
BRM Deliverable - BNI

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 14 min read

Summary:

ArcSight is a company offering security management solutions, primarily software tools for security monitoring and incident response. It provides several services to its users, including an enhanced online user community, professional training courses, and specialized consulting services. A summary of these offerings, with some additional context:

### Enhanced Online User Community

The ArcSight community serves as a platform where users exchange knowledge about the software, share experiences, and discuss topics such as content development techniques, configuration options, and regional user group meetups for face-to-face discussions. The community includes threaded discussion forums and collaboration groups such as Express, FlexConnectors, and Logger. Members include ArcSight staff, Professional Services consultants, partners, and customers from various sectors, including technology, consulting, and business.

### Professional Training Courses

ArcSight offers several training programs tailored to different user roles, ranging from basic usage to advanced administration tasks such as managing users, controlling access, setting up notifications, configuring connectors, and optimizing system infrastructure. It also provides courses specific to the use of ArcSight Express 4.0 with an Oracle 10g database infrastructure, and deeper dives into specific applications within ArcSight, including creating use cases that align with business objectives or processes.

### Specialized Consulting Services

ArcSight Security Operations Consultants collaborate with organizations to offer specialized services in areas such as security project planning, operations and technical administration, security analysis, incident response, security product administration, risk and compliance measurements, or any related area. These consultants have expertise in the operation of an enterprise SOC (Security Operations Center) and provide key services including technical administration, security analysis, incident response, risk and compliance measurements, project planning, and customized solutions tailored to specific organizational requirements.

### ArcSight Solution Utilization Measurement (SUM)

This metric is used to assess how effectively an ArcSight solution is being utilized within an organization. It involves several phases aimed at maximizing the value of the solution and includes network modeling, which creates representations of the enterprise resources being monitored and categorizes them as comprehensively as possible. This documentation can be found in the ArcSight Express 101 guide available online.

### Next Year's ArcSight User Conference

This event provides opportunities to learn, share best practices, hear about new features, discover smarter ways to use the solution, collaborate with others in related industries, and connect with experts. Registration is through a specific link once it becomes available, which also gives access to presentations and more information.

### SOC Services Due to Increased Complexity

With the increasing complexity of managing a Security Operations Center (SOC), which now involves monitoring billions of events daily from various sources, ArcSight offers specialized services to assist in this area. These services include security project planning, operations and technical administration, security analysis, incident response, security product administration, risk and compliance measurements, or any related area.

Overall, ArcSight provides a comprehensive suite of offerings that cater both to the novice user looking to learn about its software solutions and to more advanced users requiring specialized training and consulting services. Its community and educational resources are particularly valuable for fostering knowledge exchange among professionals in the field, while its consulting arm ensures tailored support for organizations aiming to enhance their security operations capabilities.

Details:

The document titled "HP Enterprise Security Products" provides a detailed overview of the security solutions architected by HP for Bank Negara Indonesia (BNI). It outlines the business requirements mapping process, detailing the architecture, project plan, and recommendations based on extensive experience with similar customers. Key aspects include:

1. **Introduction**: The purpose of this document is to provide BNI with a reference regarding the defined requirements and the solution architected using ArcSight Professional Services. It includes details about the planned architecture, a diagram of the solution, and the project plan.

2. **ArcSight Professional Services**: This section covers:

  • **Organization Overview**: Brief introduction to what ArcSight Professional Services does, emphasizing their expertise in tailoring educational and consulting services for various stages of security strategy planning, compliance monitoring, or enhancing existing programs.

  • **Delivery Methodology**: Details about the different learning options offered by ArcSight Education, including instructor-led training at both ArcSight and customer facilities, as well as self-study and computer-based training.

3. **Engagement Details**: This section includes:

  • **Executive Summary**: A summary of the project's objectives and outcomes.

  • **Solution Architecture**: The detailed planned architecture for implementing ArcSight solutions at BNI.

  • **BRM Project Plan**: A comprehensive plan detailing how BRM (Business Requirements Mapping) will be executed, including key milestones and timelines.

  • **BRM Details**: Detailed information about the requirements defined during the mapping process to ensure that all necessary security measures are in place.

4. **Conclusions**: This section provides an update on the status of tasks and recommendations for maximizing the value of ArcSight solutions based on experience with similar clients.

Appendix A: **Solution Utilization Measurement** - Details about how to measure the effectiveness of the implemented solution using various metrics.

Overall, this document serves as a comprehensive guide for BNI in understanding and utilizing the ArcSight security solutions tailored to their specific needs, leveraging HP's extensive experience and expertise in similar engagements.

The document outlines two main services offered by ArcSight under its Professional Services division: ArcSight Consulting and Security Operations. ArcSight Consulting assists customers through the stages of a project lifecycle: strategy, planning, requirements gathering, design, architecture, implementation, and operations. This includes verifying system functionality, conducting performance testing, documenting benchmarks, and ensuring that the solution is tailored to unique business needs by leveraging the full power of ArcSight products. Security Operations helps customers develop an internal security monitoring and response capability. As part of this service, ArcSight consultants assist in gathering business and technical requirements to implement security operations that meet specific business objectives efficiently. This approach aims to shorten the learning curve for customer personnel, leading to cost savings from the operational efficiencies of mature security operations built upon the ArcSight Express infrastructure.

Both services follow a common methodology called ASSURE, which includes several key concepts: aligning the solution with business requirements, designing and implementing an effective architecture, ensuring high-performance systems through testing, deploying efficiently using tools and best practices, and ultimately optimizing for long-term success.

The ArcSight Professional Services engagement aimed to improve BNI's understanding of how to use ArcSight's products effectively by defining business requirements and designing a comprehensive solution plan. This included technologies such as Express, Logger, Connector Appliance, and NSP for the technical implementation. Comprehensive solutions were developed and tested in phases, focusing on refinement from user feedback and extending the functionality of the system to accommodate additional use cases. The engagement concluded with recommendations for future steps that would enhance the benefits derived from existing ArcSight products based on the identified use cases.

The consultant helped BNI define and prioritize their requirements by applying the use case paradigm, which explains what constitutes a use case and how use cases are developed. This allowed Professional Services to create a customized solution for BNI, focusing on top concerns such as monitoring APT threats, gaining visibility of security risks and compliance posture, being alerted to security-related incidents, supporting audit and compliance requirements, and ensuring redundancy in the system architecture. The consultant also drew on ArcSight's broad experience in the financial industry to provide guidance tailored to the sector's common requirements. BNI was at Phase 0 - "Planning" of the SUM model (Solution Utilization Measurement), which aims to provide customers with metrics to quantify how fully they are using the Express product.

The current architecture within BNI had some disadvantages regarding redundancy and failover: a single appliance handled correlation without redundancy, and long-term retention of events also lacked redundancy. The proposed solution suggested an architecture that includes SmartConnectors on Connector Appliances for better utilization and performance in mid to large environments. The proposed architecture enhances system performance, scalability, and redundancy through several key components and configurations:

1. **Connector Appliances**: These will be configured with 3 destinations, including the Express Appliance, the DC and DRC Loggers, and an optional HA Logger for failover support.

2. **SmartConnectors**: These are designed to cascade events between the DC and DRC systems. Connector Appliances should be upgraded and used for SmartConnector management.

3. **Logger Appliances**: Must be updated to the latest version for better long-term log retention.

4. **Dedicated SmartConnectors**: Specific to certain device types, such as Cisco ASA firewalls (UDP 1514) and Juniper firewalls (UDP 1515).

5. **Network Interfaces Configuration**: Eth0 is used for management, Eth1 for receiving events, Eth2 for forwarding events, and Eth3 for backup purposes.

6. **Filtering and Field Aggregation**: Implemented at the SmartConnector tier to reduce the event volume received by the ESM (Enterprise Security Manager).

7. **Scalability**: Supported through software SmartConnectors installed on dedicated servers with specifications such as Quad Core Processors 2.7MHz and 64GB RAM. Each SmartConnector instance requires approximately 2-4GB of RAM and 50GB of disk space.

8. **Redundancy / Failover**: Ensured through cross-site event forwarding for the Loggers and Express/ESM systems, with optional third-party clustering for added resilience. An online standby Logger appliance provides hot-swappable redundancy.

**Highlights** include the focus on scalability through software SmartConnectors, enhanced network interface utilization, and efficient filtering to minimize event load. The architecture also emphasizes operational efficiency in terms of hardware upgrades and configuration adjustments to ensure high performance and reliability across the components.

The main goal of this engagement is to ensure that the provided solution aligns with the customer's business requirements related to information security. To achieve this, several steps were taken:

1. **Customer Education**: Presented educational materials and conducted Q&A sessions to familiarize stakeholders with the concepts and methodologies used in aligning solutions with business needs.

2. **Review Customer Documentation**: Although not all requested documents were reviewed (e.g., organizational charts, architecture diagrams, incident response process, standard operating procedures, workflow), some customer documentation was reviewed to better understand existing practices.

3. **Identify ArcSight Users Information**: Identified the different user roles and their responsibilities within the SIEM system, which helps in understanding how the tool will be used to meet specific security monitoring needs.

4. **Determine User Requirements**: Gathered requirements from three main teams:

  • **Security Operations**: Aimed at gaining visibility into all security-related activities for incident response and threat detection.

  • **Server & Desktop team**: Focused on improving AV and server monitoring, including outdated software updates and performance metrics.

  • **Policy & Compliance team**: This was not detailed in the provided summary but would typically focus on ensuring compliance with relevant policies and regulations.

5. **Solution Design**: Based on the identified requirements, a tailored solution design was developed to meet the specific needs of each identified role within the organization.

6. **Implementation**: Although not covered by this engagement, the next phase involves deploying the designed solution according to the established requirements.

7. **Document and Present Results**: Documentation was created to outline findings, requirements, and solutions for review and approval by stakeholders.

Throughout these steps, emphasis was placed on understanding emerging APT threats and ensuring comprehensive visibility into security-related activities in order to respond to incidents effectively and protect against hacking activities. To improve visibility and compliance for ISO 27001, PCI-DSS, and central bank requirements, COMPANY ABC has identified 13 use cases, focusing on six high-priority ones. The tasks related to this consulting engagement are summarized in a table indicating their status and any follow-on tasks needed. BNI is preparing for three phases of implementation: Phase 1 involves hardware setup and onboarding the SmartConnector device. After these initial steps, BNI should aim to complete Phase 2 within one year. Regarding data sources, it is crucial to evaluate ArcSight content and integrate multiple data sources for a more comprehensive view, as this significantly enhances operational awareness by providing detailed information about past attacker behavior, attack vectors, and session data across various systems.

The document also discusses a rule used to categorize events from various sources, focusing on system logins rather than application logins. The rule is triggered by the /Authentication/Verify behavior, which indicates a login attempt or failure, but with no specific category for the outcome. It specifically targets event sources that are not related to application logins, pointing to systems such as UNIX syslog or Windows Event Logs as likely sources. The rule also checks the Trusted List for any indication of an attacker, which suggests that other rules may be in place depending on which list is referred to (e.g., the Reconnaissance List). It suggests manual population of the Trusted List but recommends investigating auto-population methods if a different list, such as the Reconnaissance List, were used.

CIP solution guides provide a catalog of the device types required to maximize the value of bundled content, available via the ArcSight software after purchasing a compliance pack. For specific use cases lacking SmartConnectors, FlexConnectors can be developed either by the customer or by Professional Services, with training provided through the ArcSight education offerings. Licensing and development information is provided for both options. Finally, the Reputation Security Monitor (RepSM) is mentioned as an example of a system addressed in this context, indicating that similar rule-based detection could be applied to various security devices or logs.

The HP ArcSight Reputation Security Monitor (RepSM) solution is designed to detect Advanced Persistent Threats (APTs) and zero-day attacks, and to provide context for security events using Internet reputation data. It uses the RepSM threat intelligence service powered by HP DVLabs, which provides information about nodes and networks known for bad behavior. The Model Import Connector for RepSM retrieves this data from the RepSM service, processes it, and forwards it to HP ArcSight ESM. The solution's content package uses this threat intelligence to detect malware-infected machines, zero-day attacks, and dangerous browsing behavior. It includes a detailed guide on how to use the data in custom HP ArcSight ESM solutions.
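The login-categorization rule described above, modelled in Python as an added example that is not part of the deliverable or of ArcSight's own content: it matches /Authentication/Verify events from operating-system sources only, leaves the outcome unconstrained so both attempts and failures match, and suppresses sources found on the Trusted List. Field names follow the ArcSight event schema; the list contents and sample events are constructed.

```python
"""Simplified model of the system-login categorization rule (added example,
not the deliverable's or ArcSight's own content). The rule matches
categoryBehavior "/Authentication/Verify" without constraining categoryOutcome,
only for operating-system sources (UNIX syslog, Windows Event Log) rather than
application logins, and ignores attacker addresses on the manually populated
Trusted List. Field names follow the ArcSight event schema; list contents and
sample events are constructed."""

from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Event:
    """Subset of ArcSight normalized fields the rule reads."""
    name: str
    device_vendor: str
    device_product: str
    category_behavior: str
    category_outcome: str        # "/Success", "/Failure" or "" when not set
    category_device_group: str   # "/Operating System", "/Application", ...
    attacker_address: str
    target_user_name: str


# Constructed stand-in for the manually populated Trusted List active list.
TRUSTED_LIST: Set[str] = {"10.10.5.20", "10.10.5.21"}

# Device groups treated as system logins (syslog hosts, Windows Event Log).
SYSTEM_LOGIN_GROUPS: Set[str] = {"/Operating System"}


def is_system_login(ev: Event) -> bool:
    """Rule condition. categoryOutcome is deliberately not tested, so both
    successful and failed logins match; the device group check excludes
    application logins such as web or database authentication."""
    return (ev.category_behavior == "/Authentication/Verify"
            and ev.category_device_group in SYSTEM_LOGIN_GROUPS)


def evaluate_rule(events: Iterable[Event],
                  trusted: Set[str] = TRUSTED_LIST) -> List[Event]:
    """Events the rule correlates on: system logins whose attacker address
    is not on the Trusted List."""
    return [ev for ev in events
            if is_system_login(ev) and ev.attacker_address not in trusted]


def attempts_by_source(matches: Iterable[Event]) -> Dict[str, Counter]:
    """Count outcomes per untrusted source address. Many failures from one
    address against several accounts is the pattern an analyst triages."""
    summary: Dict[str, Counter] = {}
    for ev in matches:
        outcome = ev.category_outcome or "/Unknown"
        summary.setdefault(ev.attacker_address, Counter())[outcome] += 1
    return summary


# Constructed sample events: two OS logins from an untrusted host, one OS
# login from a trusted host, and one application login that must not match.
SAMPLE_EVENTS: List[Event] = [
    Event("An account failed to log on", "Microsoft", "Microsoft Windows",
          "/Authentication/Verify", "/Failure", "/Operating System",
          "192.0.2.44", "jdoe"),
    Event("sshd: Accepted password", "Unix", "Unix",
          "/Authentication/Verify", "/Success", "/Operating System",
          "192.0.2.44", "root"),
    Event("An account was successfully logged on", "Microsoft",
          "Microsoft Windows", "/Authentication/Verify", "/Success",
          "/Operating System", "10.10.5.20", "svc_backup"),
    Event("User login", "Apache", "Tomcat", "/Authentication/Verify",
          "/Failure", "/Application", "192.0.2.44", "webadmin"),
]


def run_sample() -> Dict[str, Counter]:
    """Apply the rule to the constructed events and summarize the matches."""
    return attempts_by_source(evaluate_rule(SAMPLE_EVENTS))
```

Swapping TRUSTED_LIST for a different list (such as a Reconnaissance List used in the opposite sense) changes the rule's meaning, which is why the deliverable recommends investigating auto-population before doing so.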
The Reputation Security Monitor Architecture section focuses on the progression of SOC maturity, suggesting that it takes about 60 months for an organization to mature into a truly enterprise solution. The growth curve follows a logarithmic pattern, with significant improvements in the initial stages and diminishing returns as time progresses. Organizations should maintain focus on maturity to avoid regression; most SOCs with dedicated effort achieve an aggregate maturity score of around 2.0 within a year, 2.5 within two years, and 3.0 within three years when leveraging existing frameworks or experience.

The document outlines a framework for managing an ed program effectively using the ArcSight solution, focusing on case management metrics and documenting the relevant roles and processes to enhance detection and resolution mechanisms. Key components include:

1. **Operational Metrics**: Tracking aspects such as case severity by time frame (day/week/month), case status (open, working, pending info, escalated, closed), closure reasons (resolved, tuning required, duplicate case, no action required), and categorization of opened and closed cases.

2. **Case Metrics**: Detailed tracking of cases opened, closed, and escalated by analysts, and identification of stale or aged cases (>30 days). This also includes Mean Time To Resolution (MTTR) for each case.

3. **Document Roles and Processes**: The document defines clear roles, such as analyst and management, that outline the responsibilities and access levels required for effective use of the ArcSight solution. Analysts may monitor live channels, respond to notifications, or both, while managers receive weekly reports without direct console login access. These roles are customizable to organizational needs but should cover the core functionality expected in an enterprise setting.

4. **Analyst Role**: This role is crucial, as analysts either observe real-time data from active channels and dashboards for anomalies or directly handle pager notifications triggered by pre-defined correlation rules, depending on their experience tier. More experienced analysts can annotate events after the initial investigation to support further filtering through metadata.

5. **Team Structure**: For larger teams, analysts may be divided into tiers, with more senior members handling higher levels of responsibility and annotations that streamline case management for the team. This hierarchical approach helps focus resources effectively and enhances the overall performance of the solution.

In summary, this part of the document focuses on creating a structured framework around the ArcSight solution to improve the efficiency and effectiveness of incident management within an organization by clearly defining the roles, processes, and metrics required at different levels of engagement with the technology.

The document also outlines the role of an incident manager, emphasizing responsibility for coordinating resources during critical or catastrophic events. Key duties include assigning tasks and resources to contain incidents, keeping management informed of status, managing communications with IT security teams and external groups, defining escalation paths, and filtering events based on annotations from analysts. The content developer role can be filled by someone other than an analyst, allowing continuous evaluation and improvement of event content, which increases the solution's value.

ArcSight Professional Services provides a range of specialized consulting services for customers aiming to maximize value from their ArcSight solutions. The services include architectural reviews and designs, deployment reviews and planning, Jumpstart programs combining requirements with solution development, HealthCheck diagnostics, content authoring, FlexConnector development, and upgrade services. These are delivered by experienced industry specialists who tailor the solutions to individual customer needs.

The document describes an enhanced online user community for ArcSight. The community includes threaded discussion forums and collaboration groups such as Express, FlexConnectors, and Logger. Members include ArcSight staff, Professional Services consultants, partners, and customers from various sectors, including technology, consulting, and business. The community serves as a platform for users to exchange knowledge about the software, addressing topics such as content development techniques, configuration options, and regional user group meetups where issues are discussed face-to-face. It also provides sample content and FlexConnectors contributed by ArcSight staff and customers to aid new use case development. Registration is free through a specific URL.

In addition to the online community, ArcSight offers professional training services under its services organization. These include both instructor-led courses and self-paced e-learning formats tailored to various user roles within the company or as part of business partnerships. It also provides an educational resource known as the "ArcSight Self-Study Environment for Operators", designed to train users on ArcSight Express with a particular focus on SOC (Security Operations Center) operators. This course features a virtual environment with sample data and interactive training modules that can be tailored to the user's role, and lessons can be revisited as needed to refresh knowledge.

Lastly, there is AESA (ArcSight Certified Security Analyst) training, designed to deepen individuals' understanding of ArcSight products and make them more proficient in security analysis tasks. This training covers a wide range of topics related to using and administering ArcSight. The main areas covered include basic usage and administration of the ArcSight Console, as well as an introduction to concepts such as rule creation, filters, charts, reports, case management, and vulnerability assessment. For those who aspire to be certified Integrators or Administrators, there are specific training programs covering the entire spectrum from the basics of the software through advanced administration tasks such as managing users, controlling access, setting up notifications, configuring connectors, and optimizing system infrastructure such as databases. They also provide insights into integrating third-party systems, which is crucial for comprehensive security operations. The Express 4.0 series of courses delves deeper into specific applications within ArcSight, such as creating use cases that align with business objectives or processes, focusing on the development and testing phases to ensure effective solutions are implemented. Finally, there is a course tailored to maintaining and optimizing an implementation of ArcSight Express 4.0 on an Oracle 10g database infrastructure, which is essential for performance and resilience in security operations environments. This training equips learners with both the practical skills needed in their roles and the foundational knowledge to advance in the field. The main focus is on ArcSight Logger, Threat Remediation Manager, and Connector Appliance with ArcSight Express 4.0. For more information, visit the HP software solutions page or contact your professional services representative.

Consider attending next year's ArcSight User Conference for opportunities to learn, share best practices, hear about new features, discover smarter ways to use the solution, collaborate with others in related industries, and connect with experts. Register through the specific link once it is available for access to presentations and more information.

Also consider SOC services, given the increased complexity of managing a Security Operations Center (SOC), which now involves monitoring billions of events daily from sources such as firewalls, IPS, IDS, and more. The ArcSight Security Operations Consultants team collaborates with your organization to offer specialized services in areas such as security project planning, operations and technical administration, security analysis, incident response, security product administration, risk and compliance measurements, or any related area. These consultants are well-versed in the operation of an enterprise SOC and provide key services including technical administration, security analysis, incident response, risk and compliance measurements, project planning, and customized solutions tailored to your organization's unique requirements. By leveraging best practices and lessons learned, ArcSight Security Operations Consultants help ensure that your organization achieves its security goals efficiently and effectively.

The ArcSight Solution Utilization Measurement (SUM) is a metric used to assess how effectively an ArcSight solution is being utilized within an organization. It consists of several phases that indicate progress towards maximizing value from the solution, ultimately aiming for an "Optimal" state. SUM allows customers to measure their return on investment by evaluating common indicators, and it assists Professional Services in providing guidance to move through each phase. This includes network modeling, which involves creating representations of the monitored enterprise resources (zones and assets) and categorizing them as comprehensively as possible. Additional details can be found in the ArcSight Express 101 guide available online.
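Returning to the case-management framework described earlier, the following Python computes its operational and case metrics (severity by time window, case status, closure reasons, per-analyst opened/closed/escalated counts, stale cases older than 30 days, and MTTR) over constructed case records. It is an added example, not the deliverable's own tooling; the field, status and reason names are assumptions made for this illustration rather than ArcSight's case schema.

```python
"""Case-management metrics for the framework described above (added example,
not the deliverable's own tooling). Computes severity counts within a time
window, status counts, closure reasons, per-analyst opened/closed/escalated
counts, stale cases older than 30 days, and Mean Time To Resolution. Field,
status and reason names are assumptions; the case records are constructed."""

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional

STALE_AFTER = timedelta(days=30)   # "stale or aged" threshold from the framework


@dataclass(frozen=True)
class Case:
    case_id: str
    severity: str                   # Low / Medium / High
    status: str                     # open, working, pending info, escalated, closed
    opened: datetime
    closed: Optional[datetime]      # None unless status == "closed"
    analyst: str
    closure_reason: Optional[str]   # resolved, tuning required, duplicate case, no action required


def severity_by_window(cases: List[Case], now: datetime, window: timedelta) -> Counter:
    """Cases opened in the last `window` (a day, week or month), by severity."""
    return Counter(c.severity for c in cases if now - window <= c.opened <= now)


def status_counts(cases: List[Case]) -> Counter:
    return Counter(c.status for c in cases)


def closure_reasons(cases: List[Case]) -> Counter:
    return Counter(c.closure_reason for c in cases if c.status == "closed")


def per_analyst(cases: List[Case]) -> Dict[str, Counter]:
    """Opened, closed and escalated counts per analyst."""
    out: Dict[str, Counter] = {}
    for c in cases:
        ctr = out.setdefault(c.analyst, Counter())
        ctr["opened"] += 1
        if c.status in ("closed", "escalated"):
            ctr[c.status] += 1
    return out


def stale_cases(cases: List[Case], now: datetime) -> List[str]:
    """Unclosed cases older than the stale threshold, oldest first."""
    aged = [c for c in cases if c.status != "closed" and now - c.opened > STALE_AFTER]
    return [c.case_id for c in sorted(aged, key=lambda c: c.opened)]


def mttr_hours(cases: List[Case]) -> Optional[float]:
    """Mean Time To Resolution over closed cases, in hours (None if none closed)."""
    hours = [(c.closed - c.opened).total_seconds() / 3600
             for c in cases if c.status == "closed" and c.closed is not None]
    return round(mean(hours), 2) if hours else None


NOW = datetime(2025, 4, 8, 9, 0)   # fixed reporting time for the constructed records
SAMPLE_CASES: List[Case] = [
    Case("C1", "High", "closed", datetime(2025, 4, 1, 8), datetime(2025, 4, 1, 20), "alice", "resolved"),
    Case("C2", "Medium", "closed", datetime(2025, 3, 28, 10), datetime(2025, 3, 30, 10), "bob", "tuning required"),
    Case("C3", "Low", "open", datetime(2025, 2, 20, 9), None, "alice", None),
    Case("C4", "High", "escalated", datetime(2025, 4, 7, 14), None, "bob", None),
    Case("C5", "Medium", "pending info", datetime(2025, 3, 30, 11), None, "carol", None),
    Case("C6", "Low", "closed", datetime(2025, 4, 5, 9), datetime(2025, 4, 5, 15), "carol", "duplicate case"),
]


def weekly_report(cases: List[Case] = SAMPLE_CASES, now: datetime = NOW) -> dict:
    """The weekly management report the framework describes, as one dict."""
    return {
        "severity_last_7_days": severity_by_window(cases, now, timedelta(days=7)),
        "status": status_counts(cases),
        "closure_reasons": closure_reasons(cases),
        "per_analyst": per_analyst(cases),
        "stale": stale_cases(cases, now),
        "mttr_hours": mttr_hours(cases),
    }
```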

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.


@2021 Copyrights reserved.