Data Network Asset Model Primer v1.0
- Pavan Raja

- Apr 8, 2025
- 15 min read
Summary:
This document outlines a strategy for enhancing security measures within an organization, focusing on improving Intrusion Detection System (IDS) capabilities, network configuration, and asset management. A summary of its key points and benefits follows.
### Key Points

1. **Network Configuration**: The document describes the setup of two data centres with separate client VPN infrastructure that can communicate within their respective zones but only through B2B VPN for communication with the DMZ. Accessing devices like printers, servers, firewalls (excluding desktops) via public IP or VPN is restricted unless authorized.
2. **Security Measures**: The need to categorize assets using CIA values and to define network zones (DMZ, VPN, desktop, wireless subnets) for strict access controls. This includes restricting all user access to POS system components like databases and web servers to a management network only.
3. **Asset Management**: Defining baseline network flow characteristics for anomaly detection and performing vulnerability scans on TCP/UDP ports from different networks to identify risks associated with service vulnerabilities.
4. **Integrated Data Model for ArcSight SIEM Solution**: Enhancement of the CMDB by adding hostname, customer names (teams), and CIA values to include IP address information for use by ArcSight. Integration of existing databases (CMDB and IPAM) with McAfee vulnerability and TCP/UDP service information for comprehensive network and asset visibility.
5. **Automated Asset Updates**: Enhancing automated asset updates for ArcSight SIEM solutions to ensure no security vulnerabilities in POS applications are exposed to the internet, including strict access controls on networks.
### Benefits

- **Reduced False Alerts**: By focusing vulnerability scans and IDS capabilities more effectively through detailed network configuration and asset categorization, there is a reduction in false alerts about misconfigurations in the IDS.
- **Improved Security Posture**: With enhanced security measures such as restricted access and real-time monitoring of TCP/UDP services, the overall security posture of the organization is improved, reducing the risk of cyber threats and data breaches.
- **Compliance and Governance**: The detailed categorization and strict access controls align with compliance requirements and governance standards, ensuring that the organization operates within legal and regulatory frameworks.
- **Data Integrity**: By integrating databases (CMDB and IPAM) and enhancing asset management, there is a significant improvement in data integrity, leading to better decision making and operational efficiency.
- **Risk Mitigation**: The vulnerability scans help identify potential risks associated with service vulnerabilities across various network interfaces, enabling proactive risk mitigation strategies.
### Conclusion

The document provides a structured approach to enhance security within an organization through detailed network configuration, asset management, and IDS capabilities. By focusing on reducing false alerts and improving overall security posture, the strategy helps in mitigating cyber risks while ensuring compliance with governance standards. The integration of existing databases and enhancement of automated processes contribute significantly to improved data integrity and operational efficiency.
Details:
This document is a draft review providing an introduction to defining a data model for ArcSight, which includes both network and asset models. It aims to provide customers with an overview of available options for defining such a model and its importance in the SIEM solution. The document outlines how it will be tailored according to customer objectives during a workshop, focusing on specific use cases and integration scenarios relevant to each organization's needs.
The benefits of a well-planned data model include enhanced context for overall SIEM correlation, events schema, and reporting capabilities, which lead to better understanding of protected assets, risks, faster analytics, and situational awareness for monitoring network access between zones or asset ranges. This supports process, policy, and procedure adherence by providing specific rules (use cases) tailored to the organization's requirements.
ArcSight Enterprise Security Manager (ESM) is a software tool designed to help organizations manage security compliance by providing risk assessments based on standards such as PCI DSS (Payment Card Industry Data Security Standard), SOX (Sarbanes-Oxley Act), HIPAA (Health Insurance Portability and Accountability Act), and ISO 27001. It enables businesses to define specific classifications for their assets, which helps in identifying criticality and in the prioritization of SIEM (Security Information and Event Management) data for more efficient risk management.
The ArcSight ESM Data Model is built on a comprehensive framework that integrates both the Network Model and the Asset Model. This integration allows for clearer identification of network events and provides enhanced layers of detail to improve the correlation capabilities of ArcSight's ESM system. The modeling of the network plays a crucial role in the baseline configuration of ArcSight ESM, which necessitates ongoing operational maintenance to ensure its effectiveness.
The Network Model within ArcSight ESM is a representation of nodes on an organization's network and certain characteristics of the network infrastructure itself. It includes information about individual assets and entire zones on the protected network. By capturing detailed attributes related to these assets—such as criticality, exposure to vulnerabilities, hosting of applications, and potential involvement in hostile activities—the Network Model helps ESM to better understand the context of security events, enabling more informed decision-making regarding response strategies.
Overall, ArcSight ESM's data model is a powerful tool for organizations looking to enhance their cybersecurity posture by efficiently managing risks associated with various compliance standards and improving the effectiveness of SIEM systems in detecting potential threats.
The Network Model includes the resources Assets, Asset Ranges, Zones, Networks, and Customers; all of these except Customers are held under the Assets resource. Assets represent individual nodes on the network like servers, routers, and laptops, while Asset Ranges represent a set of contiguous IP address blocks. Zones are portions of the network characterized by contiguous address blocks, and Networks differentiate between two private address spaces with overlapping IP ranges.
The text further explains that Customers describe internal or external cost centers or separate business units associated with networks, and customer tagging is mainly developed for Managed Security Service Provider (MSSP) environments but can also be used by private organizations to denote various entities like cost centres, internal groups, or subdivisions. The purpose of the Customer designation is to keep event traffic from multiple entities separately identified, considering each entity as "owner" of an event rather than its source or target.
To summarize the provided information on discovering and managing assets using ArcSight SmartConnectors and ArcSight Enterprise Security Manager (ESM), here are the main points:
1. Asset Identification: Every network-visible interface with an IP or MAC address is considered a separate asset unless it belongs to a specified asset range. Not all interfaces need to be modeled; only those relevant for correlation and reporting should be included. Multiple active network interfaces on one piece of hardware (e.g., router, web server) can be modeled as alternate interfaces in the Assets tab.
2. Asset Ranges: These are groups of interconnected assets that use a contiguous block of IP addresses. They are useful for tracking many nodes such as servers or those using DHCP, and they help manage practicality in asset tracking across networks. When an event is processed by SmartConnector or ArcSight ESM, the log source endpoints are identified either individually or within an asset range based on their identifier.
3. Zones: These represent functional parts of a network with contiguous IP addresses, like DMZs, VPNs, wireless LANs, or DHCP networks. Every asset or address range is associated with a zone, and the system comes pre-configured with standard global IP address ranges as zones.
4. Asset Aging Function: ArcSight ESM includes an asset aging function that tracks the last time an asset was scanned and diminishes its confidence in the priority formula over time if it hasn't been scanned for a configurable period, eventually reducing the asset's model confidence to zero.
These points highlight how IP addresses are used as assets within specific zones, with considerations for relevant interfaces, and automated mechanisms like asset ranges and aging functions to manage and update these assets efficiently.
This section covers organizing assets in a network environment, particularly zones, asset groups, and the asset model with its locations and vulnerabilities. The points made are:
1. **Zones**: These are used for importing assets via batch process or from vulnerability scanners. Zones automatically assign IP addresses that match them; it is recommended to have zones in place before importing assets as this simplifies the process. If not, you must manually assign assets to zones or re-batch them.
2. **Asset Groups**: These are logical groupings of one or more asset resources within a hierarchical structure. Properties assigned to an Asset Group apply to all associated assets. They serve as a main control for permissions (role based access control) and can be used for delegating responsibility in reporting on assets.
3. **Asset Model**: This involves the creation of a resource that describes attributes of assets, including locations and vulnerabilities. These resources are part of the overall network modeling process. Vulnerabilities are typically discovered and updated by scanners, while locations map IP addresses to owning bodies. The system allows for manual changes such as associating vulnerabilities with Knowledge Base articles or overriding default location mappings through the Location resource.
In summary, the text discusses essential aspects of managing assets in a networked environment, including how to organize them into zones, groups, and how to handle their attributes like locations and vulnerabilities.
This text discusses several aspects related to asset management in systems, particularly within the context of an enterprise network using ArcSight for monitoring and managing security events.
Firstly, it mentions that assets being modeled may have a location attribute set, which can differ from the database-mapped IP address locations. This flexibility allows for more accurate geographical representation of assets in the system.
The text then introduces the concept of 'Asset Categories', which are resources used to describe properties of an asset such as its usage and role within the network. These categories serve multiple purposes including enhancing differentiation, relevance, and context amidst the vast number of events passing through the network. Asset categories define a security classification, identity, ownership, and criticality for assets on the network. The categorization is hierarchical, with root categories defining properties and member categories specifying possible values for those properties.
Asset Categories can be assigned to individual assets, asset ranges, or even entire groups of assets (asset groups). When an asset falls within a range, it inherits the category definitions from that range. Asset Groups are collections of one or more assets that share common characteristics; their hierarchy means any property set at this level applies to all contained assets.
Lastly, while discussing assignment of categories, it's important to note that categories assigned to zones apply to network properties and not specific assets within them. This is relevant for networks where asset locations are variable, such as wireless or VPN networks, helping in categorizing traffic flows more effectively.
The document discusses implementing a data model for use with HP's ArcSight solution, focusing on three main options for setting up the network and asset model: manually, through the Network Modelling Tool (using CSV files), and using the Asset Import Connector. Each method has its advantages and disadvantages.
**Option 1: Manually**
This method involves creating Zones, Assets, and Asset Ranges within the ArcSight console by entering data manually. It is best suited for small to medium-sized deployments or corrections/enhancements of existing configurations.
**Pros**: Allows for precise control over individual parameters, easy adjustments without large datasets.
**Cons**: Not scalable for larger networks; time-consuming and less efficient compared to other methods.
**Option 2: Network Modelling Tool**
This approach involves importing three CSV files (for Zones, Assets, and Asset Ranges) into the ArcSight console using a wizard. It provides a structured way of consolidating necessary information for the network model.
**Pros**: Simplistic and controlled method for defining the network model; supports incremental updates.
**Cons**: Requires data to be modeled in specific CSV formats; relies on manual GUI/wizard for import, which may not be as efficient as direct console manipulation.
**Option 3: Asset Import Connector (SmartConnector)**
HP ArcSight offers a SmartConnector that automatically imports network and asset information into the system once configured with appropriate settings. This method is more automated than previous options but still relies on predefined templates for data entry which may not suit all users or environments.
**Pros**: Automated import process simplifies large deployments; potentially less error-prone due to direct integration with SmartConnector capabilities.
**Cons**: Limited customization and potential for misalignment between imported data and actual network configuration, unless carefully managed through setup and ongoing adjustments.
In summary, the choice of method depends on the size of the deployment, user preference, and specific requirements such as scalability, ease of use, and integration with existing systems. Each option has its trade-offs, but for larger or more complex deployments, automated methods like the Asset Import Connector are generally preferred due to their efficiency and reduced risk of human error.
The text discusses two methods for importing and managing assets in HP ArcSight: through the use of CSV files or vulnerability scanners/network scanners, along with auto-asset creation using SmartConnectors.
For CSV file import, the process is automated, which can be advantageous due to its efficiency. However, it does not support the inclusion of network zones or asset ranges in the data being imported. Moreover, users must model their data into a specific CSV format, though ArcSight provides a GUI for mapping company-specific data formats to meet the required import format.
On the other hand, vulnerability scanners and network scanners are common tools in enterprise networks that can populate assets using scan data from these devices. HP offers SmartConnectors which allow for automatic or manual import of this scan data into ArcSight. The advantages here include leveraging well-known tools to gather information on asset footprints and vulnerabilities, providing additional context through TCP/UDP services usage. However, these scanners are primarily used for basic asset info and do not facilitate modeling for zones or ranges without further manual configuration.
Lastly, the text introduces auto-asset creation using SmartConnectors, which automatically generates assets when new IP addresses appear in log sources. This method offers an alternative means of adding devices that might have been overlooked previously.
In summary, while both methods offer different advantages and challenges in managing asset information, they each cater to specific needs and tools commonly used within enterprise environments.
The text discusses the importance of creating a data model in ArcSight, particularly focusing on Zones and Assets. It suggests that at least one foundation dataset should be created as Zones, which can then be used alongside other data modelling options for additional flexibility. For networks with overlapping IP address subnets, it is recommended to create them manually. The goal of the data model is to manage and provide context for security analytics and SIEM needs, allowing for better event enrichment and correlation rules within ArcSight.
The text also addresses the complexity involved in defining assets, stating that not all interfaces of an asset need to be linked together, as each IP address is treated individually by ArcSight, which is typical for enterprise customers with complex configurations like CMDB (Configuration Management Database) or CI (Common Information Model). It emphasizes the importance of developing a strategy on asset modeling with HP Professional Services to ensure optimal use of the ArcSight solution and validate project requirements. The text concludes with the mention of a case study in Appendix A, illustrating how complex asset modeling can be applied for specific customer needs.
The text discusses the process of defining requirements and criteria for a network model, specifically in the context of setting up a corporate network environment within ArcSight. It outlines an example of such an environment that includes various components like Wide Area Network (WAN), Datacentre 1 and 2 Local Area Networks (LANs) with internet connectivity points-of-presence (POPs), satellite sales branches, head offices in the UK and the US providing various network services including wireless networks and DHCP service for desktops and printers.
Based on this scenario, specific requirements are outlined to create zones within ArcSight:
1. Subsidiary company IP address ranges should be represented as a single entity zone.
2. Head Office UK IP address ranges should form another zone.
3. Head Office US IP address ranges should also form their own zone.
4. DataCentre 2 and DataCentre 1 IP address ranges should each have separate zones.
5. Satellite Sales branches WAN IP address ranges should be grouped into a single entity zone.
6. If there are overlapping IP addresses between any of these zones, additional networks should be created in ArcSight accordingly.
The primary objective is to establish foundational information within ArcSight that enables the identification and management of individual assets either through manual methods or automated processes using SmartConnectors or vulnerability scanning data for asset creation. The text also highlights a preference for automated updates of these zones in ArcSight, though it notes that HP's standard documentation only offers manual options.
The document outlines the process of defining "Zones" by categorizing various subnets into specific types based on their function within a network infrastructure. This includes defining Asset Ranges for all subnets in two main hubs (DataCentre 1 and 2), each with different characteristics:
1. **DMZ Infrastructure**: Subnets are categorized as DMZ with static IP addressing.
2. **Client VPN Infrastructure**: Subnets are categorized as Remote Access Client VPN with DHCP addressing.
3. **B2B VPN Infrastructure**: Subnets are categorized as Remote Access VPN.
4. **Customer VPN subnets**: Further categorized by specific customer VPNs, including NAT settings if applicable.
5. **Wireless and Printer Networks**: Specific to the Head Office US:
Wireless network for each subnet is categorized as corporate wireless DHCP IP.
Printer VLAN network for each subnet is categorized as a Printer network.
6. **Desktop Network**: For each subnet, it's categorized as a Desktop DHCP IP.
7. **Management Networks**: Subnets are categorized as management networks within the Management VRF.
Subsidiaries in Sales Satellite Branches and Head Office UK are not considered for this scope, nor is there a need to define Asset Ranges for subsidiary companies since they are already defined as zones. The purpose of these categorizations is to enhance event schema information with additional granularity.
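The zone requirements and asset-range categorizations above, with the overlap check from requirement 6 and the range-to-asset category inheritance described in the Asset Categories section, as an added Python illustration (not the document's or ArcSight's own code). Every subnet, zone name, Network label and category URI is constructed for the scenario, Head Office UK and the subsidiary deliberately share an address block, and the CSV layout at the end is an assumed one rather than the Network Modelling Tool's exact column format.

```python
"""Toy ArcSight-style network model: zones, networks, asset ranges, categories.

Added illustration: every subnet, zone name and category URI below is
constructed for the scenario in the text, not taken from a real deployment.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    block: ipaddress.IPv4Network
    network: str = "Global"   # ArcSight Network that disambiguates overlapping blocks
    customer: str = ""        # owning entity (the Customer resource), if any


@dataclass(frozen=True)
class AssetRange:
    name: str
    block: ipaddress.IPv4Network
    categories: frozenset     # category URIs inherited by every asset in the range


# Head Office UK and the subsidiary deliberately share 10.50.0.0/16 so the
# overlap check has something to find; the subsidiary sits in its own Network.
ZONES = [
    Zone("DataCentre 1", ipaddress.ip_network("10.10.0.0/16")),
    Zone("DataCentre 2", ipaddress.ip_network("10.20.0.0/16")),
    Zone("Head Office US", ipaddress.ip_network("10.30.0.0/16")),
    Zone("Head Office UK", ipaddress.ip_network("10.50.0.0/16")),
    Zone("Subsidiary", ipaddress.ip_network("10.50.0.0/16"),
         network="SubsidiaryNet", customer="SubsidiaryCo"),
    Zone("Satellite Branches WAN", ipaddress.ip_network("172.16.0.0/12")),
]

RANGES = [  # constructed asset ranges following the categorization list above
    AssetRange("DC1 DMZ", ipaddress.ip_network("10.10.1.0/24"),
               frozenset({"/Network/DMZ", "/Addressing/Static"})),
    AssetRange("DC1 Client VPN", ipaddress.ip_network("10.10.2.0/23"),
               frozenset({"/Network/RemoteAccess/ClientVPN", "/Addressing/DHCP"})),
    AssetRange("DC1 B2B VPN", ipaddress.ip_network("10.10.4.0/24"),
               frozenset({"/Network/RemoteAccess/B2BVPN"})),
    AssetRange("DC1 Management", ipaddress.ip_network("10.10.250.0/24"),
               frozenset({"/Network/Management"})),
    AssetRange("HO-US Printer VLAN", ipaddress.ip_network("10.30.9.0/24"),
               frozenset({"/Network/Printer"})),
]


def overlapping_zones(zones=ZONES):
    """All zone pairs whose address blocks overlap, regardless of Network."""
    return [(a.name, b.name) for i, a in enumerate(zones) for b in zones[i + 1:]
            if a.block.overlaps(b.block)]


def unresolved_overlaps(zones=ZONES):
    """Overlapping pairs that still share one Network: these are ambiguous and
    need an additional ArcSight Network before events can be attributed."""
    by_name = {z.name: z for z in zones}
    return [(a, b) for a, b in overlapping_zones(zones)
            if by_name[a].network == by_name[b].network]


def zone_for(ip, network="Global", zones=ZONES):
    """Most specific zone containing ip inside the given Network, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [z for z in zones if z.network == network and addr in z.block]
    return max(hits, key=lambda z: z.block.prefixlen).name if hits else None


def categories_for(ip, ranges=RANGES):
    """Categories an asset inherits from the most specific range containing it."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in ranges if addr in r.block]
    return sorted(max(hits, key=lambda r: r.block.prefixlen).categories) if hits else []


def zones_csv(zones=ZONES):
    """Zone rows as CSV. The column layout is an assumption for illustration,
    not the exact format the Network Modelling Tool wizard expects."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["name", "start_address", "end_address", "network", "customer"])
    for z in zones:
        w.writerow([z.name, str(z.block[0]), str(z.block[-1]), z.network, z.customer])
    return out.getvalue()


if __name__ == "__main__":
    print("overlaps:", overlapping_zones())
    print("unresolved:", unresolved_overlaps())
    print("10.50.3.4 ->", zone_for("10.50.3.4"), "/", zone_for("10.50.3.4", "SubsidiaryNet"))
    print("10.10.1.20 categories:", categories_for("10.10.1.20"))
    print(zones_csv())
```

Running it lists the Head Office UK / Subsidiary overlap, shows that it is already resolved because the subsidiary lives in a separate Network, and resolves the same address to a different zone depending on which Network the event arrived from. Addresses inside a zone but outside any asset range inherit no categories, which is the gap that per-asset modelling (manual, imported or scanner-fed) is meant to close.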
This section discusses asset management and security within an organization's infrastructure. It notes that providing additional advantages and risk context for each individual asset is beneficial, which also allows for enhanced analytics to identify the source and destination addresses of events. The need for automated asset range updates in HP ArcSight is highlighted: HP's standard documentation offers only manual definition methods, but non-standard, automated options can be provided through consultancy engagements.
The objective includes ensuring that all individual assets are included in finance applications and public facing infrastructure, with the condition that within six months of going live with the project, valid vulnerability data and defined TCP/UDP services should be present for both finance applications and public infrastructure.
Several use cases related to Event of Interest are proposed:
1. Network communications from the DMZ should not initiate connectivity into Datacentres or further into the network.
2. Communications originating from any non-B2B VPN public IP addresses should only access defined public facing infrastructure or individual assets, and other types of communication are considered deviations from policy.
3. Printer VLAN communications should not be initiated from this VLAN.
4. DataCentre 1 and 2 Client VPN Infrastructure can communicate within the DataCentre 1 and 2 zones, while DataCentre 1 and 2 B2B VPN Infrastructure can only communicate with the DMZ of these datacentres.
5. Reports and dashboard statistics should be provided if DataCentre 1 and 2 Client VPN Infrastructure communicates to the Management network.
6. Accessing devices such as printers, servers, firewalls, routers (excluding desktop devices) using a system default username from non-management networks via public IP or client/B2B VPN is considered a deviation of policy, with higher priority if it involves these communication channels.
7. All assets defined under finance should only be accessed by authorized personnel.
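The seven Event-of-Interest use cases above expressed as detection logic, as an added Python illustration (not ArcSight rule content and not the customer's own rules). The events are constructed dicts shaped like events already enriched by the network model, so each endpoint carries its zone and category URIs; the category URIs, the default-account list and the authorised finance users are all assumptions.

```python
"""Policy-deviation checks for the seven Event-of-Interest use cases.

Added illustration, not ArcSight rule content. Events are constructed dicts
shaped like an already-enriched ArcSight event: each endpoint carries the zone
and category URIs the network model would have attached to it.
"""

DATACENTRES = {"DataCentre 1", "DataCentre 2"}
DEFAULT_ACCOUNTS = {"admin", "root", "administrator"}      # constructed list
FINANCE_AUTHORISED = {"fin-ops-alice", "fin-ops-bob"}       # constructed list
INFRA_ROLES = {"/Role/Printer", "/Role/Server", "/Role/Firewall", "/Role/Router"}
CLIENT_VPN = "/Network/RemoteAccess/ClientVPN"
B2B_VPN = "/Network/RemoteAccess/B2BVPN"


def endpoint(zone, *categories):
    return {"zone": zone, "categories": frozenset(categories)}


def event(event_id, src, dst, user=None):
    return {"id": event_id, "src": src, "dst": dst, "user": user}


def evaluate(ev):
    """Return (use_case, priority) findings for one event; empty when compliant."""
    s, d, user = ev["src"], ev["dst"], ev.get("user")
    sc, dc = s["categories"], d["categories"]
    via_remote = s["zone"] == "Internet" or CLIENT_VPN in sc or B2B_VPN in sc
    findings = []
    # UC1: the DMZ must not initiate connections deeper into the datacentres.
    if "/Network/DMZ" in sc and d["zone"] in DATACENTRES and "/Network/DMZ" not in dc:
        findings.append(("UC1-dmz-initiated-inbound", "high"))
    # UC2: non-B2B public sources may only reach public-facing assets.
    if s["zone"] == "Internet" and B2B_VPN not in sc and "/Exposure/PublicFacing" not in dc:
        findings.append(("UC2-public-to-internal", "high"))
    # UC3: the printer VLAN never initiates traffic.
    if "/Network/Printer" in sc:
        findings.append(("UC3-printer-vlan-initiated", "medium"))
    # UC4: B2B VPN may only talk to the datacentre DMZs.
    if B2B_VPN in sc and not (d["zone"] in DATACENTRES and "/Network/DMZ" in dc):
        findings.append(("UC4-b2b-vpn-beyond-dmz", "high"))
    # UC5: client VPN reaching the management network is reported, not blocked.
    if CLIENT_VPN in sc and "/Network/Management" in dc:
        findings.append(("UC5-client-vpn-to-management", "info"))
    # UC6: default account against infrastructure from a non-management network;
    # higher priority when it arrives over public IP or a VPN.
    if (user in DEFAULT_ACCOUNTS and "/Network/Management" not in sc
            and INFRA_ROLES & dc and "/Role/Desktop" not in dc):
        findings.append(("UC6-default-account", "critical" if via_remote else "high"))
    # UC7: finance assets only for authorised personnel.
    if "/Role/Finance" in dc and user and user not in FINANCE_AUTHORISED:
        findings.append(("UC7-unauthorised-finance-access", "high"))
    return findings


SAMPLE_EVENTS = [  # constructed sample traffic, one event per scenario
    event("E1", endpoint("DataCentre 1", "/Network/DMZ", "/Role/Server"),
          endpoint("DataCentre 1", "/Role/Server")),
    event("E2", endpoint("Internet"),
          endpoint("DataCentre 1", "/Network/DMZ", "/Exposure/PublicFacing", "/Role/Server")),
    event("E3", endpoint("Internet"),
          endpoint("DataCentre 1", "/Role/Server", "/Role/Finance"), user="admin"),
    event("E4", endpoint("DataCentre 2", B2B_VPN),
          endpoint("DataCentre 2", "/Network/DMZ", "/Role/Server")),
    event("E5", endpoint("DataCentre 1", CLIENT_VPN),
          endpoint("DataCentre 1", "/Network/Management", "/Role/Server"), user="alice"),
    event("E6", endpoint("Head Office US", "/Network/Printer", "/Role/Printer"),
          endpoint("Head Office US", "/Role/Desktop")),
]


def run(events=SAMPLE_EVENTS):
    """Map event id -> list of use-case ids that fired."""
    return {ev["id"]: [uc for uc, _ in evaluate(ev)] for ev in events}


if __name__ == "__main__":
    for event_id, fired in run().items():
        print(event_id, fired or "compliant")
```

Every rule keys off zone and category URIs rather than raw addresses, which is the point of building the network model first: the same seven checks keep working when a subnet is renumbered, as long as the zones and asset ranges are updated. E3 shows how one event can stack several deviations (public source reaching an internal finance server with a default account), which is where the priority formula and the CIA categories decide what an analyst sees first.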
The text outlines a network setup for a point-of-sale (POS) web application, including various components and their IP addresses within a firewall configuration. It emphasizes the need for defining all assets and infrastructure dependencies, assigning financial IPs to each asset, and performing vulnerability scans on TCP/UDP ports from different networks such as LAN, Internet, and specific DMZs. The purpose of these scans is to identify risks associated with service vulnerabilities across various network interfaces.
This document outlines strategies for improving security measures in an organization. Specifically, it focuses on enhancing Intrusion Detection System (IDS) capabilities to better detect and respond to threats by understanding the attack sources, destination vulnerabilities, and types of TCP/UDP services such as Apache and Windows Internet Information Server (IIS).
The benefits include reducing the severity of incident alerts when there are misconfigurations in the IDS. For instance, if an attacker targets a Windows IIS server but the organization is actually running an Apache web server, or if the system falsely identifies vulnerabilities that are not present, this can lead to less critical incidents being reported by the IDS.
Another key aspect is enhancing automated asset updates for ArcSight SIEM solutions and ensuring there are no security vulnerabilities in POS applications exposed to the internet. This includes strict access controls and network configurations such as restricting all user access to point-of-sale (POS) system components, including databases and web servers, to a management network only.
The document also emphasizes defining baseline network flow characteristics for detecting anomalies and outlines how these measures align with objectives set forth in Appendix A – Case Study One, which discusses the customer's request to fully automate the data model for ArcSight SIEM solution using their CMDB and IPAM databases for asset management and service inventory.
This case study highlights a project aimed at integrating existing databases (CMDB and IPAM) with McAfee vulnerability and TCP/UDP service information for comprehensive network and asset visibility within an enterprise environment. The phased approach to the fully automated integrated data model ensures that critical infrastructure is managed effectively without sacrificing security or compliance requirements.
The solution involves identifying customers for escalation or support based on specific use cases, utilizing confidentiality, integrity, and availability values as categories. For services like financial systems, payment card systems, and human resources systems, there's a need to categorize assets using service and security classifications which are not currently present in the CMDB. Additionally, defining network zones (DMZ, VPN, desktop, wireless subnets) requires creating a specific network model with DNS names instead of IP addresses in the CMDB.
To address these gaps, HP Professional Service will perform the following integrations:
1. **CMDB Integration**: Enhance the CMDB data by adding hostname, customer names (teams), and CIA values to include IP address information for use by ArcSight. This is achieved by creating an Asset Name in ArcSight through server properties file editing.
2. **ArcSight Asset Database Creation**: Develop a specific database that combines data from the CMDB and DNS using hostnames as keys, adding IP address information from DNS and category details from IPAM (IP Address Management). This database will transform the dataset into an XML export in the ArcSight Archive bundle (ARB) format for further use.
3. **Archiving**: The ARB file is then used to store all the necessary data points required by the organization, ensuring comprehensive asset management and network configuration understanding.
This end-to-end approach aims to bridge the gaps in the customer's CMDB and provide a more robust, integrated view of their IT assets and networks, supporting better decision making and operational efficiency.
The process involves importing data into ArcSight via a grep/Perl script, which is then used to update an IPAM database manually with categorizations for each zone, detailing VPN DHCP ranges and inheritance by assets. This method keeps manual effort to a minimum while allowing the categorizations in the ArcSight asset model to be updated automatically. Additionally, vulnerability data will be imported for each asset using its IP address as the key index, which is represented in the diagram as the ArcSight Asset Database.
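The CMDB, DNS, IPAM and vulnerability join described in the case study, as an added Python illustration (not HP Professional Services' or the customer's tooling). All four data sources are constructed inline, the vulnerability identifiers are placeholders, the CIA values are encoded as assumed category URIs, and the CSV output uses an assumed column layout; the ARB export format itself is not reproduced.

```python
"""Join CMDB, DNS, IPAM and vulnerability data into ArcSight-ready asset records.

Added illustration of the integration steps described in the case study; not
HP's or the customer's tooling. All four sources are constructed inline, the
vulnerability ids are placeholders, and the CSV columns are an assumed layout.
"""
import csv
import io
import ipaddress

CMDB = [  # constructed: hostname is the join key; the CMDB holds no IP addresses
    {"hostname": "pos-web01", "team": "Retail Platforms", "C": 3, "I": 3, "A": 2},
    {"hostname": "pos-db01", "team": "Retail Platforms", "C": 3, "I": 3, "A": 3},
    {"hostname": "hr-app01", "team": "HR Systems", "C": 3, "I": 2, "A": 1},
    {"hostname": "legacy-box", "team": "Unassigned", "C": 1, "I": 1, "A": 1},
]
DNS = {  # constructed: no record for legacy-box, to show the gap report
    "pos-web01": "10.10.1.20",
    "pos-db01": "10.10.5.40",
    "hr-app01": "10.20.7.15",
}
IPAM = [  # constructed: subnet -> zone category, longest prefix wins
    ("10.10.0.0/16", "/Network/DataCentre1"),
    ("10.10.1.0/24", "/Network/DMZ"),
    ("10.20.0.0/16", "/Network/DataCentre2"),
]
VULNS = {  # constructed: keyed by IP, as a scanner export would be
    "10.10.1.20": ["VULN-PLACEHOLDER-0001", "VULN-PLACEHOLDER-0002"],
    "10.20.7.15": ["VULN-PLACEHOLDER-0003"],
}


def ipam_category(ip, ipam=IPAM):
    """Category of the most specific IPAM subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(net), cat) for net, cat in ipam
            if addr in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def build_assets(cmdb=CMDB, dns=DNS, ipam=IPAM, vulns=VULNS):
    """Return (assets, unresolved): joined records plus CMDB hosts with no DNS answer.

    Hostname joins CMDB to DNS; the resulting IP joins IPAM (zone category) and
    the vulnerability export. CIA values become assumed category URIs.
    """
    assets, unresolved = [], []
    for ci in cmdb:
        ip = dns.get(ci["hostname"])
        if ip is None:
            unresolved.append(ci["hostname"])   # needs a manual fix before import
            continue
        zone_cat = ipam_category(ip, ipam)
        cia = [f"/CIA/{k}{ci[k]}" for k in ("C", "I", "A")]
        assets.append({
            "name": ci["hostname"],
            "ip": ip,
            "customer": ci["team"],
            "categories": ([zone_cat] if zone_cat else []) + cia,
            "vulnerabilities": vulns.get(ip, []),
        })
    return assets, unresolved


def assets_to_csv(assets):
    """Flatten the joined records into CSV rows (assumed column layout)."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["name", "ip", "customer", "categories", "vulnerabilities"])
    for a in assets:
        w.writerow([a["name"], a["ip"], a["customer"],
                    "|".join(a["categories"]), "|".join(a["vulnerabilities"])])
    return out.getvalue()


if __name__ == "__main__":
    assets, unresolved = build_assets()
    print(assets_to_csv(assets))
    print("unresolved hostnames:", unresolved)
```

The unresolved list is the check worth keeping in any automated version of this pipeline: a CMDB entry with no DNS answer silently drops out of the asset model otherwise, and the six-month target of valid vulnerability data for every finance and public-facing asset cannot be met for hosts that never reached ArcSight.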