Zeroing in on threats

Before the Internet, CTOs and IT managers could pinpoint the primary threats to their IT infrastructure -- disgruntled employees, unscrupulous suppliers, and the occasional act of God rounded out the list. In the last 15 years, however, the nature of the threat has changed dramatically, and today, enterprises face a situation where attackers -- or mere freeloaders -- can come from almost anywhere on the planet. A network attack doesn't just affect e-mail, it can shut down a business until a threat has passed.

In the good old days, it was enough to write some scripts that would parse a handful of log files and have a human translate those results into an assessment of the situation. But the growing dependency on always-available, interconnected systems; the large number of ways these systems can be compromised; and the shortage of people skilled enough to interpret evidence of these compromises makes it increasingly difficult to get a grip on just what's going on both inside and at the edge of the corporate network.

The bad news is that aggregating log files today remains the only way to get a complete picture of what's taking place on your network. The good news is that ArcSight 2.0 offers a means to do just that. It presents the situation in ways that are equally suited for the troglodytes in the operations center and the managers and specialists dialing in at 3 a.m. to respond to a possible emergency. It's powerful enough to meet most needs for security monitoring and reporting and easily earned our "Deploy" rating.

ArcSight 2.0 uses what is now a familiar, three-tier model for collecting and presenting the data from myriad network devices. The SmartAgent is responsible for data collection. It can run on the device -- an application or file server, for example -- or against consolidated sources such as a dedicated log server, which most large enterprises use to efficiently manage the output of network and security devices.

It's possible to create your own SmartAgents that perform a simple translation to ArcSight's event schema. Although we did not create any custom SmartAgents, it's rather simple to do. As long as the device in question outputs log data in a standard format, all one really needs to create a custom SmartAgent is a basic understanding of Perl scripting and a schema for the logged data. This can be done with delimited files by using regular expressions or by simply evaluating all events logged after a certain time.

The rest of the ArcSight package is conceptually simple. The ArcSight Manager is a server-based package containing a rules engine, a manager for the SmartAgents, an interface to the event database -- which runs on Oracle 8i -- and the notification component that communicates with either the ArcSight Console application or the browser-based myArcSight, which offers a subset of the console's functionality.

Getting ArcSight up and running is not a trivial task. Although the basic OS and memory requirements are fairly straightforward, your Oracle database must meet specific requirements. We'd like to see future versions support IBM's DB2 and/or Microsoft's SQL Server, if only because in our own case, Oracle's canned startup scripts proved defective. If your shop doesn't currently use SSL certificates, you'll want to have them in hand before you begin deployment because ArcSight's SmartAgents and consoles communicate with the ArcSight Manager through an SSL connection.