Configuring an ArcSight SmartConnector to collect events from Kaspersky Admin Kit 8.0


As part of a comprehensive security monitoring program, many organizations have deployed Security Information Event Management (SIEM) software within their infrastructure to centrally collect and analyze valuable security and application logs from the variety of systems and applications that support their business.

When deploying SIEM technology, it is important to identify the systems and applications that will generate the necessary log information in support of your documented security objectives.

This will usually include the following types of systems and applications; however, this is not a comprehensive list:

Firewalls
Proxy Servers
VPNs
Authentication
Physical Access Control
Identity Management
Intrusion Detection
Antivirus
Anti-Spam
Application Audit Logs

There are many SIEM vendors in the marketplace, such as Q1 Labs, ArcSight, Splunk and LogLogic. This particular document will focus on the collection of antivirus event information from Kaspersky Administration Kit 8.0 using the ArcSight (now Hewlett-Packard) SmartConnector technology.

The ArcSight SmartConnector technology is a Java framework used to integrate 3rd party products for the purposes of collecting event log information and forwarding the collected events to a central server for storage, real-time analysis, trending and reporting.

The ArcSight SmartConnector framework offers a variety of event collection options, and depending on the particular application or system, more than one collection method may be available. Which one you select will depend on the given limitations of the application/system to generate events, and the needs and capabilities of your IT infrastructure to support a particular method.

Example event log collection methods:
SYSLOG Message
SNMP Trap
Native API (e.g. WMI, OPSEC LEA)
File Monitoring (e.g. Flat-file, CSV)
Database (via JDBC/ODBC)

Kaspersky Admin Kit 8.0 is capable of generating event notifications when a particular event or action occurs (e.g. policy change, virus detection, network attack etc.). Policy settings allow for granular control over which events will be logged, which events will generate a notification, or both.

Supported Notification Methods:
Email
Network Message (NET SEND)
SNMP
Running an executable file

Supported Event Log Methods:
Windows Event Log (Local Client)
Windows Event Log (Administration Server)

For this exercise, Kaspersky Administration Kit 8.0 will be configured via policy to forward client events to the Kaspersky Administration Server, where they will be logged into the Windows Applications and Services Logs, using the Kaspersky Event Log which was automatically created when the Administration Server was installed.

The ArcSight SmartConnector framework, which can be installed remotely, will be installed locally on the Kaspersky Administration Server, and will be configured to collect events from the Kaspersky Event Log in real-time, and to store them in a local file for demonstration purposes.

Note: In a production deployment of ArcSight, the events would be forwarded to an ArcSight Logger or Enterprise Security Manager (ESM) appliance; however, for this exercise a local file destination was chosen to demonstrate the concept.

To enable logging of Kaspersky Anti-Virus events by ArcSight, the following two procedures are required:

1. Configure event logging within Kaspersky Admin Kit

2. Install and Configure the ArcSight SmartConnector framework

Step 1: Configure Kaspersky Event Logging

1. Log into the Kaspersky Administration Kit

2. Using the navigation on the left, expand the Managed Computers object and drill down to the policy that you would like to enable logging for, in this example, Windows Workstation Policy

3. Right click on the policy to be edited and select Properties

4. Click on the Events tab

5. The drop down list displays the four event categories available: Critical event, Error, Warning, and Info. Each event category has several events whose properties with regards to notification and logging can be individually configured.

6. Select the Event Category and Event Type that you would like to enable logging for, and click on the Properties button.

7. Select whether you would like the event to be logged to the client's local event log, the event log on the Kaspersky Administration Server, or both, then click OK. Note: For this exercise, we require that the logs be written to the Kaspersky Administration Server.

8. Repeat steps 6 and 7 as required for the remaining Event Categories and Event Types. When finished, click the Apply button to save your changes, then click OK

9. Click on the name of the policy that you were just editing, and change the Policy Status from Inactive to Active

Step 2: Install the ArcSight SmartConnector Framework

1. Download the ArcSight SmartConnector framework and launch the installer by double-clicking on it.

Note: For this exercise, the Microsoft Windows version of the ArcSight SmartConnector framework utilized was 5.1.1.5782.0

2. When the installer appears, click Next

3. Select the location to install the ArcSight SmartConnector and click Next

4. The Choose Install Set window will be displayed, select Typical and click Next

5. Confirm the Shortcut Folder options and click Next

6. Confirm your selections and click Install

7. The ArcSight SmartConnector framework will take several minutes to install the Java Runtime Environment and the necessary SmartConnector agent.

8. When prompted to select the SmartConnector Destination, select CEF File and click Next

9. Confirm the Path and File Name that the events will be written to and click Next

10. Select the type of SmartConnector to install, Microsoft Windows Event Log Local, and click Next

11. By default, the SmartConnector is configured to collect the Application, System, and Security event logs.

12. Provide a Name, and optional description for this SmartConnector and click Next

Highlight the defaults and delete them, then type Kaspersky Event Log and click Next

13. Confirm the options you have selected and click Next

14. The SmartConnector will now be configured. When completed, click Next

15. Select whether you would like the SmartConnector to run as a Service or as a Standalone Application and click Next

16. Confirm the SmartConnector Service Parameters and click Next

17. Once the SmartConnector service has been installed, click Finish

18. The ArcSight SmartConnector installation is now complete, click Done

19. Launch the Microsoft Windows Services Applet (services.msc) and verify that the newly installed ArcSight SmartConnector service is running. Start the service if necessary.

20. Generate some Kaspersky events (i.e. download the EICAR test virus at http://www.eicar.org from a client)

21. Launch the Windows Event Viewer and drill down to the Applications and Services Logs, and click on the Kaspersky Event Log

22. Verify that the events are being written to the Kaspersky Event Log by double clicking on an event

23. Verify that the events are being collected by the ArcSight SmartConnector and stored in a file, by viewing the file created in the destination directory that was specified during the install (e.g. C:\Program Files\ArcSightSmartConnectors\current\user\agent\cef\2011-04-12-04-33-38.cef)

24. Each event will be recorded in the ArcSight Common Event Format (CEF), with each entry starting with the header CEF:0, and the individual event fields being pipe delimited (|)

At this point the events could be fed into ArcSight; however, normalization and categorization have not been performed, so although the SIEM can collect and store the events, it will not understand their meaning or their context.

Categorization of events was outside the scope of this exercise, which was to demonstrate the ability to collect the events.
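The following Python, added here as an illustration and not part of the original document or of ArcSight's own code, parses records in the layout step 24 describes (a CEF:0 header followed by pipe-delimited fields) and tallies them by event type, which is all that can be done with the raw, uncategorized output. The escaping rules it applies beyond the pipe delimiter (backslash escapes inside header fields, space-separated key=value pairs in the extension) come from the published CEF specification rather than from this page, and the sample lines, including their vendor, product and SAMPLE-nnnn signature values, are constructed, not captured connector output.

```python
# Parser for CEF records: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
import re
from collections import Counter

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")   # extension key= at start or after a space
_ESC_RE = re.compile(r"\\(.)")                             # backslash followed by the escaped char

SAMPLE_LINES = [  # constructed records in the connector's file layout, not real Kaspersky output
    "CEF:0|Kaspersky|Administration Kit|8.0|SAMPLE-0001|Virus found\\|quarantined|8|"
    "rt=1302582818000 dvchost=kavsrv01 fname=C:\\\\Users\\\\test\\\\eicar.com msg=Object name\\=eicar.com",
    "CEF:0|Kaspersky|Administration Kit|8.0|SAMPLE-0002|Policy changed|3|"
    "rt=1302582900000 dvchost=kavsrv01 duser=KAVADMIN\\\\operator",
    "CEF:0|Kaspersky|Administration Kit|8.0|SAMPLE-0001|Virus found\\|quarantined|8|rt=1302582950000 dvchost=kavsrv01 fname=D:\\\\share\\\\eicar.com",
]

def _unescape(s):
    """Resolve CEF escapes (\\| \\= \\\\ \\n \\r) in a single pass, so an escaped backslash is never re-read."""
    return _ESC_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)

def _split_header(line):
    """Return the 7 unescaped header fields and the raw extension that follows the 7th pipe."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        if line[i] == "\\" and i + 1 < len(line):      # escaped '|' or '\': not a delimiter
            cur.append(line[i + 1]); i += 2
        elif line[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(line[i]); i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return fields, line[i:]

def parse_cef(line):
    """Parse one CEF line into its header fields plus an 'extension' dict of key=value pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record: missing 'CEF:' header")
    header, ext = _split_header(line)
    rec = dict(zip(HEADER_FIELDS, [header[0][4:]] + header[1:]))
    keys = list(_KEY_RE.finditer(ext))
    ends = [m.start() for m in keys[1:]] + [len(ext)]   # each value runs up to the next key
    rec["extension"] = {m.group(1): _unescape(ext[m.end():e].rstrip()) for m, e in zip(keys, ends)}
    return rec

def summarize(lines):
    """Tally records per (signature_id, name): raw counts only, since nothing categorizes them yet."""
    return Counter((r["signature_id"], r["name"]) for r in map(parse_cef, lines))
```

Pointing summarize at the lines of the .cef file from step 23 gives a quick check that events of each type are actually arriving, without any ArcSight parser or categorization content.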

Kaspersky Lab, 500 Unicorn Park, Woburn, MA, [email protected]

www.kaspersky.com, www.threatpost.com