ArcSight

Consolidates And Reports Security Information From Multiple Networked Systems

ArcSight provides a centralized platform that can collect event data from multiple network end-points, such as firewalls, intrusion detection platforms, VPN gateways, OS logs, etc. Data such as alarms and alerts are automatically gathered and correlated into a centralized repository, and reporting and notification tools allow for the analysis and management of that data.

The ArcSight Platform consists of multiple modules that are sold separately depending on the needs of the customer.

Closest to the endpoint logs themselves are the optional ArcSight Connectors, which extract log data from multiple sources (the vendor's current two-page list of supported sources includes identity management, switches, anti-virus, anti-spam, individual applications, IDS, IPS, content filtering, mail servers, operating systems, and many more) and normalize it into a common format for use with downstream tools. Connectors are offered in software and appliance-based flavors, the latter in three formats (all 1U) supporting 400, 2,500, and 5,000 events per second, respectively.

ArcSight Logger is an appliance (four versions currently available) that collects information either directly from sources (in raw form) or in the normalized form as provided by the Connectors and stores up to 35 TB worth of data (SAN-based storage is also supported). ArcSight Logger provides forensic abilities, including reporting and alerting (through a personal portal, E-mail, or SNMP), and the ability to drill down from a report/alert into the source of the event itself.

ArcSight ESM is the centerpiece of the vendor's offerings. It provides a centralized real-time correlation engine for collected events, attempting to gauge the overall relevance of an event by placing it in context with other system events and parameters, such as asset priorities, user activity, history, etc. Results are presented via dashboards, notifications, or reporting. An optional component--the ArcSight Threat Response Manager--provides admins with a "guided response engine" with workflow and knowledge-based assistance for the remediation of identified threats. ESM is also available as software or as an appliance, and can be deployed standalone or in combination with Logger/Connectors.

Individual Compliance Automation modules are deployed atop the ArcSight platform and provide pre-defined rules, alerts, and reports focused on a specific regulatory entity, such as PCI DSS, SOX, HIPAA, NIST 800-53, etc.

Finally, the newest member of the ArcSight family is ArcSight IdentityView, which seeks to combine the features of identity management products with event management products and produce data that correlates the two data sets for forensic purposes. IdentityView provides the ability to correlate multiple user identities to a single identity key, and includes connectors to retrieve data from "leading" identity and access management systems, including those from Oracle and Microsoft. The net goal is to provide a view of who is on the network and what they are doing, with reporting capabilities including activity-based role modeling, activity reporting (any time period and across systems), watch list processing, and application usage tracking, to name a few possibilities. Additionally, IdentityView includes the vendor's "Pattern Discovery" baselining capabilities, which enable the product to examine historic trends and develop baseline profiles for user activities, with the ability to alert on current behaviors that deviate from the historical baseline.

ArcSight is available now. Visit the vendor's Web site for further information.

product submission by EITPlanet Staff

fact sheet
DPW id#: 1012321521
date posted: Jun. 30, 2008
category: Security:Security Administration Tools
platform: See Vendor
vendor: ArcSight, Inc
(www.arcsight.com)