© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
ArcSight Threat Response Manager (TRM) virtual appliance
Lee-Lan Yip, CISSP, ArcSight Sr. Product Line Manager
Victor Tham, ESP Presales Manager
Agenda
• TRM virtual appliance overview
• Security use cases
• Value proposition
• Differentiation
ESM and TRM integration overview
Implementation and deployment
Threat Response Manager (TRM) overview
Challenge: security response to incidents is too long
Security team discovers an incident —rogue hosts, virus/malware, botnets, nefarious users…
Do you know how to stop it? Do you know what else is affected?
Do you know where it is?
[Diagram: where the incident may be: home VPN, branch office, public network, public VPN, wireless hot-spot, remote workers, corporate HQ, mobile users]
Solution: TRM instantly locates, analyzes and mitigates incidents
• Reduce the impact of security incidents on your business
• Shorten the time required to respond to incidents directly from ESM
• Ensure accuracy via the investigate, locate and simulate engine
• Quarantine users or devices based on intelligent workflow
• Create a record of response plans and actions taken
[Diagram: detect / respond / track loop. ArcSight ESM: collect, analyze & prioritize, alert. ArcSight TRM virtual appliance: investigate, simulate, test; notify or quarantine; report and document.]
ArcSight TRM dramatically reduces the time to effectively respond, and through the application of business rules TRM conforms to corporate compliance policy.
Reliable | repeatable | reversible | auditable
Shrink “response window” to a few seconds
[Chart: current window of vulnerability versus the TRM response window]
Value proposition
ArcSight TRM: calculated, effective response
How to think about TRM
TRM is like the sprinkler in your fire system
Alarm + sprinkler
TRM functions – where, what and how
Locate
• Determine node, endpoint or user access
• Provide router/switch access information
• Self-documenting engine provides “as-is” configured state
Analyze
• Determine control point closest to node
• Determine best method to quarantine node
• Determine impact of quarantining node
Quarantine
• Disable switch ports
• Set MAC filters
• VLAN quarantine
• Block IP traffic
• Disable VPN session
• Disable user account
[Diagram: multiple quarantine options for different impact. Control points shown: authentication/directory server, wired switch infrastructure, router, firewall/VPN, Internet, wireless infrastructure, mobile user. Actions shown: set MAC filter, disable switch port, put on quarantine VLAN, disable user, remove VPN user, IP traffic control, change ACL.]
Threat Response Mitigation: ESM and TRM Integration
Overview of infected host use case:
• User sees notification of infected asset
• Investigate event details
• View map of the attack
• Investigate the node under attack
• Simulate quarantine
• Quarantine system
• Confirm quarantine
• Review commands issued
• View quarantined systems
• Remove system from quarantine once cleaned
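The locate / analyze / quarantine functions from the earlier slide and the infected-host workflow above, worked through as an added example that is not ArcSight TRM code. It is a small Python model over a constructed ARP table, switch MAC tables and a VPN session table; every host address, switch and port name, the CLI-style command string and the protected-asset rule are assumptions made for the demo, and the command strings are stand-ins rather than any vendor's real syntax. The model picks the control point closest to the node (the port that has learned the fewest MACs, so the access port rather than an uplink), ranks the quarantine options by collateral impact, supports a simulate-only run, refuses an action that a business rule forbids, and records every command together with its rollback so the quarantine is reversible and auditable.

```python
"""Illustrative locate -> analyze -> quarantine -> release workflow.
Added example, not ArcSight TRM code: topology tables, CLI-style command
strings and the protected-asset rule are all constructed for the demo."""
from dataclasses import dataclass, field

ACCESS_VLAN, QUARANTINE_VLAN = 20, 999

# Constructed inventory, standing in for data a real tool pulls from routers/switches.
ARP_TABLE = {                            # IP -> MAC, learned from the edge router
    "10.1.20.15": "00:11:22:33:44:55",   # infected workstation
    "10.1.20.16": "00:11:22:33:44:66",   # IP phone daisy-chained on the same port
    "10.1.20.40": "00:11:22:33:44:77",   # critical server, covered by a business rule
    "10.1.20.41": "00:11:22:33:44:88",   # remote user, only known to the VPN concentrator
}
MAC_TABLES = {                           # switch -> port -> MACs learned on that port
    "sw-dist-01": {"Te1/1/1": ["00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:77"]},
    "sw-access-01": {"Gi1/0/7": ["00:11:22:33:44:55", "00:11:22:33:44:66"],
                     "Gi1/0/9": ["00:11:22:33:44:77"]},
}
VPN_SESSIONS = {"00:11:22:33:44:88": ("fw-vpn-01", "jdoe")}   # MAC -> (concentrator, user)
PROTECTED_IPS = {"10.1.20.40"}           # rule: never quarantine these automatically

@dataclass
class Location:
    ip: str
    mac: str
    control_point: str   # device that can enforce the quarantine
    attachment: str      # switch port, or VPN username
    kind: str            # "switch" or "vpn"

@dataclass
class Plan:
    method: str
    commands: list
    rollback: list
    collateral: set = field(default_factory=set)   # other IPs the action would also cut off

@dataclass
class Task:
    location: Location
    plan: Plan
    command_log: list = field(default_factory=list)   # (mode, command) pairs: the audit trail
    active: bool = False

def locate(ip):
    """Locate: IP -> MAC -> control point closest to the node. Uplinks learn the same
    MAC; the edge port is the one that has learned the fewest MACs, so pick that."""
    mac = ARP_TABLE.get(ip)
    if mac is None:
        raise LookupError(f"{ip} not in ARP table")
    seen = [(len(macs), switch, port)
            for switch, ports in MAC_TABLES.items()
            for port, macs in ports.items() if mac in macs]
    if seen:
        _, switch, port = min(seen)
        return Location(ip, mac, switch, port, "switch")
    if mac in VPN_SESSIONS:
        device, user = VPN_SESSIONS[mac]
        return Location(ip, mac, device, user, "vpn")
    raise LookupError(f"no control point found for {ip} ({mac})")

def candidate_plans(loc):
    """Analyze: every quarantine option at the control point, with its collateral impact."""
    dev, att, mac = loc.control_point, loc.attachment, loc.mac
    if loc.kind == "vpn":
        return [Plan("disable_vpn_session", [f"{dev}: logoff vpn user {att}"],
                     [f"{dev}: allow vpn user {att}"])]
    port_macs = MAC_TABLES[dev][att]
    peers = {ip for ip, m in ARP_TABLE.items() if m in port_macs and ip != loc.ip}
    return [
        Plan("mac_filter",                       # hits only this MAC
             [f"{dev}: mac-filter drop {mac} vlan {ACCESS_VLAN}"],
             [f"{dev}: no mac-filter drop {mac} vlan {ACCESS_VLAN}"]),
        Plan("quarantine_vlan",                  # hits everything on the port
             [f"{dev}: interface {att} vlan {QUARANTINE_VLAN}"],
             [f"{dev}: interface {att} vlan {ACCESS_VLAN}"], peers),
        Plan("disable_port",                     # hits everything on the port
             [f"{dev}: interface {att} shutdown"],
             [f"{dev}: interface {att} no shutdown"], peers),
    ]

def analyze(loc):
    """Choose the option with the least collateral; refuse if a protected asset would be hit."""
    best = min(candidate_plans(loc), key=lambda p: len(p.collateral))
    hit = (best.collateral | {loc.ip}) & PROTECTED_IPS
    if hit:
        raise PermissionError(f"business rule blocks action: protected {sorted(hit)}")
    return best

def quarantine(ip, simulate=False):
    """Simulate (log only) or execute the plan; either way every command is recorded."""
    loc = locate(ip)
    task = Task(loc, analyze(loc))
    for cmd in task.plan.commands:
        task.command_log.append(("SIMULATE" if simulate else "EXEC", cmd))
    task.active = not simulate
    return task

def release(task):
    """Remove from quarantine once cleaned: replay the recorded rollback commands."""
    if not task.active:
        raise ValueError("not an active quarantine")
    for cmd in task.plan.rollback:
        task.command_log.append(("EXEC", cmd))
    task.active = False
    return task
```

Running `quarantine("10.1.20.15", simulate=True)` locates the workstation on sw-access-01 Gi1/0/7 rather than the distribution uplink, chooses the MAC filter because disabling the port or moving it to the quarantine VLAN would also cut off the daisy-chained phone at 10.1.20.16, and leaves nothing active; `release()` on a live task replays the rollback so the command log shows both the action and its reversal. Attempting the server at 10.1.20.40 raises `PermissionError` from the business rule before any command is recorded.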
View map of the attack (from TRM)
View attacker, target, and related networking details
From the attacker address, right-click and select TRM Command - Attacker-Target Map
Review commands issued (from TRM)
Next to each task in the quarantine list is a “Command Log” link listing the commands that were issued.
Remove system from quarantine (from TRM)
After the asset has been cleaned, select it and click “Remove Quarantined Nodes”.
Customer perspective
“Since we deployed TRM over a year ago, we have been able to quarantine all cyber security attacks before any major damage has taken place.”
–Systems Engineer, Federal Government
ArcSight TRM customer case study: government research lab
Company overview
• Large government-funded research lab
• Conducts advanced research with grants from government
• Tens of thousands of employee and non-employee visitors accessing the network at all hours of the day
Challenges and opportunities
• Little control over a large number of internal and external unmanaged endpoints connecting to the network
• Needed to provide access to network resources while also operating in a secure environment
• Needed to quarantine suspicious endpoints not their own
Results
• Located compromised or rogue hosts and isolated them from the network
• Changes made during threat response were documented and linked to the incident
• Changes were made while following the pre-defined change management process
Customer perspective
“Integration of a 3rd party security application with ArcSight TRM drastically improved our uptime, cut our cost of ‘repairs’ of critical endpoints and gave us the confidence to instantaneously react whenever a problem is detected.”
–Senior Security Analyst
Use case: medical center customer success profile
Company overview
• Large hospital group
• Delivers advanced IP, data, voice service and solutions to business and government
• 32,000+ employees
Challenges and opportunities
• 15-20 problem events per week detected by a 3rd party security application
• Manual processes were inefficient and impractical
• Disruption could severely impact the surgical department as well as continued healthcare
Results
• Tight integration between the 3rd party security application and ArcSight TRM
• Instantaneous quarantining action on critical events
• 24/7/365 protection of the environment
• Fully automated reporting
Summary
• ArcSight TRM simplifies and automates critical parts of the threat response life cycle
• Tight integration with ESM or AE and other products avoids the loss of critical time to respond and eliminates potential mistakes
• Node investigation identifies the target in seconds versus minutes or hours
• Quarantine simulation delivers impact analysis of the planned action
• Rule system protects critical assets and provides control
• Full history log and recorded execution detail
Implementation options for ArcSight TRM
ArcSight ESM (integration commands or TRM connector for Fully Automated Response)
3rd party integration (CLI)
Works with existing network equipment, no changes required
[Diagram: ArcSight TRM virtual appliance connected to remote VPN, wired and wireless infrastructure]
Implementation and deployment
End-to-End HP ArcSight Security Solution
• Threat mitigation “off-the-shelf” integration with ESM or AE
• Reduce time spent in investigation
• Fast response to attacks
• Support enterprise workflow authorization
Standalone Threat Response Application
• No dependency on ESM/AE or any other ArcSight product purchase
• Completely standalone threat response offering
• “Off-the-shelf” multi-vendor device support (Cisco, Juniper, HP, etc.)
• SOC or NOC offering
• Supports virtualization (VMware)
3rd Party Security Application Integration
• Open SOAP API integration with 3rd party applications
• Full TRM functionality enabled
Supported Devices
• Major router, switch and security device vendors: Cisco, Juniper, HP (ProCurve and H3C), Dell, Check Point, Blue Coat, FortiGate, etc.
• Option to develop a custom driver
Thank you
Security for the new reality