HP ArcSight Data Visualization for COP Solutions
- Pavan Raja
- Apr 8, 2025
Summary:
This document outlines HP Enterprise Security's ArcSight Data Visualization for COP Solutions, designed to integrate cyber information into a Common Operating Picture (COP), enhancing situational awareness and mission readiness by providing real-time data on force positions, statuses, infrastructure, etc., critical in military operations. The system uses ArcSight Events and HP Platform Injection to visualize the cyber situation, tailored to user roles, offering high-level summaries or detailed information based on role needs. Two scenarios are demonstrated: one involving a beaconing host event that triggers threat reflection and another focusing on data loss prevention through suspicious email content identification. These scenarios highlight bi-directional integration between ArcSight ESM and Edge AppBoard, allowing for automated monitoring and management of threats, facilitating informed decision-making in dynamic cyber security environments.
Details:
HP Enterprise Security's ArcSight Data Visualization for COP Solutions aims to incorporate cyber information into a Common Operating Picture (COP), which is a single display of relevant operational information shared among multiple command echelons. This setup facilitates collaborative planning and enhances situational awareness by providing decision makers with real-time data on force positions, statuses, infrastructure, and more.
The primary reason to integrate cyber elements into the COP is to ensure mission readiness that relies heavily on cyber assets for critical functions such as command, control, communications, intelligence, surveillance, target acquisition, and reconnaissance. The increasing threat of cyber attacks poses risks like the destruction or degradation of mission-critical cyber assets and compromise of sensitive information.
Expanding data feeds through various sources such as net ops (network/systems/application availability, performance, status), critical infrastructure (power, water), weather conditions, emergency notifications, and satellite coverage improves cyber situational awareness.
ArcSight / AppBoard: Cyber COP leverages ArcSight Events and HP Platform Injection to provide a visual representation of the cyber situation. This system allows for tailored views based on user roles (analyst/operator, managers/officers, executives) and provides high-level summaries or detailed information as needed by each role.
A demonstration using ArcSight / Edge COP showed how data flows from ArcSight ESM through CSV Forwarder and API Query to the Edge AppBoard, enabling a Navy Commander to monitor mission assets effectively. This solution simplifies monitoring of multiple assets across different tools into one unified view, allowing for automated registration of event consequences against mission objectives.
The deck then walks through two scenarios demonstrating the integration between ESM (Enterprise Security Manager) and Edge AppBoard for monitoring and threat management in a cyber environment:
1. **Scenario 1 - Beaconing Host**: The mission involves monitoring assets participating in an upcoming operation using a tailored Cyber COP dashboard. A beaconing event to a known malicious IP address from a ship is detected, triggering the system to reflect this threat and its impact on the mission through AppBoard. Threat identification and resolution are managed via ArcSight, with status updates reflected in AppBoard. The commander decides to continue with the operation.
2. **Scenario 2 - Data Loss Protection**: Similar to Scenario 1, it involves monitoring assets during an upcoming operation but detects a potential loss of sensitive data through suspicious email content identified by Autonomy / IDOL. This leads to immediate incident response (IR) initiated via ArcSight and reflected in AppBoard. The commander decides to cancel the mission due to the high level of risk indicated by the threat.
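Scenario 1 hinges on two steps the deck only describes: a detection rule that recognises a host beaconing to a known malicious IP, and a projection of that verdict onto the mission asset shown in the COP. The following is an added example written for this page, not code from HP ArcSight or AppBoard. It parses constructed events in CEF (the log format ArcSight connectors emit), groups outbound connections to addresses on a hypothetical threat-intel list, calls a flow "beaconing" when its inter-arrival times are regular, and maps the verdict onto a hypothetical asset registry in the shape a COP dashboard would consume. Host names, IP addresses, the intel list and the thresholds are all assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed threat-intel feed: stands in for the "known malicious IP" of Scenario 1.
KNOWN_MALICIOUS_IPS = {"203.0.113.77"}

# Constructed asset-to-mission registry (hypothetical ship hosts and mission name).
ASSET_REGISTRY = {
    "10.1.5.20": {"asset": "ship-alpha-fw", "mission": "Operation Example"},
    "10.1.7.30": {"asset": "ship-bravo-mail", "mission": "Operation Example"},
}

# Beaconing outranks a one-off contact when both verdicts land on the same asset.
STATUS_RANK = {"INVESTIGATE": 1, "COMPROMISE_SUSPECTED": 2}

BASE_MS = 1712563200000  # arbitrary epoch-millisecond start for the sample data


def _cef(rt_ms, src, dst):
    """Build one constructed CEF line: header fields separated by '|', then key=value extensions."""
    return (f"CEF:0|ArcSight|ArcSight|7.0|100|Outbound connection|3|"
            f"rt={rt_ms} src={src} dst={dst} dpt=443 proto=TCP")


# Constructed sample events: ship-alpha beacons every 60 s to the bad IP, ship-bravo
# touches it three times irregularly, and ship-alpha also talks to a benign address.
SAMPLE_EVENTS = (
    [_cef(BASE_MS + i * 60_000, "10.1.5.20", "203.0.113.77") for i in range(5)]
    + [_cef(BASE_MS + 5_000, "10.1.7.30", "203.0.113.77"),
       _cef(BASE_MS + 10_000, "10.1.7.30", "203.0.113.77"),
       _cef(BASE_MS + 410_000, "10.1.7.30", "203.0.113.77")]
    + [_cef(BASE_MS + i * 7_000, "10.1.5.20", "198.51.100.10") for i in range(4)]
)


def parse_cef(line):
    """Split a CEF line into its seven header fields plus a dict of extension keys.

    Pipes inside header fields are escaped as '\\|' in CEF, so split on unescaped pipes
    only. Extension values here are space-free; a production parser must also handle
    escaped spaces ('\\ ') and '=' inside values.
    """
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF event: {line!r}")
    ext = dict(re.findall(r"(\w+)=(\S+)", parts[7]))
    return {
        "vendor": parts[1], "product": parts[2], "signature_id": parts[4],
        "name": parts[5], "severity": int(parts[6]),
        "rt_ms": int(ext["rt"]), "src": ext["src"], "dst": ext["dst"],
    }


def detect_beaconing(events, min_hits=4, max_cv=0.2):
    """Return {(src, dst): verdict} for every flow whose destination is on the intel list.

    A flow is 'BEACONING' when it has at least min_hits connections and the coefficient
    of variation of the gaps between them is at most max_cv (i.e. the timing is regular);
    any other contact with a listed address is 'CONTACT'. Thresholds are assumptions.
    """
    by_flow = defaultdict(list)
    for ev in events:
        if ev["dst"] in KNOWN_MALICIOUS_IPS:
            by_flow[(ev["src"], ev["dst"])].append(ev["rt_ms"])
    verdicts = {}
    for flow, times in by_flow.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        periodic = False
        if len(times) >= min_hits:
            mean = statistics.mean(gaps)
            periodic = mean > 0 and statistics.pstdev(gaps) / mean <= max_cv
        verdicts[flow] = "BEACONING" if periodic else "CONTACT"
    return verdicts


def cop_status(verdicts):
    """Project flow verdicts onto the mission assets a COP dashboard would display."""
    status = {}
    for (src, dst), verdict in verdicts.items():
        entry = ASSET_REGISTRY.get(src, {"asset": src, "mission": "unregistered"})
        level = "COMPROMISE_SUSPECTED" if verdict == "BEACONING" else "INVESTIGATE"
        current = status.get(entry["asset"])
        if current is None or STATUS_RANK[level] > STATUS_RANK[current["status"]]:
            status[entry["asset"]] = {"mission": entry["mission"],
                                      "status": level, "indicator": dst}
    return status


def run(lines=SAMPLE_EVENTS):
    """Full pipeline: CEF lines -> beaconing verdicts -> per-asset COP status."""
    return cop_status(detect_beaconing([parse_cef(line) for line in lines]))


if __name__ == "__main__":
    for asset, info in run().items():
        print(f"{asset:16} {info['mission']:18} {info['status']:20} via {info['indicator']}")
```

Running it marks ship-alpha-fw as COMPROMISE_SUSPECTED (regular 60-second contacts with the listed address) and ship-bravo-mail as INVESTIGATE (contact, but too few and too irregular to call beaconing), while the benign flow never appears. The per-asset dict is the shape a COP feed needs: the commander's view in the deck is a mission-level roll-up of exactly this kind of asset status.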
The demonstration highlights bi-directional integration between ESM and Edge AppBoard, allowing for easy customization to manage missions effectively alongside various event sources. It summarizes how real-time information is presented across a single platform, facilitating informed decision-making in dynamic cyber security environments.
The remainder of the document is a series of demonstration slides, all copyrighted by Hewlett-Packard Development Company, L.P., with the information subject to change without prior notice. The slides fall into these groups:
1. Scenario 2-5: Beaconing Host - The slides for Scenario 1, in which a host on a ship beacons to a known malicious IP address and the resulting threat and mission impact are surfaced in the Cyber COP.
2. Scenario 2-6: Data Loss Protection - The slides for Scenario 2, in which suspicious email content identified by Autonomy / IDOL indicates a potential loss of sensitive data and incident response is initiated through ArcSight.
3. Sample COP Views - Example Common Operating Picture views built in ArcSight / AppBoard, showing how cyber asset status is presented to the different user roles.
4. Supporting Slides - Additional detail on the products and features mentioned that supports the main points of the presentation without being central to the scenarios.
5. Sample ArcSight / AppBoard Cyber COPs - Screenshots of the ArcSight / AppBoard Cyber COP dashboards from the product's perspective.
Each demonstration is numbered sequentially, and each slide carries the Hewlett-Packard Development Company, L.P. copyright notice stating that its content is subject to change without prior notice.