ArcSight ESM v4.0 Demo Script

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 6 min read

Summary:

This document is about an ArcSight version 1.1 demonstration focused on identity and user role correlation, which helps in detecting threats such as insider sabotage and unauthorized information disclosure by tracking inconsistencies between physical access (badges) and logical accesses (VPN sessions). The tool uses patent-pending active lists to correlate various user attributes like badge ID, email address, phone extension, system logons, etc., for unique identification. ArcSight's Enterprise Security Manager (ESM) and Threat Response Management (TRM) are used together to detect, investigate, and respond effectively to insider threats by monitoring activities across different access points, correlating actions with user roles, and taking automatic or manual responses like terminating VPN sessions or disabling compromised accounts. The demonstration involves mapping unique identifiers to user roles for better correlation rules, dashboards, and reporting, which helps in detecting potential security incidents involving users who have gained unauthorized access through VPN after gaining the user’s credentials.

Details:

The document is about an ArcSight version 1.1 demonstration focused on identity and user role correlation. It highlights how ArcSight's features can track user identity across different devices like physical access badges and remote VPN sessions, detecting inconsistencies between physical and logical accesses. This tool helps identify threats by comparing actions to user roles, especially in cases where an insider might have shared their credentials with unauthorized individuals, potentially gaining access through remote entry points such as VPN. ArcSight's proactive monitoring can alert on potential insider threats like sabotage and unauthorized information disclosure. It tracks identity and user roles across various data feeds to identify if a user is performing tasks outside their job scope or accessing systems from unexpected locations. For instance, it alerts when the physical location does not match the access profile recorded in ArcSight's system, indicating possible security breaches. When such threats are detected, ArcSight can automatically or manually respond through its TRM (Threat Response Module) capabilities like terminating VPN sessions or disabling compromised accounts to contain the threat spread across the network. This method of correlation and response is designed to protect organizations from potential confidential information disclosure or system damage by disgruntled insiders.

ArcSight ESM (Enterprise Security Manager) is a security information and event management software that can track activities as they move through various access points, such as servers, workstations, and applications. It is capable of correlating these activities to identify suspicious actions or violations against an organization's policies. If any such occurrences are detected, ArcSight TRM (Threat Risk Management) can take appropriate action like quarantining involved systems or disabling user accounts.

In the demonstration setup described:

1. An event log file named "iThreatEventsall.events" was used to simulate potential threats.
2. Two types of access logs were considered: physical (from a badge reader) and logical (via VPN from a remote location using someone's credentials).
3. The scenario involved an insider threat where the bad guys attempted to access confidential information stored in an Oracle database.
4. A video presentation by Colby DeRodeff was available for review at a specified URL, which included a password for accessing a zip file containing relevant materials.
5. After reviewing the resources and understanding the scenario, reports such as "User Investigation – rjackson.pdf" and "Information Leak Status" were accessed through the ArcSight platform to monitor potential threats and breaches.
6. The TRM CounterAct agent was triggered during the demo to explain its function of disabling user accounts based on correlation rules.

This setup demonstrates how ArcSight ESM and TRM can be used together to detect, investigate, and respond to insider threats effectively.

Today's demonstration will showcase ArcSight ESM 4.0's capabilities in converging physical and logical security with identity-based event correlation. The scenario involves an insider accessing confidential financial data through VPN after gaining the user's credentials, attempting to conceal his actions post-breach. ArcSight detects these risks using its advanced correlation abilities along with Threat Response Management. The demonstration will navigate through a series of dashboards and tools that enable analysts to detect and respond effectively to information security incidents. It highlights how ArcSight can identify when policies regarding confidential information are violated, track file leaks, pinpoint the users responsible for leaking data, and alert on recipients who have received leaked private information from within the organization.
The main focus of this demonstration is identity-based correlation, which leverages several patent-pending active lists in its technology. One such method is 'Identity Mapping', which correlates various user attributes like badge ID, email address, phone extension, system logons etc., to uniquely identify individuals involved in the incident. Through these capabilities, ArcSight ESM provides enhanced security and response mechanisms for organizations dealing with sensitive information, ensuring proactive detection of potential threats and breaches.

The process described involves mapping unique identifiers to user roles in an organization for better correlation rules, dashboards, and reporting. This is done by first mapping the unique identifier (in this case, "rjackson") to specific actions taken by the user, such as logging into systems or databases. To map these identifiers:

1. Go to Navigator > Lists > Shared > all active lists > ArcNet Active Lists > Identity Correlation > Identity Mappings.
2. Right-click and show entries. Then right-click over "Unique Identifier" and sort, finding "rjackson".
3. Map the unique identifier to user roles (e.g., IT Department, Database Administrator). This helps in correlating specific actions with defined roles, like turning off auditing without knowing it affects tables with audit enabled.
4. In ArcSight, navigate to Active Channels and view events related to "rjackson". Describe sequences of events such as logging into VPN, accessing Oracle, and creating a user for unauthorized access. Add/remove columns in the device vendor column to display event sources.

This setup ensures better tracking and correlation of user activities against defined roles within an organization. This document outlines a method for investigating potential security incidents involving user rjackson by reviewing events in an Oracle database, using ArcSight as a tool.
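The identity-mapping idea above (one unique identifier resolved from a badge ID, a VPN username, a database user and an email address, then used to compare physical and logical access) can be modelled in a few dozen lines. The following is an added example written for this page, not ArcSight's own code or the demo script's content: the mapping table, the event stream, the rule names and all badge IDs, usernames and addresses are constructed, and the three rules are simplified stand-ins for the demo's correlation rules.

```python
"""Identity mapping and physical/logical access correlation.

Added example, not ArcSight code. It models the 'Identity Mappings' active
list as a lookup from any known attribute (badge ID, VPN user, DB user,
email) to one unique identifier, then replays constructed events from a
badge reader, a VPN concentrator and a database audit log and raises
alerts where the identity-level picture is inconsistent.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed identity mappings; all values are hypothetical.
IDENTITY_MAPPINGS = [
    {"uid": "rjackson", "badge_id": "B-10421", "vpn_user": "rjackson",
     "db_user": "RJACKSON", "email": "rjackson@example.com",
     "role": "Database Administrator"},
    {"uid": "msmith", "badge_id": "B-10088", "vpn_user": "m.smith",
     "db_user": "MSMITH", "email": "msmith@example.com",
     "role": "Finance Analyst"},
]
ATTRS = ("badge_id", "vpn_user", "db_user", "email")


def build_lookup(mappings):
    """Flatten the mappings into (attribute, value) -> unique identifier,
    which is what a lookup against the active list amounts to."""
    lookup = {}
    for m in mappings:
        for attr in ATTRS:
            lookup[(attr, m[attr].lower())] = m["uid"]
    return lookup


LOOKUP = build_lookup(IDENTITY_MAPPINGS)
ROLES = {m["uid"]: m["role"] for m in IDENTITY_MAPPINGS}


@dataclass
class Event:
    ts: datetime
    vendor: str    # the 'device vendor' column: Keri, Cisco, Oracle, ...
    kind: str      # badge_in, badge_out, vpn_login, db_login, db_audit_off
    attr: str      # which identity attribute this device reports
    value: str     # the value of that attribute in the raw log
    src: str = ""  # source address for network events


def resolve(ev, lookup=LOOKUP):
    """Map an event's device-specific identity back to the unique identifier."""
    return lookup.get((ev.attr, ev.value.lower()))


def correlate(events, lookup=LOOKUP, roles=ROLES):
    """Replay events in time order and return (timestamp, rule, detail) alerts.

    Rules (hypothetical stand-ins for the demo's correlation rules):
    - physical_logical_mismatch: VPN login while the same identity is badged in
    - audit_disabled_outside_role: auditing turned off by someone who is not a DBA
    - unmapped_identity: a device reports an identity the active list lacks
    """
    badged_in = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        uid = resolve(ev, lookup)
        if uid is None:
            alerts.append((ev.ts, "unmapped_identity", f"{ev.vendor}:{ev.attr}={ev.value}"))
            continue
        if ev.kind == "badge_in":
            badged_in.add(uid)
        elif ev.kind == "badge_out":
            badged_in.discard(uid)
        elif ev.kind == "vpn_login" and uid in badged_in:
            alerts.append((ev.ts, "physical_logical_mismatch", f"{uid} from {ev.src}"))
        elif ev.kind == "db_audit_off" and roles.get(uid) != "Database Administrator":
            alerts.append((ev.ts, "audit_disabled_outside_role", uid))
    return alerts


def sample_events():
    """Constructed event stream standing in for an iThreatEventsall.events replay."""
    def t(h, m):
        return datetime(2025, 4, 8, h, m)
    return [
        Event(t(8, 2), "Keri", "badge_in", "badge_id", "B-10421"),
        Event(t(8, 5), "Keri", "badge_in", "badge_id", "B-10088"),
        Event(t(9, 10), "Cisco", "vpn_login", "vpn_user", "rjackson", "203.0.113.7"),
        Event(t(9, 12), "Oracle", "db_login", "db_user", "RJACKSON"),
        Event(t(9, 15), "Oracle", "db_audit_off", "db_user", "RJACKSON"),
        Event(t(9, 30), "Oracle", "db_audit_off", "db_user", "MSMITH"),
        Event(t(10, 0), "Cisco", "vpn_login", "vpn_user", "ghost", "198.51.100.9"),
    ]


if __name__ == "__main__":
    for ts, rule, detail in correlate(sample_events()):
        print(ts.strftime("%H:%M"), rule, detail)
```

Three alerts come out of the constructed stream: the VPN login for rjackson while his badge shows him inside the building, the audit change by a user whose mapped role is not Database Administrator, and a VPN username the mapping table does not know. The last one matters in practice: an identity that resolves to nothing cannot be compared against a role or a badge, so unmapped identities are worth surfacing on their own rather than silently dropped.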
The process involves several steps to trace and analyze activities that may indicate suspicious behavior. Here's a summary of the main points:

1. **Filtering Events**: Start by filtering or right-clicking on rjackson's name to focus on his activities. Oracle includes the source user ID in its logs, which helps link rjackson's actions back to him even if other devices are involved (like Keri, Cisco, Microsoft).
2. **Reviewing Logs**: As you review the sequence of events, note how Oracle provides the source user ID and explains this functionality within the system.
3. **Alert on Disabled Account**: At some point in the investigation, a TRM CounterAct rule will trigger an alert indicating that rjackson's account has been disabled. Explain that this is part of a threat response management (TRM) process where rules automatically detect and respond to potential security threats like disabled accounts.
4. **Active Lists**: If no alert has appeared yet, follow the correlation rule trigger in the Active Channel. Discuss how TRM uses active lists such as Watch List, Suspicious List, and Malicious List to track user actions. The Threat Priority Formula evaluates where a user falls within these lists based on their activities.
5. **Dashboard Representation**: Bring up the Recent Watch List Additions Dashboard to visually show how rjackson's action progressed through different active lists. This provides a visual representation of all users added to these lists, helping in understanding the severity and priority of potential threats.
6. **TRM Capabilities**: Explain how TRM capabilities work by integrating with other security tools like ArcSight Event Correlation (ESM) and discussing the integration details. The correlation rule trigger actions and the Execute Connector Command are particularly highlighted as part of this process.
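Steps 3 to 6 describe a user being promoted through the Watch, Suspicious and Malicious lists as rules fire, a dashboard of recent list additions, and a rule action that hands an account-disable command to TRM. The block below is an added example, not ArcSight's code and not the demo script: the rule weights, the thresholds, the simplified priority calculation and the `execute_connector_command` stand-in are all hypothetical, chosen only to show the mechanism.

```python
"""Active-list escalation and TRM-style response.

Added example, not ArcSight code. The weights, thresholds and the
'execute connector command' stand-in below are hypothetical; they model how
a user moves from the Watch List to the Suspicious List to the Malicious
List as correlation rules fire, how a 'recent additions' dashboard would be
fed, and where an automated account-disable action hangs off the rule.
"""
from collections import defaultdict

# Hypothetical: points each triggered rule contributes to a user's priority.
RULE_WEIGHTS = {
    "physical_logical_mismatch": 4,
    "new_db_account_created": 3,
    "audit_disabled_outside_role": 5,
    "after_hours_db_access": 2,
}
# Hypothetical thresholds, lowest to highest.
THRESHOLDS = (("Watch List", 3), ("Suspicious List", 7), ("Malicious List", 10))


def threat_priority(triggered):
    """Simplified stand-in for the Threat Priority Formula: each distinct rule
    counts once, so a rule that fires repeatedly does not inflate the score."""
    return sum(RULE_WEIGHTS.get(rule, 0) for rule in set(triggered))


def list_for(score):
    """Highest list whose threshold the score reaches, or None."""
    current = None
    for name, threshold in THRESHOLDS:
        if score >= threshold:
            current = name
    return current


def execute_connector_command(user):
    """Stand-in for the rule action that asks TRM to disable the account;
    a real deployment would hand this to the CounterAct agent."""
    return {"command": "disable_account", "target": user, "status": "requested"}


class ActiveLists:
    def __init__(self):
        self.triggered = defaultdict(list)  # user -> rules that fired
        self.membership = {}                # user -> current list
        self.additions = []                 # (seq, user, list) dashboard feed
        self.actions = []                   # response actions issued
        self.seq = 0

    def record(self, user, rule):
        """Register a rule trigger and promote the user if a threshold is crossed."""
        self.seq += 1
        self.triggered[user].append(rule)
        new = list_for(threat_priority(self.triggered[user]))
        if new != self.membership.get(user):
            self.membership[user] = new
            self.additions.append((self.seq, user, new))
            if new == "Malicious List":
                self.actions.append(execute_connector_command(user))
        return new

    def recent_additions(self, n=5):
        """What a Recent Watch List Additions dashboard would show."""
        return self.additions[-n:]


def run_demo():
    """Constructed trigger sequence for two hypothetical users."""
    lists = ActiveLists()
    for user, rule in [
        ("msmith", "after_hours_db_access"),
        ("rjackson", "physical_logical_mismatch"),
        ("rjackson", "new_db_account_created"),
        ("msmith", "after_hours_db_access"),
        ("rjackson", "audit_disabled_outside_role"),
    ]:
        lists.record(user, rule)
    return lists


if __name__ == "__main__":
    demo = run_demo()
    for seq, user, name in demo.recent_additions():
        print(seq, user, "->", name)
    print(demo.actions)
```

In the constructed sequence rjackson reaches the Watch List on the first trigger, the Suspicious List on the second and the Malicious List on the third, at which point the disable-account command is issued; msmith's repeated after-hours rule never crosses the first threshold because a repeated rule is counted once. The design point is that the response action is tied to the list transition, not to any single event, which is what keeps one noisy rule from disabling an account on its own.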
Overall, this document provides a structured approach to investigating suspicious activities using Oracle database logs and ArcSight features to manage active lists and alert on potential security threats like disabled accounts.

The text discusses the use of new features in ArcSight ESM 4.0 for monitoring user activities based on various attributes such as login IDs, phone extensions, and physical badge access numbers. These features are part of the Insider Threat Solutions Pack that utilizes active lists, dashboards, and reports to alert and alarm on suspicious or malicious behavior. The system also integrates with TRM to prevent attacks and policy violations.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and they will be responded to.
