Arcsight Info

The document discusses the HP ArcSight Security Intelligence platform and its components. It provides an overview of the key ArcSight products, including ArcSight ESM, ArcSight IdentityView, ArcSight Logger, ArcSight Express, ArcSight Connectors, and ArcSight Compliance. It also discusses the installation process and requirements for ArcSight CORR 6.0, the latest version which uses a proprietary data storage and retrieval framework called CORR instead of an Oracle database. Migrations from earlier ArcSight versions to CORR 6.0 are also addressed.

Uploaded by Zoumana Diomande

ArcSight

The HP ArcSight Security Intelligence platform helps safeguard your business by giving you complete visibility into activity across the IT infrastructure, including external threats such as malware and hackers, internal threats such as data breaches and fraud, risks from application flaws and configuration changes, and compliance pressures from failed audits. This industry-leading security information and event management (SIEM) solution enables you to collect, analyze, and assess IT security, enterprise security and non-security events for rapid identification, prioritization and response.

ArcSight Key Features

- Automate pattern analysis, protect application transactions and secure information
- Integrate correlation and log management, automate operations and search terabytes of data in seconds
- Store and manage all your log data, automate compliance reporting and gain business intelligence
- Solve the Big Data security problem with Big Security intelligence for the increasing volume, velocity and variety of data

ArcSight ESM
Powerful enterprise security management software for analyzing and correlating every event that occurs across your organization

- Automate pattern analysis
- Protect critical application transactions
- Secure sensitive data

ArcSight IdentityView
An application built on HP's SIEM platform for monitoring user activity across accounts, applications and systems

- Monitor privileged users
- Attribute shared account usage
- Detect activity by terminated users

ArcSight Logger
Universal log management solution for collecting machine data from any log-generating source that unifies searching, storing, and analysis

- Store and manage all enterprise log data
- Automate compliance reporting
- Gain business intelligence from logs

ArcSight Express
A security management software solution for collecting log activity, consolidating information for storage efficiency and correlating events

- Deploy all-in-one correlation and log management
- Automate security operations
- Search terabytes of log data in seconds
ArcSight Connectors
Out-of-the-box connectors to collect, consolidate and normalize data to unify searching, reporting and analysis

- Collect data from 275+ pre-built connectors
- Create new connectors with a simple toolkit
- Retain consistent monitoring

ArcSight Compliance
ArcSight Compliance Insight Packages help customers get moving quickly with regulatory compliance projects or automate manual oversight processes.

- Build regulation-specific dashboards
- Create auditor-friendly reports
- Automate continuous monitoring

ArcSight Pricing:

The pricing below is the list price and should only be used for budgetary purposes. Since there are over 500 items within the ArcSight portfolio, we'll provide the starting price for some of the main products. For an accurate configuration and pricing, please contact our technology architects at 866-534-1640.

ArcSight ESM Appliance: E7400-2 Server
HP ArcSight E7400-2 Server ArcSight ESM Appliance - 2 Core ESM Manager license with Oracle embedded

- Part #: TG229AA
- List Price: $85,000
- 24x7 Support: $19,550

ArcSight Express Appliance: AE-7405 Server
HP ArcSight AE-7405 Server ArcSight Express - 500 peak EPS / 50k Flows/min, up to 750 Devices. Incl. Log Mgt, 1 console, and View for Express for up to 50 Users.

- Part #: TG322AA
- List Price: $45,000
- 24x7 Support: $10,350

ArcSight Logger Appliance: L3400 Server
HP ArcSight L3400 Server ArcSight Logger - Up to 2k raw EPS, 200 local connector EPS, connector management, and 200 Devices

- Part #: TG238AA
- List Price: $20,000
- 24x7 Support: $4,600

ArcSight Threat Response Manager Appliance
HP ArcSight TRM-100 HA Server - High Availability for TRM Device License + Appliance(s)

- Part #: TG346AA
- List Price: $25,000
- 24x7 Support: $5,750

ArcSight Enterprise View
HP ArcSight EV Add 10k Asset NP SW E-LTU - HP ArcSight EnterpriseView Additional 10k Assets Non Production Software E-LTU

- Part #: TD843AAE
- List Price: $75,000
- 24x7 Support: $16,832

ArcSight CORR 6.0 – Install and Migration

Posted on November 29, 2012 by marirs

ArcSight (now HP) Enterprise Security Manager (ESM) is the premier security event manager. It analyzes and correlates every event in order to support the security team or analysts in every aspect of security event monitoring, from compliance and risk management to security intelligence and operations. Several versions of ArcSight ESM have been released over time. The latest version is ArcSight CORR 6.0. At InfoSecNirvana.com we have got a copy of the latest version and we will be writing a multi-part post on how to install it, migrate from older versions to 6.0, and do a basic walkthrough.
In this Part 1 post, we shall cover the installation of ArcSight CORR (Correlation Optimized Retention and Retrieval), a proprietary data storage and retrieval framework that receives and processes events at high rates and performs high-speed searches; it is the latest ArcSight ESM by HP. With ArcSight CORR, the Oracle database is eliminated.
CORR components:
- ArcSight Manager
- CORR Engine
- ArcSight Console
- ArcSight Web
- Management Console
- Smart Connectors
Requirements:
System: This depends entirely on the EPS you expect to receive. InfoSecNirvana has been working on a PoC for this, and the configuration below was used:
A VMware box with 8 cores, 32GB RAM, 256GB SSD HDD, 2TB WD 7200 RPM SATA HDD (Note: for production, a higher configuration may be required or recommended; check the ArcSight manuals.)
OS: Red Hat Enterprise Linux Server release 6.2 x64, installed with the xfsprogs-3.1.1-6.el6.x86_64 rpm; this is required to convert some of the ext4 file systems to XFS. XFS is the most appropriate format for fully utilizing the performance enhancements that come with CORR. Typically, I would recommend formatting /opt/ with XFS and allocating the maximum storage to this partition. This is crucial because the very first step of the installation verifies whether the entire /opt/ directory is on XFS. When using VMware with LVM, we faced some issues during the installation and ArcSight Support could not help us with this. However, when raw devices were mounted as /opt/ we did not face any issues.
Storage: Allocate the required storage (calculate it from the number of devices, events per second, average event size and retention period). Remember, CORR is like an ESM with a built-in Logger. You can still use a Logger for long-term retention if that is what you prefer, so that ESM stays lean and mean.
Permissions: The installation has to be done using a non-root account. This can be a service account named "arcsight". This account must have RWX permissions on the /opt/ directory. Make sure this is satisfied.
Misc: The /tmp/ partition should have at least 3GB of free space, and /home/arcsight should have a minimum of 5GB free. This is crucial again because the INSTALL DIR log files are written to these locations, and if sufficient space is not allocated the installation fails.
The CORR package: Get the CORR installation package and the license from HP ArcSight. These can be obtained from your HP/ArcSight sales representative.
CORR Installation:
The installation is pretty straightforward and is just a series of clicks. I have given most of the screenshots below just as a reference. Obviously, if you have already installed ArcSight software, you would not even need this. Once done, you will be able to install the Console to access CORR and play around.
Once the installation is completed, we want to test the following before we call the install complete:

1. Validate the log files in the Manager install logs and find out if there are any warnings and errors. Generally, this is a best practice to ensure a valid installation.
2. Install the Console and try to connect to ESM with the default user name and password (mentioned in the install guide). The first time you connect, a certificate import of the Manager happens. If you use a self-signed certificate, make sure you note down the parameters used to create it, because this will help in future migrations, troubleshooting or recovery.
3. After connecting to the console, you are ready to go.
Migrations from Existing Installs – Migrating from earlier versions to this CORR instance is tricky, because you are migrating from a DB back end to a non-DB back end. I will be posting a follow-up to this post in Part 2 that will detail the migration procedure from 4.X to 5.X.
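The requirements listed above (XFS on /opt/, a non-root install account with RWX on /opt/, 3GB free on /tmp/, 5GB free in /home/arcsight, xfsprogs present) and the post-install check in step 1 (scan the Manager install logs for warnings and errors) are easy to get wrong by hand, and the post notes that the installer fails outright when they are not met. The following POSIX shell script is an added example written for this post, not ArcSight's own tooling. It assumes the default paths /opt, /tmp and /home/arcsight (all overridable from the environment), treats the install-log location as a placeholder to be filled from your install guide, and relies on GNU df -T and rpm as shipped with RHEL 6 for the system probes. The pass/fail rules themselves take plain values, so they can be exercised offline, and the constructed sample log inside demo_log_check is made up for this example.

```shell
#!/bin/sh
# Pre-flight and post-install checks for a CORR 6.0 install.
# Added example for this post, not ArcSight's own tooling. Thresholds follow
# the requirements above: /opt on XFS, a non-root install account (default
# "arcsight") with rwx on /opt, >= 3 GB free on /tmp, >= 5 GB free in
# /home/arcsight, and xfsprogs present. All paths are assumptions and can be
# overridden through the environment.

OPT_DIR=${OPT_DIR:-/opt}
TMP_DIR=${TMP_DIR:-/tmp}
INSTALL_USER=${INSTALL_USER:-arcsight}
INSTALL_HOME=${INSTALL_HOME:-/home/$INSTALL_USER}
# Placeholder: point this at the Manager install log named in your install guide.
INSTALL_LOG=${INSTALL_LOG:-/path/to/manager/install.log}

# --- pure checks (take values, return 0 = pass) so they can be tested offline ---

# fs_is_xfs TYPE: pass when the filesystem type string is exactly "xfs"
fs_is_xfs() { [ "$1" = "xfs" ]; }

# has_min_mb FREE_MB NEED_MB: pass when FREE_MB is at least NEED_MB
has_min_mb() { [ "$1" -ge "$2" ]; }

# is_non_root UID: pass when the numeric uid is not 0
is_non_root() { [ "$1" -ne 0 ]; }

# dir_rwx DIR: pass when the current user can read, write and traverse DIR
dir_rwx() { [ -r "$1" ] && [ -w "$1" ] && [ -x "$1" ]; }

# count_log_problems FILE: print the number of WARN/ERROR/FATAL lines in FILE
count_log_problems() { grep -c -E '(WARN|ERROR|FATAL)' "$1" || true; }

# --- system probes (GNU coreutils / rpm as shipped with RHEL 6) ---

# fs_type DIR: filesystem type of the mount holding DIR ("unknown" if df fails)
fs_type() {
    df -PT "$1" 2>/dev/null | awk 'NR == 2 { print $2; found = 1 } END { if (!found) print "unknown" }'
}

# free_mb DIR: free space in MB on the mount holding DIR (0 if df fails)
free_mb() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { printf "%d\n", $4 / 1024; found = 1 } END { if (!found) print 0 }'
}

# has_xfsprogs: pass when the xfsprogs package (or at least mkfs.xfs) is present
has_xfsprogs() { rpm -q xfsprogs >/dev/null 2>&1 || command -v mkfs.xfs >/dev/null 2>&1; }

# check LABEL CMD [ARGS...]: run CMD, print PASS/FAIL and count the failures
check() {
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fails=$((fails + 1)); fi
}

# run_preflight: evaluate every requirement; returns the number of failures
run_preflight() {
    fails=0
    check "$OPT_DIR is on an XFS filesystem"      fs_is_xfs "$(fs_type "$OPT_DIR")"
    check "running as a non-root account"          is_non_root "$(id -u)"
    check "install account has rwx on $OPT_DIR"    dir_rwx "$OPT_DIR"
    check "$TMP_DIR has at least 3 GB free"        has_min_mb "$(free_mb "$TMP_DIR")" 3072
    check "$INSTALL_HOME has at least 5 GB free"   has_min_mb "$(free_mb "$INSTALL_HOME")" 5120
    check "xfsprogs is installed"                  has_xfsprogs
    return "$fails"
}

# run_postinstall: step 1 above; refuse to call the install complete while the
# Manager install log still carries WARN/ERROR/FATAL lines (each one is listed)
run_postinstall() {
    if [ ! -r "$INSTALL_LOG" ]; then
        echo "FAIL  install log $INSTALL_LOG is not readable"; return 1
    fi
    n=$(count_log_problems "$INSTALL_LOG")
    echo "$n WARN/ERROR/FATAL line(s) in $INSTALL_LOG"
    grep -n -E '(WARN|ERROR|FATAL)' "$INSTALL_LOG" || true
    [ "$n" -eq 0 ]
}

# demo_log_check: run count_log_problems over a small constructed install log
# (sample lines made up for this example) and print the resulting count
demo_log_check() {
    f=$(mktemp)
    printf '%s\n' \
        '2012-11-29 10:00:01 [INFO]  Starting Manager installation' \
        '2012-11-29 10:00:02 [WARN]  /opt is not an XFS filesystem' \
        '2012-11-29 10:00:03 [ERROR] Insufficient free space in /tmp' \
        '2012-11-29 10:00:04 [INFO]  Installation finished' > "$f"
    count_log_problems "$f"
    rm -f "$f"
}

case "${1:-}" in
    preflight)   run_preflight ;;
    postinstall) run_postinstall ;;
    demo)        demo_log_check ;;
    *)           echo "usage: $0 preflight|postinstall|demo" ;;
esac
```

Run it as the intended install account before launching the installer (`sh corr_check.sh preflight`), since the account and its permissions on /opt are part of what is being verified; the exit status is the number of failed requirements. After the installer finishes, `INSTALL_LOG=... sh corr_check.sh postinstall` lists the warning and error lines so each can be reviewed before the install is signed off.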

Stay Tuned to InfoSecNirvana.com for more!!!
