Security Integration Splunk and ArcSight
Data Integration for IT security
Wednesday 14th January 2015 IT Analytics’15
Agenda
› Welcome – Ray Bruni
› Eric Blavier – Splunk & Nexthink
› Mostafa Soliman – ArcSight & Nexthink
Introduction
› Eric Blavier
• Has worked for Nexthink since 2005
• IT security specialist
• Security projects using Nexthink: financial institutions, industry, governments, military
• Europe / US / Asia
Nexthink security metrics
› Nexthink V5
• generates ~200 datapoints
• ~50% are in real-time
› Security metrics
• Nexthink Security Solution Pack (NSSP)
• Security Cockpit
• Web&Cloud
NSSP V5
› Specific set of out-of-the-box investigations for Endpoint Security
o Dynamic inventory
o Unauthorized applications
o Identity & access management
o Vulnerability management & protection
o Secure network configuration
o Indicators of compromise
NSSP Web&Cloud
› Specific set of out-of-the-box investigations for Web & Security (through the Nexthink Library)
Splunk
› Splunk
• Collects and indexes machine-generated data from many sources or locations in real time
• Correlates events spanning many diverse data sources
• Can be used as a Security Information and Event Management (SIEM) system
Nexthink DATA
Data integration
› Nexthink Engine -> Splunk
• Using the NXQL 2.0 direct Web API
• Direct access to the Nexthink Engine database
• https://demo.nexthink.com:1671/2/query?query=(select%20(id%20name%20last_seen)%20(from%20device%20(with%20device_activity%20(between%20now-7d%20now))))%20&format=csv
• New Nexthink Query Language web interface
Data integration
› Adding data in Splunk
• curl https://<Engine_IP>:1671/2/query?query=NXT_Investigation
• Update the data (polling) interval
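The pull path described on the two slides above, as an added example (not Nexthink's or Splunk's own code): it builds the NXQL 2.0 `/2/query` URL exactly as shown on the slide and turns the Engine's CSV answer into per-device events in the JSON shape Splunk's HTTP Event Collector accepts (HEC is an assumption; the slide only shows curl). The host name, port 1671, the field layout of the CSV and the sample rows are constructed.

```python
# Added example (not Nexthink's or Splunk's own code): build the NXQL 2.0 Web API
# URL from the slide and turn the CSV answer into events ready for Splunk.
import csv
import io
import json
from urllib.parse import quote

# The investigation shown on the slide: devices with activity in the last 7 days.
NXQL_QUERY = (
    "(select (id name last_seen) "
    "(from device (with device_activity (between now-7d now))))"
)


def build_query_url(engine_host: str, nxql: str, fmt: str = "csv", port: int = 1671) -> str:
    """Return the /2/query URL for an NXQL investigation.

    Parentheses are kept literal (as on the slide); spaces become %20 so the
    query survives being pasted into curl or a Splunk scripted input.
    """
    return f"https://{engine_host}:{port}/2/query?query={quote(nxql, safe='()')}&format={fmt}"


def csv_to_events(csv_text: str, sourcetype: str = "nexthink:device") -> list:
    """Parse the Engine's CSV answer into one JSON-serialisable event per row.

    Assumed layout: a header row naming the NXQL fields (id, name, last_seen).
    The device name is copied to 'host' so Splunk can pivot on it; the whole row
    is kept under 'event', which is the HEC payload shape (an assumption).
    """
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        events.append({
            "sourcetype": sourcetype,
            "host": row.get("name", ""),
            "event": dict(row),
        })
    return events


# Constructed sample answer (not real Engine output) in the CSV layout the
# slide's query would return.
SAMPLE_CSV = """id,name,last_seen
1001,WS-FIN-0042,2015-01-13T09:15:02
1002,LT-HR-0017,2015-01-14T07:58:41
"""

if __name__ == "__main__":
    print(build_query_url("demo.nexthink.com", NXQL_QUERY))
    for ev in csv_to_events(SAMPLE_CSV):
        print(json.dumps(ev))
```

Running the script prints the same URL as the slide (minus the stray trailing `%20`) followed by one JSON event per device; in practice the URL goes into the curl call or scripted input that Splunk runs on the polling interval, and the CSV it returns is fed to `csv_to_events`.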
SIEM
› Security information and event management system
• collects real-time data from the IT infrastructure
• analyzes, correlates and provides reporting to drive a responsive action
• provides clear insight into the security posture of a company
› Needs notable events and behaviour from ENDPOINTS (Nexthink)
Security dashboard
› Security posture
• high-level insight into «notable events» across many security domains
• Examples of notable security events from Nexthink
• Endpoint
o Host(s) with multiple infections
o Critical-priority host(s) with malware detected
• Access
o Insecure or cleartext authentication access detected
o Default account activity detected
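The two endpoint notable events named above, as an added example (not Nexthink's or Splunk's own code) of the correlation a SIEM dashboard would run over endpoint data. The detection records, their field names (`host`, `priority`, `malware`, `ts`) and the threshold of two distinct malware families are constructed assumptions standing in for the real Nexthink fields.

```python
# Added example (not Nexthink's or Splunk's own code): derive the two endpoint
# "notable events" named on the slide from constructed malware-detection records.
from collections import defaultdict

# Constructed sample records (not real Nexthink data). Field names are assumptions
# chosen to mirror the slide; a real feed would use the Engine's own NXQL fields.
SAMPLE_DETECTIONS = [
    {"host": "WS-FIN-0042", "priority": "critical", "malware": "Trojan.Generic", "ts": "2015-01-14T08:01:10"},
    {"host": "WS-FIN-0042", "priority": "critical", "malware": "Adware.Bundle", "ts": "2015-01-14T08:17:55"},
    {"host": "LT-HR-0017", "priority": "medium", "malware": "PUP.Toolbar", "ts": "2015-01-14T09:02:03"},
    {"host": "WS-OPS-0101", "priority": "critical", "malware": "Worm.Autorun", "ts": "2015-01-14T09:30:41"},
    {"host": "WS-OPS-0101", "priority": "critical", "malware": "Worm.Autorun", "ts": "2015-01-14T09:31:02"},
]


def notable_events(detections, multi_threshold: int = 2) -> list:
    """Return notable events, multiple-infection events first, then critical hosts.

    Rule 1 'Host(s) with multiple infections': at least `multi_threshold`
           distinct malware names seen on one host (repeats of the same
           sample, as on WS-OPS-0101, count once).
    Rule 2 'Critical priority Host(s) with malware detected': any detection on
           a host tagged critical priority; the first detection is kept as context.
    A host can raise both, which is exactly what the dashboard should surface.
    """
    by_host = defaultdict(set)
    critical = {}
    for d in detections:
        by_host[d["host"]].add(d["malware"])
        if d["priority"] == "critical" and d["host"] not in critical:
            critical[d["host"]] = d["malware"]

    events = []
    for host, names in sorted(by_host.items()):
        if len(names) >= multi_threshold:
            events.append({"rule": "multiple_infections", "host": host, "malware": sorted(names)})
    for host, first in sorted(critical.items()):
        events.append({"rule": "critical_host_malware", "host": host, "malware": [first]})
    return events


if __name__ == "__main__":
    for ev in notable_events(SAMPLE_DETECTIONS):
        print(ev)
```

Deduplicating by malware name before counting is the part worth noticing: an antivirus that re-detects the same file every scan would otherwise turn every host into a "multiple infections" notable and flood the dashboard.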
www.mannai.com
from Dedication to Excellence ….
The Next Big Thing: A case study in utilizing End-‐User Real-‐Time Analytics tools in the SOC
Mostafa Soliman – Mannai Trading Company
✓ Mostafa Soliman ([email protected])
✓ Home: Alexandria, Egypt
✓ Nexthink Consultant since 2011
✓ ArcSight Consultant since 2012
✓ Senior Security Consultant based in Doha, Qatar since 2011
✓ Presented HP-ArcSight & Nexthink integration at HP Protect 2014 (Washington D.C.)
Introduction
What do we do?
Design, Consultancy, Implementation, Testing, and Support Services for Operations, Analytics, Security
Endpoint Monitoring with ArcSight
Challenge:
• Endpoints are the entry point for most of the threats to the organization.
• Security & event logs do not always contain meaningful information.
• Some custom monitoring can be done using scripts on endpoints; however, this doesn't detect all endpoint or end-user activities and requires high maintenance.
Conclusion:
• Endpoints are always a blind spot for ArcSight.
• Leverage ArcSight by integrating it with endpoint monitoring.
Nexthink + ArcSight
Nexthink and ArcSight Integration enhances detecting and investigating endpoint anomalies.
Integration Use Cases
✓ Endpoints with malicious behavior.
✓ Endpoints running files from removable drives.
✓ Endpoints bypassing the proxy to connect to the Internet.
✓ Endpoints doing port scans.
✓ Endpoints accessing well-known malicious URLs.
✓ Endpoints with disabled and/or out-of-date antivirus.
✓ Endpoints using Internet broadband connections.
✓ Endpoints executing non-compliant software (IM, P2P, etc.)
Remember
› Integration
• Push and/or Pull
• APIs, Email, Syslog
› Extend, Enhance, and Complement
• Data
• Analyze
• Visualize
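The syslog push path listed above, as an added example (not Nexthink's or ArcSight's own code): one endpoint finding from the use-case list (a file run from a removable drive) is formatted as a CEF line, the event format ArcSight SmartConnectors parse natively. The finding's field names, the vendor/product/version header values and the sample values are constructed; the escaping rules (backslash and pipe in the header, backslash, equals sign and newline in the extension) are those of the CEF specification.

```python
# Added example (not Nexthink's or ArcSight's own code): format a Nexthink-style
# endpoint finding as a CEF line for syslog delivery to an ArcSight SmartConnector.
import datetime as dt


def _cef_header(value: str) -> str:
    """Escape a CEF header field: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value: str) -> str:
    """Escape a CEF extension value: backslash, '=' and line breaks must be escaped.

    A pipe is legal inside an extension value, so it is left alone here."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event_id: str, name: str, severity: int, ext: dict,
           vendor: str = "Nexthink", product: str = "Engine", version: str = "5") -> str:
    """Build one CEF:0 line. Severity is clamped to the 0-10 range CEF defines."""
    sev = max(0, min(10, int(severity)))
    header = "|".join(_cef_header(x) for x in (vendor, product, version, event_id, name))
    extension = " ".join(f"{k}={_cef_ext(str(v))}" for k, v in ext.items())
    return f"CEF:0|{header}|{sev}|{extension}"


def finding_to_cef(finding: dict) -> str:
    """Map one constructed Nexthink-style finding to CEF (finding keys are assumptions).

    rt is epoch milliseconds in CEF; the ISO timestamp is treated as UTC.
    dvchost/suser/fname/msg are standard CEF extension keys."""
    ts = dt.datetime.strptime(finding["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=dt.timezone.utc)
    return to_cef(
        event_id=finding["rule"],
        name=finding["title"],
        severity=finding["severity"],
        ext={
            "rt": int(ts.timestamp() * 1000),
            "dvchost": finding["host"],
            "suser": finding["user"],
            "fname": finding["binary"],
            "msg": finding["detail"],
        },
    )


# Constructed sample finding (not real Nexthink output): the "running files from
# removable drive" use case. The detail deliberately contains '=' and '|' to
# show which one the extension escaping touches.
SAMPLE_FINDING = {
    "rule": "removable_exec", "title": "Execution from removable drive", "severity": 7,
    "host": "WS-FIN-0042", "user": "jdoe", "binary": "E:\\setup.exe",
    "detail": "policy=block|notify", "ts": "2015-01-14T10:12:30",
}

if __name__ == "__main__":
    # In production this line is written to a syslog socket the SmartConnector listens on.
    print(finding_to_cef(SAMPLE_FINDING))
```

The resulting line starts `CEF:0|Nexthink|Engine|5|removable_exec|Execution from removable drive|7|` and carries the Windows path with its backslash doubled and `policy\=block|notify` in `msg`; getting that escaping wrong is the usual reason a connector silently drops or mis-parses pushed endpoint events.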