All About actors in ArcSight ESM - Micro Focus …...and future plans of Hewlett -Packard may differ significantly as a result of, among other things, changes in product strategy resulting

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Anurag Singla Sr. Manager, Software Development Sep 2012

All about actors in HP ArcSight ESM

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 2

This is a rolling (up to three year) Roadmap and is subject to change without notice.

Forward-looking statements

This document contains forward looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Hewlett Packard's predictions and / or expectations as of the date of this document and actual results and future plans of Hewlett-Packard may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions.


This is a rolling (up to three year) Roadmap and is subject to change without notice.

HP confidential information

This Roadmap contains HP Confidential Information. If you have a valid Confidential Disclosure Agreement with HP, disclosure of the Roadmap is subject to that CDA. If not, it is subject to the following terms: for a period of 3 years after the date of disclosure, you may use the Roadmap solely for the purpose of evaluating purchase decisions from HP and use a reasonable standard of care to prevent disclosures. You will not disclose the contents of the Roadmap to any third party unless it becomes publically known, rightfully received by you from a third party without duty of confidentiality, or disclosed with HP’s prior written approval.


Agenda

• Introduction to actors • Why actors • Actor category models • Actor correlation using category models • Requirements and limitations • Q & a


Introduction to Actors


Introduction to actors

• Actors are representations of people on the network in ESM

• The actors feature maps actors and their activity to events from applications and network assets


Attributes of an actor

Attribute Value

Full Name Bruce Willis

Phone Number 650-650-6511

Email [email protected]

Manager Aaron Eckhart

Location /US/CA/Los Angeles

Address 123 Actors Way Los Angeles, CA

mailto:[email protected]�


Attributes of an actor - accounts

Authenticator Account ID

Oracle Applications bruce

Badge ID 123456

Microsoft Windows bruce

Microsoft Exchange [email protected]

Bugzilla brucewillis


Attributes of an actor - roles

Role Name Resource Name Role Type

DBA Oracle Database IT

Administrator Perforce IT


How to get actor data into ESM


Viewing actors


Representation of actors in ESM

• Actors are represented in ESM as resources

• Actors can be viewed using − Navigator − Resource Editor − Channels − Reports − Query Viewers − Search, etc.


Editor

• Allows viewing and editing Actor details

• Actors can also be created in ESM using Actor Editor, similar to other resources in ESM

• Updating Actors recommended only for Actors manually created in ESM

• Updates from Model Import Connector, for an Actor imported by it, would overwrite corresponding changes in ESM


Viewing actor channel from Navigator

• Right click on Actor Group to view and select ‘Show Actors’ option

• Displays Actors that are present directly in the selected group

• Right click ‘All Actors’ to view all the Actors recursively in an Actor channel


Channels


Why actors


Why actors

• Attribute events to users instead of machines • Correlate and identify activity per Actor irrespective of different account IDs that they may use in

different systems • Ability to do time based correlation

– Actor roles, accounts and attributes can change over time – ESM maintains history of the Actor data so that the events match the Actor data relevant at the time the activity

occurred

• Perform advanced correlation using Category Models


Actor lookup - channels


Actor lookup - reports


Actor lookup - query viewers


Actor lookup - dashboards


Actor global variables

• These provide capability to lookup Actor based on user information in the event fields

• Depending upon the information included in the event, corresponding Actor Variable can be used to identify Actors

Associate Actors to Events


Using actor global variables

• Select the Actor Global Variables using ‘Fields & Global Variables’ tab available where fields can be chosen

• E.g. Select Actor Global Variable fields in a FieldSet

• Apply FieldSet to channel


Using actor global variables - queries and rules


Category models


Category models

• A modeling and visualization tool that makes it possible to depict direct and indirect relationships between actors

• Actors can be grouped and visualized in numerous ways, such as reporting structures, location, or role-based hierarchy

• The system automatically maintains an up-to-date actor model that can be used within ESM to correlate users and their roles with their activity on the network


Type of category models

• Dual field category model – Makes use of two fields from actor attributes that specify hierarchy relationship among actors – E.g. UUID and Manager field helps define organization chart

• Single field category model – Makes use of single categorizing field from actor attributes – E.G. Location field helps define location chart

• Ad hoc category model – Allows defining custom model using drag and drop functionality – E.g. People involved in a specific project


Organization chart


Defining organization chart

• An example of dual field category model • Specify the actor fields that provide the

relationship between actors • E.g. Manager and UUID fields


Location hierarchy


Defining location hierarchy

• An example of single field category model

• Specify the actor field that has the hierarchical information (E.g. location)

• Specify the delimiter for recognizing hierarchy

• Example locations: – /US/CA/Los angeles

– /US/CA/Cupertino


Ad hoc category model

• Allows creating ad hoc hierarchies • E.g., people involved in a specific project


Ad hoc category model - data

• Define your own hierarchy of groups • Drag and drop actors to these groups


A team model


Actor correlation using category models


Global variable using HasRelationship function


HasRelationship function parameters

• The model to use • Parent Actor Identification Field based

on the Model • Child Actor identification field based on

the Model • Inherit All Related Actors option


Rule using HasRelationship function

• Create the rule and use the global variable created to identify HR violations based on Org Chart Model


Rule events in the channel


Violation based on organization chart


Requirements and limitations

• Up to 50K actors are supported − Average of 10 accounts per actor − Average of 10 roles per actor

• 4 GB manager heap size is needed for 50K actors • 1 GB console heap size is needed for working with actor category models • Actors are a licensed feature (part of IdentityView Solution)


Alpha opportunity

Large actor solution using Azul JVM. Looking for alpha customers. • Up to 300K actors − Average of 20 accounts per actor − Average of 20 roles per actor

• 32-64 GB manager heap size


IdentityView solution use cases

User Activity Monitoring • Monitor privileged and regular user activity through Reports, Channels,

Trends, Dashboards etc.

Shared Accounts Monitoring • Usage of Known Shared Accounts • Detection of Shared Accounts

Suspicious Activity Detection • Discover and Analyze Suspicious Activity

Actor Threat Score • Track levels of Suspicious Activity


Summary

• Actors provide an easy way to model user information in ESM • Security events can be enhanced with actor information using actor global variables • Hierarchical relationships can be created among actors from the actor data by

providing minimal configuration information • These hierarchies can be further used in correlation


Thank you

Documents

All About actors in ArcSight ESM - Micro Focus …...and future plans of Hewlett -Packard may differ significantly as a result of, among other things, changes in product strategy resulting