Best practices and use cases for consistent, enterprise-wide SIEM security policy management
Bhavika Kothari, QA Lead
Victor Lee, Product Manager, CISSP

Agenda
Introduction
Best practices
Management tool
Use cases
Discussion and Q&A
Introduction
HP ArcSight Next Generation Cyber Defense (diagram: Collect, Correlate, Search, Visualize, Predict, Respond; SIEM and Analytics)

Introduction: Why is manageability important for security?
Ensure security policies are followed and enforced
Manage the deployment holistically and not just individual elements
Monitor, create alerts, and maintain the security operations
Deliver efficient and timely implementation
Enable resources to focus on security analysis
Best practices
Best practices
Create a golden configuration
Create groups
Monitor critical events and set alerts
Update to the latest ArcSight product release ASAP
Back up regularly
Review and audit changes
Leverage the ArcSight user community in Protect724
Management tool
Management tool: What are the benefits of using management tools?
Reduce cost
Faster and more reliable implementation of security policy
Increase accuracy
Enable resources to focus on security analytics
What is the name of the ArcSight management tool? ArcSight Management Center

HP ArcSight Management Center
ArcSight Management Center (ArcMC) delivers centralized enterprise management that simplifies the deployment and maintenance of the desired enterprise security posture in a cost-effective and efficient manner.

ArcSight Management Center (ArcMC) Version 2.0 (diagram: one ArcMC managing ArcMC, ConApp, Connector and Logger nodes)

A few definitions
A host is a system that hosts at least one ArcSight product.
A node is a managed ArcSight product: Connector, Connector Appliance, ArcSight Management Center or Logger. A node can be a software or hardware form factor.
A configuration listed in ArcMC is considered a golden configuration.
Subscribers are the nodes that can receive the golden configuration. When a subscriber's configuration is identical to the golden configuration, it is considered compliant. Otherwise, it is non-compliant.

ArcMC architecture (diagram)
Client: ArcMC Web Client
Server: ArcMC
Host 1: ArcMC Agent, Logger (SW, Appliance), reached over HTTPS
Host 2: ArcMC Agent, ArcMC/ConApp (SW, Appliance), reached over HTTPS
Host 3: Connectors, reached through CWSAPI
Use cases
Configuration management
Management using groups
Update to the latest software
Monitoring

Use cases: Configuration management

ArcMC paradigm of operation
Step 1: Create/import configuration in ArcMC
Step 2: Add subscribers to the configuration
Step 3: Push configuration to subscribers
Step 4: Check compliance
Use case: Schedule regular configuration backup
Configure all the appliances to do backup on the same schedule, e.g., every Saturday at 10 p.m.

Use case: Logger filters
Add new filter query: create filters once on one Logger and have the same filters on the rest of the Loggers without re-creating them on each Logger.

Use case: User management
Add new employee: create the same users on all the appliances, software or hardware form factor.
Add new appliances: for example, when multiple ArcMCs or multiple Loggers are added, existing users need to be added to the new appliances.
(diagram: ArcMC pushing users to Connector Appliances, Loggers and ArcMCs)

Use case: Windows Unified Connector configuration
Push Windows Unified Connector configuration to multiple Windows Unified Connectors (WUC).
Run a compliance check to ensure the configurations are indeed on the SmartConnectors.
(diagram: ArcMC pushing to software connectors and Connector Appliances)

Use case: DNS management
Add a new DNS server across all ArcSight appliances.
Add a new DNS server to a logical group by location or function.

Use case: Compliance check
Is my environment compliant with FIPS?
Compliance check can be extended, for example: Is the configuration compliant with the baseline golden configuration? Is it following the corporate policy?
(diagram: ArcMC checking ArcSight nodes; non-compliant nodes marked with an X)
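The four-step paradigm (create configuration, add subscribers, push, check compliance) and the compliance-check use case above can be modelled in a few dozen lines. The following is an added illustration written for this page, not ArcMC's own code or API: the GoldenConfig class, the node dictionaries, the "dns" settings and the node names are all constructed here. It shows two ways a subscriber ends up non-compliant that a push alone does not reveal: a push that never reached an unreachable node, and a node whose local configuration drifted after a successful push.

```python
"""Golden-configuration push and compliance check, modelled on the four ArcMC steps.

Added example for this page; GoldenConfig, the node records and the sample
settings are constructed here and are not ArcMC's own implementation.
"""
import copy


def flatten(cfg, prefix=""):
    """Flatten nested dicts into {"a.b": value} so drift can be reported per key."""
    out = {}
    for key, value in cfg.items():
        full = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, full))
        else:
            out[full] = value
    return out


class GoldenConfig:
    """Step 1: a configuration created in the manager. Step 2: subscribers added to it."""

    def __init__(self, name, settings):
        self.name = name
        self.settings = settings
        self.subscribers = {}  # node name -> node record

    def add_subscriber(self, node):
        self.subscribers[node["name"]] = node

    def push(self, reachable=None):
        """Step 3: copy the golden settings onto every subscriber.

        Nodes not in `reachable` (constructed stand-in for a node being down)
        are skipped and reported, so a failed push is not mistaken for success.
        """
        failed = []
        for name, node in self.subscribers.items():
            if reachable is not None and name not in reachable:
                failed.append(name)
                continue
            node["config"][self.name] = copy.deepcopy(self.settings)
        return failed

    def check_compliance(self):
        """Step 4: compare each subscriber's copy key-by-key with the golden settings.

        A subscriber is compliant only when its copy is identical; every
        differing key is listed as (golden value, actual value).
        """
        golden = flatten(self.settings)
        report = {}
        for name, node in self.subscribers.items():
            actual = flatten(node["config"].get(self.name, {}))
            drift = {
                key: (golden.get(key), actual.get(key))
                for key in golden.keys() | actual.keys()
                if golden.get(key) != actual.get(key)
            }
            report[name] = {"compliant": not drift, "drift": drift}
        return report


def demo():
    """Run the four steps on constructed nodes; returns the push failures and the report."""
    # Constructed sample: a DNS configuration pushed to three nodes.
    golden = GoldenConfig("dns", {
        "servers": ["10.0.0.53", "10.0.1.53"],
        "search_domain": "corp.example",
    })
    nodes = [
        {"name": "logger-01", "product": "LOGGER", "config": {}},
        {"name": "logger-02", "product": "LOGGER", "config": {}},
        {"name": "arcmc-02", "product": "ARCMC", "config": {}},
    ]
    for node in nodes:
        golden.add_subscriber(node)

    # logger-02 is unreachable during the push (constructed failure case).
    failed = golden.push(reachable={"logger-01", "arcmc-02"})

    # After the push, someone changes logger-01 locally (constructed drift).
    nodes[0]["config"]["dns"]["servers"] = ["10.0.0.53", "192.0.2.99"]

    return {"failed": failed, "report": golden.check_compliance()}


if __name__ == "__main__":
    result = demo()
    print("push failed for:", result["failed"])
    for name, entry in result["report"].items():
        status = "compliant" if entry["compliant"] else "NON-COMPLIANT"
        print(f"{name}: {status} {entry['drift'] if entry['drift'] else ''}")
```

The point of returning the drift per key rather than a bare yes/no is that the compliance view then tells the operator what to fix; in the sample run, arcmc-02 is compliant, logger-01 shows a changed `servers` value, and logger-02 shows every key missing because the push never reached it.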
Supported Logger configurations
Logger Configuration Backup
Logger SmartMessage Receiver
Logger Transport Receiver
Logger Storage Group
Logger Filter

Supported Connector, ConApp and ArcMC configurations
Connectors: FIPS, Map Files, Parser Override, Syslog Connector, Windows Unified Connector, Bluecoat Connector
Connector Appliance and ArcMC: ConApp/ArcMC Configuration Backup

Supported System Admin configurations
Software: Authentication (External Authentication, Local Password Authentication, Session), User Configuration, SMTP
Hardware: DNS, NTP, Network, SNMP
Use cases Management using groups
Bulk add host: Import hosts
Allows adding hosts in bulk from a Comma Separated Values (.csv) file
Background batch job
Requirement: .csv file with valid host entries
Results of the import hosts job will be stored in a text file at <install_dir>/userdata/arcmc/importhosts/

Create CSV file for bulk add host (screenshot)

Bulk add host using import CSV (screenshot: Import Host CSV File)

ArcMC node management
A node is a managed ArcSight product: Connector, Connector Appliance, Logger, ArcMC
Nodes can be software or hardware form factor
Use cases Update to the latest software
Use case: Update software to the latest release
New ArcSight software release: push new versions of software to connectors, ArcMC appliances and Logger appliances.
(diagram: ArcMC pushing releases to HP ArcSight nodes)

Demo: Update software to the latest release
Use cases Monitoring
Monitoring nodes
ArcMC 2.0 will support monitoring for:
Connector Appliance (hardware and software)
Logger Appliance (hardware and software)
Local and managed ArcMCs (hardware and software)
SmartConnectors

Health data monitored
ArcMC collects health data from managed products at 1-min, 5-min and 1-hour intervals to support charting and alert generation.
CPU
Memory
Disk
Network
EPS In/Out
Event and Queue Stats
Thread Count
Fan, Voltage, Power Supply, Temperature, RAID

Critical alert generation
Breach rules are defined to generate alerts against health data metrics.
Example: Generate a FATAL alert for any Logger whose average CPU usage in the past 5 minutes is greater than 90%
breach.rule[1].product = LOGGER
breach.rule[1].severity = FATAL
breach.rule[1].metric = CPU
breach.rule[1].aggregation = AVG
breach.rule[1].measurement = GREATER
breach.rule[1].value = 90
breach.rule[1].timespan = 5
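To make the breach-rule semantics concrete, here is an added example (written for this page, not ArcMC's alerting engine) that parses rule lines in the `breach.rule[N].key = value` form shown above and evaluates them over constructed 1-minute CPU samples. It goes slightly beyond the slide in supporting MAX/MIN aggregations and a LESS measurement alongside AVG/GREATER; those extra keywords, the node records and the sample values are assumptions made here. Two edge cases are handled deliberately: a node with fewer samples than the rule's timespan is not alerted on (a partial window would average over too little data), and a spike that fell outside the window does not trigger.

```python
"""Parse breach rules in the breach.rule[N].key = value form and evaluate them.

Added example for this page. The rule grammar follows the slide; the extra
aggregation/measurement keywords, node records and samples are constructed.
"""
from collections import defaultdict
import re
import statistics

# The rule from the slide, verbatim.
BREACH_RULES = """
breach.rule[1].product = LOGGER
breach.rule[1].severity = FATAL
breach.rule[1].metric = CPU
breach.rule[1].aggregation = AVG
breach.rule[1].measurement = GREATER
breach.rule[1].value = 90
breach.rule[1].timespan = 5
"""

RULE_RE = re.compile(r"^breach\.rule\[(\d+)\]\.(\w+)\s*=\s*(.+?)\s*$")

# AVG/GREATER are on the slide; MAX, MIN and LESS are assumed extensions.
AGGREGATIONS = {"AVG": statistics.mean, "MAX": max, "MIN": min}
MEASUREMENTS = {"GREATER": lambda observed, limit: observed > limit,
                "LESS": lambda observed, limit: observed < limit}


def parse_breach_rules(text):
    """Group property lines by rule index and return rule dicts ordered by index."""
    grouped = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised rule line: {line!r}")
        idx, key, value = match.groups()
        grouped[int(idx)][key] = value
    rules = []
    for idx in sorted(grouped):
        props = grouped[idx]
        rules.append({
            "id": idx,
            "product": props["product"],
            "severity": props["severity"],
            "metric": props["metric"],
            "aggregation": props["aggregation"],
            "measurement": props["measurement"],
            "value": float(props["value"]),
            "timespan": int(props["timespan"]),  # number of 1-minute samples
        })
    return rules


def evaluate_rule(rule, node):
    """Return an alert dict if the node's last `timespan` samples breach the rule, else None.

    node = {"name": str, "product": str, "samples": {metric: [values, oldest first]}}
    """
    if node["product"] != rule["product"]:
        return None
    series = node["samples"].get(rule["metric"], [])
    window = series[-rule["timespan"]:]
    if len(window) < rule["timespan"]:
        return None  # not enough data for the window yet; do not alert on a partial one
    observed = AGGREGATIONS[rule["aggregation"]](window)
    if MEASUREMENTS[rule["measurement"]](observed, rule["value"]):
        return {"node": node["name"], "rule": rule["id"], "severity": rule["severity"],
                "metric": rule["metric"], "observed": round(observed, 2)}
    return None


def evaluate_all(rules, nodes):
    """Evaluate every rule against every node; returns the list of alerts raised."""
    alerts = []
    for rule in rules:
        for node in nodes:
            alert = evaluate_rule(rule, node)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample health data: one CPU reading per minute, oldest first.
NODES = [
    # last 5 samples average 96 -> breaches the rule
    {"name": "logger-01", "product": "LOGGER", "samples": {"CPU": [40, 45, 95, 96, 97, 98, 94]}},
    # spike is older than 5 minutes; last 5 average 76.6 -> no alert
    {"name": "logger-02", "product": "LOGGER", "samples": {"CPU": [99, 99, 60, 70, 80, 85, 88]}},
    # wrong product for rule 1 -> ignored even though CPU is high
    {"name": "conapp-01", "product": "CONAPP", "samples": {"CPU": [99] * 7}},
    # only 3 samples collected so far -> partial window, no alert
    {"name": "logger-03", "product": "LOGGER", "samples": {"CPU": [99, 99, 99]}},
]


if __name__ == "__main__":
    for alert in evaluate_all(parse_breach_rules(BREACH_RULES), NODES):
        print(alert)
```

Grouping by index first and only then validating each rule is what makes the property format safe to extend: a rule missing a key fails loudly at parse time rather than silently never firing.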
Monitoring levels
Summary: displays alerts/breaches across all the managed products, with per-product severity/alert pie charts
Aggregated per managed product: displays alerts/breaches of a particular product type
Individual product: displays alerts/breaches on a managed node and the different health monitor stats (EPS In/Out, CPU, Memory Utilization, Hardware Stats)
Discussion and Q&A
For more information
Attend these sessions: TB3067, Connector Appliance Migration to ArcSight Management Center
Visit these demos: HP ArcSight demo station; HP ArcSight Management Center demo station
After the event: contact your sales rep. Presentations will be posted after Protect at https://protect724.hp.com/community/events/protectconference

Please give me your feedback
Session TB3133
Speakers: Victor Lee and Bhavika Kothari
Please fill out a survey. Hand it to the door monitor on your way out.
Thank you for providing your feedback, which helps us enhance content for future events.
Thank you