
ArcSight, Inc. introduced the ArcSight Log Management Suite

November 2007 by Marc Jacob

Regulatory mandates and industry standards such as Sarbanes-Oxley (SOX) and the Payment Card Industry (PCI) standard are driving the need for cost-effective, comprehensive and audit-quality log collection, storage and analysis. These regulations also necessitate automated retention policies and intelligent analysis for reporting and alerting across all log data. Increasingly, organisations are using log management to enhance their security posture, assist in network and system management, and improve service-level agreements. ArcSight is equipped to address all of these use cases with the scale and breadth needed to adapt to evolving regulatory requirements as they extend to the application layer of the IT infrastructure.

Key Features of the ArcSight Log Management Suite:

· Ultra-high performance log collection, archival and analysis with a broad range of price/performance options to meet the needs of small and medium businesses up to the most sophisticated enterprise.

· Complete audit-quality controls enabled by a unique distributed collection / centralised storage architecture, which supports raw data collection from the broadest range of sources and end-to-end secure and reliable transport and storage.

· State-of-the-art analysis portal that enhances enterprise IT intelligence through rapid forensics searches, comprehensive reporting, personalised or role-based dashboards, and real-time alerting.

· Comprehensive, pre-packaged, authoritative content targeted at specific mandates such as PCI and SOX, which empowers organisations to meet compliance initiatives efficiently and minimise extraneous manual audit efforts.

The use of logs in compliance audits requires both complete log capture and strong audit-quality controls. Yet most commercial log management solutions lack support for the breadth of devices (especially at the application layer) required for compliance monitoring, which prevents complete collection. These solutions are also susceptible to data loss when connectivity to central sites is lost and no local buffer exists, when unreliable protocols are used for log transport, or when no integrity checks are performed. A few lost events can easily be the missing link in the evidentiary trail of a forensics investigation or an audit report, or can be the cause of a missed compliance violation alert that, if noticed, could have saved the company from a costly breach.

ArcSight enables audit-quality data through collection of all log data and a unique distributed collection / centralised storage architecture. First, universal event collection support, both raw and parsed, ensures that audit-quality requirements can be met without compromising the efficiency, efficacy or accuracy of user- and asset-based analysis. ArcSight also delivers true audit-quality data through a turnkey remote collection option which provides local buffers to protect against network connectivity loss, provides end-to-end secure, reliable and bandwidth-sensitive transport and storage, and enforces National Institute of Standards and Technology (NIST) SP 800-92-compliant integrity checks.
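As an added illustration (not ArcSight's code or any part of its product), the following Python sketch shows the two properties the paragraph above calls out: a local buffer that releases a record only once the central store acknowledges it, and a hash chain over records so that a verifier downstream can tell a missing or altered event from an intact sequence. The sample log lines, the record layout and the acknowledgement callback are constructed assumptions.

```python
import hashlib

# Constructed sample events (not real ArcSight data). A source-side
# forwarder chains them so a missing or altered record is detectable.
SAMPLE_EVENTS = [
    "Nov 12 10:01:02 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.9",
    "Nov 12 10:01:03 app01 payments: user=alice action=refund amount=120",
    "Nov 12 10:01:05 db01 audit: user=bob stmt='SELECT * FROM cards'",
]
GENESIS = "0" * 64  # hash that the first record in a chain links back to

def link(prev_hash: str, seq: int, raw: str) -> dict:
    """Wrap a raw log line in a record whose hash covers the previous hash,
    the sequence number and the raw text, forming a tamper-evident chain."""
    h = hashlib.sha256(f"{prev_hash}|{seq}|{raw}".encode()).hexdigest()
    return {"seq": seq, "raw": raw, "prev": prev_hash, "hash": h}

class BufferedForwarder:
    """Store-and-forward collector: records stay in the local buffer until
    the central store acknowledges them, so a link outage loses nothing."""
    def __init__(self):
        self.buffer = []          # unacknowledged records (on disk in practice)
        self.last_hash = GENESIS
        self.seq = 0

    def collect(self, raw: str) -> dict:
        self.seq += 1
        rec = link(self.last_hash, self.seq, raw)
        self.last_hash = rec["hash"]
        self.buffer.append(rec)
        return rec

    def flush(self, send) -> int:
        """Deliver buffered records in order; drop each only once acked.
        `send` is an assumed callback returning True on acknowledgement."""
        delivered = 0
        while self.buffer and send(self.buffer[0]):
            self.buffer.pop(0)
            delivered += 1
        return delivered

def verify_chain(records: list) -> tuple:
    """Recompute every link; returns (ok, seq of first bad record or None)."""
    prev, expected_seq = GENESIS, 1
    for rec in records:
        if rec["seq"] != expected_seq or rec["prev"] != prev:
            return False, rec["seq"]   # gap, duplicate or reordering
        if link(prev, rec["seq"], rec["raw"])["hash"] != rec["hash"]:
            return False, rec["seq"]   # record content altered
        prev, expected_seq = rec["hash"], expected_seq + 1
    return True, None
```

The verifier needs nothing secret, so it only proves that the sequence received matches what the collector emitted; protecting the collector host itself is a separate control.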

Compliance is fundamentally about asset and user context, that is, about the "who, what, when and where" of events, in order to demonstrate compliance with process and policy. Most log management solutions have limited support for the database and application logs that provide user context. Additionally, these solutions focus on raw data collection with limited parsing, which makes user-oriented analysis and monitoring extremely challenging and error-prone. As a result, only users familiar with source-specific log syntax can generate reports and navigate their way through log data.

The ArcSight Log Management Suite delivers a powerful combination of historical and real-time analysis options, ranging from personalised dashboards and comprehensive interactive reporting to high-speed searches and intelligent alerting. Users are presented with visually appealing, interactive and personalised dashboards that combine relevant and related reports into a single role-based view. From these aggregate dashboard views, users can drill into specific report elements to follow the audit workflow and investigate policy violations and anomalies. Interesting results in reports can be analysed further by navigating through terabytes of log data with a simple web-based search tool to conduct ad hoc audit investigations and root cause analysis. In turn, the search patterns can be converted into real-time alerts so that subsequent incidents and pattern matches lead to immediate notification as the incidents and violations occur.

A vast number of dashboards, reports, search filters and alerts are available out of the box to address common compliance, operational and security monitoring needs. In addition, solution packages mapped to specific regulations and mandates such as PCI are also available. This pre-defined content enables organisations to kick-start and automate compliance audits based on established best practices, while also saving on internal research and development costs. All pre-built solutions leverage a unique device-independent taxonomy that allows end users to navigate log data easily and intuitively without familiarity with source-specific log syntax. This device-independent taxonomy also protects against content explosion and the resulting need to build and analyse device-specific content.

The ArcSight solution can be deployed entirely as turnkey appliances. For added flexibility, enterprises can opt for appliance- or software-based collection infrastructure in remote locations where rack space is limited and additional computing cycles are available on local hosts. No database administration expertise or remote on-site client installation is required to deploy or manage the ArcSight solution. Configuration and management of remote collection infrastructure parameters can be performed en masse in batch mode to roll out or modify collection parameters or software updates.

Log management solutions are primarily focused on simplifying historical analysis against large log volumes, with some basic real-time alerting capabilities. However, many organisations have invested in, or plan to expand into, robust SIEM (Security Information and Event Management) capabilities to detect sophisticated threats or compliance violations and respond to them in a timely and optimal manner. Log management and SIEM solutions are in fact part of a continuum of value extraction from logs for reporting, real-time monitoring and remediation. As such, organisations should expect synergy across these investments, and the ArcSight platform is unique in delivering integrated log management and SIEM capabilities. The ArcSight Log Management Suite can also complement third-party SIEM solutions.

· ArcSight Connectors: Deliver the industry's broadest and deepest event collection support spanning the IT infrastructure, including custom sources, in-house applications and physical access points. Deployable as software or as Connector Appliances.

· ArcSight Logger: Delivers advanced, high-performance log collection, cost-effective archival and powerful personalised analysis.

· Compliance Insight Packages: Deliver pre-packaged reports, alerts and dashboards mapped to the needs of regulations or industry mandates and to audit best practices, to automate audit reporting requirements.
