Enterprise Security Management - Information Security Management
Event Management


Event management takes the step beyond storage and alerting to provide real-time monitoring, historic analysis and automated response necessary to manage the higher level of risk associated with doing business in today’s digital world. ArcSight delivers real-time event management with ArcSight ESM. As a key component of the ArcSight SIEM Platform, ArcSight ESM delivers “forensics on the fly,” the ability to drill down from an alert to the source events that triggered the alert.

The advanced real-time correlation capability of ArcSight ESM identifies the relevance of any given event by placing it within context of who, what, where, when and why that event occurred and its impact on business risk. ArcSight ESM correlates incoming events with asset prioritization and vulnerability, user activity, and threat history to deliver accurate and automated prioritization of security risks and compliance violations. The powerful correlation engine of ArcSight ESM processes many millions of log entries down to the few critical events that matter. These incidents are then presented through real-time dashboards, notifications, or reports to the security administrator.

With built-in concepts of network asset and user models, ArcSight ESM is uniquely able to understand who is on the network, what data they are seeing, and which actions they are taking with that data.
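To make the correlation described above concrete (asset criticality, open vulnerabilities, user privilege and source threat history feeding one priority score, with each alert retaining the event ids behind it for drill-down), here is an added illustration. It is not ArcSight code; the asset model, user model, event records, weights and threshold are all constructed for the example.

```python
from collections import Counter

# Constructed asset model: business criticality (1-10) and vulnerabilities known to be open.
ASSETS = {
    "10.0.0.5": {"name": "db-prod-01", "criticality": 9, "vulns": {"VULN-A"}},
    "10.0.0.77": {"name": "kiosk-03", "criticality": 2, "vulns": set()},
}
# Constructed user model: whether the account is privileged.
USERS = {"svc_backup": {"privileged": True}, "jdoe": {"privileged": False}}

# Constructed normalized events (who, what, where), in arrival order.
EVENTS = [
    {"id": 1, "src": "203.0.113.9", "dst": "10.0.0.5", "user": "svc_backup",
     "sig": "exploit-attempt", "vuln": "VULN-A"},
    {"id": 2, "src": "203.0.113.9", "dst": "10.0.0.77", "user": "jdoe",
     "sig": "port-scan", "vuln": None},
    {"id": 3, "src": "198.51.100.4", "dst": "10.0.0.5", "user": "jdoe",
     "sig": "exploit-attempt", "vuln": "VULN-B"},
]

def score_event(ev, prior_hits_from_src):
    """Priority = asset criticality, doubled when the exploited vulnerability is
    actually open on the target, plus user privilege and source threat history."""
    asset = ASSETS.get(ev["dst"], {"criticality": 1, "vulns": set()})
    score = asset["criticality"]
    if ev["vuln"] and ev["vuln"] in asset["vulns"]:
        score *= 2          # target is exposed: the attempt is relevant, not noise
    if USERS.get(ev["user"], {}).get("privileged"):
        score += 3          # privileged account involved
    if prior_hits_from_src:
        score += 2          # this source has been seen before (threat history)
    return score

def correlate(events, threshold=10):
    """Emit an alert for each event at or above threshold. Every alert keeps the
    ids of all events from the same source so an analyst can drill down to evidence."""
    seen, history, alerts = Counter(), {}, []
    for ev in events:
        s = score_event(ev, seen[ev["src"]])
        if s >= threshold:
            related = history.get(ev["src"], []) + [ev["id"]]
            name = ASSETS.get(ev["dst"], {}).get("name", ev["dst"])
            alerts.append({"score": s, "asset": name, "source_events": related})
        seen[ev["src"]] += 1
        history.setdefault(ev["src"], []).append(ev["id"])
    return alerts
```

Run as written, only event 1 (a matching exploit attempt against a critical host by a privileged account) crosses the threshold; the scan and the non-matching exploit attempt stay below it.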

Once risks are identified, ArcSight ESM provides a built-in workflow engine that guides risk containment activities, including case management and handing the threat information off to ArcSight Threat Response Manager (TRM) for threat isolation and remediation options.

Event-Driven Automatic Response

ArcSight TRM, the optional response engine for ESM, pinpoints the exact location of threats on your network, presents the available response actions, and allows operators to respond immediately with specific, policy-based actions within a self-documenting and auditable framework. Possible response actions include:

  • Disabling the source of the threat, including changing user privileges and turning off access rights for suspicious user accounts
  • Limiting the actions that are possible from a suspicious source
  • Placing systems in separate out-of-band networks/VLANs
  • Taking a complete snapshot of the suspicious system for forensic analysis

Event-Driven Activity Profiling

The ArcSight ESM Pattern Discovery module mines historical trends to baseline and profile expected behavior, allowing automatic detection of aberrant activity in the environment; this can be used to detect policy violations as well as suspicious or fraudulent activity. Pattern Discovery detects repeating patterns across a wide variety of sources, including users, sensitive data, applications, systems and network assets. Administrators can then use the discovered patterns as a basis for policies that govern authorized or restricted activity, improving their overall risk posture.

ArcSight ESM is available either as installable software or as a rack-mountable appliance.

Model E7100
OS: Oracle Linux (RedHat variant)
CPU: 2x Quad-Core Intel Xeon (2.0GHz)
RAM: 16GB
Interfaces: 2 x 10/100/1000 CX
Storage: 6x 400GB Serial Attached SCSI (SAS) disks in RAID-10
Chassis: 2U rack-mountable appliance
Power: 2x 750W redundant
Thermal: 2700 BTU/hr
Weight: 61 lbs (27 kg)
Dimensions (DxWxH): 29.3" x 17.2" x 3.4"

Minimum System Requirements, ArcSight ESM Manager Software
Supported OS: RedHat Linux, MS Windows Server 2003 32- or 64-bit, IBM AIX 5L 5.3 64-bit, Solaris 9/10 32- or 64-bit
Hardware Requirements:
  Linux or Windows: x86 multi-core CPU at least 1.0 GHz, 2-4 GB RAM and 2 GB disk space
  IBM AIX: PPC multi-CPU system with 16 GB RAM and 2 GB disk space
  Sun Solaris: SPARC multi-CPU system with 2-4 GB RAM and 2 GB disk space
