1. Effective Log Management
Terry Bishop, Sales Engineer
2 March 2011
2. The Market Leader
For those of you new to our company, here is a brief history of “Who we are”, “How we are recognized” and “Who our customers are”.
ArcSight was founded in 2000 and has grown significantly to become the ONLY pure-play SIEM vendor that is publicly traded.
Our efforts have been well recognized by reviewers, analysts and the industry at large.
IDC has recognized us as the #1 market leader in terms of market share: we have around 19% of the total market, more than twice the share of the next vendor.
Gartner has placed ArcSight in the Leaders quadrant of the SIEM Magic Quadrant for SIX consecutive years.
In 2008 Gartner also started assigning critical-capability scores, and ArcSight received the highest scores for both Event Management and Log Management in both the 2008 and 2009 reports.
A recent survey by InfoPro ranked ArcSight the #1 vendor for "in use" SIEM and log management purchases by Fortune 1000 companies.
ArcSight is also among the 500 fastest-growing technology companies in North America according to a recent report by Deloitte.
Similar recognition comes from other analysts, the press and industry awards, but most of all our validation comes from the companies successfully using us. That list includes more than 1,800 organizations worldwide, of all sizes and across all industries. In fact, 30% of the Fortune 100, 37% of the companies in the Dow Jones index and 6 of the top 10 world banks rely on ArcSight.
[next slide]
3. Cybercrime Keeps Growing
© 2010 ArcSight Confidential www.arcsight.com
And the result of this challenging task is continued growth in cybercrime. Some of the splashier breaches we’ve read about recently all came about when management didn’t have visibility into threats on the network. Taken together, just these four resulted in hundreds of millions of breached accounts and hundreds of millions of dollars lost. And these are just a small handful, the tip of the iceberg. If Google, one of the most technically sophisticated organizations on the planet, could get hacked, what is the impact on the thousands of other firms that aren’t as secure as Google?
But the most interesting thing about these breaches is not just the impact, but also how they happened…
4. ArcSight Platform The log management capabilities from ArcSight are part of the broader ArcSight platform which provides an integrated growth path to extract more value from log data through real time event correlation and content modules for monitoring users, applications, compliance controls, and specialized problems like fraud.
5. I am sure you are aware of the various log management drivers, but let us look at the top 3.
Modern networks generate millions and millions of logs every day. In a recent cybersecurity survey conducted by ArcSight, respondents said they have, on average, more than 1,000 devices producing security-relevant logs.
This massive and growing volume of daily log data affects security, IT operations and compliance. The basic questions that come up over and over again are the following:
How will you investigate new cyber-incidents?
How will you troubleshoot your network?
How will you pass your audits?
6. ArcSight Logger – Collect and Search Everything
7. ArcSight Express - Complete Visibility
With ArcSight, you get instant detection of activities affecting everything on your network: new zero-day outbreaks as they spread, your confidential databases, your key users, everything. You see the patterns and the connections and get the context you need to take action.
8. Capture Everything
ArcSight Connectors provide intelligent out-of-the-box log collection for over 275 commercial log sources, ranging from network and security devices through databases, operating systems and commercial applications, with the ability to easily incorporate homegrown or legacy sources using a simple wizard interface. ArcSight Logger can also accept direct raw feeds from any syslog device or file-based log source.
Connectors don’t simply collect logs; they make analysis a lot simpler by translating logs from the hundreds of different formats in existence into one common event format. This future-proofs all of your log analysis content (reports, alerts, searches) against vendor swap-outs. So if you replace a Cisco PIX device with a Check Point firewall, all of your content continues to work seamlessly.
Connectors can be deployed centrally with ArcSight Logger, or installed closer to the end devices in remote locations to ensure audit-quality collection by providing a secure and reliable path for log traffic back to the data center. Connectors also deliver bandwidth controls to ensure that transactional traffic is never overwhelmed by log traffic on low-bandwidth links.
Connectors are available in a range of performance options: as rack-mountable appliances for large data centers, as tabletop appliances for branch offices or remote stores, and as installable software where you have existing hardware with spare computing cycles.
Simply put, Connectors insulate your device choices from your analysis, which is a key differentiator over other solutions. This not only simplifies analysis; it also ensures that your log monitoring architecture will continue to function regardless of the underlying devices you have and the vendors you choose to go with.
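The normalization step described above, as an added worked example that is not ArcSight Connector code: two constructed firewall lines in different vendor styles are mapped to one record, written out in the layout of the publicly documented Common Event Format (the seven CEF header fields plus standard extension keys such as act, src, spt, dst, dpt and dvchost), parsed back with the format's escaping rules, and then searched with a single vendor-independent query. The raw line formats, the regexes that read them, the vendor names and the signature IDs are assumptions made for this example.

```python
"""Added example, not ArcSight Connector code: normalize two vendor-specific
firewall log lines into one common record, write it in the layout of the
publicly documented Common Event Format (CEF), parse it back with correct
escaping, and run one vendor-independent search. The raw lines and the
regexes that read them are constructed for this example."""
import re

# Constructed syslog lines in two made-up vendor styles; both say the same
# thing: an inbound SSH connection from 203.0.113.9 to 10.0.0.5 was blocked.
RAW_LINES = [
    'Mar  2 10:15:01 fw-a %FW-4-106023: Deny tcp src outside:203.0.113.9/41022 '
    'dst inside:10.0.0.5/22 by access-group "outside_in"',
    'Mar  2 10:15:03 fw-b action=drop proto=tcp src=203.0.113.9 s_port=41023 '
    'dst=10.0.0.5 service=22 rule=12',
]
_HDR = r'^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) '
_STYLE_A = re.compile(_HDR + r'%FW-\d-(?P<sig>\d+): (?P<act>Deny|Permit) (?P<proto>\w+) '
                      r'src \w+:(?P<src>[\d.]+)/(?P<spt>\d+) dst \w+:(?P<dst>[\d.]+)/(?P<dpt>\d+)')
_STYLE_B = re.compile(_HDR + r'(?P<kv>(?:\w+=\S+\s*)+)$')
_ACTION_B = {"drop": "deny", "reject": "deny", "accept": "permit"}

def _record(vendor, product, sig, act, proto, src, spt, dst, dpt, host):
    # Common shape: seven CEF header fields plus standard CEF extension keys.
    return {"vendor": vendor, "product": product, "version": "1.0", "sig": sig,
            "name": "Connection " + act, "severity": "4" if act == "deny" else "2",
            "ext": {"act": act, "proto": proto.upper(), "src": src, "spt": spt,
                    "dst": dst, "dpt": dpt, "dvchost": host}}

def parse_style_a(line):
    m = _STYLE_A.match(line)   # positional text with a Deny/Permit keyword
    if not m:
        return None
    return _record("VendorA", "FirewallA", m["sig"], m["act"].lower(), m["proto"],
                   m["src"], m["spt"], m["dst"], m["dpt"], m["host"])

def parse_style_b(line):
    m = _STYLE_B.match(line)   # key=value pairs using the vendor's own key names
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m["kv"].split())
    return _record("VendorB", "FirewallB", "rule-" + kv["rule"],
                   _ACTION_B.get(kv["action"], kv["action"]), kv["proto"],
                   kv["src"], kv["s_port"], kv["dst"], kv["service"], m["host"])

def normalize(line):
    for parser in (parse_style_a, parse_style_b):
        rec = parser(line)
        if rec is not None:
            return rec
    return None   # unknown format: keep the raw line rather than drop it silently

def _esc(value, special):
    # Backslash is always escaped; '|' in header fields, '=' in extension values.
    return str(value).replace("\\", "\\\\").replace(special, "\\" + special)

def to_cef(rec):
    head = "|".join(_esc(v, "|") for v in ("CEF:0", rec["vendor"], rec["product"],
                                            rec["version"], rec["sig"], rec["name"], rec["severity"]))
    return head + "|" + " ".join(f"{k}={_esc(v, '=')}" for k, v in rec["ext"].items())

def _unescaped(s, ch):
    # Positions of ch preceded by an even number of backslashes (i.e. not escaped).
    return [m.end() - 1 for m in re.finditer(r"(?<!\\)(?:\\\\)*" + re.escape(ch), s)]

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_cef(line):
    pipes = _unescaped(line, "|")
    if not line.startswith("CEF:") or len(pipes) < 7:
        raise ValueError("not a CEF line")
    cuts = [-1] + pipes[:7]
    fields = [_unescape(line[a + 1:b]) for a, b in zip(cuts, cuts[1:])]
    ext_text, keys = line[pipes[6] + 1:], []
    # A key is a run of [A-Za-z0-9_.] ending at an unescaped '=' and preceded by
    # start-of-text or whitespace; its value runs until the next key begins.
    for p in _unescaped(ext_text, "="):
        k = p
        while k > 0 and (ext_text[k - 1].isalnum() or ext_text[k - 1] in "_."):
            k -= 1
        if k < p and (k == 0 or ext_text[k - 1].isspace()):
            keys.append((k, p))
    ext = {}
    for i, (k, p) in enumerate(keys):
        end = keys[i + 1][0] if i + 1 < len(keys) else len(ext_text)
        ext[ext_text[k:p]] = _unescape(ext_text[p + 1:end].rstrip())
    return {"vendor": fields[1], "product": fields[2], "version": fields[3],
            "sig": fields[4], "name": fields[5], "severity": fields[6], "ext": ext}

def denied_to_port(cef_lines, dst_port):
    # One search, written against the common field names, covers both vendors.
    return [(e["ext"]["dvchost"], e["ext"]["src"], e["ext"]["spt"])
            for e in map(parse_cef, cef_lines)
            if e["ext"].get("act") == "deny" and e["ext"].get("dpt") == str(dst_port)]
```

The check a practitioner should make before relying on this kind of insulation is the mapping itself: content keeps working after a vendor swap only if the new source's parser populates the same common fields with the same semantics (here, action values are collapsed to deny/permit and ports land in the standard keys). A line no parser recognizes is returned as None rather than discarded, so a gap in collection stays visible instead of disappearing into the normalized stream.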
9. ArcSight Logger - Analyze Anything
The other key advantage of ArcSight Logger is that it enables unified analysis across all types of data (structured and unstructured) in a “single pane of glass” via a Google-like interface. In addition to simplicity, ArcSight Logger provides ultra-fast searching (millions of events per second) and reporting, handling terabytes of data in seconds. In fact, in a recent ArcSight cybersecurity survey three-quarters of respondents said they very rarely or hardly ever knew exactly what to look for when researching a cyber attack. Unified analysis in ArcSight Logger helps paint the complete picture and speeds the detection and remediation of cyber attacks.
Now most organizations don’t have the time or the expertise to build content (reports, dashboards or real-time alerts) from scratch for specific use cases. That’s why ArcSight has developed a set of solutions layered on top of ArcSight Logger that include extensive out-of-the-box content for general security monitoring, as well as compliance monitoring for PCI, SOX or general IT governance, based on standards such as ISO and NIST.
These packages include comprehensive content that delivers forensics on the fly: dashboards, drill-down reports, intelligent searches and real-time alerts.
10. Use Everywhere
ArcSight Logger supports multiple deployment options and comes in different sizes. As mentioned earlier, most log management tools achieve fast log analysis by compromising collection rates and storage efficiency, or by requiring more hardware. ArcSight Logger is uniquely architected to minimize that trade-off, enabling a single ArcSight Logger appliance to capture raw logs at rates of up to 100,000 events per second, compress and store up to 42 TB of logs within a single instance, and search through millions of events each second regardless of log format or source.
For smaller organizations, there is an all-in-one Logger appliance that includes not just storage and analysis but also connectors on board, creating a true all-in-one experience: there is no need to deploy separate collection agents, procure and deploy hardware, or make a separate storage investment. For larger and distributed organizations, ArcSight Logger is available in a range of performance options, both as an appliance and as software, which provides the flexibility and scale for tiered deployments of any size.
11. What distinguishes ArcSight’s analysis engine is its support for forensics on the fly. With a lot of log management solutions, each step of an investigation requires building new content: if you are looking at a report and notice an anomaly, you have to generate a new report to take the next logical step of the analysis.
That’s not the case with ArcSight Logger. It starts with personalized dashboards that are composed of
CLICK ONCE
drill-down reports, so you can go from one report to another seamlessly using pre-built navigation paths.
CLICK ONCE
From reports you can switch to forensic searches over the common event format, which are simple, intuitive and fast.
CLICK ONCE
Any search expression can easily be converted into a real-time alert for immediate notification.
Let’s look at each of these elements of analysis individually.
12. ArcSight Logger is the industry’s first solution to address the growing need for universal log management. With ArcSight Logger you can capture everything, analyze anything, and use it everywhere.
Most log management tools were designed to tackle use cases specific to a certain IT team, and as a result they are only optimized to capture and analyze logs from specific event sources. These solutions were not architected to handle the number or variety of event sources, the event volume, the retention requirements, or the flexibility in analysis needed for organization-wide log management. Stretching these first-generation log management tools imposes significant trade-offs between log collection rate, log analysis speed and log storage efficiency. A universal log management solution must eliminate this classic trade-off between performance and efficiency.
ArcSight Logger uses patented technology to minimize this trade-off, and here’s how we do that…
[next slide]
13. ArcSight Express Enables Complete Visibility
With ArcSight, you get instant detection of activities affecting everything on your network: new zero-day outbreaks as they spread, your confidential databases, your key users, everything. You see the patterns and the connections and get the context you need to take action.
14. Advanced Correlation Correlate common identifiers such as email address, badge ID, phone extension, server name, network
Events occurring across devices that identify activity by different attributes
Attribute the event to a unique “identity” allowing correlation across any type of device
15. Example Dashboard: Employee/Contractor Monitoring
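The cross-device identity correlation described on slides 14 and 15, as an added example that is not ArcSight ESM content: a small constructed identity directory is indexed by every attribute a device might log (e-mail address, badge ID, phone extension, account name), each event is attributed to one identity, and a rule then correlates on that identity across a badge reader, a VPN gateway, a PBX and a database server. The directory, the events, the device names, the 30-minute window and the badge-versus-remote-VPN rule are all assumptions made for this example.

```python
"""Added example, not ArcSight ESM content: resolve the different identifiers
devices report (badge ID, e-mail address, phone extension, server account) to
one identity, then correlate across device types on that identity. The
directory and events below are constructed; the rule is the office-badge
versus remote-VPN check used for employee and contractor monitoring."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity directory; in practice fed from HR or the directory service.
DIRECTORY = [
    {"id": "u1001", "email": "alee@example.com", "badge": "B-4471", "ext": "2231",
     "accounts": ["alee", "CORP\\alee"]},
    {"id": "u1002", "email": "rdiaz@example.com", "badge": "B-9902", "ext": "2240",
     "accounts": ["rdiaz"]},
]

# Constructed events from four device types; each names the actor differently.
EVENTS = [
    {"ts": "2011-03-02T08:58:00", "device": "badge-reader-hq", "kind": "badge_in",
     "badge": "B-4471", "site": "HQ"},
    {"ts": "2011-03-02T09:02:00", "device": "vpn-gw-1", "kind": "vpn_login",
     "email": "ALee@Example.com", "src_ip": "198.51.100.7", "geo": "remote"},
    {"ts": "2011-03-02T09:05:00", "device": "pbx-1", "kind": "call", "ext": "2240"},
    {"ts": "2011-03-02T09:10:00", "device": "srv-db-01", "kind": "auth_success",
     "account": "CORP\\alee"},
    {"ts": "2011-03-02T18:00:00", "device": "vpn-gw-1", "kind": "vpn_login",
     "email": "rdiaz@example.com", "src_ip": "203.0.113.40", "geo": "remote"},
    {"ts": "2011-03-02T18:05:00", "device": "srv-db-01", "kind": "auth_success",
     "account": "svc-backup"},
]

# Identifier kinds that compare case-insensitively (e-mail, account names).
_CASEFOLD = {"email", "account"}

def build_index(directory):
    """Map (identifier kind, value) -> identity id for every attribute in the directory."""
    idx = {}
    for person in directory:
        idx[("email", person["email"].lower())] = person["id"]
        idx[("badge", person["badge"])] = person["id"]
        idx[("ext", person["ext"])] = person["id"]
        for acct in person["accounts"]:
            idx[("account", acct.lower())] = person["id"]
    return idx

def resolve(event, index):
    """Return the identity id behind an event, or None if no attribute maps."""
    for kind in ("email", "badge", "ext", "account"):
        if kind in event:
            value = event[kind].lower() if kind in _CASEFOLD else event[kind]
            if (kind, value) in index:
                return index[(kind, value)]
    return None

def attribute(events, index):
    """Group events by resolved identity; unresolved ones are returned separately."""
    by_id, unresolved = defaultdict(list), []
    for ev in events:
        who = resolve(ev, index)
        (by_id[who] if who else unresolved).append(ev)
    for evs in by_id.values():
        evs.sort(key=lambda e: e["ts"])
    return by_id, unresolved

def timeline(events, index, identity):
    """Cross-device activity of one identity, whatever attribute each device logged."""
    by_id, _ = attribute(events, index)
    return [(e["ts"], e["device"], e["kind"]) for e in by_id.get(identity, [])]

def badge_vs_remote_vpn(events, index, window=timedelta(minutes=30)):
    """Alert when one identity badges into a site and logs in over VPN from a remote
    address within `window`: one of the two credentials is probably not in the
    employee's hands."""
    by_id, _ = attribute(events, index)
    alerts = []
    for who, evs in by_id.items():
        badges = [e for e in evs if e["kind"] == "badge_in"]
        vpns = [e for e in evs if e["kind"] == "vpn_login" and e.get("geo") == "remote"]
        for b in badges:
            for v in vpns:
                gap = abs(datetime.fromisoformat(v["ts"]) - datetime.fromisoformat(b["ts"]))
                if gap <= window:
                    alerts.append({"identity": who, "site": b["site"], "src_ip": v["src_ip"],
                                   "minutes_apart": int(gap.total_seconds() // 60)})
    return alerts
```

Events whose identifier does not resolve are kept in a separate list rather than dropped; in a real deployment those deserve a report of their own, since service accounts and stale directory entries are exactly where attribution breaks down and where a rule like the one above will go silent.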
16. Powerful And Flexible Reporting
ArcSight also has a powerful reporting engine built in.
ArcSight includes over 350 standard reports out of the box; these can easily be run against events based on categorization, asset priority, etc.
We also bundle an ISO 17799 reporting package which provides the framework for all compliance reporting. We include Sarbanes-Oxley and HIPAA content as well.
ESM has a GUI report writer built into the product to simplify custom and ad hoc reporting needs. This is nice because no SQL experience is needed to create or modify reports.
17. Summary – ArcSight ETRM Platform
So let me summarize. I hope I have shown that, due to modern cybercrime, business faces more risk than ever, that what used to work won’t work going forward, and that something very different is required.
ArcSight provides the only platform that can detect, manage and minimize modern threats. With ArcSight you get complete visibility into who is affecting your business, your systems are safer and therefore have better uptime, and you achieve better compliance with less effort.
I look forward to talking through the products in more detail and showing exactly how each product can meet your needs.