SMARTAGENT™ v3 COLLECTION SYSTEM
INTELLIGENT, REAL TIME, COMPLETE

Highlights:
- Efficient, real-time event data capture
- Broadest range of device support to manage any enterprise environment
- FlexAgent™ adds new devices on site for immediate coverage
- Multiple deployment options to match current infrastructure
- Intelligent filtering and bandwidth management to eliminate network and database overhead
- Raw event data normalized for consistent and complete analysis
- 100% capture of all alarms and alerts for complete visibility

EFFICIENT, COMPLETE REAL-TIME CAPTURE OF SECURITY-RELEVANT INFORMATION

The first problem that ArcSight solves is collecting and normalizing the enormous amount of data that is generated by all the different sources of security-relevant information that exist in an organization. Whether the threat is internal or external, ArcSight goes beyond simple log consolidation by providing intelligent data collection through the use of SmartAgents™.

Alarms and alerts can come from routers, email logs, Single Sign-On systems, vulnerability scanners, anti-virus products, firewalls, intrusion detection systems, VPN systems, NT Event Logs, Syslogs, and other sources such as applications and databases where security threat information is detected and reported. Each event generator has a SmartAgent assigned to collect all the relevant security information.

MULTIPLE SMARTAGENT DEPLOYMENT OPTIONS

Since each network has unique data collection policies and procedures, ArcSight has built an extremely flexible and network-friendly agent deployment system, which means it is likely that no network change is required to support the installation. Depending on the device to be monitored and the in-place infrastructure, a choice is provided for simple log parsing and loading, "agentless" deployment via network listening (e.g., SNMP), installation on aggregation points (Syslog servers and concentrators), and installation directly on security-relevant devices. All communication between the SmartAgents and ArcSight Manager is via double-certificate SSL.

FULL EVENT DATA CAPTURE

A data-normalized ArcSight message, which captures 100% of the source fields, is created for every event. By capturing the entire event data set and organizing it into a consistent format, powerful upstream data management, cross-correlation, display and reporting is available to the security team. In addition, there is also an option to capture and store the message in its original form for purposes of forensic investigation and possible use as evidence.

[Figure: SmartAgent Deployment Variations. Internal or external security-relevant devices feed the ArcSight Manager through four paths: console, logs (agentless), SNMP (agentless), and concentrators / log servers; original devices are marked as ArcSight SmartAgents; the Manager writes to a database with archive.]

SUPPORTED DEVICES

Whether in the ArcSight lab or on-site via the FlexAgent, the ArcSight SmartAgent architecture is designed for rapid support of new devices. As a result, ArcSight features the broadest and most comprehensive list of supported devices, and the list is constantly growing. For an updated directory of supported devices please visit www.arcsight.com/product_arcsight_agents.htm.

THE SMARTAGENT RAPID DEPLOYMENT PROCESS

STEP 1: Requirement identified, interface information received.
STEP 2: ArcSight agent template programmed for new source.
STEP 3: Agent QA'd and released along with updated rules and reports.

INTELLIGENCE AT THE SOURCE

In addition to collecting and normalizing data from security devices, ArcSight SmartAgents intelligently manage the data with user-configurable options that include:

- Filtering to allow the administrator to set conditions by which data will be collected and sent to the database. This source-level filtering reduces the need to manage and store large volumes of unwanted data.

- Bandwidth management to optimize use of the network. Based on the time period selected, the ArcSight SmartAgent can aggregate similar events by collecting duplicate alerts and sending one message with a count of the total. SmartAgents can also be configured to send a batch of alerts at one time rather than sending alerts immediately after each occurrence. These collections are also configurable and can accommodate a variety of bandwidth-preserving strategies, including sending high-priority events immediately while holding low-priority events to be sent at a time when network usage is minimal.

- Device-independent threat taxonomy and threat level. SmartAgents can parse the event data stream and set field values based on the policies of the organization. For example, the variety of event severity levels that devices produce can all be normalized at the agent level into a single, consistent hierarchy. Because each device vendor uses a unique name for the same event, ArcSight SmartAgents also generate a standard threat taxonomy that not only relieves the user from knowing all the message variations, but also supports device-independent reporting, filtering and correlation.

- Failover support for sending events to multiple ArcSight Managers. SmartAgents can work in either redundancy or failover mode. Redundancy mode allows each event to be sent to multiple managers simultaneously. In failover mode, when the primary manager is down, the events are automatically re-routed to a secondary manager.

- Rapid on-site integration of new devices via the FlexAgent. Through a simple-to-use console wizard, ArcSight's FlexAgent software allows a user to create custom SmartAgents that can read and parse information from third-party devices and map that information to ArcSight's event schema.

- Private network encoding to eliminate the problem of ambiguous internal IP addresses caused by multiple subnets. This is accomplished by supplying a "security area code" to each subnet in order to uniquely identify which asset is being attacked.

FOR MORE INFORMATION, PLEASE CONTACT:
ArcSight, Inc.
5 Results Way, Cupertino, CA 95014, USA
Email: [email protected]
Phone: (408) 864-2600

Enterprise Security Management Software
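The agent-side processing described under INTELLIGENCE AT THE SOURCE (capturing every source field plus the raw message, normalizing vendor severities and event names into one hierarchy and taxonomy, tagging addresses with a per-subnet security area code, collapsing duplicate alerts within a time window into one message with a count, and sending high-priority events ahead of the batch) can be illustrated with a small toy agent. This is an added example, not ArcSight SmartAgent code; the two device log formats, the area-code table, the severity and taxonomy mappings, and the sample events are all constructed for the illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime

# Hypothetical "security area code" table: one code per subnet, so two sites
# that both use 10.0.0.0/24 would still yield distinct (area, address) pairs.
AREA_CODES = {
    "10.0.0.0/24": "HQ-01",
    "10.0.1.0/24": "DMZ-01",
    "192.168.1.0/24": "BRANCH-07",
}
# Hypothetical per-device severity vocabularies normalized into one hierarchy.
SEVERITY = {"fw1": {"low": "Low", "medium": "Medium", "high": "High"},
            "ids2": {"3": "Low", "2": "Medium", "1": "High"}}
# Hypothetical vendor event name -> device-independent taxonomy category.
TAXONOMY = {("fw1", "deny"): "/Firewall/Access/Deny",
            ("ids2", "PORTSCAN"): "/Recon/PortScan",
            ("ids2", "LOGIN_FAIL"): "/Authentication/Failure"}

# Two constructed device formats: a pipe-delimited firewall and a free-text IDS.
FW_RE = re.compile(r"^(?P<dev>fw\d+)\|(?P<ts>[^|]+)\|(?P<name>\w+)\|"
                   r"src=(?P<src>[\d.]+)\|dst=(?P<dst>[\d.]+)\|sev=(?P<sev>\w+)$")
IDS_RE = re.compile(r"^(?P<dev>ids\d+) (?P<ts>\S+ \S+) (?P<name>\w+) "
                    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) priority=(?P<sev>\d)$")

# Constructed sample event stream (not real device output).
SAMPLE_LINES = [
    "fw1|2004-03-01 10:00:01|deny|src=10.0.0.5|dst=10.0.1.9|sev=high",
    "fw1|2004-03-01 10:00:02|deny|src=10.0.0.5|dst=10.0.1.9|sev=high",
    "fw1|2004-03-01 10:00:03|deny|src=10.0.0.5|dst=10.0.1.9|sev=high",
    "ids2 2004-03-01 10:00:05 PORTSCAN 10.0.0.5 -> 10.0.1.9 priority=2",
    "fw1|2004-03-01 10:00:09|deny|src=10.0.0.5|dst=10.0.1.9|sev=high",
    "ids2 2004-03-01 10:00:10 LOGIN_FAIL 192.168.1.4 -> 10.0.1.9 priority=3",
]


@dataclass
class Event:
    device: str
    ts: datetime
    name: str          # vendor's own event name
    category: str      # device-independent taxonomy category
    severity: str      # normalized severity hierarchy
    src: str
    dst: str
    src_area: str      # security area code of the source subnet
    dst_area: str      # security area code of the destination subnet
    count: int = 1     # number of duplicates collapsed into this message
    raw: str = ""      # original message retained for forensic use
    fields: dict = field(default_factory=dict)  # 100% of the parsed source fields


def area_code(ip):
    """Map an address to its subnet's area code; unknown subnets are flagged."""
    addr = ipaddress.ip_address(ip)
    for net, code in AREA_CODES.items():
        if addr in ipaddress.ip_network(net):
            return code
    return "UNKNOWN"


def normalize(line):
    """Parse one raw line into the common schema, keeping every source field."""
    m = FW_RE.match(line) or IDS_RE.match(line)
    if m is None:
        raise ValueError("unparsed line: %r" % line)
    f = m.groupdict()
    return Event(device=f["dev"],
                 ts=datetime.strptime(f["ts"], "%Y-%m-%d %H:%M:%S"),
                 name=f["name"],
                 category=TAXONOMY.get((f["dev"], f["name"]), "/Unknown"),
                 severity=SEVERITY[f["dev"]].get(f["sev"], "Unknown"),
                 src=f["src"], dst=f["dst"],
                 src_area=area_code(f["src"]), dst_area=area_code(f["dst"]),
                 raw=line, fields=f)


def aggregate(events, window_s):
    """Collapse duplicates (same category/src/dst/severity) that arrive within
    window_s seconds of the first occurrence into one event carrying a count."""
    open_buckets = {}
    out = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.category, ev.src, ev.dst, ev.severity)
        held = open_buckets.get(key)
        if held and (ev.ts - held.ts).total_seconds() <= window_s:
            held.count += 1
            continue
        if held:
            out.append(held)          # window expired: release the held message
        open_buckets[key] = ev        # start a new window for this key
    out.extend(open_buckets.values())
    return sorted(out, key=lambda e: e.ts)


def route(events):
    """High-severity events are sent immediately; the rest wait for the batch."""
    immediate = [e for e in events if e.severity == "High"]
    batched = [e for e in events if e.severity != "High"]
    return immediate, batched


def run_agent(lines, window_s=5):
    """Full agent pipeline: normalize, aggregate, then split by priority."""
    return route(aggregate([normalize(ln) for ln in lines], window_s))


if __name__ == "__main__":
    now, later = run_agent(SAMPLE_LINES)
    for ev in now + later:
        print(ev.ts.time(), ev.severity, ev.category, "x%d" % ev.count,
              "%s@%s -> %s@%s" % (ev.src, ev.src_area, ev.dst, ev.dst_area))
```

On the constructed stream the three firewall denies at 10:00:01-10:00:03 collapse into one High message with count 3, the deny at 10:00:09 falls outside the 5-second window and becomes a second message, and the Medium port scan and Low login failure are held for the batch. Each emitted event still carries its raw line and the complete parsed field set, which is what makes the original-form retention for forensics and the "100% of source fields" capture possible alongside the aggregated count.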