ArcSight SmartAgent™ v3 Collection System
Intelligent, real-time, complete: intelligent aggregation
Highlights: Efficient, Real Time Event Data Capture
Broadest range of device support to manage any enterprise environment
FlexAgent™ adds new devices on site for immediate coverage
Multiple deployment options to match current infrastructure
Intelligent filtering and bandwidth management to eliminate network and database overhead
Raw event data normalized for consistent and complete analysis
100% capture of all alarms and alerts for complete visibility
EFFICIENT, COMPLETE REAL-TIME CAPTURE OF SECURITY-RELEVANT INFORMATION
The first problem that ArcSight solves is collecting and normalizing the enormous amount of data that is generated by all the different sources of security-relevant information that exist in an organization. Whether the threat is internal or external, ArcSight goes beyond simple log consolidation by providing intelligent data collection through the use of SmartAgents™.
Alarms and alerts can come from routers, email logs, Single Sign-On systems, vulnerability scanners, anti-virus products, firewalls, intrusion detection systems, VPN systems, NT Event Logs, Syslogs, and other sources such as applications and databases where security threat information is detected and reported. Each event generator has a SmartAgent assigned to collect all the relevant security information.

MULTIPLE SMARTAGENT DEPLOYMENT OPTIONS
Since each network has unique data collection policies and procedures, ArcSight has built an extremely flexible and network-friendly agent deployment system, which means it is likely that no network change is required to support the installation. Depending on the device to be monitored and the in-place infrastructure, a choice is provided for simple log parsing and loading, "agentless" deployment via network listening (e.g., SNMP), installation on aggregation points (Syslog servers and concentrators), and installation directly on security-relevant devices. All communication between the SmartAgents and the ArcSight Manager is via double-certificate SSL, with each side presenting its own certificate.

FULL EVENT DATA CAPTURE
A data-normalized ArcSight message, which captures 100% of the source fields, is created for every event. By capturing the entire event data set and organizing it into a consistent format, powerful upstream data management, cross-correlation, display and reporting are available to the security team. There is also an option to capture and store the message in its original form for purposes of forensic investigation and possible use as evidence.
[Figure: SmartAgent Deployment Variations. Internal or external security-relevant devices reach the ArcSight Manager (with ArcSight Consoles and a database with archive) via logs (agentless), SNMP (agentless), concentrators and log servers, or SmartAgents installed on the original devices.]
Enterprise Security Management Software
SUPPORTED DEVICES
Whether in the ArcSight lab or on-site via the FlexAgent, the ArcSight SmartAgent architecture is designed for rapid support of new devices. As a result, ArcSight features the broadest and most comprehensive list of supported devices, and the list is constantly growing.
For an updated directory of supported devices please visit www.arcsight.com/product_arcsight_agents.htm.

THE SMARTAGENT RAPID DEPLOYMENT PROCESS
Step 1: Requirement identified, interface information received.
Step 2: ArcSight agent template programmed for the new source.
Step 3: Agent QA'd and released along with updated rules and reports.

INTELLIGENCE AT THE SOURCE
In addition to collecting and normalizing data from security devices, ArcSight SmartAgents intelligently manage the data with user-configurable options that include:
Filtering to allow the administrator to set conditions by which data will be collected and sent to the database. This source-level filtering reduces the need to manage and store large volumes of unwanted data. Events dropped by a source-level filter never reach the database, so filters should be set with the forensic retention option described above in mind.
Bandwidth management to optimize use of the network. Based on the time period selected, the ArcSight SmartAgent can aggregate similar events by collecting duplicate alerts and sending one message with a count of the total. SmartAgents can also be configured to send a batch of alerts at one time rather than sending alerts immediately after each occurrence. These collections are also configurable and can accommodate a variety of bandwidth-preserving strategies, including sending high-priority events immediately while holding low-priority events to be sent at a time when network usage is minimal.
Device-independent threat taxonomy and threat level. SmartAgents can parse the event data stream and set field values based on the policies of the organization. For example, the variety of event severity levels that devices produce can all be normalized at the agent level into a single, consistent hierarchy. Because each device vendor uses a unique name for the same event, ArcSight SmartAgents also generate a standard threat taxonomy that not only relieves the user from knowing all the message variations, but also supports device-independent reporting, filtering and correlation.
Failover support for sending events to multiple ArcSight Managers. SmartAgents can work in either redundancy or failover mode. Redundancy mode allows each event to be sent to multiple managers simultaneously. In failover mode, when the primary manager is down, the events are automatically re-routed to a secondary manager.
Rapid on-site integration of new devices via the FlexAgent. Through a simple-to-use console wizard, ArcSight's FlexAgent software allows a user to create custom SmartAgents that can read and parse information from third-party devices and map that information to ArcSight's event schema.
Private network encoding to eliminate the problem of ambiguous internal IP addresses caused by multiple subnets. This is accomplished by supplying a "security area code" to each subnet in order to uniquely identify which asset is being attacked.

FOR MORE INFORMATION, PLEASE CONTACT:
ArcSight, Inc.
5 Results Way, Cupertino, CA 95014, USA
Email: [email protected]
Phone: (408) 864-2600
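The agent-side options described under INTELLIGENCE AT THE SOURCE (source-level severity filtering, aggregation of duplicate alerts into one message with a count, immediate dispatch of high-priority events with batching of the rest, normalization of vendor severities into one hierarchy, area-code tagging of private addresses, and retention of the original message) as an added Python example. This is not ArcSight code and not ArcSight's event schema; the two log formats, the four-level severity scale, the field names and the zone tags are constructed assumptions.

```python
"""Agent-side normalization, aggregation and prioritized dispatch.

Constructed illustration of the collector behaviour a datasheet of this kind
describes. Log formats, severity scale, field names and zone tags are assumed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Common severity hierarchy every device maps into (assumed scale).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "very-high": 4}

# Snort priorities mapped onto it: 1 is the most severe.
SNORT_PRIORITY = {"1": "very-high", "2": "high", "3": "medium", "4": "low"}

def syslog_severity(pri: int) -> str:
    """Map a syslog PRI (facility*8 + severity, RFC 3164) onto the common scale."""
    sev = pri & 7
    if sev <= 2:
        return "very-high"   # emergency, alert, critical
    if sev == 3:
        return "high"        # error
    if sev == 4:
        return "medium"      # warning
    return "low"             # notice, informational, debug

# Constructed formats: a Snort fast-alert line and a firewall syslog line.
SNORT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\] .*?\[Priority: (?P<prio>\d)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)
FW_RE = re.compile(
    r"<(?P<pri>\d+)>(?P<host>\S+): (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def qualify(ip: str, zone: str) -> str:
    """Prefix private addresses with the subnet's area code, so the same RFC 1918
    address seen from two sites maps to two distinct assets."""
    return f"{zone}:{ip}" if any(ip_address(ip) in n for n in RFC1918) else ip

@dataclass
class Event:
    device: str
    name: str
    severity: str
    src: str
    dst: str
    count: int = 1
    raw: str = ""   # original message retained for forensic use

def normalize(line: str, zone: str):
    """Parse one raw line into the common event shape, or None if unknown."""
    m = SNORT_RE.search(line)
    if m:
        return Event("snort", m["msg"], SNORT_PRIORITY[m["prio"]],
                     qualify(m["src"], zone), qualify(m["dst"], zone), raw=line)
    m = FW_RE.match(line)
    if m:
        return Event(m["host"], f"{m['action']} {m['proto']}/{m['dport']}",
                     syslog_severity(int(m["pri"])),
                     qualify(m["src"], zone), qualify(m["dst"], zone), raw=line)
    return None

class Agent:
    """Collector for one subnet: filters, aggregates duplicates, sends
    high-priority events at once and holds the rest for a batch."""

    def __init__(self, zone: str, drop_below="medium", immediate_at="high"):
        self.zone = zone
        self.drop_below = SEVERITY_RANK[drop_below]
        self.immediate_at = SEVERITY_RANK[immediate_at]
        self.sent = []   # events already dispatched to the manager
        self.held = {}   # aggregation key -> Event awaiting the next flush

    def ingest(self, line: str):
        ev = normalize(line, self.zone)
        if ev is None or SEVERITY_RANK[ev.severity] < self.drop_below:
            return None   # unparseable, or filtered at the source
        if SEVERITY_RANK[ev.severity] >= self.immediate_at:
            self.sent.append(ev)   # high priority: no batching delay
            return ev
        key = (ev.device, ev.name, ev.severity, ev.src, ev.dst)  # ports excluded
        if key in self.held:
            self.held[key].count += 1   # duplicate: one message, count incremented
        else:
            self.held[key] = ev
        return ev

    def flush(self):
        """Send the held batch, e.g. when network usage is minimal."""
        batch = list(self.held.values())
        self.held.clear()
        self.sent.extend(batch)
        return batch

# Constructed sample input for a single site; 198.51.100.7 plays the attacker.
SAMPLE_LOG = [
    "03/15-10:22:01.123 [**] [1:2003:8] SQL injection attempt [**] [Priority: 2] "
    "{TCP} 198.51.100.7:4444 -> 10.1.1.20:80",
    "<132>fw1: DENY TCP 198.51.100.7:4444 -> 10.1.1.20:22",
    "<132>fw1: DENY TCP 198.51.100.7:4445 -> 10.1.1.20:22",
    "<132>fw1: DENY TCP 198.51.100.7:4446 -> 10.1.1.20:22",
    "<134>fw1: ALLOW TCP 10.1.1.5:51000 -> 10.1.1.20:443",
    "not a format this agent knows",
]

def run_sample(zone="site-a"):
    """Returns (events sent immediately, events sent in the later batch)."""
    agent = Agent(zone)
    for line in SAMPLE_LOG:
        agent.ingest(line)
    immediate = list(agent.sent)
    return immediate, agent.flush()

if __name__ == "__main__":
    now, later = run_sample()
    for ev in now + later:
        print(ev.severity, ev.device, ev.name, ev.src, "->", ev.dst, "x", ev.count)
```

On the sample input the Snort alert (priority 2, mapped to "high") is dispatched immediately, the three firewall denies (PRI 132 is facility 16, severity 4, mapped to "medium") collapse into a single batched event with count 3 because the aggregation key ignores source ports, the ALLOW line (PRI 134, severity 6, "low") is filtered at the source, and the unparseable line is dropped. The destination 10.1.1.20 is reported as "site-a:10.1.1.20", so a second site's 10.1.1.20 would not be confused with it.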