We believe that monitoring for threats and risks is harder than ever. To do it successfully, you need to see a lot of things, including which systems are on your network, new malware that hits and spreads, what happens in confidential databases, what users are doing, connections coming in from third parties, and so on. The info is not easy to process and so you have little visibility into what’s going on.
And the result of this challenging task is continued growth in cybercrime. Some of the splashier breaches we’ve read about recently all came about when management didn’t have visibility into threats on the network. Taken together, just these four resulted in hundreds of million of accounts breaches and hundreds of millions of dollars lost. And these are just small handful, just the tip of the iceberg. If Google, one of the very most technically sophisticated organizations on the planet, could get hacked, what is the impact to the thousands of other firms that aren’t as secure as Google? But the most interesting thing about these breaches is not just the impact, but also how they happened…
In fact, they all shared the same pattern, one that has become very common among modern threats. First, the hacker used malware to attack a specific company, to penetrate the outer defenses and hop from system to system. So, perimeter security didn’t really help. Next, they hopped around until they could find a machine with privileged account access to the systems and data they wanted. So, the impact took some time, this isn’t a smash-and-grab of whatever you can take quickly. Finally, once the breach started, it went on for a while, slowly siphoning off valuable information. The point is that early detection mattered in these cases; if you detected the breach early, you could prevent most of the loss.
The point of all this is that today’s cybercrime is very different from what we have seen before. The attacks are different; they are driven by smart humans guiding sophisticated technology against specific high value targets. This is not indiscriminate malware attack against anyone who downloads a bot through a greeting card. The defenses are different; AV signatures are not very effective. The attacks either change too quickly and so signatures can’t be generated, or else the attacks unfold too slowly and can’t be detected. And even if the signatures were working well, the rise of borderless networks means you have few choke points to apply signatures. And so the vulnerabilities are also different; systems that were formerly considered “internal” and protected are left unmonitored and exposed. And privileged users with privileged access to those systems are left unwatched and takeover of that access is undetected. To sum it up in three points, you face more risk then ever, what you used to do won’t work, and so you need a fundamentally different approach.
And this visibility is important because you can’t fight what you can’t see. And it’s harder to see what you need to defend against.
With ArcSight, you get instant detection of activities affecting everything on your network, new zero day outbreaks as they spread, your confidential databases, your key users, everything. You see the patterns and the connections and get the context you need to take action.
ArcSight is that fundamentally different solution. The ArcSight platform is the only solution for monitoring threats and risks in an environment of borderless networks, persistent threats, and enterprise risks. It enables you to capture data from any and every thing on your network, devices, applications, transactions, users, config changes, everything. You can manage and store all that data for years, supporting any reporting, audit, or investigation. As the data is generated, you can analyze it in real time to find threats quickly, since as we mentioned, threats take time to have impact. You can use pattern detection and historical trending to monitor unusual behavior of people or applications. And if a problem is detected, the platform supports automatic response to shut down the threat, important because we discussed, early detection matters in modern cybercrime. So this platform gives you a level of visibility and understanding of modern enterprise threats and risks that you can’t get anywhere else.
And we do that better than anyone in three ways. First, universal data collection. We enable you to collect information from anything and everything, safely and securely. We maintain hundreds of prebuilt connectors off the shelf. You can keep it raw or parse it for better analysis, your choice. Most importantly, you can extend this collection to any new type of device whenever you need to, even without our involvement, using our toolkit. This means that the choices you make today for monitoring won’t limit your information strategy tomorrow.
Remember when I said earlier that to get the big picture, you have to collect from everything? I mean everything. Firewalls, routers, servers, desktops, app servers, and so on. There are two key points that set us apart in data collection. The first is that we make it happen faster and easier. We have 300 off the shelf connectors, and a connector toolkit that has been used to create over a thousand other custom connectors. This is important because what happens when you want to collect from a system that we’ve never seen before? Well, the biggest complaint we hear from prospects that have competitors’ products is that it takes 4-6 weeks to get a connector built, and it requires the vendor’s engineering team. For ArcSight, you can build it yourself with our toolkit, in as little as a day, with no involvement or cost from us. The second point is that our architecture future-proofs you. We collect from hundreds of sources and we normalize it all to a common and categorized format, which you then build your analysis and rules against. The key thing is that this insulates your analysis from your technology choices. If you want to swap out your Cisco and put in Juniper, your reports still work. So, we lessen your dependency on the device vendors. This future-proofs your risk analysis. This is unique and very critical. You don’t get this level of insulation from other vendors. [next slide]
Next Enterprise wide log management to handle all that data that you collect. The platform supports management of raw and structured data for any type of usage in any department. You can store, search and report on years worth of data very quickly, and you can dramatically cut the cost of storing years of data using our leading compression and storage mechanisms. This allows you to deploy a single solution to manage al log data across your enterprise. This matters because the kinds of questions managers now want to ask require information that cuts across departments. For example, investigating a breach, you may find that a user visited a site, inadvertently downloaded malware, which then stole credentials, accessed a database, queried credit card records, phoned home and sent out the numbers. To see this, you need logs from your web team, IT, security, identity management, etc. You need universal log management.
Finally, cutting edge threat analysis via advanced correlation, packaged in a simple and automated form. We use modern techniques to detect modern cybercrime. These include our patented ThreatDetector engine, a pattern matching and anomaly detection system which can find very subtle and sophisticated threats including zero-day outbreaks and fraud. It includes correlating user roles and trends to determine who is violating policies and putting the business at risk. We are the only company that can correlate across WHO-WHAT-WHERE, that is, roles, logs and flows, to understand not only what’s happening but if it’s really a problem. And the best part is that the more info you collect and store, the smarter the system gets. The net result is that with ArcSight you can detect and therefore prevent not only the basic stuff, but especially the attacks that you can’t predict.
The competition just cannot stack up. In terms of collection, we give you a toolkit and you can build your own connectors if you want. Competitors require their R&D to get involved, and we are hearing quotes of 4-6 weeks per connector of R&D time from competitors. This means that the other vendor controls your ability to roll out new monitoring. In terms of consolidation, others are either too expensive, charging you over $3 million to collect 100,000 eps, or else the others can’t scale up and therefore you have limited data retained. Which means your investigations will fail. And finally, in terms of correlation, we parse out 200+ fields in the log data we collect. That means you can execute rules against any and all of those fields. Others parse out maybe a dozen fields, which means you can only write basic rules. Which means basic threat detection only. But as we’ve already seen, the basic stuff isn’t the problem anymore. So with others, you are at huge risk of breach and loss. This is why ArcSight leads the market in every measure you can think of.
And while we deliver this as an integrated platform, we also package the pieces into different products that you can buy separately and lock together as needed.
For data capture and correlation, there is ArcSight ESM. For capture and log management/search, there is ArcSight Logger. For all of it packaged into an all in one option, there is ArcSight Express. You can extend these with IdentityView for privileged user and process monitoring or FraudView for online financial fraud monitoring. You can also extend these with out auditors apps for regulatory controls such as SOX, HIPAA, PCI, etc. We have applications to monitor ERP apps such as SAP. And across all of this, you can add automatic response when threats are detected, via ArcSight TRM. Buy seprately or together as a platform.
And that platform connects to the other key initiatives you have completed or are thinking about, such as DLP, cloud, virtualization, storage management, and so forth. ArcSight extends each of these, connecting them to better understand the risk in any of these areas at any time. So, we have talked about using ArcSight to better monitor security, to find threat and risk on the security side. But there is another benefit to this platform. We find that customers use it not only to protect the business, but also to improve the business…
For example, a utility applied the ArcSight platform to automate SOX reporting. It saved over $4.5 million in three years but cutting thousands of contractor hours. The system improved audit reporting and paid for itself in a month. Or a credit union applied the ArcSight platform as compensating controls that enabled it to push off an $8 million application rewrite to address shared account controls. The system paid for itself in a few weeks. Or a regional bank that applied the ArcSight platform to detect wire fraud in its online banking systems. It detected a million dollars in the first week and the system paid for itself by Wednesday. So this is how you can use the platform to protect your business against modern threats, but also to improve your business’ ability to operate in a modern environment.
And we see this in practice today. For a large retail broker, it looks like monitoring transactions and traders to prevent fraud. They track millions of stock trades per day and use correlation to sift out fraud. For a large intelligence agency, it looks like tracking employees to prevent data theft. Here they correlate actions and data access to determine if confidential data is slipping out. [next slide]
And other customers are doing traditional network security. For example, at FAA they monitor their networks to catch intrusions. They use ArcSight to find problems early and get incident response down from 8 hours to 8 minutes. More recently, they now operate a managed service to monitor the Dept of energy, dept of transportation, and the dept of education. The Dept of Ed moves more money, via student loans, than Fort Knox, so this is a big solution. At a national electronics chain, it looks like PCI and SOX controls. ArcSight is used to monitor access to customer credit card data and monitor privileged users. For example, the DBA might have access to the customer database, let’s make sure he’s not looking at credit card numbers while he’s there. So, monitoring networks and people on those networks is happening already, at leading companies today. They all bought ArcSight to help protect their businesses. [next slide]
And proof of these three abilities is our customer base. ArcSight is currently deployed at: Most of the F500 All of the US Intelligence community More than 20 government agencies More than 150 banks globally 25 US Federal agencies More than 25% of states in U.S.
So let me summarize. I hope I have shown that due to modern cybercrime, business faces more risk than ever, what used to work won’t work going forward, and something very different is required. ArcSight provides the only platform that can detect, manage and minimize modern threats. With Arcsight you get completed visibility into who’s affecting your business, your systems are safer and therefore have better uptime, and you have better compliance with less effort. I look forward to talking through the products in more detail and to show exactly how each product can meet your needs.
ArcSight is a ten year old leader in the security information management market We have grown rapidly and now have a global presence including offices worldwide. That has resulted in nearly 2000 customers, serviced both directly and via our 35 MSSP partners Our 2008 IPO, based on the strength of our business, combined with our ongoing profitability and cash generation allows us to continue to evolve the company and product set. Those products have won many awards, most recently winning the reader’s choice gold award for SIM in Information Security Magazine. On the analyst side, IDC has us as the market share leader for the third year in a row, with our business growing twice as fast as the SIM market. The InfoPro, a quantitative analysis firm, has us as the #1 in-use vendor for both log and event management. Finally, Gartner has us in the Leader quadrant of its magic quadrant for the sixth year in a row. [next slide]
And the Gartner point is especially relevant, in three ways: First, we are the only vendor to be in the leader quadrant for the entire time the MQ has been produced Second, we are surrounded by much larger competitors, EMC, IBM, Cisco, etc. We are able to win there because of the strength of our solutions. Third, we are the most visionary vendor on the quadrant. The main component of “vision” is the ability to listen to customers and give them what they need. This is important because our customers’ business continues to change… [next slide]
This is the “Transition” slide design. Use this slide to clearly break up sections of your presentation. Title is Arial Bold in 23 pt., initial cap and flushed right.
Road Show - Arcsight ETRM
ArcSight Plataforma de Gerenciamento de Riscos e Ameaças - ETRM Luiz Zanardo CISSP, CISA, CFE Senior Sales Engineer, América Latina e Caribe
ArcSight é a única solução <ul><li>Plataforma ArcSight ETRM </li></ul><ul><li>Uma plataforma para monitoração de riscos e ameaças modernas </li></ul><ul><li>Captura qualquer tipo de dados de qualquer sistema </li></ul><ul><li>Gerencia e retem todos os eventos </li></ul><ul><li>Analisa os eventos em tempo real </li></ul><ul><li>Identifica comportamentos anômalos </li></ul><ul><li>Responde rapidamente para prevenir perdas </li></ul>