Architecture and sizing – Security Presales
microfocus.fundorfina.pl/wp-content/uploads/2019/... ·...

Post on 20-May-2020

ArcSight Architecture and Sizing

Cfir Homeri, Security Presales
Cfir.homeri@microfocus.com

Strongest selling points

• (ADP) Connectors – Flex, out of the box, separate domains, Voltage integration
• (ADP) Event Broker – Kafka, redundancy, third party, order (spaghetti data center), one focal point
• (ADP) ArcMC – central management, device monitoring, deployment view, rules for health monitoring
• ESM – the best correlation engine, experience, HA and DR, on premise or cloud, license
• Logger – long term, performance, distribution, part of the ADP (lower price)
• Investigate – Vertica, integration, simple to use, user experience, road map

How to start?

• Top risk
• Business
• Who is working at the SOC
• Network topology
• How many employees
• Main services
• Cloud or on premise
• Security solutions you have

Micro Focus ArcSight Sizing Discovery.xlsx

The New ArcSight Architecture

Data sources: User, Cloud, App, Servers & Workloads, Network, Endpoints, IoT, Physical

• ArcSight Enterprise Security Manager – 24x7 real-time monitoring & correlation
• UEBA – User Entity Behavior Analytics
• ArcSight Logger – Compliance | Search | Retention
• ArcSight Investigate – Hunt | Investigation
• Security Open Data Platform
• Management Center – suite management & administration
• Transformation Hub – information delivery
• Smart/Flex Connectors – data collection, enrichment, and normalization
• Content – Unified | Actionable | Insight
• Web Console – accessible monitoring & platform management

ArcSight – in a Nutshell

Integrated, single solution working towards the same goal: Intelligent Security Operations!

• ArcSight ESM for real-time prevention and detection @ 100K+ EPS
• ADP Logger for long-term log retention & compliance @ 1M+ EPS
• ArcMC for single-pane-of-glass management
• Investigate for hunting & analytics at blazing speed @ 1M+ EPS
• Event Broker to be the message bus of choice to feed the single security big data lake & beyond (Hadoop, 3rd party data lakes, etc…) for 1M+ EPS

You invest in the vision of Micro Focus, which sees Intelligent Security Operations at the center of the enterprise security paradigm.

Building High Level Design – Example 1

“Solution with low cost, regulation, investigation if needed”

Building High Level Design – Example 1

“Low cost, regulation, correlation if needed; there are no people”

Components: Logger / ESM

Building High Level Design – Example 2

“We are just starting to build our SOC, need early success, save data for one year”

Components: Logger, ESM, ArcMC

Building High Level Design – Example 3

“We have been running the SOC for the last 2 years; we are looking for a high speed investigation tool and SOAR support to take our capabilities to the next level”

Components: Logger, ESM, ArcMC, Investigate, Event Broker, SOAR


Building High Level Design – Example 3, with full DR and HA support

Components: Logger, ESM, ArcMC, Investigate, Event Broker, SOAR

Intelligent Security Operations – reference architecture

Data sources: any (User, Cloud, App, Servers & Workloads, Network, Endpoints)

Log Collection Layer
• SmartConnector clusters (several SmartConnectors per cluster)
• Event Broker cluster: Event Broker Cluster Node 1, Node 2, Node 3 … Node n (where n is an odd number); add Event Broker nodes as performance requires

ArcSight Data Platform (ADP)
• Logger pool / cluster – Logger 6.4 or up
• ArcMC 2.6 or up

Correlation Layer
• ESM 6.11 or up

Hunting & Analytics & Investigation
• ArcSight Investigate on a Vertica cluster: Vertica DB on Vertica Cluster Node 1, Node 2, Node 3 … Node n (where n is an odd number)

Integration / Command
• 3rd parties, e.g. Hadoop

Logger pools / clusters (Logger 6.4 or up) for Production, HA/DR, and Compliance & Reporting

Legend: Event Flow; Management Traffic

Building High Level Design

Sizing

HPE ArcSight Sizing Worksheet FY18-16-0801.xlsm

Event Broker Sizing

Sizing: Event Broker – 2 days retention (caching) – 10K EPS – 3 nodes

Sizing: Event Broker – 2 days retention (caching) – 10K EPS – 5 nodes

Sizing: Event Broker – 2 days retention (caching) – 25K EPS – 5 nodes

Sizing: Event Broker – Best Practices: [5] x nodes of VM/physical server, each with the following hardware specs

- ___ TB of disk space + OS (100 GB)

- Recommend Gen9/Gen10 hardware (ProLiant DL380, etc…)

- 64 GB RAM (32 GB RAM is OK – this is the absolute minimum – DO NOT GO BELOW THIS NUMBER)

- 2 x CPU with 12 cores per CPU = 24 CPU cores

- 15K RPM SAS (10K RPM is OK)

- 10 Gbit/s NICs (most important) – DO NOT GO BELOW THIS NUMBER

VMs are OK to use if the recommended hardware specs can be guaranteed per VM.

- At least equivalent to Gen9 in a virtual environment.

It is about choosing an appropriate “cookie cutter” (VM) hardware configuration: the same hardware for nodes added over time.

Low latency is critical – 10 Gbit network only.

Consider the multiple topics that need to be fulfilled based on consumers – CEF, CEF binary for ESM (two connector destinations) and Avro for Investigate (transformation performed at the Event Broker).

___ TB of disk space PER NODE for events/index only. Can be SAN, but needs the lowest latency possible. SSD is not mandatory.

Keep in mind that compression in Kafka is performed on the producer (e.g. the SmartConnector) using GZIP. Kafka itself plays no role in compression of the data.
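The sizing slides leave the per-node disk figure blank, so the following is an added example, not the deck's worksheet and not a Micro Focus tool, that turns the slide's inputs (EPS, days of retention, node count, one topic per consumer, producer-side GZIP) into a per-node disk estimate and goes one step further by deriving the smallest odd node count that keeps each node under a disk ceiling. The per-topic event sizes, GZIP ratios, replication factor, index overhead and headroom are constructed assumptions to be replaced with measurements from your own connectors.

```python
"""Event Broker (Kafka) retention sizing estimate (added example, constructed assumptions)."""
from __future__ import annotations

from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
BYTES_PER_TB = 1_000_000_000_000  # decimal TB, the unit the sizing slide uses


@dataclass(frozen=True)
class Topic:
    """One Kafka topic the broker must retain for a consumer."""
    name: str
    avg_event_bytes: int   # uncompressed size of one event on this topic (assumption)
    gzip_ratio: float      # stored/raw after producer-side GZIP (assumption)


# The three consumer-driven topics named on the slide: CEF, CEF binary for ESM,
# Avro for Investigate. Every incoming event is written once to each of them.
DEFAULT_TOPICS: tuple[Topic, ...] = (
    Topic("cef", 800, 0.25),
    Topic("cef-binary", 600, 0.35),
    Topic("avro", 700, 0.40),
)


def stored_bytes_per_event(topics: tuple[Topic, ...] = DEFAULT_TOPICS) -> float:
    """Bytes one incoming event occupies on disk, summed over all topics.
    Compression happens on the producer (the connector), so the broker stores the
    already-compressed payload and adds no compression of its own."""
    return sum(t.avg_event_bytes * t.gzip_ratio for t in topics)


def cluster_bytes(eps: float, retention_days: float, replication: int = 3,
                  index_overhead: float = 0.10,
                  topics: tuple[Topic, ...] = DEFAULT_TOPICS) -> float:
    """Total bytes the whole cluster holds for the retention window, including
    replica copies and Kafka's per-segment index files (index_overhead is an assumption)."""
    events = eps * SECONDS_PER_DAY * retention_days
    return events * stored_bytes_per_event(topics) * replication * (1 + index_overhead)


def per_node_disk_tb(eps: float, retention_days: float, nodes: int,
                     replication: int = 3, headroom: float = 0.30, **kw) -> float:
    """Event/index disk per node in TB; the OS disk (100 GB on the slide) is extra.
    Headroom covers segments not yet eligible for deletion and uneven partition placement."""
    if nodes < replication:
        raise ValueError(f"{nodes} nodes cannot hold {replication} replicas")
    if nodes % 2 == 0:
        raise ValueError("use an odd node count, as the reference architecture requires")
    total = cluster_bytes(eps, retention_days, replication, **kw)
    return total * (1 + headroom) / nodes / BYTES_PER_TB


def recommend_nodes(eps: float, retention_days: float, max_tb_per_node: float,
                    replication: int = 3, max_nodes: int = 21) -> int:
    """Smallest odd node count (at least the replication factor) whose per-node disk
    stays within max_tb_per_node; the slide's 3-node vs 5-node pairs fall out of this."""
    start = replication if replication % 2 else replication + 1
    for nodes in range(start, max_nodes + 1, 2):
        if per_node_disk_tb(eps, retention_days, nodes, replication) <= max_tb_per_node:
            return nodes
    raise ValueError("retention does not fit even with the maximum node count")


if __name__ == "__main__":
    for eps, days, nodes in ((10_000, 2, 3), (10_000, 2, 5), (25_000, 2, 5)):
        print(f"{eps:>6} EPS, {days} days, {nodes} nodes: "
              f"{per_node_disk_tb(eps, days, nodes):.2f} TB per node")
    print("nodes for 25K EPS under 4 TB/node:", recommend_nodes(25_000, 2, 4.0))
```

The even-node rejection is deliberate: the reference architecture calls for an odd node count, and catching that at planning time is cheaper than discovering it during deployment. Measured event sizes matter more than any other input here, because CEF text from a chatty source can easily be two or three times the assumed size.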

MSSP

MSSP solution goals

• Managing different customers on the same platform

• Easy to implement

• Enable access using policy and permission

• Separate data

• Flexible growth

• Full audit

• GDPR and compliance on privacy issues

Single ESM Server

Multiple ESM Servers

Network Model

Asset ranges - represent a set of network nodes addressable by a contiguous block of IP addresses.

Zones - represent portions of the network itself and are also characterized by a contiguous block of addresses.

Locations - describe the geographic location of assets, asset groups, or zones.

End point detection – Stage 2

Micro Focus Confidential

10.0.2.0\24 10.0.3.0\24

10.0.1.0\24

Cyber_1

BYOD –Asset ranges

Zones

Network

Con 1

Con 2

Con 3

Locations

• Tagging is a feature developed mainly to support MSSP environments.

• Designation identifies who owns the events. This ensures each customer (tenant) can view only its own events.

Customer


(Diagram: zones 10.0.2.0/24, 10.0.3.0/24 and 10.0.1.0/24; customer Cyber_1; connectors Con 1, Con 2, Con 3. Legend: Zone, Network, Customer, Connectors, Raw data, Location.)

Access Control Lists (ACLs)

• What you can see

• What you can do

MSSP Content Management Guidelines

• Events

• Cases

• Reports

• Data Monitors

• Dashboards

• Notifications

• Rules

Managing Storage Groups

This ensures all events from a connector go to the designated storage group.

Rule: Event Counts Detected

Query: Daily Average EPS

Report 1: Daily EPS Usage for All Customers

MSSP

• Flexible architecture
• Support multi-tenant
• Permissions (can see, can do)
• Storage separation
• Full audit log
• Data encryption – privacy issue
• Customer reports
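The network model slide (asset ranges, zones and locations as contiguous IP blocks) and the MSSP slides (customer designation per connector, "what you can see" vs "what you can do", one storage group per customer, the daily average EPS query) describe one mechanism from several angles. The following is an added example, not code from the deck or from ArcSight, that models that mechanism end to end: the three /24 zones, the customer Cyber_1 and connectors Con 1..3 come from the slides; the zone names and locations, the second customer Acme_2, the connector-to-customer assignment and every sample event are constructed.

```python
"""Multi-tenant event tagging and tenant-scoped visibility (added example, constructed data)."""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Zone:
    name: str
    network: ipaddress.IPv4Network  # zones are contiguous blocks of addresses
    location: str                   # geographic location of the zone


# The three /24 blocks drawn on the slide; names and locations are constructed.
ZONES = (
    Zone("zone-1", ipaddress.ip_network("10.0.1.0/24"), "site-A"),
    Zone("zone-2", ipaddress.ip_network("10.0.2.0/24"), "site-A"),
    Zone("zone-3", ipaddress.ip_network("10.0.3.0/24"), "site-B"),
)

# Customer designation: which tenant owns everything a connector forwards.
# Cyber_1 and Con 1..3 are from the slide; Acme_2 and the mapping are constructed.
CONNECTOR_CUSTOMER = {"Con 1": "Cyber_1", "Con 2": "Cyber_1", "Con 3": "Acme_2"}


@dataclass(frozen=True)
class User:
    name: str
    customer: Optional[str]      # tenant the analyst belongs to; None for MSSP staff
    permissions: frozenset       # "what you can do": e.g. view, run_reports, edit_rules
    all_customers: bool = False  # "what you can see": cross-tenant visibility for MSSP staff


def zone_for(ip: str) -> Optional[Zone]:
    """Resolve an address to the zone whose block contains it, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    return next((z for z in ZONES if addr in z.network), None)


def tag_event(raw: dict) -> dict:
    """Stamp customer, zone and location onto a raw connector event.
    Fails closed: an event from an unregistered connector has no owner, so it is
    rejected instead of becoming visible to nobody or, worse, to everybody."""
    connector = raw["connector"]
    if connector not in CONNECTOR_CUSTOMER:
        raise ValueError(f"connector {connector!r} has no customer designation")
    zone = zone_for(raw["src_ip"])
    return {**raw, "customer": CONNECTOR_CUSTOMER[connector],
            "zone": zone.name if zone else None,
            "location": zone.location if zone else None}


def storage_group_for(event: dict) -> str:
    """Route by the tag, so all events from a connector land in its tenant's storage group."""
    return f"sg-{event['customer']}"


def visible_events(user: User, events: list[dict]) -> list[dict]:
    """Apply the ACL: first 'what you can do' (the view right), then 'what you can see'."""
    if "view" not in user.permissions:
        return []
    if user.all_customers:
        return list(events)
    return [e for e in events if e["customer"] == user.customer]


def daily_average_eps(events: list[dict], customer: str) -> dict[str, float]:
    """Average EPS per UTC day for one customer: the 'Daily Average EPS' query."""
    per_day = Counter(
        datetime.fromtimestamp(e["ts"], tz=timezone.utc).strftime("%Y-%m-%d")
        for e in events if e["customer"] == customer
    )
    return {day: n / SECONDS_PER_DAY for day, n in sorted(per_day.items())}


# Constructed sample events; ts is epoch seconds (1589932800 = 2020-05-20 00:00 UTC).
RAW_EVENTS = [
    {"connector": "Con 1", "src_ip": "10.0.1.10",    "ts": 1589932900, "name": "login"},
    {"connector": "Con 2", "src_ip": "10.0.2.20",    "ts": 1589933000, "name": "dns query"},
    {"connector": "Con 1", "src_ip": "10.0.1.11",    "ts": 1589933100, "name": "login failure"},
    {"connector": "Con 2", "src_ip": "10.0.3.5",     "ts": 1590019250, "name": "file write"},
    {"connector": "Con 3", "src_ip": "10.0.3.30",    "ts": 1589933200, "name": "login"},
    {"connector": "Con 3", "src_ip": "192.168.50.1", "ts": 1589933300, "name": "vpn connect"},
]
TAGGED = [tag_event(e) for e in RAW_EVENTS]

if __name__ == "__main__":
    analyst = User("alice", "Cyber_1", frozenset({"view", "run_reports"}))
    for e in visible_events(analyst, TAGGED):
        print(e["name"], e["zone"], storage_group_for(e))
    print(daily_average_eps(TAGGED, "Cyber_1"))
```

Two design points carry over to a real deployment: ownership is derived from the connector, not from the source address, because address blocks overlap between tenants while a connector belongs to exactly one; and the tenant filter is applied to the event's stored tag rather than recomputed at query time, so a later change to the connector mapping cannot silently re-home historical events.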