
Page 1: ArcSight priority formula

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

ArcSight priority formula Fred Thiele, Managing Principal, South Pacific

@fgthiele #HPProtect

Page 2: ArcSight priority formula


Our journey

• The priority formula
• Let’s understand the ins and outs
• Look at some examples
• Take advantage of our new knowledge

The priority formula is the most misunderstood and underutilized feature in ArcSight!

Page 3: ArcSight priority formula


How often have we all seen this…

Page 4: ArcSight priority formula


The basics

Priority formula

The priority formula is applied to every single event ingested into ArcSight
• Base events, correlation events and internal events – everything is evaluated the same

Priority is made up of 4 parts
• Relevance
• Model Confidence
• Severity
• Criticality

Fully customisable: an XML file defines the priority formula (ThreatLevelFormula.xml)

Page 5: ArcSight priority formula


agentSeverity

Page 6: ArcSight priority formula


How applicable is the attack against the target host?

Relevance (R)

Effect: Relevance provides full or partial support for incoming agentSeverity
Requirement: Heavily dependent on port and vulnerability scanning data

Factors
• Default value: 10
• Port Scan? -5
• Vuln Scan? -5
• Port Open? +5
• Is Vuln? +5

Possible values
• 10 – Highly Relevant
• 5 – Partially Relevant
• 0 – Irrelevant

Page 7: ArcSight priority formula


How much do we know about an asset?

Model Confidence (MC)

Effect: Moderates effect of Relevance on Priority
Requirement: Heavily dependent on assets, ports and vulnerability data

Factors: Asset, Port, Vuln (which of these the network model holds for the host)
Output: 0, 4, 8, 8 or 10, depending on which combination of Asset, Port and Vuln data is known for the host (an asset in the database on its own gives 4; see the examples later in the deck)

Model confidence is combined with Relevance to become Model Confidence and Relevance (MCR).

Page 8: ArcSight priority formula


What is the likelihood the given event is applicable to our environment?

Model Confidence and Relevance (MCR)

Effect: Dampens effect of agentSeverity if Relevance < 10
Requirement: Model Confidence and Relevance
Factors: Relevance, Model Confidence
Output: A percentage that moderates the effect of Relevance on Priority if Relevance is < 10.

MCR = (Relevance + MC) – ((Relevance * MC) / 10)

Page 9: ArcSight priority formula


How suspicious is the attacker and/or target? Have I seen them before?

Severity (S)

Effect: Adds a maximum of 30% to agentSeverity [ 1 + S * (3/100) ] (cumulative)
Requirement: Proper utilization of system lists
Factors: system lists

Output
• Recon: +1 (103%)
• Suspicious: +3 (109%)
• Comp’d: +3 (109%)
• Hostile: +5 (115%)
• Infiltrators: +6 (118%)

System severity lists are a huge benefit to your information security analysts! Utilize these lists in your analysts’ workflow and rules.

Page 10: ArcSight priority formula


How does your business view this asset?

Criticality (C)

Effect: Adds or removes support for agentSeverity, +/- 20%
Requirement: Proper utilization of system categories
Factors: system categories

Output
• Unknown: 0 (20%)
• Very Low: 2 (40%)
• Low: 4 (60%)
• Medium: 6 (80%)
• High: 8 (100%)
• Very High: 10 (120%)

Pro tip: Know the business value of your assets!

Page 11: ArcSight priority formula


Priority formula

Priority = agentSeverity * MCR * (1 + (S * 3) / 100) * (1 + (C – 8) / 10)

• Model Confidence & Relevance (MCR), as a % (Vulnerability): (R + MC) – (R * MC) / 10
• Severity (S) factor (Threat): 1 + (S * 3) / 100, range 1.00 – 1.30
• Criticality (C) factor (Impact): 1 + (C – 8) / 10 (ranges shown on the slide: .84 – 1.04; 20%)

Page 12: ArcSight priority formula


Examples

Page 13: ArcSight priority formula


General rules of thumb to follow

Priority guidelines

• Numbers 0-10 are fed to an algorithm to produce a factor
  • The end result is a percentage to multiply agentSeverity against
• If Model Confidence is 0, Relevance has no effect on Priority
  • Means, by default, MCR has no effect on Priority
• If Relevance is 0, Priority is always 0
• Criticality drags down Priority until Criticality hits 8 (High)

Page 14: ArcSight priority formula


Baseline

agentSeverity
• Unknown – 2
• Low – 4
• Medium – 6
• High – 9
• Very-High – 10

Why is Priority != agentSeverity?

Page 15: ArcSight priority formula


Asset in Asset DB

Relevance = 10
• Is port scanned/is port open? (0)
• Is vscanned/has vuln? (0)

Model Confidence = 4
• Asset in DB (+4)

Page 16: ArcSight priority formula


Scanned asset – Port 80 open

Relevance (10 – 5 = 5)
• Is port scanned/open? (-5)
• Is vscanned (0)

Page 17: ArcSight priority formula


Scanned asset – attack against Port 80

Relevance (10 – 5 + 5 = 10)
• Is port scanned (-5)
• Is port open (+5)
• Is vscanned (0)

Page 18: ArcSight priority formula


What’s the difference? (chart comparing the Baseline with “Port scanned + attack against open port”)
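The formula from the “Priority formula” slide and the Baseline / Asset-in-DB / scanned-port walk-through above, carried through in code. This is an added illustration written for this page, not ArcSight’s implementation (which lives in ThreatLevelFormula.xml); it takes each factor exactly as the deck states it and makes three labelled assumptions: the five Model Confidence rows (0 / 4 / 8 / 8 / 10) are read as no asset data / asset only / asset + port / asset + vuln / all three, the cumulative Severity score is capped at 10 so the bonus never exceeds the stated 30%, and the result is clamped to the 0–10 scale of the summary table. The `Target` class and the scenario names are constructed for the example.

```python
"""Priority-formula walk-through, as an added example (not ArcSight's own code)."""
from dataclasses import dataclass

# Points each system list adds to Severity (deck's Severity slide).
SEVERITY_LISTS = {"Recon": 1, "Suspicious": 3, "Comp'd": 3, "Hostile": 5, "Infiltrators": 6}
# Criticality category -> C value (deck's Criticality slide).
CRITICALITY = {"Unknown": 0, "Very Low": 2, "Low": 4, "Medium": 6, "High": 8, "Very High": 10}
# Baseline agentSeverity values (deck's Baseline slide).
AGENT_SEVERITY = {"Unknown": 2, "Low": 4, "Medium": 6, "High": 9, "Very-High": 10}


@dataclass
class Target:
    """What the network model knows about the targeted host/port (constructed sample data)."""
    in_asset_db: bool = False
    port_scanned: bool = False   # port-scan data exists for the host
    port_open: bool = False      # the port the event targets is open in that data
    vuln_scanned: bool = False   # vulnerability-scan data exists for the host
    has_vuln: bool = False       # the host has the vulnerability the event exploits
    criticality: str = "High"    # C = 8, i.e. a 100% factor
    attacker_lists: tuple = ()   # system lists the attacker address appears on


def relevance(t: Target) -> int:
    """R: start at 10, -5 per kind of scan data held, +5 back if the port is open / vuln is present."""
    r = 10
    if t.port_scanned:
        r -= 5
        if t.port_open:
            r += 5
    if t.vuln_scanned:
        r -= 5
        if t.has_vuln:
            r += 5
    return r


def model_confidence(t: Target) -> int:
    """MC: 0 without asset data, 4 for the asset alone, 8 with port or vuln data, 10 with both.
    Assumption: this is how the deck's five-row table (0/4/8/8/10) is read."""
    if not t.in_asset_db:
        return 0
    return {0: 4, 1: 8, 2: 10}[int(t.port_scanned) + int(t.vuln_scanned)]


def mcr(r: int, mc: int) -> float:
    """MCR = (R + MC) - (R * MC) / 10, returned as a fraction of 10 (the deck's percentage)."""
    return ((r + mc) - (r * mc) / 10) / 10


def severity_factor(lists) -> float:
    """1 + S * 3/100 with S cumulative over the lists.
    Assumption: S is capped at 10 so the bonus stays at the stated 30% maximum."""
    s = min(sum(SEVERITY_LISTS[name] for name in lists), 10)
    return 1 + s * 3 / 100


def criticality_factor(c: int) -> float:
    """1 + (C - 8) / 10: Unknown (0) gives 0.2, High (8) gives 1.0, Very High (10) gives 1.2."""
    return 1 + (c - 8) / 10


def priority(agent_severity: int, t: Target) -> float:
    """agentSeverity * MCR * severity factor * criticality factor, clamped to 0-10 (assumption)."""
    p = (agent_severity
         * mcr(relevance(t), model_confidence(t))
         * severity_factor(t.attacker_lists)
         * criticality_factor(CRITICALITY[t.criticality]))
    return max(0.0, min(10.0, p))


# The deck's walk-through, plus one step further with list membership and criticality.
SCENARIOS = {
    "Baseline (host not in asset DB)": Target(),
    "Asset in asset DB": Target(in_asset_db=True),
    "Scanned asset, event against a closed port": Target(in_asset_db=True, port_scanned=True),
    "Scanned asset, attack against open port 80": Target(in_asset_db=True, port_scanned=True, port_open=True),
    "... attacker on Recon+Suspicious+Hostile, Very Low criticality": Target(
        in_asset_db=True, port_scanned=True, port_open=True,
        attacker_lists=("Recon", "Suspicious", "Hostile"), criticality="Very Low"),
}

if __name__ == "__main__":
    sev = AGENT_SEVERITY["Medium"]
    for name, t in SCENARIOS.items():
        r, mc = relevance(t), model_confidence(t)
        print(f"{name}: R={r} MC={mc} MCR={mcr(r, mc):.2f} "
              f"Priority(agentSeverity={sev})={priority(sev, t):.2f}")
```

Running it shows why the Baseline and Asset-in-DB cases come out identical (MCR is 1.0 for both R=10, MC=0 and R=10, MC=4), why the closed-port case drops (R=5, MC=8 gives MCR 0.9), and how list membership and a Very Low criticality move the same agentSeverity 6 event to about 3.05. One caveat worth checking against the shipped ThreatLevelFormula.xml: with the MCR expression as written on the slide, R=0 and MC=10 still yields MCR = 1.0, so the deck’s rule of thumb “if Relevance is 0, Priority is always 0” must come from how the XML handles that case rather than from this arithmetic alone.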

Page 19: ArcSight priority formula


Knowing your network saves time and enables risk-based decision making

Importance of network modelling

Chart of Priority per scenario (labels from the slide): Asset in Database; Scanned, non-open port; Recon; Recon + Suspicious; Recon + Suspicious + Hostile; Very-Low Asset Criticality; Very-High Asset Criticality

Page 20: ArcSight priority formula


Effects of formula on priority – in summary

Priority as a function of agentSeverity (rows) and MCR (columns), for three combined Criticality/Severity factors:

                    Low Crit/Sev (.84)     Mid Crit/Sev (1.08)    High Crit/Sev (1.35)
agentSeverity   MCR 0.50  0.71  1.00       0.50  0.71  1.00       0.50  0.71  1.00
 0                  0     0     0          0     0     0          0     0     0
 1                  1     1     1          1     1     2          1     1     2
 2                  1     2     2          2     2     3          2     2     3
 3                  2     2     3          2     3     4          3     3     5
 4                  2     3     4          3     4     5          3     4     6
 5                  3     3     5          3     4     6          4     5     7
 6                  3     4     6          4     5     7          5     6     9
 7                  3     5     6          4     6     8          5     7    10
 8                  4     5     7          5     7     9          6     8    10
 9                  4     6     8          5     7    10          7     9    10
10                  5     6     9          6     8    10          7     9    10

Page 21: ArcSight priority formula


In practice

Page 22: ArcSight priority formula


Asset data is critical; have a plan to get it into ArcSight!

Where to start

Start small and utilize vulnerability scanning
• Define a set of network ranges internally (zones)
• Vulnerability scan those ranges
• Import the vulnerability scan using a supported vulnerability scan connector
• Make sure to associate the vscan connector with the correct network/customer!
• Assets will auto-create within zones and be tagged with open ports

Enable your analysts
• Implement a process that enables analysts to add attackers to system lists
• Enable analysts to define critical assets (e.g., tagging assets with categories)

Page 23: ArcSight priority formula


Once you have the basics, expand your scope

Expand the scope of the model

Auto-update network model
• Define source(s) of truth
• Aggregate weekly
• Transform aggregate to ArcSight language
• Import/update network model for the latest and greatest

Utilize automated tools
• UCMDB (HP) and RedSeal work really well
• Export data to CSV, script a transform, import to ArcSight

Page 24: ArcSight priority formula


Default priority formula may not be suited to everyone

Get fancy

Fully customisable
• /opt/arcsight/manager/config/server/ThreatLevelFormula.xml
• Priority formula is just an XML file
• Documented in the online help
• Powerful markup

Pro tips
• If you have deleted the system lists, just recreate the lists and modify the ThreatLevelFormula
• Additional items can be added to the XML file with very little configuration
• Vulnerability mappings are highly dependent on context updates!
• Utilise Risk Insight for additional dashboards in the SOC

Page 25: ArcSight priority formula


Risk Insight

• Pre-built dashboards and metrics
• Utilises the Priority Formula and Network Model
• Integrates with ArcSight Command Centre
• Intended for utilisation in Security Operations
• Makes for great executive dashboards!

Visualise priority

Page 26: ArcSight priority formula


For more information

Attend these sessions

• TB3153, Improving IR Workflow in HP ArcSight using risk-based escalation

• TT3062 – Reduce security analysis time from hours to minutes…

Visit these demos

• DEMO3525 – Find threats with HP ArcSight ESM

After the event

• Contact your sales rep
• www.hpenterprisesecurity.com

Your feedback is important to us. Please take a few minutes to complete the session survey.

Page 27: ArcSight priority formula


Please fill out a survey. Hand it to the door monitor on your way out.

Thank you for providing your feedback, which helps us enhance content for future events.

Session TB3593 Speaker Fred Thiele

Please give me your feedback

Page 28: ArcSight priority formula


Thank you

Page 29: ArcSight priority formula