Powered by machine learning and AI, ArcSight Intelligence makes SOC teams more effective at threat hunting, triage, and investigation.
Employees, contractors, partners, and privileged users can all become insider threats. They’re tough to spot, with devastating fallout if they succeed. The ArcSight Intelligence platform empowers security teams with visibility across endpoints, servers, networks, and even terabytes of log data.
ArcSight Intelligence is the only threat detection platform that offers a complete picture of inside threats from backend to endpoint. Through machine learning, ArcSight Intelligence creates a holistic picture of normal processes. Upon spotting anomalous or high-risk activities, it connects these events to the users involved, increases their risk score (radically minimizing false-positive alerts), and presents the incident’s context in a clear, actionable, interactive interface. ArcSight Intelligence detects and surfaces insider threats while enabling security teams to work more quickly and efficiently to mitigate them.
Today’s cyber attacks regularly penetrate even sophisticated, defense-in-depth perimeters. Companies must monitor these threats inside their networks. But sifting through massive amounts of event data usually yields mostly false positives. Built on a true big-data platform, ArcSight Intelligence ingests and analyzes massive amounts of data to quickly and accurately surface attacks.
ArcSight Intelligence will detect, connect, and visualize an attack path – from compromised accounts to lateral movement, data reconnaissance, data staging, and data movement for exfiltration. With this context, ArcSight Intelligence can surface attacks with speed, as they unfold. An analyst is immediately given incident visualizations and workflows to enable efficient validation, investigation, and response.
Many customers deploy ArcSight Intelligence in a data-centric security program because the analytics provide risk-scoring for digital assets, including projects in repositories, shared drives, servers, etc.
ArcSight Intelligence is also the only security analytics vendor to offer its own endpoint sensor, and to correlate endpoint data with backend repository and directory data. The platform uniquely addresses backend visibility problems by applying behavioral analytics to the application logs of IP repositories such as Source Code Management (SCM). ArcSight Intelligence pinpoints high-risk activities for analysts so they can stop bad behavior before a breach.
Endpoint detection and response (EDR) solutions provide the most detailed and accurate data for threat detection. Combined with ArcSight Intelligence that analyzes billions of endpoint events, security teams can detect the signs of compromised accounts, lateral movement, internal recon, or data exfiltration quickly and effectively. ArcSight Intelligence shines a new light on user information such as abnormal login frequency, date or time of work, or unusual machines, adding valuable context to help detect difficult-to-find threats.
Combine ArcSight Intelligence’s behavioral analytics with CrowdStrike’s rich endpoint data to swiftly uncover difficult-to-find threats, such as those from insiders or targeted attacks. This solution allows security operations centers to respond more seamlessly to threats by distilling billions of endpoint events into a list of prioritized leads, reducing alert fatigue and enabling them to focus on the threats that matter most.
Although cornerstones in today’s security operations centers, SIEM, DLP, IAM, and NAC products have created security gaps – too many false positives and overly complicated policy structures that reduce a security operations center’s ability to accurately detect, validate, and respond to threats. Analysts waste too much time guessing which is the true threat. ArcSight Intelligence’s advanced analytics platform was created to maximize the effectiveness of existing security tools and optimize security operations.
ArcSight Intelligence correlates data collected from existing security tools, such as ArcSight, to provide an enterprise-wide view of user and service accounts, authentication, and access at the system and application levels. The platform also lends insight into the access and movement of high-risk data, automatically feeding contextual data back into your SIEM or incident-response tool. And it can make API calls to activate IT controls in authentication, DLP, or NAC systems.
Compromised accounts can happen as a result of phishing, malware, or a data breach. Attackers steal customer and employee credentials for financial gain, or to access sensitive data in other applications and networks. Driven by advanced machine learning, ArcSight Intelligence’s platform utilizes more than 60 algorithms focused on compromised-account detection among user and service accounts. ArcSight Intelligence is also the only security analytics product that can correlate indicators from endpoints, directories, ACL, and application logs from multiple code collaboration and version control software programs. This covers all types of account-focused attacks.
ArcSight Intelligence’s expansive visibility empowers security teams to detect account compromises, connecting these attacks to related IOCs. In other words, it not only quickly and accurately surfaces threats, but it also goes a step further to provide the contextual information underlying an attack well before it reaches its target.
ArcSight Intelligence will surface an attack before it reaches its target. But that’s just the start. It will then assist security analysts to validate that attack, integrate with the business’s incident-response process, and provide incident information to teams across their organization. The UI delivers a three-dimensional picture of an attack, critical to immediately understanding how to stop it. Entity-risk views provide analysts with visualizations of the attack timeline, risk trend, and new anomalies as an attack unfolds. The timeline view can also include alerts from other security products and threat intelligence information related to an attack. This optimizes the validation and response process.
The ArcSight Intelligence platform includes Kibana/Elasticsearch open integration and has the ability to run historical analytics for any data in the Elasticsearch engine. Investigators and threat hunters have one-click access to deep event-level information for an incident. Additionally, the RESTful API and native integration with multiple downstream systems (e.g. DXL, Phantom, Splunk, etc.) optimize the response and investigation process, giving security teams the tools they need to stop an attack before data is compromised.
High-visibility incidents involving Edward Snowden and others have reminded us how blind we are to the actions of privileged accounts. If the employee is the threat, or their credentials have been compromised, access to this type of account can lead to a significant loss.
For each privileged account, ArcSight Intelligence factors in behaviors such as time, authentication, access, application usage, and data movement to baseline nearly 30 different types of behavior. When an account deviates from its baselines, ArcSight Intelligence’s analytics visualize a privileged user’s activity, factoring out false positives through risk scores, and then alerting security to take action.
What use cases are top of mind for your business? Schedule a demo with one of our security professionals to learn how ArcSight Intelligence can give you the tools to supercharge your SOC.
