
OPSEC Partners

ArcSight

Product Version Certified: ArcSight v3.0 SmartAgent on Solaris
Certified for use with: Check Point NG

Product Description: ArcSight delivers the only enterprise framework that integrates and optimizes the management of all threats and events generated by any source of security-relevant information. By giving security professionals complete monitoring, correlation, investigation, resolution and reporting - all within a single solution - ArcSight provides a truly coordinated infrastructure that maximizes security results while decreasing overall costs.

Company Description: ArcSight is a leading provider of enterprise software solutions that enable large organizations to manage security as a critical business process while protecting vital information assets and functions. ArcSight's software improves the efficiency and effectiveness of enterprise security by integrating and automating the monitoring, correlation, investigation, resolution and reporting of threats and attacks. The security intelligence and process control delivered by ArcSight create a closed-loop partnership between business objectives, security policies and procedures and day-to-day operations.

Already, organizations in the financial services, technology, government, and e-business sectors are using ArcSight's solutions to dramatically improve the detection and resolution of threats and attacks while delivering more cost-efficient security operations.

Key Features and Benefits

The ArcSight solution enables security and information technology professionals to fuse together massive amounts of information generated by FireWall-1/VPN-1 or any other source of security-relevant information in a network, for a single, cohesive view that melds best-of-breed security products into a highly effective, unified solution.

Features

Unlike other offerings that appear to address this space, only ArcSight provides a complete solution that includes the three critical elements of enterprise security management:

  • real-time precision intelligence across vendors
  • closed-loop incident response management
  • enterprise scalability across a wide variety of platforms as well as any type of deployment from fully centralized to fully distributed

ArcSight comprises four main areas of functionality:

  • A data collection and storage system, which consolidates network-wide alarms and alerts in a normalized proprietary Security Data Schema(TM)
  • Analysis and cross-correlation tools to detect multi-source and multi-target threats in real-time as well as in forensics mode
  • Incident management workflow for efficient event investigation and resolution; and
  • Comprehensive reporting, including pre-configured and custom-developed reports, for effective communication

Benefits

The instant and precise security intelligence delivered by ArcSight's solution closes the gap between the true level of threat an organization faces and what can currently be detected and resolved, delivering the following benefits:

  • By optimizing the value of point devices (e.g. FireWall-1/VPN-1, IDSs, Access Servers, VPNs) already in place, ArcSight helps all individuals responsible for security to work smarter.
  • Greatly reduces the time required to monitor security information, freeing up hours for higher-level activities such as proactive interception of legitimate threats.
  • Separates real events from the "white noise" in the environment.
  • Enables even non-security personnel, such as systems administrators, CIOs, CTOs and staff from auditing and legal departments, to monitor and understand what is happening in the security environment.

OPSEC Integration

Background Information

The ArcSight solution is based on a three-tier architecture of:

  • ArcSight SmartAgents (TM) collect 100% of the alerts and events from FireWall-1/VPN-1, IDSs, Routers and other sources of network security information.
  • The ArcSight Manager component then normalizes the data in a proprietary Security Data Schema(TM), storing it in a relational database and computing all additional analysis, reporting and management services.
  • The ArcSight Console, a complete workstation application, displays event data in real time and forensically through numerous tabular and graphical formats. System administration, SmartRules authoring, incident investigation and report generation are done through the Console's graphical user interface.

Integration Details

The ArcSight SmartAgent for Check Point FireWall-1/VPN-1 serves as the LEA client, retrieving alerts from the LEA Server in real time and sending them to the ArcSight Manager. The ArcSight Manager parses the Check Point FireWall-1/VPN-1 security events and normalizes them in ArcSight's proprietary and extensible data schema. These FireWall-1/VPN-1 security events are stored together with events from a large variety of network and security products in a central database.

This centralized and normalized data repository is the basis for ArcSight SmartRules(TM), which detect and report multi-source, multi-target threats and attacks while filtering out the majority of false positives. Correlated data can trigger a notification based on a wide variety of pre-configured conditions, or through custom-designed rules developed by the security staff. SmartRules can be applied to real-time data as well as during the analysis of forensic data stored in the centralized database.
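The normalize-then-correlate pattern described in the two paragraphs above, as an added illustration that is not ArcSight code: Check Point-style semicolon-delimited firewall records are parsed, mapped onto a common event schema, and a cross-device rule flags a source whose dropped connections touch several distinct destination ports within a short window. The field layout, field names and log lines are constructed for the example; the real LEA field set and ArcSight's Security Data Schema differ.

```python
"""Normalize firewall log records into a common schema, then correlate across devices.

Added example, not ArcSight's own code. The RAW_LOG records and the schema field
names below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: a header of field names, then one semicolon-separated row per event.
# Two gateways (fw1, fw2) each see part of the same probing from 10.1.1.5.
RAW_LOG = """\
time;action;orig;src;dst;proto;service;rule
2002-03-01 10:00:01;drop;fw1;10.1.1.5;192.0.2.10;tcp;22;7
2002-03-01 10:00:02;drop;fw1;10.1.1.5;192.0.2.10;tcp;23;7
2002-03-01 10:00:03;drop;fw2;10.1.1.5;192.0.2.20;tcp;80;7
2002-03-01 10:00:04;drop;fw2;10.1.1.5;192.0.2.20;tcp;443;7
2002-03-01 10:00:05;drop;fw1;10.1.1.5;192.0.2.10;tcp;3389;7
2002-03-01 10:00:06;accept;fw1;10.1.1.9;192.0.2.10;tcp;80;2
2002-03-01 10:00:07;drop;fw1;10.1.1.9;192.0.2.10;udp;137;9
2002-03-01 10:05:30;drop;fw1;10.1.1.5;192.0.2.10;tcp;25;7
"""


def parse_records(raw):
    """Split the delimited text into one dict per row, keyed by the header fields."""
    lines = [line for line in raw.splitlines() if line.strip()]
    fields = lines[0].split(";")
    return [dict(zip(fields, line.split(";"))) for line in lines[1:]]


def normalize(rec):
    """Map vendor-specific field names onto a common event schema (constructed here)."""
    return {
        "ts": datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S"),
        "device": rec["orig"],
        "outcome": rec["action"],
        "src_ip": rec["src"],
        "dst_ip": rec["dst"],
        "proto": rec["proto"],
        "dst_port": int(rec["service"]),
        "rule": rec["rule"],
    }


def port_scan_alerts(events, min_ports=4, window=timedelta(seconds=60)):
    """Flag a source whose dropped connections hit >= min_ports distinct destination
    ports within `window`. Events from every device are pooled per source, so a probe
    spread over several gateways is still detected. Accepted traffic is ignored as noise."""
    drops = sorted((e for e in events if e["outcome"] == "drop"), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in drops:
        by_src[e["src_ip"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            ports = {e["dst_port"] for e in win}
            if len(ports) >= min_ports:
                alerts.append({
                    "src_ip": src,
                    "ports": sorted(ports),
                    "devices": sorted({e["device"] for e in win}),
                    "first_seen": win[0]["ts"],
                    "last_seen": win[-1]["ts"],
                })
                break  # one alert per source is enough for this rule
    return alerts


def run(raw=RAW_LOG):
    """Parse, normalize and correlate; returns the list of alerts."""
    return port_scan_alerts([normalize(r) for r in parse_records(raw)])


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

With the constructed input the rule raises one alert for 10.1.1.5 covering ports 22, 23, 80 and 443 seen across both fw1 and fw2; the single dropped NetBIOS probe from 10.1.1.9 and the accepted web request stay below threshold. Neither gateway alone has enough dropped ports in the window to satisfy the rule, which is the point of correlating over the normalized, centralized store rather than per device.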

Furthermore, the ArcSight Manager includes an independent reporting engine, which is used to generate a large variety of cross-vendor/cross-device security reports as well as vendor-specific reports for the security analyst. The reporting engine enables unlimited reporting capabilities, including the customization of SQL queries on the normalized security event data table via a proprietary report definition GUI. Among others, reports for all protocols monitored by FireWall-1/VPN-1 are available at install.

ArcSight's LEA client uses HTTP (typically on port 80 or 8080) and HTTPS (typically on port 443 or 8443) to communicate with the ArcSight Manager. This traffic must be permitted only from the host where ArcSight's LEA client resides to the host where the ArcSight Manager resides, and only on the port actually configured for the deployment, rather than opening the Manager's ports to the network at large.