
CSN52: Realizing the Value-Add:


1 CSN52: Realizing the Value-Add:
Operationalize Your ArcSight ESM Deployment September 2011 Fernando Patzan | Tel: x1603

2 Agenda
- Challenges for Watch Operations
- Let’s Correlate & Analyze
- Where’s All My Actionable Events?
- Team Training
- Defined Roles & Responsibilities
- Content Development Tips
- Streamlined Processes & Workflow
- Information Sharing - I&W’s
- Computer Network Operations (CNO) Case Study
- Actionable Results Scenario

3 Challenges for Watch Operations
- Burdened with multiple consoles / screens & credentials
  - IDS/IPS, Firewalls, Web Proxy, A/V, etc. (varying by level of separation of duties)
- Lack of cross-correlation across disparate data sources
  - Analysis of usernames / IPs across multiple devices is a tedious process
- Inefficiencies from analysis of large volume of logs
  - Need for aggregation and centralized reporting
- Inability to apply context to event data in real-time
  - Network modeling in one tool does not benefit events in another
- Attacks and malware getting more sophisticated
  - Information sharing initiatives need centralized management to effectively apply threat intelligence

4 Let’s Correlate & Analyze
Scope of Disparate Data Sources: Firewalls / VPN, IDS / IPS, Web Proxy, Apps / Database, OS Platforms
- Collect events from across the enterprise
- Log Aggregation and use of a single console
- Continuous analysis as network evolves
- Multi-Vendor support for future integrations
- Powerful analysis & correlation capabilities
- Enhanced Situational Awareness

5 Where’s All My Actionable Events?
Symptoms:
- Analyst Console Flooded w/ Logs
- Countless rule triggers from default ArcSight ESM content
- Events lacking context within target infrastructure
- Integrations requiring tailored field sets for informative views
- ArcSight ESM workflow doesn’t complement existing operations
- Human capital management around skills, responsibilities, SOPs
- Order of Magnitude False Positives
Addressed through:
- Analyst Training for Effective Use
- Defined Roles & Responsibilities
- Content Development
- Streamlined Processes
- Complementary Workflow
- Ongoing Documentation

6 Team Training
Know Your Network
- What’s valuable? What technical controls are in place? What’s broken?
- What keeps the decision-makers up at night?
Enterprise Data Sources vs. ArcSight ESM Event lifecycle
- Auditability at the data source
- Integration type and event lifecycle
ArcSight ESM System Administration Dependencies
- Modeling the network for enhanced correlation
- Software upgrades / new modules for integrations
Ongoing tuning of data sources
- Datasets available for content development (rules, reports, etc.)
- Extend tuning to default content / custom content
- Reduces noise at the aggregation level, while having a positive impact on bandwidth usage / storage needs
Use Case Methodology, Processes, Guidelines
- Engage the organization on mitigating risk; bridge security with business needs
- Define stakeholders: Users, Service Desk, IT Engineers, NOC
- Collaboration drives new use cases & enterprise knowledge
Developing Content Tailored to Environment
- Supporting SOPs, skillset, workflow, best practices to deliver actionable results

7 Defined Roles & Responsibilities
Sample SIEM User Community
Business Stakeholders (ArcSight ESM Role Type: Operator / Custom Group)
- Oversight
- Budget
- Policy, Guidance
- Interagency Coordination
- Personalized Dashboards Needs
- Custom Reporting Needs
Content Author (ArcSight ESM Role Type: Analyzer Administrator)
- Adapt Standard Content to Enterprise
- SOC Workflow Integration
- Threat Management
- Continually Capture Enterprise Needs
- Develop, Implement “Use Cases”
- Incorporate Knowledge Base Articles
- Train Analysts
ArcSight ESM System Admin (ArcSight ESM Role Type: Administrator)
- Overall System Health
- Integrate ArcSight ESM with Devices
- Verify Installations / Configurations
- User Roles, Permissions
- Feed Quality, Tuning
- Content Quality, Performance
SOC Analyst (ArcSight ESM Role Type: Analyst)
- Monitor / Review Events
- Monitor / Review Alerts
- Investigate High Priority Events
- Support Remediation
- Content Feedback
- Quality, Tuning Feedback
- Submit Use Cases

8 Content Development Tips
Keep in mind the Big Picture… security operations’ functions: Monitor, Detect, Analyze, Forensics, Report
- Shared Active Channels Tailored to Tiers
- Actionable Event Data
  - Real-time Events: Focused Filters / Rule Fires
  - Report Output / Data Entries from Lists
1. Need: Scenario Description
2. High-level Requirements
  - Real-time Notification with Custom Event Names
  - Dynamic Lists for Data of Interest Over Time
3. Map Reqs to Existing Datasets
  - Variables in Rules to Infuse Alert Data
  - Asset Information Derived from Network Modeling
  - Correlations mapped to Knowledge Base Article
4. Develop / Test Components
  - Artifacts ingested as internal threat intelligence
  - Filter events from custom signatures
  - Populate known bad guys list (IP / domain)
  - Trends for patterns of related activity
5. Verify Actionable Results (R / E)
  - Trends to efficiently capture data over long periods
  - Trends to supply metrics, executive reporting
6. Document, Train, Implement

9 Streamlined Processes & Workflow
Millions of Events -> SIEM Content Development -> Events of Interest
Initiation
- Use Case Scenario Description
- Operational Guidelines
- Annotation Sequence for Analysis
Content Development
- Dataset CR Needs to Administrator
- Testing
- New Datasets Broadcast to Users
- Train Analysts / Implement Use Case
- Documentation Throughout Lifecycle
Operations
- Content Generates Correlated Events
- Analysts Annotate Through “Stages”
- Incidents are Investigated (Existing IR Procedures)
- Incidents Submitted for Content Review
Tuning
- False Positives Feedback to Author
- False Positive Content Tuned / Retired
- Use Case Change Request
Roles vary by organization based on existing skillset; level of separation of duties; and whether functions exist as separate units (i.e., operations, engineering, and incident response) or are tightly coupled within a single team.

10 Information Sharing - I&W’s
Dynamic Lists to Manage Threat Intelligence: Correlate and Build Context in Real-Time
- A list can be used by multiple rules, dynamically written to / read from
- Supports importing Indicators & Warnings in addition to manual entry for one-offs
- Easily manage supporting I&W data (i.e., source report name/category, website, organization, etc.)
- Supports assessing quality of intelligence source over time
- Time To Live can be set to age out the indicators automatically; or set to 0 for manual deletion
- Entry for existing indicator will reset the time of import when “key field” is in use
- Rules that read from lists can extract data entries for use in custom alerts/notification
- Removes the burden of manual, ad hoc I&W searches
- Timeliness and accuracy of Closed Source & Open Source I&Ws forces adversaries to work more
Actionable Results to Focus on Real Threats to Operations

11 CNO Case Study: Advanced Persistent Threat
- Disciplined Operations
- Sophisticated Techniques
- Custom Software
- Spear-phishing Campaigns
- Zero Day Exploit for Evasion
- Targeted computer network exploitation campaign
  - Limited scope with extreme focus on targeted information
  - Intelligence gathering during peacetime
- Deep knowledge of the target networks
  - Detailed reconnaissance prior to operation
  - Utilizes social and professional network analysis
- Able to sustain presence within target networks
  - Data staged on internal intermediate hosts for exfiltration
  - Servers with highest performance and network throughput
  - Leverage employee accounts
  - Abuse privileged administrative accounts
- Exfiltration preparation by establishing C2 channel; testing external connections; and verifying available bandwidth
  - Egress Beaconing
  - Compression of Stolen Data
  - Networked C2 Infrastructure
  - Encrypted Data Exfiltration
  - External Drop Points
Source: US-China Economic and Security Review Commission, Report on the Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation

12 Actionable Results Scenario
- Information Sharing Source: Stage 2 IP is on Watchlist
- SIEM Asset Classification: Target Configured as Mission Critical Asset
- SIEM Threat Intelligence: Integrated Site Feed
- NIDS Tuned & Updated: Attack Detected by Signature
- Firewall Logs: Communication Outbound to Watchlist IP
Actionable Results from Correlation & Analysis Infrastructure
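The following is an added example, not code from the deck or from ArcSight ESM, that models the dynamic-list behaviour described on the Information Sharing slide (a Time-To-Live that ages indicators out, a TTL of 0 for manual deletion, a key field whose re-import resets the import time, and list entries extracted into a custom event name) and then runs the Actionable Results scenario over it: a NIDS signature against a mission-critical asset followed by an outbound firewall connection to a watchlisted stage-2 IP raises a high-priority correlated event, while the same connection from a standard workstation, or after the indicator has aged out, does not. All IPs, asset names, event records and priority weights are constructed for illustration.

```python
"""Toy threat-intel watchlist (dynamic list with TTL and key field) plus one
correlation rule that reads from it. Illustrative code only; not ArcSight
ESM's active-list or rule engine. All data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Indicator:
    value: str        # key field: the indicator itself (IP or domain)
    source: str       # supporting I&W data, e.g. report name / organisation
    imported_at: int  # epoch seconds of the most recent import
    ttl: int          # seconds until the entry ages out; 0 = manual deletion only


class Watchlist:
    """Dynamic list: several rules may read it; imports and rules may write it."""

    def __init__(self, default_ttl: int = 7 * 86400):
        self.default_ttl = default_ttl
        self.entries: Dict[str, Indicator] = {}

    def add(self, value: str, source: str, now: int, ttl: Optional[int] = None) -> Indicator:
        # Key field in use: re-importing an existing indicator resets its import time.
        ind = Indicator(value, source, now, self.default_ttl if ttl is None else ttl)
        self.entries[value] = ind
        return ind

    def expire(self, now: int) -> List[str]:
        """Age out entries whose TTL has elapsed; TTL 0 entries are never expired."""
        gone = [v for v, e in self.entries.items() if e.ttl and now - e.imported_at >= e.ttl]
        for v in gone:
            del self.entries[v]
        return gone

    def lookup(self, value: str, now: int) -> Optional[Indicator]:
        self.expire(now)
        return self.entries.get(value)


# Network model: asset classification that adds context to raw events (constructed).
ASSETS = {
    "10.1.1.10": {"name": "fileserver01", "criticality": "mission_critical"},
    "10.1.2.20": {"name": "ws-0042", "criticality": "standard"},
}


def correlate(events, watchlist, assets, window=300):
    """Rule: outbound firewall connection to a watchlisted IP. Priority rises when
    the internal host is mission critical and when a NIDS signature fired against
    it within `window` seconds beforehand (the stage-2 scenario on the slide)."""
    recent_nids = {}   # internal target IP -> most recent NIDS event
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["device"] == "nids":
            recent_nids[ev["dst"]] = ev
            continue
        if ev["device"] != "firewall" or ev["direction"] != "outbound":
            continue
        ind = watchlist.lookup(ev["dst"], ev["ts"])
        if ind is None:
            continue   # not on the list (or aged out): stays a plain log line
        asset = assets.get(ev["src"], {"name": ev["src"], "criticality": "unknown"})
        prior = recent_nids.get(ev["src"])
        nids_first = prior is not None and 0 <= ev["ts"] - prior["ts"] <= window
        priority = 5 + (3 if asset["criticality"] == "mission_critical" else 0) + (2 if nids_first else 0)
        alerts.append({
            # Custom event name carries data extracted from the list entry.
            "name": f"Outbound to watchlist IP {ind.value} (source: {ind.source})",
            "host": asset["name"],
            "criticality": asset["criticality"],
            "stage": "nids_then_outbound" if nids_first else "outbound_only",
            "signature": prior["signature"] if nids_first else None,
            "priority": priority,
            "ts": ev["ts"],
        })
    return alerts


def run_demo():
    """Run the constructed scenario and return the correlated alerts."""
    wl = Watchlist()
    wl.add("198.51.100.7", "partner report (constructed)", now=500)   # stage-2 IP, 7-day TTL
    wl.add("192.0.2.9", "manual one-off entry", now=500, ttl=0)      # never ages out
    events = [  # constructed sample events, ts in epoch seconds
        {"ts": 1000, "device": "nids", "src": "203.0.113.50", "dst": "10.1.1.10",
         "signature": "EXPLOIT attempt against file service (constructed)"},
        {"ts": 1100, "device": "firewall", "direction": "outbound", "src": "10.1.1.10", "dst": "198.51.100.7"},
        {"ts": 1200, "device": "firewall", "direction": "outbound", "src": "10.1.2.20", "dst": "198.51.100.7"},
        {"ts": 1300, "device": "firewall", "direction": "outbound", "src": "10.1.2.20", "dst": "192.0.2.100"},
        # Same host, same listed IP, but after the 7-day TTL has elapsed: no alert.
        {"ts": 900000, "device": "firewall", "direction": "outbound", "src": "10.1.1.10", "dst": "198.51.100.7"},
    ]
    return correlate(events, wl, ASSETS)


if __name__ == "__main__":
    for a in run_demo():
        print(a["priority"], a["stage"], a["host"], a["name"])
```

The design point is that the list, not the rule, carries the intelligence: analysts import or retire indicators with their source metadata, and every rule reading the list picks the change up immediately, which is what removes the ad hoc I&W searching the slide describes.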

13 In Summary…
- Focus on building a correlation and analysis infrastructure producing actionable results
- Adapt an ArcSight ESM workflow tailored to watch operations needs
- Implement role-based responsibilities
- Tailor existing content to the target infrastructure
- Foster a collaborative environment for use cases
- Prioritize content development around actionable events
- Execute streamlined processes to manage content
- Document!

14 Thank You! Fernando Patzan
Let’s Chat Anytime: Sharing Lessons Learned, Networking, etc.
September 2011 Fernando Patzan | Tel: x1603

