The ArcSight Compliance Tool Kit

The ArcS Ar cSig ight ht Compl om plii ance nc e Tool oo l Kit K it

Morris Hicks Consulting Technical Director © 2009 ArcSight, ArcSight, Inc. All rights reserved. reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.

Ri sk sks s ar e Real and Invit nv ite e Regul gu l ation ti on

Compliance in a Nutshell 1. Document/define –

Business processes

–

Critical cyber assets

2. Internal controls –

Properly defined

–

Monitored

–

Enforced

Compliance in a Nutshell (cont.) 3. Implement a secure and auditable log archive –

Converge disparate sources

–

Normalize formats

–

Capture high event rates

–

Transit slow, remote links

–

Establish search, analysis, and reporting

4. Enable event alerting and response –

Real-time monitoring

–

Rapid notification

–

Intelligent response

–

Workflow

–

Documentation

5. Integrate views of who took action, how and when

The ArcSight Approach to Compliance 

Prepackaged content—auditors (SOX, HIPAA, PCI, NERC, ITGOV, FISMA)



Share best practices



Extend the platform—custom use case development



Roadmap

Controls 

Regulations don’t specify a comprehensive set of controls, in most cases



Frameworks – ISO 27002:2005 (formerly 17799) – NIST SP 800-53 – COBIT 4



Other drivers of controls –  Audit findings – Security assessment findings – Organizational policy

 ArcSight Auditors 

Prepackaged content to address most common controls—SOX, PCI, NERC, HIPAA, FISMA – Logger: reports, searches, alerts – ESM: rules, reports, dashboards



ISO 27002-based



Network modeling – Identify regulated systems – Categorize regulated systems – Import active list data

 ArcSight Auditors 

Content relies on many data sources – IDS – OS – IAM – Solution guide lists the necessary 20 data sources



UCI (Use Case Identifier) discerns functional content – UCI DEMO!

UCI DEMO (part 1)

UCI DEMO (part 2)

Real-time Dashboards 

Graphical summary



Highly configurable



Drill down for detail

Rule Actions & Reports 

Rules may initiate actions – Notifications – Case creation



Reports – Scheduled – On demand

 Active Channels Live event collection 

Filter 



Sort



Drilldown

 Auditors Based on ISO Framework ISO

Topic

Use Cases

1-3

Introductory Sections

Not Applicable

4

Risk Assessment & Treatment

Security Overview

Security Policy

Policy Violations

5

High Risk Event Analysis

New Services and Hosts 6

Organization of Information Security

Reporting on Cases

7

Asset Management

Asset Inventory Reporting Data Classification Reporting & Monitoring

8

9

Human Resources Security

Watching New Hires & Former Employees

Physical & Environmental Security

Physical Building Access

Internet Usage Reporting and Monitoring

 Auditors Based on ISO Framework ISO

Topic

Use Cases

10

Communications & Operations Management

Configuration Management (File & Configuration Changes, Maintenance Schedules) Audit Trails Separation of Development, Test, & Operations Facilities Malicious Code Monitoring IP Address/User Name Attribution

11

Access Control

User Management (User Access) Authorization Changes Password Policy Privileged Accounts (Administrative Access) Network Services (including routing, firewall, & VPN) Segregation of Networks Role Based Access Monitoring

 Auditors Based on ISO Framework ISO

Topic

Use Cases

12

Information Systems Acquisition, Development & Maintenance

Certificate Management

Information Security Incident Management

Internal Reconnaissance

Business Continuity Management

Availability

Compliance

Intellectual Property Rights & Information Leaks

13

14

15

Attack Monitoring Vulnerability Management

Escalated Threats

Highly Critical Machines

Personal and Company Information Resource Misuse (excessive email, illegal content downloads, etc.) Policy Breaches (P2P, IM, etc.)

Common Compliance Applications What are the most common ArcSight compliance applications? 

 Access monitoring



Configuration management



 Attacks and malicious code



 Audit trail



Network segmentation

Extending the Core Capability of Auditors How are customers extending the core capability of the auditors? ISO

Use Case

Examples

Section 10 Communications & Operations Management

Configuration Management

Modifications to application binaries, configuration files/tables and other sensitive files/tables Report and review of all configuration changes Policy change attempts, unscheduled changes

Audit Trail

Audit logs cleared/deleted Audit logs unavailable, i.e. not received Attempt to disable/change auditing

Attacks and Malicious Code

High severity attacks, IDS attacks followed by login from attacking host Attacks from regulated systems Antivirus, P2P, spyware, infections

Extending the Core Capability of Auditors ISO

Use Case

Examples

Section 11 – Access Controls

Administrative Access

Successful and unsuccessful logins Local administrative user created or administrative rights granted Administrative actions (su, sudo, file modification, etc.)

User Access

Successful and unsuccessful logins Local user created, user created followed by access to regulated system, privilege granted followed by access to regulated system User activity reports

Unauthorized Access

Administrative connections from unauthorized host Access to unauthorized service Unauthorized user access, new authorized user

Extending the Core Capability of Auditors ISO

Use Case

Examples

Section 12 – Info-Systems Acquisition, Development & Maintenance

Change Management

Changes made outside of maintenance window Correlate change request to implemented changes Changes performed by personnel not in an appropriate role

 ArcSight Approach to Compliance 

Prepackaged content –  Auditors – Based on ISO framework – Use case identifier 



Best practices – Engagement drivers – Common applications of the technology



How the platform can be extended—custom use case development



Roadmap

Maximizing Value  Articulate requirements



– Select controls from discussed best practices – Sample control matrix –  Audit results (internal/external) – Security assessment results/penetration tests – Security policy & procedures – Interviews with key personnel (PMO, Internal Audit, Compliance, InfoSec) –  Architecture overview 

Prioritize controls for implementation

 Align resources



– Personnel for interviews – System access for technology implementation

How ArcSight Can Help 

Convey industry and customer best practices



Provide sample control matrix



Define technical dependencies for selected controls



Implement the solution



Training/knowledge transfer 



Provide solution roadmap