The ArcSight Compliance Tool Kit

November 9, 2018 | Author: srmv59 | Category: Information Security, Regulatory Compliance, Audit, Malware, Surveillance


The ArcSight Compliance Tool Kit

Morris Hicks, Consulting Technical Director

© 2009 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.

Risks are Real and Invite Regulation

Compliance in a Nutshell

1. Document/define
– Business processes
– Critical cyber assets

2. Internal controls
– Properly defined

Compliance in a Nutshell (cont.)

3. Implement a secure and auditable log archive
– Converge disparate sources
– Normalize formats
– Capture high event rates
– Transit slow, remote links
– Establish search, analysis, and reporting

4. Enable event alerting and response
– Real-time monitoring
– Rapid notification
– Intelligent response

5. Integrate views of who took action, how and when

The ArcSight Approach to Compliance

– Prepackaged content: Auditors (SOX, HIPAA, PCI, NERC, ITGOV, FISMA)
– Share best practices
– Extend the platform: custom use case development


Controls

– In most cases, regulations do not specify a comprehensive set of controls
– Frameworks: ISO 27002:2005 (formerly ISO 17799), NIST SP 800-53, COBIT 4
– Other drivers of controls: audit findings, security assessment findings, organizational policy

ArcSight Auditors

– Prepackaged content to address the most common controls: SOX, PCI, NERC, HIPAA, FISMA
  – Logger: reports, searches, alerts
  – ESM: rules, reports, dashboards
– ISO 27002-based
– Network modeling: identify regulated systems, categorize regulated systems, import active list data

ArcSight Auditors (cont.)

– Content relies on many data sources: IDS, OS, IAM; the solution guide lists the 20 necessary data sources
– UCI (Use Case Identifier) discerns functional content
– UCI demo (parts 1 and 2)

Real-time Dashboards

– Graphical summary
– Highly configurable
– Drill down for detail

Rule Actions & Reports

– Rules may initiate actions: notifications, case creation
– Reports: scheduled, on demand

Active Channels

– Live event collection




Auditors Based on ISO Framework (ISO 27002 section: use cases)

– Introductory Sections: not applicable
– Risk Assessment & Treatment: Security Overview; Security Policy; Policy Violations; High Risk Event Analysis; New Services and Hosts
– Organization of Information Security: Reporting on Cases
– Asset Management: Asset Inventory Reporting; Data Classification Reporting & Monitoring
– Human Resources Security: Watching New Hires & Former Employees
– Physical & Environmental Security: Physical Building Access; Internet Usage Reporting and Monitoring

Auditors Based on ISO Framework (cont.)

– Communications & Operations Management: Configuration Management (File & Configuration Changes, Maintenance Schedules); Audit Trails; Separation of Development, Test, & Operations Facilities; Malicious Code Monitoring; IP Address/User Name Attribution
– Access Control: User Management (User Access); Authorization Changes; Password Policy; Privileged Accounts (Administrative Access); Network Services (including routing, firewall, & VPN); Segregation of Networks; Role Based Access Monitoring

Auditors Based on ISO Framework (cont.)

– Information Systems Acquisition, Development & Maintenance: Certificate Management
– Information Security Incident Management: Internal Reconnaissance
– Business Continuity Management
– Further use cases on this slide, whose section column did not survive extraction: Intellectual Property Rights & Information Leaks; Attack Monitoring; Vulnerability Management; Escalated Threats; Highly Critical Machines; Personal and Company Information Resource Misuse (excessive email, illegal content downloads, etc.); Policy Breaches (P2P, IM, etc.)

Common Compliance Applications

What are the most common ArcSight compliance applications?
– Access monitoring
– Configuration management
– Attacks and malicious code
– Audit trail
– Network segmentation

Extending the Core Capability of Auditors

How are customers extending the core capability of the auditors?

ISO Section 10 – Communications & Operations Management
– Configuration Management: modifications to application binaries, configuration files/tables and other sensitive files/tables; report and review of all configuration changes; policy change attempts and unscheduled changes
– Audit Trail: audit logs cleared/deleted; audit logs unavailable (i.e. not received); attempts to disable/change auditing
– Attacks and Malicious Code: high severity attacks; IDS attacks followed by login from the attacking host; attacks from regulated systems; antivirus, P2P, spyware and infections

Extending the Core Capability of Auditors (cont.)

ISO Section 11 – Access Controls
– Administrative Access: successful and unsuccessful logins; local administrative user created or administrative rights granted; administrative actions (su, sudo, file modification, etc.)
– User Access: successful and unsuccessful logins; local user created; user created followed by access to a regulated system; privilege granted followed by access to a regulated system; user activity reports
– Unauthorized Access: administrative connections from an unauthorized host; access to an unauthorized service; unauthorized user access; new authorized user
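Two of the extended use cases above, "IDS attack followed by login from the attacking host" (Section 10) and "privilege granted followed by access to a regulated system" (Section 11), have the same shape: a later event joined to an earlier one on a shared field within a time window. The Python below is an added illustration of that sequence rule, not ArcSight content or the Auditors' own rule logic; the event schema, field names, addresses, users and timestamps are constructed for the example, and the regulated-host set stands in for an ESM active list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified normalized events (not ArcSight's schema): each has a
# timestamp, an event class and the fields the two rules join on.
EVENTS = [
    {"ts": "2009-03-02T09:00:05", "cls": "ids_attack", "src": "10.9.8.7", "dst": "10.1.1.20", "sev": 8},
    {"ts": "2009-03-02T09:04:10", "cls": "login_success", "src": "10.9.8.7", "dst": "10.1.1.20", "user": "svc_backup"},
    {"ts": "2009-03-02T09:30:00", "cls": "ids_attack", "src": "10.9.8.8", "dst": "10.1.1.21", "sev": 8},
    {"ts": "2009-03-02T10:45:00", "cls": "login_success", "src": "10.9.8.8", "dst": "10.1.1.21", "user": "admin"},  # 75 min later: outside window
    {"ts": "2009-03-02T11:00:00", "cls": "privilege_granted", "user": "jdoe", "actor": "admin"},
    {"ts": "2009-03-02T11:12:00", "cls": "login_success", "src": "10.2.2.2", "dst": "10.1.1.20", "user": "jdoe"},
]
# Constructed stand-in for an active list of regulated systems.
REGULATED_HOSTS = {"10.1.1.20", "10.1.1.21"}

def followed_by(events, first_cls, second_cls, key, window, second_filter=lambda e: True):
    """Generic sequence rule: a second_cls event whose join value (key(e)) matches an
    earlier first_cls event inside `window` produces a finding (join value, timestamp).
    Each trigger fires once; stale first events outside the window are discarded."""
    pending = defaultdict(list)   # join value -> timestamps of unmatched first events
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["cls"] == first_cls:
            pending[key(e)].append(t)
        elif e["cls"] == second_cls and second_filter(e):
            k = key(e)
            pending[k] = [t0 for t0 in pending[k] if t - t0 <= window]
            if pending[k]:
                findings.append((k, e["ts"]))
                pending[k] = []
    return findings

def attack_then_login(events):
    """Section 10 use case: join IDS attack and later login on the attacking source address."""
    return followed_by(events, "ids_attack", "login_success",
                       key=lambda e: e["src"], window=timedelta(minutes=30))

def privilege_then_regulated_access(events):
    """Section 11 use case: join privilege grant and later login on the user name,
    counting only logins whose destination is a regulated system."""
    return followed_by(events, "privilege_granted", "login_success",
                       key=lambda e: e["user"], window=timedelta(hours=24),
                       second_filter=lambda e: e.get("dst") in REGULATED_HOSTS)
```

The second attack/login pair is deliberately outside the 30-minute window, so only the first pair and the jdoe privilege grant produce findings.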

Extending the Core Capability of Auditors (cont.)

ISO Section 12 – Information Systems Acquisition, Development & Maintenance
– Change Management: changes made outside of the maintenance window; correlate change requests to implemented changes; changes performed by personnel not in an appropriate role
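The three change-management checks above can be evaluated for each observed configuration change against the approved change request, its maintenance window and a role list. The Python below is an added example, not ArcSight code or the Auditors' content; the tickets, hosts, users, windows and change events are constructed for the illustration, and the role table stands in for an IAM feed.

```python
from datetime import datetime

# Constructed approved change requests: target host, assignee and approved window.
CHANGE_REQUESTS = {
    "CHG-1001": {"host": "db01", "assignee": "dba_kim", "window": ("2009-03-03T22:00", "2009-03-04T02:00")},
    "CHG-1002": {"host": "web02", "assignee": "ops_lee", "window": ("2009-03-03T22:00", "2009-03-04T02:00")},
}
# Constructed role membership and the role allowed to change each host.
ROLES = {"dba": {"dba_kim"}, "ops": {"ops_lee"}, "dev": {"dev_raj"}}
ROLE_FOR_HOST = {"db01": "dba", "web02": "ops"}

# Constructed configuration-change audit events, each citing a ticket (or none).
CHANGES = [
    {"ts": "2009-03-03T23:10", "host": "db01", "user": "dba_kim", "ticket": "CHG-1001"},
    {"ts": "2009-03-03T15:30", "host": "db01", "user": "dba_kim", "ticket": "CHG-1001"},   # outside window
    {"ts": "2009-03-03T23:20", "host": "web02", "user": "dev_raj", "ticket": "CHG-1002"},  # wrong role
    {"ts": "2009-03-03T23:25", "host": "web02", "user": "ops_lee", "ticket": None},        # no request
]

def review_change(change, requests=CHANGE_REQUESTS, roles=ROLES, role_for_host=ROLE_FOR_HOST):
    """Return the control exceptions for one change event (empty list = compliant)."""
    issues = []
    req = requests.get(change["ticket"]) if change["ticket"] else None
    # Correlate the change to an approved request for the same host.
    if req is None or req["host"] != change["host"]:
        issues.append("no matching change request")
    else:
        # Only a matched request has a maintenance window to test against.
        start, end = (datetime.fromisoformat(x) for x in req["window"])
        if not start <= datetime.fromisoformat(change["ts"]) <= end:
            issues.append("outside maintenance window")
    # Check that the actor holds the role permitted to change this host.
    required = role_for_host.get(change["host"])
    if required and change["user"] not in roles.get(required, set()):
        issues.append(f"user not in {required} role")
    return issues

def review_all(changes=CHANGES):
    """Map (timestamp, host) of every change to its list of exceptions."""
    return {(c["ts"], c["host"]): review_change(c) for c in changes}
```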

ArcSight Approach to Compliance

– Prepackaged content: Auditors, based on the ISO framework, with a use case identifier
– Best practices: engagement drivers, common applications of the technology
– How the platform can be extended: custom use case development


Maximizing Value

– Articulate requirements
  – Select controls from the discussed best practices
  – Sample control matrix
  – Audit results (internal/external)
  – Security assessment results/penetration tests
  – Security policy & procedures
  – Interviews with key personnel (PMO, Internal Audit, Compliance, InfoSec)
  – Architecture overview
– Prioritize controls for implementation
– Align resources
  – Personnel for interviews
  – System access for technology implementation

How ArcSight Can Help

– Convey industry and customer best practices
– Provide a sample control matrix
– Define technical dependencies for selected controls
– Implement the solution
– Training/knowledge transfer
– Provide a solution roadmap
