
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Anurag Singla, Sr. Manager, Software Development, Sep 2012

All about actors in HP ArcSight ESM


This is a rolling (up to three year) Roadmap and is subject to change without notice.

Forward-looking statements

This document contains forward-looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Hewlett-Packard's predictions and/or expectations as of the date of this document, and actual results and future plans of Hewlett-Packard may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions.


HP confidential information

This Roadmap contains HP Confidential Information. If you have a valid Confidential Disclosure Agreement with HP, disclosure of the Roadmap is subject to that CDA. If not, it is subject to the following terms: for a period of 3 years after the date of disclosure, you may use the Roadmap solely for the purpose of evaluating purchase decisions from HP and use a reasonable standard of care to prevent disclosures. You will not disclose the contents of the Roadmap to any third party unless it becomes publicly known, is rightfully received by you from a third party without duty of confidentiality, or is disclosed with HP’s prior written approval.


Agenda

• Introduction to actors
• Why actors
• Actor category models
• Actor correlation using category models
• Requirements and limitations
• Q & A


Introduction to Actors


Introduction to actors

• Actors are representations of people on the network in ESM

• The actors feature maps actors and their activity to events from applications and network assets


Attributes of an actor

Attribute       Value
Full Name       Bruce Willis
Phone Number    650-650-6511
Email           bwillis@company.com
Manager         Aaron Eckhart
Location        /US/CA/Los Angeles
Address         123 Actors Way, Los Angeles, CA


Attributes of an actor - accounts

Authenticator         Account ID
Oracle Applications   bruce
Badge ID              123456
Microsoft Windows     bruce
Microsoft Exchange    bwillis@company.com
Bugzilla              brucewillis


Attributes of an actor - roles

Role Name       Resource Name     Role Type
DBA             Oracle Database   IT
Administrator   Perforce          IT


How to get actor data into ESM


Viewing actors


Representation of actors in ESM

• Actors are represented in ESM as resources

• Actors can be viewed using
  – Navigator
  – Resource Editor
  – Channels
  – Reports
  – Query Viewers
  – Search, etc.


Editor

• Allows viewing and editing Actor details

• Actors can also be created in ESM using Actor Editor, similar to other resources in ESM

• Updating Actors is recommended only for Actors that were manually created in ESM

• For an Actor imported by the Model Import Connector, the next update from the connector would overwrite any changes made to that Actor in ESM


Viewing actor channel from Navigator

• Right click on an Actor Group and select the ‘Show Actors’ option

• Displays Actors that are present directly in the selected group

• Right click ‘All Actors’ to view all the Actors recursively in an Actor channel


Channels


Why actors


Why actors

• Attribute events to users instead of machines
• Correlate and identify activity per Actor irrespective of the different account IDs that they may use in different systems
• Ability to do time-based correlation
  – Actor roles, accounts and attributes can change over time
  – ESM maintains a history of the Actor data so that events match the Actor data that was relevant at the time the activity occurred
• Perform advanced correlation using Category Models
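As an added illustration of the two points above (one actor, many account IDs; and matching events against the actor data valid at event time), the following Python sketch is not ArcSight ESM code and does not use the product's API. The Actor, Account and ActorDirectory classes, the UUIDs, the dates and the sample events are all assumptions constructed here; only the names and account IDs are taken from the slide's example.

```python
"""Simplified, added illustration of actor-based event attribution.

Not ArcSight ESM code: the classes below are assumptions written to show
how account IDs on different authenticators map back to one actor, and
how a time-versioned actor record lets an event be matched against the
actor data that was valid when the event occurred.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Account:
    authenticator: str   # e.g. "Microsoft Windows"
    account_id: str      # the ID used on that authenticator


@dataclass(frozen=True)
class ActorVersion:
    """One snapshot of an actor's data, valid from 'valid_from' onwards."""
    valid_from: datetime
    full_name: str
    manager_uuid: Optional[str]
    accounts: FrozenSet[Account]


@dataclass
class Actor:
    uuid: str
    history: List[ActorVersion]   # all snapshots ever imported

    def version_at(self, when: datetime) -> Optional[ActorVersion]:
        """Return the snapshot that was valid at 'when', or None if the
        actor did not exist yet at that time."""
        current = None
        for v in sorted(self.history, key=lambda v: v.valid_from):
            if v.valid_from <= when:
                current = v
            else:
                break
        return current


class ActorDirectory:
    def __init__(self, actors: List[Actor]) -> None:
        self.actors: Dict[str, Actor] = {a.uuid: a for a in actors}

    def resolve(self, authenticator: str, account_id: str,
                when: datetime) -> Optional[str]:
        """UUID of the actor who held (authenticator, account_id) at 'when'.
        The same account ID can belong to different people on different
        authenticators, and an account can be removed from an actor over time."""
        key = Account(authenticator, account_id)
        for actor in self.actors.values():
            v = actor.version_at(when)
            if v is not None and key in v.accounts:
                return actor.uuid
        return None


def attribute_events(directory: ActorDirectory, events: List[dict]) -> dict:
    """Count events per actor UUID; events that resolve to no actor are
    counted under the key None so the gap is visible rather than silent."""
    counts: dict = {}
    for ev in events:
        uuid = directory.resolve(ev["authenticator"], ev["account_id"], ev["time"])
        counts[uuid] = counts.get(uuid, 0) + 1
    return counts


# Constructed sample data: slide example values plus assumed UUIDs and dates.
BRUCE_V1 = ActorVersion(
    valid_from=datetime(2012, 1, 1), full_name="Bruce Willis", manager_uuid="A-002",
    accounts=frozenset({
        Account("Oracle Applications", "bruce"),
        Account("Badge ID", "123456"),
        Account("Microsoft Windows", "bruce"),
        Account("Microsoft Exchange", "bwillis@company.com"),
        Account("Bugzilla", "brucewillis"),
    }))
# Assumed later change: the Oracle Applications account is removed on 2012-07-01.
BRUCE_V2 = ActorVersion(
    valid_from=datetime(2012, 7, 1), full_name="Bruce Willis", manager_uuid="A-002",
    accounts=BRUCE_V1.accounts - {Account("Oracle Applications", "bruce")})
AARON = ActorVersion(
    valid_from=datetime(2012, 1, 1), full_name="Aaron Eckhart", manager_uuid=None,
    accounts=frozenset({Account("Microsoft Windows", "aeckhart")}))

DIRECTORY = ActorDirectory([Actor("A-001", [BRUCE_V1, BRUCE_V2]), Actor("A-002", [AARON])])

# Constructed sample events: four different account IDs that are one person,
# one use of an account after it was removed, and one event from the manager.
SAMPLE_EVENTS = [
    {"time": datetime(2012, 3, 5), "authenticator": "Microsoft Windows", "account_id": "bruce"},
    {"time": datetime(2012, 3, 5), "authenticator": "Oracle Applications", "account_id": "bruce"},
    {"time": datetime(2012, 3, 6), "authenticator": "Bugzilla", "account_id": "brucewillis"},
    {"time": datetime(2012, 3, 6), "authenticator": "Microsoft Exchange", "account_id": "bwillis@company.com"},
    {"time": datetime(2012, 8, 1), "authenticator": "Oracle Applications", "account_id": "bruce"},
    {"time": datetime(2012, 8, 1), "authenticator": "Microsoft Windows", "account_id": "aeckhart"},
]

if __name__ == "__main__":
    print(attribute_events(DIRECTORY, SAMPLE_EVENTS))
```

The point of the versioned history is the fifth event: an Oracle login as "bruce" in August no longer resolves to Bruce because that account was removed from him in July, so it surfaces as unattributed instead of being silently credited to the wrong person. Keeping such unresolved events visible is what makes stale or orphaned accounts show up in monitoring.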


Actor lookup - channels


Actor lookup - reports


Actor lookup - query viewers


Actor lookup - dashboards


Actor global variables

• These provide the capability to look up an Actor based on the user information in the event fields

• Depending on which user information the event carries, the corresponding Actor Variable can be used to identify the Actor

Associate Actors to Events


Using actor global variables

• Select the Actor Global Variables from the ‘Fields & Global Variables’ tab, available wherever fields can be chosen

• E.g. Select Actor Global Variable fields in a FieldSet

• Apply FieldSet to channel


Using actor global variables - queries and rules


Category models


Category models

• A modeling and visualization tool that makes it possible to depict direct and indirect relationships between actors

• Actors can be grouped and visualized in numerous ways, such as reporting structures, location, or role-based hierarchy

• The system automatically maintains an up-to-date actor model that can be used within ESM to correlate users and their roles with their activity on the network


Type of category models

• Dual field category model
  – Makes use of two fields from the actor attributes that specify the hierarchy relationship among actors
  – E.g. the UUID and Manager fields help define an organization chart

• Single field category model
  – Makes use of a single categorizing field from the actor attributes
  – E.g. the Location field helps define a location chart

• Ad hoc category model
  – Allows defining a custom model using drag and drop functionality
  – E.g. people involved in a specific project


Organization chart


Defining organization chart

• An example of a dual field category model
• Specify the actor fields that provide the relationship between actors
• E.g. the Manager and UUID fields


Location hierarchy


Defining location hierarchy

• An example of a single field category model

• Specify the actor field that has the hierarchical information (E.g. location)

• Specify the delimiter for recognizing hierarchy

• Example locations:
  – /US/CA/Los Angeles
  – /US/CA/Cupertino


Ad hoc category model

• Allows creating ad hoc hierarchies
• E.g. people involved in a specific project


Ad hoc category model - data

• Define your own hierarchy of groups
• Drag and drop actors into these groups


A team model


Actor correlation using category models


Global variable using HasRelationship function


HasRelationship function parameters

• The model to use
• Parent Actor identification field, based on the model
• Child Actor identification field, based on the model
• Inherit All Related Actors option


Rule using HasRelationship function

• Create the rule and use the global variable created above to identify HR violations based on the Org Chart model
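The following Python sketch is an added example covering the three category model types described earlier (dual field, single field with a delimiter, ad hoc), the HasRelationship parameters, and the kind of org-chart rule this slide refers to. It is not ArcSight ESM code and does not reproduce the product's HasRelationship function; the CategoryModel class, the builder functions, the HR-violation rule, and the UUIDs and locations in the sample data are all assumptions constructed to mirror the slide's description.

```python
"""Added illustration of category models and a HasRelationship-style check.

Not ArcSight ESM code: CategoryModel, the three builders and is_hr_violation
are assumptions modelled on the slide's description of the feature.
"""
from typing import Dict, Iterable, List, Set


class CategoryModel:
    """A hierarchy stored as parent -> set of children over node names.
    Nodes are actor UUIDs or, in a location model, path prefixes."""

    def __init__(self) -> None:
        self.children: Dict[str, Set[str]] = {}

    def add_edge(self, parent: str, child: str) -> None:
        self.children.setdefault(parent, set()).add(child)
        self.children.setdefault(child, set())

    def has_relationship(self, parent: str, child: str,
                         inherit_all_related: bool = False) -> bool:
        """True when 'child' sits directly under 'parent'. With
        inherit_all_related=True any descendant counts, which is how an
        org-chart check reaches skip-level reports (mirrors the slide's
        'Inherit All Related Actors' option)."""
        direct = self.children.get(parent, set())
        if child in direct:
            return True
        if not inherit_all_related:
            return False
        seen: Set[str] = set()
        stack: List[str] = list(direct)
        while stack:                      # iterative DFS; 'seen' guards cycles
            node = stack.pop()
            if node == child:
                return True
            if node in seen:
                continue
            seen.add(node)
            stack.extend(self.children.get(node, set()))
        return False


def dual_field_model(actors: Iterable[dict], child_field: str = "uuid",
                     parent_field: str = "manager") -> CategoryModel:
    """Dual field model (org chart): one actor's parent_field value refers
    to another actor's child_field value."""
    model = CategoryModel()
    for actor in actors:
        if actor.get(parent_field):
            model.add_edge(actor[parent_field], actor[child_field])
    return model


def single_field_model(actors: Iterable[dict], field: str = "location",
                       delimiter: str = "/") -> CategoryModel:
    """Single field model (location chart): split the field on the delimiter;
    every prefix becomes a node and the actor hangs under the deepest one."""
    model = CategoryModel()
    for actor in actors:
        parent, path = delimiter, ""      # the bare delimiter is the root node
        for part in (p for p in actor[field].split(delimiter) if p):
            path = path + delimiter + part
            model.add_edge(parent, path)
            parent = path
        model.add_edge(parent, actor["uuid"])
    return model


def ad_hoc_model(groups: Dict[str, Iterable[str]]) -> CategoryModel:
    """Ad hoc model: groups and members chosen by hand (drag and drop in the UI)."""
    model = CategoryModel()
    for group, members in groups.items():
        for uuid in members:
            model.add_edge(group, uuid)
    return model


def is_hr_violation(org: CategoryModel, viewer: str, subject: str) -> bool:
    """Assumed rule: an actor may view an HR record only if it is their own
    or the subject is somewhere in their reporting chain."""
    if viewer == subject:
        return False
    return not org.has_relationship(viewer, subject, inherit_all_related=True)


# Constructed sample actors: slide example names plus assumed UUIDs/locations.
ACTORS = [
    {"uuid": "A-001", "name": "Bruce Willis", "manager": "A-002", "location": "/US/CA/Los Angeles"},
    {"uuid": "A-002", "name": "Aaron Eckhart", "manager": "A-003", "location": "/US/CA/Cupertino"},
    {"uuid": "A-003", "name": "Example Executive", "manager": None, "location": "/US/CA/Cupertino"},
]
ORG_CHART = dual_field_model(ACTORS)
LOCATIONS = single_field_model(ACTORS)
PROJECTS = ad_hoc_model({"Project Alpha": ["A-001", "A-003"]})

if __name__ == "__main__":
    print(ORG_CHART.has_relationship("A-003", "A-001"))                             # False
    print(ORG_CHART.has_relationship("A-003", "A-001", inherit_all_related=True))   # True
    print(is_hr_violation(ORG_CHART, "A-001", "A-002"))                             # True
```

The inherit option is the one to get right when writing the rule: without it, a skip-level manager querying a report's record would fire as a violation, and with it a direct report querying their manager's record still does, which is the case the slide's org-chart rule is meant to catch.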


Rule events in the channel


Violation based on organization chart


Requirements and limitations

• Up to 50K actors are supported
  – Average of 10 accounts per actor
  – Average of 10 roles per actor
• 4 GB manager heap size is needed for 50K actors
• 1 GB console heap size is needed for working with actor category models
• Actors are a licensed feature (part of the IdentityView Solution)


Alpha opportunity

Large actor solution using the Azul JVM. Looking for alpha customers.

• Up to 300K actors
  – Average of 20 accounts per actor
  – Average of 20 roles per actor
• 32-64 GB manager heap size


IdentityView solution use cases

User Activity Monitoring
• Monitor privileged and regular user activity through Reports, Channels, Trends, Dashboards etc.

Shared Accounts Monitoring
• Usage of Known Shared Accounts
• Detection of Shared Accounts

Suspicious Activity Detection
• Discover and Analyze Suspicious Activity

Actor Threat Score
• Track levels of Suspicious Activity


Summary

• Actors provide an easy way to model user information in ESM
• Security events can be enhanced with actor information using actor global variables
• Hierarchical relationships can be created among actors from the actor data by providing minimal configuration information
• These hierarchies can be further used in correlation


Thank you
