Maintaining privacy with HPE ArcSight
Petr Hněvkovský, CISSP, CISM, CISA, CEH
Senior Solution Architect, EMEA
Nov, 2016


Forward-looking statements

This is a rolling (up to three year) roadmap and is subject to change without notice

This document contains forward looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Hewlett Packard Enterprise's predictions and / or expectations as of the date of this document and actual results and future plans of Hewlett Packard Enterprise may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions.


Hewlett Packard Enterprise confidential information

This is a rolling (up to three year) roadmap and is subject to change without notice

This Roadmap contains Hewlett Packard Enterprise Confidential Information.

If you have a valid Confidential Disclosure Agreement with Hewlett Packard Enterprise, disclosure of the Roadmap is subject to that CDA. If not, it is subject to the following terms: for a period of three years after the date of disclosure, you may use the Roadmap solely for the purpose of evaluating purchase decisions from HPE and use a reasonable standard of care to prevent disclosures. You will not disclose the contents of the Roadmap to any third party unless it becomes publicly known, rightfully received by you from a third party without duty of confidentiality, or disclosed with Hewlett Packard Enterprise’s prior written approval.


Agenda

Data de-identification

ArcSight native use case

Voltage Data Security capability

ArcSight & Voltage PoC

Live demo

Under the integration hood

Q&A


A streetview example


Data anonymization drivers with ArcSight

Shared services

Managed Security Providers

Strict Controls Reduction

Big data initiatives

Security data lakes

Hunting and Analytics

PII, PCI & HIPAA sensitive data

GDPR compliance

VIPs & Intellectual Property


ArcSight native de-identification
Data obfuscation


Elements we will talk about

Connector

ESM / Express

Logger


Connector obfuscation – ESM console view


A powerful mix – example scenario
http://h71056.www7.hp.com/gfs-shared/downloads-203.pdf

Diagram: Connector, ESM/Express, Logger (arrow labelled "search")

– Only obfuscated events to ESM
– Special user with Logger Integration Command can search for unobfuscated data on remote Logger within ESM console
– Only special user is allowed to access unobfuscated data on Logger
– Destination-specific obfuscation


Voltage Data Security
Understand the capability


HPE Data Security – Voltage SecureData recap
Data de-identification with Format-Preserving Encryption (FPE)

Tax ID: 934-724-2356
FPE: 345-753-5772
AES: 8juYE%Uks&dDFa2345^WFLERG

Record: First Name – Gunther, Last Name – Robertson, SSN – 575-72-2356, DOB – 20-07-1966
FPE: First Name – Uywjlqo, Last Name – Muwruwwbp, SSN – 575-67-8745, DOB – 18-06-1972
AES: Ija&3k24kQotugDF2390^32 0OWioNu2(*872weW Oiuqwriuweuwr%oIUOw1@


HPE Data Security – Voltage SecureData recap
Data de-identification with Secure Stateless Tokenization (SST)

Credit card: 1234 5678 8765 4321
SST: 8736 5533 4678 9453

Tax ID: 934-724-2356
SST: 347-982-8309


Field level, format-preserving, reversible data de-identification
Customizable to granular requirements addressed by encryption and tokenization

          Credit card          SSN/ID       Email              DOB
Original  4171 5678 8765 4321  934-72-2356  [email protected]  31-07-1966
Full      8736 5533 4678 9453  347-98-8309  [email protected]  20-05-1972
Partial   4171 5681 5310 4321  634-34-2356  [email protected]  20-05-1972
Obvious   4171 56AZ UYTZ 4321  AZS-UD-2356  [email protected]  20-05-1972

Methods: FPE, SST


HPE Data Security – Data protection with HP FPE and HP SST

Sensitive / live data

Name          SS#          Credit Card #        Street Address         Customer ID
James Potter  385-12-1199  37123 456789 01001   1279 Farland Avenue    G8199143
Ryan Johnson  857-64-4190  5587 0806 2212 0139  111 Grant Street       S3626248
Carrie Young  761-58-6733  5348 9261 0695 2829  4513 Cambridge Court   B0191348
Brent Warner  604-41-6687  4929 4358 7398 4379  1984 Middleville Road  G8888767
Anna Berman   416-03-4226  4556 2525 1285 1830  2893 Hamilton Drive    S9298273

FPE           FPE          SST                  FPE                    FPE

De-identified / protected data

Name          SS#          Credit Card #        Street Address         Customer ID
Kwfdv Cqvzgk  161-82-1292  37123 48BTIR 51001   2890 Ykzbpoi Clpppn    S7202483
Veks Iounrfo  200-79-7127  5587 08MG KYUP 0139  406 Cmxto Osfalu       B0928254
Pdnme Wntob   095-52-8683  5348 92VK DEPD 2829  1498 Zejojtbbx Pqkag   G7265029
Eskfw Gzhqlv  178-17-8353  4929 43KF PPED 4379  8261 Saicbmeayqw Yotv  G3951257
Jsfk Tbluhm   525-25-2125  4556 25ZX LKRT 1830  8412 Wbbhalhs Ueyzg    B6625294

learn more at www.hp.com/go/datasecurity


HPE SecureData – Data Security Platform

HPE SecureData (API)
HPE SecureData Management Console
Authentication and authorization sources (e.g., active directory)
Hardware Security Module (HSM)
HPE SecureData Web Services API (REST, SOAP)
HPE SecureData native APIs (C, Java, C#, .NET)
HPE SecureData Command Lines and Automated File Parsers
HPE SecureData File Processor


HPE SecureData – Data Security Platform

High availability

HPE SecureData (API)
HPE SecureData Management Console
Authentication and authorization sources (e.g. active directory)
Hardware Security Module (HSM)

Policy controlled data protection and masking services and clients

HPE SecureData Web Services API
HPE SecureData native APIs (C, Java, C#, .NET)
HPE SecureData Command Lines and Automated File Parsers
HPE SecureData z/Protect, z/FPE
HPE SecureData Native UDFs
Partner integrations
SaaS & PaaS cloud apps
Payment terminals
Volume key management

Business applications, data stores and processes

Production databases
Mainframe applications and databases
Third party applications
Teradata, Hadoop and Vertica
ETL & data integration suites
Network Interceptors
Payment systems
HPE Nonstop Applications and Databases
Web/cloud applications (AWS, Azure)
Enterprise applications
Volumes and storage
Third party SaaS gateways


ArcSight & Voltage = SOC with Privacy
Data protection proof of concept


Using HPE Security – Data security for event de-identification
Where to implement?

Diagram: Events, HPE Voltage SecureData, HPE ArcSight ESM/Logger, HPE ArcSight ArcMC/Connectors, with positions marked a, b and c


ArcSight with Voltage privacy proof of concept

Diagram: PCI events, HPE Voltage SecureData (tokenize specific attributes, de-tokenize specific attributes), HPE ArcSight ESM in an outsourced or internal but non PCI compliant environment (fraud detection), CERT case

Original: cc_number=1111-2222-3333-4444
Tokenized, as held in HPE ArcSight ESM: cc_number=2081-8866-4532-5518


Live demo

In this short demo we want to

– Receive Windows logon event messages and de-identify the username attribute “duser”
– Pick any base event with a de-identified user name in it
– Right click on that user name and invoke an integration command to access the original attribute


Using HPE Security – Data security for event de-identification
Proof-of-concept

Diagram: Events, original syslog message (syslog UDP/514), attribute de-identification, de-identified syslog message (syslog, TCP or UDP/514), HPE ArcSight ESM. The original attribute and the protected attribute are exchanged with HPE Voltage SecureData over TLS.

Python script that receives syslog events and replaces specific attributes with their protected version. It uses the CLI client to call the HPE Voltage SecureData API.

It then sends on the syslog event with the protected attribute(s) to the HPE ArcSight connector/ESM/Logger.
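The rewrite step of the syslog processor described above, as an added example that is not the PoC's script or HPE code: it parses one CEF event and swaps the `duser` value for a protected one. `StandInProtector`, `deidentify`, the key and the sample event are hypothetical; the stand-in is a keyed lookup-table tokenizer, not Voltage FPE or SST, and a real deployment would call the SecureData client at that point.

```python
import hashlib
import hmac
import re
import string

SENSITIVE_KEYS = ("duser",)         # CEF extension keys to de-identify
DEMO_KEY = b"constructed-demo-key"  # assumption: stand-in secret, not a Voltage key
ALPHABETS = (string.digits, string.ascii_lowercase, string.ascii_uppercase)

class StandInProtector:
    """Hypothetical stand-in for the protection service: keyed tokens that
    keep length and character classes, plus a table for authorized reversal."""

    def __init__(self, key=DEMO_KEY):
        self.key, self.vault = key, {}  # vault maps token -> original

    def protect(self, value):
        stream = hmac.new(self.key, value.encode(), hashlib.sha256).digest()
        token = ""
        for i, ch in enumerate(value):
            alpha = next((a for a in ALPHABETS if ch in a), None)
            # Separators such as '.', '@' and '-' are kept as they are.
            token += alpha[stream[i % len(stream)] % len(alpha)] if alpha else ch
        if self.vault.setdefault(token, value) != value:
            raise ValueError("token collision in stand-in vault")
        return token

    def access(self, token):
        return self.vault[token]        # the "access original attribute" step

def deidentify(line, protector, keys=SENSITIVE_KEYS):
    """Replace the values of the sensitive CEF extension keys in one syslog line."""
    start = line.find("CEF:")
    # Seven unescaped pipes separate the CEF header fields from the extension.
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7) if start >= 0 else []
    if len(parts) < 8:
        return line                     # no CEF extension: nothing to rewrite
    names = "|".join(re.escape(k) for k in keys)
    # A value runs until the next " key=" or the end of the extension.
    field = re.compile(rf"(?<!\S)({names})=(.*?)(?=\s+\w+=|\s*$)")
    parts[7] = field.sub(lambda m: f"{m.group(1)}={protector.protect(m.group(2))}", parts[7])
    return line[:start] + "|".join(parts)

# Constructed sample: a Windows logon event in CEF behind a syslog header.
SAMPLE = ("<134>Nov 10 12:00:00 dc01 CEF:0|Microsoft|Microsoft Windows|6.3|"
          "Microsoft-Windows-Security-Auditing:4624|An account was successfully "
          "logged on.|Low|duser=jnovak dst=10.0.0.5 dhost=dc01")
```

The same user name always maps to the same token, so correlation on `duser` in ESM keeps working on protected events.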


Using HPE Security – Data security for event de-identification
Proof-of-concept

Diagram: Events, HPE Voltage SecureData, HPE ArcSight ESM. "Access specific attrib." exchanges the protected attribute for the original attribute over TLS.

User with appropriate privileges right-clicks on protected event field and requests the original item via an integration command calling the HPE Voltage Web-API.


ArcSight & Voltage integration
Under the hood options


#0 Data anonymization with external mapper

Diagram: Source Event data, Connector external mapper, DB to API middleware, Voltage SecureData server, ESM / Logger

• Not suited for the use case
• Required DB to API middleware
• Not pursued


#1a Data anonymization in-line

Diagram: Source Event data, Collecting Connector, Syslog processor, Forwarding Connector, ESM / Logger, Voltage SecureData server; links labelled CEF

• First PoC design worked
• Python + Voltage SDCL
• Data travels to Voltage server


#1b Data anonymization in-line

Diagram: Source Event data, Collecting Connector, Syslog processor, Forwarding Connector, ESM / Logger, Voltage SecureData server; links labelled CEF

• Faster than 1a
• Perl + Voltage REST API
• Data travels to Voltage server


#1c Data anonymization in-line

Diagram: Source Event data, Collecting Connector, Syslog processor, Forwarding Connector, ESM / Logger, Voltage SecureData server; links labelled CEF

• Work in progress
• Java + Voltage SimpleAPI
• Key is pulled from Voltage server


#2 Data anonymization diode

Diagram: Source Event data, Collecting Connector, File Processor, Forwarding Connector, ESM / Logger, Voltage SecureData server; links labelled CSV

• Faster bulk processing, but delay on file handling
• Voltage File Processor
• Key is pulled from Voltage server


#3 Data anonymization event broker

Diagram: Source Event data, Collecting Connector, Kafka Event Broker (publish, subscribe), ESM / Logger, Voltage SecureData server

Subscribe to "sensitive" topic
Publish the "anonymized" topic

• Work in progress..
• Kafka internal transformation or external subscriber/publisher?


Data anonymization options with Voltage Data Security

Source Event data to ESM / Logger via:

Syslog processor: in-line
File Processor: data-diode
Kafka Event Broker: message bus


Start small to get fast results

Both ArcSight and Voltage provide open and flexible architecture to solve your privacy requirements.

Try it!