Architecture and sizing – Security Presales (source: microfocus.fundorfina.pl/wp-content/uploads/2019/...)
![Page 1: Architecture and sizing Security Presalesmicrofocus.fundorfina.pl/wp-content/uploads/2019/... · Big Data Lake & Beyond (Hadoop, 3rd party Data Lakes, etc ... •Managing different](https://reader035.vdocuments.mx/reader035/viewer/2022062505/5ec5d0094a29781b3c1abf3e/html5/thumbnails/1.jpg)
1
ArcSight Architecture and Sizing
Cfir Homeri, Security Presales

Strongest selling points
(ADP) Connectors – Flex, out of the box, separate domains, Voltage integration.
(ADP) Event Broker – Kafka, redundancy, third party, order (spaghetti data center), one focal point.
(ADP) ArcMC – Central management, device monitoring, deployment view, rules for health monitoring.
ESM – The best correlation engine, experience, HA and DR, on premise or cloud, license.
Logger – Long term, performance, distribution, part of the ADP lower price.
Investigate – Vertica, integration, simple to use, user experience, road map.
2
How To Start?
3
How To Start?
• Top risk
• Business
• Who is working at the SOC
• Network topology
• How many employees
• Main services
• Cloud or on premise
• Security solution you have
Micro Focus ArcSight Sizing Discovery.xlsx
The New ArcSight Architecture
User | Cloud | App | Servers & Workloads | Network | Endpoints | IoT | Physical
ARCSIGHT ENTERPRISE SECURITY MANAGER – 24x7 Real-time Monitoring & Correlation
UEBA – User Entity Behavior Analytics
ARCSIGHT LOGGER – Compliance | Search | Retention
ARCSIGHT INVESTIGATE – Hunt | Investigation
SECURITY OPEN DATA PLATFORM
MANAGEMENT CENTER – Suite Management & Administration
TRANSFORMATION HUB – Information delivery
SMART/FLEX CONNECTORS – Data Collection, Enrichment, and Normalization
CONTENT – Unified | Actionable | Insight
WEB CONSOLE – Accessible Monitoring & Platform Management
ArcSight – in a Nutshell
Integrated, single solution working towards the same goal: Intelligent Security Operations!
• ArcSight ESM for real-time prevention and detection @ 100K+ EPS
• ADP Logger for long-term log retention & compliance @ 1M+ EPS
• ArcMC for single-pane-of-glass management
• Investigate for hunting & analytics at blazing speed @ 1M+ EPS
• Event Broker to be the message bus of choice to feed the single Security Big Data Lake & Beyond (Hadoop, 3rd party data lakes, etc…) for 1M+ EPS
You invest in the vision of Micro Focus, which sees Intelligent Security Operations at the center of the Enterprise Security paradigm.
7
Building High Level Design – Example 1
“Solution with low cost, regulation, investigation if needed”
8
Building High Level Design – Example 1
“Low cost, regulation, correlation if needed; there are no people”
Logger / ESM
9
Building High Level Design – Example 2
“We are just starting to build our SOC, we need early success, save data for one year”
Logger, ESM, ArcMC
10
Building High Level Design – Example 3
“We have run the SOC for the last 2 years; we are looking for a high-speed investigation tool and SOAR support to take our capabilities to the next level”
Logger, ESM, ArcMC, Investigate, Event Broker, SOAR
11
Building High Level Design – Example 3
“We have run the SOC for the last 2 years; we are looking for a high-speed investigation tool and SOAR support to take our capabilities to the next level”
Logger, ESM, ArcMC, Investigate, Event Broker, SOAR
12
Building High Level Design – Example 3
Full support for DR and HA
Logger, ESM, ArcMC, Investigate, Event Broker, SOAR
Intelligent Security Operations (reference architecture)
Sources: Any – User | Cloud | App | Servers & Workloads | Network | Endpoints; 3rd parties (e.g. Hadoop)
Log Collection Layer: SmartConnectors (SmartConnector clusters) → Event Broker (Event Flow)
Event Broker cluster: Node 1, Node 2, Node 3 … Node n (where n is an odd number); add Event Broker nodes as performance requires
ArcSight Data Platform (ADP): ArcMC 2.6 or up (Management Traffic); Logger pools / clusters, Logger 6.4 or up
Correlation Layer: ESM 6.11 or up
Hunting & Analytics & Investigation: ArcSight Investigate on a Vertica cluster – Node 1, Node 2, Node 3 … Node n (where n is an odd number), each with a Vertica DB
Compliance & Reporting: Logger pool / cluster, Logger 6.4 or up
Integration Command
Production and HA/DR sites
14
Building High Level Design
15
Sizing
HPE ArcSight Sizing Worksheet FY18-16-0801.xlsm
16
Event Broker Sizing
Sizing: Event Broker – 2 days retention (caching) – 10K EPS – 3 nodes
Sizing: Event Broker – 2 days retention (caching) – 10K EPS – 5 nodes
Sizing: Event Broker – 2 days retention (caching) – 25K EPS – 5 nodes
Sizing: Event Broker – Best Practices
[5] x nodes of VM/physical server, each with the following hardware specs:
- ___ TB of disk space + OS (100 GB)
- Recommend Gen9/Gen10 hardware (ProLiant DL380, etc…)
- 64 GB RAM (32 GB RAM is OK – this is the absolute minimum – DO NOT GO BELOW THIS NUMBER)
- 2 x CPU with 12 cores per CPU = 24 CPU cores
- 15K RPM SAS (10K RPM is OK)
- 10 Gbit/s NICs (most important) – DO NOT GO BELOW THIS NUMBER
VM is OK to use if the recommended hardware specs can be guaranteed per VM.
- At least equivalent to Gen9 if virtual environment.
It is about choosing an appropriate “cookie cutter” (VM) hardware configuration: the same hardware for nodes added over time.
Low latency is critical – 10 Gbit network only.
Consider the multiple topics that need to be fulfilled based on consumers – CEF, CEF Binary for ESM (two Connector destinations) and Avro for Investigate (transformation performed at the Event Broker).
___ TB of disk space PER NODE for events/index only. Can be SAN, but needs the lowest latency possible. SSD not mandatory.
Keep in mind that compression in Kafka is performed on the producer (e.g. the SmartConnector) using GZIP. Kafka itself plays no role in compression of data.
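To make the blank "___ TB" line concrete, here is an added worked example (not from the deck and not a Micro Focus tool) that turns the deck's own inputs into a per-node disk figure. The deck supplies the retention (2 days), the EPS tiers (10K, 25K), the node counts (3, 5, odd) and the 100 GB OS allowance; the average CEF event size, the GZIP ratio achieved at the producer, the Kafka replication factor, the number of materialised topics and the headroom factor are assumptions labelled in the code and should be replaced with values measured on the customer's SmartConnectors.

```python
"""Event Broker (Kafka) retention-disk estimate for ADP sizing.

Added worked example for the sizing slides; it is not part of the deck and not
a Micro Focus tool. Inputs taken from the deck: 2 days retention (caching),
10K / 25K EPS, 3 / 5 nodes (odd), "+ OS (100 GB)". Every other figure is an
explicit ASSUMPTION and should be replaced by values measured on the
customer's SmartConnectors.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
OS_DISK_GB = 100  # deck: "___ TB of disk space + OS (100 GB)"


@dataclass(frozen=True)
class BrokerSizing:
    eps: int                      # sustained events per second (deck: 10K, 25K)
    retention_days: float         # deck: 2 days of caching
    nodes: int                    # deck: 3 or 5 nodes, n odd
    avg_event_bytes: int = 600    # ASSUMPTION: typical CEF event before compression
    gzip_ratio: float = 0.25      # ASSUMPTION: producer-side GZIP keeps ~25% of raw
    topic_copies: int = 3         # ASSUMPTION: CEF, CEF binary (ESM) and Avro
                                  #   (Investigate) topics each hold a copy
    replication_factor: int = 2   # ASSUMPTION: Kafka replicas per partition
    headroom: float = 1.3         # ASSUMPTION: +30% for open segments and indexes

    def raw_bytes_per_day(self) -> int:
        """Uncompressed bytes the connectors produce in one day."""
        return self.eps * self.avg_event_bytes * SECONDS_PER_DAY

    def stored_bytes(self) -> float:
        """Bytes the whole cluster must hold for the retention window."""
        one_topic = self.raw_bytes_per_day() * self.retention_days * self.gzip_ratio
        return one_topic * self.topic_copies * self.replication_factor * self.headroom

    def tb_per_node(self, failed_nodes: int = 0) -> float:
        """Event/index disk per node in TB.

        With failed_nodes > 0 the same data has to fit on the survivors, which
        is the figure that matters for the deck's HA/DR requirement.
        """
        survivors = self.nodes - failed_nodes
        if survivors < 1:
            raise ValueError("no surviving nodes")
        return self.stored_bytes() / survivors / 1e12

    def total_disk_gb_per_node(self) -> float:
        """Events/index plus the deck's 100 GB operating-system allowance."""
        return self.tb_per_node() * 1000 + OS_DISK_GB

    def issues(self) -> list[str]:
        """Guidance checks that the arithmetic alone does not express."""
        found = []
        if self.nodes % 2 == 0:
            found.append("node count should be odd (deck: n is an odd number)")
        if self.replication_factor < 2:
            found.append("replication factor 1: losing one node loses its partitions")
        if self.replication_factor > self.nodes:
            found.append("replication factor exceeds node count")
        return found


def sizing_table(scenarios: list[BrokerSizing]) -> list[tuple[int, int, float, float]]:
    """(eps, nodes, TB/node healthy, TB/node with one node down) per scenario."""
    return [(s.eps, s.nodes, round(s.tb_per_node(), 3), round(s.tb_per_node(1), 3))
            for s in scenarios]


if __name__ == "__main__":
    # The three scenarios shown on the sizing slides
    deck_scenarios = [
        BrokerSizing(eps=10_000, retention_days=2, nodes=3),
        BrokerSizing(eps=10_000, retention_days=2, nodes=5),
        BrokerSizing(eps=25_000, retention_days=2, nodes=5),
    ]
    for eps, nodes, healthy, degraded in sizing_table(deck_scenarios):
        print(f"{eps:>6} EPS, {nodes} nodes: {healthy:.3f} TB/node "
              f"(one node down: {degraded:.3f} TB/node)")
```

The degraded column is the one to size against: with two of three nodes surviving, each remaining node carries half of the cluster's retained data rather than a third, so the per-node disk bought for the healthy case is exhausted the first time a broker is down for longer than the retention window is consumed.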
MSSP
32
MSSP solution – Goals
• Managing different customers on the same platform
• Easy to implement
• Enable access using policy and permissions
• Separate data
• Flexible growth
• Full audit
• GDPR and compliance on privacy issues
33
Single ESM Server
34
Multiple ESM Servers
35
Network Model
Asset ranges – represent a set of network nodes addressable by a contiguous block of IP addresses.
Zones – represent portions of the network itself and are also characterized by a contiguous block of addresses.
Locations – describe the geographic location of assets, asset groups, or zones.
End point detection – Stage 2
Micro Focus Confidential
Networks: 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24
Cyber_1
BYOD – Asset ranges
Zones
Network
Con 1, Con 2, Con 3
Locations
37
• Tagging is a feature developed mainly to support MSSP environments.
• Designation identifies who owns the events. This ensures each customer (tenant) can view only its own events.
Customer
End point detection – Stage 2
Networks: 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24
Cyber_1
Con 1, Con 2, Con 3
Zone | Network | Customer | Connectors | Raw data | Location
39
Access Control Lists (ACLs)
What you can See
What you can do
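The network model, customer designation and ACL slides describe one mechanism: asset ranges (contiguous IP blocks) roll up into zones and locations, the collecting connector designates the owning customer, and the ACL decides what a user can see and what they can do. The following is an added example in plain Python, not code from the deck or from ArcSight ESM, that models those pieces together. The three /24 networks, the customer Cyber_1 and connectors Con 1 to Con 3 come from the slides; the second customer Cyber_2, the location names, the sample events and the permission names are constructed, and the Acl layout is an assumption standing in for ESM's real resource permissions.

```python
"""Network model, customer designation and ACL filtering in one place.

Added example for the MSSP slides; not code from the deck or from ArcSight ESM.
From the slides: networks 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, customer
Cyber_1, connectors Con 1..Con 3. CONSTRUCTED: the second customer Cyber_2,
location names, sample events and permission names. The Acl layout is an
ASSUMPTION standing in for ESM's real resource permissions.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class AssetRange:
    name: str
    network: IPv4Network   # deck: a contiguous block of IP addresses
    zone: str              # deck: zone = portion of the network, also a contiguous block
    location: str          # deck: geographic location of the assets / zone


@dataclass(frozen=True)
class NetworkModel:
    ranges: tuple[AssetRange, ...]
    connector_customer: dict[str, str]   # designation: connector -> owning customer

    def lookup(self, addr: str) -> AssetRange | None:
        """Most specific asset range containing addr, or None if unmodelled."""
        ip = ip_address(addr)
        hits = [r for r in self.ranges if ip in r.network]
        return max(hits, key=lambda r: r.network.prefixlen, default=None)

    def tag(self, event: dict) -> dict:
        """Stamp zone/location from the source address, customer from the connector."""
        tagged = dict(event)
        rng = self.lookup(event["src"])
        tagged["zone"] = rng.zone if rng else "unknown"
        tagged["location"] = rng.location if rng else "unknown"
        # Designation (deck): the collecting connector identifies who owns the event,
        # so an address the model does not know still lands with the right tenant.
        tagged["customer"] = self.connector_customer.get(event["connector"], "unassigned")
        return tagged


@dataclass(frozen=True)
class Acl:
    customers: frozenset[str]   # deck: "what you can see"
    actions: frozenset[str]     # deck: "what you can do"

    def can_see(self, event: dict) -> bool:
        return event["customer"] in self.customers

    def can_do(self, action: str) -> bool:
        return action in self.actions


def visible_events(acl: Acl, events: list[dict]) -> list[dict]:
    """Events a user holding acl is allowed to view."""
    return [e for e in events if acl.can_see(e)]


# --- constructed sample data -------------------------------------------------
MODEL = NetworkModel(
    ranges=(
        AssetRange("Cyber_1 servers", ip_network("10.0.1.0/24"), "Cyber_1-Servers", "Site A"),
        AssetRange("Cyber_1 BYOD", ip_network("10.0.2.0/24"), "Cyber_1-BYOD", "Site A"),
        AssetRange("Cyber_2 office", ip_network("10.0.3.0/24"), "Cyber_2-Office", "Site B"),
    ),
    connector_customer={"Con 1": "Cyber_1", "Con 2": "Cyber_1", "Con 3": "Cyber_2"},
)

EVENTS = [  # constructed
    {"id": 1, "src": "10.0.1.25", "connector": "Con 1", "name": "Login failure"},
    {"id": 2, "src": "10.0.2.7", "connector": "Con 2", "name": "Port scan"},
    {"id": 3, "src": "10.0.3.200", "connector": "Con 3", "name": "Malware alert"},
    {"id": 4, "src": "192.168.50.9", "connector": "Con 1", "name": "VPN login"},  # outside the model
]

ACLS = {  # constructed; one tenant analyst, one MSSP SOC operator
    "cyber1_analyst": Acl(frozenset({"Cyber_1"}), frozenset({"view", "annotate"})),
    "mssp_soc": Acl(frozenset({"Cyber_1", "Cyber_2"}),
                    frozenset({"view", "annotate", "create_case", "edit_rule"})),
}


def tagged_events() -> list[dict]:
    return [MODEL.tag(e) for e in EVENTS]


def visible_ids(user: str) -> list[int]:
    """Event ids the named user may see, in arrival order."""
    return [e["id"] for e in visible_events(ACLS[user], tagged_events())]


if __name__ == "__main__":
    for e in tagged_events():
        print(e["id"], e["customer"], e["zone"], e["location"], e["name"])
    print("cyber1_analyst sees", visible_ids("cyber1_analyst"))
    print("mssp_soc sees", visible_ids("mssp_soc"))
    print("cyber1_analyst may edit rules:", ACLS["cyber1_analyst"].can_do("edit_rule"))
```

Event 4 is the case worth noticing: its source address is in no modelled asset range, so zone and location fall back to "unknown", but because ownership comes from the connector rather than from the address it is still attributed to Cyber_1 and stays invisible to any other tenant. That is the property the deck's designation slide promises, and it is why per-customer connectors (or per-customer connector destinations) are the simplest separation to audit.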
40
MSSP Content Management Guidelines
• Events
• Cases
• Reports
• Data Monitors
• Dashboards
• Notifications
• Rules
41
Managing Storage Groups
This ensures all events from a connector go to the designated storage group.
42
Rule: Event Counts Detected
43
Query: Daily Average EPS
44
Report 1: Daily EPS Usage for All Customers
45
MSSP
• Flexible architecture
• Support for multi-tenant
• Permissions (can see, can do)
• Storage separation
• Full audit log
• Data encryption – privacy issue
• Customer reports