© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

ArcSight Threat Response Manager (TRM) virtual appliance

Lee-Lan Yip, CISSP, ArcSight Sr. Product Line Manager
Victor Tham, ESP Presales Manager



Page 2

Agenda

TRM virtual appliance overview
• Security use cases
• Value proposition
• Differentiation

ESM and TRM integration overview

Implementation and deployment

Page 3

Threat Response Manager (TRM) overview

Page 4

Challenge: security response to incidents is too long

Security team discovers an incident: rogue hosts, virus/malware, botnets, nefarious users…

Do you know how to stop it? Do you know what else is affected?

Do you know where it is?

Diagram: the affected host may sit anywhere across home VPN, branch office, public network, public VPN, wireless hot-spot, remote workers, corporate HQ or mobile users.

Page 5

Solution: TRM instantly locates, analyzes and mitigates incidents

• Reduce the impact of security incidents on your business
• Shorten the time required to respond to incidents directly from ESM
• Ensure accuracy via the investigate, locate and simulate engine
• Quarantine users or devices based on intelligent workflow
• Create a record of response plans and actions taken

Diagram: ArcSight ESM detects (collect, analyze & prioritize, alert); the ArcSight TRM virtual appliance responds (investigate, simulate, test; notify or quarantine) and tracks (report and document).

Page 6

ArcSight TRM dramatically reduces the time to effectively respond, and through the application of business rules TRM conforms to corporate compliance policy.

Reliable | repeatable | reversible | auditable

Diagram: shrink the “response window” from the current window of vulnerability to a few seconds.

Page 7

Value proposition: ArcSight TRM delivers calculated, effective response

How to think about TRM


TRM is like the sprinkler in your fire system

Alarm + sprinkler

Page 8

TRM functions – where, what and how

Locate
• Determine node, endpoint or user access
• Provide router/switch access information
• Self-documenting engine provides “as-is” configured state

Analyze
• Determine control point closest to node
• Determine best method to quarantine node
• Determine impact of quarantining node

Quarantine
• Disable switch ports
• Set MAC filters
• VLAN quarantine
• Block IP traffic
• Disable VPN session
• Disable user account

Diagram: multiple quarantine options for different impact, enforced at the control point nearest the node. Control points shown: authentication/directory server (disable user), wired switch infrastructure (set MAC filter, disable switch port, put on quarantine VLAN), router (change ACL, IP traffic control), firewall/VPN (IP traffic control, remove VPN user), Internet, wireless infrastructure and mobile user.

Page 9

Threat Response Mitigation: ESM and TRM Integration

Page 10

Overview of infected host use case:
• User sees notification of infected asset
• Investigate event details
• View map of the attack
• Investigate the node under attack
• Simulate quarantine
• Quarantine system
• Confirm quarantine
• Review commands issued
• View quarantined systems
• Remove system from quarantine once cleaned
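A toy model of the locate, analyze/simulate, quarantine and release steps from the TRM functions slide and the infected-host workflow above, added here as an illustration and not ArcSight code: the endpoint table is constructed sample data, and the command strings are placeholders rather than real device syntax. It shows why simulation matters: when the infected host shares an access port, shutting the port would also cut off an innocent host, so the less disruptive MAC filter is chosen, and every command (including the rollback) lands in a command log.

```python
from dataclasses import dataclass

# Constructed access-layer table (sample values, not real network data):
# endpoint IP -> (access switch, port, MAC address last seen there).
ENDPOINTS = {
    "10.1.5.23": ("sw-access-03", "Gi1/0/12", "00:11:22:aa:bb:01"),
    "10.1.5.24": ("sw-access-03", "Gi1/0/12", "00:11:22:aa:bb:02"),  # shares the port (e.g. behind a desk phone)
    "10.1.5.40": ("sw-access-03", "Gi1/0/20", "00:11:22:aa:bb:03"),
}

@dataclass
class Plan:
    method: str          # quarantine option chosen
    control_point: str   # device/port where it is enforced
    collateral: list     # other hosts that would lose connectivity
    commands: list       # placeholder commands (not real device syntax)
    rollback: list       # placeholder commands that undo the action

COMMAND_LOG = []   # audit trail: (ip, command) in the order issued
QUARANTINED = {}   # ip -> Plan, kept so the action can be reversed

def locate(ip):
    """Locate: map an IP to the switch, port and MAC it was last seen on."""
    if ip not in ENDPOINTS:
        raise LookupError(f"{ip} not found on any access port")
    return ENDPOINTS[ip]

def simulate(ip):
    """Analyze/simulate: rank quarantine options by collateral impact at the closest control point."""
    switch, port, mac = locate(ip)
    cp = f"{switch}/{port}"
    sharing = [h for h, (s, p, _) in ENDPOINTS.items() if (s, p) == (switch, port) and h != ip]
    candidates = [
        Plan("disable switch port", cp, sharing, [f"{cp} shutdown"], [f"{cp} no shutdown"]),
        Plan("MAC filter", cp, [], [f"{cp} deny-mac {mac}"], [f"{cp} permit-mac {mac}"]),
    ]
    return min(candidates, key=lambda p: len(p.collateral))  # least collateral wins; list order breaks ties

def quarantine(ip):
    """Quarantine: execute the simulated plan and record every command for the command log."""
    plan = simulate(ip)
    COMMAND_LOG.extend((ip, c) for c in plan.commands)
    QUARANTINED[ip] = plan
    return plan

def release(ip):
    """Remove from quarantine: replay the recorded rollback commands once the asset is cleaned."""
    plan = QUARANTINED.pop(ip)
    COMMAND_LOG.extend((ip, c) for c in plan.rollback)
    return plan.rollback
```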

Page 12

View map of the attack (from TRM) View attacker, target, and related networking details

From the attacker address, right-click and select TRM Command - Attacker-Target Map


Page 17

Review commands issued (from TRM)

Next to each task in the quarantine list is a “Command Log” link listing the commands that were issued

Page 19

Remove system from quarantine (from TRM)

After the asset has been cleaned, select it and click “Remove Quarantined Nodes”

Page 21

Customer perspective

“Since we deployed TRM over a year ago, we have been able to quarantine all cyber security attacks before any major damage has taken place.” –Systems Engineer, Federal Government

ArcSight TRM customer case study: government research lab

Company overview
• Large government-funded research lab
• Conducts advanced research with grants from government
• Tens of thousands of employee and non-employee visitors accessing the network at all hours of the day

Challenges and opportunities
• Little control over a large number of internal and external unmanaged endpoints connecting to the network
• Needed to provide access to network resources while also operating in a secure environment
• Needed to quarantine suspicious endpoints not their own

Results
• Located compromised or rogue hosts and isolated them from the network
• Changes made during threat response documented and linked to the incident
• Changes made while following a pre-defined change management process

Page 22

Customer perspective

“Integration of 3rd party security application with ArcSight TRM drastically improved our uptime, cut our cost of ‘repairs’ of critical endpoints and gave us the confidence to instantaneously react whenever a problem is detected.” –Senior Security Analyst

Use case: medical center customer success profile

Company overview
• Large hospital group
• Delivers advanced IP, data, voice services and solutions to business and government
• 32,000+ employees

Challenges and opportunities
• 15-20 problem events per week detected by 3rd party security application
• Manual processes were inefficient and impractical
• Disruption could severely impact the surgical department as well as continued healthcare

Results
• Tight integration between 3rd party security application and ArcSight TRM
• Instantaneous quarantining action on critical events
• 24/7/365 protection of our environment
• Fully automated reporting

Page 23

Summary

ArcSight TRM simplifies and automates critical parts of the threat response life cycle

Tight integration with ESM or AE and other products avoids the loss of critical time to respond and eliminates potential mistakes

Node investigation identifies the target in seconds versus minutes or hours

Quarantine simulation delivers impact analysis of the planned action

Rule system protects critical assets and provides control

Full history log and recorded execution detail

Page 24

Implementation options for ArcSight TRM

ArcSight ESM (integration commands or TRM connector for Fully Automated Response)

3rd party integration (CLI)

Works with existing network equipment, no changes required

Diagram: the ArcSight TRM virtual appliance controls remote VPN, wired and wireless access.

Page 25

Implementation and deployment

End-to-End HP ArcSight Security Solution
• Threat mitigation “off-the-shelf” integration with ESM or AE
• Reduce time spent in investigation
• Fast response to attacks
• Support enterprise workflow authorization

Standalone Threat Response Application
• No dependency on ESM/AE or any other ArcSight product purchase
• Completely standalone threat response offering
• “Off-the-shelf” multi-vendor device (Cisco, Juniper, HP, etc.) support
• SOC or NOC offering
• Supports virtualization (VMware)

3rd Party Security Application Integration
• Open SOAP API integration with 3rd party applications
• Full TRM functionality enabled

Supported Devices
• Major router, switch and security device vendors: Cisco, Juniper, HP (ProCurve and H3C), Dell, Check Point, Blue Coat, Fortigate, etc.
• Option to develop a custom driver

Page 26

Thank you

Page 27

Security for the new reality