenges. Effective security should be incorporated into processes throughout an enterprise, not just on the perimeter. We work with our clients to help them take a proactive, risk-based approach. We call this SECURITY 2.0.

The ESP Value Proposition

Security Intelligence and Risk Management platform
HP Business Service Automation (BSA) lets customers track their compliance state across servers and networks and helps manage their virtualized environments. It mines data from HP Server Automation, HP Network Automation, and HP Operations Orchestration. The players in this area include:
• Vulnerability Management: McAfee, Symantec, Nessus, Qualys
• Asset Profiling: real time from HP ArcSight ESM, HP uCMDB or CSV file
• Risk Management: user input

The holistic approach
HP has a holistic approach to reducing risk. The proactive risk reduction approach is used to increase security by:
• seeing everything
• providing context
• acting appropriately
Enterprise security priorities
HP Security solutions address the priorities that our customers are grappling with, including:
• Managing information risk: being able to see the threats that cause risk.
• Protecting against cyber threats: having intelligence to combat complex threats.
• Improving reaction time when an incident does occur: having the right process, and smart automation.
• Spending wisely on security: having the experience to know where to concentrate the money and resources; putting resources where they matter most.
• Achieving compliance: understanding industry and customer requirements, geographical concerns.

The HP Enterprise Security vision
The HP Enterprise Security vision must:
• be driven by business priorities
• “see everything” in the context of business processes and enable fast, efficient resource prioritization
• deliver standalone and intelligently integrated solutions
• achieve compliance goals and manage security costs
[Figure: HP Products & Services, “One Team, One Vision to Assure”: HP ArcSight (Log Management), HP Fortify (Application Security), HP TippingPoint (Network Security), DVLabs (Threat Research)]
The security areas in which ESP is active

The HP ArcSight Solution
The HP ArcSight solution architecture is a comprehensive platform for monitoring modern threats and risks, augmented by services expertise and the most advanced security user community, Protect724. It assures customers can:
• Establish complete visibility
• Analyze events in real time to deliver insight
• Respond quickly to prevent loss
• Measure security effectiveness across people, process and technology
The HP ArcSight solution gives organizations the ability to collect information from any device, any time, anywhere to ensure they have complete enterprise security visibility. What’s more, HP ArcSight is supported by the revolutionary CORR Engine, which delivers industry-leading correlation speeds with significant storage requirement decreases from prior versions. The HP ArcSight solution allows staff to capture logs, correlate events, monitor applications, check for fraud and manage users and controls. Focusing on turning information into intelligence, the HP ArcSight solution stands apart in the industry.
HP Fortify Software Security Center
HP Fortify provides advanced technologies to ensure applications are secure. HP Fortify inspects applications at the source code level (static testing) and while they are running (dynamic testing). It identifies and eliminates risk in existing applications and prevents the introduction of risk during application development, in-house or from vendors.
• Protects business critical applications from advanced cyber attacks by removing security vulnerabilities from software
• Accelerates time-to-value for achieving secure applications
• Increases development productivity by enabling security to be built into software, rather than added on after it is deployed
• Delivers risk intelligence from application development to improve operational security
HP Fortify supports more languages than any other application security vendor, with significant strengths in the area of mobile application security. But it’s not just built for custom applications: HP Fortify can determine if vulnerabilities exist in commercial, custom and open source activities. Fortify can be delivered as purchased software or as a service. With unmatched flexibility and depth of coverage, HP Fortify ensures organizations have a world class application security program in place.
HP TippingPoint Network Defense System
HP TippingPoint is a complete set of security solutions that address today's advanced security threats at the perimeter and core of a business. It provides:
• Scalable infrastructure to address current and future security deployment models (NGIPS)
• Dynamic analytics and policy deployment with real time management (NG Mgmt)
• Predictive intelligence to proactively address current and future threat activity (DV Labs)

Security and Threat Research

Leading Security Research
Security effectiveness is only as good as the security research behind it. HP’s global security research:
• Collects network and security data from around the globe.
• Partners with other leading research organizations like SANS, CERT and NIST to consolidate security intelligence, resulting in the most advanced intelligence network anywhere in the world.
• Is a collaborative effort of market leading HP teams: DV Labs, HP ArcSight, Fortify, HP Labs, and Application Security Center.
• Continuously finds more vulnerabilities than the rest of the market combined; HP discovers 4-6 times more software vulnerabilities than other IPS and NGFW vendors.

DVLabs
In addition to HP’s own in-house security researchers, DVLabs (the industry leader for years) manages the Zero Day Initiative (ZDI), a global organization of researchers constantly looking for new application vulnerabilities.
• 1,500+ researchers registered
• Typical profile: male, teen to mid-twenties, hobbyist
• 3,400+ 0-day vulnerabilities submitted by these researchers
• 1,100+ 0-day vulnerabilities purchased (30+%)

ThreatLinQ Security Portal
Over 2,000 customers leverage and contribute information to HP’s ThreatLinQ security portal. ThreatLinQ houses up-to-the-minute security information from around the globe that customers have access to 24 hours a day, 7 days a week.
Business Drivers / HP ArcSight Value Proposition

Technology and business background

The challenge customers face
Our customers face huge shifts in IT, moving to the cloud and handling what’s often called the consumerization of IT, that is, using the devices and services at work that they use at home. For IT departments, this means staying secure while fundamentally rebuilding the platforms on which they operate. Customers want to move from the traditional IT stack to a modern cloud architecture (Infrastructure as a Service, Platform as a Service, or Software as a Service) to take advantage of cost and agility improvements.

The challenge: No point of control
HP ArcSight prospects typically all have these similar challenges:
• Millions of events generated per day
• No central point of collection and analysis for these events
• Too difficult to manage security and risk

HP ArcSight Value Proposition

Elevator Pitch for HP ArcSight
HP ArcSight is the industry leading security information and event management (SIEM) solution for collecting, consolidating, and correlating enterprise-wide security events, in order to rapidly identify, prioritize and respond to cyber security attacks and insider threats, and to streamline regulatory compliance.
Where HP ArcSight will add value
HP ArcSight will add value in:
• Security Incident Detection (APT as well)
• Integration of Security into existing Incident Management Processes
• Measuring security KPIs and KRIs
• Monitoring Controls (Compliance)
• Delivering information for GRC solution

The new way to reduce risk
Proactive Risk Reduction means you:
• See everything in both Security and IT Ops
• Provide Context
• Act Appropriately

[Figure: two columns. SECURITY: User Provisioning, Identity & Access Mgmt, Database Encryption, Anti-Virus/Endpoint, Firewall/IDS/IPS. IT OPERATIONS: User Management, App Lifecycle Mgmt, Information Mgmt, Operations Mgmt, Network Mgmt]
Three things HP ArcSight does better than anyone else
HP ArcSight does three things better than anyone:
• Collect events from any system or application
• Consolidate using Universal Log Management
• Cutting edge threat analysis via advanced correlation, packaged in a simple and automated form

Collect
HP ArcSight enables organizations to collect information from anything and everything, safely and securely. HP maintains hundreds of prebuilt connectors off the shelf. You can keep it raw or parse it for better analysis, your choice. Most importantly, you can extend this collection to any new type of device whenever you need to, even without HP’s involvement, using our toolkit. This means that the choices you make today for monitoring won’t limit your information strategy tomorrow.
Consolidation
HP ArcSight provides an enterprise wide log management solution. HP ArcSight lets organizations deploy one solution to manage all the enterprise-wide log data that is collected. Consolidation yields these results:
• Universal Log Management of any data to support IT operations, security, compliance and application development
• Search and report on years of data to investigate outages and incidents quickly and easily
• Complete management of any data to support security, compliance and IT operations
• Cut SAN/storage cost with cheap, simple management of petabytes of log data
• The ability to scale to meet the needs of compliance, security, IT Operations, and applications by adding multiple Loggers
The platform supports management of raw and structured data for any type of usage in any department. Store, search and report on years’ worth of data very quickly and dramatically cut the cost of storing years of data using HP’s leading compression and storage mechanisms.
Correlation
The HP ArcSight Correlation Engine (CORR) allows organizations to:
• Identify modern advanced threats through pattern recognition and anomaly detection
• Analyze roles, identities, histories and trends to detect business risk violations
• Use Identity Correlation to correlate common identifiers such as email address, badge ID and phone number
• Find very subtle and sophisticated threats with ThreatDetector
• Get smarter: the more you collect, the smarter the system gets
HP ArcSight uses modern techniques to detect modern cybercrime. These include HP’s patented ThreatDetector engine, a pattern matching and anomaly detection system which can find very subtle and sophisticated threats including zero-day outbreaks and fraud. It includes correlating user roles and trends to determine who is violating policies and putting the business at risk.
HP is the only company that can correlate across who-what-where, that is, roles, logs and flows, to understand not only what’s happening but whether it’s really a problem. And the best part is that the more information you collect and store, the smarter the system gets. The net result is that with HP ArcSight you can detect, and therefore prevent, not only the basic stuff, but especially the attacks that you can’t predict. Customers use HP ArcSight not only to defend against the worst attacks, but also to improve their overall compliance and operations.
Collaboration HP ArcSight also incorporates application security from HP Fortify and integrates reputation data from HP DVLabs. Use its Cloud Connections Program to get visibility into cloud data in addition to physical and virtual layers. It also provides bi-directional integration with HP BSM products.
HP ArcSight Business Drivers
The main audience for HP ArcSight is the CIO/CISO, Compliance, Network Engineering, and IT Operations. They are driven by:
• The need to expand security metrics business-wide
• The need to manage risk information of new architectures like cloud (e.g. PaaS, IaaS) or mobile
• Regulatory issues with security monitoring information
• Compliance project or audit failure based on lack of information
• The realization: we have too much data and need effective correlation to prioritize
IT Operations Drivers
When talking with IT Operations, it is important to be aware of their key concerns and what they need to know.
Key concerns that HP ArcSight can address:
• Main driver: troubleshooting
• What users and equipment are affected?
• What is the level of degradation in my environment?
What IT Operations needs to know:
• Searches for specific strings, checking flows and debug logs
• Some alerting based on information in the event
• Some reporting based on management requirements or SLAs

System and User Impact
When talking about IT Operations we mainly talk about availability. When any of these problems affects the IT environment, it is possible that business critical systems and users are impacted, either through performance degradation or by being completely off-line. This has a severe effect on business operations, impacting both revenue and the bottom line.

Detecting fraud
There are also special SIEM drivers you may see when talking to customers. One concern is always that somebody internally is behaving in a malicious manner. HP ArcSight’s User Monitoring can be used to detect internal fraud. This solution helps understand who is in an organization’s network and what they are doing. Privileged user monitoring is a typical use case here, as well as shared user account monitoring. Another concern may be transactional fraud. This can be fraud in online banking, insurance or even gambling. It can be anything where transactional business data is involved.
Compliance Drivers
Monitoring approaches affect compliance and can lead to failed audits, fines and penalties for three reasons.
Manual monitoring approaches:
• Error prone, labor intensive, blind spots
• Impossible to ensure continuous compliance and protect against the breach
Semi-automated monitoring approaches:
• Discrete/disjointed auditing process
• Error-prone and not continuous
Automated monitoring approaches:
• Capture all logs
• Direct event feeds
• Are the least intrusive, most comprehensive approach to continuous audit coverage
Security Drivers
The tools security engages to combat bot, worm and virus attacks, hackers and VPN sneak attacks include:
• User Provisioning
• Identity & Access Mgmt
• Database Encryption
• Anti-Virus, Endpoint
• Firewall, Email Security

Bot, Worm and Virus attacks
Viruses are a constant threat to corporations. It is essential to know:
• What malware is infiltrating my environment and how is it propagating?
• Is my AntiVirus system able to mitigate malware threats?

Hacker Detection
Organizations need to know:
• Who is attacking me and where are they attacking from?
• Which of my internal systems are they attacking?

VPN Sneak Attacks
Businesses have to allow remote users to access internal systems, but at the same time cannot control the sources of access. Organizations need to know:
• Where are my remote users coming from and what are they accessing?
• Are the remote computers secure and up-to-date?
Describe the Solution
HP ArcSight Logger
HP ArcSight Logger Elevator Pitch
ArcSight Logger is a Universal Log Management solution that can Collect Everything, Analyze Anything and can be Used Anywhere. It unifies searching, reporting, alerting and analysis across ANY type of enterprise log data. It supports multiple deployment options and can be installed as an appliance and as software.
HP ArcSight Logger
• unifies searching, reporting, alerting and analysis across any type of enterprise log data
• supports multiple deployment options and can be installed as an appliance and as software
• is optimized for extremely high event throughput
• stores security events onboard in compressed form
• can be deployed stand-alone to receive events from syslog messages or log files, or to receive events in Common Event Format from SmartConnectors
• can forward selected events as syslog messages or to ESM
• can work together (multiple Loggers) to scale up to support high sustained input rates.
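The stand-alone mode above receives events in Common Event Format (CEF) from SmartConnectors. The parser below is an added example, not part of this guide or of the ArcSight products; it shows what a CEF receiver has to handle: seven pipe-delimited header fields (where `\|` and `\\` are escapes) followed by a space-separated extension whose values may contain spaces and escaped `=` signs, optionally wrapped in a syslog header. The sample record, its vendor and product names and its addresses are constructed.

```python
import re

# CEF record layout, as emitted by SmartConnectors and consumed by Logger:
#   CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Escapes that are valid inside extension values.
_EXT_ESCAPES = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}

# A key is a run of non-space, non-'=' characters at the start of the extension or
# after whitespace, immediately followed by '='. An escaped '\=' inside a value never
# matches because the backslash is excluded from key characters.
_KEY_RE = re.compile(r"(?:^|\s)([^\s=\\]+)=")


def _split_header(text):
    """Return the seven header fields (unescaped) and the raw extension.
    Only '\\|' and '\\\\' are escapes in the header; the extension is left raw
    because it uses its own escape rules."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header must have 7 '|'-separated fields")
    return fields, text[i:]


def _unescape_ext(value):
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in _EXT_ESCAPES:
            out.append(_EXT_ESCAPES[value[i + 1]])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_extension(ext):
    """Values may contain spaces, so each value runs up to the next 'key=' token."""
    matches = list(_KEY_RE.finditer(ext))
    result = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return result


def parse_cef(line):
    """Parse one CEF record, with or without a syslog header in front of 'CEF:'."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    fields, ext = _split_header(line[start + 4:].rstrip("\r\n"))
    event = dict(zip(HEADER_FIELDS, fields))
    event["version"] = int(event["version"])
    event["extension"] = parse_extension(ext)
    return event


# Constructed sample record (vendor, product and addresses are made up); the name
# field carries an escaped pipe and the msg value an escaped '='.
SAMPLE = ("CEF:0|Example Corp|Example FW|1.2|100|Blocked inbound \\| connection|7|"
          "src=10.0.0.5 dst=192.0.2.10 dpt=22 act=blocked msg=rule\\=deny-ssh hit")
SAMPLE_SYSLOG = "<134>Jun  1 13:00:00 connector1 " + SAMPLE

if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    print(ev["device_product"], ev["signature_id"], ev["name"], ev["severity"])
    print(ev["extension"])
```

The header is split character by character rather than with `split("|")` because a product or signature name may legitimately contain an escaped pipe; splitting naively would shift every later field, including the severity.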
Universal Data Collection
HP ArcSight Logger enables organizations to collect information from anything and everything, safely and securely. HP maintains hundreds of prebuilt connectors off the shelf. Organizations can keep data raw or parse it for better analysis. Most importantly, you can extend this collection to any new type of device whenever you need to, even without our involvement, using HP’s toolkit. This means that the choices you make today for monitoring won’t limit your information strategy tomorrow.
• Collect events from any device
• Broadest coverage (300+ sources out of the box) and raw data feeds
• Extend to new data types whenever needed, without HP ArcSight involvement
Intelligent Analysis Engine
HP ArcSight’s Intelligent Analysis Engine provides enterprise-wide log management to handle all the data that you collect. The platform supports management of raw and structured data for any type of usage in any department. You can store, search and report on years’ worth of data very quickly, and you can dramatically cut the cost of storing that data using our leading compression and storage mechanisms.
• Deploy a single solution to manage all log data across your enterprise
• Google-like search interface for any structured or unstructured logs
• Top-down or bottom-up analysis
• Pre-packaged content with forensics on the fly capability
Why does this matter? The questions managers now ask require information that cuts across departments. For example, when investigating a breach, you may find that a user visited a site and inadvertently downloaded malware, which then stole credentials, accessed a database, queried credit card records, phoned home and sent out the numbers. To see this, you need logs from your web team, IT, security, identity management, etc. You need universal log management.
Performance without Compromise
A key benefit of HP ArcSight Logger is that you can Use it Everywhere, providing cutting edge threat analysis via advanced correlation, packaged in a simple and automated form. HP uses modern techniques to detect modern cybercrime. These include our patented ThreatDetector engine, a pattern matching and anomaly detection system which can find very subtle and sophisticated threats including zero-day outbreaks and fraud. It includes correlating user roles and trends to determine who is violating policies and putting the business at risk. It offers:
• Multiple deployment options – appliance, software, virtual or within cloud
• Fast collection
• Storage efficiency and deployment flexibility
• Quick analysis
HP is the only company that can correlate across WHO-WHAT-WHERE, that is, roles, logs and flows, to understand not only what’s happening but if it’s really a problem. And the best part is that the more information you collect and store, the smarter the system gets. The net result is that with HP ArcSight, you can detect and therefore prevent not only the basic stuff, but especially the attacks that you can’t predict.
HP ArcSight Express
HP ArcSight Express is a separately licensed Security Information and Event Management (SIEM) appliance that provides the essentials for network perimeter and security monitoring by leveraging the superior correlation capabilities of HP ArcSight ESM in combination with an HP ArcSight Logger storage appliance. HP ArcSight Express delivers an easy-to-deploy, enterprise-level security monitoring and response system through a series of coordinated resources, such as dashboards, rules, and reports included as part of HP ArcSight Express Content. HP ArcSight Express does these three things better than anyone.
The ESM portion of the HP ArcSight Express solution comes with a series of coordinated resource systems that address common enterprise network security and HP ArcSight administration tasks. These resource systems are referred to collectively as HP ArcSight Express content. With some basic configuration done using the ESM Console, HP ArcSight Express content enables you to get started using HP ArcSight Express right away to effectively manage enterprise security operations without having to create additional resources. HP ArcSight’s Correlation Optimized Retention and Retrieval (CORR) Engine is a breakthrough technology that delivers orders of magnitude improvement in log correlation and storage, helping security administrators thwart the complex threats they face today. Using HP ArcSight Express, administrators and analysts are able to:
Detect more incidents
• The new architecture will allow event correlation rates of up to 5x the current performance using the same hardware.
Address more data
• The new architecture will enable storage capacity of up to 10x the current capacity for correlated events using the same disk space.
Operate more efficiently
• The use of a common data store allows both the real-time correlation application and the log management application to use the same set of data, providing a seamless workflow that includes detection, alerting, and forensic analysis and reporting.
Universal Data Collection
Organizations archive and analyze log data for a broad set of reasons ranging from security monitoring to IT operations, and from regulatory compliance to fraud detection. An effective log collection infrastructure layer simplifies and optimizes the aggregation of logs across thousands of devices and hundreds of locations. It serves as the foundation of log management and security information and event management (SIEM) platforms. HP ArcSight Express can:
• Collect events from any system, application or device in your environment, including raw data, normalized and categorized events for improved analysis
• Extend to new event sources whenever needed, without HP ArcSight involvement
HP ArcSight Connector technology addresses these core challenges through a powerful log aggregation and optimization interface layer that also represents the foundation for its broader log management and SIEM platform.
Connectors: Quantity and Quality Collection
HP ArcSight has the largest library of Connectors, supporting more products, from more vendors in more categories than any other SIEM vendor. HP’s out of the box Connectors support a wide range of technologies, from security to compliance to IT operations. And this list does not include those Connectors created by our customers and partners using our FlexConnector. Customers have developed their own connectors using the FlexConnector, for everything from physical building security badge readers, to telephone PBX and fax systems. The benefits to our HP customers include:
• Fast, low-cost deployments; no need to develop these Connectors
• Customers can easily leverage best-of-breed technologies
• Not only the largest quantity of vendors and products, but heavy focus on the quality of that collection
• A single pane of glass, HP ArcSight Express, supporting the broadest set of inputs in the industry
• Multi-pronged collection strategy; customers are not reliant on the SIEM vendor
The systems and applications in an organization’s environment log their events in different formats. Even when devices use a common log transport, such as routers and switches using syslog, the events from each product and vendor are still formatted differently. One of the primary functions of the HP ArcSight Connector is to normalize this event data and categorize events using a common, human-readable format.
Intelligent Threat and Risk Detection
HP ArcSight Express correlates seemingly unrelated events using the most advanced real-time correlation techniques. By correlating disparate events from disparate event sources, it can detect even the most subtle attacks. With deep understanding of users and roles, network activities and flows, HP ArcSight Express is uniquely able to understand:
• who is on the network
• what data they are seeing
• which actions they are taking with that data
• how that affects business risk
HP ArcSight Express can then apply modern techniques including pattern recognition and behavioral analysis to detect the sophisticated threats that are hurting organizations every day. As a result, organizations can cut through millions of events to focus on the most critical incidents affecting them. This provides better security and faster response with fewer resources. Traditional SIEM vendors focus on some of the basics of correlation, including event, threshold and statistical correlation. While these are important building blocks of correlation, HP ArcSight Express goes far beyond them with a robust and mature correlation engine. HP ArcSight Express also packages out-of-the-box content for common use cases: the rules, reports, alerts and dashboards for a wide variety of common problems faced by IT staff (network visibility, security, privileged user monitoring and sensitive data protection), so staff do not have to spend weeks and months to realize value out of HP ArcSight Express.
Meaningful Response
HP ArcSight Express offers a range of features that ensure fast, convenient and intuitive access to information.
• Integrated notifications, case management and workflow
• Complete reporting and documentation of all activities
• Automated response to threats, risks, and compliance violations
Dashboards
Customizable and graphically rich dashboards provide business and technical views that are tailored to deliver insights to the appropriate individuals in the organization. The reporting framework makes business-level reporting easy through both standard and customizable templates for compliance status, business risk and user profiling. The HP ArcSight Express console provides a single view of a company’s status based on validated attacks and business risk, while geographic and network map views allow users to maintain awareness in areas of their organizational responsibility. Once threats and risks are identified, HP ArcSight Express uses its built-in workflow engine to manage incidents, prevent damage and respond appropriately.
• Real-Time Alerting and Notifications
• Analyze and Investigate
• Powerful and Flexible Reporting
• Built-In Workflow
• Threat Response
With HP ArcSight, threat response is fast, flexible, and effective; HP provides the right response for the right impact.
ESM Anatomy
HP ArcSight ESM consists of several separately installable components that work together to process event data from networks. These components connect to a network via sensors that report to ESM SmartConnectors. SmartConnectors translate a multitude of device output into a normalized ESM schema that becomes the starting point for ESM correlation capabilities. The graphic below illustrates ESM’s basic components and additional HP ArcSight products that manage event flow, facilitate event analysis, and provide centralized network management and incident response. These components are described in the following pages.
Individual SmartConnectors and/or a Connector Appliance gather and process event data from network devices and pass it to the Manager. The ESM Manager processes and stores event data into the ESM Database. Users interact with ESM using the ESM Console or ArcSight Web. A comprehensive series of optional products provide forensic-quality log management, network management and instant remediation, regulatory compliance, and advanced event analysis.
SmartConnectors
SmartConnectors are the interface to the objects on a network that generate ESM-relevant data. They collect event data from network nodes, and then normalize the data in two ways: first they normalize values (such as severity, priority, and time zone) into a common format, and then they normalize the data structure into a common schema. SmartConnectors can then filter and aggregate events to reduce the volume of events sent to the ESM Manager, which increases ESM’s efficiency and accuracy, and reduces event processing time. SmartConnectors support commands that alter the source and/or execute commands on the local host, such as instructing a scanner to run a scan. SmartConnectors also add information to the data they gather, such as resolving IP addresses and host names so that the Manager does not have to perform those lookups. SmartConnectors perform the following functions:
• Collect all the data needed from a source device, so you do not have to go back to the device during an investigation or audit.
• Save network bandwidth and storage space by filtering out data you know will not be needed for analysis.
• Parse individual events and normalize them into a common schema (format) for use by ESM.
• Aggregate events to reduce the quantity of events sent to the Manager.
• Categorize events using a common, human-readable format. This saves staff from having to be experts in reading the output from a myriad of devices from multiple vendors, and makes it easier to use those event categories to build filters, rules, reports, and data monitors.
• Pass events to the Manager after they have been processed.
Depending on the network node, some SmartConnectors can also issue commands to the device. These actions can be executed manually or through automated actions from rules and some data monitors. HP ArcSight releases new and updated SmartConnectors regularly.
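The two normalization steps and the filter and aggregate stage described above, as an added example rather than SmartConnector code: two constructed device formats (one logging local time with textual severities, the other epoch seconds with a 1 to 5 scale) are parsed into one schema with UTC timestamps and a common 0 to 10 severity, routine permitted traffic is filtered out before it reaches the Manager, and identical events are collapsed into one record carrying a count. The device names FWA and IDSB, the category strings and the severity mappings are assumptions, not ArcSight's categorization taxonomy.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: two devices that watch the same network but log in
# different native formats (neither is a real vendor's format).
RAW_LINES = [
    "2012-06-01 08:00:00 -0500 FWA sev=warn action=deny src=10.1.1.7 dst=192.0.2.9 dport=22",
    "2012-06-01 08:00:01 -0500 FWA sev=warn action=deny src=10.1.1.7 dst=192.0.2.9 dport=22",
    "2012-06-01 08:00:02 -0500 FWA sev=info action=allow src=10.1.1.8 dst=192.0.2.9 dport=443",
    "1338555603 IDSB 4 ssh-bruteforce 10.1.1.7 -> 192.0.2.9:22",
]

# Value normalization tables (assumed): textual severities onto a 0-10 scale, and
# device-specific event types onto one human-readable category string.
SEVERITY_FWA = {"info": 2, "warn": 5, "error": 8}
CATEGORY = {
    ("FWA", "deny"): "/Firewall/Deny",
    ("FWA", "allow"): "/Firewall/Allow",
    ("IDSB", "ssh-bruteforce"): "/Attack/BruteForce/SSH",
}


def parse_fwa(line):
    """Vendor-A style: local timestamp with offset, then key=value pairs."""
    m = re.match(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) FWA (.*)$", line)
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m.group(2).split())
    return {
        "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc),
        "device": "FWA",
        "severity": SEVERITY_FWA[kv["sev"]],
        "category": CATEGORY[("FWA", kv["action"])],
        "src": kv["src"], "dst": kv["dst"], "dport": int(kv["dport"]),
    }


def parse_idsb(line):
    """Vendor-B style: epoch seconds, 1-5 severity, signature name, src -> dst:port."""
    m = re.match(r"(\d+) IDSB (\d) (\S+) (\S+) -> (\S+):(\d+)$", line)
    if not m:
        return None
    return {
        "time": datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc),
        "device": "IDSB",
        "severity": int(m.group(2)) * 2,          # 1-5 scale -> 0-10 scale
        "category": CATEGORY[("IDSB", m.group(3))],
        "src": m.group(4), "dst": m.group(5), "dport": int(m.group(6)),
    }


PARSERS = (parse_fwa, parse_idsb)


def normalize(lines):
    """Parse each raw line with the first parser that recognises it. Lines no parser
    understands are kept under a catch-all category so nothing is silently lost."""
    events = []
    for line in lines:
        for parser in PARSERS:
            ev = parser(line)
            if ev is not None:
                events.append(ev)
                break
        else:
            events.append({"time": None, "device": "unknown", "severity": 0,
                           "category": "/Unparsed", "raw": line})
    return events


def keep(ev):
    """Filter stage: drop routine permitted traffic so it never costs Manager bandwidth."""
    return ev["category"] != "/Firewall/Allow"


def aggregate(events):
    """Collapse repeated identical events into one record with a count and the
    first/last timestamp, as connector aggregation does to cut event volume."""
    buckets = {}
    for ev in events:
        key = (ev["device"], ev["category"], ev.get("src"), ev.get("dst"), ev.get("dport"))
        b = buckets.get(key)
        if b is None:
            buckets[key] = dict(ev, count=1, first_time=ev["time"], last_time=ev["time"])
        else:
            b["count"] += 1
            b["last_time"] = ev["time"]
    return list(buckets.values())


def run_connector(lines=RAW_LINES):
    return aggregate(ev for ev in normalize(lines) if keep(ev))


if __name__ == "__main__":
    for ev in run_connector():
        print(ev["first_time"].isoformat(), ev["device"], ev["category"],
              ev["src"], "->", f'{ev["dst"]}:{ev["dport"]}', "x", ev["count"])
```

After normalization the firewall's 08:00:00 local time and the IDS's epoch value sit three seconds apart on one UTC clock, which is what lets a downstream rule correlate the two devices' view of the same source at all.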
Connector Appliance
HP ArcSight Connector Appliance is a hardware solution that hosts the HP ArcSight SmartConnectors needed in a single device, with a web-based user interface for centralized management of multiple devices. The Connector Appliance centralizes SmartConnector management and offers unified control of SmartConnectors on the Connector Appliance itself, remote Connector Appliances, and software-based SmartConnectors installed on remote hosts. The Connector Appliance:
• Supports bulk operations across all SmartConnectors and is ideal in HP ArcSight ESM deployments with a large number of SmartConnectors
• Provides an HP ArcSight ESM-like SmartConnector management facility in Logger-only environments
• Provides a single interface through which to configure, monitor, tune, and update SmartConnectors
The Connector Appliance does not affect working SmartConnectors unless it is used to change their configuration. Connector Appliance is an ideal solution when connectors target multiple heterogeneous destinations (for example, when HP ArcSight Logger is deployed along with ESM), in a Logger-only environment, or when a large number of SmartConnectors are involved, such as in an MSSP deployment.
ESM Manager
The ESM Manager is the heart of the ESM solution. It is a Java-based server that drives ESM analyses, workflow, and services. The Manager is portable across a variety of operating systems and hardware platforms. It also correlates output from a wide variety of security systems. The Manager writes events to the ESM Database as they stream into the system. It simultaneously processes them through the correlation engine, which evaluates each event against network model and vulnerability information to develop real-time threat summaries. ESM comes with default configurations and standard foundation use cases consisting of filters, rules, reports, data monitors, dashboards, and network models designed to be usable as soon as ESM is installed. Organizations can also design the entire process that the ESM Manager drives, from detection, to correlation, to escalation. HP ArcSight Professional Services is available to help with this design and set-up.
ESM Database
As events stream into the Manager from the SmartConnectors, they are written to the ESM Database with a normalized schema. This enables ESM to collect all the events generated by devices on a network for later analysis and reference. The ESM Database is based on Oracle. A typical installation retains active data online for a period ranging from weeks to months.
SmartStorage Partition Management
SmartStorage partitions are chronological slices of the database that can be compressed, and then archived for later retrieval. By default, ESM creates a new partition every day.
EnterpriseView
EnterpriseView Elevator Pitch
HP EnterpriseView provides CISOs with the decision intelligence required to allocate budget and resources to most efficiently remediate and mitigate IT risk. HP EnterpriseView integrates with existing technologies to map IT devices to the business services they support. This frames IT risk in a business context in heat maps, reports and a dynamic risk register. Further efficiencies are achieved through integrations with CMDBs, SIEMs and SCM solutions, as this capability allows for automated assessments of technical controls.
The problem today driving the need for HP EnterpriseView:
The Problem
• No actionable intelligence
• Manual audits
• Reduced ROI on existing technology
The Cost
• $1,000,000,000 in misallocated IT spending annually
• $100,000’s in potential savings by automating
• CISOs are buried under a sea of technical data without business context.
What is HP EnterpriseView?
HP EnterpriseView is:
• Purpose-driven (IT GRC)
• Dedicated Development and Quality Assurance
• Technical Support
• Maintenance
• Updates/Patches
HP EnterpriseView is NOT:
• …a dashboard
• …direct competition to SecureBoardroom or Executive Scorecard
• …dependent on HP ArcSight ESM or a SIEM add-on
EnterpriseView HP Integration Points
• HP uCMDB - Asset importation to build framework
• HP BSA - Automate technical control assessments
• HP ArcSight ESM - Asset importation to build framework; SIEM event stats
• HP ArcSight Vulnerability SmartConnectors
Qualify the Solution
Qualification questions & pain points
Universal Pain Points
The target for the HP ArcSight SIEM solution is the CISO, CCO and CIO and their teams. The list below describes pain points to listen for when talking to prospective customers.
• “Can’t get to the important data” (understand business impact)
• “Can’t get to the important data quick enough” (when time matters)
• “Too manual and expensive to get to the important data” (resource intensive)
• “We don’t even know when we are under attack” (needle in the haystack)
Questions leading to HP ArcSight Logger
Ask these questions of prospective customers for HP ArcSight Logger.
• Are you using three separate solutions, one each for cybersecurity, compliance and IT operations?
• Do you want to lower your TCO and increase your ROI by combining all this into one solution?
• Do you have distributed silos of information scattered around the enterprise?
• Do you want to centralize all that information to paint the complete picture of who is doing what and when in your organization?
• Are you supposed to be compliant with one or more regulations and required to store logs for multiple months/years?
• Do you find yourself in situations where you do not know who made a change or why a server went down?
• What did a contractor or a terminated employee do a month before or after the termination date?
• Where to start in case of an audit, and how to efficiently demonstrate compliance to the auditor?
• Do you have a simple, unified, fast and efficient way to sift through terabytes of logs within seconds?
Questions leading to ESM/HP ArcSight Express
Ask these questions of prospective customers for ESM / HP ArcSight Express.
• Do you have complete visibility into the threats and attacks faced by your organization?
• Do you need to manually interpret logs from several different systems to understand what is happening in your environment?
• Are you able to identify security threats to your environment accurately in a short span of time?
• Does the volume of alerts coming from your IT infrastructure overwhelm your staff?
• Do you have too many false positives?
• Do you have to be compliant with any regulations?
• Does it take a long time for you to generate compliance reports?
• Are you able to identify and respond to security threats in real-time?
• Are you able to monitor the activity of privileged users in your sensitive assets?
• Are you able to track which users accessed what critical data/assets at any time?
HP footprint: cross-HP Software Sales plays
HP ArcSight Logger to BSM
Convergence of data from IT Operations and Security Operations
Benefits of bi-directional integration between OM/NNM/NNMi and HP ArcSight ESM/Logger:
• Complete visibility into anomalies and threats, a 360º view of security and IT events.
• Single pane of glass view of security, compliance and IT operations
• Reduced gap between NOC and SOC
• Security and compliance related Key Performance Indicators (KPIs) to IT operations service health dashboards
• Automate business processes and workflows to enable effective business risk management
IT operations captures exceptions, incidents, faults, and performance events from business critical applications and the network infrastructure supporting them. The target-specific data is captured through pre-written policies that trigger an event from those specific devices or applications; therefore, some events simply do not show up on the IT operations console. Log management captures all logs from the same devices plus any other log source in the network. Log management can capture up to 100,000 events per second. The convergence of this data helps IT operations understand the security context of the exceptions, provides a second set of eyes for comprehensive infrastructure log monitoring from a security perspective, and helps to identify the security vulnerabilities in the system. Prospects (IT operations practitioners or Directors) should either:
• Have some form of Log Management point vendor solution such as Q1/ Nitro/ Splunk to look at their IT operations
• Be current HP IT operations customers who have the BSM suite of products such as OMi, NNMi, BAC, or legacy OpenView software
Educate the prospects that HP has a seamless integration between the log management solution and IT operations software that helps in comprehensive log management, and simplified integration. It helps cut costs, enables organizations to be more agile, and can be deployed as an appliance, software, virtual machine or within the cloud, in both Windows and Linux environments.
HP ArcSight Logger to BSM qualifying questions
Questions for Directors/ Executives:
• Do you have two separate teams for security and operations with little or no interaction between the two?
• Do you want to add a security layer and metrics to your existing HP Software investment?
Questions for Practitioners:
• Do you find it difficult to search across events that happened last week, last month, last year or in the last decade?
• Is it cumbersome and error prone to collect all the health events from all the systems you have deployed?
• How do you troubleshoot and identify problems on servers, networks or storage devices caused by load or security threats?
• How can your Operations team detect and manage external threats and security vulnerabilities?
• How do you ensure compliance enforcement/ IT security management?
• Do you need help to understand integrating SOC and NOC?
• How long does it take to create compliance / IT security reports?
• How many people are assigned to compliance/ security related tasks?
• Do you want to accelerate the adoption of your HP IT Operations investments?
Competitive Landscape
Competitive analysis
Gartner Magic Quadrant for SIEM (May 2012)
Summary of the Gartner Magic Quadrant:
• HP rated #1 in 8 out of 12 categories
• HP ArcSight is still in the Leaders quadrant
• RSA (EMC) exits the Leaders quadrant
• LogLogic has not just fallen off the Leaders quadrant but is now the last in the Challengers quadrant
• Symantec also exits the Leaders quadrant
• LogRhythm enters the Leaders quadrant - the only new entry into the Leaders quadrant this year
• Nitro has gained on execution because of the McAfee acquisition
• Q1 (now IBM) is more or less at the same place as last year
Challenges: Gartner was not too happy about HP’s complexity and pricing of ESM, both of which HP plans to address in the next major release of ESM (6.0) scheduled for 2H 2012. They also mentioned HP was separated from the pack in the previous year’s Magic Quadrants because HP was the only public company in the SIEM space. That has changed now with the recent acquisitions of Q1 and Nitro, which is why they have placed all three vendors very close to each other. McAfee and IBM, now identified in the Leaders quadrant in the Magic Quadrant, are both coming at SIEM from an IT management position that mimics the HP approach, broadening SIEM within a larger security and risk platform. Our competitors’ ongoing efforts to copy HP (while talking HP down to customers) are proof that HP has set the gold standard in SIEM, and is baking SIEM into something with a long-term evolutionary roadmap.
Top Competitors, their strengths and their attack angles
The top competitors for HP ArcSight, their strengths, and the sales attack approach:
IBM/Q1 Labs
  Primary strength: Out of the box usability
  Primary attack angle: “The HP product is a framework, not a solution. Ours is faster to deploy and easier to use.”
McAfee/NitroSecurity
  Primary strength: Slick interface and pricing
  Primary attack angle: “We will discount or include additional products, as needed to win the deal.”
RSA enVision
  Primary strength: Established customer base
  Primary attack angle: “We are just like ArcSight, but cheaper and easier to use.”
Symantec
  Primary strength: Brand recognition
  Primary attack angle: “Buy from the #1 name in IT Security.”
Splunk
  Primary strength: Simple and easy to use. Free offering.
  Primary attack angle: “We collect data from anything and everything. Try us for free. We have a huge user community.”
LogRhythm
  Primary attack angle: “We have said all along that LM and SIEM are one and the same, and we are the only solution that provides it on the same appliance.”
Competitors: Log Management
HP ArcSight competitors in the Log Management arena are currently Splunk, LogLogic, and LogRhythm. These vendors emerged in 2006/2007 with a different value proposition.
• LogLogic – log management + light correlation
• Network Intelligence – log management + light correlation
• Splunk – IT Operations search
Competitive Differentiation
Splunk weakness
• Not a universal log management solution. Positions itself as an IT operations solution
• No event correlation or strong SIEM capability
• Structured data analysis is limited
• Available ONLY as software
• Licensed version 2X to 4X higher than Logger; 50 to 75% more expensive to buy and maintain the software
• Splunk does not have normalization and categorization
LogLogic weakness
• Minimum two appliances needed to do what Logger can accomplish using one instance
• Available ONLY as an appliance
• Long term reporting only on metadata
• LogLogic has around 2 dozen connectors as compared to more than 300 from HP ArcSight – they dismiss SmartConnectors as unnecessary
LogRhythm weakness
• Available ONLY as an appliance - single box solution has many limitations
• Fat client ONLY, which does not allow remote management
• They have database correlation, which is slow and detects threats after the damage is done
Competitors: SIEM
SIEM emerged from SIM and SEM (SIM + SEM = SIEM), because ~70% of buyers required both SIM and SEM.
• SIM = Historical analysis, compliance focused
• SEM = Real time analysis, perimeter threat focused
HP ArcSight’s current competitors in the SIEM space include: Q1Labs/QRadar, RSA, NitroSecurity, Symantec, netForensics, and AlienVault.
Competing with Q1Labs/QRadar
• Stress correlation capabilities: HP has 3X faster correlation, 5X faster reporting, and 10X more storage
• IdentityView capability far outreaches Q1’s version of “identity”
• Stress rich console usability, customizable, live dashboard and ability to drill down into real data.
• Stress TCO; Q1 maintenance costs are based on LIST pricing, ArcSight’s are based on NET.
Competing with RSA/enVision
• Push for a trial to emphasize differentiation… slides and a demo do not do it justice
• Exploit enVision weaknesses:
  • enVision LS does not support SAN storage
  • enVision does not collect NetFlow data
  • enVision does not have Pattern Recognition
  • enVision is not a pillar for RSA - 2 ½ years between versions 4.0 and 4.1
Competing with nitroView (McAfee)
• Primary market in government sector
• Supports approximately 200 devices
• Flash-driven GUI: sleek, but limits navigation
• “High Availability” accomplished by duplication of hardware vs. replication
Competing with Symantec
• Scalability issues using their approach of one SESA agent with collectors plugged in
• Exists only as a web interface, no console option available
• SSIM has very few installations and is mainly used as an enhanced reporting engine for other Symantec products
• Normalization and categorization is very limited
• No significant release in 2 ½ years.
• Make sure the success criteria include a FlexConnector – they show poorly here
Competing with netForensics
• HP ArcSight has over 5X the storage space (42TB vs. 8TB)
• HP ArcSight is consistently replacing netForensics in MSSP environments
• They claim to support over 1,000 devices, but their website only lists 120
Competitors: Suite
Suite vendors emerged in 2007/2008 with a wave of acquisitions.
• Novell – acquires eSecurity
• Attachmate buys NetIQ – mainly in the Windows Event Management space
• Cisco – acquired Protego (now called MARS), but still focuses on networking. Relationship with netForensics eroded.
• CA – dropped SCC and Audit and came up with Enterprise Log Manager
• IBM – still there, trying to integrate TSOM and TSIM
• Symantec – Round #3 of trying to come up with a competitive product
Today
• Hewlett Packard acquires ArcSight
• … one year elapses …
• IBM acquires Q1 Labs
• McAfee acquires NitroSecurity
What does it mean?
• HP Security Strategy is validated
• SIEM MUST be a core component that every CIO MUST invest in
• Enterprises need to address security concerns in a comprehensive, connected fashion
Other recent actions and acquisitions
• Cisco killed MARS
• RSA acquired NetWitness and doesn’t really know what to do with it
• Symantec is still around in some countries
• Splunk went public
• LogLogic acquired by TIBCO
Handling common objections
Common Objections or FUD (Fear, Uncertainty, and Doubt)
Logger can’t capture “all the data”
• Third party verified audit quality data capture
• Secure, reliable transport, multiple time stamps, hashing and caching
• Collection from 300+ log generating sources, or build your own connector easily
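“Multiple time stamps” and “hashing” in the audit-quality answer above are what make captured logs defensible later: the receiver records its own receipt time next to the device's timestamp, and links records in a hash chain so that a later edit or deletion is detectable and a drifting or manipulated device clock stands out. The store below is an added illustration of that idea, not Logger's implementation; the record layout, the sample syslog lines and the fixed receipt times are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value carried by the first record


def _digest(body):
    """SHA-256 over a canonical JSON serialisation, so the hash does not depend on
    dictionary order or whitespace."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class AuditStore:
    """Append-only store: every record keeps the device's own timestamp, the time the
    store received it, and a hash link to the previous record."""

    def __init__(self):
        self.records = []

    def append(self, raw, device_time, receipt_time=None):
        if receipt_time is None:
            receipt_time = datetime.now(timezone.utc).isoformat()
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"raw": raw, "device_time": device_time,
                "receipt_time": receipt_time, "prev": prev}
        self.records.append(dict(body, hash=_digest(body)))
        return self.records[-1]["hash"]

    def verify(self):
        """Index of the first record whose link or hash is wrong, or -1 if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: rec[k] for k in ("raw", "device_time", "receipt_time", "prev")}
            if rec["prev"] != prev or _digest(body) != rec["hash"]:
                return i
            prev = rec["hash"]
        return -1

    def clock_skew(self, max_seconds):
        """Indices of records whose device clock disagrees with the receipt clock by
        more than max_seconds (a drifting or manipulated source clock)."""
        out = []
        for i, rec in enumerate(self.records):
            dt = datetime.fromisoformat(rec["device_time"])
            rt = datetime.fromisoformat(rec["receipt_time"])
            if abs((rt - dt).total_seconds()) > max_seconds:
                out.append(i)
        return out


# Constructed sample: (raw line, device timestamp, receipt timestamp). Receipt times
# are fixed here only so the example is reproducible; the third device clock is four
# hours off.
SAMPLE = [
    ("<86>Jun  1 13:00:00 host1 sshd[2201]: Failed password for root from 198.51.100.7 port 4021 ssh2",
     "2012-06-01T13:00:00+00:00", "2012-06-01T13:00:01+00:00"),
    ("<86>Jun  1 13:00:04 host1 sshd[2203]: Failed password for admin from 198.51.100.7 port 4022 ssh2",
     "2012-06-01T13:00:04+00:00", "2012-06-01T13:00:05+00:00"),
    ("<86>Jun  1 09:00:09 host2 sshd[410]: Accepted password for backup from 198.51.100.7 port 4030 ssh2",
     "2012-06-01T09:00:09+00:00", "2012-06-01T13:00:10+00:00"),
]


def build_sample_store():
    store = AuditStore()
    for raw, device_time, receipt_time in SAMPLE:
        store.append(raw, device_time, receipt_time)
    return store


def tamper_demo():
    """Edit one stored record and, separately, delete one; return the index at which
    verify() first notices each."""
    edited = build_sample_store()
    edited.records[1]["raw"] = edited.records[1]["raw"].replace("Failed", "Accepted")
    deleted = build_sample_store()
    del deleted.records[1]
    return edited.verify(), deleted.verify()


if __name__ == "__main__":
    s = build_sample_store()
    print("chain intact:", s.verify() == -1, "skewed records:", s.clock_skew(300))
    print("first bad index after edit, after deletion:", tamper_demo())
```

The receipt timestamp is the one an investigator should order events by when device clocks cannot be trusted; the device timestamp is still kept, because the gap between the two is itself evidence worth reporting.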
Logger is difficult to deploy with connectors
• Logger can be deployed with or without connectors
• Connectors bring a lot of value to the table which competitors cannot match
• HP ArcSight offers more than 300 connectors from more than 100 vendors in more than 35 categories for simple out of the box collection and fast and simple forensic analysis
Logger has no real-time correlation
• Logger does offer basic correlation, real-time search and real-time alerts
• For more advanced correlation, customers choose HP ArcSight ESM or Express with best-in-class correlation capabilities
Demonstrate unique business value and build a proposal
Main case studies
Foxconn / Hon Hai
• HP was on-site in Shenzhen, China within 48 hours of notification
• Landed 3 top-level consultants from 3 countries and 2 continents (S. Korea, HK, USA)
• HP ArcSight SIEM Platform was installed and configured within 3 hours and receiving data within 5 hours
• They identified 25 serious active security events in 72 hours, including 3 major discoveries and several real-time intrusions
• Here are the observations, risks, and recommendations for Foxconn.
Observation: No central security operations or monitoring of security devices
Risk: Customer has challenges detecting, analyzing and reporting on threats in real-time.
Recommendation: Implement HP ArcSight SIEM to centralize log management.
Observation: No centralized security program or ownership
Risk: Client has limited workflow, processes and procedures to quickly respond to threats
Recommendation: Form a security operations organization to centralize security people and processes
Observation: DMZ allows brute force user/password attacks on SSH and FTP servers.
Recommendation: Disallow external inbound SSH, use TippingPoint to block brute force attacks, enable “3 failed and locked” type rules as well as HP ArcSight content to report on activity.
Take-aways from the FOXCONN / Hon Hai Q2 Win
11 days from breach to order meant the perfect solution selling storm. What we learned:
• Build C-level relationships early
• Run C-level security intelligence workshops
• Follow market news closely
• Always pull in HP TippingPoint
• Leverage the HP AGM & AM
Customer references http://www.hpenterprisesecurity.com/customers
Proof points
The critical elements for success are a combination of People, Process and Technology. It’s important that organizations understand this concept to balance their vision. Technology is only a third of the problem or, better stated, a third of the solution. It does not solve anything by itself; it only solves things when integrated with people and processes. In addition, people need to be trained and there has to be awareness in the company. Processes have to exist to make sure “you know what to do and when.” Simply installing a SIM does not “solve” any problem. A SIM helps automate and improve your security, compliance and incident response program. It’s SIM + Strategy + Development = Solution.
Enterprise Project
• People (size ‘o’) - Trained & Experienced
• Process (x-axis) - Focus on Relevant Business Objectives, Enterprise Project Team
• Technology (y-axis) - Tuned and Stable
Measuring the success of a SIEM implementation
When trying to measure the success of a SIEM implementation, something like this Magic Quadrant helps. It has three dimensions: the People – trained and experienced, the Process – focused on relevant business objectives and the project team, and the Technology – tuned and stable. Of course, the goal is to get the customer into the upper right corner with a big circle. How to get customers there:
• Successful Implementation – Get Enterprise technical experts, do a well-designed overall architecture analysis and advise the customer on key considerations.
• Educate the customer – Learning on the job, Instructor-Led Training, or web-based training through HP ArcSight University.
• Implement the process and strategy – Advise customers on the business of information security in an HP ArcSight context, provide functional as well as technical security expertise; it should be highly focused on customer workflow.
Business justification
IdentityView
HP IdentityView lets you understand who is on your network, what they are looking at and what actions they are taking, giving you better compliance at lower cost.
HP ArcSight IdentityView - User Activity Monitoring
HP ArcSight IdentityView (IdView) helps organizations understand who is on their network, what data they are seeing, and which actions they take with that data.
• Correlates user identity across accounts and systems
• Compares user activity to role to detect violations
• Enriches all monitored events with user data for better context
The benefits to customers include:
• High business value use cases for user monitoring
• Lower risk from malicious insiders, shared and privileged accounts, and high risk users
• Increased compliance with IAM best practices
HP ArcSight IdentityView correlates IP addresses with a user’s identity information across multiple accounts. Then it compares that user’s rolled-up activity to the person’s roles to determine any violations. It can also profile user behavior to understand what they are doing, giving better visibility into all business processes and the activities within those processes. HP ArcSight IdentityView lets organizations retain control over their network as they open it up to partners and customers, because tracking what these outsiders do can make compliance easier.
Compliance Insight Packages (CIP)
Compliance Insight Packages (CIP) are pre-packaged solutions for regulatory compliance and IT Governance, consisting of comprehensive sets of best-practice-based reports, rules, active lists and dashboards for audit and compliance.
• Standards-based log management solution
• Applicable offerings for “governance approach” and “regulation specific approach” organizations
HP ArcSight Compliance Insight Packages help clarify confusing log review practices for compliance by providing an immediate, pre-developed log structure. HP has multiple offerings based on the way your organization needs to structure compliance reporting.
HP ArcSight Compliance Insight Package for IT Governance
For organizations that are taking a governance approach to the compliance problem (such as adopting a standard like ISO-17799 as the underlying basis of their security program), HP offers the HP ArcSight Compliance Insight Package for IT Governance. This package offers over 80 reports based on a combination of the ISO and NIST standards.
HP ArcSight Packages:
• HP ArcSight ESM CIP for IT Governance
• HP ArcSight Logger CIP for IT Governance
Customer Requirements:
• Moderate for regulation specific
• Low to medium for standards specific
Value:
• Pre-developed log review in an ISO-17799 specific context
• Technical checks based on NIST 800-53
• Reporting structure in ISO-17799 and NIST 800-53 specific format
Regulation-specific Compliance Insight Packages
For organizations that wish to take a regulation-specific approach to their compliance program, such as checks directly mapped to the HIPAA security standard, SOX-specific reporting, etc., HP offers and continues to develop regulation-specific Compliance Insight Packages that provide out-of-the-box technical, business and policy-based checks directly mapped to major compliance standards.
HP ArcSight Packages:
• HP ArcSight ESM CIP for SOX, JSOX, PCI, FISMA, HIPAA, NERC
• HP ArcSight Logger CIP for SOX, PCI
Customer Requirements:
• Needs regulation specific program
• Seeking guidance from vendor
Value:
• Pre-developed log review in a regulation specific context
• Supports control frameworks through best practice based approach
• Reporting structure in regulation specific format
Unique differentiators for Logger
Captures Everything: Broadest LM solution
• Any structured or unstructured data collection
  • 300+ Products
  • FlexConnectors
  • Raw Syslog (TCP/UDP)
  • Raw File Based logs
  • CEF Partners
Analyze Anything: Business intelligence at your fingertips
• Unified search interface for all structured and unstructured logs
• Top-down or bottom-up analysis
• Pre-packaged content (PCI, SOX, IT Governance, ISO/NIST)
Eliminates Tradeoffs: Patented Technology
• Log capture rate of up to 100K events per second
• Compresses and stores up to 42 TB of logs/appliance
• Analysis speed of millions of events per second
SIEMple Integration: A True SIEM solution under one umbrella
• Seamless integration with ArcSight ESM/Express
• Common collection for low TCO
• Common taxonomy of events
Common Event Format (CEF): One language to understand
• Future-proofs customer’s investment
• Device independent analysis
• Removes the need for device expertise
Deployment Flexibility: Optimal solution for any environment
• Hardware and software form factors
• On-board or SAN/NAS/DAS storage flexibility
• Optimized for centralized and distributed environments
Market Leadership: Trusted and tested solution
• Gartner MQ Leader: SEVEN years running
• IDC – #1 Market Share
• InfoPro – #1 “In Plan” & “In Use” SIEM and Log management solution
• First LM solution to offer FIPS and CAC
Solution Viability: Where most LM vendors are privately held
• An HP company
• Growing at 30%+ every quarter
• 2000 customers in 70+ countries
• 10 years of innovation and thought leadership
Key Performance Indicators (KPIs)
Key Performance Indicator / Figures
Key Performance Indicator: Number of events / Number of events per source
Why:
• Base for a lot of other KPIs
• Trend shows quality of event management
Data sources: All
How:
• Logger: Daily report counting events
• ESM: Trend with reports on top
Key Performance Indicator: Number of privileged users’ failed logins
Why:
• Potential security breach
Data sources:
• Apps
• Authentication servers
• OS
How:
• Logger: Report using ‘hard-coded’ user names in the query
• ESM: Report using an active list populated by e.g. ADS integration
Key Performance Indicator: Number of security incidents
Why:
• Base for other KPIs
• Shows trend of security incidents in the organization
Data sources:
• HP ArcSight ESM
• Service Desk, Ticketing System
How:
• Logger: Only applicable if a feed from the ticketing system is integrated or critical events are by default an incident
• ESM: Applicable if ESM is used for case management or a ticketing system is integrated.
Key Performance Indicator: Number of identified IT risks / Number of newly identified IT risks (compared to previous exercise)
Why:
• Shows security posture of organization
• Shows trend in mitigating risks
Data sources:
• Vulnerability Scanner
How:
• Logger: Report on Vulnerability Scanner events
• ESM: Reports on Vulnerability Scanner, reports per asset, trends
Key Performance Indicator: Number of unauthorized IP addresses, ports and traffic types denied
Why:
• Shows security violations
• Indicator for success of awareness training
Data sources:
• Firewalls and routers with ACLs
• IDS/IPS
How:
• Logger: Report using information in query
• ESM: Report using active list and zones
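The “privileged users’ failed logins” KPI above, and the device-independent analysis that the Common Event Format (CEF) bullets under the Logger differentiators promise, as an added example that is not part of this guide and not HP's code: a small CEF parser run over constructed sample events, with a Python set of account names standing in for an ESM active list (or the hard-coded names of a Logger query). The extension keys `suser`, `src` and `outcome` are standard CEF keys; the vendor/product names and addresses in the sample lines are made up.

```python
import re
from collections import Counter

# Constructed sample events (not real Logger output). Each line follows the CEF
# layout: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
SAMPLE_EVENTS = [
    "CEF:0|Example|AuthServer|1.0|100|Login failed|5|suser=root src=10.0.0.5 outcome=failure",
    "CEF:0|Example|AuthServer|1.0|100|Login failed|5|suser=alice src=10.0.0.6 outcome=failure",
    "CEF:0|Example|AuthServer|1.0|101|Login succeeded|1|suser=root src=10.0.0.5 outcome=success",
    "CEF:0|Example|AuthServer|1.0|100|Login failed|5|suser=admin src=10.0.0.7 outcome=failure",
    "CEF:0|Example|AuthServer|1.0|100|Login failed|5|suser=root src=10.0.0.9 outcome=failure msg=bad pw",
]

# Stand-in for an ESM active list of privileged accounts (a Logger query would hard-code these).
PRIVILEGED_USERS = {"root", "admin"}

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# The extension is space-separated key=value; a value (which may contain spaces)
# runs until the next " key=" token or the end of the line.
EXT_RE = re.compile(r"(\w+)=((?:\\=|[^=])*?)(?=\s\w+=|$)")


def _unescape(value):
    # CEF escapes '|' in the header and '=' in the extension with a backslash;
    # this handles those common escapes, not every corner case of the spec.
    return value.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")


def parse_cef(line):
    """Parse one CEF line into a dict of header fields plus an 'extension' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line[4:])  # split on unescaped pipes only
    if len(parts) < 8:
        raise ValueError("malformed CEF header")
    event = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    extension = "|".join(parts[7:])  # the extension itself may contain '|'
    event["extension"] = {k: _unescape(v) for k, v in EXT_RE.findall(extension)}
    return event


def privileged_failed_logins(lines, privileged=PRIVILEGED_USERS):
    """KPI: failed logins per privileged account, whichever device reported them."""
    counts = Counter()
    for line in lines:
        ext = parse_cef(line)["extension"]
        if ext.get("outcome") == "failure" and ext.get("suser") in privileged:
            counts[ext["suser"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, n in privileged_failed_logins(SAMPLE_EVENTS).items():
        print(f"{user}: {n} failed logins")
```

Because every source is normalized to the same keys, the KPI query never changes when a new device type is added; only the connector that emits CEF does.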
Pricing/licensing model
Breaking down the project
Basic principles of how to break the project down
• Succeed or fail, SIEM can be expensive
• Get it right and it works well
• Get it wrong and it can doom a strategy
• Spot the early signs and correct the plan
Building the project - Starting to put it all together
• Where do we start? What can we do?
• Don’t get lost – it can seem daunting
• Impacts different areas of the business
• Conflicting demands from the business
• Overly complex
Top-down approach
Top Down or Bottom Up - which is the best approach?
• Easy to build a bottom-up business case – encompass all that is needed
• Try the bottom-up approach:
  • 200,000 desktops
  • 10,000 servers
  • 10,000 other devices
  • Probably $5m+ product, $1m staff (6), $1m on-going, $3m internal
Top Down Approach works...and why bottom up doesn’t!
• High level sample use case on PCI-DSS:
  • 200,000 desktops – down to zero – out of scope
  • 10,000 servers – down to 10% - only impacted assets
  • 10,000 other devices – down to 10% - only impacted assets
  • Cost now $1m+ product, $100k staff (2?), $100k on-going, $300k internal costs – much cheaper
• Know what the alternative costs are with a different approach
• Do the simple calculations on ROI / Cost
Pricing & Licenses
ESM is sold as a suite, but can also be used stand-alone as an Appliance or Software version. These are the factors that determine pricing for each.
Appliance version
• EPS (events per second)
• # of devices or sources
• on-board capacity of the appliance (built-in)
Software version
• GB per 24-hr day (data flow rate)
• # of devices is constrained
• capacity for reporting, search (governors)
Table: ArcSight Logger: Appliance Pricing
Logger Appliance | List | NFR | HA | CIPs | Physical Devices | Raw Capacity (TB) | Effective Capacity | Max EPS | Connector EPS | Onboard Connectors | Remote Connector Management
L7400x | $130K | $11,000 | $91,000 | $10K | unlimited | 6.0 | ~42TB | 100K | NA | No | No
L7400SAN | $90K | $11,160 | $63,000 | $10K | unlimited | 5.4 on SAN | ~50TB | 75K | NA | No | No
L7400s | $70K | $11,000 | $49,000 | $10K | 500 | 6.0 | ~42TB | 5K | NA | No | No
L3400-PCI | $30K | $5,700 | $21,000 | included | 200 | 2.0 | ~7.8TB | 2K | 200 | 4 | 20 (5 containers)
L3400 | $30K | $5,700 | $14,000 | $10K | 200 | 2.0 | ~7.8TB | 2K | 200 | 4 | 20 (5 containers)
• Pricing based on incoming EPS and number of devices
• Channel/SMB friendly starting price point
• Pricing shown for North America – standard uptick applies in EMEA and APAC
• Additional CIPs are $2,500 for each additional appliance
• Low cost NFR units for internal use, demos and evaluations
• Upgrade SKUs available and a special SKU L3x00-DSKTOP
Table: ArcSight Logger – Software Pricing
SW SKU | SW Price in NA | Corresponding HW SKU | Corresponding HW Price | GB/day | Effective Capacity | Devices
L750MB | $0 | N/A | N/A | 0.75 | 500GB | 10
L5GB | $7.5K | N/A | N/A | 5 | 2.5TB | 50
L30GB | $15K | L3400 | $20K | 30 | 8TB | 200
L80GB | $60K | L7400s | $70K | 80 | 42TB | 500
L160GB | $115K | L7400x | $130K | 160 | 42TB | No license restriction
• Price neutral to appliances
• No equivalent SW SKU to L7400-SAN. Users can use SAN with any of the above SW SKUs
• Upgrade prices are designed to encourage customers to buy higher priced SKUs early on
For more information
Please review the pricing and licensing data that is available in the HP Software IT Performance Suite - Enterprise Security Price Guide. The guide can be downloaded from the Pricing page on Partner Central: https://h20229.www2.hp.com/partner/protected/bto/pricingguide/pricing.html. The page contains pricing information for the HP Software Business Technology Optimization, Information Management and Security portfolios, along with key documents on HP Software pricing.
Evaluation/Demo Version
The SKU “L750MB” has no price because it is a free demo version – a tool prospects can use for evaluation. The features and limits of the free evaluation product are compared with those of the Enterprise version in this table.
Feature | Evaluation version | Enterprise version
Daily limit on log data | 750MB | License-dependent
Total searchable space (compressed) | 50MB | License-dependent
Distributed search reports | No | Yes
Support for ArcSight SmartConnectors | Restricted set | Full set
Searching, Reports and Real-time alerting | Yes | Yes
Granular Role-Based Access | Yes | Yes
Authentication and Authorization | Yes | Yes
Community Support | Yes | Yes
Enterprise support | No | Yes
Additional resources
Please see the following sources for more information:
• ESP on HP Software Partner Portal: https://h20229.www2.hp.com/partner/protected/bto/portfolio/centers/esc.html
• ESP University: http://www.hpenterprisesecurity.com/services/education/
• ESP Customer website: http://www.hpenterprisesecurity.com/
• ESP on HP Learning Center: http://www.hp.com/certification/whats_learning_center.html
• Access to product and technical manuals on Software Support Online: http://support.openview.hp.com/selfsolve/manuals
• HP Secure on YouTube: http://www.youtube.com/user/HPSecure