© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Best practices and use cases for consistent, enterprise-wide SIEM security policy management

Bhavika Kothari, QA Lead Victor Lee, Product Manager, CISSP


Agenda

• Introduction
• Best practices
• Management tool
• Use cases
• Discussion and Q&A


Introduction


HP ArcSight Next Generation Cyber Defense (diagram): Predict, Visualize, Search, Collect, Correlate, Respond; built on Analytics and SIEM.


Why is manageability important for security?

Introduction
• Ensure security policies are followed and enforced
• Manage the deployment holistically, not just its individual elements
• Monitor, create alerts, and maintain the security operations
• Deliver efficient and timely implementation
• Enable resources to focus on security analysis


Best practices


Best practices

• Create a golden configuration
• Create groups
• Monitor critical events and set alerts
• Update to the latest ArcSight product release as soon as possible
• Back up regularly
• Review and audit changes
• Leverage the ArcSight user community in Protect724


Management tool


Management tool

What are the benefits of using management tools?
• Reduce cost
• Faster and more reliable implementation of security policy
• Increase accuracy
• Enable resources to focus on security analytics

What is the name of the ArcSight management tool?

ArcSight Management Center


HP ArcSight Management Center

ArcSight Management Center (ArcMC) delivers centralized enterprise management that simplifies deploying and maintaining the desired enterprise security posture in a cost-effective and efficient manner.


ArcMC Version 2.0 (diagram): ArcSight Management Center (ArcMC) at the centre, with the managed node types ConApp, Connector, Logger and other ArcMC instances around it.


A few definitions
• A host is a system that hosts at least one ArcSight product
• A node is a managed ArcSight product: Connector, Connector Appliance, ArcSight Management Center or Logger
• A node can be a software or hardware form factor
• A configuration listed in ArcMC is considered a golden configuration
• Subscribers are the nodes that can receive the golden configuration
• When a subscriber's configuration is identical to the golden configuration, it is considered compliant. Otherwise, it is non-compliant.


ArcMC architecture (diagram): an ArcMC Web Client talks to the ArcMC server over HTTPS (client/server); ArcMC reaches Logger (SW, Appliance) and ArcMC/ConApp (SW, Appliance) nodes over HTTPS; an ArcMC Agent on Host 1, Host 2 and Host 3 manages the Connectors running there, with CWSAPI as the labelled agent interface.


Use cases
• Configuration management
• Management using groups
• Update to the latest software
• Monitoring


Use cases: Configuration management


ArcMC paradigm of operation

Step 1: Create/import the configuration in ArcMC
Step 2: Add subscribers to the configuration
Step 3: Push the configuration to the subscribers
Step 4: Check compliance (✔ ✔)


Use cases: Configuration Management


Use case: Schedule regular configuration backup

Configure all the appliances to back up on the same schedule, for example every Saturday at 10 p.m.



Use case: Logger filters

Add a new filter query: create the filters once on one Logger and have the same filters on the rest of the Loggers without re-creating them on each one.



Use case: User management

• Add a new employee: create the same users on all the appliances, software or hardware form factor

• Add new appliances, for example multiple ArcMCs or multiple Loggers: the existing users need to be added to the new appliances.



Use case: Windows Unified Connector configuration

• Push a Windows Unified Connector configuration to multiple Windows Unified Connectors (WUC)

• Run a compliance check to ensure the configurations are indeed on the SmartConnectors



Use case: DNS Management

• Add a new DNS server across all ArcSight Appliances

• Add a new DNS server to a logical group by location or function



Use case: Compliance check

• Is my environment compliant with FIPS?

• The compliance check can be extended, for example: Is the configuration compliant with the baseline "golden" configuration? Does it follow the corporate policy?

(Diagram: ArcMC checking a set of ArcSight nodes, each marked ✔ for compliant or X for non-compliant.)
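The definitions slide states the rule exactly: a subscriber is compliant only when its configuration is identical to the golden configuration, otherwise it is non-compliant. The following is an added example, not ArcMC code, of how a compliance check over that rule can be implemented for a fleet of subscribers. The configuration keys (a Logger backup schedule), node names and values are constructed for illustration; ArcMC's real configuration formats are not shown on the slides.

```python
"""Golden-configuration compliance check in the ArcMC sense:
a subscriber is compliant only if its configuration is identical to the
golden one. Added example, not ArcMC code; keys and node names are constructed."""

# Constructed golden configuration (hypothetical keys for a Logger backup schedule).
GOLDEN_BACKUP_CONFIG = {
    "backup.enabled": "true",
    "backup.schedule.day": "Saturday",
    "backup.schedule.time": "22:00",
    "backup.destination": "sftp://backup.example.internal/logger",
}

# Constructed subscriber configurations as a management tool might collect them.
SUBSCRIBER_CONFIGS = {
    # identical to the golden configuration
    "logger-01": dict(GOLDEN_BACKUP_CONFIG),
    # wrong backup time, and the destination key is missing altogether
    "logger-02": {
        "backup.enabled": "true",
        "backup.schedule.day": "Saturday",
        "backup.schedule.time": "23:00",
    },
    # all golden keys match, but a local extra setting has been added
    "logger-03": {**GOLDEN_BACKUP_CONFIG, "backup.retention.days": "30"},
}


def compare_to_golden(golden, actual):
    """Return the drift as {key: (golden value, actual value)}.

    A key missing on one side is reported with None for that side. Extra keys
    on the subscriber count as drift too, because the rule is 'identical',
    not 'golden keys present'."""
    drift = {}
    for key in sorted(set(golden) | set(actual)):
        g, a = golden.get(key), actual.get(key)
        if g != a:
            drift[key] = (g, a)
    return drift


def compliance_report(golden, subscribers):
    """Evaluate every subscriber; compliant means no drift at all."""
    report = {}
    for node, cfg in subscribers.items():
        drift = compare_to_golden(golden, cfg)
        report[node] = {"compliant": not drift, "drift": drift}
    return report


def non_compliant_nodes(report):
    """Sorted list of node names that failed the check."""
    return sorted(node for node, r in report.items() if not r["compliant"])


if __name__ == "__main__":
    report = compliance_report(GOLDEN_BACKUP_CONFIG, SUBSCRIBER_CONFIGS)
    for node, r in report.items():
        print(f"{node}: {'compliant' if r['compliant'] else 'NON-COMPLIANT'}")
        for key, (g, a) in r["drift"].items():
            print(f"    {key}: golden={g!r} actual={a!r}")
```

Reporting the per-key drift rather than a bare pass/fail is what makes the check actionable: a pushed configuration that was edited locally afterwards (logger-03) looks the same as one that never received the push (logger-02) in a boolean view, but the drift shows which case you are dealing with.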


Supported Logger configurations

Logger
• Logger Configuration Backup
• Logger Smart Message Receiver
• Logger Transport Receiver
• Logger Storage Group
• Logger Filter


Supported Connector, ConApp and ArcMC configurations

Connectors
• FIPS
• Map Files
• Parser Override
• Syslog Connector
• Windows Unified Connector
• Bluecoat

Connector Appliance and ArcMC
• ConApp/ArcMC Configuration Backup


Supported System Admin configurations

Software
• Authentication External
• Authentication Local Password
• Authentication Session
• User Configuration
• SMTP

Hardware
• DNS
• NTP
• Network
• SNMP


Use cases: Management using groups


Bulk add host: Import hosts

• Allows adding hosts in bulk from a comma-separated values (.csv) file
• Runs as a background batch job
• Requirement: a .csv file with valid host entries
• The results of the import hosts job are stored in a text file at <install_dir>/userdata/arcmc/importhosts/
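The slide requires a CSV file with valid host entries and says the job writes its results to a text file. The following is an added example, not ArcMC code, of validating such a file before it reaches the batch job and producing the kind of results text a job would leave behind. The column layout (hostname, node_type, location) is an assumption; the node types are the ones the deck lists as managed nodes. The sample CSV is constructed.

```python
"""Validate a bulk-host import CSV and produce a results summary.
Added example, not ArcMC code. Column names are an assumption; node types
come from the deck's list of managed node types."""

import csv
import io
import re

# Node types the deck names as managed ArcSight products.
VALID_NODE_TYPES = {"Connector", "Connector Appliance", "Logger", "ArcMC"}

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, 1-63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Syntactic hostname check (RFC 1123 style); no DNS lookup is performed."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def parse_host_csv(text: str):
    """Return (accepted, rejected).

    accepted: list of row dicts ready for the batch job.
    rejected: list of (csv line number, reason); the header is line 1."""
    accepted, rejected, seen = [], [], set()
    reader = csv.DictReader(io.StringIO(text))
    for line_no, row in enumerate(reader, start=2):
        host = (row.get("hostname") or "").strip()
        ntype = (row.get("node_type") or "").strip()
        if not is_valid_hostname(host):
            rejected.append((line_no, f"invalid hostname {host!r}"))
        elif ntype not in VALID_NODE_TYPES:
            rejected.append((line_no, f"unknown node type {ntype!r}"))
        elif host.lower() in seen:
            rejected.append((line_no, f"duplicate host {host!r}"))
        else:
            seen.add(host.lower())
            accepted.append({
                "hostname": host,
                "node_type": ntype,
                "location": (row.get("location") or "").strip(),
            })
    return accepted, rejected


def import_results_text(accepted, rejected) -> str:
    """Plain-text results in the spirit of the job's results file."""
    lines = [f"imported: {len(accepted)}", f"rejected: {len(rejected)}"]
    lines += [f"OK   {r['hostname']} ({r['node_type']})" for r in accepted]
    lines += [f"FAIL line {n}: {reason}" for n, reason in rejected]
    return "\n".join(lines) + "\n"


# Constructed sample input: three good rows, then a bad hostname,
# a duplicate, and a node type ArcMC does not manage.
SAMPLE_CSV = """hostname,node_type,location
logger-ny-01.example.internal,Logger,New York
conapp-ldn-01.example.internal,Connector Appliance,London
arcmc-02.example.internal,ArcMC,New York
bad host!.example.internal,Logger,Chicago
logger-ny-01.example.internal,Logger,New York
router-01.example.internal,Router,Chicago
"""

if __name__ == "__main__":
    ok, bad = parse_host_csv(SAMPLE_CSV)
    print(import_results_text(ok, bad), end="")
```

Rejecting rows with a line number and a reason, instead of aborting the whole import on the first bad entry, matches how a background batch job is usually reviewed after the fact: the operator reads the results file, fixes the listed lines, and re-imports only those.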


Create CSV File for bulk add host


Bulk add host using import CSV

Import Host CSV File


ArcMC node management

A node is a managed ArcSight product
• Connector
• Connector Appliance
• Logger
• ArcMC

Nodes can be a software or hardware form factor


Use cases: Update to the latest software


Use case: Update software to the latest release

• New ArcSight software release: push new versions of the software to connectors, ArcMC appliances and Logger appliances.



Demo: Update software to the latest release


Use cases: Monitoring


Monitoring nodes

ArcMC 2.0 will support monitoring for
• Connector Appliance (hardware and software)
• Logger Appliance (hardware and software)
• Local and managed ArcMCs (hardware and software)
• SmartConnectors


Health data monitored

ArcMC collects health data from managed products at 1-minute, 5-minute and 1-hour intervals to support charting and alert generation.
• CPU
• Memory
• Disk
• Network
• EPS In/Out
• Event and Queue Stats
• Thread Count
• Fan, Voltage, Power Supply, Temperature, RAID


Critical alert generation

• Breach rules are defined to generate alerts against health data metrics.
• Example: Generate a FATAL alert for any Logger whose average CPU usage in the past 5 minutes is greater than 90%:

    breach.rule[1].product = LOGGER
    breach.rule[1].severity = FATAL
    breach.rule[1].metric = CPU
    breach.rule[1].aggregation = AVG
    breach.rule[1].measurement = GREATER
    breach.rule[1].value = 90
    breach.rule[1].timespan = 5
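The breach rule above is a small rule language: a product scope, a metric, an aggregation over a timespan, a comparison and a threshold that together yield an alert of a given severity. The following is an added example, not ArcMC code, that evaluates rules of that shape over collected health samples, so the windowing and product scoping can be seen on concrete data. The rule keys are those on the slide; the second rule (MAX disk over 5 minutes), the sample layout and the assumption of 1-minute samples are constructed for the example.

```python
"""Evaluate ArcMC-style breach rules over health samples.
Added example, not ArcMC code. Rule keys follow the slide; the second rule,
the node data and the 1-minute sample interval are constructed assumptions."""

from statistics import mean

# The slide's rule plus one constructed rule, as rule dicts.
BREACH_RULES = [
    # FATAL when a Logger's average CPU over the past 5 minutes is greater than 90%.
    {"product": "LOGGER", "severity": "FATAL", "metric": "CPU",
     "aggregation": "AVG", "measurement": "GREATER", "value": 90, "timespan": 5},
    # Constructed: WARNING when any 1-minute disk sample in the past 5 minutes exceeds 85%.
    {"product": "LOGGER", "severity": "WARNING", "metric": "DISK",
     "aggregation": "MAX", "measurement": "GREATER", "value": 85, "timespan": 5},
]

AGGREGATIONS = {"AVG": mean, "MAX": max, "MIN": min}
MEASUREMENTS = {"GREATER": lambda x, v: x > v, "LESS": lambda x, v: x < v}

# Constructed health data: per node, per metric, 1-minute samples, oldest first.
HEALTH = {
    "logger-01": {"product": "LOGGER",
                  "CPU": [40, 45, 50, 95, 97, 98, 96, 99],     # sustained high CPU now
                  "DISK": [70, 70, 71, 71, 72, 72, 72, 73]},
    "logger-02": {"product": "LOGGER",
                  "CPU": [99, 98, 97, 10, 12, 11, 13, 12],     # spike is outside the window
                  "DISK": [80, 82, 84, 86, 87, 88, 89, 90]},   # disk creeping over 85%
    "conapp-01": {"product": "CONAPP",
                  "CPU": [99] * 8,                             # hot, but not a LOGGER
                  "DISK": [50] * 8},
}


def evaluate_rule(rule, samples):
    """Apply one rule to a node's samples (1-minute samples, oldest first).

    Returns (aggregated value, breached) or None when fewer samples exist than
    the timespan requires, so a partial window never raises an alert."""
    window = samples[-rule["timespan"]:]
    if len(window) < rule["timespan"]:
        return None
    aggregated = AGGREGATIONS[rule["aggregation"]](window)
    breached = MEASUREMENTS[rule["measurement"]](aggregated, rule["value"])
    return aggregated, breached


def generate_alerts(rules, health):
    """Run every rule against every node of the matching product type."""
    alerts = []
    for node, data in sorted(health.items()):
        for rule in rules:
            if data["product"] != rule["product"] or rule["metric"] not in data:
                continue
            result = evaluate_rule(rule, data[rule["metric"]])
            if result is None:
                continue
            aggregated, breached = result
            if breached:
                alerts.append({
                    "node": node,
                    "severity": rule["severity"],
                    "metric": rule["metric"],
                    "aggregation": rule["aggregation"],
                    "observed": round(aggregated, 1),
                    "threshold": rule["value"],
                })
    return alerts


if __name__ == "__main__":
    for alert in generate_alerts(BREACH_RULES, HEALTH):
        print(f"{alert['severity']:8} {alert['node']}: {alert['aggregation']} {alert['metric']} "
              f"over window = {alert['observed']} (threshold {alert['threshold']})")
```

Two details worth noticing on the constructed data: logger-02's CPU spike three samples ago does not fire the AVG rule because only the last five samples are in the window, and conapp-01 at 99% CPU is ignored by both rules because its product type is not LOGGER. Both are exactly what the product and timespan keys in the slide's rule are for.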


Monitoring levels

Summary
• Displays alerts / breaches across all the managed products
• Displays per-product severity / alert pie charts


Monitoring levels

Aggregated per managed product
• Displays alerts / breaches of a particular product type


Monitoring levels

Individual product
• Displays alerts / breaches on a managed node
• Displays the different health monitor stats (EPS In/Out, CPU, Memory Utilization, Hardware Stats)


Discussion and Q&A


For more information

Attend these sessions

• TB3067, Connector Appliance Migration to ArcSight Management Center

Visit these demos

• HP ArcSight demo station

• HP ArcSight Management Center demo station

After the event

• Contact your sales rep
• Presentations will be posted after Protect at https://protect724.hp.com/community/events/protect-conference


Please fill out a survey. Hand it to the door monitor on your way out.

Thank you for providing your feedback, which helps us enhance content for future events.

Session TB3133. Speakers: Victor Lee and Bhavika Kothari

Please give me your feedback


Thank you
