We leveraged the power of HP ArcSight ESM to build advanced content which enables custom, risk-based, automated incident workflow.
1. Improving IR Workflow Using Risk-Based Escalation in HP ArcSight ESM
   MetaNet IVS, @meta_net, http://MetaNetIVS.com
2. What This Talk Is About
   We leveraged the power of ArcSight ESM to build advanced content which enables custom, risk-based, automated incident workflow.
3. Why Should You Care
   Objectives:
   - Show capability of ArcSight ESM as a platform
   - Teach the audience to create uncommon use cases based on novel ideas
   - Share our stories and practical experience
4. Larry Wichman, Security Engineer, Kemper
   Anton Goncharov, Principal, MetaNet IVS
5. The Customer
   Diversified insurance holding company; individual and small business market
6. Customer Environment
   Feeds: MS Windows Server, McAfee AntiVirus, CheckPoint Firewall, Cisco ASA, Snort IDS, McAfee Web Gateway, Foundstone, Nessus Vulnerability Scanner
   EPS: 600
   Cases per day: 1-2
   Enterprise systems: 9000
   Enterprise users: 3000
   Things we like: dashboards and drill-downs
   Things we dislike: the ESM client is not appropriate for our management; querying multiple Active Lists at once
7. The Problem
   Triggered rules don't translate well into actionable events or Cases.
8. The Idea
   Low Risk (Severity Score 1): AV: Malware Found and Cleaned; Proxy: Blocked Outbound Connection; FW: Outbound SSH Connection
   Medium Risk (Severity Score 2): AV: Malware Found and Not Cleaned; AV: File Infected; Proxy: Blocked Connection (non-US); IDS: High Severity Alert
   High Risk (Severity Score 3): Threat Intel: Connection to Known C&C Host; AV: Buffer Overflow; SIEM: Compromise Event to Vulnerable Asset
   Score combinations shown on the slide: 1 + 1 + 1, 1 + 2, 3
9. Solutions Provider
   SIEM and event management solutions provider; heavy focus on HP ArcSight and Splunk solutions; based in San Francisco, CA, with team members world-wide; custom SIEM tools and methodologies.
   Experts in: maintenance of challenging environments, complex integrations, distributed architectures, custom solutions for a variety of applications, services catered to customer needs.
   Purveyors of Finely Crafted Analytics
10. The Solution
11. Logic Flow
   [Chart: "Obligatory Confusing Chart. Point With Stick."]
12. Content Overview
   Filters, Rules, Active Lists, Cases, Reports
13.-18. Content Detail
   One logic-flow diagram, built up one element per slide from 13 through 18. Nodes of the completed diagram on slide 18:
   Low Severity Filters -> Risk Score Set 1 (when the asset is Not already at "Risk Score 1pt"); otherwise Risk Score +1
   Medium Severity Filters -> Risk Score Set 2; otherwise Risk Score +2
   High Severity Filters -> Risk Score Set 3; otherwise Risk Score +3
   Risk Score 2pts+ -> Case Alert -> Case Notification
   Read left to right: the first indicator matched for an asset sets its Risk Score to that tier's severity, later indicators add their severity to it, and once the score reaches 2pts+ a Case is created and the Case Notification sent.
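The escalation logic from the content-detail slides, written out as an added Python simulation so the rule interactions can be traced on sample events. This is not ArcSight content and not the presenters' code: the "Risk Score" active list is modelled as a dictionary keyed by asset, the severity table comes from the "The Idea" slide, the threshold defaults to the slides' "Risk Score 2pts+", and the assumption that one asset gets at most one open Case (later indicators keep raising its score) is mine. The asset names in the sample events are constructed.

```python
from dataclasses import dataclass, field

# Severity score per indicator, taken from the deck's "The Idea" slide.
INDICATOR_SEVERITY = {
    "AV: Malware Found and Cleaned": 1,
    "Proxy: Blocked Outbound Connection": 1,
    "FW: Outbound SSH Connection": 1,
    "AV: Malware Found and Not Cleaned": 2,
    "AV: File Infected": 2,
    "Proxy: Blocked Connection (non-US)": 2,
    "IDS: High Severity Alert": 2,
    "Threat Intel: Connection to Known C&C Host": 3,
    "AV: Buffer Overflow": 3,
    "SIEM: Compromise Event to Vulnerable Asset": 3,
}


@dataclass
class Case:
    asset: str
    score: int
    indicators: list


@dataclass
class RiskEscalator:
    """In-memory stand-in for the deck's Risk Score active list plus the
    case-creation rule. Assumption (not from the slides): one Case per asset;
    further indicators raise the score but do not open a second Case."""
    threshold: int = 2                                 # the "Risk Score 2pts+" filter
    risk_list: dict = field(default_factory=dict)      # asset -> current risk score
    history: dict = field(default_factory=dict)        # asset -> indicators seen so far
    cases: list = field(default_factory=list)

    def process(self, asset: str, indicator: str):
        """Apply one matched indicator; return a Case if this event escalates the asset."""
        severity = INDICATOR_SEVERITY.get(indicator)
        if severity is None:
            return None                                # no severity filter matched: no rule fires
        if asset not in self.risk_list:
            self.risk_list[asset] = severity           # "Risk Score Set N": first entry for the asset
        else:
            self.risk_list[asset] += severity          # "Risk Score +N": asset already on the list
        self.history.setdefault(asset, []).append(indicator)
        already_open = any(c.asset == asset for c in self.cases)
        if self.risk_list[asset] >= self.threshold and not already_open:
            case = Case(asset, self.risk_list[asset], list(self.history[asset]))
            self.cases.append(case)                    # "Case Alert" -> "Case Notification"
            return case
        return None


def replay(events, threshold=2):
    """Run (asset, indicator) pairs in order through a fresh escalator and return it."""
    esc = RiskEscalator(threshold=threshold)
    for asset, indicator in events:
        esc.process(asset, indicator)
    return esc


# Constructed sample stream: asset names are made up, indicators are the slide's names.
SAMPLE_EVENTS = [
    ("ws-1042", "AV: Malware Found and Cleaned"),              # 1 -> Set 1
    ("ws-1042", "FW: Outbound SSH Connection"),                # +1 -> 2, reaches 2pts+: Case
    ("srv-07", "Proxy: Blocked Outbound Connection"),          # 1 -> Set 1, no Case
    ("db-03", "Threat Intel: Connection to Known C&C Host"),   # 3 -> Set 3, Case immediately
    ("ws-1042", "IDS: High Severity Alert"),                   # +2 -> 4, Case already open
]

if __name__ == "__main__":
    esc = replay(SAMPLE_EVENTS)
    for case in esc.cases:
        print(f"case for {case.asset}: score {case.score}, indicators {case.indicators}")
    print("risk list:", esc.risk_list)
```

With the default threshold of 2, the two low-severity hits on ws-1042 open a Case on the second event, while the single low-severity hit on srv-07 only parks it on the risk list; passing threshold=3 reproduces the "1 + 1 + 1 / 1 + 2 / 3" combinations from the "The Idea" slide instead.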