
Sponsored By:

An IT Briefing produced by

SIEM 3.0: The Next Generation of Security and Compliance Monitoring


© 2008 TechTarget

BIO

SIEM 3.0: The Next Generation of Security and Compliance Monitoring

By Rick Caccia

Rick Caccia is Vice President of Product Strategy of ArcSight. Caccia spent 15 years designing and managing infrastructure systems with a focus on security and identity management. Prior to ArcSight, he led product management at Symantec for e-mail and Web security products. Prior to Symantec, Caccia was at Oblix, leading product management and marketing for identity management, access control, and Web services policy. He has a master's degree in marketing and technology management from U.C. Berkeley.

This IT Briefing is based on an ArcSight/TechTarget Webcast, “SIEM 3.0: The Next Generation of Security and Compliance Monitoring.”

This TechTarget IT Briefing covers the following topics:

• Introduction
• The Evolution of SIEM
  • SIEM 1.0 - Protecting the Perimeter
  • SIEM 2.0 - Protecting the Network
  • Changes
  • Impacts of These Changes
• SIEM 3.0
  • Protecting the Business
  • Example Involving a Contractor
  • Example Involving Compliance Violation
  • Example Involving Account Takeover
• Evaluating SIEM
  • Broad Collection
  • Normalization
  • Auto-Learning in SIEM 3.0
  • Auto-Response in SIEM 3.0
  • Scale in SIEM 3.0
  • Applications in SIEM 3.0
• Beyond SIEM 3.0
• ArcSight SIEM Overview
  • Event Collection
  • Asset and User Model
• New Applications
  • IdentityView
• Deploying the Platform
• Summary
• Common Questions

Copyright © 2008 ArcSight. All Rights Reserved. Reproduction, adaptation, or translation without prior written permission is prohibited, except as allowed under the copyright laws.

About TechTarget IT Briefings

TechTarget IT Briefings provide the pertinent information that senior-level IT executives and managers need to make educated purchasing decisions. Originating from our industry-leading Vendor Connection and Expert Webcasts, TechTarget-produced IT Briefings turn Webcasts into easy-to-follow technical briefs, similar to white papers.

Design Copyright © 2004–2008 TechTarget. All Rights Reserved.

For inquiries and additional information, contact: Dennis Shiao, Director of Product Management, [email protected]


SIEM 3.0: The Next Generation of Security and Compliance Monitoring

Introduction

This paper discusses some of the more interesting trends in the security information and event monitoring (SIEM) industry.

The Evolution of SIEM

This section describes the evolution of SIEM technology, from its first phase to the current one, and includes a look at its future.

SIEM 1.0 - Protecting the Perimeter

Phase 1 SIEM was quite straightforward. SIEM 1.0 companies deployed many firewalls and IDS or IPS devices to protect the network perimeter from hackers, worms, or other malware. SIEM implementations served two purposes in this phase.

First, as shown in Figure 1, by monitoring the perimeter security devices, SIEM 1.0 told us whether these devices were working, answering the question of whether any sort of “junk” was getting through to the network.

Second, if something did get through, as Figure 2 illustrates, because SIEM monitors were spread from node to node, IT administrators relied on the SIEM system to tell them which desktops needed quarantine, a rebuild, and so forth. SIEM 1.0 was about protecting the perimeter, and many organizations still use it for their first phase of SIEM deployment. In practice, though, we have seen many organizations move beyond that stage to what can be called SIEM 2.0.

Figure 1


SIEM 2.0 - Protecting the Network

Phase 2 SIEM still protects the perimeter but adds compliance initiatives, so the mandate is to protect the network in addition to the boundary. In this phase it is important to ask questions like those shown in Figure 3. Are the patches installed? Are antivirus definitions updated on every desktop? SIEM 2.0 tells the IT admins that the network protection processes are working, and they can pass that along to the auditors.

As with SIEM 1.0, this phase has a similar second purpose, as shown in Figure 4. If a virus invades a user’s laptop over the weekend and starts to spread across the network on Monday morning, the SIEM product can tell the admin which machines are affected, which ones need to be rebuilt, and so forth. The interesting fact about this layer is that, for malware scanning, the AV vendors play up the signatures, definitions, and so on, but in fact much of the malware prevention comes from the behavioral analysis in those tools, used to eliminate the outbreaks. SIEM 2.0 can also help here because it analyzes the spreading behavior of a virus or worm and can provide an early alert for IT as well as indicating which machines need repair.

Changes

This section discusses some of the dramatic changes affecting the IT environment.

Data Changes

More data is online and exposed to the Internet. More and more paper documents have been digitized and more and more forms are online. So more data is exposed to the public network, resulting in more data breaches, which are happening more often with greater impact. More risk brings more regulations, which bring more penalties.

More Online Transactions

Another change is that more transactions take place online than ever before, whether they are banking transactions or purchases on eBay, Amazon, Google, or Craigslist. In many of these purchases people pay with PayPal, Google Checkout, or some other form of online payment.

Figure 2


Figure 3

Figure 4


Online transactions also include self-service stock trading and wire transfers. As a result of all these online transactions, more money is moving over the network, providing more opportunity for problems.

More Data, Devices, and Events

Another change is simply growth in the network. More traffic comes from more users accessing more devices and generating more log events. This increased volume makes it more difficult to keep track of who is doing what. These are essentially technical changes, but other changes are occurring as well.

More Mergers and Acquisitions

More mergers and acquisitions are occurring, resulting in more heterogeneous systems in an organization’s IT environment. This change provides more opportunities for things to fall through the cracks.

More Layoffs

More mergers mean more layoffs that, apart from the personal effects, bring increased potential for data loss. An IT World study indicates that 88% of IT administrators said they would take confidential information if they knew they were getting laid off. Even if this number were off by a factor of two, it would still be a serious problem.

More Outsourcing, Contractors, and “Trusted Outsiders”

Another change is more outsourcing, and not just to off-shore companies. More companies rely on contractors, partners, and so forth, and the result is that most organizations have more trusted outsiders than ever before. These people can access internal systems but are not company employees.

More Software as a Service

Software delivery as a service is a relatively new change. For example, many companies use www.salesforce.com to manage customer data. More and more are using Google Docs or Gmail for corporate IT. More applications like these mean more data outside the firewall, less control over security, and less control over data storage.

Impacts of These Changes

All these changes have a significant impact on businesses.

Disappearance of the Perimeter

The first impact is the disappearance of the perimeter. The notion of inside and outside changes when parts of the business are outsourced, where trusted outsiders access internal systems, and where key applications and data reside in the cloud.

Who Is on the Network and Who Should Be There?

When the wall around the business shrinks, new questions arise about who is trusted. It is difficult to know whom to trust unless there is information about the identity of everyone in the network. Also, deactivated individuals might still be generating activity. Besides understanding who is on the network, it is important to know who should be on the network. IP addresses are no longer enough; DHCP, mobile workers, and shared accounts are all increasing the need for real identity monitoring, not just knowing an IP address.

SIEM 3.0

These changes and their impacts are causing many organizations to reconfigure their businesses. Security is becoming more challenging; to protect the business, monitoring becomes much more important. SIEM 3.0 can be a significant help with these new challenges.

Protecting the Business

SIEM 3.0 is not just about protecting the perimeter of the network, but about protecting the business, as Figure 5 illustrates. It is still necessary to protect the perimeter and the network, but it is most important to protect the overall business.

To protect the business, it is essential to understand who is on the network, what data they are seeing, and which actions they are taking with that data, known as user monitoring, data monitoring, and application monitoring. SIEM 3.0 is about monitoring and understanding users, monitoring the information they look at, and monitoring the applications they touch.

Example Involving a Contractor

SIEM 3.0 can perform correlation on a transaction to help determine whether it is fraudulent.

For example, an IT contractor is completing his work at a company. Analyzing his activities raises several flags. First, he has been using his badge to access the workspace after hours. His role in the identity management system is contractor, and it is generally against policy for this customer’s contractors to come in after hours. Correlating file system logs indicates that he has copied some confidential files from the NetApp filer. Finally, correlating that information with firewall logs helps determine that he has uploaded files to an unknown site. This monitoring enabled the customer to identify a contractor engaged in improper activity.

Example Involving Compliance Violation

We investigated the computer activity of another company’s well-respected senior business analyst. Correlating identity information in the access directory with application access in the mainframe and the Oracle financials application shows some potential problems. This analyst has violated separation of duties restrictions, and it is necessary to sort out the access rules to make sure this company is still in compliance with Sarbanes-Oxley.

Example Involving Account Takeover

This is a real situation involving a client of a bank who asked to wire funds from her account using the bank’s Website and her iPhone. At first the bank was pleased about the cost savings that come with self-service, but some correlations showed possible issues. We examined the timing and saw that her account had been established only recently. We also saw that it was a single-custody account, so she could wire funds without a second signature, and that the wiring address had changed very recently. This banking customer found that its back-office employees were using newly established customer accounts to wire money out of the country and steal from customers. They did it by changing addresses and executing transactions in the period between when the accounts were established and when the new account paperwork was sent out.
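The contractor and account-takeover examples above are both multi-source correlations: each individual event (a badge swipe, a file copy, an address change) is unremarkable on its own, and the finding only appears when events from different systems are joined against identity context and a time window. The following is an added example, not code from the briefing or from ArcSight, that expresses both cases as rules over already-normalized events. The event dictionaries, the role table, the known-site list, the business-hours range, and the 30-day and 7-day thresholds are all constructed for the example.

```python
from datetime import datetime, timedelta

# Identity context and allow-list, constructed for this example: user -> role
# from the identity management system, and external sites already known to IT.
ROLES = {"jdoe": "contractor", "asmith": "employee"}
KNOWN_SITES = {"partner.example", "corp-backup.example"}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 counts as in-hours (assumed policy)

T0 = datetime(2008, 6, 2, 21, 30)  # constructed: a Monday evening

# Constructed, already-normalized events from a badge reader, a file server,
# a firewall, and a bank's core-banking, CRM and online channels.
SAMPLE_EVENTS = [
    {"ts": T0, "source": "badge_reader", "category": "badge_access",
     "user": "jdoe", "door": "bldg2-east"},
    {"ts": T0 + timedelta(minutes=40), "source": "file_server", "category": "file_copy",
     "user": "jdoe", "path": "/vol/finance/q2-forecast.xls", "classification": "confidential"},
    {"ts": T0 + timedelta(hours=1), "source": "firewall", "category": "outbound_transfer",
     "user": "jdoe", "dest": "files-drop.example.net", "bytes": 48_000_000},
    # An employee working late and pushing a backup to a known site: no alert.
    {"ts": T0, "source": "badge_reader", "category": "badge_access",
     "user": "asmith", "door": "bldg1-main"},
    {"ts": T0 + timedelta(minutes=10), "source": "firewall", "category": "outbound_transfer",
     "user": "asmith", "dest": "corp-backup.example", "bytes": 1_000},
    # Bank: a brand-new single-custody account, an address change, then a wire.
    {"ts": datetime(2008, 6, 1, 9, 0), "source": "core_banking",
     "category": "account_created", "account": "4417-2209", "custody": "single"},
    {"ts": datetime(2008, 6, 10, 14, 0), "source": "crm",
     "category": "address_change", "account": "4417-2209"},
    {"ts": datetime(2008, 6, 12, 10, 0), "source": "web_banking", "category": "wire_request",
     "account": "4417-2209", "custody": "single", "amount": 25_000, "channel": "mobile"},
    # A long-established joint account wiring funds: no alert.
    {"ts": datetime(2005, 3, 1, 9, 0), "source": "core_banking",
     "category": "account_created", "account": "1002-7781", "custody": "joint"},
    {"ts": datetime(2008, 6, 12, 11, 0), "source": "web_banking", "category": "wire_request",
     "account": "1002-7781", "custody": "joint", "amount": 4_000, "channel": "web"},
]


def after_hours(ts):
    """True when the timestamp falls outside the assumed business hours."""
    return ts.hour not in BUSINESS_HOURS


def contractor_exfil_rule(events, roles, known_sites, window=timedelta(hours=24)):
    """A contractor badges in after hours, then copies confidential files and
    uploads to an unknown destination within the window: raise one alert."""
    alerts = []
    by_user = {}
    for e in events:
        if e.get("user"):
            by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        if roles.get(user) != "contractor":
            continue
        badges = [e for e in evs if e["category"] == "badge_access" and after_hours(e["ts"])]
        copies = [e for e in evs if e["category"] == "file_copy"
                  and e.get("classification") == "confidential"]
        uploads = [e for e in evs if e["category"] == "outbound_transfer"
                   and e["dest"] not in known_sites]
        for b in badges:
            end = b["ts"] + window
            c = [x for x in copies if b["ts"] <= x["ts"] <= end]
            u = [x for x in uploads if b["ts"] <= x["ts"] <= end]
            if c and u:
                alerts.append({"rule": "contractor_after_hours_exfil", "user": user,
                               "badge_ts": b["ts"], "files": [x["path"] for x in c],
                               "destinations": sorted({x["dest"] for x in u})})
                break  # one alert per contractor is enough
    return alerts


def account_takeover_rule(events, new_account_days=30, address_change_days=7):
    """A wire from a single-custody account opened less than new_account_days ago
    whose address changed within address_change_days before the wire."""
    opened = {e["account"]: e["ts"] for e in events if e["category"] == "account_created"}
    changes = {}
    for e in events:
        if e["category"] == "address_change":
            changes.setdefault(e["account"], []).append(e["ts"])
    alerts = []
    for e in events:
        if e["category"] != "wire_request" or e.get("custody") != "single":
            continue
        acct = e["account"]
        if acct not in opened or e["ts"] - opened[acct] > timedelta(days=new_account_days):
            continue
        recent = [t for t in changes.get(acct, [])
                  if timedelta(0) <= e["ts"] - t <= timedelta(days=address_change_days)]
        if recent:
            alerts.append({"rule": "new_account_address_change_wire", "account": acct,
                           "wire_ts": e["ts"], "address_changed": recent[-1],
                           "amount": e["amount"]})
    return alerts


def run_rules(events=SAMPLE_EVENTS):
    """Run both rules and return the combined alert list."""
    return contractor_exfil_rule(events, ROLES, KNOWN_SITES) + account_takeover_rule(events)


if __name__ == "__main__":
    for alert in run_rules():
        print(alert)
```

Both rules depend on context the raw logs never carry: the role table turns a badge swipe into a policy violation, and the account-creation and address-change records turn an ordinary wire request into the pattern the bank's staff were exploiting. That is why the briefing stresses collecting from identity systems and back-office applications, not only from network devices.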

Evaluating SIEM

This section discusses how you can evaluate SIEM products against the issues we have discussed.

Figure 5


Broad Collection

First, you need to address the impacts on the business caused by recent changes. Look for software that can collect information from a broad range of sources. Relatively simple sources include firewalls, routers, and switches. More expensive sources include phones, badge readers, servers, and laptops. Even more expensive sources include the identity management and access control systems, the file servers, and the data leakage prevention products, as well as packaged applications. It is important to be able to examine the event information from all those systems.

Normalization

When you collect information from all those systems, you will notice that the events are logged in a variety of formats, which makes them very difficult to correlate. The login from the firewall, the login from the mainframe, the login from Windows, and the login from the phone system—none of these events looks the same, so you are comparing apples to oranges to strawberries to something else. Until you normalize the formats, you cannot compare them, so you cannot analyze them to determine whether you have an issue. You need to convert all these formats to a common format, essentially making everything look like an apple. Now you can compare them.

Auto-Learning in SIEM 3.0

The next challenge is being able to define good rules that can be applied to resolve these sophisticated issues. A key function of SIEM 3.0 is the ability to learn automatically and to create new rules. This ability to auto-learn means that the SIEM can look at historical data and activities and process that information, teaching itself about the observed patterns, which are often difficult to detect by visual examination. By creating new rules, the system gets smarter as it works. Moving from finding a worm coming through the firewall to detecting a trusted insider or outsider taking various actions over time that lead to a data breach, the analysis becomes very different. You want a system that can learn on its own, one that does not rely solely on the administrator who is on a console from 9 to 5.
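The simplest form of the auto-learning described above is behavioural baselining: the system derives a per-user rule from historical activity (when the user is normally active, which hosts the user normally touches) and then scores new events against that rule, with no administrator writing the rule by hand. The following is an added example, not the briefing's or any vendor's algorithm; the three-week activity history, the hosts, the user names, the minimum-count and one-hour-slack parameters are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history: three weeks of an HR analyst's activity, four touches per
# weekday on two hosts, always between 09:00 and 16:00. Tuples are (user, ts, host).
HISTORY = [
    ("bclark", datetime(2008, 5, day, hour, 0), host)
    for day in range(5, 24)
    if datetime(2008, 5, day).weekday() < 5
    for hour, host in ((9, "hr-db"), (11, "hr-db"), (14, "payroll-app"), (16, "hr-db"))
]

# Constructed new activity to score against the learned profiles.
NEW_EVENTS = [
    ("bclark", datetime(2008, 6, 2, 10, 0), "hr-db"),            # normal
    ("bclark", datetime(2008, 6, 2, 23, 15), "hr-db"),           # late night
    ("bclark", datetime(2008, 6, 3, 9, 30), "eng-source-repo"),  # never touched before
    ("bclark", datetime(2008, 6, 4, 2, 0), "eng-source-repo"),   # both at once
    ("mreyes", datetime(2008, 6, 4, 9, 0), "hr-db"),             # no history at all
]


def learn_profiles(history, min_count=3, slack_hours=1):
    """Derive one behavioural rule per user from (user, ts, host) records.

    Hours and hosts seen fewer than min_count times are treated as noise; the
    usual working window is widened by slack_hours on each side."""
    hours = defaultdict(Counter)
    hosts = defaultdict(Counter)
    for user, ts, host in history:
        hours[user][ts.hour] += 1
        hosts[user][host] += 1
    profiles = {}
    for user in hours:
        usual = sorted(h for h, n in hours[user].items() if n >= min_count)
        profiles[user] = {
            "hour_window": (usual[0] - slack_hours, usual[-1] + slack_hours) if usual else None,
            "known_hosts": {h for h, n in hosts[user].items() if n >= min_count},
            "samples": sum(hours[user].values()),
        }
    return profiles


def score_event(profiles, user, ts, host):
    """Return the list of ways one event departs from the user's learned rule."""
    p = profiles.get(user)
    if p is None:
        return ["no_profile"]
    reasons = []
    window = p["hour_window"]
    if window and not window[0] <= ts.hour <= window[1]:
        reasons.append("unusual_hour")
    if host not in p["known_hosts"]:
        reasons.append("new_host")
    return reasons


def scan(profiles, events):
    """Every event that departs from its profile, with the reasons attached."""
    flagged = []
    for user, ts, host in events:
        reasons = score_event(profiles, user, ts, host)
        if reasons:
            flagged.append((user, ts, host, reasons))
    return flagged


if __name__ == "__main__":
    learned = learn_profiles(HISTORY)
    print(learned["bclark"])
    for item in scan(learned, NEW_EVENTS):
        print(item)
```

The learned profile is the rule: re-running learn_profiles on a longer history updates it without anyone editing a rule file, which is the point of the "gets smarter as it works" claim. The min_count floor matters in practice, because a single unusual day should not silently widen what the system considers normal.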

Auto-Response in SIEM 3.0

Once you do auto-learning and create those rules and start finding issues, you want your SIEM 3.0 solution to have automatic response. When it finds a problem, it should help you solve that problem, too. This can be automatic, or through some kind of guided workflow, or the administrator can be helped along, but you need to shorten the time between problem detection and resolution.

For example, when the SIEM system determines that a company’s sales rep is copying confidential data and is about to leave to go to a competitor, it should be able to automatically shut that rep out of the key systems immediately to prevent more loss. It is useful to find the problem, but it is also useful to contain the problem.

Scale in SIEM 3.0

More data and devices mean that the SIEM really needs to scale up to be able to process large numbers of events. Tens or hundreds of millions of events per day will be the norm in a SIEM 3.0 world. This is already the norm for many organizations and will become more widespread as people begin to analyze more of the data that moves through their networks.

Applications in SIEM 3.0

The evolution of the iPhone demonstrates how a platform increases in value by supporting applications. The same rule applies to the SIEM, and especially to SIEM 3.0. You want your SIEM 3.0 solution to run many kinds of correlations and be able to support a level of analysis on top of the basic platform. Many organizations are trying to do this today by piecing together solutions from a variety of products, a log management product from one vendor, business intelligence or business analysis from a different vendor, while using different types of technologies to collect data. Unfortunately, these pieces tend not to talk to each other. You need a platform where the components are tied together, where they share tools, and where they share formats, so it is easy to analyze the collected data.

Beyond SIEM 3.0

Beyond the 3.0 examples described earlier, some leading organizations have moved beyond user, data, and application monitoring.

In the area of logistics monitoring, one company is using its SIEM to do correlation of shipping and weather and other information, performing a kind of optimized logistics.

Another company is correlating stock trades to monitor trades for fraud. A pharmaceutical company correlates information from medical devices during drug trials to learn about drug interactions. Another organization is using the SIEM for biohazard monitoring by correlating shipping manifests, cargo scans, and other useful information to discover any issues.

The monitoring platform that comes with a good SIEM product can solve a variety of problems beyond just catching worms sneaking past the firewall.

ArcSight SIEM Overview

ArcSight sells a SIEM platform and is a leader in the market, offering a centralized platform made of multiple products for centralizing security. Figure 6 shows the layers in the platform. Starting at the bottom of the figure, an integration layer provides our connectors. Those are deployed and collect data from a large variety of devices, normalize the data to a common format, then send it to the real-time correlation engine and to the historical logging engine. These engines perform real-time analysis and reporting. If they find an issue, our auto-response engine can take action. These engines support a set of modules at the top of the platform for regulatory purposes or business purposes.

Event Collection

The first strength of the ArcSight SIEM involves event collection, illustrated in Figure 7. ArcSight believes it offers the most comprehensive event collection and normalization on the market, collecting from just under 300 types of data sources out of the box. Each of these is normalized to our common event format.

For example, a failed login from Windows, a failed login from a mainframe, and a failed login from a Linux server generate event data that is converted to the same format, allowing for some interesting analysis. The key point of this normalization is that, besides providing a better analysis, it gives you analysis that is future-proof. Many IT organizations want to upgrade pieces of their environment. They want to be able to normalize the data in their analysis even when some equipment has been upgraded. Rip out Cisco and put in Check Point; rip out Check Point and put in Juniper—the ArcSight analysis still works.
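The Normalization section and the paragraph above describe the same mechanism from two sides: one parser per source emits the same schema, so a failed login from Windows, from sshd on Linux, and from a mainframe can be counted and compared as one kind of event, and swapping a source only means swapping its parser. The following is an added example of that idea and is not ArcSight's connector code or its Common Event Format. The log lines are constructed: the Windows line is a text-flattened rendering of event 4625 (the "An account failed to log on" audit event), the Linux line is a standard sshd message, and the mainframe line is loosely modelled on a RACF logon-failure message; the assumed year and date fill in what syslog and the mainframe line omit.

```python
import re
from collections import Counter
from datetime import datetime

ASSUMED_YEAR = 2008          # syslog lines carry no year
ASSUMED_DATE = "2008-06-02"  # the mainframe line carries only a time

# Constructed log lines, not taken from any real system.
SAMPLE_LINES = [
    "2008-06-02 08:15:02 host=dc01 EventID=4625 Account Name: jdoe "
    "Source Network Address: 10.1.5.20 Status: 0xC000006D",
    "Jun  2 08:15:40 web01 sshd[2231]: Failed password for jdoe from 10.1.5.20 port 51022 ssh2",
    "08:16:05 MF01 RACF: USER(JDOE) GROUP(OPS) LOGON/JOB INITIATION - INVALID PASSWORD",
    "Jun  2 08:20:11 web01 sshd[2240]: Accepted password for asmith from 10.1.7.3 port 51030 ssh2",
    "Jun  2 08:21:00 web01 cron[410]: (root) CMD (run-parts /etc/cron.hourly)",
]

WIN_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) host=(?P<host>\S+) "
                    r"EventID=(?P<eid>\d+) Account Name: (?P<user>\S+) "
                    r"Source Network Address: (?P<ip>[\d.]+)")
SSH_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
                    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
MF_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) RACF: USER\((?P<user>\w+)\) "
                   r"GROUP\(\w+\) LOGON/JOB INITIATION - (?P<reason>.+)$")


def common_event(ts, source_type, host, outcome, user, src_ip=None):
    """The single schema every parser emits: the 'apple' every source becomes."""
    return {"ts": ts, "source_type": source_type, "host": host,
            "category": "authentication", "outcome": outcome,
            "user": user.lower(), "src_ip": src_ip}


def parse_windows(line):
    m = WIN_RE.match(line)
    if not m:
        return None
    outcome = "failure" if m["eid"] == "4625" else "success"
    return common_event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "windows",
                        m["host"], outcome, m["user"], m["ip"])


def parse_sshd(line):
    m = SSH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    outcome = "failure" if m["outcome"] == "Failed" else "success"
    return common_event(ts, "linux", m["host"], outcome, m["user"], m["ip"])


def parse_mainframe(line):
    m = MF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_DATE} {m['time']}", "%Y-%m-%d %H:%M:%S")
    outcome = "failure" if "INVALID" in m["reason"] else "success"
    return common_event(ts, "mainframe", m["host"], outcome, m["user"])


PARSERS = (parse_windows, parse_sshd, parse_mainframe)


def normalize(line):
    """Try each parser in turn; None means no parser recognises the line."""
    for parser in PARSERS:
        event = parser(line)
        if event:
            return event
    return None


def failed_logins_by_user(lines):
    """Once everything is one schema, a cross-source count is a one-liner."""
    events = [e for e in map(normalize, lines) if e]
    return dict(Counter(e["user"] for e in events if e["outcome"] == "failure"))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize(line))
    print(failed_logins_by_user(SAMPLE_LINES))
```

Two details carry most of the value: the user name is lower-cased so JDOE on the mainframe and jdoe on Windows are the same person, and the schema records where the event came from (source_type, host) without the downstream count having to care. Replacing one source with another product means writing one more parser that emits common_event; failed_logins_by_user does not change.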

Asset and User Model

As Figure 8 illustrates, a key strength related to correlation is the notion of the asset and user model. ArcSight monitors and models the assets on the network. For every asset, server, and firewall device, these monitors and models understand severity, susceptibility to attack, and attack history. This allows you to identify the high-impact assets on the network and enables you to write rules and, when appropriate, raise a warning. In addition to modeling assets, you can also model users, enabling you to relate multiple accounts to understand a user’s true identity and examine his or her activity. You can do profiling to understand historically what this user’s patterns are, and the result is that you can identify who the high-impact users are. You can now write correlation rules that enable you to know when a high-impact user touches a high-impact asset, which may be a risk, and you can take a specific action.

Figure 6

Figure 7

Figure 8

New Applications

New applications can run on top of the ArcSight platform.

IdentityView

As Figure 9 shows, ArcSight IdentityView is a privileged user monitoring application, which does many of the things described above. IdentityView is a specialized SIEM 3.0 application that can auto-synchronize with identity management systems, roll up multiple accounts to a unique ID, do compliance reporting and access violation alerts, and perform activity profiling for automatic machine learning. The result is that you get much more in terms of security and compliance.
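The asset and user model described under ArcSight SIEM Overview and the account roll-up that IdentityView performs come down to two lookup tables and one join: accounts across systems are inverted into an account-to-identity index, assets carry a criticality and exposure rating, and a correlation rule fires when an event's account resolves to a high-impact identity and its target resolves to a high-criticality asset. The following is an added example of that structure, not ArcSight's or IdentityView's implementation; the identities, accounts, assets, the scoring weights, and the threshold for paging the SOC versus merely notifying are all constructed for the example.

```python
# Constructed identity model: each person's accounts across systems, rolled up
# to one identity, plus the role and impact rating an identity system or HR
# extract would supply.
IDENTITIES = {
    "john.doe": {"role": "dba", "impact": "high",
                 "accounts": {("windows", "jdoe"), ("unix", "jdoe"), ("oracle", "JDOE_APP")}},
    "ana.smith": {"role": "helpdesk", "impact": "low",
                  "accounts": {("windows", "asmith"), ("unix", "asmith2")}},
}

# Constructed asset model: criticality, open findings (susceptibility), and
# how many times the asset has been attacked before.
ASSETS = {
    "fin-db01": {"criticality": "high", "open_findings": 2, "attack_history": 3},
    "hr-db": {"criticality": "high", "open_findings": 0, "attack_history": 0},
    "print01": {"criticality": "low", "open_findings": 5, "attack_history": 1},
}

LEVEL = {"low": 1, "medium": 2, "high": 3}

# Constructed normalized events: which account did what to which asset.
SAMPLE_EVENTS = [
    {"system": "oracle", "account": "JDOE_APP", "target": "fin-db01", "action": "export_table"},
    {"system": "unix", "account": "jdoe", "target": "print01", "action": "ssh_login"},
    {"system": "windows", "account": "jdoe", "target": "hr-db", "action": "rdp_login"},
    {"system": "windows", "account": "asmith", "target": "hr-db", "action": "rdp_login"},
    {"system": "windows", "account": "svc_backup", "target": "fin-db01", "action": "file_read"},
]


def build_account_index(identities):
    """Invert the identity model: (system, account) -> identity id."""
    return {acct: ident for ident, info in identities.items() for acct in info["accounts"]}


def resolve_identity(index, system, account):
    """None means the account is not rolled up to anyone, itself worth a report."""
    return index.get((system, account))


def asset_score(asset):
    """Crude asset-risk score: criticality weighted by exposure and history."""
    return (LEVEL[asset["criticality"]] * 3
            + min(asset["open_findings"], 3) + min(asset["attack_history"], 3))


def activity_by_identity(events, identities=IDENTITIES):
    """Roll raw account activity up to people: identity -> accounts used, in order."""
    index = build_account_index(identities)
    used = {}
    for e in events:
        ident = resolve_identity(index, e["system"], e["account"])
        if ident is not None:
            used.setdefault(ident, {})[e["account"]] = None  # dict keeps first-seen order
    return {ident: list(accts) for ident, accts in used.items()}


def evaluate(events, identities=IDENTITIES, assets=ASSETS, page_threshold=30):
    """Fire when a high-impact identity touches a high-criticality asset and
    choose the response from the combined user and asset score."""
    index = build_account_index(identities)
    alerts = []
    for e in events:
        ident = resolve_identity(index, e["system"], e["account"])
        asset = assets.get(e["target"])
        if ident is None or asset is None:
            continue
        person = identities[ident]
        if person["impact"] != "high" or asset["criticality"] != "high":
            continue
        score = LEVEL[person["impact"]] * asset_score(asset)
        alerts.append({"identity": ident, "account": e["account"], "target": e["target"],
                       "action": e["action"], "score": score,
                       "response": "page_soc" if score >= page_threshold else "notify"})
    return alerts


if __name__ == "__main__":
    print(activity_by_identity(SAMPLE_EVENTS))
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Note what the roll-up buys: john.doe's export from the Oracle application account and his RDP login to the HR database are reported as one person's activity, and the unresolved svc_backup account is visible as a gap in the identity model rather than silently ignored.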

Deploying the Platform

As Figure 10 describes, organizations looking at SIEM products have a range of deployment needs. ArcSight can be deployed along a spectrum of these needs. At one end of the spectrum, organizations just want occasional alerting if a problem arises. These organizations want historical compliance reporting to satisfy basic audit compliance. The next level, which can be thought of as the virtual Security Operations Center (SOC), is suitable for organizations that want their SIEM to do some real-time monitoring and correlation. They want to monitor what users are doing, but they don’t have a full-time person watching this, sitting in front of a dashboard. If something goes wrong, they want something like e-mail notification. Organizations at the other extreme have a fully staffed, 24/7 SOC. When something goes wrong, the security staff can take immediate action.

Figure 9


Summary

Figure 11 lists several major points. First, although some organizations look at SIEM just to monitor the perimeter, SIEM has evolved from monitoring the perimeter (the firewall) to monitoring the network for compliance.

Many organizations have moved all the way to monitoring the business, users, data, and applications, because that is where the biggest risk-reward is. A worm coming through a firewall causes problems, but not as significant as the theft of customer data.

No product can monitor the users, data, and apps alone, so the notion of ecosystem becomes important. Ecosystem considers not just the SIEM product but related monitoring products, such as database activity products and identity management or identity audit products. Choose a SIEM platform and monitoring products that are compatible.

Finally, many organizations have spent money on systems that do not work. Over time the network changes, but related technologies need to change with it, so the notion of future-proofing needs to be a key evaluation criterion. Ask whether this product will work in the future. It is difficult to predict what your network will look like in two or three years, but you will certainly want to monitor it, so you want an architecture that allows you to do that.

Figure 10


Figure 11


Common Questions


Question: What else is required to do things that you have described? Can SIEM do it all?

Answer: That’s a good question. I think SIEM is a good platform for analyzing data. We have customers who don’t want to constrain this to the SOC but want to use it for general business analytics. To do those kinds of things you need other technologies. I would be remiss if I said that your SIEM product can do it all. Some vehicles mentioned earlier are the database activity monitoring products and the identity audit products. Also, the data-leakage prevention products can render some interesting verdicts around confidential data. So, if we have learned anything in this market it is that customers have many kinds of moving parts in their networks and the SIEM product needs to be able to work with all of those.

Question: Which identity management systems do you support?

Answer: We have connectors today for Oracle and Microsoft, and we are just finishing up the phone connector. When I say connectors, these basically synchronize with the user and role modeling in the IT management system, so that you manage your users there. We are able to pull the data out and use it to do identity correlation and then use account correlation and relay all the activity for a rolled-up account.

Question: Which is better, SIEM that uses agents for monitoring or agentless monitoring?

Answer: That depends on what you are trying to do. In general most organizations look for something that is agentless. They would like to have less of that. And so the way most of the SIEM products work is to pull data out of the log files for the various systems and then convert it to normalized format. Wherever possible we try to do that without agents. In some cases, such as Windows monitoring, specialized agents give you more data than is normally in the log file. So I think it depends on your needs, but I would say the market trend is to try not to use agents.

Question: A question about acronyms: Sometimes you use SIEMs, sometimes SEMs or SIM. Which is right?

Answer: These acronyms have evolved. Once there was the notion of log management, which involved two separate markets, one called SIM, the other SEM. Then over time, people figured out that these were not really separate. Vendors began combining them and the SIEM acronym came into being. People just pronounce it “sim.”

Question: Do we need an identity manager platform to correlate users or can you do it with Active Directory in Windows alone?

Answer: I would say a large portion of the customers I talk to have not yet installed an identity management application. Instead, they use Active Directory and you can actually do quite a bit with that. In Active Directory you have a user, you have perhaps multiple accounts, if you keep them in AD, you have the groups to which that user belongs. We actually have an Active Directory user model import connector, so we can pull that in and with that you can now produce a kind of authoritative list of users and their groups. We can augment that with data we extract from other systems. It is common to do an extract from products like PeopleSoft or SAP and in ArcSight combine the PeopleSoft HR extract with the information we pull out of Active Directory. Now you have a pretty good view of users that you don’t have in any of the individual apps and you can start to do some pretty interesting correlations. So, you definitely do not need an IEM system. Probably more than half the customers manage with just Active Directory plus ArcSight.

Question: Does ArcSight allow opening Remedy tickets as part of the corrective action?

Answer: Yes, we do have an integration with Remedy. So if you have an alert you can have a built-in action to kick off a Remedy ticket and later a follow-up action.


Question: Does ArcSight have a native mainframe connector?

Answer: Yes, we have a couple of different mainframe connectors and work with other ones. Some customers have their own to pull out log files. Some partner products are focused on that and have more functionality than our connectors, but we do have a basic mainframe connector.

Question: Is your event data stored in a format that can be verified as not having been tampered with, in case you need to use a collection of events in a court case?

Answer: Yes, we have had the product certified as audit-ready or as litigation-quality. I think there is a white paper that addresses that. We also have a variety of different training classes. These are described on our Website.

Question: Do you have a new version coming out that has faster processing?

Answer: Yes, we do have some product changes coming that have some significant improvements in processing. We have not released anything publicly, so stay tuned. You will see some pretty interesting changes coming.

Question: Does ArcSight have an appliance or is it software-based?

Answer: All the products are available as appliances now. Some of them are also available as software. For example, our correlation product ESM was originally available as software and still is. We have recently added it as an appliance version.

Question: What is the best way to collect real-time events and audit data from DBMS systems?

Answer: Great question. I touched on the database activity monitoring products a couple of times. Those are excellent products for pulling data, both audit data and event data, out of DBMS systems. One of the common issues with monitoring databases in particular is the way they are often deployed. An application server may have a Web application running on top of it. The application server multiplexes a lot of requests through a single connection and runs a bunch of database queries so the app server knows who all the users are. But according to the database, there is only one user called App Server, or something like that. So the logs don’t have the user information. Database activity monitoring products are very useful for backing out that information and understanding which users executed which queries. They’re also good at understanding historical paths to the data. So if someone runs a query that’s out of the historical norm, they’re good at understanding this. So, I definitely recommend looking at those products for database monitoring. I know we already have prebuilt integrations with several of the companies. I think Guardian announced a certification at a recent user conference and we have seen that in a lot of our accounts. Great partner.
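The connection-pooling problem in the answer above can be illustrated concretely: the database audit log shows every statement under one pooled account, while only the application server's request log knows which human was active. One way to back the user out is a time-window join, attributing each query to the application requests that were in flight when it ran, and flagging the cases where several users overlap as ambiguous rather than guessing. The same attributed stream can then be checked against each user's historical tables, the "historical paths to the data" the answer mentions. The following is an added example, not code from any database activity monitoring product or from ArcSight; the request log, the audit log, the table history, and the millisecond timestamps are all constructed.

```python
import re
from datetime import datetime, timedelta


def t(h, m, s, ms=0):
    """Constructed timestamps on one day, millisecond precision."""
    return datetime(2008, 6, 2, h, m, s, ms * 1000)


# Constructed application-server request log: the only place the real user is
# known. Tuples are (user, request start, request end, path).
APP_REQUESTS = [
    ("alice", t(10, 0, 0), t(10, 0, 2), "/reports/sales"),
    ("bob", t(10, 0, 5), t(10, 0, 6), "/customers/search"),
    ("alice", t(10, 0, 5), t(10, 0, 7), "/reports/sales"),
    ("carol", t(10, 0, 9), t(10, 0, 10), "/customers/search"),
]

# Constructed database audit log: every statement arrives over the pooled
# connection, so the database sees one user, APP_SERVER. Tuples are
# (ts, database user, statement).
DB_AUDIT = [
    (t(10, 0, 1), "APP_SERVER", "SELECT region, SUM(total) FROM sales GROUP BY region"),
    (t(10, 0, 5, 500), "APP_SERVER", "SELECT id, name FROM customers WHERE name LIKE 'S%'"),
    (t(10, 0, 6, 500), "APP_SERVER", "SELECT ssn, dob FROM customer_pii WHERE id = 17"),
    (t(10, 0, 9, 200), "APP_SERVER", "SELECT id, name FROM customers WHERE name LIKE 'T%'"),
    (t(10, 0, 30), "APP_SERVER", "SELECT COUNT(*) FROM sales"),
]

# Constructed history of which tables each user's requests normally reach.
HISTORICAL_TABLES = {
    "alice": {"sales", "regions"},
    "bob": {"customers"},
    "carol": {"customers"},
}

TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def tables_in(statement):
    """Table names a statement reads or writes (simple keyword scan, not a SQL parser)."""
    return {name.lower() for name in TABLE_RE.findall(statement)}


def attribute_queries(requests, audit, slack=timedelta(0)):
    """Attribute each pooled query to the application users whose requests were
    in flight when it ran. One candidate: attributed; several: ambiguous; none:
    unattributed (a batch job on the same pool, or missing request logs)."""
    results = []
    for ts, db_user, stmt in audit:
        candidates = sorted({user for user, start, end, _ in requests
                             if start - slack <= ts <= end + slack})
        status = {0: "unattributed", 1: "attributed"}.get(len(candidates), "ambiguous")
        results.append({"ts": ts, "db_user": db_user, "statement": stmt,
                        "candidates": candidates, "status": status,
                        "tables": tables_in(stmt)})
    return results


def unusual_access(attributions, history):
    """Attributed queries that reach tables outside the user's historical paths."""
    flagged = []
    for a in attributions:
        if a["status"] != "attributed":
            continue
        user = a["candidates"][0]
        new_tables = a["tables"] - history.get(user, set())
        if new_tables:
            flagged.append({"user": user, "new_tables": sorted(new_tables),
                            "statement": a["statement"]})
    return flagged


if __name__ == "__main__":
    attributed = attribute_queries(APP_REQUESTS, DB_AUDIT)
    for row in attributed:
        print(row["status"], row["candidates"], row["statement"])
    print(unusual_access(attributed, HISTORICAL_TABLES))
```

The ambiguous status is the honest answer whenever two requests overlap on one pooled connection, which is exactly why the dedicated products capture more than timestamps (for example, the application's own session or correlation identifiers) to get to a single user per statement. The slack parameter exists because the application server and the database rarely share a clock exactly.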

Question: With ArcSight, can you use a GUI to build rules and parsers, or does it require professional services or programming? Also, a related question: there’s the perception that ArcSight, while it’s a great product, can be difficult to design. Can you address this?

Answer: Yes, I would be happy to do that. Customers run the gamut in their need for functionality. We have been working hard to tune the product to match different needs. So, for some customers wanting to collect logs, do real-time alerts, and run reports, ArcSight Logger is a very straightforward way to do that. We have other customers, in financial services or the federal government, who do very, very complex analysis and are doing fairly heavy programming on top of the system, and ESM is great for that. One of the things that we want to do is make it easier to access all the functionality in ESM. We are working on some interesting things that you will see in a product coming up fairly soon, such as simplification in the correlation GUI and correlation technology, including specialized wizards, simplification of database management, and so forth. We are evolving the product to match different users’ needs.

Question: To monitor specific files for changes, would you recommend using a product specialized for this purpose and then having this product monitored by the SIEM?

Answer: That is a very interesting question. I would say it depends on what you are trying to do. In some cases we monitor the Windows logs and monitor the file system there, and for some customers that’s good enough. For customers who want to see more detail, other products focus just on file system monitoring. They do some things that we wouldn’t natively do. So it depends on what you are trying to do. I think in either case we either have a connector to do it or we have partnerships with the people who focus on that.

Question: Do you do antifraud today?

Answer: A lot of our customers are in financial services, and we have seen a trend in many of them, which was that they deployed ArcSight to do perimeter monitoring and network monitoring. In many cases they had a breach of some sort, so they tried to apply the correlation technology they are using for the perimeter to some of their fraud. And it was pretty interesting. In most cases they were able to discover the breach, discover the source of the fraud, and so forth pretty quickly. We had one customer say they basically prevented a $900,000 breach. So people are definitely doing it today. We have wrapped up a bunch of the rules and reports that we have built for these banks for antifraud into a package called the Antifraud Accelerator, which is available today.

Question: How does what you talked about compare to an identity management system?

Answer: We don’t see what we are doing as a replacement for identity management at all; instead, it’s an adjunct. Identity management products are great for managing the user life cycle: adding new users, provisioning them to applications, managing their roles, managing user changes—if someone changes departments or titles or buildings—things that change access rights. Those products are well tuned to manage that. What SIEM products in general are good at doing is monitoring real-time user activity. And when you put those two products together, you can understand who the user is from the IdM system and what they do by connection to the SIEM tools.