Best practices and use cases for consistent, enterprise-wide SIEM security policy management

Transcription

1 Best practices and use cases for consistent, enterprise-wide SIEM security policy management Bhavika Kothari, QA Lead Victor Lee, Product Manager, CISSP

2 Agenda Introduction Best practices Management tool Use cases Discussion and Q&A 2

3 Introduction

4 HP ArcSight Next Generation Cyber Defense Visualize Search Predict SIEM Analytics Collect Respond Correlate 4

5 Introduction Why is manageability important for security? Ensure security policies are Followed And Enforced Manage the deployment holistically and not just individual elements Monitor, create alert, and maintain the security operations Deliver efficient and timely implementation Enable resources to focus on security analysis 5

6 Best practices

7 Best practice Create Golden Configuration Create Groups Monitor critical events and set alerts Update to the latest ArcSight product release ASAP Backup regularly Review and audit changes Leverage the ArcSight user community in Protect724 7

8 Management tool

9 Management tool What are the benefits of using management tools? Reduce cost Faster and reliable implementation of security policy Increase accuracy Enable resource to focus on security analytics What is the name of the ArcSight management tool? ArcSight Management Center 9

10 HP ArcSight Management Center ArcSight Management Center (ArcMC) delivers centralized enterprise management that simplifies the deployment and maintenance of the desired enterprise security posture in a cost effective and efficient manner. 10

11 ArcSight Management Center (ArcMC) ArcMC Version 2.0 ArcMC ArcMC ConApp Connector Logger 11

12 A few definitions A host is a system that hosts at least on ArcSight product A node is a managed ArcSight product Connector Connector appliance ArcSight Management Center Logger Node can be software or hardware form factor A configuration listed in ArcMC is considered a golden configuration Subscriber are the nodes which can receive the golden configuration. When subscriber s configuration is identical to the golden configuration, it is considered compliant. Otherwise, it is non-compliant. 12

13 ArcMC architecture HTTPs Host 1 ArcMC Agent Logger (SW, Appliance) Client ArcMC Web Client Server ArcMC HTTPs Host 2 ArcMC Agent ArcMC/ConApp (SW, Appliance) Connector Host 3 CWSAPI Connector Connector 13

14 Use cases Configuration management Management using groups Update to the latest Software Monitoring

15 Use cases Configuration management

16 ArcMC paradigm of operation Step 1 Create/import configuration in ArcMC Step 2 Add subscribers to the configuration Step 3 Push configuration to subscribers Step 4 Check compliance 16

17 Use cases Configuration Management 17

18 Use case: Schedule regular configuration backup Configure all the appliances to do backup on same schedule, i.e., every Saturday at 10 p.m. ArcMC 18

19 Use case: Logger filters Logger Filter Add new filter query - Create filters once on one Logger and wants to have the same filters on the rest of Loggers w/o re-creating them on other Loggers ArcMC 19

20 Use case: User management Add new employee - Create the same users on all the Appliances, software or hardware form factor Add new appliances, for example multiple ArcMC or multiple Loggers need to add existing users to the new appliances. ArcMC Software Connector Appliances, logger and ArcMC 20 Connector Appliances, ArcMC, Logger

21 Use case: Window Unified Connector configuration Software Connector HP ArcSight HP ArcSight Push Window Unified Connector configuration to multiple Window Unified Connectors (WUC) HP ArcSight Run compliance check to ensure the configurations are indeed on the SmartConnectors ArcMC 21 Connector Appliances

22 Use case: DNS Management DNS server Add a new DNS server across all ArcSight Appliances Add a new DNS server to a logical group by location or function ArcMC 22

23 Use case: Compliance check X Is my environment compliant with FIPS? Compliance check can be extended, for example, Is the configuration compliant with the baseline golden configuration? following the corporate policy? ArcMC ArcSight ArcSight X X ArcSight ArcSight ArcSight ArcSight X 23

24 Supported Logger configurations Logger Logger Configuration Backup Logger Smart Message Receiver Logger Transport Receiver Logger Storage Group Logger Filter 24

25 Supported Connector and ConApp and ArcMC configurations Connectors FIPS Map Files Parser Override Syslog Connector Window Unified Connector Bluecoat Connector Appliance and ArcMC Conapp/ArcMC Configuration Backup 25

26 Supported System Admin configurations Software Authentication External Authentication Local Password Authentication Session User Configuration SMTP Hardware DNS NTP Network SNMP 26

27 Use cases Management using groups

28 Bulk add host- Import hosts Allows adding hosts in bulk from a Comma Separated Values (.csv) file Background batch job Requirement:.csv file with valid host entries Results of import hosts job will be stored in a text file at <install_dir>/userdata/arcmc/importhosts/ 28

29 Create CSV File for bulk add host 29

30 Bulk add host using import CSV Import Host CSV File 30

31 ArcMC node management A node is a managed ArcSight product Connector Connector Appliance Logger ArcMC Nodes can be software or hardware form factor 31

32 Use cases Update to the latest software

33 Use case: Update software to the latest release New ArcSight software release - Push new versions of software to connectors, ArcMC appliances and logger appliances. HP ArcSight HP ArcSight HP ArcSight ArcMC 33

34 Demo Update software to the latest release 34

35 Use cases Monitoring

36 Monitoring nodes ArcMC 2.0 will support monitoring for Connector Appliance (hardware and software) Logger Appliance (hardware and software) Local and Managed ArcMCs (hardware and software) Smart Connectors 36

37 Health data monitored ArcMC collects health data from managed products in 1-min, 5-min and 1-hour time intervals to support charting and alert generation. CPU Memory Disk Network EPS In/Out Event and Queue Stats Thread Count Fan, Voltage, Power Supply, Temperature, RAID 37

38 Critical alert generation Breach rules are defined to generate alerts against health data metrics. Example: Generate a FATAL alert for any Logger whose average CPU usage in the past 5 minutes is greater than 90% breach.rule[1].product = LOGGER breach.rule[1].severity = FATAL breach.rule[1].metric = CPU breach.rule[1].aggregation = AVG breach.rule[1].measurement = GREATER breach.rule[1].value = 90 breach.rule[1].timespan = 5 38

39 Monitoring levels Summary Displays alerts / breaches across all the managed products Displays per product severity / alert pie charts 39

40 Monitoring levels Aggregated per managed product Displays alert / breaches of particular product type 40

41 Monitoring levels Individual product Displays alert / breaches on a managed node Displays different health monitor stats (EPS In/ Out, CPU, Memory Utilization, Hardware Stats) 41

42 Discussion and Q&A

43 For more information Attend these sessions TB3067, Connector Appliance Migration to ArcSight Management Center Visit these demos HP ArcSight demo station HP ArcSight Management Center demo station After the event Contact your sales rep Presentations will be posted after Protect at munity/events/protectconference 43

44 Please give me your feedback Session TB3133 Speakers Victor Lee and Bhavika Kothari Please fill out a survey. Hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events. 44

45 Thank you

46