#MicroFocusCyberSummit
Data Simplicity: ArcSight Data Platform enhances enterprise data via the Common Event Format
Peter Titov – Micro Focus
Agenda
- Usage: What do we ask of our data?
- Ingestion: How do we get our data where it needs to go?
- Management: Where is the easiest place to manage data?
- Solutions: Why I can have my cake and eat it too.
ADP: Hold up! Wait a minute.
What is ADP, what is included with it, and what is CEF?
- SmartConnector: Ingest
- ArcMC: Manage
- Event Broker: Route
- Logger: Immutable storage
- CEF: Common Event Format
Normalized Data vs Raw Data: Usage
Normalized data:
- Ideal for real-time correlation
- Ideal for known requests
- Reports, dashboards, filters, lists, etc.
Raw data:
- Ideal for hunting expeditions of the unknown
- Compliance mandates
Normalized Data vs Raw Data: Ingestion
Normalization of Raw Data:
- Regardless of when the data is analyzed, normalization will occur in some fashion.
- Data will be formatted
- Data will be read
- Data will be interpreted
Approaches to Normalization:
- Pre-ingest (Formatting): parsing upstream, as close to the log source as possible; the weight of normalization is on the SmartConnector.
- Post-ingest (Modeling): parsing downstream, as close to the log destination as possible; the weight of normalization is on the indexer.
Normalized Data vs Raw Data: Management
- Transport
- Encrypt or obfuscate
- Enrich
- Aggregate
- Secure
- Under budget
Normalized Data vs Raw Data: Challenges
- Events are lumped together
- ArcSight fields are not indexed and/or are inaccurately captured
- Aggregated ArcSight data compounds this problem
- Indexing terabytes of data is exceptionally costly
Normalized Data vs Raw Data: Platform Solutions
- Elastic: ArcSight X-Pack
- Splunk: ArcSight Integrator
- Sumo: CEF Syslog parsing
- HDFS: Data Lake vs Data Warehouse
Platform Solutions: Elastic & ArcSight X-Pack
- Fully normalized data aligned to CEF via Logstash
- Aggregate data for faster searching
- Machine learning & analytics
- Awesome visualizations via Kibana
- Additional data routing and ETL capabilities
- Best part: it's bundled with Elastic when installed!
ADP & Elastic: Implementation
- Download and install Elastic: https://www.elastic.co/downloads
- Point ArcSight Connectors or Event Broker/Kafka to Logstash: https://www.elastic.co/guide/en/logstash/current/arcsight-module.html
- Helpful guide for beginning your journey: https://community.softwaregrp.com/t5/ArcSight-User-Discussions/Elasticsearch-Installation-and-ArcSight-Module-Configuration/m-p/1616812
Platform Solutions: Splunk & ArcSight Integrator
- Fully normalized data aligned to CEF
- Aggregating data to drastically reduce Splunk licensing
- Splunk & ArcSight syntax similarities: share content quickly and easily between platforms
- Increase efficiency of Splunk performance
- Simply add the ArcSight Integrator and point CEF Syslog at it, or consume the CEF Kafka topic.
ADP & Splunk: Powerful Together
- The Splunk Processing Language & ArcSight Interactive Search share many similarities
- A unified schema enables the cross-pollination of query syntax, e.g.:
    ArcSight: sourceAddress = "10.0.0.1" | top destinationAddress
    Splunk:   index="arcsight" AND sourceAddress="10.0.0.1" | top destinationAddress
ADP & Splunk: Aggregation Testimonial
- Reduce license utilization by 83% for one feed (from 9,000 to 1,500)
- $1.35 million in savings from this one example*
*Based upon ESM License pricing
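The three ideas the deck keeps returning to (normalizing raw text into CEF fields, running the same `sourceAddress ... | top destinationAddress` query over that unified schema, and aggregating identical events at the connector to cut downstream volume) can be shown end to end in a few dozen lines. The block below is an added example for this write-up, not code from the presentation, Micro Focus, or any ArcSight product. It assumes the standard CEF header layout (`CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension`) and the usual CEF-to-ArcSight key mappings (`src` to `sourceAddress`, `dst` to `destinationAddress`, and so on); the sample events are constructed, and the `baseEventCount` name for the aggregated count is taken from ArcSight's convention.

```python
import re
from collections import Counter

# CEF header fields, in order; the eighth pipe-delimited part is the key=value extension.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Short CEF extension keys mapped to the ArcSight field names used in searches.
# (Assumed standard mapping; unknown keys are kept under their CEF name.)
CEF_TO_ARCSIGHT = {
    "src": "sourceAddress", "dst": "destinationAddress",
    "spt": "sourcePort", "dpt": "destinationPort",
    "proto": "transportProtocol", "suser": "sourceUserName",
    "act": "deviceAction", "msg": "message", "cnt": "baseEventCount",
}

# Constructed sample feed (syslog prefix + CEF record). The last line exercises
# the escaping rules: "\|" inside a header field and "\=" inside an extension value.
SAMPLE_EVENTS = [
    r"Jan 11 10:00:01 fw01 CEF:0|Example|Firewall|1.0|100|Connection allowed|3|src=10.0.0.1 dst=192.0.2.10 dpt=443 proto=TCP",
    r"Jan 11 10:00:02 fw01 CEF:0|Example|Firewall|1.0|100|Connection allowed|3|src=10.0.0.1 dst=192.0.2.10 dpt=443 proto=TCP",
    r"Jan 11 10:00:03 fw01 CEF:0|Example|Firewall|1.0|100|Connection allowed|3|src=10.0.0.1 dst=192.0.2.10 dpt=443 proto=TCP",
    r"Jan 11 10:00:04 fw01 CEF:0|Example|Firewall|1.0|100|Connection allowed|3|src=10.0.0.1 dst=192.0.2.20 dpt=80 proto=TCP",
    r"Jan 11 10:00:05 fw01 CEF:0|Example|Firewall|1.0|100|Connection allowed|3|src=10.0.0.2 dst=192.0.2.10 dpt=443 proto=TCP",
    r"Jan 11 10:00:06 ids01 CEF:0|Example|IDS|2.0|5001|Suspicious \| pattern|7|src=10.0.0.2 dst=192.0.2.30 dpt=22 msg=rule\=test match",
]


def _unescape(text):
    """Undo CEF escaping: \\| \\= \\\\ become the literal character; \\n and \\r become newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def parse_cef(line):
    """Normalize one raw line into a dict of ArcSight-style fields. Raises ValueError if malformed."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    # Split on unescaped pipes only; at most 7 splits so the extension keeps its own pipes.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    # Extension: key=value pairs separated by whitespace; a value runs until the next " key=".
    for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7]):
        key, value = m.group(1), _unescape(m.group(2))
        event[CEF_TO_ARCSIGHT.get(key, key)] = value
    return event


def parse_all(lines):
    """Parse a feed, skipping lines that are not valid CEF (a connector would log these)."""
    events = []
    for line in lines:
        try:
            events.append(parse_cef(line))
        except ValueError:
            continue
    return events


def top(events, field, **where):
    """Equivalent of: <where conditions> | top <field>. Returns [(value, count), ...] by frequency."""
    matching = (e for e in events if all(e.get(k) == v for k, v in where.items()))
    return Counter(e[field] for e in matching if field in e).most_common()


def aggregate(events, keys=("sourceAddress", "destinationAddress", "destinationPort", "name")):
    """Connector-style aggregation: collapse events identical on `keys` into one event with a count."""
    buckets = {}
    for e in events:
        key = tuple(e.get(k) for k in keys)
        if key not in buckets:
            buckets[key] = dict(zip(keys, key), baseEventCount=0)
        buckets[key]["baseEventCount"] += 1
    return list(buckets.values())


if __name__ == "__main__":
    events = parse_all(SAMPLE_EVENTS)
    print("sourceAddress=10.0.0.1 | top destinationAddress ->",
          top(events, "destinationAddress", sourceAddress="10.0.0.1"))
    agg = aggregate(events)
    print(f"{len(events)} raw events aggregated into {len(agg)} events")
```

On the constructed feed the `top` query returns `192.0.2.10` three times and `192.0.2.20` once, and aggregation collapses six raw events into four, which is the mechanism behind the licence reduction described on the slide: the indexer receives the aggregated event with its count rather than every duplicate.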
ADP & Splunk: Implementation
- Add the ArcSight Technology Add-on (TA) for your ingest method:
    - Splunk_TA_ArcSight_Integrator_for_SmartConnectors (CEF Syslog destinations): https://splunkbase.splunk.com/app/4133/
    - Splunk_TA_ArcSight_Integrator_for_EB_or_Kafka (Kafka topic of CEF data): https://splunkbase.splunk.com/app/4135/
    - https://splunkbase.splunk.com/app/4136/
- Optional: leverage the Splunk_SA_ArcSight_Integrator (Support Add-on) for CEF-based dashboards and queries
- Configure connectors to aggregate data per the included instructions
- Link to Protect724 for the Splunk Add-On
Platform Solutions: Sumo & CEF Syslog
- Fully normalized data aligned to CEF
- Aggregating data to reduce Sumo licensing
- Increase efficiency of Sumo performance
Platform Solutions: HDFS Data Warehouse
- Data Lake
- Data Warehouse
Final Thoughts
At the end of the day, we are all on the same team:
- When platforms collaborate, they become a force multiplier for their customers
- Everyone wins: users have faster searches AND managers have lower costs
- Big data means thinking big and looking at the big picture
Contact: Peter Titov
Peter.Titov@microfocus.com
Peter.Titov@gmail.com
(412)-720-7938
Thank You.