Micro Focus ArcSight

Integrating Vectra AI with ArcSight

  • Save time and manpower
  • Reduce attacker dwell time
  • Speed up incident response before data is stolen or destroyed
  • Enable real-time investigations by showing the infected hosts that pose the highest threat risk based on Vectra analysis
  • Automatically correlate those investigations with logs generated by other devices

Why integrate Micro Focus ArcSight with Vectra AI

Together, Vectra AI and Micro Focus ArcSight deliver a practical solution to the most persistent problems facing enterprise security: finding and stopping active cyber attacks while getting the most out of the organization's limited time and manpower.

Modern cyber attackers easily penetrate traditional perimeter defenses that IT security teams have historically relied upon to keep networks safe.

The adoption of BYOD and mobile technologies has weakened these defenses and increased the network attack surface. Many network intrusions have resulted in massive financial losses, front-page news, brand damage, and tenuous job security for CISOs.

Unable to rely entirely on perimeter defenses, security teams are left to investigate threats manually. This gives attackers an advantage: overworked analysts dig through vast amounts of noise in search of a weak signal.

In practice, this means that breaches are first discovered after the fact and are reported by an external third party, turning the investigation into a forensic effort rather than a preventive exercise.

[Figure: A geographical map showing Vectra detection events in ArcSight]

ArcSight and Vectra AI: A new model of threat detection

The Cognito automated threat detection and response platform detects threats in real time by analyzing the underlying behaviors of cyber attackers from the objective viewpoint of the network. This behavioral analysis of the network detects threats without signatures or reputation lists. In addition, Cognito empowers security teams to detect new and unknown threats as well as attacks that do not rely on malware, such as malicious insider threats and compromised user machines. This intelligence is applied to all phases of an active cyber attack, from command-and-control (C&C) traffic to internal reconnaissance behaviors, lateral movement, and data exfiltration.

The Vectra platform and ArcSight integration brings all Vectra detections and host scores directly into the ArcSight dashboard, enabling them to be easily integrated into existing security operations center (SOC) workflows.

The highly flexible Micro Focus ArcSight Resource Package from Vectra ensures that analysts have complete visibility into cybersecurity events and can pivot to any level of detail an investigation requires.

Key integration features include:

  • Automated correlation and integrated workflow – The integration ties Vectra data to more than 240 ArcSight resource elements. This enables security teams to easily correlate Vectra data with any other data housed within ArcSight; for example, a Vectra event can be correlated to user names in Microsoft domain controller events. Security teams can also feed Vectra data into ArcSight dashboards, build custom rules and integrations, and update active lists and filters.
  • Pinpoint hosts with the highest risk to the network – Vectra automatically associates all malicious behaviors with physical network hosts – even if IP addresses or user roles change – and scores hosts in terms of their overall risk. Vectra integrates this information into the ArcSight platform and accelerates incident response by eliminating the need for security analysts to manually investigate events. Pre-correlated threat scores enable security teams to quickly build custom rules within ArcSight.
  • Visibility into threats across the kill chain – The Vectra platform and ArcSight integration provides critical insight into specific threats as well as the progression of attacks across the kill chain. This visibility allows security teams to quickly distinguish opportunistic botnet behavior from more serious targeted threats and take action before data is stolen or damaged.
  • Deep investigation, on demand – In addition to bringing Vectra information into ArcSight, the integration allows security teams to pull additional forensics on demand or pivot into the Vectra user interface for further investigation. While investigating an event, ArcSight users can leverage integration commands to access a packet capture of the event in question in one click. This ensures that security analysts have everything they need to complete fast, conclusive investigations.
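The first two features above (correlating a Vectra event with domain controller user names, and building rules on pre-correlated host threat scores) are easiest to understand as a small correlation routine. The block below is an added example, not code from Vectra or from the ArcSight Resource Package: it parses detection events written in the CEF layout that SIEMs ingest, attaches the most recent domain controller logon user to each source IP, rolls detections up per host, and flags hosts whose threat and certainty both clear a threshold, which is the kind of condition an ArcSight rule would push into an active list. The CEF extension keys (`src`, `shost`, `cs1`/`cs2` for threat and certainty), the product string, the sample events and the logon records are all constructed placeholders, not Vectra's real schema.

```python
import re

# Constructed detection events in CEF layout. The extension keys and the
# product/signature strings are placeholders, not Vectra's actual schema.
VECTRA_EVENTS = [
    "CEF:0|Vectra|Cognito|1.0|cnc|Command & Control|7|src=10.1.5.23 shost=ws-042 cs1=72 cs1Label=threat cs2=55 cs2Label=certainty",
    "CEF:0|Vectra|Cognito|1.0|recon|Internal Reconnaissance|4|src=10.1.7.9 shost=ws-117 cs1=35 cs1Label=threat cs2=40 cs2Label=certainty",
    "CEF:0|Vectra|Cognito|1.0|exfil|Data Exfiltration|9|src=10.1.5.23 shost=ws-042 cs1=90 cs1Label=threat cs2=80 cs2Label=certainty",
]

# Constructed domain controller logon records, standing in for the Windows
# logon events the SIEM already holds (timestamp, source IP, account name).
DC_LOGONS = [
    {"ts": "2024-05-01T08:00:00", "ip": "10.1.5.23", "user": "jsmith"},
    {"ts": "2024-05-01T09:30:00", "ip": "10.1.5.23", "user": "svc-backup"},
    {"ts": "2024-05-01T08:10:00", "ip": "10.1.7.9", "user": "amalik"},
]

# key=value pairs in the CEF extension; values run until the next " key=" or end of line
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_cef(line):
    """Split one CEF line into its seven header fields plus the extension key/values."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event: %r" % line)
    ext = dict(_EXT_RE.findall(parts[7]))
    return {
        "vendor": parts[1],
        "product": parts[2],
        "signature": parts[4],
        "name": parts[5],
        "severity": int(parts[6]),
        "src": ext.get("src"),
        "host": ext.get("shost"),
        # cs1/cs2 carry threat and certainty in this constructed layout
        "threat": int(ext.get("cs1", 0)),
        "certainty": int(ext.get("cs2", 0)),
    }


def latest_user_by_ip(logons):
    """Map each source IP to the account seen in its most recent logon record."""
    latest = {}
    for rec in logons:
        if rec["ip"] not in latest or rec["ts"] > latest[rec["ip"]]["ts"]:
            latest[rec["ip"]] = rec
    return {ip: rec["user"] for ip, rec in latest.items()}


def correlate(vectra_lines, logons, threat_min=50, certainty_min=50):
    """Roll detections up per host, attach the logged-on user, and flag high-risk hosts.

    Returns (hosts, high_risk): a per-host summary keyed by hostname and the set
    of hostnames whose max threat and max certainty both reach the thresholds.
    """
    ip_user = latest_user_by_ip(logons)
    hosts = {}
    for line in vectra_lines:
        ev = parse_cef(line)
        summary = hosts.setdefault(ev["host"], {
            "src": ev["src"],
            "user": ip_user.get(ev["src"], "unknown"),
            "threat": 0,
            "certainty": 0,
            "detections": [],  # ordered list shows progression across the kill chain
        })
        summary["threat"] = max(summary["threat"], ev["threat"])
        summary["certainty"] = max(summary["certainty"], ev["certainty"])
        summary["detections"].append(ev["name"])
    high_risk = {
        name for name, s in hosts.items()
        if s["threat"] >= threat_min and s["certainty"] >= certainty_min
    }
    return hosts, high_risk


if __name__ == "__main__":
    hosts, high_risk = correlate(VECTRA_EVENTS, DC_LOGONS)
    for name, s in sorted(hosts.items(), key=lambda kv: -kv[1]["threat"]):
        print(name, s["src"], s["user"], s["threat"], s["certainty"], s["detections"])
    print("high-risk hosts:", sorted(high_risk))
```

Two choices are worth noting. The user lookup takes the latest logon rather than the first, because the page's point is that scores follow the host even when the account in use changes; and the rule requires both threat and certainty to clear a threshold, so that a single loud but low-confidence detection does not by itself promote a host into the high-risk list.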

The integration of the Vectra platform with the Micro Focus ArcSight SIEM empowers fast, context-driven investigations into active cyber attacks.

Additional resources

Moving from Prevention to Detection with the SOC Visibility Triad

Modern SOCs today are looking for tools that can give them complete visibility into user endpoints, multi-cloud, hybrid, and on-prem networks, as well as correlation and forensic capabilities. In this search, the SOC visibility triad has emerged as the de-facto standard.