-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without
notice.
Defining, building, and making use cases work Paul Brettle –
Presales Manager, Americas Pacific Region
-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice.
2
What is a use case?
• Compliance – FISMA, PCI, SOX, etc… • Network security –
firewalls, IDS, routers & switches • Malware • Systems –
application and operating system • User monitoring – identity,
privileged user, shared accounts • SOC metrics – management
metrics, analyst team, infrastructure performance • Fraud –
banking, atms • Others?
-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice.
3
Defining a Use Case
Problem statement
Define the objective
Identify data source
Define thresholds
Identify deliverables
Evaluate and refine
1
2
3
4 5
6
-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice.
4
Example use case – audit log cleared
Identify Data source
How do I know when the audit log is cleared on my systems?
I need to be notified when audit logs are cleared for my
critical assets
Operating System IDS/IPS (Host) Firewalls
What are my thresholds? (Always, Frequency based, something
else?)
How do I want to be made aware? • Notification to CIRT •
Dashboard tracking • Compliance • Report to Auditors of
Audit Log Cleared
Problem statement
Define the objective
Identify data source
Define thresholds
Identify deliverables
Evaluate and refine
-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice.
5
Building a use case
• Capture the data / requirements consistently • Utilise a
standard process
• What works for you is great • Consider Use Case forms •
https://protect724.arcsight.com/docs/DOC-1523 (Cindy Jones)
• Targeted, simple, manageable • Steer clear of monolithic
packages
https://protect724.arcsight.com/docs/DOC-1523
-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice.
6
Simple tactics to make your life easy
• KISS principle still stands • Normal mechanisms stand, but
control is the key part
• Keep named user control around role based access • Limit
options for access rights – operators DON’T need write to rules! •
Group by general use / log source type / purpose – your choice! •
Use the numbering structures / schemes • Remember the use case
process and captured data
• Build out on deliverables • Build out on threat / risk
-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice.
7
ArcSight use cases
• Under used previously – been present since ESM 4.5 • Much more
content and documentation around for ESM 6.0c and Express 4.0 •
Look at focused content built around specific data sets
• Usually focused around several active lists – imported or used
as standard • Linked resources for filters, active channels etc –
common naming, structure etc
• Wizard tool to drive content configuration
-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice.
8
Configuring a use case
-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice.
9
Steps to build use cases
1. Problem statement 2. Define objectives 3. Identify data
sources 4. Define thresholds 5. Identify the deliverables 6.
Evaluate & refine as needed
1 | 2 | 3 | 4 | 5 | 6
-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice.
10
Example use case
• Problem statement: • Identify unauthorized privileged user
access to critical servers
• Define the objective: • Ensure we have the ability to identify
when unauthorized access is:
• Attempted • Succeeds • Occurs without authorization • Identify
unusual behavior • Allow easy identification of other
activities
-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice.
11
Example use case
Identify the data sources: • Servers • Network devices •
Other?
But also need to identify supporting data sources:
• Who is an privileged user? • Can we identify them easily?
• How can we identify if they are allowed / authorized or not? •
Change control system? Change window?
• Supporting network log data?
-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice.
12
Example use case
• Data source -> list • Log data -> event • Alert ->
rule
• Consider supporting
information • Critical servers – asset list • Privileged users –
external list • Default privileged user – external
list
-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice.
13
Example use case
Define the thresholds • How to trigger rules? • What content to
build out?
Where does the information go? • Individuals? • Team to process?
• Tracking list?
-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice.
14
Example use case
Identify deliverables • Content to show
what we want • Dashboards • Reports • Alerts • How to use the
data?
• Dashboards • Investigation • Ease of use?
• External data – compliance
• Audit information
-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice.
15
Example use case
Evaluate and refine • How to improve? • Where to refine and get
better? • What content can be extended?
• Focus on key data / log sources – better privileged user
information • Integrate automated data feeds – export / import
• Improve data, quality and content • Add further capabilities
on different log sources / systems
-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice.
16
Building Meaningful Use Cases
Review of use case approach
Formalized approach to understand what is required Define,
develop, build and use focused content Process helps define what is
needed:
• Problem Statement • Define Objectives • Identify Data Sources
• Define Thresholds • Identify the Deliverables • Evaluate &
Refine as Needed
Assists in so many other areas
-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice.
17
Summary
User Monitoring
Threat Intelligence
Perimeter Monitoring
Insider Threat
App Monitoring
Social Media Feed
Server Admin
Monitor
Third Party
Monitor
Network Anomaly Detection
Baseline Monitoring
Advanced Malware Monitor
-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice.
18
Please fill out a survey. Hand it to the door monitor on your
way out.
Thank you for providing your feedback, which helps us enhance
content for future events.
Session TB3057 Speaker Paul Brettle
Please give me your feedback
-
© Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without
notice.
Thank you
-
Defining, building, and making use cases workWhat is a use
case?Defining a Use CaseExample use case – audit log
clearedBuilding a use caseSimple tactics to make your life
easyArcSight use casesConfiguring a use caseSteps to build use
casesExample use caseExample use caseExample use caseExample use
caseExample use caseExample use caseReview of use case
approachSummaryPlease give me your feedbackThank youSlide Number
20
