ArcSight SIEM and Data-Privacy Best Practices

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 4 min read

Summary:

This document outlines several key aspects related to integrating ArcSight SIEM with data privacy best practices and discusses specific use cases within the context of national data protection laws, workers' council requirements, and role-based access control in the ESM console. Here’s a summary of the main points:

1. **Data Privacy Compliance**: The document emphasizes the importance of adhering to national data protection laws and following data privacy guidelines when handling sensitive user information within a SIEM environment. It also highlights the need to consider workers' council requirements for managing such data responsibly.

2. **Use Cases**: Two primary use cases are discussed:

  • Protecting user-related data by preventing specific events from being forwarded outside the legal entity while still performing the necessary correlation. This is achieved by obfuscating certain fields with the md5 hash algorithm within a block in a file, tailored for destinations with high performance requirements.

  • Ensuring that such data remains local while adhering to privacy regulations by implementing role-based access control and restricting information visibility based on user groups.

3. **ESM/Express Features**: The document covers several features of ESM/Express:

  • **Connector Obfuscation**: Details the configuration of connector obfuscation, including the use of the md5 hash algorithm to protect fields like "attackerUserName" and "targetUserName".

  • **Role-Based Access Control**: Explains how role-based access control is enforced through ACLs based on user groups with inheritance in the ESM console.

4. **Implementation Details**: The text provides practical insights into how these features are implemented, including visual representations within the ESM console and how they operate invisibly as part of a transparent filtering system for both users and data.

5. **Logger Module**: Specifically addresses enhancements made to the Logger module in ESM/Express, such as implementing a Search Group Filter that restricts access based on user group membership and supports Regex filters for more specific criteria matching.

This document serves as a comprehensive guide for setting up and managing a SIEM system with robust data privacy features, ensuring compliance with legal requirements while maintaining operational efficiency and security.

Details:

This document discusses the integration of ArcSight SIEM and data privacy best practices within the context of national data protection laws, workers' council requirements, and specific use cases for protecting user-related data while still performing necessary correlation. The content covers various elements such as ESM/Express, the ArcSight connector, Logger, obfuscation configuration, and role-based access control in the ESM console.

1. **Data Privacy in SIEM World**: This section highlights the importance of adhering to national data protection laws, following data privacy guidelines, and considering workers' council requirements when handling sensitive user information within a SIEM environment.

2. **Use Cases**: The document discusses two specific use cases:

  • Protecting user-related data: correlation is still performed, but specific events are prevented from being forwarded outside the legal entity.

  • Ensuring that such data remains local while adhering to privacy regulations.

3. **Elements We Will Talk About**: The following elements are outlined for discussion:

  • **Connector**: A critical component in this context, which includes obfuscation configuration and destination-specific settings within a file to protect specific fields using the md5 hash algorithm.

  • **ESM/Express**: An application that supports role-based access control through Access Control Lists (ACL) based on user groups with inheritance.

4. **Connector Obfuscation and Configuration**: Details are provided about configuring connector obfuscation, where certain fields such as "attackerUserName" and "targetUserName" are obfuscated using the md5 hash algorithm within a block in a file. This configuration is tailored to specific destinations with high performance requirements.

5. **Connector Obfuscation – ESM Console View**: Provides a visual representation of how this obfuscation appears and functions within the ESM console, aiding in understanding the practical implementation of data privacy measures.

6. **ESM/Express – Role-Based Access**: Discusses how role-based access control is implemented through ACLs based on user groups with inheritance, enhancing security and accessibility controls within the system.

This document serves as a guide for implementing data privacy practices in conjunction with SIEM tools like ArcSight, ensuring compliance with legal requirements while maintaining operational efficiency.

The remaining sections cover further features and components of ESM/Express relevant to event management and monitoring. Here's a summary of the key points from each section:

1. **FieldSet**:

  • A structured layout of fields in a specific order.

  • The ActiveChannel can set default FieldSets.

  • Adhoc customization allows adding or removing columns for flexibility.

2. **Event Filter**:

  • Restricts access to only a subset of events based on predefined filters.

  • Enforced at the user group level, ensuring privacy and relevant information visibility.

  • The filter is transparent to users, meaning it operates invisibly in the background without altering user interfaces or interactions significantly.

3. **Actors**:

  • Includes an IdentityView feature that provides granular access control lists (ACLs).

  • Allows restrictions on all Actors and domains/types, providing a mixed mode of access.

  • This system does not enforce an all-or-nothing approach; instead, it offers varying degrees of visibility based on membership levels.

4. **Logger**:

  • Specifically addresses the Logger module within the ESM/Express framework.

  • Implements a Search Group Filter that restricts access to only a subset of events related to user group membership.

  • The filter operates seamlessly, remaining transparent to users and not affecting their regular usage experience.

  • It supports Regex filters for more specific criteria matching.

  • Applies across peer Loggers for consistent filtering; Regex execution speed is noted as a performance consideration.
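
As an added example (not code from the page or from ArcSight Logger), the Python below models the behaviour the Search Group Filter bullets describe: each group's regex is ANDed into every search without the user seeing it, a member cannot widen it with their own query, and the patterns are compiled once because their execution cost is paid again on every peer Logger. Group names, user names and log lines are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample Logger lines (not from the page); each carries the legal
# entity that the search group filters key on.
SAMPLE_LOGS = [
    "entity=DE host=fw1 user=jdoe action=login",
    "entity=DE host=fw1 user=asmith action=logout",
    "entity=FR host=fw7 user=pmartin action=login",
    "entity=US host=fw9 user=bjones action=login",
]

# One regex per search group; every result a member sees must match it.
# Compiled once: the page notes that regex execution speed matters, and the
# same filter is applied again on every peer Logger the search fans out to.
GROUP_FILTERS: Dict[str, re.Pattern] = {
    "analysts-de": re.compile(r"^entity=DE\b"),
    "analysts-eu": re.compile(r"^entity=(DE|FR)\b"),
    "global-soc": re.compile(r"^entity="),   # every entity
}

# Group membership per user (constructed); a user with no group sees nothing.
USER_GROUPS: Dict[str, List[str]] = {
    "alice": ["analysts-de"],
    "bob": ["analysts-eu"],
    "carol": ["global-soc"],
    "dave": [],
}


def search(user: str, query: str, logs: List[str] = SAMPLE_LOGS) -> List[str]:
    """Apply the user's free-text query, then AND in the group filter.
    The filter stays invisible to the user and cannot be widened by the query."""
    patterns = [GROUP_FILTERS[g] for g in USER_GROUPS.get(user, [])
                if g in GROUP_FILTERS]
    if not patterns:
        return []
    return [line for line in logs
            if query in line and any(p.search(line) for p in patterns)]
```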

5. **Integration Command**:

  • Describes an integration feature where a special user with access to the Logger can search for unobfuscated data within ESM/Express, even if the events in question are normally obfuscated. This suggests that while some events may be intentionally hidden or modified (perhaps for privacy or security reasons), specific users with appropriate permissions can still access and process this information as needed.

Overall, these features collectively aim to provide a flexible, secure, and efficient event management system tailored to complex user requirements and data handling needs within the specified software environment.

The closing section describes a multi-layer approach to SIEM (Security Information and Event Management) design that includes an obfuscation feature within Logger connectors for ArcSight by Hewlett-Packard. The purpose of this setup is to give only specific users access to unobfuscated data, preserving correlation while maintaining privacy. The author likens the resulting, more comprehensive view of the system to Google StreetView's functionality, tailored specifically for SIEM systems.
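
As an added illustration (not code from the page or from ArcSight), the Python below models the connector obfuscation and the privileged "integration command" lookup described above: the two user-name fields are replaced by their md5 digest only for the external destination, correlation still groups events by the digest, and the local unobfuscated copy lets a privileged user resolve a digest back to clear text. Event field names follow the page; the sample values, event shape and function names are constructed.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Optional

# Fields the page names as obfuscated by the connector before forwarding.
OBFUSCATED_FIELDS = ("attackerUserName", "targetUserName")

# Constructed sample events (not taken from the page), as flat field dicts.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"name": "Failed login", "attackerUserName": "jdoe", "targetUserName": "admin"},
    {"name": "Failed login", "attackerUserName": "jdoe", "targetUserName": "admin"},
    {"name": "Failed login", "attackerUserName": "asmith", "targetUserName": "admin"},
    {"name": "Account lockout", "attackerUserName": "", "targetUserName": "admin"},
]


def obfuscate_value(value: str) -> str:
    """Replace a field value with its md5 hex digest, as the connector setting does."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def for_destination(event: Dict[str, str], external: bool) -> Dict[str, str]:
    """Shape one event for a destination: the local (in-entity) destination keeps
    clear text, the external one gets the user fields hashed. Empty fields stay
    empty, otherwise every blank would map to one recognisable digest."""
    out = dict(event)
    if external:
        for field in OBFUSCATED_FIELDS:
            if out.get(field):
                out[field] = obfuscate_value(out[field])
    return out


def failed_logins_per_attacker(events: List[Dict[str, str]]) -> Counter:
    """Correlation on the hashed stream still works: same user, same digest."""
    return Counter(e["attackerUserName"] for e in events
                   if e["name"] == "Failed login" and e["attackerUserName"])


def lookup_clear_text(digest: str, local_events: List[Dict[str, str]]) -> Optional[str]:
    """The 'integration command' step: a privileged user with Logger access
    resolves a digest seen in ESM back to the clear-text value held locally."""
    for event in local_events:
        for field in OBFUSCATED_FIELDS:
            if event.get(field) and obfuscate_value(event[field]) == digest:
                return event[field]
    return None


EXTERNAL_STREAM = [for_destination(e, external=True) for e in SAMPLE_EVENTS]
```

The lookup works by re-hashing values already held locally, which is also why an unsalted md5 of a short user name is a pseudonym rather than anonymisation: the clear-text copy and the ability to recompute digests need the same group-based access controls the page applies to the local Logger.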

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
