StealthWatch and ArcSight Interoperability
Lancope, an industry leader in flow-based monitoring, has joined forces with HP ArcSight, one of the industry’s premier sources for security event management, to provide greater contextual awareness surrounding security incidents. Together, the two systems provide a more complete picture of the security issues threatening enterprise networks, delivering more actionable insight for faster, more effective troubleshooting.
ArcSight’s SIEM (Security Information and Event Management) tools record and report on security incidents that take place on the network by aggregating log information from a variety of sources such as AV, firewall and IDS/IPS systems. Lancope’s StealthWatch® System leverages NetFlow and other flow data from existing network devices to cost-effectively deliver 24/7, end-to-end visibility into all hosts and traffic on the network. By augmenting traditional sources of SIEM data with flow-based information, ArcSight customers can see deeper into the network, reducing the cost and complexity of incident resolution and improving overall security measures.
Based on behavioral analysis rather than signature updates, StealthWatch investigates and mitigates APTs and other zero-day attacks that bypass perimeter defenses, as well as insider threats such as network misuse, unauthorized access, device misconfigurations and data leakage. The system is scalable to meet the needs of even the largest networks, analyzing up to 3 million flows per second, and can also monitor and protect virtual environments.
“We are focused on providing enterprises with a centralized and comprehensive solution for understanding the security posture of their organization so security groups and business managers can take coordinated, timely and effective action. Integrating Lancope’s network behavior anomaly detection adds a unique layer of intelligence to this centralized view, identifying previously unknown threats from the outside as well as on the inside of your network.”
How It Works
Through this integration, StealthWatch employs powerful, behavioral analytics on flow data to derive meaningful security alarms, and outputs them as syslog feeds to ArcSight for logging and correlation. ArcSight further leverages the information provided by StealthWatch by retrieving detailed Host Snapshots on either the source or target of an attack directly from StealthWatch without ever leaving the ArcSight console. The Host Snapshot provides data about the types of applications and services the host has been known to run, recent alarm activity observed from the host, interfaces the host is using, and more.
ArcSight users can benefit from StealthWatch flow data through a number of methods:
- Through enhanced integration using ArcSight’s Common Event Format (CEF), organizations with a complete StealthWatch deployment can seamlessly pull the results of sophisticated, behavioral analysis conducted on flow data into their ArcSight system as syslog feeds. Prioritized alarms streamline workflows by flagging the most critical security and compliance events occurring within the organization. Because StealthWatch analyzes the flow data, it lessens the processing requirements on ArcSight, enabling each system to focus on its core tasks and better scale to accommodate very large environments.
- Additionally, users can drill down even deeper into the StealthWatch flow data via their ArcSight console, obtaining a Host Snapshot that provides a plethora of details on either the source or target of specific attacks for even greater situational awareness.
- For much smaller deployments, organizations can leverage the StealthWatch FlowSensor to generate and send native flow data directly to ArcSight to process and correlate with data from other sources. This enables them to obtain in-depth network insight, even for areas of the network that are not NetFlow-enabled, without the need for expensive and difficult-to-manage probes.
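As an added example (not code from Lancope or ArcSight), the following parser consumes the kind of CEF syslog feed described above and applies a severity threshold to prioritize alarms; the sample lines are constructed, and the signature IDs, device version and extension field names are assumptions rather than Lancope's published schema.

```python
import re
# Added example (not Lancope/ArcSight code): parse StealthWatch-style alarms
# delivered as CEF over syslog. IDs, version and extension keys are assumptions.
HEADER_KEYS = ("cef_version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")

def _unescape(s: str) -> str:
    # CEF escapes '\|', '\=' and '\\' with a backslash; '\n' / '\r' are line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), s)

def _split_header(text: str):
    # Split the seven header fields on unescaped '|'; return (fields, extension).
    fields, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):   # keep the escape pair intact
            buf.append(text[i:i + 2]); i += 2; continue
        if text[i] == "|":
            fields.append(_unescape("".join(buf))); buf = []
            if len(fields) == len(HEADER_KEYS):
                return fields, text[i + 1:]
        else:
            buf.append(text[i])
        i += 1
    raise ValueError("truncated CEF header")

def parse_cef(line: str) -> dict:
    # Parse one syslog line carrying a CEF event into a flat dict.
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    fields, ext = _split_header(line[start + 4:])
    event = dict(zip(HEADER_KEYS, fields))
    if event["severity"].isdigit():   # CEF allows 0-10 or Low/Medium/High/Very-High
        event["severity"] = int(event["severity"])
    # A new key=value pair starts only at whitespace followed by an unescaped '='.
    for pair in re.split(r"\s+(?=[\w.]+=)", ext.strip()):
        key, sep, value = pair.partition("=")
        if sep:
            event[key] = _unescape(value)
    return event

def prioritized(lines, min_severity=7):
    # Keep alarms at or above a severity threshold, most severe first.
    events = [parse_cef(ln) for ln in lines]
    keep = [e for e in events if isinstance(e["severity"], int) and e["severity"] >= min_severity]
    return sorted(keep, key=lambda e: e["severity"], reverse=True)
SAMPLE_ALARMS = [  # constructed sample lines, not captured StealthWatch output
    "<13>Apr 21 10:15:02 smc CEF:0|Lancope|StealthWatch|x.y|SIG-PLACEHOLDER-1|Suspect Data Hoarding \\| Policy|8|src=10.10.20.5 dst=10.10.30.42 dpt=445 msg=Pulled 3.2 GB from file server ratio\\=10x baseline",
    "<13>Apr 21 10:15:09 smc CEF:0|Lancope|StealthWatch|x.y|SIG-PLACEHOLDER-2|High Concern Index|6|src=10.10.20.7 dst=192.0.2.10 msg=CI 105% of threshold",
]
```

Header fields escape `|` and extension values escape `=`, so a naive split on those characters would mangle alarm names and messages; the parser above keeps both intact.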
In addition to strengthening overall security posture and expediting network troubleshooting, integrating StealthWatch and ArcSight enhances network forensics for incident investigation and supports compliance with a wide range of industry regulations from NERC CIP and FISMA/NIST to PCI and HIPAA.