ArcSight ESM Architecture
Presentation by Akilesh
Introduction
• ArcSight ESM (Enterprise Security Management) analyzes and correlates every event that occurs across the organization (every logon, logoff, file access and database query) to deliver accurate prioritization of security risk and compliance.
• Correlates data from any source in real time to detect incidents before they become breaches.
Fig 1: ArcSight ESM Architecture Overview
ESM Manager
• It is the heart of the solution.
• It is the Java-based server that drives the analysis.
• Links the user interface, ArcSight connectors and the ESM database.
• Services requests from the user interface and receives events from ArcSight SmartConnectors.
• Completes normalization of events and writes them into the ESM database.
• It is the only component that communicates directly with the database.
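The analysis the Manager drives is correlation over the normalized event stream. As an added illustration (not ArcSight code; the event fields, rule name and priority value are assumptions), the block below implements one typical rule of that kind: several logon failures from one source inside a sliding time window, followed by a success from the same source, raise a single prioritized alert. The sample events are constructed.

```python
"""Added example: a minimal correlation rule of the kind an ESM Manager
evaluates over normalized events. Not ArcSight code; the event fields and
rule parameters are assumptions for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int            # epoch seconds (assumed normalized timestamp)
    source: str        # source address
    user: str
    name: str          # normalized event name, e.g. "logon_failure"


# Constructed sample stream: three failures then a success from 10.0.0.5,
# and isolated failures from 10.0.0.9 that must not fire the rule.
SAMPLE_EVENTS = [
    Event(100, "10.0.0.5", "alice", "logon_failure"),
    Event(110, "10.0.0.9", "bob", "logon_failure"),
    Event(120, "10.0.0.5", "alice", "logon_failure"),
    Event(135, "10.0.0.5", "alice", "logon_failure"),
    Event(150, "10.0.0.5", "alice", "logon_success"),
    Event(400, "10.0.0.9", "bob", "logon_failure"),
    Event(900, "10.0.0.9", "bob", "logon_success"),
]


def correlate_brute_force(events, threshold=3, window=60):
    """Emit one alert when at least `threshold` logon failures from one source
    fall within `window` seconds and are followed by a logon success from that
    same source. Events are processed in timestamp order."""
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = failures[ev.source]
        # Drop failures that have aged out of the sliding window.
        while q and ev.ts - q[0] > window:
            q.popleft()
        if ev.name == "logon_failure":
            q.append(ev.ts)
        elif ev.name == "logon_success" and len(q) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",   # assumed rule name
                "source": ev.source,
                "user": ev.user,
                "failures": len(q),
                "first_failure": q[0],
                "success_at": ev.ts,
                "priority": 9,   # assumed 0-10 priority scale
            })
            q.clear()          # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    for alert in correlate_brute_force(SAMPLE_EVENTS):
        print(alert)
```

Keeping per-source state in a bounded sliding window is what lets a rule like this run in real time without a database lookup per event; the window and threshold are the tuning knobs an analyst adjusts to trade false positives against missed bursts.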
ESM Database
• It is the central repository used to store the normalized events received from the ESM Manager.
• The event data received from the ESM Manager is used for investigation and analysis.
• The ESM database is partitioned every 24 hours into chronological slices that can be compressed and archived.
User Interface:
1) ESM Console:
• It is a GUI-based application.
• Allows analysts to perform real-time monitoring and in-depth investigation, as well as scheduled automated reports.
2) ArcSight Web:
• Used by analysts who need to access the system through a remote login.
• Performs the basic functions needed to monitor enterprise security.
ArcSight Connectors
• It connects over standard protocols and proprietary APIs (Application Programming Interfaces).
• It collects event data from email systems, routers, applications, firewalls, operating systems, intrusion detection systems, etc.
• It filters the normalized data before sending it to the ESM Manager.
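To make the connector's normalize-and-filter step concrete, here is an added example (illustration code, not ArcSight's SmartConnector). It parses two constructed raw formats, an sshd syslog line and a key=value firewall line, into one common schema, drops unrecognized and low-severity events, and serializes the survivors in ArcSight's Common Event Format (CEF) header layout, which the slides do not mention but which is the format ArcSight connectors exchange. The regexes, schema field names, severity values and the signature ID are assumptions.

```python
"""Added example: the work a connector does between the raw log and the ESM
Manager: parse source-specific formats into one normalized schema, filter out
noise, and serialize. Not ArcSight code; field names, regexes and severities
are assumptions. Output uses the CEF header layout
CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
import re

# Constructed raw lines from two different sources.
RAW_LINES = [
    "Mar  3 10:15:02 host1 sshd[2201]: Failed password for alice from 10.0.0.5 port 5123 ssh2",
    "Mar  3 10:15:09 host1 sshd[2201]: Accepted password for alice from 10.0.0.5 port 5130 ssh2",
    "Mar  3 10:15:10 host1 sshd[2201]: Connection closed by 10.0.0.5 port 5130",
    "2024-03-03T10:16:00Z action=DROP src=192.0.2.7 dst=10.0.0.20 dport=445 proto=tcp",
    "2024-03-03T10:16:01Z action=ALLOW src=10.0.0.8 dst=10.0.0.20 dport=443 proto=tcp",
]

SSHD_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) "
                     r"from (?P<src>\S+) port \d+")
FW_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def normalize(line):
    """Map a raw line to the common schema, or None if it is not recognized."""
    m = SSHD_RE.match(line)
    if m:
        failed = m["outcome"] == "Failed"
        return {"vendor": "OpenSSH", "product": "sshd",
                "name": "logon_failure" if failed else "logon_success",
                "severity": 5 if failed else 3,      # assumed 0-10 scale
                "src": m["src"], "dst": m["host"], "user": m["user"]}
    m = FW_RE.match(line)
    if m:
        dropped = m["action"] == "DROP"
        return {"vendor": "ExampleFW", "product": "fw",   # constructed vendor
                "name": "connection_dropped" if dropped else "connection_allowed",
                "severity": 4 if dropped else 1,
                "src": m["src"], "dst": m["dst"], "dport": m["dport"]}
    return None


def connector_pipeline(lines, min_severity=3):
    """Normalize every line; drop lines that do not parse and events below
    the severity threshold, so only relevant events reach the Manager."""
    out = []
    for line in lines:
        ev = normalize(line)
        if ev and ev["severity"] >= min_severity:
            out.append(ev)
    return out


def _esc_header(s):
    # CEF header fields escape backslash and the pipe delimiter.
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s):
    # CEF extension values escape backslash and the equals sign.
    return s.replace("\\", "\\\\").replace("=", "\\=")


def to_cef(ev, sig_id="100"):
    """Serialize a normalized event as a CEF line (sig_id is a placeholder)."""
    pairs = (("src", ev["src"]), ("dst", ev["dst"]),
             ("suser", ev.get("user", "")), ("dpt", ev.get("dport", "")))
    ext = " ".join(f"{k}={_esc_ext(str(v))}" for k, v in pairs if v)
    header = "|".join(_esc_header(x) for x in
                      ("CEF:0", ev["vendor"], ev["product"], "1.0",
                       sig_id, ev["name"], str(ev["severity"])))
    return f"{header}|{ext}"


if __name__ == "__main__":
    for ev in connector_pipeline(RAW_LINES):
        print(to_cef(ev))
```

The filter runs after normalization on purpose: a severity threshold or an event-name allow-list is only meaningful once every source has been mapped onto the same fields, which is also what lets the Manager correlate sshd and firewall events against each other.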
Connector Appliance:
• It is a hardware solution that hosts ArcSight SmartConnectors in a single device.
• It provides a web-based user interface for centralized management of multiple ArcSight SmartConnectors.
CORR-Engine:
The Correlation Optimized Retention and Relevance Engine is a proprietary data storage and retrieval framework that receives and processes events at high rates and performs high-speed searches.
Logger:
Logger is an event data storage appliance optimized for extremely high event throughput. It stores security events in compressed form but always retrieves unmodified events on demand.
NCM/ TRM:
The Network Configuration Manager and Threat Response Manager (NCM/TRM) is an appliance that builds and maintains a detailed understanding of our network topology, centrally manages our network infrastructure and responds instantly.
Discovery Suite
• It consists of two software add-ons: Pattern Discovery and Interactive Discovery.
• They enhance correlation capabilities, such as finding relationships between events.
Thank you