Creating custom threat reporting with HP ArcSight


© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Eric Itangata, Taras Kachouba, Analyst Security Operations, Global Risk and Security, Diebold

AGENDA

• Overview
• Industry Threat Reports
• The Need
• Content
• Building Your Report
• Q&A

Industry Threat Reports

• There are a number of valuable resources in the industry that provide threat information and predictions

• Most notably, Verizon's DBIR, Symantec's ISTR, and Websense's Threat Report

INDUSTRY THREAT REPORTS

• These provide good information on the state of threats in the industry, but may not be specific to your organization or industry

• Every organization should be aware of what threats affect them specifically on a daily basis. What trends are affecting you?

The Need…

• You want to be able to tell management specific information

• Chances are they have read the industry reports

• It is important to stay abreast of not only the threat landscape, but also how it impacts you

KEY INFORMATION

• This is going to be what is important to you, your management, and your organization.

• Some key information is:
  • Malware outbreaks
  • DDoS attacks
  • Malicious connection attempts
  • Bad Actors (internal and external)
  • Top IDS alerts
  • Top firewall blocks
  • Top internal talkers
  • Phishing

Where to Start

• Once you identify what you want to include in your report, you need to gather this information

• This information can come from a number of sources, but the best source to use is your ArcSight platform

Baselines

• You need to have a good understanding of your network to know what is normal activity

• ArcSight comes with a large volume of pre-loaded content

• Some of this content needs to be tweaked for your environment

Device Reporting

• The information from your threat report will come from a number of devices

• Firewalls, IDS/IPS, WAF, IIS, etc. will provide good detail on external threats

• AV, HIPS, DLP agent information, etc. provide information on endpoint events

• Windows/Linux event logs, DLP, proxy, etc. are good sources for brute force attacks, data exfiltration, and user activity threats

• Database security devices are good sources of potential data compromise
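The "Key Information", "Baselines" and "Device Reporting" slides describe what the report pulls out of the event data: top-N figures (firewall blocks, IDS alerts, internal talkers) and deviation from what is normal for your environment. The following Python is an added example, not part of the presentation and not ArcSight content: it parses a handful of constructed events in ArcSight's CEF format and computes those figures. Every vendor, product, address, signature id and baseline count in it is invented for illustration, and the parser skips CEF escape handling.

```python
"""Added example (not from the presentation): compute the "key information"
top-N figures from ArcSight-style CEF events and flag signatures that run
above an environment baseline. Product names, addresses, signature ids
and baseline figures below are all constructed for illustration."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample events for one reporting period, in CEF format
# (CEF:Version|Vendor|Product|DevVersion|SignatureID|Name|Severity|Extension).
CURRENT_PERIOD = [
    "CEF:0|ExampleFW|NGFW|1.0|100|Connection blocked|5|src=203.0.113.10 dst=10.1.2.3 dpt=445 act=block",
    "CEF:0|ExampleFW|NGFW|1.0|100|Connection blocked|5|src=203.0.113.10 dst=10.1.2.4 dpt=445 act=block",
    "CEF:0|ExampleFW|NGFW|1.0|100|Connection blocked|5|src=198.51.100.7 dst=10.1.2.3 dpt=22 act=block",
    "CEF:0|ExampleFW|NGFW|1.0|101|Connection allowed|2|src=10.1.2.3 dst=203.0.113.50 dpt=443 act=allow out=524288",
    "CEF:0|ExampleFW|NGFW|1.0|101|Connection allowed|2|src=10.1.2.9 dst=203.0.113.51 dpt=443 act=allow out=4194304",
    "CEF:0|ExampleFW|NGFW|1.0|101|Connection allowed|2|src=10.1.2.3 dst=203.0.113.52 dpt=80 act=allow out=1048576",
    "CEF:0|ExampleIDS|Sensor|2.0|2001|ET SCAN SMB probe|6|src=203.0.113.10 dst=10.1.2.3 dpt=445",
    "CEF:0|ExampleIDS|Sensor|2.0|2001|ET SCAN SMB probe|6|src=203.0.113.10 dst=10.1.2.4 dpt=445",
    "CEF:0|ExampleIDS|Sensor|2.0|2002|SSH brute force attempt|7|src=198.51.100.7 dst=10.1.2.3 dpt=22",
    "CEF:0|ExampleAV|Endpoint|3.0|3001|Malware detected|8|src=10.1.2.9 fname=invoice.exe act=quarantined",
]

# Constructed baseline: average events per period keyed by (vendor, signature id).
# In practice this comes from a trend over earlier periods, tuned per environment.
BASELINE = {
    ("ExampleFW", "100"): 1.0,
    ("ExampleFW", "101"): 3.0,
    ("ExampleIDS", "2001"): 0.5,
    ("ExampleIDS", "2002"): 1.0,
    ("ExampleAV", "3001"): 1.0,
}

# Address ranges treated as "internal" for this example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# CEF extension is key=value pairs; values may contain spaces, keys may not.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Split one CEF line into header fields plus its extension key/values.
    Simplification: CEF escapes (\\| in the header, \\= in values) are not handled."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event: " + line)
    event = {
        "vendor": parts[1], "product": parts[2], "dev_version": parts[3],
        "sig_id": parts[4], "name": parts[5], "severity": int(parts[6]),
    }
    event.update(_EXT_RE.findall(parts[7]))
    return event


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def top_firewall_blocks(events, n=5):
    """Sources most often blocked (act=block), e.g. for a 'top firewall blocks' chart."""
    return Counter(e["src"] for e in events if e.get("act") == "block").most_common(n)


def top_ids_alerts(events, n=5):
    """Most frequent IDS signature names (events from the constructed IDS product)."""
    return Counter(e["name"] for e in events if e["product"] == "Sensor").most_common(n)


def top_internal_talkers(events, n=5):
    """Internal hosts ranked by bytes sent to external destinations (CEF 'out' field)."""
    bytes_out = Counter()
    for e in events:
        if ("out" in e and "src" in e and "dst" in e
                and is_internal(e["src"]) and not is_internal(e["dst"])):
            bytes_out[e["src"]] += int(e["out"])
    return bytes_out.most_common(n)


def baseline_deviation(events, baseline, ratio=2.0):
    """Signatures whose volume this period exceeds `ratio` x their baseline.
    A signature absent from the baseline has an expected count of 0, so any
    occurrence is flagged: new activity is exactly what the report should surface.
    Returns {(vendor, sig_id): (name, current_count, baseline_count)}."""
    counts = Counter((e["vendor"], e["sig_id"]) for e in events)
    names = {(e["vendor"], e["sig_id"]): e["name"] for e in events}
    return {key: (names[key], cur, baseline.get(key, 0.0))
            for key, cur in counts.items() if cur > ratio * baseline.get(key, 0.0)}


EVENTS = [parse_cef(line) for line in CURRENT_PERIOD]

if __name__ == "__main__":
    print("Top firewall blocks:", top_firewall_blocks(EVENTS))
    print("Top IDS alerts:", top_ids_alerts(EVENTS))
    print("Top internal talkers (bytes out):", top_internal_talkers(EVENTS))
    for (vendor, sig), (name, cur, base) in baseline_deviation(EVENTS, BASELINE).items():
        print(f"Above baseline: {vendor}/{sig} {name!r}: {cur} this period vs {base} baseline")
```

The baseline ratio is the knob the "Baselines" slide refers to when it says pre-loaded content needs tweaking: a multiplier of 2 over the per-period average is a starting point, not a rule, and a signature with no baseline at all is reported on its first occurrence so that new activity is never hidden by a zero average.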

Content

• The content in ArcSight Foundation is a great place to start

• Provides network baseline, intrusion monitoring, DoS content, malware content, inbound attack content, etc.

• As you identify your needs, you can also include your own content

• Geographic event content is an example of this

Example of ArcSight Content

Other content

• Trend information, reports, etc. are great sources of information

• Don’t forget to include your dashboards. These are great sources for visual representation

• You can generate these from your ESM or logger

Industry Report Information

• Most industry report information is presented with main points:
  • Overview of previous year
  • Methodology
  • Conclusions and Recommendations

Building the Report

• Just as with an industry report, you need a narrative; this should cover the basis of your analysis

• Explain the methodology you used to generate your report and what ArcSight content you used

• Keep the information in an overview format, with a crisp executive focus

• In your conclusions and recommendations, make sure you make them specific to your findings and with obtainable goals

The Report Overview

• Compare industry reports to what you are seeing in your environment

• Note differences and how your company stands up against your industry, and in general

• Identify the attack vectors that led to the breaches and if you have seen them in your environment

• Identify why you believe you (hopefully) weren’t breached via these attack methods

The Report Methodology

• You want your findings to be based on accurate information. You need to show how you came to your findings

• List the trends, filters, reports, etc. that you used and an overview of them.

The Report Conclusion

• Use the content within ArcSight to create graphs, charts, etc. to give a visual representation to your findings

• If you have multiple locations, show and compare results from your analysis

• Identify key areas such as top threat vectors, top attackers, top targets, virus/malware activity, etc.

• Compare your results with industry results

• Remember, this is your report. Present what you think is relevant and most important to your organization

Recommendations

• Make your recommendations based on the data you collect

• If you see over the timeframe covered an increase in a particular attack vector that is in line with industry reports, identify that you are seeing that trend

• Conversely, if you are seeing a trend that is outside industry trends, this needs to be identified

• Management needs to understand that although industry reports are valuable, they may not accurately paint the right picture for the threats your organization sees

Questions?

Thank You


Security for the new reality
