Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Workflow with ArcSight ESM Brian McNelly, Senior Consultant
Workflow best practices Verified on ArcSight 6.0C and earlier versions
Event workflow: stages and annotations
Problem it solves
Work can flow between different users with different roles, ensuring continuous investigations with escalating levels of complexity and reducing the likelihood of duplicated effort.
Features
Steps (called stages) that make up a collaborative workflow used by security operations analysts
A light-weight way to isolate and escalate individual events
A method to inform, escalate, and track events of interest
Key SOC benefits
Triage tool used before escalating an event to an incident
Ownership is tracked, as are comments and workflow, to ensure investigations are consistent
Measurable and visible to organizational leaders
[Diagram: SOC Console monitoring stages and workflow. Events from ArcSight feed active channel(s) for Level 1 and Level 2 event triage. Level 1 stages shown: Queued, Level 1 investigating; SOC triage outcomes: SOC case created, False positive no action, Level 2 escalation. Level 2 stage shown: Level 2 investigating; outcomes: SOC case created, False positive no action. A separate track is labelled "Design, testing & focused monitoring".]
Event annotation stages
Stage setup
Require the analyst to modify the annotation stage before any final action can be taken
Use workflow controls on subsequent stages
Accountability, Analytical Quality, Ownership
Best practice: active channels
Active channel setup
Simple single pane of glass
Only present Correlated Events for analysis
Use the message field to present important information
Opt-in rules by setting annotation stage
Individual Active Channels
Start with a baseline setup
Allow individuals write access to their channel
Analysts can personalize their active channel
[Diagram: several individual channels, each fed by ArcSight, alongside one shared channel fed by ArcSight]
Customizable case management
Problem it solves
Centralization of information related to a security incident, including the underlying events, analytical history, and related data, within a single interface.
Features
Ability to track incidents through HP ArcSight's built-in trouble ticket system
Use as a standalone ticketing solution OR integrate with a third-party case management system
Key SOC benefits
Labels, fields and values can adapt to the SOC incident taxonomy
Events attached to an investigation are retained for historical analysis and reporting
User interaction with case attributes is logged (audit trail)
GUI customizations carry over to the HP ArcSight Web interface
Case workflow customization advantages
Internal case routing
Ownership
Route cases to SOC sub-groups (Engineering, Level 2 Analysts)
Eliminates case management by folder structure
SOC feedback loop
SOC metrics: individual and SOC KPIs, stakeholder metrics, incident types, incident categories, time to resolution, locations
Stakeholder escalation: Web console, two-way communication, event logs, feedback loop
Case UI customization - files
CaseUI: controls the layout of the user interface
Resource Strings: controls the values of the dropdown boxes and the data labels
Label Strings: controls the labels of tabs, tables, and headers
Case Properties: determines the attributes of cases written to ArcSight events
Before and after
Before and after
Case workflow: Search Groups
Problem it solves
Search groups actively display query results based on case attributes, events, and/or time, and are customizable per individual.
Features
Use the Common Conditions Editor for the query
Ability to query events attached to a case
A method to inform, escalate, and track events of interest
Key SOC benefits
Displays results based on case attribute changes in real time
Cases can appear in more than one Search Group result
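The Python model below is added here as an illustration; it is not part of the deck and not ArcSight ESM code. It ties together the annotation-stage workflow (the stage setup rule that an analyst must modify the stage before any final action), the ownership and audit trail, the time-to-resolution metric from the case workflow slide, and the search-group idea from this slide. Only the stage names are taken from the deck's diagram; the transition table, the AnnotatedEvent and AuditEntry classes, the helper functions, the analyst names and the event ids are all assumptions constructed for the example.

```python
# Toy model of the deck's event-annotation workflow. Constructed example, not
# ArcSight ESM code: stage names follow the deck's diagram; the transition table,
# classes and helpers below are assumptions made for this page.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Optional

QUEUED = "Queued"
L1_INVESTIGATING = "Level 1 investigating"
L2_ESCALATION = "Level 2 escalation"
L2_INVESTIGATING = "Level 2 investigating"
CASE_CREATED = "SOC case created"
FALSE_POSITIVE = "False positive no action"

# Permitted stage changes (assumed from the diagram). A final action is only
# reachable from an investigating stage, so the annotation stage must be
# modified before a case can be created or the event closed.
TRANSITIONS = {
    QUEUED: {L1_INVESTIGATING},
    L1_INVESTIGATING: {L2_ESCALATION, CASE_CREATED, FALSE_POSITIVE},
    L2_ESCALATION: {L2_INVESTIGATING},
    L2_INVESTIGATING: {CASE_CREATED, FALSE_POSITIVE},
}
FINAL_STAGES = {CASE_CREATED, FALSE_POSITIVE}


@dataclass
class AuditEntry:
    """One logged stage change: who, when, from/to, and the analyst's comment."""
    when: datetime
    analyst: str
    old_stage: str
    new_stage: str
    comment: str


@dataclass
class AnnotatedEvent:
    event_id: str
    queued_at: datetime
    stage: str = QUEUED
    owner: Optional[str] = None
    audit: List[AuditEntry] = field(default_factory=list)

    def set_stage(self, analyst: str, new_stage: str, comment: str, when: datetime) -> None:
        """Workflow control: reject closed events, illegal transitions and empty comments."""
        if self.stage in FINAL_STAGES:
            raise ValueError(f"{self.event_id} is already closed as '{self.stage}'")
        if new_stage not in TRANSITIONS[self.stage]:
            raise ValueError(f"'{self.stage}' -> '{new_stage}' is not permitted")
        if not comment.strip():
            raise ValueError("a comment is required on every stage change")
        self.audit.append(AuditEntry(when, analyst, self.stage, new_stage, comment))
        self.stage = new_stage
        self.owner = analyst  # ownership follows the last analyst to change the stage

    def is_closed(self) -> bool:
        return self.stage in FINAL_STAGES

    def time_to_resolution(self) -> Optional[timedelta]:
        return self.audit[-1].when - self.queued_at if self.is_closed() else None


def search_group(events, condition: Callable[[AnnotatedEvent], bool]) -> List[AnnotatedEvent]:
    """A search group is a condition evaluated over the current event attributes."""
    return [e for e in events if condition(e)]


def soc_metrics(events) -> dict:
    """Open/closed counts, outcome breakdown and mean time to resolution (seconds)."""
    closed = [e for e in events if e.is_closed()]
    by_outcome = {}
    for e in closed:
        by_outcome[e.stage] = by_outcome.get(e.stage, 0) + 1
    ttrs = [e.time_to_resolution().total_seconds() for e in closed]
    return {"open": len(events) - len(closed), "closed": len(closed),
            "by_outcome": by_outcome, "mean_ttr_seconds": sum(ttrs) / len(ttrs) if ttrs else 0.0}


def build_sample_queue() -> List[AnnotatedEvent]:
    """Three constructed events worked through the stages by fictional analysts."""
    t0 = datetime(2013, 6, 11, 9, 0, 0)
    e1 = AnnotatedEvent("evt-1001", t0)
    e1.set_stage("alice", L1_INVESTIGATING, "picking up from queue", t0 + timedelta(minutes=5))
    e1.set_stage("alice", FALSE_POSITIVE, "approved vulnerability scanner", t0 + timedelta(minutes=15))
    e2 = AnnotatedEvent("evt-1002", t0)
    e2.set_stage("alice", L1_INVESTIGATING, "unusual outbound volume", t0 + timedelta(minutes=10))
    e2.set_stage("alice", L2_ESCALATION, "needs packet capture review", t0 + timedelta(minutes=30))
    e2.set_stage("bob", L2_INVESTIGATING, "taking ownership", t0 + timedelta(minutes=35))
    e2.set_stage("bob", CASE_CREATED, "confirmed, opening a case", t0 + timedelta(hours=1))
    e3 = AnnotatedEvent("evt-1003", t0 + timedelta(minutes=20))
    e3.set_stage("carol", L1_INVESTIGATING, "reviewing", t0 + timedelta(minutes=25))
    return [e1, e2, e3]


def skipping_triage_is_rejected() -> bool:
    """Creating a case straight from Queued must fail: the stage was never modified."""
    e = AnnotatedEvent("evt-2000", datetime(2013, 6, 11, 9, 0, 0))
    try:
        e.set_stage("dave", CASE_CREATED, "raising a case", datetime(2013, 6, 11, 9, 1, 0))
    except ValueError:
        return True
    return False
```

Running `soc_metrics(build_sample_queue())` gives one open event, two closed ones (one false positive, one case) and a mean time to resolution of 2250 seconds; `search_group` with different conditions shows the same event appearing in both a "closed" group and a "case created" group, which is the point of the slide's last bullet. The audit list on each event is the record that makes ownership and analytical quality reviewable.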
Lessons learned
Plan ahead!
Who are the SOC stakeholders?
How will the SOC use ArcSight cases?
How are you going to use cases internally?
Filter requests/engineering feedback
Metrics
What metrics do you need to generate?
How do you categorize your incidents?
Development plan
Use a development or backup system
Schedule and communicate changes
For more information
Attend these sessions
TT1197, How Mature is your SOC?
BS1195, 5G/SOC: The World's Most Advanced SOC
TT1208, Got Reports?
Visit these demos
Mock SOC, Solution Pavilion
Software Pavilion
After the event
Contact your sales rep
Visit HP ESP at: www.hp.com/go/espservices
Visit HP SIOC at: www.hp.com/go/sioc
Download the whitepaper: Building a Successful SOC
Your feedback is important to us. Please take a few minutes to complete the session survey.
Thank you
Security for the new reality