Tips and Tricks for MSSPs Leveraging HPE Security ArcSight ESM to Win Proof of Concepts
TRANSCRIPT
Confidential - Proficio, Inc
Tips and Tricks for MSSPs Leveraging ArcSight ESM to Win Proof of Concepts
…“Make ArcSight Great Again” Was Not Approved as a Title to this Presentation

Introducing the Speakers
Bryan Borra, SOC and SIEM Director
Bryan manages the SIEM and SOC teams at Proficio. He previously worked at SAIC / Leidos / McAfee. He’s nicknamed “SIEM Destroyer” for creating the wrong content at the wrong time for a few SIEM instances.
Jordan Knopp, SIEM Content Engineer
Jordan leads the development of SIEM content for several key contracts for Proficio’s ProSOC Services. He also currently serves as Proficio’s in-house machine learning solution.
Tristan Reed, SIEM Content Engineer
Tristan leads the development of SIEM monitoring solutions for several products. He has recently been engaged in monitoring cloud platforms and specializes in bricking IoT devices to be used in demos.
Proficio, Southern California and Singapore based MSSP
Proficio is an award-winning MSSP that leverages HPE ArcSight ESM to provide a multitenant SIEM-as-a-Service offering along with 24x7 SOC monitoring (ProSOC).

Agenda
Introduce common problems we encounter as an MSSP
Detail solutions to these issues, including:
1. Running efficient reports
2. Deploying effective content architecture
3. Monitoring new cloud data sources

Reports: Modern Visuals

Reports: What We See

Reports: What Our Customers Told Us

Concurrently Running Reports Limit
Limit of 5 concurrently running reports (“NumberOfReportsCurrentlyQueryingDB”)
Ref: /All Dashboards/ArcSight Administration/ESM/System Health/Resources/Reporting/Report Details

Reports: What We Asked Ourselves

Reports Requirements as an MSSP
Run hundreds of reports on a weekly basis
Have customized templates for branding and client
Be able to provide SIEM-as-a-Service around reporting
Never overload the reporting engine

Reports Templates: Header / Footer
Toggling the header and footer bubble will change the view of the whole template but only affect…

Reports Templates
Easy Hex Picker: http://www.ginifab.com/feeds/pms/pms_color_in_image.php
Select “Properties” on any chart control and then select “advanced” on the “Chart” tab

Reports: Trends and Active Lists
Higher EPS as an MSSP, lower report performance
SIEM-as-a-Service issues
Demand for monthly and weekly reports
Overload on scheduled reports for Fridays and Mondays

Reports: Trends Versus Active Lists
Trends:
Less than 1,000,000 events in a month
Usually have to schedule hourly
Can go back on historical data
Delays on collection by hour / day
More trend failures
Harder to set up than lists
Advantage of aggregation
Active Lists:
Less than 100,000 events in a month
Driven by simple rules
Real-time as events are collected
Rules can trigger on repetition
Advantages of keys and value fields
TTLs are straightforward to manage
Session lists…what are those?

Reports: Common Reports
Built from trends or active lists:
IDPS events of interest
Antivirus events
Event collection statistics
Webfilter event statistics
Windows account logon failures
Windows group changes
Windows account lockouts
Firewall admin commands
Windows user account modifications
Special security devices

Sample Active List / Trend Setup
Active list path: Rule Action: Add to List -> Add to Reporting List (sample: Windows Group Changes)
Trend path: Schedule Hourly Trend -> Gather Reporting Trend (sample: IDPS Events of Interest)

Reports: Common Reports
1. IPS Summary
2. Windows Failed Logons
3. Firewall Command Summary
4. Blacklisted IP Correlation

Reports: Special Reports
1. CrowdStrike Summary
2. DARKTRACE Summary
3. Cylance Summary

Reports: Portal Reporting Solution
Choose Report Time -> Choose Presentation -> Choose Recipients

Content Architecture
Rule management
Designing rules for scalability
Additional correlation layers

Thinking Ahead

Rule Management
Requirements:
Accommodate blanket changes to multiple rules
Rules should be easily readable
Minimize complexity creep
Achievable through layers of abstraction

Additional Correlation Layer: Overview
Base / Aggregated Events
-> Lower-level correlation rules: AV Critical Threat Detected, IDS Spyware Detected, Vulnerability Scanning, Destination IP Watchlist, Super APT Zero Day, …etc.
-> Notification Rule (checks whitelists, checks destination)
-> Rule Action: Send Notification / Rule Action: Create Case

Advantages of Correlation Layering
Easier to manage: changes can be applied at a higher level (akin to CSS for HTML)
Easier to maintain: reduces clutter by distributing additional conditions
Low impact: efficient conditions are easy to create

Managing Rules
Rule Actions

Conditions at Higher Correlation Layer
Efficient conditions:
1. Set a unique value as an action in the lower correlation rules (lower-level rule action)
2. Type = Correlation
Ref “All operators are not created equal”: https://www.protect724.hpe.com/docs/DOC-11160

Conditions at Higher Correlation Layer
Using filters:
1. Filters have a smaller performance impact in this layer
2. Filter names provide built-in documentation

Correlation Layering
Independent Rules:
Changes applied individually to each rule
Difficult to annotate
Increasingly complex/inefficient
Additional Correlation Layer:
Most changes applied only on one rule
Annotation through filters
Very efficient
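An added example, not code from the deck or from ArcSight itself: a small Python model of the two-layer rule architecture described above, in which the lower rules tag their correlation events with a unique value and a single notification rule carries the type/marker conditions, the whitelist and destination filters, and the notification or case action. The MARKER value, the Event fields, and the sample rules, filters and addresses are assumptions.

```python
from dataclasses import dataclass

MARKER = "PROSOC_NOTIFY"  # assumed unique value the lower rules write into a custom field

@dataclass
class Event:
    name: str
    type: str              # "Base" or "Correlation", as ESM classifies events
    src: str
    dst: str
    marker: str = ""       # assumed custom string field carrying MARKER

# Lower correlation layer: each rule only states what it detects and sets the
# marker as its rule action. No notification or whitelist logic lives here.
LOWER_RULES = {
    "AV Critical Threat Detected": lambda e: e.name.startswith("AV:") and "critical" in e.name,
    "IDS Spyware Detected": lambda e: e.name.startswith("IDS:") and "spyware" in e.name,
    "Destination IP Watchlist": lambda e: e.dst in {"203.0.113.7"},  # constructed watchlist entry
}

# Named filters used by the higher layer; the filter names double as documentation,
# and a whitelist change is made here once instead of in every lower rule.
FILTERS = {
    "Whitelisted Sources": lambda e: e.src in {"10.0.0.5"},  # constructed: vulnerability scanner
    "Internal Destination": lambda e: e.dst.startswith(("10.", "192.168.")),
}

def run_lower_layer(base_events):
    """Fire each lower rule; every match yields a marker-tagged correlation event."""
    return [Event(rule, "Correlation", e.src, e.dst, MARKER)
            for e in base_events for rule, cond in LOWER_RULES.items() if cond(e)]

def notification_rule(ev):
    """Higher layer. The cheapest, most selective checks (type, marker) come first."""
    if ev.type != "Correlation" or ev.marker != MARKER:
        return None                       # not produced by the lower layer: ignore
    if FILTERS["Whitelisted Sources"](ev):
        return "suppress"
    if FILTERS["Internal Destination"](ev):
        return "create_case"              # Rule Action: Create Case
    return "send_notification"            # Rule Action: Send Notification

def process(base_events):
    """Whole pipeline: (lower rule name, higher-layer action) per fired correlation event."""
    return [(c.name, notification_rule(c)) for c in run_lower_layer(base_events)]
```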

Effects of Correlation Layering: Before / After

Monitoring the Cloud: Sales Perspective

Monitoring the Cloud
Cloud Computing Services
Adapting Your View to IaaS
Building Use Cases

Cloud Computing Services
IaaS / PaaS / SaaS

Adapting Your View To IaaS
Same requirements for assets in the cloud
Monitoring infrastructure (as a service)
Amazon Web Services Infrastructure = Traditional View:
Security Groups = Firewall Policies
VPC Flow = Firewall Traffic
AWS API Calls (CloudTrail) = Infrastructure Management
Instances, Images, and Snapshots = Logical Infrastructure Hosting Assets

Building Use Cases (AWS)
Identify available data sources
Implement business context modeling
Identify possible attack vectors
Identify malicious activity

Identify Data Sources (AWS)
Leverage Existing Audit Capabilities: AWS CloudTrail, Amazon CloudWatch
Identify Assets of Security Interest:
Compute: Amazon EC2 (AMI, instances)
Storage: Amazon S3 (snapshot, bucket)
Database: Amazon DynamoDB, Amazon RDS, Amazon Redshift
Networking: Amazon VPC (flow logs, VPN gateway)

Implement Business Context Modeling
1. Regular maintenance schedules (creating snapshots)
2. Authorized schedule for AWS account access
3. Typical locations (source addresses) for AWS access
4. Whitelist roles for 3rd party AWS accounts (e.g. CloudTrek)

Identify Potential Attack Vectors (AWS)
Vulnerable Web Services in an EC2 Instance. Example: Server Side Request Forgery to the Meta-Data Server
Spear Phishing: an AWS developer’s credentials stolen via malicious email
Unprotected Access Keys: a developer hard-coded credentials in a publicly accessible repository like GitHub

Identifying Events of Security Interest
Modifications to Security Groups
Creating Snapshots / Loading into Volumes
Running New Instances
User Policies
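An added example that is not part of the presentation: a CloudTrail triage pass in Python that applies the four business-context items from the modeling slide (maintenance window, authorized hours, typical source addresses, whitelisted 3rd-party roles) to the events of security interest listed above. The eventName values are real CloudTrail names; the hours, address ranges, role ARN and sample records are constructed.

```python
import json
from datetime import datetime

# Business context from the modeling slide (all values constructed for this example)
MAINTENANCE_UTC_HOURS = range(2, 4)         # 1: snapshots expected 02:00-03:59 UTC
AUTHORIZED_UTC_HOURS = range(8, 19)         # 2: account access expected 08:00-18:59 UTC
TYPICAL_SOURCE_PREFIXES = ("198.51.100.",)  # 3: office egress range
WHITELISTED_ROLE_ARNS = {"arn:aws:iam::111122223333:role/ThirdPartyBackup"}  # 4: 3rd-party role

# Events of security interest from the slide, mapped to CloudTrail eventName values
EVENTS_OF_INTEREST = {
    "AuthorizeSecurityGroupIngress": "security group modified",
    "RevokeSecurityGroupIngress": "security group modified",
    "CreateSnapshot": "snapshot created",
    "CreateVolume": "volume created (possibly loaded from a snapshot)",
    "RunInstances": "new instance launched",
    "PutUserPolicy": "user policy changed",
    "AttachUserPolicy": "user policy changed",
}

def triage(record):
    """Return the reasons one CloudTrail record deserves analyst attention ([] if none)."""
    name = record.get("eventName")
    if name not in EVENTS_OF_INTEREST:
        return []
    issuer = record.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {})
    if issuer.get("arn") in WHITELISTED_ROLE_ARNS:
        return []                                    # approved 3rd-party role (item 4)
    reasons = [EVENTS_OF_INTEREST[name]]
    src = record.get("sourceIPAddress", "")
    if not src.startswith(TYPICAL_SOURCE_PREFIXES) and not src.endswith(".amazonaws.com"):
        reasons.append("atypical source " + src)     # item 3; calls made by AWS services are excluded
    hour = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour  # CloudTrail times are UTC
    if name == "CreateSnapshot":
        if hour not in MAINTENANCE_UTC_HOURS:
            reasons.append("snapshot outside maintenance window")  # item 1
    elif hour not in AUTHORIZED_UTC_HOURS:
        reasons.append("outside authorized access hours")          # item 2
    return reasons

def triage_log(lines):
    """Parse newline-delimited CloudTrail records; return {eventID: reasons} for flagged ones."""
    return {r["eventID"]: rs for r in map(json.loads, lines) if (rs := triage(r))}

SAMPLE_LOG = [  # constructed records, one JSON object per line
    '{"eventID":"e1","eventName":"CreateSnapshot","eventTime":"2024-03-04T02:15:00Z","sourceIPAddress":"198.51.100.10","userIdentity":{"type":"IAMUser"}}',
    '{"eventID":"e2","eventName":"AuthorizeSecurityGroupIngress","eventTime":"2024-03-04T23:40:00Z","sourceIPAddress":"203.0.113.50","userIdentity":{"type":"IAMUser"}}',
    '{"eventID":"e3","eventName":"RunInstances","eventTime":"2024-03-04T10:00:00Z","sourceIPAddress":"198.51.100.22","userIdentity":{"type":"AssumedRole","sessionContext":{"sessionIssuer":{"arn":"arn:aws:iam::111122223333:role/ThirdPartyBackup"}}}}',
    '{"eventID":"e4","eventName":"DescribeInstances","eventTime":"2024-03-04T10:00:00Z","sourceIPAddress":"198.51.100.22","userIdentity":{"type":"IAMUser"}}',
]
```

Running triage_log(SAMPLE_LOG) keeps e1 as a routine snapshot and flags e2 three times, while e3 (whitelisted role) and e4 (read-only call) drop out.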

Questions?
www.Proficio.com
Thank you