ArcSight 30-Minute Overview Demo Version 1.1
- Pavan Raja

- Apr 8, 2025
- 10 min read
Summary:
The scenario described in this demo is an example of how a Security Information and Event Management (SIEM) tool like ArcSight can be used to effectively manage and respond to a virus outbreak in a network environment. Here’s a summary of the key points and steps involved in this process, as well as some additional context:
### Key Points:
1. **Event Identification**: The initial discovery of the virus was made through an event log from McAfee (NAI EPO), which identified symptoms such as system infections, file modifications, and potential unauthorized access attempts. These events were critical for understanding the scope and nature of the outbreak.
2. **Asset Criticality Consideration**: ArcSight’s capability to consider asset value in correlation rules helped prioritize actions by giving more focus on critical systems over less important ones. This feature is particularly useful in high-stakes situations where resources need to be allocated efficiently.
3. **Remediation List Creation**: Based on the prioritization determined by factors such as asset importance, a list of affected systems was compiled for immediate remediation actions like quarantining infected files, updating security patches, and implementing firewall rules to block further infection vectors.
4. **Reporting**: The generation of reports in ArcSight allows for detailed analysis which can be crucial when communicating the situation internally within the organization or externally with upper management and stakeholders. Custom reports were mentioned as a part of this process.
5. **Visualization and Communication**: Visualizations provided by the dashboard allowed for immediate visual identification of areas with high virus activity, while detailed event listings helped in focusing on specific issues requiring deeper investigation. The final report was sent to management via email for awareness and action across different levels of the organization.
6. **Conclusion**: The overall conclusion is that by leveraging ArcSight’s features such as automated threat correlation, prioritization based on asset value, detailed reporting, and visualization tools, a swift and effective response could be mounted against an emerging virus outbreak. This demonstrates how SIEM solutions can significantly enhance network security operations through proactive monitoring and actionable insights.
### Additional Context:
- **Real-Time Monitoring**: The use of ArcSight’s real-time agent interface allowed for immediate detection of the virus, ensuring that actions could be taken as soon as possible after its identification.
- **Data Integration**: Integrating data from multiple sources like McAfee EPO and other potential sensors within the network provided a comprehensive view of the situation across various endpoints and servers.
- **Automated Correlation**: The ability to automatically correlate events based on predefined rules allowed for quicker detection of patterns that might indicate an attack or infection, facilitating faster response times.
- **Event Inspector**: Utilizing tools like the Event Inspector enabled detailed investigation into specific incidents, providing granular insights into what actions triggered the alerts and how they should be addressed.
Overall, this scenario showcases a well-executed incident response plan using SIEM capabilities to identify threats, prioritize actions based on criticality, and communicate effectively across an organization.
Details:
The provided text outlines a demonstration designed to introduce ArcSight's capabilities to prospects who are unsure of their specific requirements. It highlights two scenarios: a "Zero Day Worm Outbreak" for introducing visualization, investigations, notifications, and active lists; and a "Brute Force Login Scenario" for demonstrating correlation, priority scoring, compliance reporting, and case management.
The demonstration covers several key areas including event sources (Unix Logs, Cisco PIX Firewall, and Cisco Routers), rules applied (Zero Day Worm outbreak and Application Brute Force Logins), and reports generated (Failed Login Report). It also describes the data monitors on a dashboard showing worm spread by system and logical network, moving average spike, worm activity status, and infected systems.
The purpose of this demonstration is to provide an introductory overview that can excite prospects about using ArcSight in their environment for potential solutions to security challenges. The text suggests that if the prospect has specific requirements or use cases, more detailed scenarios should be picked to reinforce support of those requirements.
The provided text outlines a series of steps designed to simulate the initial response by a security analyst to an identified Zero Day Worm Outbreak. The scenario involves setting up a new channel for real-time event viewing and configuring data monitors within a dashboard. Here's a summarized breakdown of the setup, refresh steps, and overall scenario:
1. **Setup Steps:**
   - Create a "Real-Time Event Viewer" active channel similar to the provided screenshot.
   - Ensure this new channel has a default column set.
   - Open the Zero Day Worm Outbreak dashboard and make sure it is displayed as the current panel.
   - Set up the Replay Agent to replay the `wormOutbreak.events` file at a rate of 300 events per minute, but do not start processing yet.
   - Create a new user named "hacker" for simulating failed login attempts.
2. **Refresh Steps:**
   - Clear the data monitor display by disabling and then re-enabling each data monitor within the dashboard.
   - Reset the Replay Agent by pausing, refreshing, and reselecting the `wormOutbreak.events` file without starting event processing.
   - Remove 127.0.0.1 from the system active list, the attackers list, and the suspicious list.
   - Reset the 'hacker' account password.
3. **Scenario Setup:**
   - The analyst receives an email notification on a PDA about a Zero Day Worm Outbreak.
   - The goal is to quickly understand the situation, drill down into detailed events for verification, and obtain the list of infected systems for remediation.
The text also suggests that this scenario setup involves setting up a channel for real-time event viewing and configuring data monitors within a dashboard, followed by refreshing these settings to clear previous data and prepare for analysis of the worm outbreak. The purpose appears to be to practice efficient incident response in a simulated environment before applying similar techniques in a live situation.
This document outlines a detailed process for creating and testing a custom ArcSight correlation rule, which triggers a notification under specific conditions: when a target host experiences a 100% spike in activity towards a particular port, and simultaneously targets at least 10 distinct hosts using the same port. The rule is designed to analyze events from various devices such as UNIX logs, Firewall logs, and Router events.
The demo flow includes several steps for setting up and testing this rule:
1. **Resetting Demo Setup**: Clear previous configurations related to specific IP addresses (e.g., 127.0.0.1) and accounts from the system's active lists of attackers, suspicious users, and reset a user account password.
2. **Replaying Events**: Run the Zero Day Worm replay file twice with adjustments in data monitor settings to ensure proper event graph updates. Describe the dashboard related to this worm and inspect/edit details of a selected event. Switch to the Real-Time Channel Viewer to locate and display events associated with the worm.
3. **Displaying Correlation Rule**: Show the specific correlation rule created for detecting the Zero Day Worm, explaining its actions and effects on infected systems. List all affected systems involved in this attack.
4. **Analyzing Failed Logins**: Navigate to the System Events Last Hour Active Channel to highlight priority 6 events from brute force login attempts and a priority 7 event due to being added to the suspicious list. Demonstrate adding failed login activity to a case and reviewing the failed login report in ArcSight Web.
5. **Graphical Representation**: Switch back to the console graph view of cases to show stages, illustrating workflow aspects of case management.
This flow is crucial for understanding how to set up and validate custom rules within a SIEM tool like ArcSight, ensuring efficient detection and response mechanisms against potential cyber threats.
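The brute force login rule in step 4 produces two kinds of correlation events: a priority 6 event for the failed-login burst itself and a priority 7 event once the source is added to the suspicious list. The following is an added example written for this page, not ArcSight's rule engine or the demo's own rule definition; the threshold of 5 failures within 60 seconds, the event fields, the rule and list names, and the sample log are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample authentication events aimed at the demo's "hacker" account:
# (timestamp in seconds, source address, user name, outcome). Not real log data.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "hacker", "failure"),
    (10, "10.0.0.5", "hacker", "failure"),
    (12, "10.0.0.9", "alice", "failure"),
    (20, "10.0.0.5", "hacker", "failure"),
    (30, "10.0.0.5", "hacker", "failure"),
    (40, "10.0.0.5", "hacker", "failure"),   # 5th failure within 60 s: rule fires
    (45, "10.0.0.9", "alice", "success"),
    (50, "10.0.0.5", "hacker", "failure"),   # still inside the window: fires again
    (60, "10.0.0.5", "hacker", "success"),   # successes are not counted by this rule
]


@dataclass
class CorrelationEvent:
    """A rule-generated event carrying the priority values the text mentions."""
    name: str
    priority: int
    source: str
    timestamp: int


class BruteForceLoginRule:
    """Sliding-window count of failed logins per source address.

    Assumed thresholds: `threshold` failures within `window` seconds.
    Every failure at or past the threshold yields a priority 6 event; the first
    time a source is placed on the suspicious active list yields a priority 7 event.
    """

    def __init__(self, threshold: int = 5, window: int = 60):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # source -> timestamps of recent failures
        self.suspicious_list = set()         # the "suspicious" active list
        self.correlated = []                 # every correlation event produced so far

    def process(self, ts: int, source: str, user: str, outcome: str) -> list:
        if outcome != "failure":
            return []
        recent = self.failures[source]
        recent.append(ts)
        # Drop failures that have aged out of the window.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) < self.threshold:
            return []
        fired = [CorrelationEvent("Application Brute Force Login", 6, source, ts)]
        if source not in self.suspicious_list:
            self.suspicious_list.add(source)
            fired.append(CorrelationEvent("Source Added to Suspicious List", 7, source, ts))
        self.correlated.extend(fired)
        return fired


def run_rule(events=SAMPLE_EVENTS, threshold: int = 5, window: int = 60) -> BruteForceLoginRule:
    """Feed the events through the rule in order and return the resulting rule state."""
    rule = BruteForceLoginRule(threshold, window)
    for event in events:
        rule.process(*event)
    return rule


def filter_by_priority(events: list, minimum: int) -> list:
    """Equivalent of sorting the channel by priority and keeping only the top entries."""
    return sorted((e for e in events if e.priority >= minimum),
                  key=lambda e: e.priority, reverse=True)


if __name__ == "__main__":
    state = run_rule()
    for e in filter_by_priority(state.correlated, 6):
        print(f"{e.timestamp:>4}s  priority {e.priority}  {e.name}  from {e.source}")
    print("suspicious list:", sorted(state.suspicious_list))
```

On the constructed sample the rule fires at the fifth failure (one priority 6 and one priority 7 event) and again at the sixth (priority 6 only, since the source is already on the list); the second source never reaches the threshold and stays off the list.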
This is a guide on how to use a dashboard for monitoring IT security events, specifically addressing a scenario where there's an attack using a worm. Here’s a summary of the steps involved:
1. **Introduction of SmartAgents**: Introduce that while these tools are primarily for testing, you can utilize 140 "out-of-the-box" SmartAgents to quickly deploy and start collecting event data in your environment.
2. **Dashboard Population Observation**: Switch back to the console and observe how the dashboard starts populating with real-time data.
3. **Color Coding Explanation**: Explain the color coding scheme used on the dashboard:
   - Red squares denote the source of the attack.
   - Blue circles represent events that have occurred.
   - White squares indicate targets, which later turn into attackers when they become infected.
4. **Spike in Target Port Activity by Attacker Panel**: Focus on the yellow moving average line and green current activity level to understand spikes in port activity due to the attacker.
5. **Worm Spread Visualization**: Observe the circular layout graph (Worm Spread by System Panel) to get a quick visual of the scale of the attack across systems.
6. **Interacting with Data Monitors**:
   - To undock a data monitor, double-click its header.
   - Hovering over items allows you to potentially drill down to more detailed information, which can be enabled in your dashboard setup if allowed.
   - Re-dock the monitor by clicking the third icon from the right at the top of the window or using Window/Floating/Worm Spread by System if it’s not visible.
7. **Exploring Worm Spread Across Networks**:
   - Notice how the worm spreads logically across different network zones (e.g., Hong Kong external to internal zone, then into San Jose network).
   - Detach this window to get a sense of how deeply the worm has penetrated the network.
8. **Worm Infected Systems Panel**: Highlight systems identified as critical and needing immediate attention due to infection by the worm.
9. **Final Adjustments**: Resize or re-dock the windows to optimize the display, ensuring clear visibility of all relevant data on the dashboard.
This guide provides a step-by-step method for effectively using a dashboard to monitor and analyze IT security threats such as worm attacks, utilizing various visual aids like color coding, graphs, and interactive panels.
To summarize, the provided text outlines a series of steps for using an ArcSight system, including double-clicking status lines to view event details and priorities, filtering events based on priority, drilling down into specific rule events, and analyzing forensic data through detailed chain of events and triggering resources. The benefits mentioned include gaining a high-level understanding with dashboards, focusing on critical events, and ensuring immediate access to all historical data for thorough analysis.
This passage discusses how an analyst can use software like ArcSight to effectively manage and respond to a computer virus outbreak on a network. The process begins with receiving a notification, where the analyst identifies the priority action. They then click on this action within the system, which allows them to set the correlation event's priority.
The passage outlines several potential actions that can be taken using ArcSight, such as automating remediation, identifying infected systems, creating notifications, and executing custom scripts or calling for external systems like Remedy. These steps are important because they help reduce the time needed to address the outbreak (remediation window) and minimize the number of affected systems.
After selecting the "add to infected list" option, the analyst can navigate through the ArcSight system to find and manage this active list. This list includes details about all the infected systems that need attention. By managing these lists effectively with ArcSight, analysts can quickly identify and address issues before they escalate.
The conclusion highlights how advanced correlation rules and automated actions such as notifications and list management have improved the ability of security analysts to detect and stop zero-day worm outbreaks more efficiently than ever before using tools like ArcSight. This methodical approach to virus outbreak management demonstrates how technology can streamline response times and enhance overall network security posture.
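The Zero Day Worm rule described earlier fires when activity toward a port is at least double its moving average (the 100% spike) and a single source has hit at least 10 distinct hosts on that port, and the action discussed here adds the offending system to the infected active list. The following is an added example written for this page that models both parts together; it is not ArcSight's rule language or the demo's rule content. The one-minute buckets, the five-minute moving average, the address ranges and the replay data are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


def constructed_worm_events():
    """Constructed replay data, not the demo's wormOutbreak.events file.

    Each event is (minute, source address, target address, target port).
    Minutes 0-4: two scans per minute give port 445 a quiet baseline.
    Minute 5: patient zero fans out to 12 hosts.
    Minute 6: one of its victims turns attacker and fans out to 10 more.
    """
    events = []
    for minute in range(5):
        for i in range(2):
            events.append((minute, "192.168.1.10", f"192.168.1.{20 + i}", 445))
    for i in range(12):
        events.append((5, "192.168.1.10", f"192.168.1.{100 + i}", 445))
    for i in range(10):
        events.append((6, "192.168.1.100", f"192.168.2.{50 + i}", 445))
    return events


@dataclass
class WormAlert:
    minute: int
    attacker: str
    port: int
    distinct_targets: int
    current_count: int
    moving_average: float


class ZeroDayWormRule:
    """Fires when port activity is at least `spike_ratio` times its moving
    average (2.0 is the 100% spike in the text) AND one source has reached
    `min_targets` distinct hosts on that port within the current minute.
    A firing source is added to the infected-systems active list, so a victim
    that starts scanning is handled exactly like the original attacker.
    """

    def __init__(self, min_targets: int = 10, spike_ratio: float = 2.0, history: int = 5):
        self.min_targets = min_targets
        self.spike_ratio = spike_ratio
        self.history = history
        self.per_minute = defaultdict(lambda: defaultdict(int))  # port -> minute -> count
        self.targets = defaultdict(set)       # (source, port, minute) -> distinct targets
        self.fired = set()                    # one alert per (source, port, minute)
        self.infected = set()                 # the infected-systems active list
        self.alerts = []

    def moving_average(self, port: int, minute: int) -> float:
        """Mean event count on `port` over the `history` minutes before `minute`."""
        window = [self.per_minute[port].get(m, 0) for m in range(minute - self.history, minute)]
        return sum(window) / self.history

    def process(self, minute: int, source: str, target: str, port: int):
        self.per_minute[port][minute] += 1
        key = (source, port, minute)
        self.targets[key].add(target)
        if key in self.fired:
            return None
        avg = self.moving_average(port, minute)
        current = self.per_minute[port][minute]
        # With no baseline there is nothing to spike against: never alert on avg == 0.
        is_spike = avg > 0 and current >= self.spike_ratio * avg
        if not (is_spike and len(self.targets[key]) >= self.min_targets):
            return None
        self.fired.add(key)
        self.infected.add(source)          # the "add to infected list" rule action
        alert = WormAlert(minute, source, port, len(self.targets[key]), current, avg)
        self.alerts.append(alert)
        return alert


def run_worm_demo(events=None, **rule_options) -> ZeroDayWormRule:
    """Replay the events through the rule and return its state (alerts and active list)."""
    rule = ZeroDayWormRule(**rule_options)
    for event in (events if events is not None else constructed_worm_events()):
        rule.process(*event)
    return rule


if __name__ == "__main__":
    state = run_worm_demo()
    for a in state.alerts:
        print(f"minute {a.minute}: {a.attacker} -> {a.distinct_targets} hosts on port {a.port}, "
              f"{a.current_count} events vs moving average {a.moving_average:.1f}")
    print("infected systems active list:", sorted(state.infected))
```

The rule fires once per attacker per minute, at the tenth distinct target, and the second alert shows why the moving average matters: by minute 6 the baseline has already risen to 4 events per minute, so the victim-turned-attacker must exceed 8 events before its fan-out counts as a spike.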
This document outlines a demo for detecting and managing computer virus outbreaks across multiple networks in real-time, using McAfee (NAI EPO) tools. The goal is to rapidly identify infected machines and reduce remediation time to halt the spread of viruses. Here's a summary of the setup and steps involved:
1. **Open the Virus Activity Dashboard** from the Navigator panel. Perform a preliminary Virus Activity report to preload all services, then close it.
2. **Run the replay agent**: Load the `\virusOutbreak.events` file and set the event rate to 500 events per second. Start the event flow to populate the dashboard with relevant data.
3. **Dashboard Setup**: The Virus Activity Dashboard uses a data monitor that visually represents affected networks (red boxes), hosts (green circles), and viruses (white boxes). Larger white boxes indicate more occurrences of the virus, helping prioritize cleaning efforts.
4. **Reports**: Review historical reports such as "Virus Activity/Failed Updates on compliant Systems" to identify systems potentially vulnerable due to outdated updates. The other report, "Virus Activity – Show difference between two time ranges," helps in trend analysis and tracking decreases in virus occurrences over time.
5. **Event Sources**: The events are sourced from McAfee (NAI EPO), with a rule specific for detecting spikes in virus activity across multiple networks but not actively used in this scenario.
6. **Summary of Visual Indicators**: The dashboard provides immediate visual cues to prioritize which systems need attention based on the size of the white boxes, indicating higher occurrences of viruses.
This setup aims to provide an efficient and effective method for IT and security teams to quickly identify and respond to virus outbreaks, ensuring minimal disruption and swift containment.
The scenario involves a security analyst tasked with investigating an unusually high number of virus infections reported by users, which has escalated into a critical situation. To begin the investigation, follow these steps within ArcSight's real-time agent interface:
1. **Pause and Refresh**: Click on 'pause' to halt any further activity, then click 'refresh'. Reopen the 'virusOutbreak.events' file by reselecting it, and finally, click 'continue' to resume the event feed.
2. **Dashboard Review**: Use ArcSight’s Virus Activity Dashboard to visually identify areas of high virus activity. The dashboard features a color-coded system where:
   - Red squares denote targeted network zones.
   - White boxes represent viruses; larger boxes indicate more users affected.
   - Blue circles signify targeted systems.
3. **Drill Down on Specific Issue**: In the Virus Activity Spike-Zone Data Monitor, observe that the SQL Slammer Worm shows a significantly higher activity compared to its moving average. Drill down into this specific issue by clicking on the worm in the Virus Activity Grid. This action will display individual events directly related to the largest issue.
4. **Prioritize and Investigate**: Sort the list of events by priority (right-click and select 'sort' twice for descending order) to focus on the most urgent issues first. Click on a priority 9 item, which should be investigated in detail using the Event Inspector:
   - Pay attention to the Target address, as it is crucial for understanding the affected systems and their locations within the network.
This step-by-step approach allows for quick visual identification of the virus outbreak, prioritization of critical issues, and immediate remediation based on detailed analysis of individual events.
The text describes a process for handling a virus outbreak using ArcSight, a security information and event management (SIEM) tool. Here's a summary of the steps taken:
1. **Event Identification**: A virus was detected in a specific file with details like machine name, username, file name, virus name, and product name and version. This initial discovery is tied to a mission-critical asset, prompting an immediate high priority.
2. **Asset Criticality Consideration**: ArcSight allows for the consideration of asset value in correlation rules, which automatically lowers the priority if the affected asset has low value. This feature differentiates it from other SIM vendors lacking such sophistication.
3. **Remediation List Creation**: Based on the prioritization determined by critical factors like asset importance, a list of affected systems is compiled for remediation efforts.
4. **Reporting**: Before commencing with remediation, a management report about the current virus outbreak is prepared and sent to upper management. ArcSight offers flexibility in reporting; it has 250 pre-built reports that can be run on demand or customized as needed. The specific "Virus Activity" report was generated during this phase.
5. **Visualization and Communication**: The report, formatted as a PDF, is sent to management via email for visibility. This enables the security analyst to focus on ongoing remediation tasks while providing upper-level management with an overview of the situation.
6. **Conclusion**: Through the use of ArcSight's features like graphical dashboards, prioritized events, and customizable reporting, a virus outbreak was swiftly detected, assessed, and acted upon based on asset criticality. This efficient handling demonstrates how SIEM tools can enhance security operations by providing real-time insights and actionable information.
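Steps 1 to 4 above describe a detection arriving with its device fields, the priority being adjusted by asset criticality, and a remediation list being compiled and sorted. The following is an added example written for this page that carries those steps through on constructed data; it is not ArcSight's priority formula (which this page does not give) or the demo's report. The asset model, the per-band adjustment values, the 0 to 10 severity scale and the sample detections are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed asset model: machine name -> criticality band. In a SIEM this comes
# from the asset inventory; these entries are illustrative only.
ASSET_MODEL = {
    "sql-prod-01": "very_high",
    "hr-fileserver": "high",
    "dev-laptop-17": "low",
}

# Assumed adjustment per criticality band. Unknown assets get no adjustment on
# purpose: a host you cannot classify should not be quietly de-prioritised.
CRITICALITY_ADJUST = {"very_high": 2, "high": 1, "medium": 0, "low": -2}


@dataclass
class VirusEvent:
    """The detection fields the text lists, plus the derived scoring fields."""
    machine: str
    user: str
    file_name: str
    virus_name: str
    product: str
    severity: int                 # device-reported severity, 0-10 scale (assumed)
    priority: int = 0             # filled in by score()
    criticality: str = "unknown"  # filled in by score()


def score(event: VirusEvent) -> VirusEvent:
    """Derive the correlation priority from device severity and asset criticality."""
    event.criticality = ASSET_MODEL.get(event.machine, "unknown")
    adjusted = event.severity + CRITICALITY_ADJUST.get(event.criticality, 0)
    event.priority = max(0, min(10, adjusted))
    return event


def remediation_list(events: list) -> list:
    """Score every detection and order it as the console does: highest priority first.

    Python's sort is stable, so detections with equal priority keep arrival order.
    """
    return sorted((score(e) for e in events), key=lambda e: e.priority, reverse=True)


def management_summary(ordered: list) -> dict:
    """Counts per criticality band, the kind of rollup a management report would carry."""
    return dict(Counter(e.criticality for e in ordered))


# Constructed detections, not from the demo's virusOutbreak.events file.
SAMPLE_DETECTIONS = [
    VirusEvent("dev-laptop-17", "jsmith", "C:\\temp\\setup.exe", "SQL Slammer Worm", "VirusScan 8.0", 7),
    VirusEvent("sql-prod-01", "svc_sql", "C:\\inetpub\\x.dll", "SQL Slammer Worm", "VirusScan 8.0", 7),
    VirusEvent("hr-fileserver", "hr_admin", "D:\\share\\doc.exe", "SQL Slammer Worm", "VirusScan 8.0", 6),
    VirusEvent("kiosk-3", "guest", "C:\\users\\guest\\a.exe", "SQL Slammer Worm", "VirusScan 8.0", 7),
]


if __name__ == "__main__":
    ordered = remediation_list(SAMPLE_DETECTIONS)
    for e in ordered:
        print(f"priority {e.priority:>2}  {e.machine:<14} criticality={e.criticality:<9} "
              f"severity={e.severity}  {e.virus_name}")
    print("summary:", management_summary(ordered))
```

Two detections with identical device severity end up four priority points apart purely because of the asset model, which is the behaviour step 2 describes; the unclassified kiosk keeps its raw severity, so it lands above the low-value laptop rather than being lowered along with it.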