
HP ArcSight Express and NetFlow

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

The HP Enterprise Security Business whitepaper argues for integrating SIEM (Security Information and Event Management) with NetFlow to improve situational awareness across network and security operations. It presents ArcSight as a product that combines real-time correlation with NetFlow collection, normalization, and categorization. By correlating NetFlow data with security events, administrators can reduce both false positives and false negatives, see more of what is actually happening on the network, and respond to incidents faster. The paper's central point is that network monitoring and security information have to be combined for effective threat detection in IT environments that are exposed to the internet.

Details:

The whitepaper opens with a scenario: a network administrator notices an unusual spike in traffic from the internal network to several international domains, and the spike turns out to be the first visible sign of a new botnet that has compromised machines inside the organization. Historically, NetFlow analysis (a network operations task) and SIEM (a security operations task) have been separate responsibilities. As organizations depend more on internet-exposed IT systems for day-to-day business, they need both the network view and the security view to recognize and counter malicious activity.

ArcSight is introduced as a product that combines real-time, multi-vector correlation with NetFlow collection, normalization, and categorization. NetFlow can be collected directly from network devices or through integration with third-party flow collectors. The ArcSight Express correlation engine then correlates the flow data with real-time security, server, and user information to produce a prioritized incident list. According to the paper, this correlation significantly reduces both false positives and false negatives and improves situational awareness across the organization.

The claimed benefits of joining network data with security events are a more complete picture of application activity, user behavior, and business transactions; shorter incident response times; better prioritization of work; faster resolution of performance and security problems; and simpler demonstration of compliance to auditors. The paper concludes that combining network monitoring with security information is essential for effective threat detection and situational awareness in modern IT environments.
A NetFlow record, exported by a router or switch, summarizes one unidirectional flow: the packets that share a source and destination address, source and destination port, and protocol, together with byte and packet counts and timing. A single application session is therefore usually represented by at least two records, one per direction. The paper describes three ways to use these records together with SIEM data so that administrators understand traffic and bandwidth usage. First, combining SIEM log events with NetFlow data adds context and detail to each event, which lets administrators prioritize the issues that matter. Second, correlating interesting or suspicious traffic with security information exposes false positives, for example an internal user's ordinary web activity that, seen as flow data alone, looks like a threat. Third, tying in security information builds a comprehensive picture of network security from both sources; this is what makes advanced persistent threats (APTs) detectable, since they only become visible when several kinds of indicators are observed together over time.

Relying on NetFlow alone has two limitations. Flows seen by different devices that belong to the same activity are difficult to correlate, and individual flows are difficult to tie back to a session, a user, or an application. A SIEM fills those gaps: it can evaluate whether a traffic spike reflects malicious intent, identify the user activity involved, and, by correlating security events with the traffic data, determine whether an incident is actually malicious.

ArcSight Express is presented as the product that does this. It collects and correlates NetFlow and security information in one place, so sessions are reconstructed and tracked automatically rather than pieced together by hand. Data collection relies on ArcSight Connectors, which gather events from many device types without deploying agents across the enterprise, while preserving the integrity of the collected data.
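The following Python script is an added example, not code from the post or from the whitepaper, and it does not use ArcSight's real data model, connectors, or APIs. It shows the three techniques above in miniature on constructed data: it aggregates NetFlow-style records into per-host outbound volume (technique 1), flags hosts whose volume spikes against a baseline, scores how periodic each host's outbound connections are (the session-level signal the flows alone can give), and then consults SIEM-style events for the same host and time window to decide whether a spike is explained by a user's proxied web activity or should be escalated (techniques 2 and 3). The address ranges, flow records, events, baseline figures, and field names are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address space; a real SIEM takes this from its asset model.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record (only the fields this example uses are kept)."""
    start: datetime
    src: str
    dst: str
    dport: int
    nbytes: int

@dataclass(frozen=True)
class Event:
    """One normalized SIEM event about an internal host (simplified CEF-like fields)."""
    ts: datetime
    host: str
    category: str   # e.g. "auth/logon", "proxy/allowed", "av/malware"
    user: str       # "" when no user is tied to the event

def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def external_bytes_by_host(flows):
    """Technique 1: aggregate raw flows into per-host outbound volume."""
    totals = {}
    for f in flows:
        if not is_external(f.src) and is_external(f.dst):
            totals[f.src] = totals.get(f.src, 0) + f.nbytes
    return totals

def detect_spikes(flows, baseline, factor=5.0):
    """Hosts whose outbound volume exceeds `factor` times their historical baseline."""
    return {h: b for h, b in external_bytes_by_host(flows).items()
            if b > factor * baseline.get(h, 1)}

def beaconing_score(flows, host):
    """Regularity of a host's outbound connections: 1.0 = perfectly periodic (automated check-ins)."""
    starts = sorted(f.start for f in flows if f.src == host and is_external(f.dst))
    if len(starts) < 4:
        return 0.0
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    m = mean(gaps)
    return 0.0 if m == 0 else max(0.0, 1.0 - pstdev(gaps) / m)

def correlate(flows, events, baseline, window=timedelta(minutes=10)):
    """Techniques 2 and 3: turn each spike into a prioritized finding by checking
    the SIEM events recorded for the same host around the same time."""
    findings = []
    for host, nbytes in detect_spikes(flows, baseline).items():
        times = [f.start for f in flows if f.src == host]
        lo, hi = min(times) - window, max(times) + window
        ctx = [e for e in events if e.host == host and lo <= e.ts <= hi]
        users = sorted({e.user for e in ctx if e.user})
        proxied = any(e.category == "proxy/allowed" for e in ctx)
        malware = any(e.category.startswith("av/") for e in ctx)
        beacon = beaconing_score(flows, host)
        if malware or beacon > 0.8:
            prio, why = "high", "malware alert or periodic outbound connections"
        elif users and proxied:
            prio, why = "low", "explained by proxied web activity of " + ", ".join(users)
        else:
            prio, why = "medium", "unexplained spike; no matching SIEM context"
        findings.append({"host": host, "bytes": nbytes, "beacon": round(beacon, 2),
                         "priority": prio, "reason": why})
    return sorted(findings, key=lambda x: ["high", "medium", "low"].index(x["priority"]))

T0 = datetime(2025, 4, 8, 9, 0, 0)

# Constructed flows: alice's workstation pulls a large download in bursts; 10.0.2.9 opens a small HTTPS connection every 60 s.
SAMPLE_FLOWS = [
    Flow(T0 + timedelta(seconds=s), "10.0.1.5", "203.0.113.10", 443, 4_000_000)
    for s in (0, 5, 40, 42, 120, 125)
] + [
    Flow(T0 + timedelta(seconds=60 * i), "10.0.2.9", f"198.51.100.{20 + i % 3}", 443, 900)
    for i in range(8)
]

# Constructed SIEM events: the proxy saw alice's download; nothing in the window explains 10.0.2.9.
SAMPLE_EVENTS = [
    Event(T0 - timedelta(minutes=30), "10.0.1.5", "auth/logon", "alice"),
    Event(T0 + timedelta(seconds=1), "10.0.1.5", "proxy/allowed", "alice"),
    Event(T0 + timedelta(seconds=41), "10.0.1.5", "proxy/allowed", "alice"),
    Event(T0 - timedelta(hours=2), "10.0.2.9", "auth/logon", "svc-backup"),
]

# Constructed baseline: bytes per hour each host normally sends to the internet.
BASELINE = {"10.0.1.5": 2_000_000, "10.0.2.9": 500}

if __name__ == "__main__":
    for finding in correlate(SAMPLE_FLOWS, SAMPLE_EVENTS, BASELINE):
        print(finding)
```

Run as a script, it prints two findings: 10.0.2.9 comes out high (perfectly periodic connections, no user or proxy context in the window) and alice's workstation comes out low, because the same spike is explained by proxy events tied to her account. The thresholds (factor of 5, beacon score above 0.8, ten-minute window) are arbitrary choices for the example; in practice they are tuned per environment and the baseline comes from stored history rather than a literal dictionary.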
The paper describes the design as "future-proof", meaning it is meant to keep working as network technologies change. ArcSight Express is positioned as a SIEM that provides efficient storage, compliance visibility, enterprise-wide event correlation, vulnerability correlation, and regulation-specific content. It includes ArcSight Logger, a log management component for long-term retention with fast search. NetFlow monitoring feeds both short-term and longer-term behavioral analysis of the network, which is intended to help anticipate attacks, and pre-built compliance packages cover specific regulations and frameworks (SOX, HIPAA, PCI, NIST, FISMA). Rules-based response lets an organization act on an incident more quickly and limit its impact: a mitigation plan is assembled from pre-approved responses, executed, and documented in detail.

The paper states that ArcSight has been collecting and analyzing network data for security monitoring since 2005. Integrating NetFlow into the SIEM gives analysts the full context of a suspected threat, which cuts the time spent investigating false positives and improves overall security posture. ArcSight Express centralizes security monitoring: it collects, stores, analyzes, reports on, and responds to activity across the enterprise using data from both network and security systems.

The paper's closing argument is economic. Centralized monitoring and automated compliance reporting reduce the manual effort of running network and security operations, shorten resolution times, and let organizations meet audit requirements faster and more cheaply than before, which positions them well for future audits and IT mandates.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.

© 2021. All rights reserved.
