BNI DRC DMZ Monitoring Use Case Report
- Pavan Raja

- Apr 8, 2025
- 5 min read
Summary:
This document outlines the implementation of a comprehensive set of security measures for Bank Negara Indonesia's (BNI) electronic banking services within the Demilitarized Zone (DRC DMZ), using ArcSight software. The setup includes distinct use cases for each tier (web server, application, and database), with custom filters and rules to detect potential malicious activities related to Internet Banking. Key features include:
- **Use Cases**: Each tier has a specific use case that integrates with security controls like firewalls and intrusion prevention systems. These cases have 11 filters, 7 rules, 1 stage, 1 active channel, and 14 data monitors, along with 4 dashboards for visualizations.
- **Data Feeds**: The system relies on data feeds from devices such as DRC Web Server Tier Firewalls, Intrusion Prevention Systems (IPS), and Web Application Firewalls (WAF).
- **Filters and Rules**: Custom filters refine specific conditions relevant to each tier's security needs, with actions like annotation for tracking suspicious activities.
- **Stages and Active Channels**: Alerts flow through stages based on severity levels and are displayed via active channels for efficient management.
- **Dashboards**: Four dashboards provide real-time visualizations of alerts and events across different tiers: DRC Web Tier Alert Dashboard, DRC Web Tier Event Graphs Dashboard, DRC Application Tier Alert and Event Graph Dashboard, and DRC Database Tier Alert and Event Graph Dashboard.
- **ARB Package**: A custom ARB (ArcSight Rapid Build) Package named "BNI DRC DMZ Monitoring" was developed by HP Professional Services for BNI, containing resources to be imported into the ArcSight system.
This setup aims to enhance the security posture of BNI's electronic banking services within the DRC DMZ through improved threat detection and response capabilities using ArcSight solutions.
Details:
This document outlines a comprehensive set of use cases and dashboards designed to enhance security measures for Bank Negara Indonesia's (BNI) electronic banking services within the DRC DMZ (Demilitarized Zone). The purpose is to provide detailed information on specific use cases, including alerts and event graphs across three main tiers: Web Tier, Application Tier, and Database Tier.
The document begins with an introduction detailing its purpose and scope, which includes providing details and status of the identified use cases and dashboards for BNI by ArcSight Professional Services. It covers current statuses of all use cases included in this engagement and offers recommendations for future enhancements based on experience working with similar customers.
Use Cases are constructed to address business needs, focusing on events detected across three tiers: Web Server Tier, Application Tier, and Database Tier. These tiers utilize various security controls aimed at detecting potential malicious activities related to the Internet Banking application. Use cases are designed to assess alerts from each tier and investigate instances where security controls may have triggered false positives or actual threats requiring further investigation.
The use case report is structured around several key components: filters that refine the incoming event data, rules that define actions taken when filtered events are detected, a stage that manages the flow of alerts, an active channel that displays the correlated alerts to analysts, and detailed dashboards providing real-time visualizations of alerts and events across the different tiers.
Overall, this document serves as a guide to enhance the security posture of BNI's electronic banking services within the DRC DMZ by leveraging ArcSight solutions for improved threat detection and response capabilities.
This document outlines a comprehensive set of security measures implemented across different tiers (web server, application, and database) within a DMZ using ArcSight software. The solution is designed to efficiently manage alerts from the firewalls, intrusion prevention systems, and web application firewalls in each tier by employing custom filters and rules tailored to that tier's specific needs.
Key features of the setup include:
- **Use Cases**: There are distinct use cases for each tier (web server, application, database) that integrate with security controls like firewalls and intrusion prevention systems. Each case includes 11 filters, 7 rules, 1 stage, 1 active channel, and 14 data monitors, along with 4 dashboards.
- **Data Feeds**: The system relies on data feeds from devices such as DRC Web Server Tier Firewalls, Intrusion Prevention Systems (IPS), and Web Application Firewalls (WAF). These are critical for providing real-time insights into network activities across different levels of the DMZ.
- **Filters and Rules**: Custom filters and rules have been developed to analyze specific conditions relevant to each tier's security needs. This includes aggregation based on severity levels: web server alerts are set at medium, application layer at high, and database at very high. Actions in these rules involve annotation for display on active channels, which helps in tracking suspicious activities effectively.
- **Stages and Active Channels**: Alerts from the system flow through stages and are displayed via active channels based on severity levels. This setup aids in prioritizing alerts and managing them efficiently within the network security framework.
The document provides a detailed breakdown of how these components interact to provide a robust, tiered approach to network threat detection and response, ensuring that each layer of the DMZ is monitored effectively with relevant data and actionable insights.
A custom stage has been set up in the DRC environment using ArcSight to notify security analysts about alerts. These alerts use an "add to DRC Alerts Stage" action, which is then used by the Active Channel DRC Alerts to show correlated events from these alerts.
Four dashboards were created based on discussions:
1. DRC Web Tier Alert Dashboard - Displays alerts generated by Firewall, Intrusion Prevention, and Web Application Firewall in the DRC Web Tier. It shows priority, event name, attacker's IP address, country location of the attacker, and target IP address.
2. DRC Web Tier Event Graphs Dashboard - Shows graphs for events related to the Web Tier from the mentioned devices.
3. DRC Application Tier Alert and Event Graph Dashboard - Displays alerts and event graphs specific to the DRC Application Tier, with similar information as above.
4. DRC Database Tier Alert and Event Graph Dashboard - Similar functionality but tailored for the DRC Database Tier.
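To make the pipeline described above concrete, here is an added example that models it in plain Python. It is not code from the report or from ArcSight: the tier-to-severity mapping (web = medium, application = high, database = very high), the "add to DRC Alerts Stage" action, the active channel view, and the five dashboard columns (priority, event name, attacker IP, attacker country, target IP) come from the report; the filter logic, event fields, rule names and all sample events and addresses are constructed assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

# Severity the report assigns per tier. "low" exists only so every alert can be ranked.
TIER_SEVERITY = {"web": "medium", "application": "high", "database": "very high"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "very high": 4}

# Device types the report names as data feeds for each tier.
ALERTING_DEVICES = {"firewall", "ips", "waf"}


@dataclass(frozen=True)
class Event:
    tier: str              # "web", "application" or "database"
    device_type: str       # "firewall", "ips" or "waf"
    name: str              # event name as the device reports it
    attacker_ip: str
    attacker_country: str
    target_ip: str
    outcome: str           # "blocked", "detected" or "allowed" (assumed field)


@dataclass
class Alert:
    priority: str
    event_name: str
    attacker_ip: str
    attacker_country: str
    target_ip: str
    tier: str
    annotations: dict = field(default_factory=dict)


def tier_filter(tier):
    """Filter (assumed logic): events from this tier's security devices,
    excluding plain allowed traffic, which is not an alert condition."""
    def matches(e: Event) -> bool:
        return e.tier == tier and e.device_type in ALERTING_DEVICES and e.outcome != "allowed"
    return matches


def run_rules(events, stage):
    """Rules: one per tier. Each matching event becomes an alert carrying the
    tier's severity, is annotated, and is added to the stage, mirroring the
    report's 'add to DRC Alerts Stage' action. Returns the stage."""
    for tier, severity in TIER_SEVERITY.items():
        keep = tier_filter(tier)
        for e in filter(keep, events):
            alert = Alert(severity, e.name, e.attacker_ip, e.attacker_country, e.target_ip, tier)
            # Hypothetical annotation keys; the report only says alerts are annotated.
            alert.annotations = {"stage": "DRC Alerts", "rule": f"DRC {tier} tier alert"}
            stage.append(alert)
    return stage


def active_channel(stage):
    """Active channel view of the stage: highest severity first."""
    return sorted(stage, key=lambda a: SEVERITY_RANK[a.priority], reverse=True)


def alert_dashboard(stage, tier):
    """Alert dashboard rows for one tier, in the five columns the report lists."""
    return [(a.priority, a.event_name, a.attacker_ip, a.attacker_country, a.target_ip)
            for a in stage if a.tier == tier]


def event_graph(events, tier):
    """Event-graph data for one tier: raw event counts per feeding device type
    (all events, not only those that became alerts)."""
    return Counter(e.device_type for e in events if e.tier == tier)


# Constructed sample events using documentation addresses; not data from the report.
SAMPLE_EVENTS = [
    Event("web", "firewall", "Port scan", "203.0.113.5", "ID", "192.0.2.10", "blocked"),
    Event("web", "waf", "SQL injection attempt", "198.51.100.7", "CN", "192.0.2.10", "blocked"),
    Event("web", "firewall", "HTTPS session", "203.0.113.9", "ID", "192.0.2.10", "allowed"),
    Event("application", "ips", "Suspicious outbound connection", "192.0.2.10", "ID", "192.0.2.20", "detected"),
    Event("database", "firewall", "Unexpected port access", "192.0.2.20", "ID", "192.0.2.30", "blocked"),
]


def demo():
    """Run the sample events through the rules and return (stage, active channel)."""
    stage = run_rules(SAMPLE_EVENTS, [])
    return stage, active_channel(stage)


if __name__ == "__main__":
    stage, channel = demo()
    for a in channel:
        print(a.priority, a.tier, a.event_name, a.attacker_ip, "->", a.target_ip)
    print(alert_dashboard(stage, "web"))
    print(event_graph(SAMPLE_EVENTS, "web"))
```

Running the block shows the database-tier alert at the top of the active channel because of its "very high" severity, the allowed HTTPS session dropped by the web-tier filter, and the event graph still counting that session since graphs summarise all events from the feed rather than only alerts.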
An ARB Package named "BNI DRC DMZ Monitoring" was developed by HP Professional Services for BNI. It includes resources that can be imported into the BNI ArcSight Express 3.0 system. After importing, these rules need to be deployed as real-time rules within the system.
The report also outlines a project focused on deploying real-time rules using ArcSight technology, which is particularly beneficial for advanced use case development related to cybersecurity in financial institutions. Specifically, this initiative targets enhancing surveillance of high privileged user activities and improving understanding of user access within the BNI Core Banking System, as well as analyzing logs from DMZ applications such as web servers and application servers.
The project involves:
1. Identifying specific use cases for advanced development related to user activity and security analysis in banking systems.
2. Targeting various log sources including core banking system logs, database logs, audit activities, and user access logs from the DMZ (a demilitarized zone typically used for protecting internal networks).
3. Determining whether these logs can be effectively processed using existing SmartConnectors or if custom FlexConnectors need to be developed to enhance data analysis capabilities.
4. Ultimately aiming to provide deeper insights into banking system activities and improve security measures in the online banking channel through detailed log analyses.
This project is part of a larger engagement with BNI, focusing on enhancing their cybersecurity posture by leveraging real-time log analytics tools like ArcSight to detect and respond more efficiently to potential threats related to high privileged users and unauthorized access within critical systems.