
CIP SOX Demonstration Script Version 1.1

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 9 min read

Summary:

The steps outlined provide a comprehensive approach for using ArcSight to investigate compliance issues, particularly with regard to Sarbanes-Oxley (SOX) requirements concerning terminated employees and policy violations in financial systems. Below is a detailed breakdown of each step in the demonstration script, incorporating the findings from the "After Hours Login Attempt" scenario.

### 1. Investigating "After Hours Login Attempt" Rule Violation

#### Navigate to the Demo Live Active Channel

  • **Filter Based on Correlated Events:** Go to the active channel and filter events based on patterns indicating unauthorized access, such as failed login attempts after normal business hours.

  • **Sort by Priority:** Focus on rules with high priority (e.g., priority 10) that are specific to terminated employees or policy violations. In this case, "Terminated Employee Access Attempt" is the relevant rule.

#### Review the Active List for Terminated Employees

  • **Navigate to ArcSight Solutions/Sarbanes-Oxley:** Locate the active list specifically for terminated employees and review it for any entries related to the user involved in the event that triggered the rule.

  • **Show Entries:** Right-click on the Terminated Employees active list and select "Show Entries" to confirm the presence of the terminated user. This step validates whether there has been a breach or unauthorized access attempt by this individual.

#### Creating a Case for Terminated Employees

  • **Right-Click Rule in Event Inspector:** In the Event Inspector, right-click on the rule related to terminated employees and select "Correlation Options", then "Correlation Trigger." This shows the rule's actions, including creating a case to further investigate the violation.

  • **Navigate to All Cases/ArcSight Solutions/Sarbanes-Oxley:** Go to the case management section, where you can view and review the closed-loop process of the Terminated Employee Case, which includes details about the rule violation and the subsequent action taken.

### 2. Detecting Policy Violations

#### From the Financial Systems Activity Dashboard

  • **Drill into Targeted SOX Assets Datamonitor:** Go to the specific section that monitors SOX asset activity for policy violations.

  • **Review "Traffic Flagged as a Policy Violation":** Look at events flagged by rules such as Disallowed Port Access, which indicate unauthorized access or protocol violations.

  • **Expand Rule in Event Inspector:** In the Event Inspector, expand the rule to show the specific events that led to the violation (e.g., Disallowed Port Access).

#### Demonstrate Further Details

  • **Click on Triggered Events:** Click on individual events within the expanded rule view to scroll through related data and gain deeper insight into the circumstances surrounding the policy violation.

### Recommendations for Policy Improvement

Based on findings from failed login attempts, recommendations can be made regarding system enhancements:

  • **Create New Active List:** Suggest creating a list based on the specific usernames allowed access during off-hours, to prevent future unauthorized attempts.

### Brute Force Login Investigation

  • **Review Datamonitor for Brute Force Attempts:** Look at the "Last Brute Force Attempts targeting SOX Systems" datamonitor to identify patterns of failed login attempts across multiple systems.

  • **Adjust Rule Settings:** Set up a rule to detect brute force attacks using settings such as the Correlation Trigger and Aggregation tab adjustments, which focus on a specific time frame and threshold for attempted logins.

### Summary of Findings and Recommendations

The investigation revealed potential issues with unauthorized access through failed login attempts, which triggered SOX compliance rules. Based on these findings:

  • **SOX Report Review:** Identified a violation related to section 9.4.1 of Sarbanes-Oxley concerning disallowed port access during off-hours by an individual not listed in the allowed login list.

  • **Recommendation for Policy Improvement:** Suggested creating a second active list based on usernames to allow controlled access during non-business hours, using the username from the failed attempts as a starting point.

This detailed process demonstrates how ArcSight can be used to proactively identify and address compliance issues related to terminated employees and policy violations in financial systems, through active list management, case creation, and rule analysis.

Details:

The Compliance Insight Package for Sarbanes-Oxley is a pre-configured set of rules, reports, dashboards, and active lists aimed at providing an immediate log management structure in line with Sarbanes-Oxley compliance requirements. Below are the detailed steps to set up a demo environment before conducting a demonstration of this package.

**ONE TIME Demo Setup Steps:**

1. Navigate to the Sarbanes-Oxley rules under "Real-time Rules" and edit "After Hours Login Attempt: Sarbanes-Oxley Regulated Systems." Adjust the hour condition (HourOfDay >=) to 13 if you are conducting the demo after 1 PM, so that the rule triggers during your demonstration.

2. Modify the "Last Brute Force Attempts" datamonitor on the SOX-Financial - Logon Activity Dashboard so that it targets Sarbanes-Oxley systems. Edit the "Sarbanes Oxley Probable Brute Force Filter" by removing the "Target Zone InGroup" part of the filter; this is necessary for the brute force login rule to fire and populate the Last Brute Force Attempts datamonitor.

3. Adjust the "Terminated Employee Access Attempt" rule in the Sarbanes-Oxley real-time rules by deleting one instance of the Terminated Employees Active List and consolidating the remaining condition into a single event with two conditions.

4. Update the description of the edit open case action to include: "Response: Revoke rights, notify HR." Add the user name Micah to the Terminated Employees Active List.

**Demo Setup Steps:**

1. Open the SOX dashboards, including:

  • Financial Systems Activity

  • Event Graphs

  • Logon Activity

2. Launch the Demo Live Channel.

3. Start the SOX events feed at 50 EPM; the feed contains a total of 2976 events.

Note that you should not use the Vulnerable Systems Dashboard, as it does not contain demo content for this particular demonstration.

**Introduction:**

The Compliance Insight Package for Sarbanes-Oxley is designed to adhere to "best practices" in log management, providing a structured approach to meeting Sarbanes-Oxley compliance standards through predefined rules, reports, dashboards, and active lists.

ArcSight's methodology for Sarbanes-Oxley (SOX) compliance solutions is based on a combination of the ISO-17799 and NIST 800-53 standards. While ISO-17799 provides a comprehensive framework for building security programs, it lacks specificity in guiding the review of compliance logs. To address this gap, ArcSight incorporates NIST 800-53 as a supplement to enhance monitoring of information system controls. This combination is particularly relevant because NIST 800-53 is mandated for US Federal Agencies and recommended by NIST for commercial organizations facing compliance requirements. The methodology focuses on information directly related to the integrity of financial reporting, streamlining the audit process. Additionally, ArcSight's Compliance Insight Package for SOX restricts information to only those systems involved in financial reporting, providing reports with the top vulnerabilities that are crucial for passing SOX audits.

The following procedure handles and analyzes security vulnerabilities in an organization's systems as part of compliance efforts under the Sarbanes-Oxley Act (SOX):

1. **Start the SOX Events File**: Initiate the feed that produces events related to vulnerabilities in systems governed by SOX regulations.

2. **Access the Dashboard**: Navigate to the Financial Systems Activity dashboard, which includes a sub-section dedicated to the last events targeting SOX systems and priority issues.

3. **Identify Warning Events**: Look for events marked as warnings about vulnerable software on any SOX system. These are triggered by the Nessus scanner results.

4. **Review Event Details**: Double-click on such an event to open a detailed view in an Active Channel, which provides insight into the specific vulnerability. Use the Event Inspector panel to expand rules and trace back how this issue was detected. The Model Confidence (10) indicates high confidence in the model's detection capability, while Relevance (10) indicates that the event is highly relevant for assessing risk.

5. **Understand Business Impact**: Examine the Business Impact tab in the Event Inspector to understand the other roles and responsibilities of this system within the organization's infrastructure.

6. **Asset Analysis**: Locate the affected asset from the list provided by the rule, such as "ArcNet – West (San Jose)". Review current vulnerabilities directly on this asset, or generate a full report for all SOX assets to assess their vulnerability status according to NIST 800-53.

7. **Scheduling Reports**: Demonstrate how to schedule reports tailored to different user needs and roles, ensuring that the relevant stakeholders receive timely information about system vulnerabilities and compliance status.

This process is crucial for maintaining regulatory compliance and assessing potential risks associated with IT systems within the organization's financial operations.

ArcSight can automate and enhance the process of creating and distributing compliance reports through its correlation capabilities. The following scenario focuses on managing log-on activity, specifically terminated employee activity, to ensure compliance with Sarbanes-Oxley (SOX) regulations.

ArcSight's solution is designed to correlate information efficiently for reporting purposes within the SOX framework. By navigating to the report locations in the ArcSight Solutions/Sarbanes-Oxley section and running reports such as "Number of Successful User Logins," users can filter the data to include only the relevant systems. The tool allows information to be summarized by user name, restricted to specific SOX systems, and scheduled for distribution to different users based on their filters. This not only automates compliance reporting but also ensures that each operator receives information tailored to their role within the organization. Additionally, ArcSight offers various report formats, such as graphical displays, which help present data effectively.

Customers use ArcSight's correlation features to streamline manual review processes and reduce the inefficiencies associated with large, raw data reports. By automating the heavy lifting of identification through correlation, organizations can more efficiently address compliance criteria such as terminated employee log-ins, suspicious access patterns, and excessive administrator activity. In summary, ArcSight's automation and efficiency in reporting contribute significantly to the overall compliance process by reducing manual workload and enhancing the effectiveness of report review procedures.

The following demonstration shows how the ArcSight Compliance Insight Package for Sarbanes-Oxley (SOX) can be used to address complex issues such as identifying terminated employee user IDs and detecting violations of customized policies:

1. **Identifying Terminated Employee Access Attempts:**

  • Navigate to the Demo Live Active Channel and filter it based on correlated events.

  • Sort the channel by priority, focusing on rules with a high priority (e.g., rule with priority 10 called "Terminated Employee Access Attempt").

  • Review the active list for Terminated Employees in the ArcSight Solutions/Sarbanes-Oxley section and show that the user involved in the event is listed, which triggers the rule.

  • Explain how to populate an active list by right-clicking the Terminated Employees active list and choosing "show entries" to confirm the presence of the terminated user.

  • Demonstrate creating a case for terminated employees by right-clicking the rule in the Event Inspector, selecting Correlation Options and then Correlation Trigger, and showing that one action is to create a Case.

  • Navigate to All Cases/ArcSight Solutions/Sarbanes-Oxley to view and explain the closed loop process of the Terminated Employee Case.

2. **Detecting Policy Violations:**

  • From the Financial Systems Activity Dashboard, go to the Targeted SOX Assets Datamonitor.

  • Drill into the "Traffic Flagged as a Policy Violation" in the Last 20 Events Targeting SOX Assets Table Datamonitor and expand the relevant rule (e.g., Disallowed Port Access) in the Event Inspector.

  • Show how specific events led to the rule firing, such as Disallowed Port Access causing "Traffic Flagged as a Policy Violation."

  • Demonstrate further details by clicking on the event that triggered the Disallowed Port Access Rule and scroll through related data.

This step-by-step guide shows how to use ArcSight for SOX compliance, focusing on active lists, cases, and rule analysis to identify and address issues related to terminated employees and policy violations in financial systems. Investigating an "After Hours Login Attempt" rule violation identified through Sarbanes-Oxley (SOX) compliance checks involves the following actions and findings:

1. **Event Inspection**: In the Event Inspector, identify the specific port used during the login attempt that triggered the rule. This revealed that only port 22 is allowed according to the "Allowed Port Financial Systems" list.

2. **SOX Report Review**: Run a custom SOX report, specifically the "Sarbanes-Oxley – Disallowed Port Access – Violators Report," to identify the systems where unauthorized access occurred based on the denied port. The report indicated that the violated rule relates to section 9.4.1 of Sarbanes-Oxley regarding access control policies and network services.

3. **User List Review**: In ArcSight Solutions, navigate to the "Sarbanes-Oxley" section and review the "24-7 allowed login active list." The failed password event showed that the user was not part of this list, which is a violation of policy.

4. **Recommendation for Policy Improvement**: Based on these findings, it is recommended to create a second 24-7 Active List based on usernames. This new list should include the users who are allowed to log in during off-hours; the username from the failed password event can be used to populate it.

5. **Brute Force Login Investigation**: For brute force login attempts targeting specific SOX assets, review the "Last Brute Force Attempts targeting SOX Systems" datamonitor. Look for events labeled "Brute Force Logins – Single Source – SOX Target User Specific." This event provides details on the failed login attempts and can be expanded to show more information about them.

In summary, the process uses ArcSight tools to inspect specific events, review compliance reports, identify policy violations, and recommend system improvements based on the findings from rule violations and audit data.

The Event Inspector displays a record of 5 failed logon attempts against a SOX asset, indicating a potential brute force login attempt. To analyze this, navigate to the Impact Analysis tab, which categorizes and highlights the importance of these assets in real-time event sequences. To specifically identify brute force attacks, adjust the rule settings: select Correlation Options and set a Correlation Trigger. The rule is designed to detect patterns indicative of brute force login attempts against SOX targets. The Aggregation tab shows how the threshold has been configured to focus on 5 attempts within a span of 2 minutes. This setup helps in effectively identifying and responding to potential brute force attacks targeting the SOX assets.
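The checks this script walks through (the Terminated Employees active list lookup, the "Allowed Port Financial Systems" list, the HourOfDay >= 13 after-hours condition, and the 5-attempts-in-2-minutes brute force aggregation), replayed over constructed logon events. This is an added illustration written for this page, not ArcSight's rule engine or the package's own content; the asset addresses, event records, and user names other than Micah are constructed, and the 24-7 list is assumed to be the username-based list the script recommends.

```python
# Added illustration, not ArcSight code: the CIP SOX checks the demo walks through, replayed over constructed events.
from collections import defaultdict
from datetime import datetime, timedelta

# Active-list contents and thresholds; names follow the demo, entries are constructed.
TERMINATED_EMPLOYEES = {"micah"}            # Terminated Employees active list
ALLOWED_24_7_USERS = {"oncall_admin"}       # recommended username-based 24-7 list
ALLOWED_PORTS_FINANCIAL = {22}              # "Allowed Port Financial Systems" list
SOX_ASSETS = {"10.0.5.20", "10.0.5.21"}     # constructed SOX-regulated asset addresses
AFTER_HOURS_START = 13                      # demo setup: HourOfDay >= 13
BRUTE_THRESHOLD, BRUTE_WINDOW = 5, timedelta(minutes=2)   # Aggregation tab settings

def event(ts, user, src, dst, port, outcome):
    # One normalised logon event (constructed sample data).
    return {"time": datetime.fromisoformat(ts), "user": user, "source": src,
            "target": dst, "port": port, "outcome": outcome}

def evaluate(events):
    """Return (rule_name, event) pairs in the order the rules would fire."""
    fired, failures = [], defaultdict(list)   # failures: (src, dst) -> timestamps
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["target"] not in SOX_ASSETS:    # every rule is scoped to SOX assets
            continue
        if ev["user"] in TERMINATED_EMPLOYEES:
            fired.append(("Terminated Employee Access Attempt", ev))
        if ev["port"] not in ALLOWED_PORTS_FINANCIAL:
            fired.append(("Disallowed Port Access", ev))
        if ev["time"].hour >= AFTER_HOURS_START and ev["user"] not in ALLOWED_24_7_USERS:
            fired.append(("After Hours Login Attempt", ev))
        if ev["outcome"] == "failure":
            key = (ev["source"], ev["target"])
            # sliding window: failures from the last 2 minutes plus this one
            recent = [t for t in failures[key] if ev["time"] - t <= BRUTE_WINDOW] + [ev["time"]]
            if len(recent) >= BRUTE_THRESHOLD:
                fired.append(("Brute Force Logins - Single Source - SOX Target User Specific", ev))
                recent = []                   # aggregation resets once the rule fires
            failures[key] = recent
    return fired

SAMPLE_EVENTS = [   # constructed: terminated user, telnet to a SOX host, on-call admin, non-SOX host
    event("2025-04-08T14:05:00", "micah", "10.0.9.7", "10.0.5.20", 22, "failure"),
    event("2025-04-08T14:06:00", "bob", "10.0.9.9", "10.0.5.21", 23, "success"),
    event("2025-04-08T20:00:00", "oncall_admin", "10.0.9.10", "10.0.5.20", 22, "success"),
    event("2025-04-08T14:07:00", "bob", "10.0.9.9", "10.0.7.1", 23, "success"),
] + [event(f"2025-04-08T09:10:{12 * i:02d}", "admin", "10.0.9.8", "10.0.5.20", 22, "failure")
     for i in range(5)]   # five failures in 48 seconds from one source: the brute-force pattern

def rule_counts(events=SAMPLE_EVENTS):
    # Rule name -> number of firings, the figure the demo's datamonitors tally.
    counts = defaultdict(int)
    for name, _ in evaluate(events):
        counts[name] += 1
    return dict(counts)
```

Running `evaluate(SAMPLE_EVENTS)` shows the brute force rule firing only on the fifth failure, Micah tripping both the terminated-employee and after-hours rules, and the telnet logon flagged as disallowed port access.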

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.

