DOC-5645 - Sample POC Use Cases - Adding to the List
- Pavan Raja

- Apr 8, 2025
- 10 min read
Summary:
The text describes various features and functionalities of the ArcSight solution, an advanced network security management tool designed to address complex cyber threats and large volumes of log data. Here is a summary of key points from the provided information:
1. **Brute-Force Attack Detection**: The ArcSight solution detects brute-force attacks by mining historical log data for patterns rather than relying only on real-time thresholds; the document's example is an attacker producing 576 unsuccessful login attempts per day (two attempts every five minutes, the low-and-slow scenario of UC34). The approach scales with data volume, making it suitable for organizations facing significant security challenges.
2. **Data Handling Capabilities**: The ArcSight Logger appliance is designed to store approximately 40 TB of compressed log data per device without external storage and to keep one year's worth of logs on disk. This scalability allows the solution to manage extensive volumes of network-related data efficiently.
3. **Advanced Data Modeling and Analysis**: The ArcSight solution can model incoming event data into logical groups such as domains, networks, applications, criticality levels, and filter data based on these attributes for more effective forensic investigations.
4. **User Interface and Visualizations**: ArcSight ESM (Enterprise Security Manager) provides a user-friendly interface with real-time data monitors, active channels, multiple dashboards, and the ability to drill down into events during investigations. Custom dashboards can be created with customer branding for enhanced visualization and analysis.
5. **Threat Response Management**: ArcSight TRM adds intelligence to pinpoint network attackers and suggest quarantine methods, including automated or manual interventions. The solution generates audit events that can serve as high-quality litigation evidence.
6. **Integration of New Technology**: The text discusses how the ArcSight solution does not require modifications if a technology like a Firewall or IDS is replaced with a newer product. This ensures continuity in reporting and data analysis without major changes to existing configurations.
7. **Threat Intelligence Solution Accelerator**: This feature automatically gathers information from the Internet, such as geographic mapping, known botnet channels, and hostile networks, and uses it to identify malicious activity that might otherwise go undetected.
These features collectively highlight the versatility and robustness of the ArcSight solution in managing sophisticated cyber threats, handling large volumes of data, and providing effective security management across an organization's network infrastructure.
Details:
The document outlines a list of use case ideas for a Proof of Concept (POC) in the field of SOC (Security Operations Center), focusing on various aspects such as network security, telecommunications, and competitive advantage. It provides specific use cases to be included in the POC scoping document, including:
1. Forensic Logging of Raw Data: Collecting raw log information from multiple sources for compliance and litigation purposes.
2. Event Correlation for Incident Creation: Automatically notifying about potential threats or violations by recognizing conditions from various events.
3. Correlation Creation and Management: Automated recognition of compliance or security events, facilitating easy rule creation.
4. Creating and Maintaining Asset Inventory: Maintaining an accurate asset inventory within the SIEM solution to support analytics, reporting, and other functions.
5. Reporting Change and Vulnerability: Identifying and reporting changes in critical assets like device configurations, privileged accounts, and software versions.
6. Audit SIEM Solution: Providing evidence of secure and compliant operation of the SIEM system.
7. Forensic Investigation Tools: Demonstrating analytical tools, screens, and reports for forensic investigations.
The provided text outlines various use cases for investigators attempting to reconstruct conditions following a security breach or data disclosure. These use cases include demonstrating reports, dashboards, and alerts specific to Security Operations workflow such as case creation, resolution, alert acknowledgments, event flow health, etc. Some key examples of these use cases are:
1. Repeated Firewall Blocks: UC9 involves repeated firewall blocks targeting critical systems (500 or more drops in 5 minutes from the same source/destination IP pair). This is crucial for understanding persistent threats and unauthorized access attempts.
2. Outbound Traffic Monitoring: UC14 requires monitoring outbound traffic to specific countries, protocols, or users to identify any unusual activity that might indicate data leakage or suspicious behavior towards competitors.
3. Wireless Security Breach Detection: UC16 covers the detection of unauthorized wireless access with evidence found at multiple points including a rogue MAC address on the wireless access point and communication with financial networks having restricted IP access. This use case emphasizes disabling compromised wireless access to secure sensitive data.
4. Web Server Attacks: UC17 describes a scenario where an attacker conducts a "low and slow" scan of a web server, possibly intending to deface or disrupt the organization's website. Such a scan is itself an indicator of potential malicious activity and of reconnaissance against vulnerabilities within the system.
These use cases are designed to help investigators quickly identify anomalies and suspicious activities that might not be immediately apparent but could signal ongoing security breaches or attempts at data theft, providing actionable intelligence for immediate response and mitigation strategies.
The text outlines various use cases for telecommunications providers, highlighting how the SIEM (Security Information and Event Management) capabilities of ArcSight can be effectively utilized in different scenarios:
1. **Compliance Monitoring**: ArcSight helps telecom providers maintain compliance by providing real-time monitoring and reporting tools that allow auditors to review necessary information securely and efficiently. This is crucial for multi-regulated entities under public and governmental scrutiny, ensuring adherence to required standards.
2. **IT Operations SLA Monitoring**: Given the complexity and mission-critical nature of telecommunications infrastructure, automated SLA management through ArcSight is essential for optimizing performance and efficiency while minimizing operational costs. It involves monitoring both operational and security service level agreements (SLAs).
3. **Log Management**: Telcos must retain communication data for compliance reasons and potential legal use. ArcSight’s scalable logging capabilities support this by providing a robust foundation for managing security, IT operations, and compliance needs effectively.
4. **IP Migration and Next Generation Network Initiatives**: As telecom providers transition to IP backbones and adopt the IMS framework, incorporating advanced security monitoring in new solutions is crucial. ArcSight can be strategically deployed across all tiers of the OSS (Operations Support System) architecture to monitor operational aspects like latency, availability, and correlate these with event data. The solution also demonstrates its ability to handle complex network scenarios involving NAT (Network Address Translation) and overlapping IP address spaces.
5. **Third-Party Contractor Management**: This use case is not detailed in the provided text but typically involves managing and monitoring third-party contractors who interact with the telecom infrastructure, ensuring compliance with company policies and security protocols.
Overall, these use cases showcase how ArcSight's SIEM capabilities can be tailored to meet the specific challenges and regulatory requirements of telecommunications providers, enhancing their operational efficiency, security posture, and overall performance.
The article discusses how ArcSight technology is used by telecommunications companies (Telcos) to monitor various aspects of their operations, focusing on privileged users, call center activities, application usage, and critical systems. It highlights that these areas require close monitoring due to potential misuse, fraud, and data leakage.
ArcSight helps in monitoring third-party contractors through features like logical segregation, user monitoring, session correlation, domain fields, and the customer feature. For privileged users within the Telco environment, ArcSight enables direct connections with Identity and Access Management solutions to track user roles and activities for misuse detection. In call centers, ArcSight monitors employee and contractor interactions with sensitive data and core systems using features such as VoIP logs correlated with customer records to detect insider threats or anomalies in behavior.
For critical applications like provisioning and billing systems used by both employees and partners, ArcSight provides SmartConnectors for standard business applications and FlexConnectors for non-standard applications. This ensures that the usage patterns are monitored continuously to identify any misuse, fraud, or data leakage incidents. Finally, ArcSight also monitors core infrastructure processes crucial for Telco uptime, ensuring overall system reliability and security.
ArcSight is designed to support various security processes that help ensure continuous uptime. It can automatically generate alerts for unscheduled downtime, unauthorized changes, failed patches, and other issues. Additionally, it offers customizable Service Level Agreement (SLA) and business continuity dashboards and reports tailored to each customer's needs.
ArcSight also focuses on protecting sensitive data by integrating with most Data Loss Prevention (DLP), Digital Asset Management (DAM), and Intrusion Prevention Systems/Intrusion Detection Systems (IPS/IDS) technologies. Customers can create custom lists to monitor files or directories containing sensitive information such as customer data, product plans, financial data, employee data, strategic plans, and regulatory compliance.
The system also monitors web portals for increased online services and billing options, aiming to keep them secure from attacks and fraud. ArcSight provides automated monitoring and alerting that protect websites and portals from potential threats.
Another feature is bandwidth throttling which allows the management of event flow in geographically distributed networks using features such as compression, batching, time delay, committed bit-rate, aggregation, and filtering. This helps reduce WAN utilization during an attack scenario.
Lastly, ArcSight offers a unified search interface that combines different search methods for mixed or unknown data types, streamlining the search experience and improving the unification of all available log searches.
The article discusses how Logger Search methodologies (structured, unstructured/raw, Regex) enhance intuitive product usability by allowing the use of search operators like "AND", "OR", "NOT", "EQUAL TO", "NOT EQUAL TO", etc. This capability is demonstrated in Use Case 31 - Threat Evaluation, where ArcSight uses a threat formula to collect and analyze information about IDM user roles, critical assets, vulnerability data, zone information, attack susceptibility, and watchlists in real-time. It provides the ability to reduce false positives and monitor critical infrastructure based on the specific nature of attacks and asset vulnerabilities.
Use Case 32 - Notification and Workflow focuses on how ArcSight's Enterprise Security Manager (ESM) helps integrate security monitoring and investigations with existing workflow procedures, particularly focusing on how users are informed about incidents and their audit trail of responses. This includes escalating incidents to other team members or departments within the organization. The article also mentions that all workflow tools like annotations, cases, notifications, and escalations provide metrics for reporting purposes, allowing managers to track the progress and response times of incident security and investigation processes.
In summary, both use cases highlight ArcSight's capability to efficiently evaluate threats, manage notifications, and streamline workflow processes through advanced search methodologies and integrated tools designed to optimize real-time threat analysis and management decision-making within large organizations.
UC33 - Powerful Reporting in ArcSight ESM offers a user-friendly drag-and-drop Boolean interface for report creation without requiring SQL or scripting knowledge. Utilizing normalization and categorization, this system ensures future-proof reports regardless of changing vendors, providing comprehensive technical, operational, and trend reports that convey security status and meet regulatory reporting requirements. The framework supports business-level reporting with standard and customizable templates for compliance, risk assessment, and user profiling, presenting richly correlated information in a format that enables stakeholders to identify risks, assess the value and effectiveness of security measures, and answer key business questions efficiently without overwhelming content.
UC34 - Pattern Detection within ArcSight ESM features the Threat Detector module, which allows users to analyze data spanning weeks, months, or years to uncover relationships between events that might be missed by real-time correlation. For instance, it can detect low-and-slow attacks where an attacker uses a stealthy method such as guessing passwords with a scripted approach (attempting twice and then waiting for 5 minutes before retrying), avoiding immediate detection due to the gradual lowering of attack thresholds. This module helps in identifying sophisticated cyber threats that might otherwise evade standard detection methods.
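As an added example (not from the original document or from ArcSight), the following Python sketch shows why UC9's 500-drops-in-5-minutes rule and UC34's long-window pattern detection need different window sizes: the same sliding-window correlator catches the firewall-drop burst, misses the two-attempts-then-wait-five-minutes guesser under a typical 5-failures-in-10-minutes real-time threshold, and catches it again once the window spans a day. All event data, IP addresses, and every threshold other than UC9's are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs: (timestamp, source_ip, dest_ip, kind).
def make_events():
    base = datetime(2025, 4, 8, 9, 0, 0)
    events = []
    # UC9 scenario: 600 firewall drops from one source to a critical server in ~4 minutes
    for i in range(600):
        events.append((base + timedelta(seconds=0.4 * i), "10.1.1.50", "10.9.9.10", "drop"))
    # UC34 scenario: two failed logons, then five minutes of silence, repeated all day
    for slot in range(288):                      # 288 five-minute slots in 24 hours
        t = base + timedelta(minutes=5 * slot)
        for j in range(2):
            events.append((t + timedelta(seconds=j), "198.51.100.7", "10.9.9.20", "auth_fail"))
    return sorted(events)

def sliding_window_alerts(events, kind, window, threshold):
    """Fire once per (src, dst) pair when `threshold` events of `kind` fall
    inside a half-open span of length `window`. This is the shape of a
    real-time correlation rule: only one window of state is kept per pair."""
    recent = defaultdict(deque)
    alerted = set()
    for ts, src, dst, k in events:
        if k != kind:
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] >= window:               # evict timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            alerted.add((src, dst))
    return alerted

def total_per_pair(events, kind):
    """Whole-history count per (src, dst) pair: the long-baseline view that
    pattern detection over days or weeks needs."""
    totals = defaultdict(int)
    for _, src, dst, k in events:
        if k == kind:
            totals[(src, dst)] += 1
    return dict(totals)

def run_rules():
    ev = make_events()
    return {
        # UC9: 500 or more drops in 5 minutes from the same source/destination pair
        "uc9_firewall": sliding_window_alerts(ev, "drop", timedelta(minutes=5), 500),
        # Typical real-time logon rule (constructed): 5 failures in 10 minutes; never trips
        "realtime_auth": sliding_window_alerts(ev, "auth_fail", timedelta(minutes=10), 5),
        # Long-window rule (constructed): 100 failures in 24 hours catches the same attacker
        "daily_auth": sliding_window_alerts(ev, "auth_fail", timedelta(hours=24), 100),
        "auth_totals": total_per_pair(ev, "auth_fail"),
    }

if __name__ == "__main__":
    for name, result in run_rules().items():
        print(name, result)
```

The guesser peaks at four failures inside any ten-minute span, so the real-time rule stays silent while the daily total reaches 576.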
This text discusses various capabilities of the ArcSight solution, specifically its capacity for handling large volumes of data related to network security incidents and user authentication attempts (the example given is 576 unsuccessful login attempts per day). The solution is designed to detect brute-force attacks by analyzing historical data patterns using a routine that mines through log data. It can be used in conjunction with the ArcSight Logger appliance, which demonstrates its ability to store at least 40 TB of compressed log data on one device without external storage and maintain a year's worth of logs locally on disk.
Additionally, the solution is capable of modeling incoming event data into logical groups such as domains, networks, applications, criticality levels, and it can filter and logically segregate data based on these attributes. This feature allows for better organization and analysis of network information related to specific assets and zones, enabling more effective forensic investigations.
The ArcSight Logger appliance has the ability to store over 42 TB of event data in a digitally-signed, indexed format, which supports rapid search capabilities and advanced pattern recognition suitable for complex forensic investigations. The solution is designed with a user-friendly interface that allows investigators to perform searches using simple commands or combinations of advanced operators, providing results within minutes rather than days.
In summary, the ArcSight solution is equipped with features that enable it to effectively address challenges related to network security incidents, including brute-force attacks and large volumes of log data. Its ability to model data, support forensic investigations, and provide efficient search capabilities make it an ideal choice for organizations looking to enhance their cybersecurity measures.
ArcSight ESM (Enterprise Security Manager) is a Java-based application running in its own virtual machine. It offers stunning visuals through real-time data monitors, active channels, multiple dashboards, and the ability to drill down into events during investigations. Users can create unlimited custom dashboards with customer branding, utilizing tools like event graphs and Custom Image Maps for enhanced visualization and analysis.
ArcSight ESM and ArcSight TRM (Threat Response Management) provide a secure and auditable response engine that quarantines attackers at various layers of the OSI model. TRM adds intelligence to pinpoint network attackers and suggest quarantine methods, with options for automated or manual interventions. This process generates audit events in ESM which can be reported as high-quality litigation evidence.
ArcSight's ability to drill down on dashboards to underlying events, create custom dashboards, and utilize other tools like event graphs and Custom Image Maps is highlighted. The solution also demonstrates how ArcSight ESM rule actions provide various response actions through alerts, case creation, script execution, and integration with third-party tools.
Lastly, the solution emphasizes the importance of not needing modifications if a technology, such as Firewall or IDS, is replaced with a newer product. This ensures that reports continue to run effectively without requiring any changes.
This text discusses the integration of new technology into reports and the categorization schema used by ArcSight to ensure future-proofing and content reusability. The authors highlight how ArcSight developers map proprietary vendor event IDs to their own categorization system, allowing all content including 360+ reports to leverage this categorization for future applications. The text also mentions that if a customer switches from Juniper to Cisco firewalls, the report will continue to function because it looks for Category Device=/Firewall. This demonstrates how categorization and content reusability can provide a powerful solution in situations like switching vendors without needing major changes.
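An added illustration (not ArcSight's own code or taxonomy) of the categorization idea: the report is written against category fields, so the same function produces results before and after a Juniper-to-Cisco migration, as long as the new vendor's event IDs are mapped. The mapping table and events are constructed; the check for unmapped IDs is the caveat a practitioner would want during such a migration.

```python
# Illustrative vendor-to-category mapping, constructed for this example; the real
# ArcSight taxonomy is far larger and is maintained inside the SmartConnectors.
CATEGORY_MAP = {
    ("Juniper", "SRX", "RT_FLOW_SESSION_DENY"):   {"categoryDeviceGroup": "/Firewall", "categoryOutcome": "/Failure"},
    ("Juniper", "SRX", "RT_FLOW_SESSION_CREATE"): {"categoryDeviceGroup": "/Firewall", "categoryOutcome": "/Success"},
    ("Cisco", "ASA", "106023"):                   {"categoryDeviceGroup": "/Firewall", "categoryOutcome": "/Failure"},
    ("Cisco", "ASA", "302013"):                   {"categoryDeviceGroup": "/Firewall", "categoryOutcome": "/Success"},
}
UNMAPPED = {"categoryDeviceGroup": None, "categoryOutcome": None}

def normalize(raw):
    """Attach category fields to a raw event dict; unknown vendor IDs stay uncategorized."""
    key = (raw["vendor"], raw["product"], raw["vendor_event_id"])
    return {**raw, **CATEGORY_MAP.get(key, UNMAPPED)}

def denied_by_source(events):
    """A UC33-style report: denied firewall connections per source. It refers to
    category fields only, so no vendor name appears in the report logic."""
    counts = {}
    for e in map(normalize, events):
        if e["categoryDeviceGroup"] == "/Firewall" and e["categoryOutcome"] == "/Failure":
            counts[e["src"]] = counts.get(e["src"], 0) + 1
    return counts

def uncategorized(events):
    """IDs with no mapping silently vanish from category-based reports, so list
    them instead of assuming the vendor switch left every report intact."""
    return sorted({(e["vendor"], e["product"], e["vendor_event_id"])
                   for e in events if normalize(e)["categoryDeviceGroup"] is None})

# Constructed sample events: week 1 on Juniper, week 2 after migrating to Cisco
WEEK1 = [
    {"vendor": "Juniper", "product": "SRX", "vendor_event_id": "RT_FLOW_SESSION_DENY", "src": "203.0.113.5"},
    {"vendor": "Juniper", "product": "SRX", "vendor_event_id": "RT_FLOW_SESSION_DENY", "src": "203.0.113.5"},
    {"vendor": "Juniper", "product": "SRX", "vendor_event_id": "RT_FLOW_SESSION_CREATE", "src": "10.0.0.8"},
]
WEEK2 = [
    {"vendor": "Cisco", "product": "ASA", "vendor_event_id": "106023", "src": "203.0.113.5"},
    {"vendor": "Cisco", "product": "ASA", "vendor_event_id": "302013", "src": "10.0.0.8"},
    {"vendor": "Cisco", "product": "ASA", "vendor_event_id": "ASA-UNMAPPED-ID", "src": "203.0.113.9"},  # placeholder ID
]

if __name__ == "__main__":
    print(denied_by_source(WEEK1), denied_by_source(WEEK2), uncategorized(WEEK2))
```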
The second part of this summary discusses the use of ArcSight's Threat Intelligence Solution Accelerator for incorporating threat intelligence feeds. The accelerator automatically gathers information from the Internet, such as geographic mapping, known botnet channels, hostile networks, and uses it to identify systems attempting to access malicious domains or IP addresses on a network. This approach helps security experts (SEs) detect potential malware, advanced persistent threats, botnets, and other malicious activities that might otherwise go undetected. The effectiveness of this method has been highlighted during Proof of Concept (POC) engagements, allowing for the identification of some previously unnoticed malicious activity.