© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Best practices and use cases for consistent, enterprise-wide SIEM security policy management
Bhavika Kothari, QA Lead; Victor Lee, Product Manager, CISSP
Agenda
• Introduction
• Best practices
• Management tool
• Use cases
• Discussion and Q&A
Introduction
HP ArcSight Next Generation Cyber Defense
[Diagram: HP ArcSight platform capabilities – Predict, Visualize, Search, Collect, Correlate, Respond; Analytics and SIEM]
Why is manageability important for security?
• Ensure security policies are followed and enforced
• Manage the deployment holistically, not just its individual elements
• Monitor, create alerts, and maintain the security operations
• Deliver efficient and timely implementation
• Enable resources to focus on security analysis
Best practices
Best practices
• Create a golden configuration
• Create groups
• Monitor critical events and set alerts
• Update to the latest ArcSight product release as soon as possible
• Back up regularly
• Review and audit changes
• Leverage the ArcSight user community on Protect724
Management tool
Management tool
What are the benefits of using management tools?
• Reduce cost
• Faster and more reliable implementation of security policy
• Increase accuracy
• Enable resources to focus on security analytics
What is the name of the ArcSight management tool?
ArcSight Management Center
HP ArcSight Management Center
ArcSight Management Center (ArcMC) delivers centralized enterprise management that simplifies the deployment and maintenance of the desired enterprise security posture in a cost-effective and efficient manner.
ArcMC Version 2.0
[Diagram: ArcSight Management Center (ArcMC) managing ArcMC, ConApp, Connector and Logger nodes]
A few definitions
• A host is a system that hosts at least one ArcSight product
• A node is a managed ArcSight product: Connector, Connector Appliance, ArcSight Management Center or Logger
• A node can be software or hardware form factor
• A configuration listed in ArcMC is considered a golden configuration
• Subscribers are the nodes that can receive the golden configuration
• When a subscriber's configuration is identical to the golden configuration, it is considered compliant. Otherwise, it is non-compliant.
ArcMC architecture
[Diagram: ArcMC architecture – an ArcMC Web Client connects to the ArcMC server over HTTPS; the server manages Logger (software or appliance) and ArcMC/ConApp (software or appliance) nodes over HTTPS and CWSAPI, and Connectors on Host 1, Host 2 and Host 3 through the ArcMC Agent]
Use cases
• Configuration management
• Management using groups
• Update to the latest software
• Monitoring
Use cases: Configuration management
ArcMC paradigm of operation
Step 1: Create/import configuration in ArcMC
Step 2: Add subscribers to the configuration
Step 3: Push configuration to subscribers
Step 4: Check compliance
Configuration management use cases
Use case: Schedule regular configuration backup
Configure all the appliances to run backup on the same schedule, for example every Saturday at 10 p.m.
Use case: Logger filters
Add a new filter query: create filters once on one Logger and have the same filters on the rest of the Loggers without re-creating them on each Logger.
Use case: User management
• Add new employee: create the same users on all the appliances, software or hardware form factor
• Add new appliances, for example multiple ArcMCs or multiple Loggers: add the existing users to the new appliances
Use case: Windows Unified Connector configuration
• Push Windows Unified Connector configuration to multiple Windows Unified Connectors (WUC)
• Run a compliance check to ensure the configurations are indeed on the SmartConnectors
Use case: DNS Management
• Add a new DNS server across all ArcSight Appliances
• Add a new DNS server to a logical group by location or function
Use case: Compliance check
• Is my environment compliant with FIPS?
• Compliance checks can be extended, for example: Is the configuration compliant with the baseline "golden" configuration? Does it follow the corporate policy?
[Diagram: compliance check results across ArcSight nodes, each marked compliant (✔) or non-compliant (X)]
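The ArcMC paradigm of operation (create a golden configuration, add subscribers, push, check compliance) and the compliance check above, carried through as an added Python illustration; this is not ArcMC code, and the DNS keys, values and node names are constructed sample data.

```python
"""Golden-configuration compliance check following the ArcMC paradigm above: create a
golden configuration, add subscribers, push it, then check compliance. Added
illustration only, not ArcMC code; keys, values and node names are constructed."""
from copy import deepcopy

# Step 1: constructed golden "DNS" configuration as it would be held in ArcMC.
GOLDEN_DNS = {
    "dns.primary": "10.0.0.53",
    "dns.secondary": "10.0.1.53",
    "dns.search_domain": "soc.example.com",
}
# Step 2: constructed subscribers and the configuration each currently reports.
SUBSCRIBERS = {
    "logger-01": dict(GOLDEN_DNS),                                      # already identical
    "logger-02": {**GOLDEN_DNS, "dns.secondary": "10.0.9.53"},         # drifted value
    "conapp-01": {"dns.primary": "10.0.0.53", "dns.ntp": "10.0.0.1"},  # missing and extra keys
}

def check_compliance(golden, subscriber):
    """List (key, expected, actual) for every difference; an empty list means compliant.
    Compliance requires an identical configuration, so extra subscriber keys count too."""
    mismatches = []
    for key in sorted(set(golden) | set(subscriber)):
        expected, actual = golden.get(key), subscriber.get(key)
        if expected != actual:
            mismatches.append((key, expected, actual))
    return mismatches

def push_configuration(golden, subscribers):
    """Step 3: return the subscriber map with the golden configuration applied to each node."""
    return {name: deepcopy(golden) for name in subscribers}

def compliance_report(golden, subscribers):
    """Step 4: map each subscriber to 'compliant' or 'non-compliant'."""
    return {name: "compliant" if not check_compliance(golden, cfg) else "non-compliant"
            for name, cfg in subscribers.items()}

if __name__ == "__main__":
    for name, cfg in SUBSCRIBERS.items():
        print(name, check_compliance(GOLDEN_DNS, cfg))
    print("before push:", compliance_report(GOLDEN_DNS, SUBSCRIBERS))
    print("after push: ", compliance_report(GOLDEN_DNS, push_configuration(GOLDEN_DNS, SUBSCRIBERS)))
```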
Supported Logger configurations
• Logger Configuration Backup
• Logger Smart Message Receiver
• Logger Transport Receiver
• Logger Storage Group
• Logger Filter
Supported Connector, ConApp and ArcMC configurations
Connectors
• FIPS
• Map Files
• Parser Override
• Syslog Connector
• Windows Unified Connector
• Bluecoat
Connector Appliance and ArcMC
• ConApp/ArcMC Configuration Backup
Supported System Admin configurations
Software
• Authentication External
• Authentication Local Password
• Authentication Session
• User Configuration
• SMTP
Hardware
• DNS
• NTP
• Network
• SNMP
Use cases: Management using groups
Bulk add host: Import hosts
• Allows adding hosts in bulk from a Comma Separated Values (.csv) file
• Runs as a background batch job
• Requirement: a .csv file with valid host entries
• Results of the import hosts job are stored in a text file at
<install_dir>/userdata/arcmc/importhosts/
Create CSV File for bulk add host
Bulk add host using import CSV
Import Host CSV File
ArcMC node management
A node is a managed ArcSight product:
• Connector
• Connector Appliance
• Logger
• ArcMC
Nodes can be software or hardware form factor
Use cases: Update to the latest software
Use case: Update software to the latest release
• New ArcSight software release: push new versions of the software to Connectors, ArcMC appliances and Logger appliances.
Demo: Update software to the latest release
Use cases: Monitoring
Monitoring nodes
ArcMC 2.0 will support monitoring for
• Connector Appliance (hardware and software)
• Logger Appliance (hardware and software)
• Local and Managed ArcMCs (hardware and software)
• SmartConnectors
Health data monitored
ArcMC collects health data from managed products at 1-minute, 5-minute and 1-hour intervals to support charting and alert generation.
• CPU
• Memory
• Disk
• Network
• EPS In/Out
• Event and Queue Stats
• Thread Count
• Fan, Voltage, Power Supply, Temperature, RAID
Critical alert generation
• Breach rules are defined to generate alerts against health data metrics.
• Example: Generate a FATAL alert for any Logger whose average CPU usage in the past 5 minutes is greater than 90%:
    breach.rule[1].product = LOGGER
    breach.rule[1].severity = FATAL
    breach.rule[1].metric = CPU
    breach.rule[1].aggregation = AVG
    breach.rule[1].measurement = GREATER
    breach.rule[1].value = 90
    breach.rule[1].timespan = 5
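An added Python illustration of how a breach rule in the properties format above can be parsed and evaluated over 1-minute health samples; it is not ArcMC's own evaluation engine. It assumes timespan is in minutes, that samples are 1-minute readings with the oldest first, and it accepts only the AVG/GREATER combination used by the example rule; the CPU readings are constructed.

```python
"""Parse breach rules in the properties format shown above and evaluate them over
1-minute health samples. Added illustration, not ArcMC's engine; assumes timespan is
in minutes and accepts only the AVG/GREATER combination used by the example rule."""
import re

RULE_RE = re.compile(r"^breach\.rule\[(\d+)\]\.(\w+)\s*=\s*(\S+)$")
RULES_TEXT = """breach.rule[1].product = LOGGER
breach.rule[1].severity = FATAL
breach.rule[1].metric = CPU
breach.rule[1].aggregation = AVG
breach.rule[1].measurement = GREATER
breach.rule[1].value = 90
breach.rule[1].timespan = 5
"""
# Constructed 1-minute CPU readings (percent) for two Loggers, oldest first.
CPU_LOGGER_A = [70, 85, 92, 95, 97, 96]   # last 5 average 93.0 -> breach
CPU_LOGGER_B = [70, 85, 92, 95, 80, 88]   # last 5 average 88.0 -> no breach

def parse_rules(text):
    """Group breach.rule[N].key = value lines into one dict per rule index."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised breach rule line: {line!r}")
        idx, key, value = m.groups()
        rules.setdefault(int(idx), {})[key] = value
    return [rules[i] for i in sorted(rules)]

def evaluate(rule, product, samples):
    """Return an alert dict if the rule breaches for this product's samples, else None."""
    if product != rule["product"]:
        return None
    if (rule["aggregation"], rule["measurement"]) != ("AVG", "GREATER"):
        raise ValueError("only AVG/GREATER is implemented in this illustration")
    window = samples[-int(rule["timespan"]):]
    if len(window) < int(rule["timespan"]):
        return None   # not enough history yet to cover the timespan
    observed = sum(window) / len(window)
    if observed > float(rule["value"]):
        return {"severity": rule["severity"], "metric": rule["metric"],
                "product": product, "observed": round(observed, 1)}
    return None

def alerts_for(rules, product, samples):
    return [a for a in (evaluate(r, product, samples) for r in rules) if a]
```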
Monitoring levels
Summary
– Displays alerts / breaches across all the managed products
– Displays per-product severity / alert pie charts
Monitoring levels
Aggregated per managed product
– Displays alerts / breaches of a particular product type
Monitoring levels
Individual product
• Displays alerts / breaches on a managed node
• Displays different health monitor stats (EPS In/Out, CPU, Memory Utilization, Hardware Stats)
Discussion and Q&A
For more information
Attend these sessions
• TB3067, Connector Appliance Migration to ArcSight Management Center
Visit these demos
• HP ArcSight demo station
• HP ArcSight Management Center demo station
After the event
• Contact your sales rep
• Presentations will be posted after Protect at https://protect724.hp.com/community/events/protect-conference
Please fill out a survey. Hand it to the door monitor on your way out.
Thank you for providing your feedback, which helps us enhance content for future events.
Session TB3133 Speakers Victor Lee and Bhavika Kothari
Please give me your feedback
Thank you