
HP ArcSight & Ayehu eyeShare - Security Automation


Page 1: HP ArcSight & Ayehu eyeShare - Security Automation

Ayehu eyeShare Automation

Or Cohen – We Ankor 2014

[email protected]

Page 2: HP ArcSight & Ayehu eyeShare - Security Automation

Sunday, August 17, 2014 slide 2

The problems most SOCs have today

• Many daily alerts, even after advanced aggregation and correlation.

• Responding to every alert is not always possible due to lack of physical/virtual access, tools, time, or knowledge.

• Just initiating the response may take hours or even days – long after the initial alert was triggered.

• Response procedures are often non-existent or not strict enough – resulting in different responses to the same alerts.

• Not all alerts are handled, causing the SOC to miss possible incidents.

Page 3: HP ArcSight & Ayehu eyeShare - Security Automation

The problems most SOCs have today

Most companies want to tackle the “Unknown” threats.

Yet the same companies still struggle with the most common “Known” threats.

Page 4: HP ArcSight & Ayehu eyeShare - Security Automation

What a SOC needs

• Build clear and strict response procedures for known alerts.

• Start a clear and strict response procedure for every single alert within seconds.

• Reduce false positives using automated data enrichment and collection processes from various sources post-alert.

• Minimize SOC work around scriptable procedures, allowing the SOC to focus its work on actions that cannot be automated.

• Increase the number of alerts handled to provide better coverage.

Page 5: HP ArcSight & Ayehu eyeShare - Security Automation

The solution – Ayehu eyeShare automation

• Complete automation or semi-automation of IR processes.

• Data enrichment and data collection.

• False-Positive reduction.

• Ticketing and event management.


Page 6: HP ArcSight & Ayehu eyeShare - Security Automation

The solution – Achieving effective automation

Systems & Content – System: a Netflow rule monitoring laptop communication.

Scenarios – For example: a compromised laptop floods a critical system.

Risk – For example: availability loss to a critical system.

• Phase A – Plan monitoring according to risks.

• Must be suited to YOUR COMPANY.

Page 7: HP ArcSight & Ayehu eyeShare - Security Automation

The solution – Achieving effective automation

• Phase B – Plan the response procedure according to the risk, scenario, systems, knowledge, and available tools.

• Must be suited to YOUR COMPANY.

Example response flowchart (arriving mail):

• Mail arriving

• Has links in body? (YES / No)

  • YES: Check Virustotal → Malicious evidence? (YES / No)

    • YES: Open ticket to block in Websense and TM WebRep

• Has attachments? (YES / No)

  • YES: Encrypted? (YES / No)

    • No: Check Virustotal → Malicious evidence? (YES / No)

      • YES: Send MD5 to ArcSight; send to TM; log and notify SOC

• End workflow and notify SOC

Page 8: HP ArcSight & Ayehu eyeShare - Security Automation

The solution – Achieving effective automation

• Phase C – Automate the response procedure according to the risk, scenario, systems, knowledge, and available tools.

• Must be suited to YOUR COMPANY.

Page 9: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Planning – User Running Brute Force

Diagram: host WS98123 with user User_adm_14 fails to login five times (attempts 1–5), each failure logged in AD.

Rule: User running Brute Force Attack! Hostname: WS98123, User: User_adm_14, Number of failed attempts: 5.

Page 10: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Planning – User Running Brute Force

• Possible questions to ask:

  • Is the user a valid user in AD? If so, does it belong to a person or a service?

  • Is the user a member of a critical group, or does it have administrative privileges?

  • Is the user currently locked?

  • Did the user reset his/her password recently?

• Possible actions to take:

  • Ask the person in charge of the user if he/she failed to login from that host.

  • Lock/disable the account (if not already locked by DC policy).

  • Send the host to a different VLAN using NAC/IPS.


How much time would it take to answer/perform these tasks in your SOC?

Page 12: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – User Running Brute Force


• ArcSight alerts eyeShare using the OOTB e-mail template with all information related to the incident.

Page 13: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – User Running Brute Force


• eyeShare opens an internal ticket for operators to see the incident.

Page 14: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – User Running Brute Force

• eyeShare queries AD to check whether the user exists.

Page 15: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – User Running Brute Force


• If the user exists, eyeShare queries AD again, getting the user’s mobile phone number.

Page 16: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – User Running Brute Force


• eyeShare sends a text message to the user, asking him/her if he/she failed to login on the relevant host.

Page 17: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – User Running Brute Force


• If the user replies “yes”, the internal ticket is closed and the incident is resolved.

Page 18: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case – User Running Brute Force


• If the user replies “no”, or does not reply in 10 minutes, the severity of the internal ticket is raised, and the user is disabled for 10 minutes.

Page 19: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – User Running Brute Force

• If the user does not exist, eyeShare sends a text message to the operator on call, asking if he/she knows the user or any details about the incident.

Page 20: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – User Running Brute Force


• If the operator on call replies with “yes”, the internal ticket is closed and the incident is resolved.

Page 21: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – User Running Brute Force


• If the operator on call replies with “no”, or does not reply in 10 minutes, the severity of the internal ticket is raised, and the host is quarantined by the NAC.
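The branching of slides 12 through 21 as one decision function, added here as an example that is not part of the deck or of the eyeShare product; lookup_user, ask, operator_phone and the returned action tuples are assumed names standing in for the AD, SMS, ticketing and NAC integrations, and the 10-minute values are the ones the slides give.

```python
from typing import Callable, Optional

REPLY_TIMEOUT_S = 10 * 60   # "does not reply in 10 minutes"
DISABLE_SECONDS = 10 * 60   # "the user is disabled for 10 minutes"

def brute_force_workflow(alert: dict,
                         lookup_user: Callable[[str], Optional[dict]],   # AD query: attributes or None
                         ask: Callable[[str, str, int], Optional[str]],  # SMS question: "yes"/"no"/None on timeout
                         operator_phone: str) -> list:
    """Return, in order, the actions the workflow takes for one ArcSight alert."""
    user, host = alert["user"], alert["host"]
    actions = [("open_ticket", f"Brute force: user={user} host={host}")]
    ad_user = lookup_user(user)
    if ad_user is not None:
        # Slides 15-18: the user exists, so ask the account owner over SMS.
        reply = ask(ad_user["mobile"], f"Did you fail to log in on {host}?", REPLY_TIMEOUT_S)
        if (reply or "").strip().lower() == "yes":
            actions.append(("close_ticket", "resolved: confirmed by user"))
        else:  # "no" or no reply within the window
            actions.append(("raise_severity", "user denied or did not reply"))
            actions.append(("disable_user", user, DISABLE_SECONDS))
    else:
        # Slides 19-21: unknown user, so escalate to the operator on call.
        reply = ask(operator_phone, f"Unknown user {user} failing logins on {host}. Known?", REPLY_TIMEOUT_S)
        if (reply or "").strip().lower() == "yes":
            actions.append(("close_ticket", "resolved: confirmed by operator"))
        else:
            actions.append(("raise_severity", "operator denied or did not reply"))
            actions.append(("quarantine_host", host))
    return actions

# Constructed stand-ins for AD and the SMS gateway; the alert values are the deck's (WS98123, User_adm_14).
SAMPLE_AD = {"User_adm_14": {"mobile": "+1-555-0100"}}   # constructed phone number

def demo(reply: Optional[str], user: str = "User_adm_14") -> list:
    alert = {"user": user, "host": "WS98123"}
    return brute_force_workflow(alert, SAMPLE_AD.get, lambda phone, question, timeout: reply, "+1-555-0199")

if __name__ == "__main__":
    for r in ("yes", "no", None):
        print("user reply", r, "->", demo(r))
        print("operator reply", r, "->", demo(r, user="unknown_user"))
```

In a real deployment the ask callback blocks for at most REPLY_TIMEOUT_S on the SMS gateway and returns None on timeout, which the function treats exactly like "no".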

Page 22: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Planning – Group Violation

Diagram: a Power User adds a Normal User to the VIP Users Group; the action is logged in AD.

Page 23: HP ArcSight & Ayehu eyeShare - Security Automation

A few minutes later...

Page 24: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Planning – Group Violation

Rule: User Added & Removed From VIP Group in 1h – Added User: X, Adding User: Y, Group: GroupZ.

Diagram: the Power User removes the Normal User from the VIP Users Group; the action is logged in AD.

Page 25: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Planning – Group Violation

• Possible questions to ask:

  • Was this action authorized and documented in IDM/Ticketing?

  • Who is the adding user? Is he/she authorized to add/remove users from groups?

  • Who is the added user? Is he/she a new employee? From which department?

  • What time is it? Is it night? Is it a holiday or weekend?

• Possible actions to take:

  • Talk to both users to understand why the user was added and removed.

  • Lock their accounts.

  • Remove their permissions until further investigation.


How much time would it take to answer/perform these tasks in your SOC?

Page 27: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – Group Violation


• ArcSight alerts eyeShare using the OOTB e-mail template with all information related to the incident.

• A ticket is opened.

Page 28: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – Group Violation


• All AD information for both users is gathered.

Page 29: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – Group Violation

• A search is performed on the ticketing system to validate whether a ticket has been opened, reviewed, and authorized regarding this issue. If so, the incident is resolved.

Page 30: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – Group Violation

• If a ticket is not present for this issue, an e-mail is sent to the adding user, the added user, and the SOC operator.

• The e-mail requests that they explain their actions.

• Their response is documented and reviewed by the SOC.

Page 31: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – Group Violation


Page 32: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Planning – User Reporting On Spam

Diagram: an e-mail is sent to one or more users; the users suspect the e-mail might be malicious and forward it to the SOC; the SOC investigates using web reputation, anti-virus, history (URL/mail), sandbox, etc.

Page 33: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Planning – User Reporting On Spam

• Possible questions to ask:

  • Who sent the e-mail?

  • Are there any links in the e-mail? If so, could clicking on them lead to infection?

  • Are there any attachments in the e-mail? If so, would opening them lead to infection?

  • How many people got this e-mail?

• Possible actions to take:

  • Block the sender in the mail relay.

  • Block the links in the proxy.

  • Block/blacklist the attachments; upload them to the AV vendor.


How much time would it take to answer/perform these tasks in your SOC?

Page 35: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – User Reporting On Spam

• This workflow receives an e-mail forwarded by a user to the SOC and does the following:

  • Thanks the user for forwarding the e-mail to the SOC.

  • Checks for links and e-mail addresses and sends all findings to be analyzed by Virustotal. Notifies ArcSight by CEF syslog if a link is malicious.

  • Checks for attachments and uploads all findings to be analyzed by Virustotal and Cuckoo Sandbox. Notifies ArcSight by CEF syslog if an attachment is malicious.

  • Sends the analysis verdict (clean/malicious) back to the user.

Page 36: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – User Reporting On Spam


• A user gets this e-mail, and decides to forward it to the SOC.

Page 37: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – User Reporting On Spam


• Upon reception, eyeShare sends back a successful submission e-mail, providing the user with some initial instructions and a reference ID.

Page 38: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – User Reporting On Spam


• The operator on call will receive an e-mail notification if an attachment or link is detected as malicious.

Page 39: HP ArcSight & Ayehu eyeShare - Security Automation

Use Case Workflow – User Reporting On Spam


• At the end of the analysis, the user gets a response from eyeShare with the verdict.


Page 41: HP ArcSight & Ayehu eyeShare - Security Automation

Automation Summary – why use it?

• If we know what the alert is, which questions to ask, which action to perform for each answer we receive – why not automate it?

• Using automation, a SOC can handle more alerts with greater efficiency, maximize human productivity, strengthen the bond with the rest of the company, raise the SOC's maturity, and raise the overall security posture.

• Operators/analysts will handle incidents after false-positive reduction, reconnaissance, and user input, and at the correct severity.

• Operators/analysts will work much less on the “Known” threats and will be available to investigate the “Unknown” threats.

Page 42: HP ArcSight & Ayehu eyeShare - Security Automation

Automation Summary – why Ayehu eyeShare?

• No more standalone, unsupported, unmanaged scripts written in different programming languages.

• Single framework for all workflows with support for multiple devices (AD, Cisco, VMware, file moves, HTTP requests, DB queries, etc.).

• Know the result of every part of every workflow, and keep it for as long as you need.

• Integration with HP ArcSight (provided by We Ankor).

• Support for HA, segmentation, and multiple domains.

Page 43: HP ArcSight & Ayehu eyeShare - Security Automation

Questions?

Or Cohen – We Ankor 2014