Efficient Cross-Device Content Management with Event Categorization
- Pavan Raja

- Apr 8, 2025
- 4 min read
Summary:
This document focuses on enhancing efficiency in cross-device content utilization within HP ArcSight using event categorization. By mapping individual events into standardized categories, the benefits include vendor independence, reduced analyst expertise requirements, and improved rule coverage with less content creation. The authors describe a categorization schema comprising seven main categories (Object, Behavior, Outcome, Actor, Environment, Reason, and Context). They provide examples of how these categories are applied, such as the detection of a "Teardrop Attack", which falls under Object Behavior: DoS, Technique: Teardrop Attack, Device Group & Type: Network, and Significance: Attempt. The categorization aids in understanding and addressing security events effectively. Additionally, the document discusses practical use cases, including tracking IP addresses through multi-staged firewall environments and detecting failed logins across multiple operating systems using HP ArcSight's ESM capabilities. Lastly, it closes with a disclaimer that the content may be updated or modified at any time without prior notice.
Details:
This document discusses creating efficient cross-device content utilization in HP ArcSight using events, with a focus on categorization. The authors, Till Jaeger and Alexei Suvorov from HP ArcSight, provide insights into the benefits of categorization, explain how it works through examples, discuss use cases, and conclude with an overview of the categorization schema.
The introduction outlines the ArcSight ESM Console view, where connectors assign categories to events, which are then normalized and categorized by a Device ESM Manager. The authors define categorization as the process of mapping individual events into a standard set of categories to address inconsistencies in naming across different devices and applications. Benefits of using categorization include vendor independence (no need for new content per vendor), relief for analysts (no need for expert knowledge of every device type), and more effective reuse of existing content, which makes ESM rules more powerful by covering more events with fewer rules.
The ArcSight categorization schema consists of seven main categories: Object, Behavior, Outcome, Actor, Environment, Reason, and Context. These categories help to standardize the categorization process across various devices and applications.
The categorization example provided describes an incident involving a "Teardrop Attack" detected by the Security Information and Event Management (SIEM) system, which is part of the intrusion detection system (IDS). Here is a summary based on the information given:
1. **Technique**: This refers to the method or technique used in the attack. In this case, it is a "Teardrop Attack" which involves sending specially crafted packets to vulnerable systems with the intention of causing them to crash or reset, often leading to denial of service (DoS).
2. **Security Domain**: The security domain in this context pertains to the network infrastructure being monitored by the SIEM system. It is related to the "Network" as specified under DeviceGroup and DeviceType.
3. **Device Group & Type**: These terms indicate that the event was detected through a network-based device, likely an IPS (Intrusion Prevention System) or a similar tool designed to monitor network traffic for signs of malicious activity. The specific vendor is not mentioned, but the environment involves multiple perimeter firewalls.
4. **Significance**: The impact on the object from the device's perspective is described as "Denial of Service", meaning the attack aims to disrupt the normal functioning of the system by overwhelming it with traffic or exploiting vulnerabilities, so that the service becomes unavailable or slowed down for legitimate users.
The categorization tuple provides a structured way to describe and classify security events based on their nature and impact:
- **Object Behavior**: "DoS" indicates the type of attack, which directly impacts the behavior of the network system by attempting to overwhelm it, thus compromising its functionality.
- **Technique**: "Teardrop Attack" is specified as the method used in this case.
- **Device Group & Type**: The event involves a network device (Network) where an IDS might be monitoring traffic for suspicious activities.
- **Outcome**: This describes what happened as an attempt to compromise the system, which aligns with the "Attempt" category under Significance.
This categorization helps in understanding the nature of the attack and the response needed to mitigate it effectively.
These paragraphs discuss two use cases: tracking certain IP addresses across multiple firewalls in a multi-staged firewall environment, and detecting failed logins across multiple operating systems using Enhanced Security Manager (ESM) filters. Here is a summary of each use case:
1. **Tracking a Certain IP Across Multiple Firewalls in a Multi-Staged Firewall Environment:**
   - The goal is to track an attacker's IP address, 209.128.98.73, as it moves across several networks and potentially through multiple firewalls located in different geographical locations.
   - The firewalls are from two different vendors.
   - A rule is used that applies Device Category fields, which are independent of the Vendors and Products, indicating a method to handle devices regardless of their specific vendor or product type.
   - This scenario involves multiple matches from different firewalls, all related to the same attacker but targeting distinct networks. The rule aggregates these entries to track the IP across the various networks.
2. **Detect Failed Logins Across Multiple Operating Systems:**
   - The goal is to detect failed login attempts on systems running various operating systems, such as Windows, Linux, etc., by using a cross-OS report result in ESM filters.
   - This involves setting up a filter condition where multiple operating systems are involved in the reported outcome of failed logins.
In summary, these use cases demonstrate how ESM can be used to track specific IP addresses across varied firewalls and platforms (operating systems), highlighting its ability to aggregate information from different sources and devices for comprehensive threat detection and management.
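The two use cases above both rest on the same idea: content written against category fields keeps working when a new vendor or OS is added, because only the connector mapping changes. The following is an added example, not code from the presentation or from ArcSight, that models that idea in Python: a connector-style map turns constructed raw events from two firewall vendors and two operating systems into category fields, and two rules then match on those fields only. Field names and slash-separated category values are assumptions for illustration, not ArcSight's actual schema.

```python
"""Added example: vendor-independent rules that match on category fields."""
from collections import defaultdict

# Constructed raw events: two firewall vendors denying the same source
# against different networks, plus one Windows and one Linux failed login.
RAW_EVENTS = [
    {"vendor": "VendorA", "product": "FW-1000", "msg": "drop",
     "src": "209.128.98.73", "dst_net": "10.1.0.0/16"},
    {"vendor": "VendorB", "product": "EdgeFW", "msg": "DENY",
     "src": "209.128.98.73", "dst_net": "10.2.0.0/16"},
    {"vendor": "VendorB", "product": "EdgeFW", "msg": "DENY",
     "src": "209.128.98.73", "dst_net": "10.2.0.0/16"},  # duplicate match
    {"vendor": "Microsoft", "product": "Windows", "msg": "4625", "user": "bob"},
    {"vendor": "Unix", "product": "Linux", "msg": "Failed password", "user": "bob"},
]

# Connector-side mapping (assumed values): (vendor, raw message) -> categories.
# This is the only place that knows about vendors; the rules below do not.
CATEGORY_MAP = {
    ("VendorA", "drop"): ("/Firewall", "/Access", "/Failure"),
    ("VendorB", "DENY"): ("/Firewall", "/Access", "/Failure"),
    ("Microsoft", "4625"): ("/Operating System", "/Authentication/Verify", "/Failure"),
    ("Unix", "Failed password"): ("/Operating System", "/Authentication/Verify", "/Failure"),
}

def categorize(event):
    """Attach device_group/behavior/outcome; unmapped events are flagged, not dropped."""
    cats = CATEGORY_MAP.get((event["vendor"], event["msg"]))
    if cats is None:
        return {**event, "device_group": "/Uncategorized", "behavior": None, "outcome": None}
    group, behavior, outcome = cats
    return {**event, "device_group": group, "behavior": behavior, "outcome": outcome}

def track_ip_across_firewalls(events, ip):
    """Use case 1: distinct target networks where any firewall device denied `ip`."""
    return sorted({e["dst_net"] for e in events
                   if e["device_group"] == "/Firewall"
                   and e["outcome"] == "/Failure" and e.get("src") == ip})

def failed_logins_by_user(events):
    """Use case 2: failed authentications per user, regardless of operating system."""
    counts = defaultdict(int)
    for e in events:
        if (e["device_group"] == "/Operating System"
                and e["behavior"] == "/Authentication/Verify"
                and e["outcome"] == "/Failure"):
            counts[e["user"]] += 1
    return dict(counts)

CATEGORIZED = [categorize(e) for e in RAW_EVENTS]
```

Events whose (vendor, message) pair is missing from the map land in "/Uncategorized", which is the gap an analyst should review when onboarding a new device type rather than a reason to widen the rules with vendor-specific conditions.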
The closing statement notes that the content provided may be updated or modified at any time without prior notification. It serves as a disclaimer from Hewlett-Packard (HP), indicating that the data and materials presented are not fixed and can be altered according to future developments, market conditions, or other relevant factors. The copyright notice is dated 2013, further emphasizing that this information may no longer be current by the time it is accessed in subsequent years.