Integrating Security with HP CloudSystem Enterprise and ArcSight
- Pavan Raja

- Apr 8, 2025
Summary:
This document outlines the implementation plan for HP ArcSight ESM (Enterprise Security Manager) to be used within CloudSystem Enterprise environments for enhancing security through monitoring and incident response. Here are some key points from the document:
### 1. **Security Incident Response Metrics**
The document emphasizes setting up mechanisms to track and measure information security incidents, including their types, volumes, and costs. This involves tracking metrics such as audit logs that record privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events.
### 2. **Audit Logs and Logging Practices**
It stresses the importance of implementing auditing and logging practices that comply with relevant policies and regulations. Audit logs should be reviewed daily, and physical and logical access to these logs should be restricted to authorized personnel only. Additionally, it recommends host-based file integrity monitoring and network intrusion detection (IDS) tools to aid timely incident detection, root cause analysis, and effective response.
### 3. **Integration of HP ArcSight Logger and ESM**
The document discusses the use of HP ArcSight Logger as a central repository for security and event logging, which then forwards specific events to HP ArcSight ESM for further analysis and action. This approach provides an integrated view across the CloudSystem environment for both application and operating system events.
### 4. **Technical Implementation Details**
Appendix A details the ASLinuxAudit.props file used for automated deployment of the ArcSight SmartConnector for the Linux audit log, configured to send events to the ArcSight Logger with a SmartConnector named "Smart". The configuration includes settings such as the log file location ('/var/log/audit/audit.log') and network destination details (host '192.168.153.159', port '443').
### 5. **Documentation of Installation Process**
A section on configuring a connector for Linux auditd logs outlines how to send these logs over HTTPS (encrypted) to an ArcSight Logger SmartMessage destination, with installation setup and configuration details in Appendix B.
### 6. **Additional Resources and Feedback**
The document also provides links to additional resources such as the HP CloudSystem Enterprise product page, a reference architecture guide, and information on the Cloud Security Alliance. It encourages users to provide feedback through an online form to help improve the documentation and invites them to sign up for updates on HP products and services.
This comprehensive approach with detailed technical specifications aims to ensure effective implementation of HP ArcSight ESM within CloudSystem Enterprise environments for robust security management and incident response capabilities.
Details:
The technical white paper, "HP CloudSystem Enterprise Integrating Security with HP ArcSight," provides an overview of the integration between HP's cloud management platform, HP CloudSystem Enterprise, and its security analytics tool, HP ArcSight. Here is a summary of the table of contents based on the provided excerpt:
1. **Executive Summary** - Provides a brief introduction to the document.
2. **HP CloudSystem Enterprise Overview** - Discusses the main components and features of HP CloudSystem Enterprise.
3. **HP CloudSystem Enterprise Supply Layer** - Explains how data is supplied or collected in the cloud environment.
4. **HP CloudSystem Enterprise Demand and Delivery: HP Cloud Service Automation** - Describes how services are automated within the cloud system.
5. **HP CloudSystem Enterprise Components** - Lists and explains the various components of HP CloudSystem Enterprise, including hardware, software, and architecture.
6. **HP ArcSight Overview** - Introduces HP ArcSight, focusing on its main features and benefits for enterprise security management.
7. **Enterprise Security Manager (ESM)** - Details the functionality of the ESM module within HP ArcSight designed to manage security across the enterprise.
8. **HP ArcSight Logger** - Explains how events are logged using HP ArcSight, with a focus on RAW and Common Event Format (CEF).
9. **HP ArcSight Connectors** - Discusses the connectors that facilitate communication between HP CloudSystem Enterprise and HP ArcSight for event collection.
10. **Typical Deployment Scenarios** - Describes common setups where events are sent to the HP ArcSight Logger in RAW or CEF formats for analysis and security management.
This summary highlights the key topics covered in the white paper, emphasizing how HP CloudSystem Enterprise integrates with HP ArcSight for enhanced enterprise security capabilities.
This part of the white paper's table of contents covers ArcSight Logger and its use with HP ArcSight ESM. Here is a summary of the main points mentioned:
1. **ArcSight Logger using Connectors**: Describes how to utilize connectors within ArcSight Logger to facilitate communication and data exchange with other systems or services, likely including HP ArcSight ESM (Enterprise Security Manager).
2. **Sending events to HP ArcSight ESM using Connectors**: A detailed section on how to transmit event information from various devices to the HP ArcSight ESM platform via connectors. This involves configuring and managing connections for data flow between different systems.
3. **Devices**: Discusses the types of devices that can be connected or managed by ArcSight Logger, which could include network devices, servers, or other security appliances.
4. **Grouping devices**: Explains how to organize and categorize devices within the management framework for easier monitoring and administration.
5. **Forwarding events to HP ArcSight ESM**: Outlines the process of sending collected event data from various devices to the HP ArcSight ESM system for centralized log analysis, alerting, and reporting.
6. **Protecting HP CloudSystem Enterprise components with HP ArcSight**: Focuses on how ArcSight can be used to secure HP CloudSystem Enterprise components by providing comprehensive security management capabilities.
7. **Cloud Service Automation 3.1**: Introduces the features of the third version of the Cloud Service Automation, which automates and simplifies the deployment and management of cloud services within enterprise environments.
8. **Matrix Operating Environment**: Describes the architecture and functionality of the Matrix Operating Environment (MOE), a key component for server automation and resource management.
9. **Server Automation**: Explores how ArcSight supports server automation through features like VMware ESXi 5 Host, which allows for automated management and optimization of virtual machines hosted on this platform.
10. **VMware ESXi 5 Host**: Provides detailed information about using ArcSight with a VMware ESXi 5 host, emphasizing its role in automating the deployment and monitoring of hosts within a large-scale virtualization environment.
11. **Networking**: Discusses how ArcSight supports network management and security through tools like the HP TippingPoint Security Management System (SMS) Appliance, which helps protect enterprise networks from cyber threats.
Overall, this text is likely part of a documentation series that provides detailed instructions on setting up, configuring, and managing various aspects of HP's ArcSight Logger system, including its integration with other security management systems and devices within the organization.
This part of the table of contents covers the remaining sections of the white paper on HP ArcSight and cloud security services. Here's a breakdown of the content:
**Page Numbers**: The numbers refer to specific pages in the document where each topic is detailed further.
### Sections Breakdown:
1. **Protecting CloudSystem Enterprise Services with HP ArcSight** (Page 22) - This section likely introduces the role and importance of HP ArcSight in protecting cloud-based enterprise services.
2. **HP LAMP solution** (Page 25) - A brief overview of the Hewlett Packard's Log Analysis, Monitoring, and Protecting (LAMP) solution which is focused on event management for security purposes.
3. **Working with events** (Page 27) - This section describes how to manage and interact with various types of events generated by the system.
4. **Searching the HP ArcSight Logger** (Page 27) - Instructions or guidelines on using the ArcSight Logger to search for specific logs or events within the security infrastructure.
5. **HP ArcSight ESM – Viewing Events with Active Channels** (Page 29) - Discussion about the Enterprise Security Manager (ESM), focusing on how to view and manage events through active channels.
6. **Zones** (Page 31) - Explanation of zones as a feature in HP ArcSight, which is important for managing and organizing different parts of an enterprise's network or system.
7. **Queries** (Page 31) - The section likely details how to create and execute queries within the ArcSight platform to extract specific information from logged events.
8. **Rules** (Page 34) - A discussion on creating rules for automated actions based on certain conditions related to detected security events, which is crucial for proactive security management.
9. **Cloud Security Alliance** (Page 35) - An overview or mention of the Cloud Security Alliance, possibly discussing its role in promoting best practices and standards in cloud computing security.
10. **Summary** (Page 36) - A concluding summary that likely highlights key points from previous sections and provides a brief conclusion to the white paper's primary topic.
### Appendix:
**ASLinuxAudit.props** - This appears to be a reference or an appendix section of the document, possibly detailing properties specific to Linux in the context of HP ArcSight.
This summary assumes that each page number corresponds to a distinct chapter or subtopic within the technical white paper, providing quick access points into different aspects of the document's content related to cloud security and event management using HP ArcSight.
The technical white paper discusses a reference implementation of an HP ArcSight Security Information and Event Management (SIEM) solution integrated with HP CloudSystem Enterprise to enhance security in private and public cloud environments. It highlights how to configure HP ArcSight Logger, HP ArcSight Enterprise Security Manager (ESM), and HP ArcSight Connectors to monitor and protect the core components of HP CloudSystem Enterprise. The paper is targeted at system integrators, installers, and administrators familiar with CloudSystem Enterprise and HP CloudSystem Matrix, and aims to provide guidance on configuring these security products for enhanced service protection within cloud infrastructures.
The article outlines the functional architecture of HP CloudSystem Enterprise, which is designed to manage the entire lifecycle of application-to-infrastructure services in cloud environments. It features seamless integration with HP Cloud Service Automation (CSA), a cloud management platform for brokering and managing enterprise-grade application and infrastructure cloud services. This system works in conjunction with the HP Matrix Operating Environment and additional HP CloudSystem extensions, as well as third-party assets.
The supply layer of HP CloudSystem Enterprise utilizes the Matrix Operating Environment to provide infrastructure elements such as compute, network, storage, both physical and virtual, through offerings like HP BladeSystem servers, HP storage, and HP networking. The enterprise can also utilize VMware vCloud Director for additional infrastructure services. Supported third-party resources include servers, storage, and networking from various vendors.
HP Cloud Service Automation (CSA) is a software solution that enables the delivery of application services through its user interfaces which allow users to design infrastructure and specify available assets, manage service catalogs, and orchestrate deployment of compute resources for complex multitier applications. It integrates with mature HP management and automation products to provide comprehensive workload management, service design, and a customer portal, thus forming a complete solution for service automation within the cloud environment.
HP CloudSystem Enterprise is an advanced cloud infrastructure that includes Cloud Service Automation (CSA), expanding system capabilities for multiple hypervisors like VMware, Microsoft, KVM, and Xen, providing portal services for consumers to request services, delivering IaaS (Infrastructure as a Service) and PaaS (Platform as a Service) in heterogeneous environments, virtual desktop infrastructure (VDI or "Desktop as a Service"), and XaaS (Everything as a Service). It manages the entire cloud service lifecycle, from provisioning infrastructure to ensuring compliance of business and custom applications. Extensions add service assurance, enhanced security, storage management, and network management capabilities. Users can broker, manage on-demand services, enforce compliance, meet SLAs with performance and availability management, secure data through multi-tenancy and role-based access, and deliver comprehensive, unified service lifecycle management. Components of HP CloudSystem Enterprise include HP Operations Orchestration (OO) for communication between integrated products and devices, and HP Server Automation (SA) providing lifecycle server management and automated application deployment, along with provisioning operating systems and tasks like patching and compliance management.
The text discusses various automation tools and systems developed by Hewlett Packard Enterprise (HPE) for managing and monitoring IT environments, particularly focusing on database management, middleware management, infrastructure services, application lifecycle management, compliance, security events, and cloud service integration. Here's a summarized overview of each tool mentioned:
1. **HP Database and Middleware Automation (DMA):** This tool provides a content library for managing databases and middleware applications. It automates the deployment of application architectures onto existing infrastructure and also manages these applications by offering pre-packaged workflows for tasks such as patching, compliance, and code release. DMA eliminates the need for manual customization through its automated processes.
2. **HP SiteScope:** This is an agentless monitoring tool designed to monitor infrastructure platforms and key performance indicators (KPIs) of applications. KPIs include CPU, disk, and memory usage among others. It helps in maintaining a comprehensive view of the system's health by tracking various metrics across different components of the IT landscape.
3. **HP Universal Configuration Management Database (UCMDB):** UCMDB serves as a centralized repository for information about relationships between infrastructure elements, applications, and cloud services. This tool maintains accurate and up-to-date data regarding these interdependencies, which is crucial for effective management and troubleshooting of complex IT environments.
4. **HP Matrix Operating Environment:** This environment provides essential infrastructure services that are seamlessly integrated with Cloud Service Automation. It allows the system to dynamically expand capabilities by utilizing public cloud services when needed. The platform aims to provide a flexible and scalable architecture for managing various aspects of an organization's technology stack.
5. **HP ArcSight Enterprise Security Manager (ESM):** As a premier security event manager, HP ArcSight ESM is capable of analyzing and correlating operational events such as logins, logoffs, file accesses, and database queries, among others. It supports IT teams in all aspects of security event monitoring including compliance, risk management, intelligence gathering, and operations. The system is further enhanced with HP Reputation Security Monitor (RepSM) to add reputation-based threat intelligence that can be correlated with security events for more effective threat detection and prevention.
These tools from HPE are aimed at enhancing the efficiency of IT operations by automating routine tasks such as provisioning, patching, compliance checks, and monitoring; they also provide valuable insights into application performance, infrastructure health, and potential security threats through comprehensive event analysis and real-time alerts.
The HP ArcSight Logger is a comprehensive log management solution that helps improve compliance, risk management, security intelligence, and IT operations against threats like insider and advanced persistent attacks. It collects machine data from any source, unifies it for searching, indexing, reporting, analysis, and retention across devices, formats, and networks. Key features include automated log collection and archiving, fraud detection, real-time threat detection, forensic analysis capabilities, and the ability to detect threats early using HP RepSM's timely reputation data.
Additionally, the HP ArcSight Logger supports Bring Your Own Device (BYOD) and mobility trends, managing a vast volume of log data from multiple sources efficiently. It offers scalability in handling both current and future needs. The solution is also compatible with over 300 connectors for collecting logs from various devices and formats, providing a unified event format across IT departments for better security operations management.
The HP ArcSight Connectors are another crucial component of the solution, addressing the challenge of managing log records in hundreds of different formats. They provide normalization to a common event format, which enhances reporting and analysis capabilities by decoupling vendor-specific analyses from the events themselves. This approach simplifies IT management by centralizing the governance of logs across various platforms, making it easier for organizations to manage their security infrastructure efficiently while reducing costs associated with compliance and risk management related to cyber threats.
The HP ArcSight Connector Appliance (ConApp) simplifies management of a distributed log collection deployment by providing ongoing updates, upgrades, configuration changes, and administration through a centralized web-based interface. This appliance can be deployed as both hardware (appliance) or software.
The ConApp provides future-proofing by adapting to different network configurations without requiring reporting or rule changes, even when switching from one router model to another (e.g., Cisco to Juniper) or adding a new SQL database to an existing Oracle setup. It supports universal content relevance through the HP ArcSight Common Event Format, which abstracts log syntax differences across products and lets non-technical users analyze data intuitively without expertise in the individual log formats.
HP ArcSight Connectors offer robust audit quality controls including secure, reliable transmission, bandwidth management, and are available as plug-and-play appliances for quick deployment across diverse network environments from small branches to large data centers. These connectors support a wide range of commercial products and legacy systems out-of-the-box, making them versatile for various technical deployments.
This text discusses the use of the Common Event Format (CEF) for standardizing log data from various vendors, which is presented in a unified format for searching and correlation by HP ArcSight ESM and Logger. Log information, including data from network devices and unmodified systems, can be sent to the HP ArcSight Logger for aggregation and further processing through filters to forward specific event information to the ArcSight ESM. The reference implementation involves several servers within the infrastructure, all sending log events in either raw or CEF formats to the HP ArcSight Logger. Additionally, it mentions the use of HP ArcSight Connectors to collect operational data from various host operating systems and send it to the Logger for analysis and action.
This text discusses a system for collecting and transmitting log events from various sources to an HP ArcSight Logger, which then forwards them to either a SmartMessage receiver or directly to the HP ArcSight ESM (Enterprise Security Manager). The process involves converting event information into the Common Event Format (CEF) at each host by means of HP ArcSight Connectors. These connectors send log data to both the logger and the ESM, allowing for simultaneous monitoring of multiple high-value assets through a single interface.
The setup includes devices such as Onboard Administrator (OA), Virtual Connect (VC), ESXi, network switches, etc., which are connected to the UDP or SmartMessage receivers within the HP ArcSight Logger. These devices are automatically registered and displayed in the Devices section of the logger configuration interface after being added. Additionally, device groups can be created for better organization and management of monitored devices.
The text provided outlines the process of setting up an HP ArcSight Logger in order to forward specific log data events to an HP ArcSight Enterprise Security Manager (ESM) system for analysis and correlation. It begins by explaining that a device group named CSE has been created, which includes systems with enabled logging through HP ArcSight Connectors such as CSA, Matrix Operating Environment, SiteScope, UCMDB, Operations Orchestration, and vCenter.
The article then explains how to create forwarders in the HP ArcSight Logger for forwarding log data to an ESM Destination. This destination is shown in Figure 8, where it appears as a connector within the ArcSight ESM Console after being configured. In this example, the connector is named "Logger2ESM."
Figure 9 illustrates how to create a forwarder based on regular expression queries for forwarding specific events such as failed login attempts. The query in the forwarder specifies that if authentication is verified and results in failure, all related log events should be sent to the ArcSight ESM.
Lastly, there's an example of configuring forwarders specifically targeting devices or device groups; here, a forwarder for events from the CSE device group (Figure 10) and another named "CSE Application Events" are created. All events from systems part of the CSE device group will be forwarded to the HP ArcSight ESM system. This setup allows for targeted analysis based on specific criteria defined in the configuration process.
In Figure 11, two event forwarders are presented: CSE Application Events and Windows Logon Failures. These are used to protect the core components of HP CloudSystem Enterprise through configuring them to send security information and events to either HP ArcSight ESM or HP ArcSight Logger for enhanced protection. The article details how to configure each component, including collecting information from operating system and application log files using standard syslog and event log collection methods or by utilizing HP ArcSight Connectors for more detailed logging specific to the applications.
The configuration involves deploying HP ArcSight Connectors on hosts running CloudSystem Enterprise applications such as: CloudSystem Matrix Central Management Server, Cloud Service Automation, Operations Orchestration, Cloud Service Automation Database server, SiteScope, and Universal Configuration Management Database Server (UCMDB). These applications include two that are hosted together on a Microsoft Windows Server 2008 R2 server - Cloud Service Automation and Operations Orchestration.
Operating system events from these applications go to the HP ArcSight logger through specific connectors for each host operating system, while application-specific logs use HP ArcSight Connectors. Detailed monitoring of core applications like CSA, OO, HPIO, UCMDB, and SiteScope is covered in the Cloud Service Automation 3.1 documentation under document ID KM00231339 which requires an HP Passport account for access. This document provides step-by-step instructions on configuring these settings to ensure comprehensive security measures are implemented across all core components of HP CloudSystem Enterprise.
The instructions provided outline how to configure application event logging in Common Event Format (CEF) for several specific applications using an ArcSight logger. The supported applications include Cloud Server Automation, Operations Orchestration RAS, Operations Orchestration, SiteScope, UCMDB, and HPIO.
The process involves editing the log4j.properties file of each application to support CEF logging by specifying a device vendor (HP), product (CSA for core products), version (3.1), transport type (SYSLOG), host name (an IP address or hostname), port number, and layout pattern. Additionally, the use of a CEF header and an event name should be defined in this file.
The modifications to the log4j.properties file include setting up appenders for CEF logging with specified vendor, product, version, transport type, host name, port, layout patterns, and including a CEF header. The eventName is also set according to the application's events to facilitate searching through the logger.
After configuring these applications for ArcSight integration by modifying their log4j.properties files as described, follow installation procedures for the HP ArcSight Connector on each host operating system to capture and manage log and event data effectively. This setup is crucial for centralized monitoring and analysis of system activities across various platforms using a unified interface provided by the ArcSight logger in CEF format.
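The CEF format the appenders emit, and the Logger forwarder rule for failed authentication described with Figure 9, in working form. This is an added example and not code from the white paper or from HP; the `CSE_DEVICE_GROUP` host names and the sample events are constructed, and `dvchost`, `outcome`, `suser` and `msg` are standard CEF extension keys.

```python
import re
from dataclasses import dataclass, field

# Added example, not code from the HP white paper: builds/parses ArcSight CEF
# lines like those the CSA log4j CEF appender emits (vendor HP, product CSA,
# version 3.1) and applies a Logger-style forwarder rule (CSE device group, or
# failed authentication -> ESM). Host names and sample events are constructed.

def _esc_header(v: str) -> str:
    # Header fields escape backslash and the '|' separator.
    return v.replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(v: str) -> str:
    # Extension values escape backslash, '=' and line breaks.
    return (v.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\n", "\\n").replace("\r", "\\r"))

def _unesc(v: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), v)

@dataclass
class CefEvent:
    vendor: str
    product: str
    version: str
    signature_id: str
    name: str
    severity: int  # CEF 0 uses 0-10
    extension: dict = field(default_factory=dict)

    def format(self) -> str:
        """Render as 'CEF:0|Vendor|Product|Version|SigID|Name|Severity|k=v ...'."""
        header = "|".join(_esc_header(str(x)) for x in (
            self.vendor, self.product, self.version,
            self.signature_id, self.name, self.severity))
        ext = " ".join(f"{k}={_esc_ext(str(v))}" for k, v in self.extension.items())
        return f"CEF:0|{header}|{ext}"

def _split_header(s: str, limit: int = 7) -> list:
    """Split on unescaped '|' at most `limit` times; the remainder (extension) stays raw."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if len(parts) == limit:
            parts.append(s[i:])
            return parts
        if s[i] == "\\" and i + 1 < len(s):  # escaped char: keep it literally
            cur.append(s[i + 1])
            i += 2
        elif s[i] == "|":
            parts.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts

# An extension key is a run of [A-Za-z0-9_.] at start or after whitespace, then '='.
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

def parse_extension(ext: str) -> dict:
    out, keys = {}, list(_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m[1]] = _unesc(ext[m.end():end])
    return out

def parse_cef(raw: str) -> CefEvent:
    # Tolerate a syslog prefix before the CEF marker, as a Logger UDP receiver sees it.
    start = raw.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    parts = _split_header(raw[start:])
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("malformed CEF header")
    _, vendor, product, version, sig, name, sev, ext = parts
    return CefEvent(vendor, product, version, sig, name, int(sev), parse_extension(ext))

# Constructed "CSE" device group, mirroring the Logger device group described above.
CSE_DEVICE_GROUP = {"csa.example.internal", "oo.example.internal",
                    "ucmdb.example.internal", "sis.example.internal"}
AUTH_WORDS = re.compile(r"auth|log ?[io]n|password", re.I)

def forward_to_esm(raw: str, group: set = CSE_DEVICE_GROUP) -> bool:
    """Forwarder rule: CSE-group events, or any authentication that ended in failure."""
    ev = parse_cef(raw)
    if ev.extension.get("dvchost") in group:
        return True
    failed = ev.extension.get("outcome", "").lower() == "failure"
    return failed and AUTH_WORDS.search(ev.name) is not None

# Constructed samples: a CSA application event, a Windows logon failure from a host
# outside the CSE group, and a routine SiteScope event that must not be forwarded.
SAMPLE_CSA = CefEvent("HP", "CSA", "3.1", "csa.auth", "Authentication failure", 5,
                      {"dvchost": "csa.example.internal", "suser": "admin",
                       "outcome": "failure", "msg": "bad password for user=admin"}).format()
SAMPLE_WIN = ("<13>Jan  1 00:00:00 web CEF:0|Microsoft|Windows|2008 R2|4625|"
              "An account failed to log on|5|dvchost=web.example.internal outcome=failure suser=bob")
SAMPLE_OK = "CEF:0|HP|SiteScope|11|sis.mon|Monitor OK|2|dvchost=other.example.internal outcome=success"
```

Each sample line would be sent to the Logger's UDP receiver; `forward_to_esm` reproduces which of them a forwarder built on the CSE group plus the failed-logon query would pass on to ESM.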
This document outlines the installation and configuration steps for the HP ArcSight SmartConnectors on specific Windows 2008 R2 hosts, focusing on CloudSystem Enterprise core applications. The tasks include setting up a UDP receiver on the HP ArcSight Logger to capture events from log4j application logs and configuring logging systems for HP BLc7000 Onboard Administrator (OA) and HP Virtual Connect.
1. **Installation of HP ArcSight Connector**: Install the HP ArcSight Connector for Windows on each host running CloudSystem Enterprise core applications, including OO.fog.cloud.internal, Ora.fog.cloud.internal, Fog.fog.cloud.internal, Sis.fog.cloud.internal, UCM.fog.cloud.internal, and vCenter.fog.cloud.internal.
2. **Configuration of Log4j**: The "log4j.appender.cef1.hostName=192.x.x.x" line in the log4j.properties file specifies the IP address of the HP ArcSight Logger, while a corresponding UDP receiver (UDP Receiver 1) is created on the logger to receive events from each application.
3. **Logging Configuration for Specific Systems**:
   - **HP BLc7000 Onboard Administrator (OA):** To enable monitoring and viewing in HP ArcSight:
     - Navigate to Active OA -> System Log -> Log Options.
     - Enable remote system logging, setting the Syslog Server Address to the IP of the HP ArcSight Logger and using the default port 514 for UDP communication.
   - **HP Virtual Connect:** Additional steps are required based on specific instructions not detailed in this document excerpt.
This setup is designed to facilitate event capturing and system logging within the HP ArcSight environment, ensuring comprehensive monitoring of CloudSystem Enterprise applications through a centralized logger and manager interface.
The instructions provided outline how to apply settings for HP Virtual Connect (VC) monitoring within HP ArcSight Logger and ESM. To set up VC monitoring, follow these steps:
1. **Log into the HP Matrix Operating Environment Portal**: Navigate to "Tools -> Integrated Consoles -> Virtual Connect Enterprise Manager (VCEM)".
2. **Select the VC domain** you wish to monitor from either the "VC Domain Groups" or "VC Domains" tab, and then select "VC Domain Maintenance".
3. **Confirm the warning prompt**: When prompted with a warning about other products potentially being used, type "YES" without quotes and select "OK".
4. **Navigate to System Log** in the Virtual Connect Manager (VCM) interface: From the left navigation bar, select "System Log", then click on the "Configuration" tab.
5. **Define Target for Logging**:
   - Set the "Log Host" to the IP address of your HP ArcSight Logger.
   - Choose an appropriate "Log Severity" based on your needs.
   - Select the transport type ("Transport") as UDP or TCP, depending on how you have configured your UDP/TCP Receiver.
   - Enter the desired "Port" for the UDP/TCP communication.
   - Set the "Date Format" to RFC 3164.
   - Enable logging by setting "Enabled" to "Yes".
6. **Apply the settings** by selecting "Apply". If done correctly, you should see a screen similar to Figure 14 upon refreshing the display. This setup enables VC monitoring in HP ArcSight Logger and ESM.
The summarized content provides a step-by-step guide on how to configure various components, such as HP Virtual Connect Manager (VCM), Linux host, and VMware ESXi 5 Host, to communicate with HP ArcSight Logger for monitoring and logging purposes. Here's the breakdown of the steps involved:
1. **HP Virtual Connect Manager (VCM) Setup:**
   - Navigate to "Configuration -> Devices" in HP ArcSight Logger after selecting "Test." If successful, you should see the IP or hostname of the HP Virtual Connect Manager registered.
   - Sign out and close the VCM window.
   - Select the "Complete VC Domain Maintenance" button at the bottom of the screen in the VCEM window.
2. **Linux Host Configuration for Syslog Logging:**
   - Edit the `/etc/syslog.conf` file to include `*.* @192.x.x.x`, replacing `192.x.x.x` with the IP address of the HP ArcSight Logger.
   - Restart the syslog daemon so that log events are sent in raw format to the HP ArcSight Logger.
3. **VMware ESXi 5 Host Configuration:**
   - Log into the host or VMware vSphere Server using the VMware vSphere Client, and navigate to the appropriate view based on whether you're connecting via the server or directly to the host.
   - Select the host in the left navigation bar, then go to the "Configuration" tab.
   - In the "Advanced Settings," select "Syslog > global."
   - Set the "Syslog.global.logHost" variable to point to your HP ArcSight Logger or external syslog server.
By following these steps, you can effectively configure and integrate various systems with HP ArcSight Logger for efficient monitoring and logging.
To set up your ESXi Syslog on a VMware ESXi Host for sending events to an HP ArcSight Logger or external syslog server, follow these steps:
1. Install the appropriate HP ArcSight Smart Connector and configure it with the IP address or hostname of your syslog server (e.g., udp://192.168.156.90:514).
2. Navigate to "Advanced System Settings" on your ESXi host, then select "Syslog."
3. Set the "global.logHost" variable to point to your syslog server's address and port. For example: udp://192.168.156.90:514.
4. Click "OK" after setting the variable.
5. Go to "Security Profile," then under the "Software" group box, select "Firewall" and click "Properties."
6. In the "Firewall Properties" window, scroll down to find "syslog" and check the box to enable it.
7. (Optional) To restrict outbound syslog traffic, go back to the "Security Profile," select "Firewall," and then choose the "Only allow connections from the following networks" radio button. Specify your HP ArcSight Logger server or external syslog server for added security. Click "OK."
8. Wait a few minutes for VMware ESXi Host to send its first event, which should appear as the IP or hostname of the host in the "Configuration -> Devices" page within HP ArcSight Logger. Repeat these steps for all your ESXi hosts.
9. As an alternative to configuring syslog on each ESXi host, consider using the VMware vSphere Web Services API to integrate with HP ArcSight. This programming interface lets customer-written or third-party applications integrate with VMware vSphere, and enables monitoring through that interface instead of per-host syslog.
To set up an HP ArcSight connector to work with VMware vSphere vCenter Server, follow these steps after closing the HP ArcSight Connector Setup window:
1. **Obtain and Import the Certificate:**
Open Internet Explorer on your vCenter host at `https://localhost`.
Click on "Certificate Error", then select "View Certificates".
On the “Details” tab, click "Copy to File…" and choose Base-64 encoded X.509 (.CER). Save it to a location on your local disk.
2. **Run Command Prompt as Administrator:**
Open Command Prompt with administrative privileges: Start -> All Programs -> Accessories -> Command Prompt, right-click and select "Run as administrator".
3. **Navigate to the Connector's Bin Directory:**
Change directory to `C:\Program Files (x86)\ArcSightSmartConnectors\current\bin`.
4. **Import the Certificate Using Keytool:**
Run the command: `arcsight agent keytool -import -trustcacerts -alias vmware -file c:\vcenter-cert.cer -store clientcerts`
When prompted, type "yes" to trust the certificate.
5. **Rerun Connector Setup:**
In the same command prompt window, run `runagentsetup`.
6. **Configure the Connector:**
Open HP ArcSight and select “Add a Connector”.
Choose “VMware Web Services” as the connector type (Figure 20).
Set “ValidateCert” to "true" and proceed with further configurations.
By following these steps, you will have successfully configured the HP ArcSight connector to interact with your VMware vSphere vCenter Server.
This document outlines the process for adding a VMware Web Services device to ArcSight using a connector. The steps include:
1. Opening the "Enter the device details" window and selecting "Add." You need to enter the host name or IP address, a user name with Read-Only permissions, and the password. If certificate verification fails, rerun keytool and check whether the certificate was imported correctly or the wrong certificate was imported.
2. On the "Enter the type of destination" screen, select "ArcSight Manager (encrypted)."
3. Refer to the ArcSight documentation for completing the Connector installation after selecting this option.
4. Once installed, ensure the service starts and check that the connector is registered in the HP ArcSight ESM Console.
Additionally, there's information about configuring HP 58x0 and 59x0 Series Switches to be monitored by pointing their internal system log to the HP ArcSight Logger. This involves logging into the switch via system view, entering specific commands, enabling info-center, and saving the settings. After completing these steps, the IP or hostname of the switch should appear in HP ArcSight.
The article discusses integrating the HP TippingPoint Security Management System (SMS) Appliance with HP ArcSight Logger and ESM through a connector designed to handle syslog information from the SMS appliance. To achieve this integration, the HP ArcSight Connector is configured and installed on an additional system (Linux or Windows), which is then pointed at the HP TippingPoint SMS. The process involves:
1. Installing the HP ArcSight SmartConnectors connector by following the ArcSight documentation – User’s Guide HP ArcSight SmartConnectors. During this step, select "TippingPoint SMS Syslog Extended" when prompted to configure a new connector.
2. On the "Enter the connector details" window, input necessary information for your environment without specifying username and password. Continue by selecting "Next".
3. Proceed to the "Enter the device details" window and add the following:
Host: Enter the host name or IP address of the HP TippingPoint SMS appliance.
To ensure security when monitoring with HP TippingPoint SMS, it is recommended to create a user account with Read-Only permissions. This user will have access only to what you want monitored, such as the entire system or specific devices, segment groups, profiles, etc. After setting up this user, follow these steps for Syslog configuration:
1. Log into HP TippingPoint SMS and go to "Admin > Server Properties > Syslog."
2. Click "New..." and enter the necessary information for the installed connector system. You can set up multiple Facilities and Severity levels as per your requirements.
3. For the destination, select "ArcSight Manager (encrypted)."
4. Refer to ArcSight documentation for completing the SmartConnector installation. Afterward, ensure that the HP Connector service is started via Windows Services.
5. Once registered in HP ArcSight ESM, you can enhance security by integrating the HP ArcSight Connector with CloudSystem Enterprise services during provisioning as demonstrated in this technical white paper.
The technical white paper discusses the process of creating a Server Automation software policy named ArcSightSecurityPackages to deploy the ArcSight Smart connector on a Red Hat Enterprise Linux 6.3 virtual machine. The deployment involves several steps including installing required Linux packages, zipping the necessary files for silent installation, importing them into Server Automation, and configuring post-install scripts.
The process starts with identifying the required Linux packages needed to deploy the ArcSight Smart connector (Figure 25). These include: libcap2-bin, libpcre3, openssl, httpd, mariadb, php, unzip, perl, coreutils, findutils, grep, sed, bash, and auditd.
Next, a zip file is created by zipping the Linux smart connector .bin file and the properties file for silent installation (Figure 26). The contents of this zip file are then imported into Server Automation. A post-install script is added to run the silent installer and start the service after deployment (Figure 27), using a response file ASLinuxAudit.props created manually by deploying the ArcSight Smart connector with specific commands for silent installation.
Two Server Automation policies, ApacheWordPress-RHEL6 and MariaDB-RHEL6, are defined in the LAMP + WordPress reference implementation to deploy required packages to database and web servers (Figure 28). These policies are modified to include deployment of the ArcSightSecurityPackages policy which automatically deploys the ArcSight Smart Connector for Linux audit logger to both servers and starts logging events to ArcSight Logger.
After deployment, the linux_auditd events can be viewed in the summary page of the ArcSight Logger under Agent Type, and nodes will appear in the Configuration > Devices section of the HP ArcSight Logger. The paper also covers searching for events in the HP ArcSight Logger using specific keywords like MOEevent (Figure 29).
The MOEevent is a specific type of event defined in the Matrix infrastructure orchestration log4j properties file for HP ArcSight Logger during CSA 3.1 integration with ArcSight Logger (HP Passport account required). This event is configured as follows:
- Appender Name: cef1
- Device Vendor: HP
- Device Product: CSA
- Device Version: 3.1
- Transport Type: SYSLOG
- Host Name: 192.x.x.x
- Port: 514
- Layout: PatternLayout with ConversionPattern set to "%d <%-18t -%x> %-5p %C.%M - %m%n"
- Use CEF Header: true
- Event Name: MOEEvent
Similar event types are defined for other CloudSystem Enterprise applications such as:
- CSAEvent (modified from MOEevent in the log4j.properties file)
- OOEvent (Operations Orchestration)
- OORASEvent (Operations Orchestration RAS)
- SiteScope Event (SiteScope)
- UCMDBEvent (UCMDB)
The document also explains how to configure an HP ArcSight Connector for each Windows operating system in CloudSystem Enterprise, as detailed in the HP ArcSight SmartConnectors User’s Guide.
The provided text discusses the logging and viewing of failed logon attempts using HP ArcSight Logger and ESM (Enterprise Security Manager). Here's a summary of the key points:
1. **Logging Failed Logon Attempts**:
Failed logon attempts are captured and reported in the HP ArcSight Logger.
In Figure 30, with search criteria set to failed logons over the last five minutes, out of 999 logged events, four were failed logons.
2. **Viewing Events Using Active Channels**:
Events can be viewed using an Active Channel in HP ArcSight ESM (Enterprise Security Manager).
To view forwarded events from the ArcSight Logger to the ESM, right-click on the logger connector and set it as the current filter. This will display all current events.
3. **Testing Forwarder**:
A forwarder for failed logons was created earlier and is now being tested by attempting to log in to a specific server (oo.fog.cloud.internal).
Setting the Active Channel filter to Logger2ESM Connector allows viewing of forwarded failed logon attempts, as shown in Figure 32.
4. **Customizing the View**:
The view can be customized by selecting additional columns for event information, such as Event Name, Attacker User Name, Attacker Address, Target Address, Priority, and Device Vendor (Figure 33).
5. **Event Details**:
Clicking on an event in the custom view provides detailed information about the failed logon attempt (Figure 34).
Possible event details include fields that can be used as search criteria for queries and rules within the system.
Overall, this document outlines a method to monitor and analyze failed logon attempts using HP ArcSight Logger and ESM, providing detailed insights into each attempted login failure.
This passage is about how to manage and monitor high-value assets in a system using zones, create queries for analyzing log activity, and use these tools effectively with an example of creating a query to find failed login attempts. Here's the summary:
1. **Zones**: These are groups based on IP address ranges that help filter and view specific log activities. There is a CloudSystem Enterprise zone grouping its servers.
2. **Query Creation**: Admins can create queries to analyze data in ArcSight ESM (Enterprise Security Manager). A query named "Failed Login" was used as an example, where key fields such as Category Outcome, Category Behavior, Target Address, Target Host Name, and Attacker User Name were selected. The conditions for this query were that the behavior is "Verify" and the outcome is false.
3. **Query Viewer**: This tool helps execute the created queries. The viewer named "Failed Logons" was set up to run the "Failed Login" query. By default, data is refreshed every 15 minutes.
4. **Results**: When executed, this query displays all events that match the specified conditions related to failed login attempts.
This text discusses configuring queries and rules in HP ArcSight ESM to detect failed logon attempts. The query used involves selecting specific fields such as Category Outcome, Category Behavior, Target Address, Target Host Name, and Attacker User Name. To trigger a rule named "Failed Logon Notify," which sends an email alert, the conditions are set: Category Behavior must be "Authentication/Verify" and Category Outcome must be "Failure."
The rules configuration is similar to queries, requiring specific event conditions to be met. For failed logons, these include three occurrences of a failed authentication within two minutes on the same Target Host Name. The rule editor allows setting up such conditions, ensuring that an alert is triggered only when three failed logon attempts against the same target host occur within that short time frame, rather than on every single failure.
This setup helps in efficiently monitoring and responding to potential security breaches by promptly notifying of attempted unauthorized access through logon failures.
The article discusses configuring rules for aggregation in the HP ArcSight ESM (Enterprise Security Manager) software, where events meeting the rule's conditions are summarized if at least three matching events occur within two minutes, aggregated on certain event fields such as "Target Zone Resource" and "Target Host Name." The actions tab allows setting up various actions to be triggered when a rule fires. In this case, the action chosen is sending a notification, which can include specifying a destination email address and a message about the event (e.g., failed logons).
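The CEF-over-syslog format the MOEEvent appender emits and the three-failures-in-two-minutes rule described above, as an added example (not the white paper's code or ArcSight's own rule engine): a small Python parser for CEF lines plus a per-target-host sliding-window threshold, run over constructed sample events. The extension keys used (rt, cat, outcome, suser, dhost), the sample hosts and the receipt times are assumptions.

```python
"""Added example (not code from the HP white paper): parse the CEF-over-syslog
lines that the MOEEvent log4j appender emits, then apply the threshold the
paper's "Failed Logon Notify" rule uses (three authentication failures against
the same target host within two minutes).  Extension keys are assumptions."""
import re
from collections import defaultdict, deque

# key=value pairs; values may contain spaces and '\=' escapes, and end where
# the next "key=" begins or at end of line
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s\w+=|$)")

def parse_cef(line):
    """Return CEF header fields plus extension key/value pairs as a dict.
    Header fields are '|'-separated and may escape '|' and '\\' with a
    backslash; extension values escape '=' and '\\' the same way."""
    text = line[line.find("CEF:"):]           # drop the syslog prefix
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:  # 7 header fields, then extension
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("not a CEF line: %r" % line)
    event = dict(zip(("cef", "vendor", "product", "device_version",
                      "signature_id", "name", "severity"), fields))
    for key, value in _EXT_RE.findall(text[i:]):
        event[key] = re.sub(r"\\([=\\])", r"\1", value)
    return event

def failed_logon_rule(events, threshold=3, window_ms=120_000):
    """Per-target-host sliding window: alert once `threshold` authentication
    failures fall within `window_ms`, then reset that group as an ESM rule does."""
    windows, alerts = defaultdict(deque), []
    for ev in sorted(events, key=lambda e: int(e.get("rt", 0))):
        if ev.get("cat") != "/Authentication/Verify" or ev.get("outcome") != "/Failure":
            continue                          # successes and other events are ignored
        host, now = ev.get("dhost", "unknown"), int(ev.get("rt", 0))
        q = windows[host]
        q.append(now)
        while now - q[0] > window_ms:        # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"dhost": host, "count": len(q), "rt": now})
            q.clear()
    return alerts

_BASE = 1359054172000   # constructed receipt time, epoch milliseconds

def _sample(offset_ms, outcome, user, host):
    """One constructed syslog+CEF line shaped like the CSA appender's output."""
    return ("<13>Jan 24 13:02:52 csa CEF:0|HP|CSA|3.1|100|MOEEvent|3|"
            "rt=%d cat=/Authentication/Verify outcome=%s suser=%s dhost=%s"
            % (_BASE + offset_ms, outcome, user, host))

SAMPLE_LINES = [
    _sample(0, "/Failure", "admin", "oo.fog.cloud.internal"),
    _sample(30_000, "/Failure", "admin", "oo.fog.cloud.internal"),
    _sample(40_000, "/Success", "admin", "oo.fog.cloud.internal"),
    _sample(50_000, "/Failure", "root", "db.fog.cloud.internal"),
    _sample(100_000, "/Failure", "guest", "oo.fog.cloud.internal"),  # third failure: alert
    _sample(200_000, "/Failure", "admin", "oo.fog.cloud.internal"),  # after reset: no alert
]
```

Running `failed_logon_rule([parse_cef(l) for l in SAMPLE_LINES])` yields one alert for oo.fog.cloud.internal at the third failure; the single later failure does not retrigger it, and the one failure against db.fog.cloud.internal never reaches the threshold.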
Additionally, it mentions the role of the Cloud Security Alliance (CSA), a non-profit organization dedicated to enhancing cloud security through guidance, education, and best practices. CSA publishes security guidance and a cloud controls matrix to address security issues in cloud computing. The HP ArcSight products are aligned with the areas of concern outlined in the CSA's "Security Guidance for Critical Areas of Focus in Cloud Computing," which delineates 14 domains focusing on various security aspects relevant to cloud environments. These include areas addressed by the HP ArcSight products, specifically Domain 5 focused on Information Management and Data Security, including its sub-section 5.4.1 regarding locations and data handling within clouds.
The provided text is a summary of various security controls as outlined in the Cloud Security Alliance's Security Control Matrix, which aims to provide guidance on implementing security measures for cloud computing environments. These controls are designed to address specific aspects such as user access reviews, policy establishment for incident management, and audit tool usage with appropriate access segmentation to protect log data integrity. The table lists these controls along with their descriptions, specifying that they can be addressed using the HP ArcSight solution. This information is crucial for organizations aiming to secure their cloud computing infrastructures by implementing the recommended security measures as outlined in this document from the Cloud Security Alliance.
The document outlines the implementation of HP ArcSight ESM (Enterprise Security Manager) for monitoring and enhancing security within CloudSystem Enterprise environments. Key points include:
1. **Security Incident Response Metrics**: Establishing mechanisms to monitor and quantify the types, volumes, and costs of information security incidents. This involves tracking incident response metrics such as audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events.
2. **Audit Logs and Logging Practices**: Implementing practices for auditing and logging that comply with applicable policies and regulations. Audit logs must be reviewed daily, and physical and logical user access to these logs should be restricted to only authorized personnel. Additionally, file integrity monitoring (host) and network intrusion detection (IDS) tools are recommended to facilitate timely incident detection through root cause analysis and effective response strategies.
3. **Integration of HP ArcSight Logger and ESM**: The document discusses the use of HP ArcSight Logger as a central repository for security and event logging, which then forwards specific events to HP ArcSight ESM for further analysis and action. This approach provides an integrated view of both application and operating system events across the CloudSystem environment.
4. **Technical Implementation Details**: Appendix A specifically details the ASLinuxAudit.props file used for automated deployment of the ArcSight smart connector for Linux audit logger, which is configured to send events to the ArcSight Logger with a Smart Connector named "Smart".
In summary, this document provides guidance on how to leverage HP ArcSight ESM and Logger to improve security posture in CloudSystem Enterprise environments by enhancing incident response capabilities through detailed logging and monitoring practices.
This document outlines the properties and configurations for a connector installation using the InstallAnywhere Installer on Thu Jan 24 13:02:52 EST 2013. The installer is set to run silently with a specified user install directory and an associated ArcSight Agent setup properties file.
The main panel 'containeroperation' presents two options: "Add a Connector" (default choice, coded as 'addconnector') or "Enable FIPS mode" (coded as 'setfipsmode'). The default option selected is to add a connector, which directs the system to proceed to the next panel 'connectortype'.
In the 'connectortype' panel, it specifies that the connector type to be configured is 'linux_auditd'. Next, in the 'connectorparameter' panel, details for this connector are specified, including the log file name set as '/var/log/audit/audit.log'.
The 'connectordestinationtypes' panel then requires a selection of destination types. The default choice here is to select ArcSight Logger SmartMessage (encrypted) with options for host ('192.168.153.159') and port ('443'). Additionally, the receiver name is set as 'Smart'.
Overall, this document outlines a series of steps to configure a connector for Linux auditd logs to be sent via HTTPS (encrypted) to an ArcSight Logger SmartMessage destination.
This document outlines the remaining settings for a connector named "LinuxAudit", installed on a device whose location is recorded as Houston, Texas. The connector is set up with compression enabled and is installed as a service named "linux_auditd" with the display name "Linux Audit File"; the service starts automatically, and no further user input is required beyond the installation itself. The final panel offers a choice to continue or exit, and selecting "exit" ends the installer.
For more information about HP CloudSystem Enterprise products, visit hpenterprisesecurity.com/products, and for general CloudSystem information, go to hp.com/go/cloudsystementerprise. Additional resources include the HP CloudSystem reference architecture at http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA3-4548ENW and the Cloud Security Alliance at https://cloudsecurityalliance.org/.
The text encourages users to provide feedback on HP's documentation through the provided link at hp.com/solutions/feedback for improving it. It also invites them to sign up for updates regarding HP products and services by visiting hp.com/go/getupdated. The page includes a copyright notice indicating that the content is owned by Hewlett-Packard Development Company, L.P., with information subject to change without notice. There are disclaimers about warranties and liability limitations as well as trademark mentions of Microsoft (Windows) and Oracle. Lastly, it specifies a document identifier and publication date: 4AA4-5836ENW, March 2013.