Arxan CEF Certified Configuration Guide

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 3 min read

Summary:

The document "Common Event Format Configuration Guide for GuardIT 4.0" by Arxan Technologies, Inc., outlines how software protected with GuardIT 4.0 can be configured to send syslog messages about tampering events to ArcSight systems. This setup is crucial for monitoring and responding to potential threats such as unauthorized access, modification, or reverse engineering of intellectual property. GuardIT 4.0 embeds protection routines (Guards®) into software binaries and combines them with obfuscation techniques to resist tampering; it detects attacks at runtime by raising events for debugging, tampering, and authentication failures. The document details the code that is added to the application for each Guard (Anti-debug, Checksum, and Authentication) so that syslog messages are generated when tampering or unauthorized actions are detected. The guide covers the event types Debugging Detected, Tampering Detected, Tampering Repaired, Information Event, and Unknown Event, and the predefined responses to them: Application Terminated, Application Repaired, and No Action Taken. It also explains the mapping between GuardIT events and ArcSight data fields such as the file name of the protected binary, the time of the tampering action, the affected host's IP address and host name, its MAC address, and the user ID. This integration enables comprehensive security monitoring and automated responses based on detected issues.

Details:

The document titled "Common Event Format Configuration Guide for GuardIT 4.0" was authored by Arxan Technologies, Inc., and released on June 26, 2009. It serves as a guide for configuring software protected by GuardIT 4.0 to collect events via syslog for interoperability with ArcSight systems. The document has undergone several revisions: it was initially published on June 24, 2009, and then updated on June 26, 2009, with a final certification marking the update.

GuardIT 4.0 is designed to embed protection routines (Guards®) into software binaries to prevent tampering, which is typically attempted for unauthorized access, modification, or reverse engineering that could lead to theft of intellectual property. The software uses interdependent protection routines and obfuscation techniques to resist tampering, and detects attacks at runtime through event triggers. If a Guard detects an attack, it responds with actions such as restoring instructions, displaying messages, resisting debuggers, or terminating the program.

The main focus of this configuration guide is to outline how applications protected with GuardIT 4.0 can be integrated with ArcSight systems for event collection and analysis through the Common Event Format (CEF). This integration strengthens security monitoring and response by making the real-time event data from GuardIT's anti-tampering measures available to ArcSight. The document describes a system for detecting and responding to tampering events within protected applications using ArcSight connectors. Before deployment by GuardIT, specific code is integrated into the application to enable syslog reporting via the Anti-debug Guard (for debugging detection), the Checksum Guard (for binary tampering), and the Authentication Guard (for external module tampering). When tampering or unauthorized debugging is detected, events are generated and reported using the syslog protocol.

The document also outlines several event types that can be generated by this system, including:

  • Debugging Detected: Triggered when unauthorized debugging of the protected application is detected.

  • Tampering Detected: Occurs when binary tampering in the protected application or its modules is identified.

  • Tampering Repaired: Initiated after a Checksum Guard detects tampering and a Repair Guard restores the original state of the application.

  • Information Event: For non-critical, informational purposes.

  • Unknown Event: Used as a catch-all for any events not explicitly covered by other definitions.

The response to these events includes predefined actions such as Application Terminated (if the application was terminated because of tampering), Application Repaired (if it was repaired through the Repair Guard), and No Action Taken (for reporting only). The system is designed to ensure that applications are protected against unauthorized modifications, with appropriate notifications and automated responses based on the detected issues.

The text also describes a mapping between specific events detected by the GuardIT® Connector and the corresponding ArcSight event data fields. It outlines how device-related actions, such as tampering with an action category like "Exit" or "Repair", are linked to data fields within ArcSight. These include the file name of the protected binary (fname), the time of the tampering action (rt), the IP address and host name of the affected host (dst and dhost respectively), the MAC address (dmac), and the user ID (duid). This mapping is crucial for ensuring that the relevant information from these events is carried into ArcSight, allowing for comprehensive analysis and response.
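The event-to-field mapping described above, worked through as an added example that is not part of the Arxan guide or this post: a small parser for CEF-formatted syslog lines that decodes the header and extension escapes, maps each line onto the fields the guide names (fname, rt, dst, dhost, dmac, duid), and derives the response category. The sample lines, signature IDs, the `act` extension key and the tie between its values and the guide's response names are all assumptions made for this illustration.

```python
import re
from datetime import datetime, timezone
# Constructed CEF syslog lines. Vendor/product/version and the extension keys
# (fname, rt, dst, dhost, dmac, duid) follow the guide; signature IDs, the
# "act" key/values and every field value are illustrative placeholders.
SAMPLE_EVENTS = [
    "CEF:0|Arxan|GuardIT|4.0|100|Tampering Detected|8|act=Exit fname=C:\\\\app\\\\payroll.exe "
    "rt=1245999600000 dst=10.0.0.12 dhost=ws-01 dmac=00:11:22:33:44:55 duid=jdoe",
    "CEF:0|Arxan|GuardIT|4.0|101|Tampering Repaired|5|act=Repair fname=libauth.so "
    "rt=1246003200000 dst=10.0.0.13 dhost=ws-02 dmac=00:11:22:33:44:66 duid=asmith",
    "CEF:0|Arxan|GuardIT|4.0|102|Debugging Detected|7|fname=payroll.exe "
    "rt=1246006800000 dst=10.0.0.12 dhost=ws-01 dmac=00:11:22:33:44:55 duid=jdoe",
]
HEADER_KEYS = ("cef_version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# Response names come from the guide; tying them to act values is an assumption.
RESPONSE_BY_ACTION = {"Exit": "Application Terminated", "Repair": "Application Repaired"}
EXTENSION_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")

def parse_cef(line):
    """Split a CEF line into its 7 header fields and a decoded extension dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message")
    body, parts, cur, i = line[4:], [], [], 0
    while i < len(body) and len(parts) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # header escapes: \| and \\
            cur.append(body[i + 1]); i += 2; continue
        if ch == "|":
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if len(parts) != 7:
        raise ValueError("malformed CEF header")
    extension = {k: v.replace("\\=", "=").replace("\\\\", "\\")   # extension escapes: \= and \\
                 for k, v in EXTENSION_RE.findall(body[i:])}
    return dict(zip(HEADER_KEYS, parts)), extension

def to_arcsight_event(line):
    # Map one GuardIT syslog line onto the ArcSight fields the guide lists.
    header, ext = parse_cef(line)
    event = {"event_type": header["name"],
             "response": RESPONSE_BY_ACTION.get(ext.get("act"), "No Action Taken"),
             # rt assumed to be epoch milliseconds, one of the forms CEF allows
             "rt": datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc)}
    event.update((k, ext.get(k)) for k in ("fname", "dst", "dhost", "dmac", "duid"))
    return event

def hosts_with_terminations(lines):
    # Defender view: hosts on which a protected binary was terminated for tampering.
    return sorted({e["dhost"] for e in map(to_arcsight_event, lines)
                   if e["response"] == "Application Terminated"})
```

Lines without an `act` value fall through to No Action Taken, which matches the guide's report-only response; a line that is not CEF at all is rejected rather than silently mapped.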

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
