
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof of concepts


  • Confidential - Proficio, Inc

    Tips and Tricks for MSSPs Leveraging ArcSight ESM to Win Proof of Concepts

    Make ArcSight Great Again Was Not Approved as a Title to this Presentation

    Introducing the Speakers

    Bryan Borra, SOC and SIEM Director

    Bryan manages the SIEM and SOC teams at Proficio. He previously worked at SAIC / Leidos / McAfee. He's nicknamed "SIEM Destroyer" for creating the wrong content at the wrong time for a few SIEM instances.

    Jordan Knopp, SIEM Content Engineer

    Jordan leads the development of SIEM content for several key contracts for Proficio's ProSOC services. He also currently serves as Proficio's in-house machine learning solution.

    Tristan Reed, SIEM Content Engineer

    Tristan leads the development of SIEM monitoring solutions for several products. He has recently been engaged in monitoring cloud platforms and specializes in bricking IoT devices to be used in demos.

    Proficio, Southern California and Singapore based MSSP

    Proficio is an award-winning MSSP that leverages HPE ArcSight ESM to provide a multitenant SIEM-as-a-Service offering along with 24x7 SOC monitoring (ProSOC).

    Agenda

    Introduce common problems we encounter as an MSSP

    Detail solutions to these issues, including:

    1. Running efficient reports

    2. Deploying effective content architecture

    3. Monitoring new cloud data sources

    Reports: Modern Visuals

    Reports: What We See

    Reports: What Our Customers Told Us

    Concurrently Running Reports Limit

    Limit of 5 on NumberOfReportsCurrentlyQueryingDB (the number of reports querying the database at the same time)

    Ref: /All Dashboards/ArcSight Administration/ESM/System Health/Resources/Reporting/Report Details

    Reports: What We Asked Ourselves

    Reports Requirements as an MSSP

    Run hundreds of reports on a weekly basis

    Have customized templates for branding and client

    Be able to provide SIEM-as-a-service around reporting

    Never overload the reporting engine

    Reports Templates: Header / Footer

    Toggling the header and footer bubble will change the view of the whole template but only affect

    Reports Templates

    Easy hex picker: http://www.ginifab.com/feeds/pms/pms_color_in_image.php

    Respond

    Select Properties on any chart control and then select Advanced on the Chart tab


    Reports: Trends and Active Lists

    Higher EPS as an MSSP means lower report performance

    SIEM-as-a-Service issues

    Demand for monthly and weekly reports

    Overload on scheduled reports for Fridays and Mondays

    Reports: Trends Versus Active Lists

    Trends:
    Less than 1,000,000 events in a month
    Usually have to be scheduled hourly
    Can go back over historical data
    Delays on collection by hour / day
    More trend failures
    Harder to set up than lists
    Advantage of aggregation

    Active Lists:
    Less than 100,000 events in a month
    Driven by simple rules
    Real-time as events are collected
    Rules can trigger on repetition
    Advantages of keys and value fields
    TTLs make management straightforward
    Session lists: what are those?

    Reports: Common Reports

    Trends:
    IDPS events of interest
    Antivirus events
    Event collection statistics
    Webfilter event statistics
    Windows account logon failures

    Active Lists:
    Windows group changes
    Windows account lockouts
    Firewall admin commands
    Windows user account modifications
    Special security devices

    Sample Active List / Trend Setup

    Active list path (sample: Windows Group Changes): Rule Action: Add to List, then Add to Reporting List

    Trend path (sample: IDPS Events of Interest): Schedule Hourly Trend, then Gather Reporting Trend
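As an added illustration of the trade-offs above (example code written for this page, not code from the presentation and not how ESM implements these resources), the following Python models the two reporting paths side by side: a rule that writes Windows group-change events into a keyed active list with a TTL and fires when a key repeats, and an hourly trend that aggregates IDPS events in batches and therefore reports nothing for the hour still in progress. The events are constructed; Windows event IDs 4728 and 4732 (member added to a security-enabled global / local group) are the real IDs.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not customer data). 'ts' is the time the event was collected.
EVENTS = [
    {"ts": "2016-09-12T09:05:00", "device": "Windows", "event_id": 4728, "user": "jdoe", "group": "Domain Admins"},
    {"ts": "2016-09-12T09:06:00", "device": "IDPS", "signature": "ET SCAN Nmap"},
    {"ts": "2016-09-12T09:20:00", "device": "IDPS", "signature": "ET SCAN Nmap"},
    {"ts": "2016-09-12T09:40:00", "device": "Windows", "event_id": 4728, "user": "jdoe", "group": "Domain Admins"},
    {"ts": "2016-09-12T10:15:00", "device": "IDPS", "signature": "ET TROJAN Beacon"},
    {"ts": "2016-09-12T10:30:00", "device": "Windows", "event_id": 4732, "user": "svc_backup", "group": "Administrators"},
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def hour_of(dt):
    return dt.replace(minute=0, second=0, microsecond=0)


class ActiveList:
    """Keyed entries with value fields and a TTL, written by a rule action as each event arrives."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.entries = {}  # key -> {"count", "first", "last"}

    def add(self, key, when):
        entry = self.entries.get(key)
        if entry is None or when - entry["last"] > self.ttl:  # an expired entry is replaced, not extended
            entry = self.entries[key] = {"count": 0, "first": when, "last": when}
        entry["count"] += 1
        entry["last"] = when
        return entry["count"]

    def live(self, now):
        """Entries whose TTL has not elapsed; expired ones drop out of the report by themselves."""
        return {k: v for k, v in self.entries.items() if now - v["last"] <= self.ttl}


class HourlyTrend:
    """Scheduled aggregation: each run only counts hours that closed before the run started,
    so the newest partial hour is invisible to reports until the next run (the 'delay' row)."""

    def __init__(self):
        self.buckets = defaultdict(Counter)  # hour -> Counter(signature)
        self.done = set()  # hours already aggregated by an earlier run

    def run(self, events, run_at):
        cutoff = hour_of(run_at)
        for ev in events:
            hour = hour_of(parse(ev["ts"]))
            if hour < cutoff and hour not in self.done:
                self.buckets[hour][ev["signature"]] += 1
        self.done.update(h for h in self.buckets if h < cutoff)

    def report(self):
        return {h.isoformat(): dict(c) for h, c in sorted(self.buckets.items())}


def run_reporting(events, now, ttl=timedelta(hours=24), repeat_threshold=2):
    """Feed the events collected up to 'now' through both paths and return what each would report."""
    arrived = [ev for ev in events if parse(ev["ts"]) <= now]
    group_list = ActiveList(ttl)
    trend = HourlyTrend()
    alerts = []
    for ev in arrived:  # real-time path: the rule evaluates every event as it is collected
        if ev["device"] == "Windows" and ev["event_id"] in (4728, 4732):  # member added to a group
            count = group_list.add((ev["user"], ev["group"]), parse(ev["ts"]))
            if count >= repeat_threshold:  # rules can trigger on repetition held in the list
                alerts.append(f"{ev['user']} added to {ev['group']} {count} times within TTL")
    trend.run([ev for ev in arrived if ev["device"] == "IDPS"], now)  # batch path, on its schedule
    return {"group_changes": group_list.live(now), "alerts": alerts, "idps_trend": trend.report()}


if __name__ == "__main__":
    print(run_reporting(EVENTS, parse("2016-09-12T10:45:00")))
```

Run at 10:45 the active list already holds both group changes and has raised the repetition alert, while the trend only has the closed 09:00 hour; the 10:15 IDPS event appears only after the 11:00 run. Run two days later, every list entry has aged past its TTL and the list report is empty, which is the TTL management the slide refers to.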

    Reports: Common Reports

    1. IPS Summary

    2. Windows Failed Logons

    3. Firewall Command Summary

    4. Blacklisted IP Correlation

    Reports: Special Reports

    1. CrowdStrike Summary

    2. DARKTRACE Summary

    3. Cylance Summary

    Reports: Portal Reporting Solution

    Choose Report Time, Choose Presentation, Choose Recipients


    Content Architecture

    Rule management

    Designing rules for scalability

    Additional correlation layers

    Thinking Ahead

    Rule Management

    Requirements:

    Accommodate blanket changes to multiple rules

    Rules should be easily readable

    Minimize complexity creep

    Achievable through layers of abstraction


    Additional Correlation Layer: Overview

    Base / Aggregated Events feed the lower-layer rules:
    AV Critical Threat Detected
    IDS Spyware Detected
    Vulnerability Scanning
    Destination IP Watchlist
    Super APT Zero Day
    etc.

    These feed one Notification Rule, which checks whitelists and checks destination, and then acts:
    Rule Action: Send Notification
    Rule Action: Create Case

    Advantages of Correlation Layering

    Easier to manage: changes can be applied at a higher level, akin to CSS for HTML

    Easier to maintain: reduces clutter by distributing additional conditions

    Low impact: efficient conditions are easy to create

    Managing Rules

    Rule Actions

    Conditions at Higher Correlation Layer

    Efficient conditions:

    1. Set a unique value as an action in the lower correlation rules

    2. Type = Correlation

    (Lower level rule action)

    Ref: All operators are not created equal: https://www.protect724.hpe.com/docs/DOC-11160

    Conditions at Higher Correlation Layer

    Using filters:

    1. Filters have a smaller performance impact in this layer

    2. Filter names provide built-in documentation

    Correlation Layering

    Independent rules:
    Changes applied individually to each rule
    Difficult to annotate
    Increasingly complex / inefficient

    Additional correlation layer:
    Most changes applied to only one rule
    Annotation through filters
    Very efficient
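The two-layer design described in the overview and the "Conditions at Higher Correlation Layer" slides, as an added Python model written for this page (not ArcSight rule content and not Proficio's): each lower-layer rule stamps its correlation event with a unique marker (the "set unique value as an action" step), and one higher-layer notification rule matches only Type = Correlation events carrying a known marker, applies the shared whitelist and destination checks, and picks the action. The rule names come from the overview slide; the marker values, whitelist, critical-asset addresses and sample events are constructed assumptions.

```python
# Shared context used only by the higher layer; constructed values.
WHITELIST_SOURCES = {"10.1.1.50"}             # the authorized vulnerability scanner
CRITICAL_ASSETS = {"10.1.2.10", "10.1.2.11"}  # destinations that warrant a case rather than a mail

# Lower layer: each base rule recognises one condition and stamps a unique marker on its
# correlation event (in ESM terms, a rule action that sets a custom field). No whitelist logic here.
BASE_RULES = [
    {"name": "AV Critical Threat Detected", "marker": "AV_CRIT",
     "match": lambda e: e["device"] == "AV" and e.get("severity") == "critical"},
    {"name": "IDS Spyware Detected", "marker": "IDS_SPYWARE",
     "match": lambda e: e["device"] == "IDS" and "spyware" in e.get("signature", "").lower()},
    {"name": "Vulnerability Scanning", "marker": "VULN_SCAN",
     "match": lambda e: e["device"] == "IDS" and "scan" in e.get("signature", "").lower()},
]


def base_layer(events):
    """Run every base rule over the base events; emit one correlation event per match."""
    correlated = []
    for ev in events:
        for rule in BASE_RULES:
            if rule["match"](ev):
                correlated.append({"type": "Correlation", "marker": rule["marker"],
                                   "rule": rule["name"], "src": ev["src"], "dst": ev["dst"]})
    return correlated


def notification_layer(corr_events, whitelist=WHITELIST_SOURCES, critical=CRITICAL_ASSETS):
    """The single higher-layer rule. Its conditions are the cheap ones from the slide:
    Type = Correlation and an equality test on the marker. Whitelist and destination checks
    live here once, so changing them changes behaviour for every base rule at the same time."""
    known = {r["marker"] for r in BASE_RULES}
    actions = []
    for c in corr_events:
        if c["type"] != "Correlation" or c["marker"] not in known:
            continue
        if c["src"] in whitelist:  # checks whitelists
            continue
        action = "create_case" if c["dst"] in critical else "send_notification"  # checks destination
        actions.append((action, c["rule"], c["src"], c["dst"]))
    return actions


def correlate(events, **context):
    """Both layers end to end; 'context' overrides the whitelist / critical sets."""
    return notification_layer(base_layer(events), **context)


# Constructed base events.
SAMPLE_EVENTS = [
    {"device": "IDS", "signature": "ET SCAN Nmap Scripting Engine", "src": "10.1.1.50", "dst": "10.1.2.10"},
    {"device": "AV", "severity": "critical", "src": "192.0.2.44", "dst": "10.1.2.10"},
    {"device": "IDS", "signature": "SPYWARE-CNC Win.Trojan beacon", "src": "192.0.2.5", "dst": "10.1.3.7"},
    {"device": "IDS", "signature": "ET SCAN Masscan", "src": "192.0.2.9", "dst": "10.1.2.11"},
    {"device": "Firewall", "action": "deny", "src": "192.0.2.9", "dst": "10.1.2.11"},
]

if __name__ == "__main__":
    for action in correlate(SAMPLE_EVENTS):
        print(action)
```

The scanner's own probe never reaches an analyst even though the Vulnerability Scanning rule matched it, and adding a second address to the whitelist suppresses that source for every base rule without touching any of them; that is the "changes applied at a higher level" advantage in working form.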

    Effects of Correlation Layering

    Before / After

    Monitoring the Cloud: Sales Perspective

    Monitoring the Cloud

    Cloud Computing Services

    Adapting Your View to IaaS

    Building Use Cases

    Cloud Computing Services

    IaaS, PaaS, SaaS

    Adapting Your View To IaaS

    Same requirements for assets in the cloud

    Monitoring infrastructure (as a service)

    Amazon Web Services infrastructure -> Traditional view:
    Security Groups -> Firewall Policies
    VPC Flow -> Firewall Traffic
    AWS API Calls (CloudTrail) -> Infrastructure Management
    Instances, Images, and Snapshots -> Logical Infrastructure Hosting Assets

    Building Use Cases (AWS)

    Identify available data sources

    Implement business context modeling

    Identify possible attack vectors

    Identify malicious activity

    Identify Data Sources (AWS)

    Leverage existing audit capabilities: AWS CloudTrail, Amazon CloudWatch

    Identify assets of security interest:
    Compute: Amazon EC2 (AMIs, instances, snapshots)
    Storage: Amazon S3 (buckets)
    Database: Amazon DynamoDB, Amazon RDS, Amazon Redshift
    Networking: Amazon VPC (flow logs, VPN gateway)

    Implement Business Context Modeling

    1. Regular maintenance schedules (creating snapshots)

    2. Authorized schedule for AWS account access

    3. Typical locations (source addresses) for AWS access

    4. Whitelist roles for 3rd party AWS accounts (e.g. CloudTrek)

    Identify Potential Attack Vectors (AWS)

    Vulnerable web services in an EC2 instance. Example: server-side request forgery to the instance metadata server

    Spear phishing: an AWS developer's credentials stolen via malicious email

    Unprotected access keys: a developer hard-coded credentials in a publicly accessible repository like GitHub

    Identifying Events of Security Interest

    Modifications to Security Groups

    Creating Snapshots / Loading into Volumes

    Running New Instances

    User Policies
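The four event categories above, triaged against the business context from the "Implement Business Context Modeling" slide (maintenance schedule for snapshots, typical source addresses, a whitelisted third-party role), as an added Python example written for this page; it is not Proficio's detection content and not ArcSight code. The CloudTrail field names used (eventName, eventTime, sourceIPAddress, userIdentity.arn, requestParameters.ipPermissions) are the real record layout; the records themselves, the authorized CIDR, the maintenance window and the whitelisted role ARN are constructed. It goes one step beyond the slide by also flagging a security group ingress rule opened to 0.0.0.0/0 or ::/0, which is the check an analyst wants on every AuthorizeSecurityGroupIngress.

```python
import ipaddress
import json
from datetime import datetime, time

# Business context from the previous slides; every value is constructed for the example.
CONTEXT = {
    "authorized_sources": ["203.0.113.0/24"],        # typical source addresses for AWS access
    "maintenance_window": (time(1, 0), time(3, 0)),  # UTC window in which snapshot jobs are expected
    "whitelisted_roles": ["arn:aws:sts::123456789012:assumed-role/ThirdPartyBackup/"],  # 3rd-party role
}

# CloudTrail eventName -> the category on the slide. Only these names are triaged; extend as needed.
EVENTS_OF_INTEREST = {
    "AuthorizeSecurityGroupIngress": "security group", "AuthorizeSecurityGroupEgress": "security group",
    "RevokeSecurityGroupIngress": "security group", "CreateSecurityGroup": "security group",
    "DeleteSecurityGroup": "security group",
    "CreateSnapshot": "snapshot", "CreateVolume": "snapshot", "AttachVolume": "snapshot",
    "RunInstances": "instance",
    "PutUserPolicy": "user policy", "AttachUserPolicy": "user policy", "CreatePolicyVersion": "user policy",
}


def source_authorized(ip, ctx):
    if not ip:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # sourceIPAddress is a service DNS name when AWS made the call on the user's behalf
        return True
    return any(addr in ipaddress.ip_network(net) for net in ctx["authorized_sources"])


def in_window(when, ctx):
    start, end = ctx["maintenance_window"]  # assumes a window that does not cross midnight
    return start <= when.time() <= end


def world_reachable(params):
    """True if an ingress rule in requestParameters opens a port to 0.0.0.0/0 or ::/0."""
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in (perm.get("ipRanges") or {}).get("items", [])):
            return True
        if any(r.get("cidrIpv6") == "::/0" for r in (perm.get("ipv6Ranges") or {}).get("items", [])):
            return True
    return False


def triage(records, ctx=CONTEXT):
    """One finding per event of interest, rated 'high' when it falls outside the business context."""
    findings = []
    for rec in records:
        category = EVENTS_OF_INTEREST.get(rec["eventName"])
        if category is None:
            continue
        actor = rec["userIdentity"].get("arn", "")
        if any(actor.startswith(prefix) for prefix in ctx["whitelisted_roles"]):
            severity, reasons = "info", ["whitelisted third-party role"]
        else:
            when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            reasons = []
            if not source_authorized(rec.get("sourceIPAddress", ""), ctx):
                reasons.append("unrecognised source address")
            if category == "snapshot" and not in_window(when, ctx):
                reasons.append("outside maintenance window")
            if category == "security group" and world_reachable(rec.get("requestParameters") or {}):
                reasons.append("world-reachable ingress")
            severity = "high" if reasons else "info"
        findings.append({"eventName": rec["eventName"], "category": category, "actor": actor,
                         "sourceIPAddress": rec.get("sourceIPAddress"), "severity": severity,
                         "reasons": reasons})
    return findings


# Constructed CloudTrail records in the real record layout (a trimmed CloudTrail log file).
SAMPLE_CLOUDTRAIL = """{"Records": [
{"eventTime": "2016-09-12T02:10:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateSnapshot",
 "sourceIPAddress": "203.0.113.8", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/backupbot"},
 "requestParameters": {"volumeId": "vol-0123456789abcdef0"}},
{"eventTime": "2016-09-12T14:30:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateSnapshot",
 "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/devuser"},
 "requestParameters": {"volumeId": "vol-0123456789abcdef0"}},
{"eventTime": "2016-09-12T14:31:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
 "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/devuser"},
 "requestParameters": {"groupId": "sg-0fedcba987654321f", "ipPermissions": {"items": [{"ipProtocol": "tcp",
 "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
{"eventTime": "2016-09-12T03:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
 "sourceIPAddress": "203.0.113.8", "userIdentity": {"type": "AssumedRole",
 "arn": "arn:aws:sts::123456789012:assumed-role/ThirdPartyBackup/nightly"}, "requestParameters": {"instanceType": "t2.micro"}},
{"eventTime": "2016-09-12T14:40:00Z", "eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
 "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/devuser"},
 "requestParameters": {"userName": "devuser", "policyName": "AllowAll"}},
{"eventTime": "2016-09-12T14:41:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
 "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/devuser"}}
]}"""
RECORDS = json.loads(SAMPLE_CLOUDTRAIL)["Records"]

if __name__ == "__main__":
    for finding in triage(RECORDS):
        print(finding["severity"], finding["eventName"], finding["reasons"])
```

The nightly snapshot from the corporate range inside the maintenance window and the whitelisted third-party role's RunInstances both come out as "info", so the customer is not paged for scheduled work; the three devuser calls from an unknown address (snapshot, SSH opened to the world, new user policy) are the pattern of the stolen-credential and leaked-key vectors on the previous slide and all rate "high". DescribeInstances is read-only and never enters the findings.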

    Questions?

    www.Proficio.com

    Thank you