
ArcSight Services Brief: Threat Intelligence Accelerator

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 4 min read

Summary:

The ArcSight Threat Intelligence Solution Accelerator is a pre-configured use case described in a Services Brief from ArcSight Global. It is meant to extend an existing ArcSight investment with purpose-built ESM content for one specific business problem: detecting infected or compromised hosts before significant data loss occurs. It does this by integrating threat intelligence from freely available Internet sources, chiefly the lists of C&C servers and malicious addresses/domains maintained by abuse.ch, without requiring additional third-party services.

The accelerator automates the extraction of indicators from sources such as the SANS Internet Storm Center (ISC), Project Honey Pot, and the abuse.ch projects: the AMaDa malware database, the ZeuS Tracker (ZeuS C&C servers and hosts serving ZeuS binaries, configuration files and drop zones) and the SpyEye Tracker (SpyEye C&C servers). Rules fire when a host attempts to connect to a known malicious host, alerting analysts to a likely compromise or malware infection. An active list keeps the history of identified malware incidents in the customer environment, including source and target addresses, files accessed, target DNS domain names and target country names, so that suspicious communication can be tracked, threats mitigated and infected clients denied access. To learn more about this or other ArcSight services, contact a sales representative or a global services consultant at +1 888 415 ARST.

Details:

The ArcSight Threat Intelligence Solution Accelerator, part of the broader Services Brief from ArcSight Global, aims to increase the value of existing ArcSight deployments by shipping pre-configured use cases for specific business problems. Each use case is designed to improve the accuracy of security event information and reduce false positives, and so strengthen the organisation's posture against advanced persistent threats. This accelerator delivers purpose-built content for ArcSight ESM (Enterprise Security Manager) that addresses one such problem directly: detecting infected or compromised hosts before significant data loss occurs. It does so by integrating threat intelligence from freely available Internet sources, which improves the effectiveness of the existing ESM system without requiring additional third-party services. The content is developed by the ArcSight professional services team from lessons learned and best practices in previous customer engagements, and it minimises configuration and tuning so that customers can deploy it quickly and gain operational efficiency immediately.

The feeds behind the accelerator come from public projects that track botnets and related abuse. The AMaDa malware database, run by abuse.ch, collects C&C servers and malicious addresses/domains from publicly available sources. The accelerator automates the extraction of this data and of feeds from projects such as the SANS Internet Storm Center (ISC) and Project Honey Pot, which identifies spammers and the methods they use to harvest email addresses. abuse.ch's ZeuS Tracker monitors ZeuS Command & Control servers and the hosts that serve ZeuS binaries, configuration files and drop zones. The SpyEye Tracker, another abuse.ch project, does the same for SpyEye infections and C&C servers, and is intended to help ISPs, CERTs and law enforcement agencies track the servers behind that botnet. The common objective of these trackers is to let system administrators block known infected hosts and prevent further infection of their networks; the accelerator integrates them with ESM so that this awareness of current threats feeds directly into security monitoring.

Inside ESM, the accelerator's rules trigger when a host attempts to connect to a known malicious host, alerting the analyst to a probable compromise or malware infestation. Its dashboard lets an organisation quickly spot suspicious communication to known malicious hosts and systems, showing top source zones, target addresses, infected hosts and malware files accessed, so that the threat can be mitigated and its impact reduced by denying access to the infected clients. An active list stores the details of every identified malware incident in the customer environment, giving a historical record that includes source and target addresses, file accesses, target DNS domain names and target country names. To learn more about this tool or other services offered by ArcSight, contact your sales representative or a global services consultant at +1 888 415 ARST.
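The matching pipeline that the accelerator packages as ESM content (feed ingestion into an active list, a rule that fires on contact with a listed host, and an incident history per source) can be shown in a few dozen lines. The block below is an added example, not ArcSight's content or abuse.ch code: the two feeds, the key=value log layout, the 10.0.0.0/8 internal range and the sample events are all constructed for the illustration. Country lookup, which the page lists among the recorded fields, is left out because it needs an external geolocation database.

```python
"""Added example: parse indicator feeds into an active list, run sample
connection/DNS events through a 'known malicious host' rule, and keep a
per-source incident history.  All feed text and log lines are constructed."""
from dataclasses import dataclass, field
import ipaddress
import re

# Constructed feeds (not real abuse.ch downloads): '#' comment lines, one
# indicator per line, with a duplicate and two bad entries on purpose.
CC_IP_FEED = """# constructed C&C IP list
198.51.100.23
203.0.113.77
203.0.113.77
10.1.2.3
not-an-ip
"""
CC_DOMAIN_FEED = """# constructed C&C / drop-zone domain list
evil-config.example
Drop-Zone.EXAMPLE.NET.
"""
# Assumed internal ranges of the monitored network.  An indicator inside
# them would fire on ordinary internal traffic, so such entries are dropped.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


def feed_lines(text):
    """Yield non-empty, non-comment lines of a feed, whitespace stripped."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_ip_feed(text):
    """Keep entries that parse as IP addresses and are not internal."""
    out = set()
    for entry in feed_lines(text):
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            continue  # malformed feed line
        if any(ip in net for net in INTERNAL_NETS):
            continue
        out.add(str(ip))
    return out


def parse_domain_feed(text):
    """Lower-case, strip the trailing dot, keep only well-formed hostnames."""
    out = set()
    for entry in feed_lines(text):
        d = entry.lower().rstrip(".")
        if DOMAIN_RE.match(d):
            out.add(d)
    return out


@dataclass
class ActiveList:
    ips: set
    domains: set
    incidents: dict = field(default_factory=dict)  # source address -> alerts

    def match_domain(self, name):
        """Return the listed domain that name equals or is a subdomain of."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            cand = ".".join(labels[i:])
            if cand in self.domains:
                return cand
        return None


EVENT_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Constructed layout: ISO timestamp followed by key=value pairs."""
    ts, _, rest = line.partition(" ")
    ev = dict(EVENT_KV.findall(rest))
    ev["ts"] = ts
    return ev


def rule_known_malicious_host(ev, al):
    """Fire when the target address or the queried domain is on the list."""
    if ev.get("dst") in al.ips:
        return {"rule": "Connection to known C&C IP", "indicator": ev["dst"]}
    if "qname" in ev:
        hit = al.match_domain(ev["qname"])
        if hit:
            return {"rule": "DNS query for known malicious domain", "indicator": hit}
    return None


def scan(lines, al):
    """Run the rule over events; record each alert under its source host."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hit = rule_known_malicious_host(ev, al)
        if hit:
            alert = {"ts": ev["ts"], "src": ev.get("src"), "dst": ev.get("dst"),
                     "qname": ev.get("qname"), **hit}
            alerts.append(alert)
            al.incidents.setdefault(alert["src"], []).append(alert)
    return alerts


def build_active_list():
    return ActiveList(parse_ip_feed(CC_IP_FEED), parse_domain_feed(CC_DOMAIN_FEED))


def infected_hosts(al):
    return sorted(al.incidents)


# Constructed connection and DNS events; 10.0.0.53 is the internal resolver.
SAMPLE_EVENTS = [
    "2011-06-01T10:00:01Z src=10.0.0.5 dst=198.51.100.23 dport=443 proto=tcp",
    "2011-06-01T10:00:02Z src=10.0.0.5 dst=192.0.2.10 dport=80 proto=tcp",
    "2011-06-01T10:00:03Z src=10.0.0.9 dst=10.0.0.53 dport=53 proto=udp qname=cfg.drop-zone.example.net.",
    "2011-06-01T10:00:04Z src=10.0.0.9 dst=203.0.113.77 dport=8080 proto=tcp",
    "2011-06-01T10:00:05Z src=10.0.0.7 dst=10.0.0.53 dport=53 proto=udp qname=www.example.net",
]

if __name__ == "__main__":
    active = build_active_list()
    for a in scan(SAMPLE_EVENTS, active):
        print(a["ts"], a["src"], a["rule"], a["indicator"])
    print("hosts with incidents:", infected_hosts(active))
```

Two points carry over to a real deployment. Feed entries are validated before they enter the active list, because a single malformed or internal-range indicator turns the rule into a false-positive generator for the whole network. DNS matching walks up the label hierarchy so that a query for a subdomain of a listed drop-zone domain still fires; the resolver's own address never matches the IP rule, so DNS detections must come from the query name. The ZeuS and SpyEye trackers have since been retired by abuse.ch, so treat the feed names as historical; the matching logic applies unchanged to any current indicator feed.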

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
