IdentityView and FairWarning ESM Demo Script
- Pavan Raja

- Apr 8, 2025
- 8 min read
Summary:
Below is a summary of the document's content regarding the use of ArcSight solutions for monitoring and alerting within an organization, specifically focused on healthcare settings where privacy and security are paramount. The document outlines key processes and features that enhance real-time monitoring and interactive dashboards to detect unauthorized access and suspicious activities:
**1. Real-Time Monitoring:** - An ArcSight Connector receives FairWarning's clinical-application events in the ArcSight Common Event Format (CEF); ESM rules then evaluate those events and raise alerts on suspicious activity, such as an attempt to access a VIP patient's medical record.
**2. Interactivity and Drill Down Features:** - The dashboard enables users to interact with real-time data, including historical event details from David Landers across multiple clinical applications monitored by FairWarning and ArcSight. This interactivity allows for deeper analysis of specific events, such as the unauthorized access mentioned above.
**3. Custom Field Sets:** - Specific healthcare-related field names are used to enhance understanding of detected events, particularly in terms of accessing sensitive patient records (like Patient Name and Patient ID).
**4. Integration with Identity Management:** - ArcSight IdentityView is fed from the organization's identity management system, so its session lists and active lists are updated when identity data changes. This keeps the accounts an individual holds in different systems tied to one identity, which is what makes identity-level compliance and security checks possible.
**5. Reporting Capabilities:** - The solution provides detailed reports on all activities related to specific users or roles (e.g., David Landers) across various clinical applications. These reports are crucial for understanding the scope and impact of user actions within the organization's healthcare IT environment.
**6. Dashboards and Role Management:** - Using ArcSight IdentityView, users can monitor role violations where certain roles have access to unauthorized systems or applications. The dashboards offer a quick way to identify such issues and generate reports detailing all user activity for specific roles, including accessed systems and applications.
**7. Privacy and Security Implications:** - In healthcare settings, the detection of unauthorized access attempts can directly impact patient privacy and data security. The system's capabilities are particularly crucial in ensuring that only authorized personnel have access to sensitive medical information, thereby reducing risks associated with data breaches or misuse.
**8. Enhancing User Account Management:** - ArcSight IdentityView simplifies the task of tracking user accounts across various applications by providing detailed reports on observed activity from different accounts held by an individual (e.g., David Landers). This detailed reporting aids in understanding the specific rights and system access required for each role within the organization, enhancing overall identity management practices.
In conclusion, this document underscores how ArcSight solutions are instrumental in modern organizational environments like healthcare settings, providing real-time monitoring tools that facilitate interactive dashboards for tracking user activities, detecting suspicious behaviors, and ultimately safeguarding sensitive information from unauthorized access. The use of custom field sets and detailed reporting capabilities within the system helps ensure compliance with regulatory requirements while protecting patient data privacy.
Details:
This document outlines the steps for setting up and running a demonstration of ArcSight IdentityView together with FairWarning content in ArcSight ESM (Enterprise Security Manager) on the demo45.6043 virtual machine. The demonstration involves logging into the ArcSight Console as Admin with the demo VM's credentials "admin/password" (a demo default that must never exist on a production console), importing specific files, and customizing field sets to display clinical-specific information.
**Installation Steps:**
1. Tested in demo45.6043 VM.
2. Log in to ArcSight Console as Admin (credentials: admin/password).
3. Import the "IdentityView_FairWarning.arb" file.
4. Download and place "IdentityView_FairWarning.events" from "/All Files/ArcNet Files/FairWarning" into "\arcsight\agent\current" for use with the Replay Connector.
5. Edit the Field Set located at "/All Field Sets/ArcNet Field Sets/FairWarning/Clinical Applications Field Set". Add a note and save it as this is a one-time change required for setup.
6. Make a copy of your existing ESM v 4.5 SP1 Console into another directory.
7. Download "security_event_strings.properties" from "/All Files/ArcNet Files/FairWarning". Replace the file in the new Console's current\i18n\common directory to modify display fields for Patient Name and Patient ID.
8. Start replaying events at 50 events per minute; once the replay has finished, pause the Replay Connector and resize the dashboards.
9. The rules under "ISO 8 Human Resources Security/8.3.3 Removal of Access Rights" and Sarbanes Oxley 4.0 caused excessive rule recursion during the replay; disable these rules to resolve the issue.
**Content Included:**
1. Dashboards: "/All Dashboards/ArcNet Dashboards/FairWarning/Clinical Applications Dashboard".
2. Data Monitors: "/All Data Monitors/ArcNet Data Monitors/FairWarning/Clinical Applications Data Monitor".
3. Active Channels: "/All Active Channels/ArcNet Active Channels/FairWarning/All Events from David Landers".
4. Field Sets: "/All Field Sets/ArcNet Field Sets/FairWarning/Clinical Applications Field Set".
5. Rules: "/All Rules/ArcNet Rules/FairWarning/Access to a VIP Medical Record".
This setup is intended for demonstrating how IdentityView and FairWarning data work together within ArcSight ESM in a clinical application context, highlighting specific medical record access details.
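The rule "Access to a VIP Medical Record" and the clinical field set are the technical core of the demo. The following is an added example, not code from the demo document, from ArcSight or from FairWarning: it parses CEF lines the way a connector would, applies a field set that relabels raw keys as Patient Name and Patient ID, and evaluates a rule condition against a VIP patient list standing in for an ESM active list. The field layout (patient name in cs1, patient ID in cs2, function in cs3, a /Clinical/Record category for chart access) and the sample events are assumptions made for illustration, not FairWarning's real CEF mapping.

```python
"""Parse CEF lines and evaluate an 'Access to a VIP Medical Record' style rule.

Added example; not code from the demo document, ArcSight or FairWarning.
ASSUMPTIONS for illustration: patient name in cs1, patient ID in cs2,
function in cs3, and clinical record access carries a category under
/Clinical/Record. The real FairWarning CEF mapping may differ.
"""
import re

CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")

# Constructed sample events (not captured from a real FairWarning feed).
SAMPLE_EVENTS = [
    # David Landers' EHR account opens a VIP patient's chart -> should alert
    "CEF:0|FairWarning|Privacy Monitoring|2.0|100|Record Access|3|"
    "suser=dlanders app=EpicEHR cat=/Clinical/Record/View "
    "cs1Label=Patient Name cs1=John Q. Public "
    "cs2Label=Patient ID cs2=MRN-000123 cs3Label=Function cs3=View Chart",
    # Another clinician opens a non-VIP chart -> no alert
    "CEF:0|FairWarning|Privacy Monitoring|2.0|100|Record Access|3|"
    "suser=jroe app=EpicEHR cat=/Clinical/Record/View "
    "cs1Label=Patient Name cs1=Jane Doe "
    "cs2Label=Patient ID cs2=MRN-000999 cs3Label=Function cs3=View Chart",
    # A logon from another product that only mentions the VIP ID in free text
    # -> no alert; the rule keys on vendor, category and cs2, not on msg.
    # Also exercises the \| and \= escapes the parser must handle.
    "CEF:0|Vendor\\|X|Auth Gateway|1.0|5|Logon|1|"
    "suser=dlanders cat=/Authentication/Logon msg=session for MRN-000123 note\\=vip",
]

# Stand-in for the demo's custom field set: raw CEF keys -> clinical display
# names. User ID, Patient Name, Patient ID, Function and Event Category are
# the labels the document lists; "Clinical Application" is assumed.
CLINICAL_FIELD_SET = {
    "suser": "User ID",
    "app": "Clinical Application",
    "cat": "Event Category",
    "cs1": "Patient Name",
    "cs2": "Patient ID",
    "cs3": "Function",
}

# Stand-in for an ESM active list of VIP patient IDs (constructed).
VIP_PATIENT_IDS = {"MRN-000123"}


def parse_cef(line: str) -> dict:
    """Split a CEF line into its seven header fields plus extension key/values."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Header fields are pipe-separated; a literal pipe in a header is escaped as \|
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER_FIELDS, parts[:7])}
    # Extension: key=value pairs whose values may contain spaces, so split only
    # where the next token looks like a key. A literal '=' in a value is \=
    for token in re.split(r" (?=\w+=)", parts[7].strip()):
        key, _, value = token.partition("=")
        if key:
            event[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return event


def access_to_vip_record(event: dict, vip_ids=VIP_PATIENT_IDS) -> bool:
    """Rule condition: a FairWarning clinical record access whose Patient ID
    (cs2, by assumption) is on the VIP list."""
    return (
        event.get("vendor") == "FairWarning"
        and event.get("cat", "").startswith("/Clinical/Record")
        and event.get("cs2") in vip_ids
    )


def apply_field_set(event: dict, field_set=CLINICAL_FIELD_SET) -> dict:
    """Present the event under the clinical display names instead of raw keys."""
    return {label: event[key] for key, label in field_set.items() if key in event}


def run_rule(lines) -> list:
    """Parse each line; return the field-set view of every event that fires the rule."""
    alerts = []
    for line in lines:
        event = parse_cef(line)
        if access_to_vip_record(event):
            alerts.append(apply_field_set(event))
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print("Access to a VIP Medical Record:", alert)
```

Keying the rule on the structured Patient ID field rather than on free text is the point of the third sample: a message that merely mentions a VIP identifier must not fire, and a real deployment would also want the VIP list maintained as an active list so that membership changes do not require a rule edit.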
This document outlines various activities, reports, and settings related to David Landers' access and usage within the ArcNet system, specifically focused on privacy and security measures. The content includes archived reports, activity logs, and configuration details about the IdentityView and FairWarning modules used in the healthcare application. Key points include:
1. **Activity Logs**: There are multiple PDFs named "All Activity for David Landers.pdf" and "All Activity for Role.pdf," as well as a document titled "Activity Based Modeling by Employee Type.pdf." These archived reports record the activity attributed to David Landers across the monitored clinical applications, including access to sensitive medical records, and the activity of his role across the user population.
2. **Disabled Identity**: A separate archived report, "Activity from Disabled Identity.pdf," covers activity observed from accounts whose owning identity has been disabled. Any such activity is a finding in itself, since the accounts of a disabled identity should no longer be in use.
3. **Filters and Reports**: Specific filters under ArcNet Filters/FairWarning are configured for David Landers (Identity) and Clinical Application Users, indicating focused monitoring of his activities.
4. **Documentation Files**: Documents such as "IdentityView_FairWarning.events," "IdentityView and FairWarning ESM Demo Script.doc," and related screen shots ("Screen Shots.zip") provide detailed documentation on the implementation and usage of these security features within the system.
5. **System Configuration**: Settings like "security_event_strings.properties" supply the display labels for event fields, so that generic fields appear as User ID, Patient Name, Patient ID, Function, Event Category, and so on. These labels are what make a FairWarning event readable as a patient-record access in the ArcNet-Healthcare zone.
6. **Setup and Initialization**: Instructions to log into the ArcSight Console as Admin, acknowledge any existing notifications, and delete related cases; both will be titled "Access to a VIP Medical Record." This clears the alerts and cases left over from earlier runs so that the replayed events produce fresh ones during the demo.
7. **Updating Lists**: The IdentityView Active Lists and Session Lists are updated with additional entries so that the accounts appearing in the replayed events resolve to known identities (such as David Landers) during the demo.
This summary highlights the comprehensive nature of the documents and procedures designed to manage and secure access to sensitive information within the ArcNet system for a healthcare application, specifically tailored for David Landers' role.
The script involves navigating through several ArcSight components to demonstrate how ArcSight ESM, IdentityView, and FairWarning can be used together for security monitoring in a healthcare context. Here's a step-by-step summary of the process:
1. **Open the Dashboard**: Access the "Clinical Applications Dashboard" under "/All Dashboards/ArcNet Dashboards/FairWarning/".
2. **Open the Active Channel**: Select "/All Active Channels/ArcNet Active Channels/FairWarning/" and then choose "All Events from David Landers."
3. **Change Field Set**: Use "/All Field Sets/Foundation/ArcSight Express/ArcSight Express" as the field set.
4. **Open Archived Report**: View "/All Archived Reports/ArcNet Archived Reports/All Activity for David Landers.pdf".
5. **Open Specific Dashboard**: Access "/All Dashboards/ArcSight Solutions/IdentityView 1.1/Suspicious Activity/" and then select "Role Violations" dashboard.
6. **Access Specific Reports**: Retrieve "/All Archived Reports/ArcNet Archived Reports/All Activity for Role.pdf" and "Activity Based Modeling by Employee Type.pdf".
7. **Hide Unnecessary Panels**: Utilize the interface to hide the Navigator, Viewer, and Inspect/Edit panels.
8. **Show Notification and Investigate**: Show a notification, double-click it to view correlated events, and then acknowledge it.
9. **Display Dashboards and Reports**: Present the "Clinical Applications Dashboard", "All Events from David Landers" active channel (with ArcSight Express field set), and other specified dashboards and reports.
10. **Demonstrate Use Case**: Conclude by explaining how these tools can detect unauthorized access to VIP electronic health records, highlighting privacy and security implications in healthcare settings.
The document describes the monitoring and alerting processes within an organization using the ArcSight solution. Key points include:
1. Utilization of ArcSight Connectors in a demonstration environment to monitor clinical application events and activity from FairWarning, sending alerts in the ArcSight Common Event Format.
2. Integration of ArcSight ESM with Identity Management through ArcSight IdentityView for session and active lists updates based on identity data changes in the management system.
3. Proactive notification mechanism via email, SMS, or pager when actionable activity occurs, such as unauthorized access to VIP medical records.
4. Use of ArcSight Console and Dashboard features to track escalation processes and monitor users placed on the Suspicious Watchlist.
5. The document does not describe the mechanics of how those lists are updated; it presents the ability to detect and respond to suspicious activity dynamically as the system's main strength.
The provided text describes a system that provides real-time monitoring and interactive dashboards for tracking user activities in an environment, such as healthcare settings. Key features include:
1. **Real-Time Monitoring**: The dashboard offers a 360-degree view of all activity from users concerning specific records like medical records accessed by multiple users (three in this case) and unusual behavior detected including accessing the record of a deceased patient and emailing sensitive information to personal accounts.
2. **Interactivity and Drill Down Features**: Users can interact with the dashboard to drill down into details about particular events, such as detailed activity from David Landers across various clinical applications monitored by FairWarning and ArcSight.
3. **Custom Field Sets**: The system uses healthcare-specific names for fields (like Patient Name and Patient ID) to enhance understanding of the significance of detected events.
4. **Integration with Identity Management**: Features like ArcSight IdentityView and Model Import Connector help tie together different accounts used by David Landers across various clinical applications, providing a unified view of his identity within the environment.
5. **Reporting Capabilities**: The system allows for comprehensive visibility into all activities related to specific identities, which is traditionally challenging due to the number of associated accounts.
In summary, this system enhances security and compliance by providing an interactive and dynamic platform for monitoring user behavior in complex environments like healthcare, with features that facilitate investigation and reporting on unusual activities.
ArcSight IdentityView simplifies the task of tracking user accounts across various applications and platforms by providing comprehensive reports on user activities. It allows users to generate detailed reports based on specific identities, such as David Landers', showing all observed activity from his different accounts. The report includes graphical overviews alongside event details for easy analysis.
Beyond basic account tracking, ArcSight IdentityView helps in addressing challenges like role management and understanding role violations within an organization. By using the Dashboards feature, users can quickly identify if certain roles have access to unauthorized systems or applications. This capability extends to departmental insights by revealing which departments are accessing inappropriate systems. Additionally, reports can be generated that detail all user activity for specific roles, including accessed systems and applications along with frequency of usage.
These functionalities help in understanding the rights required for a particular role within an organization and what systems or applications they need access to. Overall, ArcSight IdentityView assists in streamlining identity management tasks by providing detailed reporting on user activities across platforms and applications.
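The identity-level reports and role-violation checks described in the last three paragraphs reduce to one data structure: a mapping from (application, account) pairs to identities, with a role and status per identity. The following is an added example, not code from the demo document or from ArcSight IdentityView; the identity list, role entitlements and events are all constructed for illustration, standing in for the data the Model Import Connector would load into IdentityView's active lists. It consolidates activity per identity, reports activity per role with usage frequency, flags role violations and surfaces activity from a disabled identity, and lists accounts no identity claims.

```python
"""Consolidate account-level activity into identities, then check roles.

Added example; not code from the demo document or from ArcSight IdentityView.
The identity list, roles, entitlements and events are CONSTRUCTED for
illustration and stand in for IdentityView's active lists.
"""
from collections import Counter

# Stand-in for the identity active list: (application, account) -> identity.
# Several accounts belonging to one person resolve to the same identity.
IDENTITY_LIST = {
    ("EpicEHR", "dlanders"):   "David Landers",
    ("LabSystem", "landersd"): "David Landers",
    ("BillingApp", "dl4471"):  "David Landers",
    ("BillingApp", "jroe"):    "Jane Roe",
}

# Per-identity attributes (role and status), also constructed.
IDENTITIES = {
    "David Landers": {"role": "Registered Nurse", "status": "active"},
    "Jane Roe":      {"role": "Billing Clerk",    "status": "disabled"},
}

# Which applications each role is entitled to use (constructed policy).
ROLE_ENTITLEMENTS = {
    "Registered Nurse": {"EpicEHR", "LabSystem"},
    "Billing Clerk":    {"BillingApp"},
}

# Constructed events, as a connector would deliver them after normalization.
EVENTS = [
    {"app": "EpicEHR",    "account": "dlanders",  "function": "View Chart"},
    {"app": "EpicEHR",    "account": "dlanders",  "function": "View Chart"},
    {"app": "LabSystem",  "account": "landersd",  "function": "View Result"},
    {"app": "BillingApp", "account": "dl4471",    "function": "View Invoice"},
    {"app": "BillingApp", "account": "jroe",      "function": "Export"},
    {"app": "EpicEHR",    "account": "svc_batch", "function": "View Chart"},
]


def resolve_identity(event: dict):
    """Map an event's (app, account) to an identity, or None if unmapped."""
    return IDENTITY_LIST.get((event["app"], event["account"]))


def activity_for_identity(events, identity: str) -> dict:
    """'All Activity for <identity>': event counts per application across
    every account the identity owns."""
    counts = Counter(ev["app"] for ev in events if resolve_identity(ev) == identity)
    return dict(counts)


def activity_for_role(events, role: str) -> dict:
    """'All Activity for Role': applications used by members of the role,
    with how often each was used."""
    counts = Counter(
        ev["app"] for ev in events
        if (i := resolve_identity(ev)) and IDENTITIES[i]["role"] == role
    )
    return dict(counts)


def role_violations(events) -> list:
    """(identity, role, app) triples where an identity used an application
    its role is not entitled to; the Role Violations dashboard in miniature."""
    found = set()
    for ev in events:
        identity = resolve_identity(ev)
        if identity is None:
            continue
        role = IDENTITIES[identity]["role"]
        if ev["app"] not in ROLE_ENTITLEMENTS.get(role, set()):
            found.add((identity, role, ev["app"]))
    return sorted(found)


def activity_from_disabled(events) -> list:
    """Events attributed to an identity whose status is 'disabled'."""
    return [ev for ev in events
            if (i := resolve_identity(ev)) and IDENTITIES[i]["status"] == "disabled"]


def unmapped_accounts(events) -> list:
    """Accounts no identity claims; these would need identity data imported
    before any identity-level report could include them."""
    return sorted({(ev["app"], ev["account"]) for ev in events
                   if resolve_identity(ev) is None})


if __name__ == "__main__":
    print("David Landers:", activity_for_identity(EVENTS, "David Landers"))
    print("Registered Nurse:", activity_for_role(EVENTS, "Registered Nurse"))
    print("Role violations:", role_violations(EVENTS))
    print("Disabled identity activity:", activity_from_disabled(EVENTS))
    print("Unmapped accounts:", unmapped_accounts(EVENTS))
```

Keying the identity list on the (application, account) pair rather than on the bare account name matters in practice: the same short username can belong to different people in different clinical systems, and collapsing on name alone would attribute one person's access to another.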