Data Network Asset Model Primer (July 2013)
- Pavan Raja

- Apr 8, 2025
Summary:
This text outlines several strategic security measures aimed at enhancing network and information security through automation, strict access controls, and proactive detection mechanisms. Here’s a summary of the key points discussed:
1. **Security Measures**: An intrusion detection system (IDS) detects hostile payloads aimed at both Microsoft Internet Information Services (IIS) and Apache web services. The IDS rates an IIS-targeted payload as severe, but when the asset model shows that the target host runs Apache rather than IIS, the event is not critical for the customer. Supplying that per-asset OS and service context is exactly what the asset model is for.
2. **Automated Asset Updates**: The customer wants ArcSight's asset data to be updated automatically from Windows Update patch deployments, so that the patch state of hosts is tracked without manual intervention. This matters most for the POS application hosts visible from the internet. (ArcSight ESM itself is not patched through Windows Update; the requirement concerns asset data.)
3. **Network Security**: Access to the Point of Sale system database and web servers is restricted to the management network only, with specific service accounts controlling interactions between the database server and POS web servers. Defining baseline traffic flows helps in proactively detecting anomalies that could indicate potential threats without compromising network performance or security.
4. **Automation and Asset Management**: The project involves fully automating the data model for ArcSight SIEM by leveraging its CMDB and IPAM databases to manage assets, networks, zones, and incorporate vulnerability data from a McAfee solution. This approach aims to enhance asset classification and network management through integration.
5. **Use Case Definition**: Specific use cases are defined based on the type of incident (network security, application vulnerabilities, etc.), which helps in managing tickets efficiently within the support hierarchy.
6. **Asset Categorization**: Zone categorisations (VPN, DHCP and so on) are entered once, by hand, in the IPAM database; from then on categories are assigned to assets automatically, and vulnerability data is attached to each asset using its IP address as the key. The collected data is transformed into ArcSight's ARB export format for import, and the resulting asset database is shown in an attached diagram.
In summary, these security measures are designed to improve asset visibility, network management, and proactive threat detection through automation and integration of various database systems.
Details:
This document outlines a draft review of the "Data Network Asset Model Primer," intended as an introduction to ArcSight Professional Services' data modeling workshop. It aims to familiarize customers with the various options available for defining a data model within ArcSight, which includes both network and asset models. The goal is to enhance context, correlation, reporting capabilities, and situational awareness related to security measures in SIEM solutions.
The primer highlights the benefits of a well-planned data model for ArcSight SIEM, such as improved contextual understanding, a richer event schema, and better support for compliance regimes like PCI DSS, SOX, HIPAA, and ISO/IEC 27001. It also explains how customer objectives guide the customisation of the workshop, including use cases and integration scenarios tailored to each enterprise's requirements.
ArcSight ESM is a software tool designed to assist in monitoring and managing security events from various physical information systems. It operates on a data model which includes both a Network Model and an Asset Model.
The Network Model represents the nodes on a network, such as devices connected to it, along with specific characteristics of the network. This helps in tracking and identifying involved devices during traffic monitoring. ArcSight ESM captures information about these assets by creating models that include individual assets and zones, which are crucial for understanding event sources and destinations.
For critical assets within a protected network, such as servers hosting important applications or services, detailed facts like open ports and the operating system running on them can be captured through network modeling. This data is valuable for making informed decisions about how to address specific events, providing insights that could help in identifying potential threats more effectively.
The text discusses the concept of an asset in network modeling, which refers to any network endpoint having an IP address, MAC address, host name, or external ID that is significant enough to warrant detailed characterization for correlation and reporting purposes. Assets include various types such as servers, routers, laptops, and can be automatically created through devices discovered by a vulnerability scanner or reported through ArcSight SmartConnectors.
The text also introduces related concepts:
**Asset Ranges**: Represent a set of network nodes addressable as a contiguous block of IP addresses.
**Zones**: Portions of the network characterized by a contiguous block of addresses.
**Networks**: Distinguish between two private address spaces with overlapping IP address ranges.
**Customers**: Describe internal or external cost centers, business units associated with networks; useful for separating event traffic from multiple entities and can be applied in both MSSP environments and private organizations for cost center, group, or subdivision identification.
The text concludes by reiterating the importance of considering certain points when dealing with assets in network modeling.
When discovering assets, each visible interface IP address is treated as a separate asset unless it falls within a specified asset range. Devices with such interfaces include firewalls, routers, web servers, and anything else with an IP or MAC address. Where one piece of hardware, such as a router or a web server with internal and external interfaces, has several relevant IP addresses, those addresses are modelled manually in the Assets tab as alternate interfaces of a single asset.
ArcSight ESM offers asset aging to track the last scan time; if not scanned within a configurable period, its model confidence decreases until it reaches zero. Asset ranges group contiguous IP address blocks for multiple network nodes that are impractical to track individually, such as server VLANs or DMZs, and assets that may come and go like desktop PCs and laptops using DHCP.
SmartConnector or ArcSight ESM identifies log source endpoints as either single assets or part of an asset range, with the identifier populated in the event schema. Zones are network functional parts represented by contiguous IP addresses, such as DMZ, VPN, wireless LAN, or DHCP networks. Each asset or address range is associated with a zone, and ArcSight uses standard global IP ranges as default zones without requiring extra setup for resolution.
In this summary, we're discussing several key aspects of managing assets within a networked environment, focusing on dynamic and static DHCP zones, hierarchical Asset Groups, and the importance of zones for importing assets from scanners or batches. We also touch on the role of IP address zones in automating asset assignment and manual configuration options. Additionally, we explore the concept of Asset Ranges as a means to delegate responsibility through role-based access control (RBAC) and how locations are managed within the system. Finally, we briefly mention the vulnerabilities associated with assets, which are typically discovered and updated by scanners, and how they can be linked or manually updated in relation to knowledge base articles or other asset management functions.
The text discusses several key points related to asset categorization in a system context. It defines "Asset Categories" as resources that describe properties of assets based on their usage and outlines how they can add differentiation, relevance, and context to large volumes of network events.
The categories establish a security classification, identity, ownership, and criticality for the assets within the network. The root of a specific category (such as Criticality in the group /All Asset Categories/System Asset Categories/Criticality) defines the property itself, while its members (like Very High, High levels) define possible values for that property.
Asset categories can be assigned to individual assets, asset ranges, and asset groups. Assigning them at the most granular level of individual assets and asset ranges ensures specificity. If an asset falls within a defined range, it inherits the categories from that range. Asset Groups are collections of one or more assets where properties assigned to a group apply to all members in the group.
Categories assigned to asset groups affect all assets and asset ranges within the group, while those assigned directly to individual assets only impact those specific assets. The text also mentions how these categories can be used to describe network characteristics such as wireless or encrypted status for networks with non-constant assets like a wireless or VPN network.
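The inheritance rules above (asset, then containing asset range, then asset group) are easy to get wrong when ranges nest. The following is an added example, not ArcSight code, that models them in Python: a category path's parent is the property and its leaf is the value, and the most specific assignment wins for a given property. Only the Criticality path is named on the page; the Network Domains and Compliance paths, the sample ranges and the addresses are assumptions.

```python
"""Category inheritance in an ArcSight-style asset model (added example)."""
import ipaddress
from dataclasses import dataclass, field

CRIT = "/All Asset Categories/System Asset Categories/Criticality"           # named on the page
DOMAIN = "/All Asset Categories/Site Asset Categories/Network Domains"       # assumed path
COMPLIANCE = "/All Asset Categories/Site Asset Categories/Compliance"        # assumed path


@dataclass
class Asset:
    name: str
    ip: str
    categories: list = field(default_factory=list)


@dataclass
class AssetRange:
    name: str
    cidr: str
    categories: list = field(default_factory=list)


@dataclass
class AssetGroup:
    name: str
    members: list                       # Asset and/or AssetRange objects
    categories: list = field(default_factory=list)


def split_category(path):
    """'/.../Criticality/High' -> ('/.../Criticality', 'High'):
    the parent defines the property, the leaf is its value."""
    prop, _, value = path.rpartition("/")
    return prop, value


def effective_categories(ip, assets, ranges, groups):
    """Resolve the categories that apply to an address.

    Precedence, least to most specific: group -> containing range (longest
    prefix) -> the asset itself. A more specific assignment overrides a less
    specific one for the same property; properties set only higher up are
    inherited unchanged.
    """
    addr = ipaddress.ip_address(ip)
    asset = next((a for a in assets if ipaddress.ip_address(a.ip) == addr), None)
    hits = [r for r in ranges if addr in ipaddress.ip_network(r.cidr)]
    rng = max(hits, key=lambda r: ipaddress.ip_network(r.cidr).prefixlen, default=None)

    layers = [g.categories for g in groups
              if (asset is not None and asset in g.members)
              or (rng is not None and rng in g.members)]
    if rng is not None:
        layers.append(rng.categories)
    if asset is not None:
        layers.append(asset.categories)

    resolved = {}
    for cats in layers:
        for path in cats:
            prop, value = split_category(path)
            resolved[prop] = value
    return resolved


# Constructed sample model (addresses from RFC 5737 documentation space).
DMZ_RANGE = AssetRange("DC1 DMZ", "203.0.113.0/24", [f"{DOMAIN}/DMZ", f"{CRIT}/High"])
DC1_RANGE = AssetRange("DC1 all", "203.0.112.0/22", [f"{CRIT}/Medium"])   # wider, less specific
WEB01 = Asset("pos-web01", "203.0.113.10", [f"{CRIT}/Very High"])        # explicit override
ASSETS = [WEB01]
RANGES = [DMZ_RANGE, DC1_RANGE]
GROUPS = [AssetGroup("PCI scope", [DMZ_RANGE], [f"{COMPLIANCE}/PCI"])]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.112.5", "10.0.0.5"):
        print(ip, effective_categories(ip, ASSETS, RANGES, GROUPS))
```

Note that 203.0.113.20 has no asset of its own: it takes Criticality High from the DMZ range (the /24 beats the /22) and PCI from the group that contains that range, which is the page's point about ranges carrying categories for hosts that are not worth modelling individually.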
The document discusses implementing a data model for network management, focusing on how assets are categorized and assigned zones in HP's ArcSight system. It explains that while there are standard options supported by HP, such as manually creating zones, assets, and asset ranges, or using a Network Modelling Tool to import CSV files, the most recommended approach is to use Asset Import Connector for automation.
The document outlines several implementation options:
1. **Manual Implementation**: This method involves manually adding, configuring, or deleting parameters for Zones, Assets, and Asset Ranges in the console. It's useful for adjustments but not suitable for large-scale deployments due to its manual nature.
2. **Network Modelling Tool**: This option uses a CSV file template for Zones, Assets, and Asset Ranges to import data into the ArcSight console using the network model wizard. The advantage is that it provides a structured way of consolidating necessary information for the network model, allowing incremental updates in case adjustments are needed. However, the process requires modeling data into specified CSV formats manually.
3. **Asset Import Connector**: HP ArcSight offers a SmartConnector to automatically import assets using the same CSV format template as mentioned above. This method is preferred because it automates the importing process and simplifies large-scale deployments by streamlining the data entry tasks, making it more efficient for managing network models.
The summary highlights the features and drawbacks of HP ArcSight's asset import capabilities, particularly focusing on vulnerability scanners and network scanners, as well as auto-asset creation using SmartConnectors.
For **Vulnerability Scanners or Network Scanners**:
**Pros:** Scanners are common in enterprise networks and supply valuable asset facts, including vulnerabilities (which help prioritise risk) and the TCP/UDP services each asset exposes.
**Cons:** They provide asset information only; they cannot model zones or asset ranges, so those must be set up by hand, and until they are, scanner-imported assets appear as undefined in the ArcSight console.
**Option – Auto Asset Creation using SmartConnectors**:
**Pros:** This method can automatically create assets when new IP addresses are detected, potentially filling gaps not covered by other import methods.
**Cons:** It is not recommended as a sole asset creation method, serving more as a supplementary tool to handle missed devices during the initial importing process.
In summary, while vulnerability scanners and network scanners offer useful information about assets, their implementation in ArcSight lacks direct support for automatic population of zones or ranges without additional setup, making manual configuration necessary for incomplete data handling. The auto-asset creation feature can be a valuable addition to ensure comprehensive coverage but is not ideal as the primary method.
The article emphasizes the importance of establishing a robust data model, specifically in ArcSight, as it enables various data modelling options to be utilized concurrently. Zones are recommended to be created as a foundation dataset within ArcSight, facilitating automatic asset definition using vulnerability reports and integration from IPAM databases.
For organizations with overlapping IP address subnets, networks should be manually created due to potential complexities. A well-managed data model provides context for security analytics and SIEM needs, suggesting that customers focus on detailed Zone, Asset Range, and Asset models within specific network sections. This approach optimizes the use of data for event enrichment and correlation rules in ArcSight.
Whether all interfaces of an asset need to be linked together depends on customer requirements. In many deployments a single device such as a firewall or server ends up defined as several assets, because ArcSight treats each IP address as a separate entity. This is common among enterprise customers that maintain a Configuration Management Database (CMDB), where each configuration item (CI) is keyed by host rather than by interface.
To ensure optimal return on investment of the ArcSight solution, HP Professional Services recommend developing a strategy for asset modeling in conjunction with them. The provided options are based on HP's documented practices and can be tailored to specific customer needs through case studies like Appendix A.
The text provides an example of how to set up a network model using a corporate network environment, which includes various elements such as Wide Area Network (WAN), Datacentre 1 and 2 Local Area Networks (LANs) with internet connectivity point of presence (POP), providing DMZ infrastructure, Client VPN infrastructure, business to business VPN infrastructure (B2B), satellite sales branches on their own WAN, head office in the UK and US offering corporate wireless network services, guest wireless network services, DHCP service for corporate desktops, and a printer network.
The objective is to create zones within ArcSight to represent all major network hubs such as subsidiary company IP address ranges, Head Office UK IP address ranges, Head Office US IP address ranges, DataCentre 2 IP address ranges, DataCentre 1 IP address ranges, and Satellite Sales branches WAN IP address ranges. If there are overlapping IP addresses between any zones, corresponding networks should be created in ArcSight for better asset management and identification.
The text also mentions that while HP only provides standard documented methods to manually define zones, a consultancy engagement with HP Professional Service can offer non-standard options for automated zone updates to ArcSight.
The document outlines a comprehensive plan for defining and categorizing asset ranges across various network infrastructures within two data centers (DataCentre 1 and 2) and the head office in the US. The primary focus is on creating detailed subnet definitions with specific IP addressing schemes based on their function, such as DMZ, Remote Access VPN, Corporate wireless DHCP IP, Printer network, Desktop DHCP IP, and management network.
For DataCenters:
Each hub has subnets defined according to whether they serve a DMZ (with static IP) or are part of Client VPN, B2B VPN, customer VPNs with specific NAT configurations.
These subnets help in categorizing assets for enhanced analytics and risk context by providing additional information about the source and destination addresses related to events on these networks.
For Head Office US:
The network infrastructure includes wireless (corporate and DHCP IP), printer VLAN, desktop DHCP IP, and management VRF subnets categorized accordingly.
Sales satellite branches and the UK head office are excluded from the current project phase.
The document emphasizes that by categorizing these asset ranges, it provides more detailed information which can be used for analytics and risk assessments, enhancing network management and security.
The goal is to automatically update asset ranges for ArcSight, which typically requires manual definition as per HP's standard documentation. However, HP Professional Services can offer non-standard options through consultancy engagements.
Key objectives include modelling all individual assets for finance applications and public-facing infrastructure within the first six months of implementation, by which time valid vulnerability data and TCP/UDP service inventories should be defined for them. Specific Event-of-Interest use cases are also outlined:
Network communications from DMZ should not initiate connectivity into Datacenters or further into the network.
Communications originating from public IP addresses (excluding B2B VPN) should only access assets as per defined asset ranges or categories. Any deviation is considered a policy violation.
Network communication should not be initiated from within the printer VLAN; printers should only receive connections.
DataCentre 1 and 2 Client VPN Infrastructure can communicate within their respective datacenter zones, while DataCentre 1 and 2 B2B VPN Infrastructure can only communicate with DMZ areas of these datacenters.
Reporting on statistics for communications involving DataCentre 1 and 2 Client VPN Infrastructure to the Management network is required.
If default usernames are used to access devices other than desktop devices (printers, servers, firewalls, routers, etc.), this should only be from the management network; any deviation from public IP addresses or VPNs should be treated as a critical policy breach.
All finance assets must be accessed via specific DHCP ranges for desktops, with exceptions for management network access.
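Each of these use cases is a comparison between the zones or asset ranges of an event's source and destination, which is why the zone model has to exist before the rules do. The block below is an added example, not the customer's ArcSight rules: it applies the policies listed above to a handful of constructed connection events in Python. The page names the zones but gives no addresses, so every CIDR, the list of default usernames and the sample events are assumptions. In ESM these checks would be correlation rules keyed on the zone and category fields that the asset model populates.

```python
"""Event-of-Interest policies from the primer's example, over constructed events."""
import ipaddress
from collections import Counter

# Assumed address plan (RFC 1918 / RFC 5737 space); the page names the zones only.
ZONES = {
    "DMZ":            "203.0.113.0/24",
    "DC1":            "10.1.0.0/16",
    "DC2":            "10.2.0.0/16",
    "DC1_CLIENT_VPN": "10.1.200.0/24",   # nested inside DC1
    "DC1_B2B_VPN":    "10.1.201.0/24",   # nested inside DC1
    "FINANCE":        "10.1.30.0/24",    # finance application servers, inside DC1
    "PRINTER_VLAN":   "10.10.50.0/24",
    "DESKTOP_DHCP":   "10.10.0.0/22",
    "MANAGEMENT":     "10.0.255.0/24",
}
NETS = {name: ipaddress.ip_network(cidr) for name, cidr in ZONES.items()}
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_USERS = {"admin", "root", "cisco", "manager"}   # assumed vendor defaults


def zones_of(ip):
    """Every modelled zone/range containing ip (ranges nest inside zones, so an
    address can be in several). Unmodelled non-RFC1918 space is PUBLIC; the
    stdlib is_global() is avoided because it treats documentation prefixes as private."""
    addr = ipaddress.ip_address(ip)
    hits = {name for name, net in NETS.items() if addr in net}
    if hits:
        return hits
    return {"UNMODELLED"} if any(addr in n for n in RFC1918) else {"PUBLIC"}


def evaluate(ev):
    """Apply the policies to one connection event (src, dst, optional user).
    Returns (findings, stats): findings are (rule, severity) pairs, stats
    carries the reporting-only use case."""
    s, d = zones_of(ev["src"]), zones_of(ev["dst"])
    findings, stats = [], Counter()
    vpn = {"DC1_CLIENT_VPN", "DC1_B2B_VPN"}

    if "DMZ" in s and d & {"DC1", "DC2"}:
        findings.append(("dmz-initiated-into-datacentre", "high"))
    if s == {"PUBLIC"} and "DMZ" not in d:          # B2B VPN is private space, so excluded
        findings.append(("public-to-non-public-asset", "high"))
    if "PRINTER_VLAN" in s:
        findings.append(("printer-vlan-initiated", "medium"))
    if "DC1_B2B_VPN" in s and "DMZ" not in d:
        findings.append(("b2b-vpn-beyond-dmz", "high"))
    if "DC1_CLIENT_VPN" in s:
        if "MANAGEMENT" in d:
            stats["client_vpn_to_management"] += 1   # reported, not alerted
        elif "DC1" not in d:
            findings.append(("client-vpn-outside-own-datacentre", "medium"))
    if ev.get("user") in DEFAULT_USERS and "DESKTOP_DHCP" not in d and "MANAGEMENT" not in s:
        sev = "critical" if s & ({"PUBLIC"} | vpn) else "high"
        findings.append(("default-username-outside-management", sev))
    if "FINANCE" in d and not s & {"DESKTOP_DHCP", "MANAGEMENT"}:
        findings.append(("finance-access-outside-desktop-dhcp", "high"))
    return findings, stats


def run(events):
    """Evaluate a batch; returns per-event findings and aggregated stats."""
    results, totals = [], Counter()
    for ev in events:
        f, st = evaluate(ev)
        results.append(f)
        totals.update(st)
    return results, totals


# Constructed sample events (firewall "connection accepted" style records).
EVENTS = [
    {"src": "203.0.113.10", "dst": "10.1.30.5"},                      # DMZ web -> finance server
    {"src": "198.51.100.7", "dst": "203.0.113.10"},                   # internet -> DMZ (allowed)
    {"src": "198.51.100.7", "dst": "10.1.0.20"},                      # internet -> DC1 server
    {"src": "10.10.50.3",   "dst": "10.1.0.20"},                      # printer initiates
    {"src": "10.1.200.9",   "dst": "10.0.255.10"},                    # client VPN -> management
    {"src": "10.1.201.4",   "dst": "10.1.0.20"},                      # B2B VPN past the DMZ
    {"src": "10.10.1.50",   "dst": "10.1.30.5"},                      # desktop -> finance (allowed)
    {"src": "198.51.100.9", "dst": "203.0.113.10", "user": "admin"},  # default user from internet
    {"src": "10.0.255.5",   "dst": "10.10.50.3",   "user": "admin"},  # default user from management
]

if __name__ == "__main__":
    per_event, totals = run(EVENTS)
    for ev, f in zip(EVENTS, per_event):
        print(ev["src"], "->", ev["dst"], f or "ok")
    print(dict(totals))
```

The first event triggers two rules at once (a DMZ host initiating into a datacentre, and a finance asset reached from outside the desktop DHCP range), which is the normal outcome when a single connection violates independent policies; severity is then taken from the highest-rated finding rather than merged.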
This asset model example is not provided in the text but would typically include diagrams and details to help visualize the setup.
The provided text outlines a web application architecture designed to be accessible over the internet, featuring several interconnected components including routers, firewalls, and various servers. These include three POS point-of-sale Webservers, one database server, and multiple DMZs for different purposes such as public facing traffic, internal communication between servers, and management.
The requirements for this setup involve defining all assets with their IP addresses and interfaces clearly mapped out to ensure security measures like firewalls are properly configured. This includes scanning TCP/UDP ports on all networks (LAN, Internet, DMZs) to identify vulnerabilities and potential threats. The vulnerability scans aim to provide a comprehensive inventory of services running on each port across the different network segments, helping in understanding the risk landscape and enhancing analytics for better security posture.
The objectives of this setup are not explicitly mentioned but can be inferred from the requirement of scanning ports and mapping IP interfaces. This implies that the primary goal is to ensure the secure operation of all components, with a focus on identifying and mitigating risks associated with network vulnerabilities. The detailed scan results help in understanding how threats might move through these networks, aiding in directing defensive actions such as blocking malicious traffic or enhancing server security measures based on real-time threat data from intrusion detection systems.
This text discusses several aspects related to network security, asset management, and automation. Here's a summary of key points:
1. **Security Incidents**: An intrusion detection system (IDS) detects hostile payloads aimed at both Microsoft Internet Information Services (IIS) and Apache web services. The IDS rates an IIS-targeted payload as severe, but when the asset model shows that the target host runs Apache rather than IIS, the event is not critical for the customer. The alert is still significant; the asset model is what lets the analyst rank it correctly.
2. **Automated Asset Updates**: The customer wants ArcSight's asset data to be updated automatically from Windows Update patch deployments, so that the patch state of hosts is tracked without manual intervention. This is particularly relevant for POS (Point of Sale) application hosts visible from the internet, alongside the network access controls below.
3. **Network Security Measures**: The requirements include restricting all user access to the Point of Sale system database and web servers to the management network only. Access should be restricted to specific service accounts for database server interactions with POS web servers. Network traffic flow baselines are to be defined to detect anomalies, which can help in proactively managing potential threats without compromising network performance or security.
4. **Automation and Asset Management**: The customer project aims to fully automate the data model for ArcSight SIEM by leveraging their CMDB (Configuration Management Database) and IPAM (IP Address Management) database. These tools are used to manage individual assets, create networks, zones, and asset ranges, incorporating TCP/UDP service inventory and vulnerability data from a McAfee solution.
5. **Use Case Definition**: Specific use cases for escalation or support are defined based on the type of incident, whether it's related to network security, application vulnerabilities, or other IT issues. These use cases help in managing tickets (cases) efficiently within the support hierarchy.
Overall, these points highlight a strategic approach towards enhancing network and information security through automation, strict access controls, and proactive detection mechanisms.
The goal is to improve asset classification and network management by integrating information from several sources: confidentiality, integrity and availability (CIA) values, IP addresses, DNS names, and subnet zones. To achieve this, HP Professional Services will perform the following integration tasks using the customer's CMDB:
1. **CMDB Integration**: The service will use the CMDB to get hostname information, customer names (teams), and CIA values but will need to enhance this with IP address data for better visibility in ArcSight. This includes creating an Asset Name automatically by editing the server properties file in ArcSight.
2. **Creating Specific ArcSight Asset Database**: The service will develop a database that collects all necessary data from multiple sources, including CMDB and DNS. It uses hostnames as keys to map IP addresses from DNS, adding subnet information from IP Address Management (IPAM) for complete IP address details. This database also includes category information relevant to CIA values.
3. **Transforming Data**: The ArcSight Asset Database will transform the collected data into an XML export format specific to ArcSight called ARB (Archive Bundle).
4. **Importing Data into ArcSight**: The ARB file is then imported into ArcSight by a Perl script for further analysis and management.
5. **Updating IPAM Database**: Finally, categorizations for each zone, such as VPN and DHCP ranges, will be manually updated in the IPAM database to ensure accurate IP address tracking and classification within the network zones.
In this approach the only manual step is the IPAM update: zone categorisations are entered in IPAM once, after which categories are assigned to assets automatically, and vulnerability data is attached to each asset using its IP address as the key. A diagram of the resulting ArcSight Asset Database is provided as an attachment.
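The integration steps above amount to a join: CMDB rows keyed by hostname, DNS to turn hostnames into IP addresses, IPAM to place each address in a subnet and zone (and to carry the hand-entered zone categorisations), and scanner data keyed by IP address. The block below is an added example of that join in Python, not HP's script. All extracts are constructed; the 1 to 5 CIA scale and its mapping to the Criticality category, the Network Domains path and the CSV column names are assumptions (the columns are not the Asset Import Connector template), and the final ARB serialisation is left out because the page does not give its schema.

```python
"""Build an asset database from CMDB, DNS and IPAM extracts (added example)."""
import csv
import io
import ipaddress

CRIT = "/All Asset Categories/System Asset Categories/Criticality"
DOMAIN = "/All Asset Categories/Site Asset Categories/Network Domains"   # assumed path

# Constructed extracts. CMDB is keyed by hostname and carries the owning team
# and CIA ratings on an assumed 1..5 scale; DNS maps hostname -> IPv4; IPAM
# maps subnet -> zone plus the zone categorisation entered by hand.
CMDB = [
    {"hostname": "pos-web01",   "team": "Retail IT",  "c": 3, "i": 3, "a": 4},
    {"hostname": "pos-db01",    "team": "Retail IT",  "c": 5, "i": 5, "a": 4},
    {"hostname": "print-srv01", "team": "Facilities", "c": 1, "i": 2, "a": 2},
    {"hostname": "legacy-app",  "team": "Finance",    "c": 4, "i": 4, "a": 3},
]
DNS = {"pos-web01": "203.0.113.10", "pos-db01": "10.1.30.5", "print-srv01": "172.20.9.9"}
IPAM = [
    {"cidr": "203.0.113.0/24", "zone": "DC1 DMZ",          "categories": [f"{DOMAIN}/DMZ"]},
    {"cidr": "10.1.0.0/16",    "zone": "DC1",              "categories": []},
    {"cidr": "10.1.30.0/24",   "zone": "DC1 Finance VLAN", "categories": []},
]
# Scanner output keyed by IP address, which the primer uses as the key index.
SERVICES = {"203.0.113.10": ["tcp/80", "tcp/443"], "10.1.30.5": ["tcp/1433"]}
VULNS = {"203.0.113.10": ["weak TLS cipher suites enabled"], "10.1.30.5": []}

CRIT_VALUES = {5: "Very High", 4: "High", 3: "Medium", 2: "Low", 1: "Very Low"}


def criticality(c, i, a):
    """Derive the Criticality value from the highest CIA rating (assumed rule)."""
    return f"{CRIT}/{CRIT_VALUES[max(c, i, a)]}"


def ipam_lookup(ip):
    """Longest-prefix match of ip against IPAM subnets; None if unmodelled."""
    addr = ipaddress.ip_address(ip)
    hits = [s for s in IPAM if addr in ipaddress.ip_network(s["cidr"])]
    return max(hits, key=lambda s: ipaddress.ip_network(s["cidr"]).prefixlen, default=None)


def build_asset_db(cmdb=CMDB, dns=DNS):
    """Join the sources; returns (assets by hostname, unresolved hostname -> reason).
    Unresolved hosts are the ones that would show as undefined in the ESM console."""
    assets, unresolved = {}, {}
    for ci in cmdb:
        host = ci["hostname"]
        ip = dns.get(host)
        if ip is None:
            unresolved[host] = "no-dns-record"
            continue
        subnet = ipam_lookup(ip)
        if subnet is None:
            unresolved[host] = "no-ipam-subnet"
            continue
        assets[host] = {
            "name": host, "ip": ip, "zone": subnet["zone"], "customer": ci["team"],
            "categories": [criticality(ci["c"], ci["i"], ci["a"])] + subnet["categories"],
            "services": SERVICES.get(ip, []),
            "vulnerabilities": VULNS.get(ip, []),
        }
    return assets, unresolved


def to_csv(assets):
    """Flatten to CSV; the columns are this example's, not the ArcSight template."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["name", "ip", "zone", "customer", "categories", "services", "vulnerabilities"])
    for a in assets.values():
        w.writerow([a["name"], a["ip"], a["zone"], a["customer"], "|".join(a["categories"]),
                    "|".join(a["services"]), "|".join(a["vulnerabilities"])])
    return out.getvalue()


if __name__ == "__main__":
    db, missing = build_asset_db()
    print(to_csv(db))
    print("unresolved:", missing)
```

Two things worth keeping from this shape: the longest-prefix match is what puts pos-db01 into the finance VLAN rather than the enclosing DC1 zone, and the unresolved list is the report to act on before the import, since a host with no DNS record or no IPAM subnet is exactly the asset that later shows up undefined in the console.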