ArcSight Audit Quality SIEM Solution - Whitepaper
- Pavan Raja

- Apr 8, 2025
- 9 min read
Summary:
This passage primarily focuses on how ArcSight ensures data integrity in its security event management system through various measures. Here’s a breakdown of the key points:
1. **Confidentiality**: ArcSight SmartConnectors use encrypted SSL connections to protect log data from unauthorized access, ensuring that only authorized personnel can view it. The data is classified as "confidential" and shared with only those who have a distinction of duty.
2. **Integrity**: To maintain the integrity of the data, ArcSight Connectors normalize security event data according to NIST 800-92 standards. This includes preserving the original data without changes and maintaining a chain of custody through timestamps from each component that processes the event.
3. **Availability**: The system is designed for high availability with local caching at remote sites, which helps in mitigating effects of connectivity loss between different locations or central log aggregation points. This ensures that critical information is not lost due to network issues.
4. **Audit Quality SIEM Solution**: ArcSight Audit Quality SIEM Solution provides automated failover capabilities and supports reliable transmission and storage of critical event data, minimizing the risk of data loss during audit investigations.
5. **Data Integrity in ArcSight ESM**: ArcSight Logger and Enterprise Security Manager (ESM) are designed to maintain data integrity with features such as digital signing, compression, and chunking of archived data into sequenced digests, which preserve both confidentiality and integrity.
6. **Compliance with NIST Standards**: ArcSight follows NIST 800-92 guidelines by using the Common Event Format (CEF), which includes built-in encryption capabilities and authentication mechanisms to ensure data confidentiality and integrity.
7. **Authentication Methods**: ArcSight offers flexibility in authentication methods like RADIUS, Microsoft Active Directory, two-factor authentication, or custom JAAS plug-in configurations to meet customer preferences. Access to ESM is controlled by group permissions.
In summary, the passage emphasizes the importance of maintaining data integrity in security event management systems through adherence to standards, use of secure technologies, and flexible authentication methods. This ensures that sensitive information remains confidential, data is not tampered with (integrity), and access to the information is granted only to authorized personnel.
Details:
The whitepaper titled "ArcSight Audit Quality SIEM Solution" provides a comprehensive overview of ArcSight's security information and event management (SIEM) solution. Key points include:
1. **Event Time Formats**: Event timestamps may be recorded in either twelve-hour or twenty-four-hour formats, with time zones indicated by different notations, and the original data may label the field Event Time, Timestamp, or Date and Time. Normalizing these values into one consistent format makes analysis and reporting more efficient.
2. **Broad Event Collection**: Effective SIEM requires collecting events across a wide range of devices and systems, including routers, VPNs, firewalls, physical access systems, and applications and servers from hundreds of different manufacturers. ArcSight addresses this through its event normalization capabilities in components such as ArcSight Connectors, Logger, and ESM.
3. **Simplified Deployment and Management**: The solution is designed to be scalable from small to enterprise scales without compromising performance or efficiency. It provides a straightforward approach to managing large amounts of log data.
4. **Normalization Process**: Normalization involves converting diverse event values into a standardized schema, which simplifies analysis and reporting across different types of devices and systems in an enterprise environment.
5. **Wide Compatibility and Scalability**: ArcSight can manage raw events in formats like Syslog or other third-party logs from hundreds of commercial products, making it versatile for various security operations.
In summary, the whitepaper outlines how ArcSight's SIEM solution addresses the complexities of managing diverse event data across multiple devices and systems, providing a normalized framework that simplifies compliance audits, enhances security posture, and supports service level agreements through efficient log management and analysis.
The ArcSight CEF format consists of over 400 fields, which allows log data to be mapped and categorized for advanced correlation to detect security threats and fraudulent activities in real-time. Despite the different formats used by various devices such as Cisco PIX and routers from the same company, ArcSight's connector technology uses the Common Event Format (CEF) to ensure that data is consistently formatted and normalized before being stored or correlated in a common database. This process helps in efficiently collecting, storing, archiving, and correlating log data from 275+ event sources. The use of CEF facilitates accurate real-time processing and aids analysts in deriving meaning from the log data, despite the differences in formats between devices.
The provided information discusses the concept of data normalization in log management, specifically within ArcSight systems for SIEM (Security Information and Event Management) solutions. It explains that when logging data is normalized, it is converted into a standardized format with consistent labeling across devices, making correlation easier among different sources. This process involves converting values like dates, times, IP addresses, and protocol types to a common standard format.
ArcSight utilizes a comprehensive normalization schema that allows for the storage of log data in a unified location using consistent formats. The system categorizes and subcategorizes data into structured categories which facilitate easier identification of similar events from various sources without requiring detailed knowledge of specific event syntaxes for each vendor or platform. This capability also enables seamless integration of new data sources without needing to rewrite reports or correlation rules, as demonstrated by the example of a company with two types of IDS solutions now being integrated within the same categorization framework.
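As an added example (not code from the whitepaper or from ArcSight), the following Python sketch shows the normalization described above and in the timestamp item of the Details list: it parses a CEF header and extension with their escaping rules, maps differently labelled 12-hour and 24-hour timestamps to ISO 8601 UTC, canonicalizes the protocol field, and keeps the untouched line in a `raw` field. The sample lines, zone table and schema field names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input (not from the whitepaper): a CEF event and a vendor line with a labelled 12-hour timestamp.
CEF_LINE = ("CEF:0|Vendor\\|Co|Firewall|1.0|100|Blocked connection|5|src=10.0.0.5 "
            "dst=192.0.2.10 proto=TCP rt=Mar 02 2025 14:05:30 msg=policy\\=deny")
PLAIN_LINE = "Event Time: 03/02/2025 02:05:30 PM EST host=fw1 proto=6"
TZ_HOURS = {"UTC": 0, "GMT": 0, "EST": -5, "EDT": -4, "PST": -8, "PDT": -7}  # simplified
TIME_FORMATS = ("%b %d %Y %H:%M:%S", "%m/%d/%Y %I:%M:%S %p", "%Y-%m-%dT%H:%M:%S")
LABELS = re.compile(r"^(?:Event Time|Timestamp|Date and Time):\s*(.+?)(?=\s+\w+=|$)")
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)(?<!\\)=")  # unescaped key= in extension
PROTO_NAMES = {"6": "TCP", "17": "UDP", "1": "ICMP"}

def normalize_time(text, default_tz="UTC"):
    """Turn a 12h/24h timestamp with an optional zone suffix into ISO 8601 UTC."""
    parts = text.strip().split()
    tz = parts.pop().upper() if parts and parts[-1].upper() in TZ_HOURS else default_tz
    for fmt in TIME_FORMATS:
        try:
            naive = datetime.strptime(" ".join(parts), fmt)
        except ValueError:
            continue
        aware = naive.replace(tzinfo=timezone(timedelta(hours=TZ_HOURS[tz])))
        return aware.astimezone(timezone.utc).isoformat()
    return None  # unparseable: leave event_time unset rather than guess

def parse_extension(ext):
    """Split 'key=value key2=value with spaces' pairs, honouring CEF escaping."""
    keys, fields = list(EXT_KEY.finditer(ext)), {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=").replace("\\\\", "\\")
    return fields

def normalize_event(line):
    """Map one log line onto a common schema while keeping the raw text intact."""
    event = {"raw": line}  # untouched original, retained for forensic review
    if line.startswith("CEF:"):
        head = re.split(r"(?<!\\)\|", line, maxsplit=7)  # split only on unescaped pipes
        names = ("version", "vendor", "product", "dev_version", "class_id", "name", "severity")
        event.update({n: h.replace("\\|", "|").replace("\\\\", "\\") for n, h in zip(names, head)})
        event.update(parse_extension(head[7]) if len(head) > 7 else {})
    elif m := LABELS.match(line):  # vendor line with a labelled timestamp
        event.update(parse_extension(line[m.end():]), rt=m.group(1))
    for key in ("rt", "end", "start"):  # CEF keys that carry event time
        if key in event:
            event["event_time"] = normalize_time(event[key])
    if "proto" in event:
        event["proto"] = PROTO_NAMES.get(event["proto"], event["proto"].upper())
    return event
```

Both sample lines end up with the same `event_time`, `proto` and source-address field names, which is what lets one correlation rule or report cover devices from different vendors.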
The document further highlights that ArcSight's approach helps in achieving consistent data handling across different devices and platforms, making it easier for users to track and correlate events from multiple sources efficiently. This method also reduces dependency on administrators who would otherwise need detailed knowledge of each vendor’s event syntax. The benefits include improved cross-device reporting capabilities, faster identification of relevant security incidents, and more efficient management of diverse data sources through standardized categorization.
The document concludes with a list of vendors that have formally committed to supporting the Common Event Format (CEF) standard, which aligns with ArcSight's approach to normalization and categorization in log management. These include Vontu, AirTight Networks, CipherOptics, Vericept, Reconnex, Third Brigade, Lancope, DeepNines, Applied Identity, PowerTech, AirDefense, RADware Inflight (formerly Covelight), SanDisk, and Aruba Networks.
The article highlights the certifications and standards that ArcSight has achieved to ensure its effectiveness in handling various data types from heterogeneous sources, which is particularly useful for companies looking to adopt or certify their products with the CEF (Common Event Format) standard. Some key points include:
1. **Certifications**: ArcSight has undergone rigorous evaluations such as Common Criteria evaluation, FIPS 140 certification, and a third-party assessment against the Federal Rules of Evidence by Kahn Consulting Inc., which have helped it meet stringent industry standards.
2. **Compliance with Industry Standards**: The platform is compliant with both U.S. Federal Rules of Evidence (through the "copy provision") and supports the process of normalization as per NIST 800-92 standard, making it suitable for use in forensic investigations.
3. **Security Features**: ArcSight's products are certified against specific protection profiles and standards, including NIAP EAL-3 (Augmented) certification against the IDS protection profile and FIPS 140-2 certified encryption for communication channels, and have been STIG evaluated and accredited at various DoD and intelligence agencies.
4. **Integration Capabilities**: The product supports the DoD Common Access Card (CAC) and HSPD-12 cards, indicating its ability to interoperate in complex environments.
5. **Industry Standards Adoption**: ArcSight is the originator of the Common Event Format (CEF) standard and has been recognized by Gartner as a Leader in multiple years in the Magic Quadrant for SIEM solutions. It also receives various industry awards, demonstrating its standing in the market.
6. **Partnership Program**: For companies interested in adopting or certifying their products with CEF compatibility, ArcSight offers the Common Event Format certification program which includes documentation, access to a hosted ArcSight ESM solution for testing and web support as part of the certification process.
Overall, these achievements and features highlight ArcSight's position as a robust and secure platform in the field of SIEM (Security Information and Event Management) solutions, backed by stringent industry standards and certifications.
This summary discusses preserving raw event information in ArcSight for forensic purposes. It explains two methods for storing raw log data: directly sending it to ArcSight Logger or adding it as an extra field in normalized (CEF) events. Both techniques aim to maintain the integrity of raw logs while ensuring a chain of custody with timestamps from each processing component. The key point is that the ArcSight normalization process retains 100% of original data without alteration, and this approach helps maintain the quality of raw logs for forensic analysis or litigation purposes.
The first method (sending raw logs to Logger) uses third-party tools or scripts to extract audit data from the application layer and write it to a log file. The log files are rotated on a schedule and placed in a directory that Logger has read permission for. Logger connects to the systems over a secure protocol (e.g., SCP or SFTP) at regular intervals, collects the log files, and writes them to a local storage group named "RAW".
The second method is to enable the "Preserve Raw Event" option in ArcSight SmartConnectors, which stores the entire text of the raw event in a field of the normalized event in the ArcSight schema. Some sources, such as Windows and Check Point logs, have no true raw text because their events are stored in binary structures; the option is still applied to those sources so that the data is preserved for later reporting, alerting, and forwarding.
The passage emphasizes the importance of maintaining the integrity of security event data for effective multidimensional correlation, monitoring, alerting, and reporting within tools like ArcSight ESM. It highlights that the accuracy and reliability of this data are crucial, as even minor discrepancies can lead to inaccurate audit results or doubts about the validity of audit reports. To ensure data integrity, compliance with standards such as NIST 800-92 Log Management is essential, and technologies used for collecting log data must be available, secure, and protected from modifications. The passage also mentions that ArcSight, a company focused on enhancing security against cyber threats, adheres to these principles in its approach to providing robust solutions for log management and event correlation.
The concept of C.I.A. (Confidentiality, Integrity, and Availability) plays a crucial role in ensuring the proper handling and management of log data within the ArcSight system. This framework ensures that sensitive information remains secure, is not altered or tampered with, and can be accessed when needed.
ArcSight SmartConnectors are designed to maintain confidentiality by using an encrypted SSL connection for communication between components like ArcSight Logger and ArcSight ESM. They classify log data as "confidential" and only share it with authorized personnel who have a distinction of duty. To protect the integrity of the data, ArcSight Connectors normalize security event data according to NIST 800-92 standards, preserving the original data without changes and maintaining a chain of custody through timestamps from each component that processes the event.
The availability of log data is ensured by providing local caching at remote sites, which helps in mitigating the effects of connectivity loss between different locations or central log aggregation points. This ensures that critical information is not lost due to network issues, contributing to a more reliable and resilient system for handling and managing log data.
ArcSight Audit Quality SIEM Solution is designed to address the challenge of lost or unsent log data during audit investigations by providing automated failover capabilities, ensuring reliable transmission and storage of critical event data. The solution includes connectors that support failover to a secondary centralized destination (Logger or ESM) in case the primary destination becomes unavailable. This setup guarantees minimal loss of data and maintains the integrity of logs related to compliance violations.
ArcSight Logger and ArcSight Enterprise Security Manager (ESM) are both integral components of this SIEM solution. ArcSight Logger is a specialized appliance that accepts only secure SSL connections and enforces access through authentication and group permissions for granular control. All archived log data from Logger is digitally signed, compressed, and chunked into sequenced digests to maintain confidentiality and integrity.
ArcSight ESM is architected for high availability through discrete components, automatic restart mechanisms, and cached event queues. It also automatically suspends and resumes operations during database failures, so processing continues under adverse conditions. For network security, ArcSight recommends carrying traffic between ESM and its database over a dedicated crossover cable, which keeps that traffic off the network and minimizes the risk of man-in-the-middle (MITM) attacks.
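As an added example (not code from the whitepaper or ArcSight's own implementation) of the chain of custody described earlier and the signed, compressed, sequenced digests described for Logger archives: each chunk of records is compressed, hashed, chained to the previous digest, and signed together with the custody stamps that each handling component appends, so verification detects altered content, missing or reordered chunks, and edited stamps. HMAC with one constructed shared key stands in for a real digital signature, and the component names, records and key are illustrative.

```python
import hashlib, hmac, json, zlib
from datetime import datetime, timezone

# Constructed key and records (not from the whitepaper). HMAC stands in for the
# digital signature a real archive would use; every component shares KEY here.
KEY = b"example-archive-signing-key"
RECORDS = [f"2025-03-02T14:05:{i:02d}Z fw1 src=10.0.0.{i} act=blocked" for i in range(5)]
GENESIS = "0" * 64  # digest that the first chunk chains back to

def _sign(key, chunk):
    """Bind sequence number, chain link, custody stamps and content digest under one tag."""
    body = json.dumps({k: chunk[k] for k in ("seq", "prev", "digest", "custody")}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def stamp(chunk, component, key, at=None):
    """Append a custody entry for the component that handled the chunk and re-sign."""
    chunk["custody"].append([component, at or datetime.now(timezone.utc).isoformat()])
    chunk["sig"] = _sign(key, chunk)
    return chunk

def seal_chunks(records, key, component, chunk_size=2, at=None):
    """Compress records in fixed-size chunks and chain their digests in sequence."""
    chunks, prev = [], GENESIS
    for seq, start in enumerate(range(0, len(records), chunk_size)):
        blob = zlib.compress("\n".join(records[start:start + chunk_size]).encode())
        chunk = {"seq": seq, "prev": prev, "digest": hashlib.sha256(blob).hexdigest(),
                 "blob": blob, "custody": []}
        chunks.append(stamp(chunk, component, key, at))
        prev = chunk["digest"]
    return chunks

def verify_chain(chunks, key):
    """Return (True, 'ok') or (False, reason) on tampering, reordering or gaps."""
    prev = GENESIS
    for expected, chunk in enumerate(chunks):
        if chunk["seq"] != expected or chunk["prev"] != prev:
            return False, f"sequence or chain break at position {expected}"
        if not hmac.compare_digest(chunk["sig"], _sign(key, chunk)):
            return False, f"signature mismatch on chunk {chunk['seq']}"
        if hashlib.sha256(chunk["blob"]).hexdigest() != chunk["digest"]:
            return False, f"content altered in chunk {chunk['seq']}"
        prev = chunk["digest"]
    return True, "ok"

def chunk_records(chunk):
    """Recover the original records from a sealed chunk."""
    return zlib.decompress(chunk["blob"]).decode().split("\n")
```

Because each stamp is covered by the signature, the custody list shows which component held the chunk and when, and any edit to a stamp, a record or the chunk order fails verification.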
The integrity of the ArcSight Database component is likewise crucial to the ArcSight Enterprise Security Manager (ESM) system, so ArcSight recommends a high-reliability RAID or SAN subsystem with tens of spindles for its storage; supported platforms include Oracle Cluster File System (OCFS) and solutions from Veritas and EMC AutoStart. Additionally, ArcSight Logger can receive and log data directly from event sources in "raw" format when required.
ArcSight follows NIST 800-92 guidelines by developing and advocating for the Common Event Format (CEF), which is gaining traction as a logging standard among vendors. This adherence to standards ensures data confidentiality, with ArcSight ESM Server being secured at the application layer, allowing only encrypted connections via SSL. The CEF log format supports its use as a platform for managing computer security events and provides ArcSight customers with assurance in audit quality due to its built-in encryption capabilities and authentication mechanisms.
This text mainly discusses how ArcSight provides flexibility in authentication methods such as RADIUS, Microsoft Active Directory, two-factor authentication, or custom JAAS plug-in configurations to meet customer preferences. It highlights the ability to collect raw log data, CEF (Common Event Format) data, or both, and that access to ESM (Enterprise Security Manager) requires authentication, with group permissions dictating the granularity of access. For more information, customers can contact ArcSight at info@arcsight.com or 1-888-415-ARST. The document also notes that the terms mentioned are trademarks of ArcSight, Inc., and that other product and company names may be trademarks or registered trademarks of their respective owners.