ArcSight NSP (Network Synergy Platform) NCM & TRM

Network Threat Response Management

ArcSight TRM - Respond to Network Incidents in Seconds, Not Days

ArcSight Threat Response Management (TRM) allows you to pinpoint the exact location of any compromise on your network and respond immediately with specific, policy-based actions.

Main Features

An Automated Approach to Incident Response
There is no shortage of prevention and detection technology in the marketplace. What is missing is technology that supports your incident response plan. Incident response requires a multi-dimensional approach that addresses a variety of challenges, including:
  • Corporate process
  • Company communication
  • Technology
  • Compliance
  • Audit

Organizations could address these challenges with manual processes, but that is not a practical approach. Why? Because if your network is ever compromised, you need to respond fast. With the ArcSight Threat Response Management (TRM) solution, relief is only seconds away.

Instantly Locate Any Incident on Your Network
ArcSight TRM builds and maintains a detailed understanding of your network's topology by communicating directly with your network infrastructure devices including routers, switches, firewalls, wireless access points and VPNs.

Because ArcSight TRM communicates natively using Telnet, SSH and HTTP(S), it does not require clients or agents to be deployed on your network. As a result, you can easily operate the solution without making any changes to your existing network infrastructure and desktop environment.

The system's advanced patent-pending algorithms can instantly identify the exact location of any node (wireless, wired or VPN) across your network, and implement specific, policy-based actions. These actions include disabling the node's switch port, implementing a filter on the node's traffic and moving the node to a virtual quarantine network.

Manage and Control User Rights
Organizations commonly have multiple support teams, each with its own location-dependent rights. The user account control feature in ArcSight TRM defines task groups within each module, allowing you to easily control and restrict access rights in accordance with individual job tasks and descriptions.

By better managing user rights, you can maintain control and be more effective. For example, a user with Level 1 support might only be allowed to suggest response actions and policy changes, but may not be allowed to execute them. In this case, the user would have account settings that require authorization from higher levels of the support team. Some users might only be entitled to work in certain parts of the network, while others have total network control.

Support for Disaster Recovery
The powerful disaster and threat level support in ArcSight TRM allows you to store alternative network configurations and policies under an unlimited number of user-definable labels. Alternative scenarios are only a mouse click away, and disaster recovery exercises can be conducted in a few seconds, rather than a few days. Moreover, adapting to new threats is instantaneous.

Initiate Policy-Based Quarantine Options
ArcSight TRM provides several policy-driven quarantine options. All can be initiated by simply providing the system with an IP address, MAC address or host name. ArcSight TRM uses its advanced topology logic to identify the node's exact location, then based on your policy, it will implement one of the following quarantine functions:

  • Instantly identify the exact switch port the node is plugged into and disable the switch port.
  • Perform MAC filters on switch ports, causing the switch to stop forwarding traffic from a specific node.
  • Enable remote remediation by moving the node to a Quarantine VLAN.
  • Work with VPNs and authentication systems to quickly quarantine remote users.
  • Quickly dictate how IP ports and protocols are routed across your network.
  • Disable individual user accounts via the Quarantine Enterprise function.

Leverage Existing Investment
ArcSight TRM builds a bridge between network security and network operations. The system allows you to easily integrate with existing and upcoming security technologies. It also supports quick and simple integration with trouble ticket systems as well as network management systems. ArcSight TRM provides complete multi-vendor support, enabling you to respond across your entire network regardless of which security devices, and non-security devices, you have deployed.

Address Compliance Requirements
The system's intelligent actions are completely self-documenting, eliminating the pain of manually capturing and consolidating incident response information. ArcSight's robust web-based reporting system makes all relevant details transparent. The system produces easy-to-understand, customizable reports that are convenient for security managers and provide detailed audit trails to address key compliance requirements.

Perform Manually or Automatically
Quarantines can be performed manually through a web interface, or automatically through integration with various security devices and network management systems. A balance of automated and manual quarantines can easily be achieved by identifying trusted vs. un-trusted alarms from your detection systems. Trusted alarms can be automatically quarantined with a detailed notification sent to you, while un-trusted alarms can generate an authorization request asking for permission to quarantine.
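
The trusted/un-trusted split described above, combined with the Level 1 "suggest but not execute" rule from the user rights section and the self-documenting audit trail, can be modelled as a small decision queue. This is an added Python example, not ArcSight code; the class, method, role and source names are hypothetical, and the sample policy values are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy values for illustration; not product configuration.
TRUSTED_SOURCES = {"ips-core"}       # detection systems whose alarms may auto-quarantine
CAN_EXECUTE = {"level2", "admin"}    # roles allowed to execute or authorize actions

@dataclass
class ResponseQueue:
    audit: list = field(default_factory=list)    # append-only record of every decision
    pending: dict = field(default_factory=dict)  # request id -> (target, action)
    next_id: int = 1

    def _log(self, actor, event, target, action):
        # An "executed" entry marks where a real system would change a device;
        # this example touches no device and only records the decision.
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "event": event,
                           "target": target, "action": action})

    def _request(self, actor, target, action):
        req_id, self.next_id = self.next_id, self.next_id + 1
        self.pending[req_id] = (target, action)
        self._log(actor, "authorization_requested", target, action)
        return ("pending", req_id)

    def handle_alarm(self, source, target, action="quarantine_vlan"):
        """Trusted alarm: quarantine and notify. Un-trusted alarm: ask permission."""
        if source not in TRUSTED_SOURCES:
            return self._request(source, target, action)
        self._log(source, "executed", target, action)
        self._log(source, "notification_sent", target, action)
        return ("executed", None)

    def operator_action(self, user, role, target, action):
        """Roles without execute rights can only suggest; the suggestion is queued."""
        if role not in CAN_EXECUTE:
            return self._request(user, target, action)
        self._log(user, "executed", target, action)
        return ("executed", None)

    def authorize(self, req_id, user, role):
        """A higher support level approves a pending request, which then executes."""
        target, action = self.pending[req_id]
        if role not in CAN_EXECUTE:
            self._log(user, "authorization_refused", target, action)
            raise PermissionError(f"{role} may not authorize {action}")
        del self.pending[req_id]
        self._log(user, "authorized", target, action)
        self._log(user, "executed", target, action)
        return ("executed", None)
```

Refused authorizations are logged before the exception is raised, so the audit list also records attempts that were blocked.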

ArcSight TRM Benefits:

  • Instantly quarantine any node, anywhere
  • Experience quick and easy deployment
  • Leverage your existing network and management technologies

We! Secure - Siem/Soc | Forensics | DLP Solutions - Copyright 2009