© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Workflow with ArcSight ESM
Brian McNelly, Senior Consultant


Workflow best practices
Verified on ArcSight 6.0C and earlier versions


    Event workflow: stages and annotations

Problem it solves: work can flow between different users with different roles, ensuring continuous investigations with escalating levels of complexity and reducing the likelihood of duplicated effort.

Features
• Steps (called stages) that make up a collaborative workflow used by security operations analysts
• A light-weight way to isolate and escalate individual events
• A method to inform, escalate, and track events of interest

Key SOC benefits
• Triage tool used before escalating an event to an incident
• Ownership is tracked, as are comments and workflow, to ensure investigations are consistent
• Measurable and visible to organizational leaders

[Diagram: SOC Console monitoring stages and workflow. Stages shown: Queued, Event triage (SOC triage), Level 1 investigating, Level 2 escalation, Level 2 investigating; outcomes: SOC case created, False positive (no action). Level 1 and Level 2 analysts each work from active channel(s) fed by ArcSight; design, testing & focused monitoring also uses active channel(s).]


    Event annotation stages

Stage setup
• Require the analyst to modify the annotation stage before any final action can be taken
• Use workflow controls on subsequent stages

Benefits: accountability, analytical quality, ownership
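As an added example (not code from the HP deck or from ArcSight itself), the stage controls described above can be modelled as a small state machine: no final stage is reachable from Queued, so an analyst must change the stage before closing an event, and Level 2 stages may only be set by a Level 2 role. The transition ordering is assumed from the workflow diagram and the role names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Stage names as they appear on the slide's workflow diagram
QUEUED = "Queued"
L1_INV = "Level 1 investigating"
L2_ESC = "Level 2 escalation"
L2_INV = "Level 2 investigating"
CASE = "SOC case created"
FALSE_POS = "False positive no action"
FINAL = {CASE, FALSE_POS}

# Allowed transitions (ordering assumed from the diagram); nothing final is reachable from Queued
TRANSITIONS = {
    QUEUED: {L1_INV},
    L1_INV: {CASE, FALSE_POS, L2_ESC},
    L2_ESC: {L2_INV},
    L2_INV: {CASE, FALSE_POS},
}
# Workflow control on subsequent stages: which role may set each stage (role names are constructed)
ROLE_FOR_STAGE = {
    L1_INV: {"level1"}, L2_ESC: {"level1"}, L2_INV: {"level2"},
    CASE: {"level1", "level2"}, FALSE_POS: {"level1", "level2"},
}

@dataclass
class AnnotatedEvent:
    event_id: str
    stage: str = QUEUED
    owner: Optional[str] = None
    # Audit trail of (user, old stage, new stage, comment): ownership and comments are tracked
    audit: list = field(default_factory=list)

    def annotate(self, user: str, role: str, new_stage: str, comment: str = "") -> None:
        if new_stage not in TRANSITIONS.get(self.stage, set()):
            raise ValueError(f"{self.stage!r} -> {new_stage!r} is not a workflow transition")
        if role not in ROLE_FOR_STAGE[new_stage]:
            raise PermissionError(f"role {role!r} may not set stage {new_stage!r}")
        self.audit.append((user, self.stage, new_stage, comment))
        self.stage, self.owner = new_stage, user

    def is_final(self) -> bool:
        return self.stage in FINAL

def stage_counts(events: list) -> dict:
    """Per-stage totals, the kind of figure made visible to SOC leadership."""
    counts: dict = {}
    for e in events:
        counts[e.stage] = counts.get(e.stage, 0) + 1
    return counts
```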


    Best practice: active channels

Active channel setup
• Simple single pane of glass
• Only present correlated events for analysis
• Use the message field to present important information
• Opt-in rules by setting the annotation stage

Individual active channels
• Start with a baseline setup
• Allow individuals write access to their channel
• Analysts can personalize their active channel

[Diagram: individual channels (one per analyst) alongside a shared channel, all fed from ArcSight.]


    Customizable case management

Problem it solves: centralization of information related to a security incident, including the underlying events, analytical history, and related data, within a single interface.

Features
• Ability to track incidents through HP ArcSight's built-in trouble ticket system
• Use as a standalone ticketing solution OR integrate with a third-party case management system

Key SOC benefits
• Labels, fields & values can adapt to the SOC incident taxonomy
• Events attached to an investigation are retained for historical analysis and reporting
• User interaction with case attributes is logged (audit trail)
• GUI customizations carry over to the HP ArcSight Web interface


    Case workflow customization advantages

Internal case routing
• Ownership
• Route cases to SOC sub-groups: engineering, Level 2 analysts
• Eliminates case management by folder structure

SOC feedback loop
• SOC metrics: individual and SOC KPIs, stakeholder metrics, incident types, incident categories, time to resolution, locations
• Stakeholder escalation: web console, two-way communication, event logs, feedback loop


    Case UI customization - files

• CaseUI: controls the layout of the user interface
• Resource Strings: controls the values of the dropdown boxes and data labels
• Label Strings: controls the labels of tabs, tables, and headers
• Case Properties: determines the attributes of cases written to ArcSight events


    Before and after


    Case workflow: Search Groups

Problem it solves: search groups actively display query results based on case attributes, events, and/or time, and are customizable to an individual.

Features
• Use the Common Conditions Editor for the query
• Ability to query events attached to a case
• A method to inform, escalate, and track events of interest

Key SOC benefits
• Displays results based on case attribute changes in real time
• Cases can appear in more than one search group result


    Lessons learned

Plan ahead!
• Who are the SOC stakeholders?
• How will the SOC use ArcSight cases?
• How are you going to use cases internally?
• Filter requests / engineering feedback

Metrics
• What metrics do you need to generate?
• How do you categorize your incidents?

Development plan
• Use a development or backup system
• Schedule and communicate changes


    For more information

Attend these sessions
• TT1197, How Mature is your SOC?
• BS1195, 5G/SOC: The World's Most Advanced SOC
• TT1208, Got Reports?

Visit these demos
• Mock SOC, Solution Pavilion
• Software Pavilion

After the event
• Contact your sales rep
• Visit HP ESP at: www.hp.com/go/espservices
• Visit HP SIOC at: www.hp.com/go/sioc
• Download the whitepaper: "Building a Successful SOC"

    Your feedback is important to us. Please take a few minutes to complete the session survey.


    Thank you


    Security for the new reality
