ArcSight ESM v3.5.2 ITGov3_03062007 - IT Governance
- Pavan Raja

- Apr 8, 2025
- 9 min read
Summary:
This text discusses the use of ArcSight, a security information and event management (SIEM) tool, for various purposes such as asset management, vulnerability analysis, compliance with ISO standards, and handling potential data leaks. Here’s an overview of the key features and steps mentioned:
1. **Asset Management**: ArcSight provides detailed information about assets, including network details, assigned categories, and vulnerabilities detected by scanners. If a replay event reveals a vulnerability not listed in the asset's information, it might indicate a bug or incorrect data entry. To investigate further:
   - Use "Investigate (Show Targeted Asset)" from the context menu within the event fields to get more details about vulnerabilities and related assets.
   - For specific vulnerabilities under the Asset Editor (Vulnerability Tab), use Nessus for detailed information.
   - ArcSight includes reference pages that provide vulnerability details; they can be accessed by right-clicking in the Navigator panel and selecting "Reference Pages."
2. **Vulnerability Analysis**: ArcSight offers built-in incident workflow capabilities to automatically create cases for investigation and remediation:
   - Right-click on a rule (e.g., "Vulnerabilities Found – Business Information System") and select options like "Correlation Options (Correlation Trigger)", then set up case creation actions in the Rules Editor's Actions tab.
   - Track all aspects of the investigation, including remediation, with related events kept within the case for easy reference.
3. **Handling Persistent Vulnerabilities**: The process involves:
   - Navigating to the case related to business information system vulnerabilities and accessing the Events Tab.
   - Identifying expired Active List entries (indicating persistent vulnerabilities).
   - Reviewing event details and asset information associated with these expired entries.
   - Confirming the path of the Active List and its TTL settings.
   - Taking action based on findings, escalating issues that require immediate remediation.
4. **Data Leakage Detection**: ArcSight is used to detect potential data leaks:
   - Examples include accidental email attachments of sensitive documents or emails sent during off-hours.
   - Users who appear to be searching for new job opportunities are flagged in the active list editor, indicating a possible leak risk.
5. **Compliance with ISO Standards**: ArcSight integrates data from various sources to monitor compliance:
   - It can be used as part of an overall framework designed to address information leaks and ensure compliance with standards like ISO 17799 / NIST 800-53.
   - Nearly 200 reports are available, accessible through a detailed report editor and scheduler feature.
6. **Upgrading ArcSight**: For existing customers:
   - Upgrading the system with more connectors or additional manager licenses might be necessary to handle increased data integration.
   - Assessing storage capacities may become essential as more data is integrated into the platform.
In summary, ArcSight Solutions are beneficial for organizations aiming to comply with ISO standards by providing real-time monitoring and alerting mechanisms across all IT systems and applications. These solutions can lead to discussions about system upgrades or additional configurations based on specific needs and existing data integration levels.
Details:
The IT Governance v3.0 document outlines a framework designed for customers requiring regulatory compliance reporting, particularly those aiming for standards such as ISO 17799:2005 and NIST 800-53. This framework is intended to automate controls that monitor infrastructure and map reporting mechanisms according to the standards' requirements.
The document provides a brief history of how organizations face pressure to demonstrate proper data protection, leading to increased focus on regulatory compliance reporting among CEOs and CISOs. Non-compliance can result in legal issues, management consequences, and loss of customer and business partner trust.
To ensure effective implementation and adherence to policies, the document emphasizes continuous monitoring, auditing, and remediation of any policy violations. This is crucial for maintaining proper security measures and demonstrating compliance with stated business policies.
The benefits highlighted include enhancing good will, improving revenue management, and ensuring job stability by effectively implementing regulatory compliance reporting mechanisms.
The provided text outlines a demonstration setup and preparation process designed to showcase the capabilities of ArcSight, an enterprise security management solution. The demonstration focuses on monitoring and reporting policy violations in compliance with ISO standards such as ISO 17799:2005 and NIST 800-53. Key components include:
1. **Event Files**: A pre-defined event file named "itgov3.events" is used to generate a series of security events relevant to the assets being monitored by ITGov3 content. This setup triggers policy violations in various ISO sections and NIST 800-53 compliance checks.
2. **Event Sources**: The demonstration utilizes various event sources including ISS, Nessus, Vontu logs, and operating system logs. These sources are designed to simulate events that would otherwise violate the defined security policies and standards.
3. **Rules**: To demonstrate rule capabilities, a search using the keyword "IT Governance" can be performed, allowing users to explore rules related to IT governance within ArcSight. Restricting the search with parameters like "IT Governance and type:rule" will yield specific rule sets for demonstration purposes.
4. **Filters, Users, Reports, Dashboard, Data Monitors, ActiveLists, and Issues**: These components are all part of a comprehensive setup designed to simulate real-world security challenges and solutions. For instance, the user (Admin) acts as a security analyst responsible for investigating events and reviewing content related to IT governance compliance. The dashboard provides an at-a-glance view of the system's status, while data monitors and active lists highlight specific issues, such as vulnerability data that needs to be properly linked to assets.
Overall, this setup is intended to showcase how ArcSight can be used to monitor, detect, and respond to security threats by enforcing organizational policies and standards such as those outlined in ISO 17799:2005 and NIST 800-53.
This demonstration outlines a process to showcase how ArcSight can be used to comply with ISO 17799:2005 and NIST 800-53 standards through its content consisting of dashboards, rules, active lists, and reports. The demo starts by logging into the ArcSight console as "admin" and initiating a replay of itgov3.events at a rate such as 200 EPM to save time. Preloaded dashboards include ISO Sections Overview, Section 9 Overview, Section 10 Overview, Section 12 Overview, and Section 15 Overview.
The demonstration highlights that ArcSight's content is designed to match the ISO 17799:2005 policy framework and utilizes NIST 800-53 for compliance checks. The status of each section of the ISO framework is displayed in an overview dashboard, which allows users to instantly assess whether their organization is compliant with specific sections of the standard. It notes that certain sections, such as physical building security, cannot be covered through event monitoring and will not appear in the ISO Section List.
The text describes how ArcSight detects violations of physical/logical security policy for employees who use badges. It mentions a violation in Section 9, as seen in the ISO Overview Dashboard, which can be viewed in more depth in the Section 9 Overview Dashboard. This violation is linked to an employee accessing system 10.0.112.115 while the badge system shows them as badged out. ArcSight's ability to correlate events from different sources allows it to match logical activity on a system with the physical location of the user, identifying potential violations like this one.
Some customers have integrated this capability into their physical monitoring, using response triggers in ArcSight correlation rules to take snapshots and catch the perpetrator in real-time if necessary. The ISO Overview Dashboard can be drilled down for more detailed information, allowing analysts full access to data captured during an incident. This is illustrated by showing how a badged out employee's active channel displays activity from the rule that fired due to the violation, which can also be reviewed through right-click drill-down capabilities within the ArcSight Console, providing details about successful logins and related events that led to the correlation rule firing.
This process involves using ArcSight's patent-pending technology called Active Lists to track employee activity based on log events from physical badge readers. When an employee "badges in," their name is added to a list of physically badged-in employees, and when they "badge out," their name is removed. Any activity by an employee who is not on this list is considered a violation under the ISO 17799 / NIST 800-53 framework standards.
To monitor such activity, navigate to Active Lists in ArcSight, select the specific Badged In active list, and view entries to identify potential policy breaches. Alternatively, you can use the Section 9 Overview Dashboard to specifically check for Activity From Badged-Out Employee events. Each time a violation is detected through these means, an alert will be triggered indicating a possible access violation in progress.
ArcSight's correlation rules not only detect such violations but also automatically respond by sending notifications to relevant personnel or integrating with Threat Response Management (TRM) systems for further action. This automated response significantly reduces the time users are at risk and enhances overall security measures.
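The Badged In Active List logic described above, modelled as an added example that is not ArcSight's own code; the event layout, field names and user names are constructed, and the host address is the one the demo mentions.

```python
"""Minimal model of the Section 9 'Activity From Badged-Out Employee' correlation:
badge-reader events maintain a set of badged-in users, and any successful
login by a user who is not in that set is reported as a violation."""


class BadgedInList:
    """Stand-in for the ArcSight 'Badged In' Active List, keyed on user name."""

    def __init__(self):
        self.members = set()

    def badge_in(self, user):
        self.members.add(user)

    def badge_out(self, user):
        self.members.discard(user)

    def contains(self, user):
        return user in self.members


def correlate(events):
    """Replay events in time order and return (user, host, time) for each
    successful login by a user who is not on the Badged In list."""
    badged = BadgedInList()
    violations = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["source"] == "badge_reader":
            if ev["action"] == "in":
                badged.badge_in(ev["user"])
            elif ev["action"] == "out":
                badged.badge_out(ev["user"])
        elif ev["source"] == "os_log" and ev["action"] == "login_success":
            if not badged.contains(ev["user"]):
                violations.append((ev["user"], ev["host"], ev["time"]))
    return violations


# Constructed sample events (not taken from the demo's itgov3.events file).
SAMPLE_EVENTS = [
    {"time": "08:01", "source": "badge_reader", "user": "jsmith", "action": "in"},
    {"time": "08:05", "source": "os_log", "user": "jsmith", "host": "10.0.112.115", "action": "login_success"},
    {"time": "17:30", "source": "badge_reader", "user": "jsmith", "action": "out"},
    {"time": "19:12", "source": "os_log", "user": "jsmith", "host": "10.0.112.115", "action": "login_success"},
    {"time": "19:20", "source": "os_log", "user": "akumar", "host": "10.0.112.115", "action": "login_success"},
]

if __name__ == "__main__":
    for v in correlate(SAMPLE_EVENTS):
        print("Activity From Badged-Out Employee:", v)
```

Note that the second user never badged in at all, so the rule catches both badged-out and never-badged-in activity; in a real deployment the badge feed and the OS logs must share a consistent user identifier for this join to work.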
ArcSight, a security tool, automatically responds to threats by disabling user accounts, forcing logouts, blocking traffic, or disabling ports in case of suspicious activity. These actions are pre-determined with specific command sequences that can be executed without human error and are audited for compliance. To implement these responses, users navigate through the Event Inspector view, right-click on a correlated event, and select Correlation Options to access the Rules Editor. From there, they go to the Actions tab, add an Execute Agent Command, choose ArcSight Counteract agent from ArcNet Agents, and scroll down to find available commands.
Compliance with ISO standards is also managed by ArcSight through vulnerability scanning using tools like Nessus. The tool tracks vulnerabilities found on systems and provides a detailed overview of all related events for analysis.
The text provides a guide on how to utilize ArcSight's features for asset management and vulnerability analysis. It starts by explaining how ArcSight provides detailed information about assets including network details, assigned categories, and vulnerabilities detected by scanners. However, it highlights an issue where a replay event shows a vulnerability not listed in the asset's information, which might indicate a bug or incorrect data entry.
To investigate further:
1. Use "Investigate (Show Targeted Asset)" from the context menu within the event fields to get more details about vulnerabilities and related assets.
2. For specific vulnerabilities under the Asset Editor (Vulnerability Tab), use Nessus for detailed information, following steps like right-clicking on a vulnerability and selecting options such as 'Find Vulnerability In Navigator' or double-clicking to open the vulnerability editor.
3. ArcSight includes reference pages that provide vulnerability details which can be accessed by right-clicking in the Navigator panel and selecting "Reference Pages." Choose links with vulnerability reference numbers for further information.
4. ArcSight also offers built-in incident workflow capabilities, allowing correlation rules to automatically create cases for investigation and remediation. This involves right-clicking on a rule (e.g., "Vulnerabilities Found – Business Information System") and selecting options like "Correlation Options (Correlation Trigger)" followed by setting up case creation actions in the Rules Editor's Actions tab.
5. ArcSight tracks all aspects of the investigation including remediation, providing related events within the case for easy reference.
This summary outlines a process for managing persistent vulnerabilities using ArcSight. It begins by navigating to the case related to "Vulnerabilities on Business Information System" and examining its events through the Events Tab. The system highlights issues with expired Active List entries, specifically those associated with Systems With Vulnerabilities. These lists track vulnerability presence over time and alert when a given period has passed without remediation.
The process involves:
1. Navigating to the case related to business information system vulnerabilities.
2. Accessing the Events Tab within this case.
3. Identifying Active List entries that have expired, indicating persistent vulnerabilities.
4. Reviewing event details and asset information associated with these expired entries.
5. Confirming the path of the Active List and TTL (Time To Live) settings to understand the duration for which the vulnerability has been present on the system.
6. Taking action based on findings, escalating issues that require immediate remediation.
This method is crucial for promptly addressing vulnerabilities in business-critical systems as identified by ArcSight's Active List technology.
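A model of the Systems With Vulnerabilities Active List with a TTL and the escalation of entries that outlive it, added here as an example rather than ArcSight's own implementation; the 7-day TTL, the scan-result layout, and the host and vulnerability names are constructed placeholders.

```python
"""Track how long each (host, vulnerability) pair has stayed on the list; an
entry still reported by the scanner after the TTL has elapsed is persistent
and is returned for escalation, while remediated entries are dropped."""
from datetime import datetime, timedelta

TTL = timedelta(days=7)  # assumed TTL; in ArcSight it is read from the list's editor


class VulnerabilityList:
    """Entries keyed by (host, vuln_id) -> datetime the entry was first added."""

    def __init__(self, ttl=TTL):
        self.ttl = ttl
        self.entries = {}

    def apply_scan(self, scan_time, findings):
        """Reconcile one scanner run (a set of (host, vuln_id)) with the list.
        Returns [(key, age)] for entries past their TTL and still reported."""
        # Remediated: on the list but no longer reported by the scanner.
        for key in list(self.entries):
            if key not in findings:
                del self.entries[key]
        expired = []
        for key in findings:
            first_seen = self.entries.setdefault(key, scan_time)
            age = scan_time - first_seen
            if age >= self.ttl:
                expired.append((key, age))
        return expired


def run_demo():
    """Three constructed scans four days apart: one finding is remediated
    after the first scan, the other persists past the TTL."""
    vl = VulnerabilityList()
    t0 = datetime(2007, 3, 6)
    scans = [
        {("bis-db-01", "VULN-A"), ("bis-web-01", "VULN-B")},
        {("bis-db-01", "VULN-A")},  # VULN-B remediated
        {("bis-db-01", "VULN-A")},  # VULN-A still present at day 8
    ]
    return [vl.apply_scan(t0 + timedelta(days=4 * i), f) for i, f in enumerate(scans)]


if __name__ == "__main__":
    for i, expired in enumerate(run_demo()):
        print(f"scan {i}: escalate {expired}")
```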
The text describes a part of a framework that focuses on detecting and addressing information leaks within an organization. Specifically, Section 15 of this framework includes a feature called "ISO Section 15 Last State data monitor," which helps in identifying leaked information by allowing users to drill down into details of specific incidents.
The example provided involves David L accidentally sending his resume as an email attachment to a recruiter's address, leading to both organizational and personal data leaks. In response, ArcSight flags David L's user name in its active list editor, indicating that he may be searching for new job opportunities and is therefore a suspect for taking sensitive information. Further actions, such as emailing large attachments or printing sensitive documents after normal business hours, are monitored and reported by ArcSight to ensure compliance with ISO 17799 / NIST 800-53 standards.
The framework also includes nearly 200 reports that help in addressing the requirements of these standards, which can be accessed through a detailed report editor and scheduler feature within ArcSight. This process involves using features like "Find Resource" to locate specific governance and reporting resources relevant to IT Governance 3.0. The text suggests providing additional training for users unfamiliar with reporting capabilities to ensure effective use of the tool's functionalities.
The text outlines the benefits of using ArcSight Solutions for compliance with ISO standards by emphasizing its ability to integrate data from various sources beyond traditional network security systems. This comprehensive approach allows organizations to monitor, alert, and track potential compliance issues across all their IT systems and applications.
For existing customers, this can lead into discussions about upgrading the system with more connectors or additional manager licenses. Additionally, there may be a need for reassessing storage capacities as more data is integrated. While these changes might require significant adjustments in budget allocation and management, ArcSight's capabilities offer a robust solution to meet regulatory compliance requirements across multiple platforms.
In summary, this text highlights the importance of considering all IT systems when aiming for ISO standards compliance through real-time monitoring and alerting mechanisms provided by ArcSight Solutions. It also suggests that these solutions could lead to discussions about system upgrades or more extensive configurations based on a company's specific needs and existing data integration levels.
