Developers: ArcSight, Micro Focus
Last Release Date: 2014/12/02
Technology: Firewall, cybersecurity - Information loss prevention, cybersecurity - Security information and event management (SIEM)
About the Product
ArcSight ESM is a security information and event management (SIEM) solution. ArcSight ESM monitors all events across the enterprise and uses powerful analysis and correlation tools to identify business and technology threats. ESM is built on a flexible, scalable platform that supports moving information from one piece of hardware to another within the organization.
Contextual solution
ArcSight ESM provides a correlation infrastructure that makes it possible to determine the significance of each specific event by placing it in context, i.e. showing who caused the event and what, where, when and why it happened. This helps to reveal the impact of an event on business risk.
Broad spectrum of processing
The ESM data collection infrastructure provides enhanced capabilities for acquiring data from a broad set of sources: logs from more than 275 devices and event sources, including operating systems, network devices (routers, switches), network analyzers (network monitors and network analyzers, NAC, NBA), security systems (intrusion detection and prevention systems, firewalls, virtual private networks, vulnerability scanners), as well as audit logs of applications, databases, identity management solutions, Web servers and Internet applications.
Events from devices of the same family (for example, routers) are unified for consolidated monitoring and analysis.
Who and what
ESM makes it possible to learn precisely who is on the network, what data they are viewing and what actions they are taking. Messages generated in real time inform administrators of the most important events and also provide all the accompanying information needed for further analysis and elimination of the threat.
Reporting
ArcSight ESM provides a broad range of functions that give quick and convenient access to the necessary information. Configurable dashboards with detailed graphics provide a business and technical overview of the information needed by specific staff in the organization. The ESM console provides a unified overview of the company's current security level and gives information on detected attacks and business risks. The available network maps allow users to identify threats that fall within their area of responsibility. ArcSight ESM provides comprehensive technical, operational and trend reports that contain information on the current security level. These reports fully meet the requirements for preparing control reporting. The reporting system simplifies the preparation of business-level reporting through standard and user-defined templates for reports on compliance with regulators' requirements, reports on business risks and reports on user parameters.
Additions
In addition to the built-in reports, the system allows users to create their own reports and templates for generating additional reports and scheduled reports. The system provides a comprehensive overview of up-to-date correlated information, allowing interested parties to identify risk factors, assess the appropriateness and effectiveness of security measures, and find answers to key business questions. Periodic reports make it possible to trace the occurrence of events over a given period and to determine their impact on security. Thanks to the correlation technology, trend reports can also be used to analyze what-if scenarios, which help to predict the impact of a policy change on overall security and risks.
2017
Disclosure of the source code to Russia
At the beginning of October 2017 it became known that Hewlett Packard Enterprise (HPE) had allowed the Russian Ministry of Defence to examine the Pentagon's cyber defense system, which uses the company's software. The White House called this a risk to security, intellectual property and the Internet.
The software in question is HPE ArcSight. Although the source code of this software is carefully protected, Moscow got access to it during certification of the system for sale to the Russian public sector.
ArcSight developers and employees of U.S. intelligence agencies told Reuters that, having studied the code, the Russian side could detect vulnerabilities in the software. Such vulnerabilities could in turn help hackers hide a cyber attack from the U.S. military.
According to CNBC, citing Rob Joyce, the cybersecurity coordinator of the U.S. presidential administration, allowing other countries to view the source code of software that is strictly protected by internal security services, as a condition for selling the product in their market, is a protectionist measure of certain regimes that threatens "the free and open Internet" and can interfere with the development of security and privacy features in a product.
"There are some security aspects to such data disclosures, and they are problematic … If you give the source code to China, thereby satisfying a condition for bringing a product to that market, you should think about whether competitors will then begin to implement these functions. We have seen a number of such examples in the past, and it really troubles us," Joyce said at an event organized by HPE.
Despite the potential risks for the Pentagon, Reuters notes, none of the agency's sources pointed to any leaks or cases of cyber espionage following the Russian Defense Ministry's analysis of the U.S. department's cyber defense system.[1]
Entry into the register of Russian software
On August 24, 2017 it became known that a "Russian" version of HP ArcSight had been entered into the register of Russian software, so state bodies will be able to buy the product. According to RBC, the Hewlett-Packard Enterprise (HPE) company informed its clients and partners in Russia of this.
The HPE letter, which the publication reviewed, refers to the Ankey SIEM program, which was entered in the register on July 23, 2017. According to the accompanying documentation, the Ankey SIEM system was developed by Gazinformservice, a company that mainly carries out orders for Gazprom.
The Gazinformservice website says that Ankey SIEM is used for detecting attacks and cyber incidents and for analyzing and managing information security events in IT infrastructure. It makes no mention of the product being based on HP ArcSight.
Earlier, Artem Medvedev, the sales director of HPE Security Russia, mentioned to the CRN publication "the localized OEM-production Ankey SIEM based on HPE Arcsight technologies".
As Gazinformservice representative Anastasia Tunyk told RBC, the company is the developer of the Ankey SIEM product, which fully complies with the requirements for inclusion in the register of domestic software. She also said that payments to HPE from sales of Ankey SIEM do not exceed 30%.
According to Evgenia Vasilenko, chief executive of the Domestic Software association and a member of the expert council on Russian software (which considers applications for inclusion in the register of the Ministry of Telecom and Mass Communications), if a foreign company, which HPE is, announces the inclusion of a "Russian" version of its product in the register, that is a reason for a repeated check of this software.
After the RBC publication, a representative of the Ministry of Telecom and Mass Communications said that the ministry had requested additional explanations from Gazinformservice.[2]
2016: ArcSight ESM completes FSTEC certification
On August 19, 2016 the IT Guard company announced the FSTEC certification of the ArcSight ESM platform from Hewlett Packard Enterprise (HPE).
The certificate confirms that the ArcSight ESM software complies with the requirements of the regulatory document "Protection against unauthorized access to information. Part 1. Information security software. Classification by the level of control of the absence of undeclared capabilities" (State Technical Commission of Russia, 1999) at the 4th level of control, and with technical specifications AGRD.509001-03, subject to the restrictions on use specified in the form AGRD.509001-03 FO[3].
The certificate was issued on the basis of the results of certification tests carried out by the testing laboratory of the Eshelon scientific and production association (the certificate of accreditation of 6/3/2009 No. of information security facility RU.2321.B011.033), with its technical conclusion of 6/23/2016, and the expert opinion of 7/4/2016 of the certification body, the FAU State Research Test Institute of Problems of Technical Information Protection of FSTEC of Russia (the certificate of accreditation of 5/5/2016 No. of information security facility RU.0001.01BI00.A002).
2014
HP ArcSight ESM 6.8c
On December 2, 2014 HP presented the new version of HP ArcSight ESM.
This version includes several innovations that improve the performance of the solution. HP Application Defender, the industry's first application self-protection tool offered as a SaaS service, uses the capabilities of HP Haven to effectively protect production applications against attacks.
ArcSight ESM 6.8c includes the following key HP updates:
- In-depth analysis that allows analysts to detect and investigate threats more quickly and effectively
- Increased storage capacity that allows up to 600 TB of online security data to be analyzed in a cluster
- An improved sweep rate, 1000 times higher than in the previous version
- Big Data analysis tools of the HP Haven platform that improve correlation and real-time threat detection
ArcSight ESM 5.2
The IT Guard company, which specializes in the distribution of information security solutions, announced in the summer of 2014 that the HP ArcSight ESM solution had successfully passed certification by FSTEC of Russia.
The certification confirmed that HP ArcSight ESM (version 5.2), the Hewlett-Packard system for monitoring and correlating information security events, is a tool for collecting and analyzing security events that implements functions for monitoring (viewing, analysis) the results of security event logging and responding to them, identification and authentication of users, and control of user access to information resources, and that it conforms to the requirements of technical specifications AGRD.509000-02.
The certificate was issued on the basis of the results of certification tests carried out by NPO Eshelon (accredited as a testing laboratory by the Russian Defense Ministry, FSB of Russia and FSTEC of Russia) at the request of IT Guard.
2013
ArcSight ESM 6.5
On December 16, 2013 the Hewlett-Packard company announced the release of a new version, ArcSight ESM 6.5.
The new version of SIEM with the built-in context search is 30 times faster with CORRe.
Search in ESM as in Logger
- Fast investigation
- Text search as in Logger
The new version of SIEM with the built-in context search is 30 times faster with CORRe
- Effective storage of logs
- Integration with open source
- Fifth generation of CORRe, 30 times faster
- The simplified web console
- Search, reporting, administration and risk assessment from one console
- Centralized management of settings and rules
- Import and export of content
- AppView content for application monitoring