Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM
DESCRIPTION
We leveraged the power of HP ArcSight ESM to build advanced content which enables custom, risk-based, automated incident workflow.
- 1. Improving IR Workflow Using Risk-Based Escalation in HP ArcSight ESM. MetaNet IVS, @meta_net, http://MetaNetIVS.com
- 2. What This Talk Is About: We leveraged the power of ArcSight ESM to build advanced content which enables custom, risk-based, automated incident workflow.
- 3. Why Should You Care. Objectives: show the capability of ArcSight ESM as a platform; teach the audience to create uncommon use cases based on novel ideas; share our stories and practical experience.
- 4. Larry Wichman, Security Engineer, Kemper; Anton Goncharov, Principal, MetaNet IVS
- 5. The Customer: Diversified insurance holding company; individual and small business market
- 6. Customer Environment
  Feeds: MS Windows Server, McAfee AntiVirus, CheckPoint Firewall, Cisco ASA, Snort IDS, McAfee Web Gateway, Foundstone, Nessus Vulnerability Scanner
  EPS: 600; Cases per Day: 1-2; Enterprise Systems: 9000; Enterprise Users: 3000
  Things We Like: Dashboards and drill downs
  Things We Dislike: ESM client is not appropriate for our management; querying multiple Active Lists at once
- 7. The Problem: Triggered Rules don't translate well into actionable events or Cases
- 8. The Idea: assign each indicator a severity score and accumulate the score per system
  Low Risk (Severity Score 1), indicator examples: AV: Malware Found and Cleaned; Proxy: Blocked Outbound Connection; FW: Outbound SSH Connection
  Medium Risk (Severity Score 2), indicator examples: AV: Malware Found and Not Cleaned; AV: File Infected; Proxy: Blocked Connection (non-US); IDS: High Severity Alert
  High Risk (Severity Score 3), indicator examples: Threat Intel: Connection to Known C&C Host; AV: Buffer Overflow; SIEM: Compromise Event to Vulnerable Asset
  Ways a system reaches the escalation score of 3: 1 + 1 + 1, 1 + 2, or a single 3
- 9. Solutions Provider: SIEM and Event Management Solutions Provider with a heavy focus on HP ArcSight and Splunk solutions; based in San Francisco, CA, with team members world-wide; custom SIEM tools and methodologies. Experts in: maintenance of challenging environments; complex integrations; distributed architectures; custom solutions for a variety of applications; services catered to customer needs. Purveyors of Finely Crafted Analytics.
- 10. THE SOLUTION
- 11. Logic Flow (chart; caption: "Obligatory Confusing Chart. Point With Stick.")
- 12. Content Overview: Filters, Rules, Active Lists, Cases, Reports
- 13-18. Content Detail (one diagram, built up one layer per slide). Elements recoverable from the slides: Low Severity Filters, Medium Severity Filters and High Severity Filters feeding the rules Risk Score +1, Risk Score +2 and Risk Score +3, which populate the Active Lists Risk Score Set 1, Risk Score Set 2 and Risk Score Set 3; "Not" conditions on the filter-to-rule edges; the rules Risk Score 1pt and Risk Score 2pts+; and, from Risk Score 2pts+, Case Alert followed by Case Notification.
- 19. Rule Example: Risk Score +2
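The scoring scheme of the "The Idea" slide and the filter, active-list and rule chain of the Content Detail slides, modelled here in plain Python as an added example. This is not the deck's ArcSight content and not code from MetaNet IVS or Kemper; ArcSight would express the same thing as filters, rules and Active Lists. The indicator-to-score table is taken from the slide; the sample feed, the asset names, the threshold of 3, and the rule that a repeated identical indicator on the same asset is not scored twice (my reading of the "Not" conditions in the diagram, which the slides do not spell out) are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Indicator -> severity score, following the "The Idea" slide.
INDICATOR_SCORES = {
    "AV: Malware Found and Cleaned": 1,
    "Proxy: Blocked Outbound Connection": 1,
    "FW: Outbound SSH Connection": 1,
    "AV: Malware Found and Not Cleaned": 2,
    "AV: File Infected": 2,
    "Proxy: Blocked Connection (non-US)": 2,
    "IDS: High Severity Alert": 2,
    "Threat Intel: Connection to Known C&C Host": 3,
    "AV: Buffer Overflow": 3,
    "SIEM: Compromise Event to Vulnerable Asset": 3,
}

# "Only systems reaching 3+ risk severity will trigger incident response".
CASE_THRESHOLD = 3

# Constructed sample feed (not customer data): timestamp, asset, indicator.
SAMPLE_EVENTS = """\
2013-05-01T09:00:00\tws-101\tAV: Malware Found and Cleaned
2013-05-01T09:02:10\tws-310\tAV: Malware Found and Cleaned
2013-05-01T09:05:42\tws-101\tProxy: Blocked Outbound Connection
2013-05-01T09:07:15\tsrv-db-02\tAV: Malware Found and Cleaned
2013-05-01T09:09:00\tws-411\tProxy: Blocked Connection (non-US)
2013-05-01T09:11:30\tws-310\tAV: Malware Found and Cleaned
2013-05-01T09:14:05\tws-205\tThreat Intel: Connection to Known C&C Host
2013-05-01T09:20:00\tsrv-db-02\tIDS: High Severity Alert
2013-05-01T09:25:47\tws-101\tFW: Outbound SSH Connection
"""


def parse_events(text):
    """Turn the tab-separated feed into (timestamp, asset, indicator) tuples.
    An indicator without a score is a content bug, so fail loudly."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, asset, indicator = line.split("\t")
        if indicator not in INDICATOR_SCORES:
            raise ValueError(f"unscored indicator: {indicator!r}")
        events.append((ts, asset, indicator))
    return events


@dataclass
class AssetRisk:
    """Per-asset state, the analogue of the Risk Score Set active lists."""
    score: int = 0
    indicators: list = field(default_factory=list)  # distinct indicators counted
    case_opened: bool = False


def escalate(events):
    """Accumulate risk per asset; open one case when the threshold is reached.
    Returns (cases, per-asset state)."""
    risk = defaultdict(AssetRisk)
    cases = []
    for ts, asset, indicator in events:
        st = risk[asset]
        # Assumption: the same indicator on the same asset is scored once.
        if indicator in st.indicators:
            continue
        st.indicators.append(indicator)
        st.score += INDICATOR_SCORES[indicator]
        if st.score >= CASE_THRESHOLD and not st.case_opened:
            st.case_opened = True  # later events keep scoring, no second case
            cases.append({
                "asset": asset,
                "opened_at": ts,
                "score": st.score,
                "indicators": list(st.indicators),
            })
    return cases, dict(risk)


def case_volume(events):
    """(cases if every triggered rule opened one, cases with risk-based escalation)."""
    cases, _ = escalate(events)
    return len(events), len(cases)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for case in escalate(evs)[0]:
        print(f"CASE {case['asset']} score={case['score']} "
              f"at {case['opened_at']}: {'; '.join(case['indicators'])}")
    per_rule, risk_based = case_volume(evs)
    print(f"per-rule cases: {per_rule}, risk-based cases: {risk_based}")
```

On the constructed feed, ws-101 reaches 3 as 1 + 1 + 1, srv-db-02 as 1 + 2 and ws-205 with a single 3, while ws-310 (a repeated low indicator) and ws-411 (one medium indicator) stay below the threshold: nine rule triggers become three cases.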
- 20. THE RESULTS
- 21. Reduction In Generated Cases
- 22. Other Customizations: Workflow
- 23. Final Thoughts (figure: per-system risk scores, mostly 1s and 2s, with only the systems scoring 3 escalated): Only systems reaching 3+ risk severity will trigger incident response
- 24. http://MetaNetIVS.com/downloads @meta_net Thank You