ArcSight SIEM and data privacy best practices

Similar documents

HP ArcSight SIEM and data privacy best practices

ArcSight Express Administration and Operations Course

Configuring an ArcSight Smart- Connector to collect events from Kaspersky Admin Kit 8.0

Panorama Overview. Palo Alto Networks. Panorama Administrator s Guide Version 6.0. Copyright Palo Alto Networks

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router

Protecting Communication in SIEM systems

HP ESP 2013 Solution Roadmap

How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip

Configuring Security Features of Session Recording

Terminal Services vs. Remote Desktop Connection in Windows 2000 and Windows White Paper

What is SIEM? Security Information and Event Management. Comes in a software format or as an appliance.

Protect Your Universe with ArcSight

Blue Coat Systems. Reference Guide. WCCP Reference Guide. For SGOS 5.3

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

Privileged Identity Management for the HP Ecosystem

Tech Brief. Choosing the Right Log Management Product. By Michael Pastore

Scalability in Log Management

Complying with PCI Data Security

How To - Implement Clientless Single Sign On Authentication with Active Directory

Blue Coat Systems. Reference Guide. WCCP Reference Guide. For SGOS

Security Operations Metrics Definitions for Management and Operations Teams

Configuring Role-Based Access Control

Cisco ASA and NetFlow Using ASA NetFlow with LiveAction Flow Software

McAfee SIEM Alarms. Setting up and Managing Alarms. Introduction. What does it do? What doesn t it do?

Virtual Networking Features of the VMware vnetwork Distributed Switch and Cisco Nexus 1000V Series Switches

Chapter Replication in SQL Server

Home Phone Call Forward Guide

McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course

CRM Global Search: Installation & Configuration

Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel

Setting up Microsoft Office 365

How to utilize Administration and Monitoring Console (AMC) in your TDI solution

Lab Developing ACLs to Implement Firewall Rule Sets

Configuring a VPN between a Sidewinder G2 and a NetScreen

Document Security. ados.com ADOS Corporation ADOS Corporation

Setting up Microsoft Office 365

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

DeviceLock Management via Group Policy

RUNNING TRACKER ON A TERMINAL SERVER

How to Setup SQL Server Replication

Triple DES Encryption for IPSec

Administration Guide BES12. Version 12.3

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

NetScreen s Approach to Scalable Policy-based Management

BEST PRACTICES. Systems Management.

Administering Group Policy with Group Policy Management Console

VPN SECURITY POLICIES

Netgear ProSafe VPN firewall (FVS318 or FVM318) to Cisco PIX firewall

SAP Business Objects Security

Understanding Route Aggregation in BGP

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client

DI-804HV with Windows 2000/XP IPsec VPN Client Configuration Guide

Configuring Security for FTP Traffic

Security Provider Integration Kerberos Server

Lab a Configure Remote Access Using Cisco Easy VPN

Getting Started with Multitenancy SAP BI 4.1

Converting Prospects to Purchasers.

Enforcive / Enterprise Security

Naverisk 2013 R3 - Road Map

Authorize.net modules for oscommerce Online Merchant.

CNW Re-Tooling Exercises

Routing concepts in Cyberoam

FIREWALLS IN NETWORK SECURITY

Role Based Administration for LDMS 9.0 SP2

Common Event Format Configuration Guide

anomaly, thus reported to our central servers.

SHARING FILE SYSTEM RESOURCES

YubiKey PIV Deployment Guide

Basic Exchange Setup Guide

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Best practices and use cases for consistent, enterprise-wide SIEM security policy management

Manage Log Collection. Panorama Administrator s Guide. Version 7.0

An Oracle White Paper January Oracle Database Firewall

Lab Configure IOS Firewall IDS

SECUR IN MIRTH CONNECT. Best Practices and Vulnerabilities of Mirth Connect. Author: Jeff Campbell Technical Consultant, Galen Healthcare Solutions

Demonstrating the ROI for SIEM: Tales from the Trenches

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

Microsoft Present and Future

How to configure Exchange Smart Host

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

An Oracle White Paper January Oracle Database Firewall

PIX/ASA 7.x with Syslog Configuration Example

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1

HOWTO: How to configure IPSEC gateway (office) to gateway

DEMONSTRATING THE ROI FOR SIEM

Cisco ASA. Administrators

Basic Exchange Setup Guide

Installing Policy Patrol on a separate machine

How to Create a Delegated Administrator User Role / To create a Delegated Administrator user role Page 1

Darstellung Unterschied ZyNOS Firmware Version 4.02 => 4.03

EventTracker: Integrating Imperva SecureSphere

CSN38:Tracking Privileged User Access within an ArcSight Logger and SIEM Environment Philip Lieberman, President and CEO

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

How To: Configure a Cisco ASA 5505 for Video Conferencing

Create, Link, or Edit a GPO with Active Directory Users and Computers

Configuring a Custom Load Evaluator Use the XenApp1 virtual machine, logged on as the XenApp\administrator user for this task.

Transcription:

ArcSight SIEM and data privacy best practices Frank Lange, Sr. Sales Engineer

A StreetView example 2

Data privacy in the SIEM world National data protection laws Data privacy guidelines Workers council requirements Use cases: Protect user related data - still do correlation Prevent the forwarding of specific events outside of a legal entity still retain them locally 3

Elements we will talk about ESM/Express ArcSight Connector Logger 4

Connector

Connector obfuscation configuration Destination specific setting in <agentid.xml>.\current\user\agent\3nojt4xebabcbus8g8bxhnw==.xml One or many fields Uses md5 hash algorithm One way operation High performance <Config AgentId="3nOjT4xEBABCBuS8G8BXhnw==... <Setting ProcessingSettings.fieldstoobfuscate= "attackerusername,targetusername />... </Config> 6

Connector obfuscation ESM console view 7

ESM/Express

ESM/Express role-based access Access Control Lists (ACL) based on User Groups with inheritance 9

ESM/Express I. FieldSets FieldSet A number of fields in specific order ActiveChannel allows default FieldSet Adhoc customizable (Add/Remove Column) 10

ESM/Express II. Event Filter Restricts access to a subset of events Based on standard Filters Enforced on User Group level Transparent to the user 11

ESM/Express III. Actors IdentityView Granular restriction via ACL Restriction on all Actors/a Domain/Types Allows Mixed Mode 12

ESM/Express III. Actors Not an all-or-nothing option, allows view of Actor data based on membership level 13

Logger

Logger Search Group Filter Restricts access to a subset of events only Restriction based on user group membership transparent to the Logger user RegEx filters Applies on peer Loggers Performance on RegEx speed 15

All together

A powerful mix example scenario Only obfuscated events to ESM ArcSight ESM/Express Search Special User with Logger Integration Command can search for unobfuscated data on remote Logger within ESM console Connector Destination specific obfuscation Logger Only special user is allowed to access unobfuscated data on Logger 17

Summary Multi-layer approach Impact on SIEM design Correlation and data privacy at the same time Like a StreetView for SIEM 18

Thank you

Security for the new reality