
POC - Steps v0.2_1

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 16 min read

Summary:

The source is an HP ArcSight proof-of-concept (POC) walkthrough. It argues that ArcSight has been in the correlation business longer than its competitors, having started as a correlation product before the SIEM category existed, and that its engine can tie together seemingly unrelated events and surface low-and-slow attacks by understanding users, network activity and roles. ArcSight ESM (Enterprise Security Manager; ArcSight Express is the appliance bundle of the same engine) applies pattern recognition and behavioural analysis so that analysts work the few incidents that matter instead of millions of raw events, which the text credits with better security, faster response and fewer resources. It contrasts the single-source correlation of other SIEM vendors with ArcSight's multi-dimensional approach, refined over a decade in log management and correlation.

The second theme is cross-device correlation for insider-threat detection in a data centre. Badge-reader events from restricted areas and VPN logins are correlated per user: since nobody can be in two places at once, a physical entry paired with a remote VPN session for the same account, or a VPN login outside normal working hours, is flagged. The correlation draws on three kinds of context:

1. **Asset Context**: which vulnerabilities apply to a particular asset rather than to every asset, which ports each asset exposes, and whether an observed exploit targets a vulnerability the asset actually has, so that risk is judged per system rather than generically.
2. **User Context**: roles, departments, account status and associated accounts pulled from Identity Management (IdM) systems such as Active Directory, used to spot unauthorised access, identity-based threats and role violations.
3. **Location Context**: IP addresses rendered as human-readable zones (subnet, department, geography), so that the origin and destination of a connection can be judged legitimate or indicative of an outside threat.

With this context ESM prioritises events and delivers them through a security-operations platform: reporting templates at several levels, real-time alerting, proactive notification of suspicious activity, interactive dashboards, customisable reports, and built-in workflow and incident response.

The third theme is the incident workflow in ESM's case management, illustrated with an attempted access by a former employee through an infected machine that is beaconing to botnet command-and-control servers:

1. Identify: a critical case is opened when the access attempt is detected.
2. Track: every event associated with the incident is visible in the case, so the sequence and nature of the events can be reviewed.
3. Document: the analyst adds notes, comments and supporting material (diagrams, reports) to the case.
4. Investigate: the analyst checks the destinations the infected machine is contacting; a large number of international connections confirms an infection.
5. Contain: using the platform's integrations, the analyst lists the systems the internal machine is trying to reach and contains the threat.

The example shows how integrated tooling and a case-management workflow let an organisation respond to a sophisticated threat efficiently.
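The "nobody can be in two places at once" rule from the cross-device correlation discussion above, as an added example in plain Python; it is not part of the POC document or ArcSight's own rule language. It correlates constructed badge-reader and VPN events per user. The internal network list, the 30-minute proximity window, the 08:00-18:00 business-hours range and the event format are assumptions made for the demonstration.

```python
"""Cross-device correlation of badge access and VPN logins.

Added example, not ArcSight code. Two rules over constructed events:
  1. a VPN login from an external address within WINDOW of the same user's
     badge-in to a restricted area (physically here, digitally elsewhere);
  2. a VPN login from an external address outside business hours.
"""
from datetime import datetime, timedelta
import ipaddress

TS_FMT = "%Y-%m-%d %H:%M:%S"
WINDOW = timedelta(minutes=30)                 # assumed badge/VPN proximity window
BUSINESS_HOURS = (8, 18)                       # assumed 08:00-18:00 local time
# Assumed internal zones; anything else is treated as remote.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events: (timestamp, source device, user, detail).
# For "badge" the detail is the door; for "vpn" it is the client address.
SAMPLE_EVENTS = [
    ("2025-04-08 09:02:11", "badge", "swright", "DC-ROOM-1 entry"),
    ("2025-04-08 09:15:40", "vpn",   "swright", "203.0.113.45"),  # remote login while badged in
    ("2025-04-08 10:00:00", "vpn",   "dgchung", "198.51.100.7"),  # business hours, not badged in
    ("2025-04-08 23:41:05", "vpn",   "dgchung", "198.51.100.7"),  # after hours
    ("2025-04-08 11:30:00", "vpn",   "jdoe",    "10.0.5.20"),     # on-site address: ignored
]


def parse_ts(ts):
    return datetime.strptime(ts, TS_FMT)


def is_external(ip):
    """True when the address is outside every configured internal zone."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events, window=WINDOW, hours=BUSINESS_HOURS):
    """Return (rule, user, timestamp) alerts, in event-time order."""
    # Pass 1: collect physical presence per user first, so a VPN login shortly
    # *before* a badge-in is caught as well as one shortly after.
    badge_times = {}
    for ts, src, user, _ in events:
        if src == "badge":
            badge_times.setdefault(user, []).append(parse_ts(ts))

    alerts = []
    for ts, src, user, detail in sorted(events, key=lambda e: e[0]):
        if src != "vpn" or not is_external(detail):
            continue
        t = parse_ts(ts)
        # Rule 1: remote VPN login within `window` of a badge-in by the same user.
        if any(abs(t - bt) <= window for bt in badge_times.get(user, [])):
            alerts.append(("physical_vs_digital", user, ts))
        # Rule 2: remote VPN login outside business hours.
        if not (hours[0] <= t.hour < hours[1]):
            alerts.append(("after_hours_vpn", user, ts))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the badge and VPN feeds arrive from different connectors with different clock sources, so the window should be wider than the worst expected clock skew between them, and the internal-zone list should come from the same network model the SIEM uses rather than a hard-coded constant.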

Details:

ArcSight Express is the appliance edition of ESM and is used here for incident management and investigation. In the use case an employee, swright, receives an email notification on his phone that multiple logon attempts have locked his Windows account; the notification can be acknowledged directly from the mobile device. swright then logs into the HP ArcSight Console (the POC lab uses admin/password, a demo credential that must not survive into any production deployment), opens Pending Notifications and double-clicks the notification "Multiple Logon Attempts to Locked Windows Account: swright". The Inspect/Edit panel opens with the events leading up to the lockout, and clicking Acknowledge stops the notification escalating to the next level of the escalation chain.

The OS Login Overview tab summarises operating-system login activity in an interactive dashboard. Double-clicking swright's bar in the chart drills down to the underlying events in a grid view; columns can be resized and rearranged, and each row drills further into event detail. The resulting Active Channel shows swright's login events with a field set chosen for security and compliance investigations; in the demo the ArcSight Foundation, ArcSight Express and Security field sets are selected under Field Sets.

The investigation then follows the attacker's activity inside the network, using VPN reports and event graphs. swright connects remotely through the VPN with address 10.0.110.34. Two channels are created, one for swright and one named Attacker Address (10.0.100.34). Tracing the path from outside the network through the VPN to the internal address shows that the user is connected via VPN but his machine is infected with malware trying to reach malicious sites. Firewall events in the Attacker Address channel show extranet activity, including FTP to known malicious sites, confirming a malware infection on swright's device. An event graph renders the same activity as a graph so the sequence of connections and any patterns are visible, and the graph can be attached to a case in ArcSight's case management, which groups incidents by user (here swright) and tracks the related events automatically. Finally the VPN report Successful Logins by Source Address shows swright logging in from several source addresses within a short period.

The report suggests that swright's account is compromised and points to wider problems such as unauthorised access or malware infection. Through these steps ArcSight identifies and classifies the threat so that further damage can be limited.

HP ArcSight's correlation rules and actions are credited with faster identification of and response to incidents, including zero-day attacks, and its automated reporting gives visibility into both security and compliance status.

Logger, the log-management product, can display a custom login banner that states company policy and records the user's acknowledgement; the banner is optional and customisable. After login the dashboard shows panels such as failed logins by user and top destination ports. Hovering over a chart such as NetFlow Top Destination Ports shows event counts and percentages, and clicking through opens the search page. Panel formats and the entries displayed can be edited. The drop-down in the upper left of the interface selects among custom dashboards built by different users for their own interests (compliance, network operations, monitor, TippingPoint and others), each tailored to a role so that only relevant data is shown.
For instance, a compliance dashboard shows configuration changes, failed logins and user-privilege modifications, while a network-operations dashboard shows traffic distribution by port and which sources the firewall is dropping. The TippingPoint dashboard summarises critical- and major-severity attacks and groups them by ArcSight category. The point made throughout is that Logger's role-based access control lets each role see only the data relevant to it.

The search walkthrough that follows hunts for evidence that an ex-employee (account dgchung) sent confidential information to China:

1. From the Logger menu choose Analyze > Search. The search page is deliberately Google-like: one box, free text.
2. Enter dgchung, set the time range to the last hour from the drop-down, and click Go! (or press Enter).
3. Open the Field Summary panel above the results. With the term typed in, it shows which deviceVendor values (Oracle, Microsoft, Vontu and so on) carry the string, with event counts and their percentage of the total.
4. Close the deviceVendor overview, or minimise Field Summary with its Minimize icon, to recover screen space.
5. Switch from the unstructured field list to a structured fieldset (for example Security) so only the fields relevant to the investigation are displayed.
6. In Advanced Search choose sourceHostName as the Name and Contains as the Operator, and type finance to match any server whose hostname contains that word.
7. Other operators (Starts With, Ends With, =, != and so on) narrow the search on specific elements of the log data in the same way.

The Common Conditions Editor (CCE) builds the same conditions graphically:

1. Select Color Block View, which lets conditions be arranged by drag and drop.
2. Open the Common Conditions Editor and add conditions through its graphical interface.
3. Click Go! to run the search. An empty result is normal at this stage; an analyst rarely knows the right terms until a first search has run.
4. If dgchung alone returns nothing, broaden the term, for example to (dgchung OR dchung), and run again.
5. Add a further condition to narrow the result, such as FTP events with a particular destination country.
6. Combine conditions with AND and OR in the search string.
7. Let the search helper assist: as you type, Logger suggests fields and pipeline commands, so a query such as `(dgchung or dchung) AND sourceHostName contains "finance" | top name` can be completed from the prompts.
8. Chart the result: Logger's built-in charting can render the event names as a pie chart summarising the activities found (creating users, granting roles).
9. Change the chart type from the default line graph to whatever suits the data.
10. Keep iterating: try different combinations of conditions to test or discard theories about the data.

| **Feature** | **Description** |
| --- | --- |
| Export Results | Exports results and charts as PDF or CSV; the number of top entries displayed is adjustable. |
| Save local / Save to Logger | Saves a search or chart locally or within Logger. |
| Chart Types | Bar, pie, area, line, stacked column and stacked bar. |
| Customizable Reporting | Reports can be placed on a dashboard, including URLs that link to further information, for summarised or linked reports straight from Logger. |
| Search Functionality | Raw-event searches with specific keywords (for example `not cef loss nagios ALERT`) to isolate network-performance issues such as latency. |
| Reports Dashboard | Customisable reports such as SANS Top 5 IDS Alerts and ArcSight links, consolidating key alerts and external information. |

The Logger Regex helper parses fields out of raw events:

1. The demonstration events are kept RAW on purpose: standard fields such as deviceVendor and deviceProduct are blank.
2. Click an event containing "SOFT", then click the RAW (Extract Fields) icon. A popup opens in which the Regex helper recognises candidate fields and lets you name them.
3. Find the field holding the RTA (round-trip average) measurement, click its name to the left of the numeric value and rename it from Word_14 to RTA. The parsed value becomes a new column in the fieldset.
4. Click OK; the helper writes the regex into the query without errors. Append `| where RTA > 1` to keep only round-trip averages above 1 ms.
5. Click Export Results to save locally, send to a report, or produce a PDF or CSV.

Together these steps show how the Regex helper turns an unparsed line into a named numeric field that the rest of the search pipeline can filter and chart.
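The search pipeline from the walkthrough above, as an added example in plain Python; it is not Logger code and does not reproduce Logger's actual query engine. It models the four operations the steps perform in the UI: a free-text OR search, a structured field condition with Advanced Search operators, the `| top <field>` aggregation and the Field Summary counts, and regex extraction of a numeric field from a raw line followed by `| where RTA > 1`. Field names follow ArcSight's CEF naming; every parsed event and raw line below is constructed for the demonstration, and the `rta=...ms` format of the raw lines is an assumption.

```python
"""Logger-style search pipeline over constructed events (added example, not Logger code)."""
import re
from collections import Counter

# Constructed parsed events (a subset of CEF fields).
EVENTS = [
    {"deviceVendor": "Oracle",    "sourceUserName": "dgchung", "sourceHostName": "finance-db01", "name": "create user"},
    {"deviceVendor": "Oracle",    "sourceUserName": "dgchung", "sourceHostName": "finance-db01", "name": "grant role"},
    {"deviceVendor": "Microsoft", "sourceUserName": "dchung",  "sourceHostName": "hr-ws17",      "name": "logon"},
    {"deviceVendor": "Vontu",     "sourceUserName": "dgchung", "sourceHostName": "finance-ftp",  "name": "ftp transfer",
     "destinationCountry": "CN"},
    {"deviceVendor": "Cisco",     "sourceUserName": "jdoe",    "sourceHostName": "finance-ftp",  "name": "logon"},
]

# Constructed raw (unparsed) monitoring lines standing in for the "SOFT" events
# in the text; standard fields such as deviceVendor are deliberately absent.
RAW_LINES = [
    "Apr 8 10:00:01 nagios SOFT host=web01 rta=0.42ms pl=0%",
    "Apr 8 10:00:02 nagios SOFT host=db02 rta=3.15ms pl=0%",
    "Apr 8 10:00:03 nagios SOFT host=ftp01 rta=1.00ms pl=0%",
]

# Advanced Search operators as plain predicates (string matching is case-insensitive).
OPS = {
    "contains":   lambda a, b: b.lower() in a.lower(),
    "startswith": lambda a, b: a.lower().startswith(b.lower()),
    "endswith":   lambda a, b: a.lower().endswith(b.lower()),
    "=":          lambda a, b: a == b,
    "!=":         lambda a, b: a != b,
}


def keyword_search(events, *terms):
    """Free-text search: keep events where any field value contains any term (OR)."""
    terms = [t.lower() for t in terms]
    return [e for e in events
            if any(t in str(v).lower() for v in e.values() for t in terms)]


def field_condition(events, field, op, value):
    """Structured condition such as sourceHostName contains "finance".
    Events that lack the field never match, whatever the operator."""
    pred = OPS[op]
    return [e for e in events if field in e and pred(str(e[field]), value)]


def top(events, field, n=10):
    """`| top field`: (value, count) pairs, most frequent first."""
    return Counter(e[field] for e in events if field in e).most_common(n)


def field_summary(events, field):
    """Field Summary panel: value -> (count, percent of events carrying the field)."""
    counts = Counter(e[field] for e in events if field in e)
    total = sum(counts.values())
    return {v: (c, round(100.0 * c / total, 1)) for v, c in counts.items()}


# The regex the Regex helper would emit once the RTA token has been named.
RTA_RE = re.compile(r"\brta=(?P<RTA>\d+(?:\.\d+)?)ms\b")


def extract_rta(raw_lines):
    """RAW (Extract Fields): parse RTA out of each raw line into a named numeric field.
    Lines the regex does not match are dropped, as they would be in Logger."""
    parsed = []
    for line in raw_lines:
        m = RTA_RE.search(line)
        if m:
            parsed.append({"raw": line, "RTA": float(m.group("RTA"))})
    return parsed


def where_gt(events, field, threshold):
    """`| where field > threshold`: strictly greater, so an RTA of exactly 1.00 does not pass > 1."""
    return [e for e in events if e.get(field, float("-inf")) > threshold]


if __name__ == "__main__":
    hits = field_condition(keyword_search(EVENTS, "dgchung", "dchung"),
                           "sourceHostName", "contains", "finance")
    print(top(hits, "name"))
    print(field_condition(hits, "destinationCountry", "=", "CN"))
    print(where_gt(extract_rta(RAW_LINES), "RTA", 1))
```

Two behaviours worth noting when translating this back to the real tool: a structured condition on a field silently excludes every event where the connector left that field empty, which is exactly why the raw "SOFT" lines need extraction first, and `where RTA > 1` is a strict comparison, so a boundary value such as 1.00 ms is not returned.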
The text describes the structure of an information technology platform with three main layers, each serving specific purposes in managing and analyzing security events: 1. **Core Engine Layer**: This consists of three products designed for different aspects of security management:

  • **Logger**: Acts as a long-term forensics store, handling log management.

  • **ESM/Express (Enterprise Security Manager)**: A correlation engine that uses multi-dimensional correlations to analyze context about the environment, users, assets, vulnerabilities, threat feeds, and more. This reduces false positives and provides immediate value by improving response times to security incidents.

  • **TRM/SMS (Threat Response Manager / TippingPoint Security Management System)**: an automated-response engine that works with the HP TippingPoint Next-Gen SMS server. It is the management layer that acts on detected threats, for example quarantining a host when ESM raises a threat.

2. **Solutions Module Layer**: the top of the N-tier platform: the analysis rules, reports and dashboards through which users see security-risk information in customisable form. Modules are either out-of-the-box (OOTB) or built by HP, partners or customers.

3. **Collection Layer**: the SmartConnectors (and customer-written FlexConnectors) that gather events from the sources below; this layer is described next.

Together the three layers are meant to give organisations a robust, customisable platform combining log management, a correlation engine and automated response, with reporting that can be tailored to each audience.

ArcSight collects log data from thousands of devices across hundreds of locations: physical-security devices, network and security devices, hosts, databases and applications. The goals are audit-quality logs collected securely and reliably with traffic-management controls, and simple deployment and administration. ArcSight claims the largest connector library in the market, with over 350 event sources supported out of the box and new ones added every quarter through partnerships or customer-built FlexConnectors, which cover home-grown applications and legacy systems not yet supported.

SmartConnectors collect without installing agents on the monitored devices, either passively (listening for syslog) or actively (pulling from the source). Each event is normalised and enriched, then filtered and aggregated before it is forwarded, which makes the connector the foundation for both Logger and ESM. Filtering discards the irrelevant events that routers and switches emit in bulk once logging is enabled; aggregation merges runs of identical significant events into a single event with a count, cutting bandwidth instead of sending every copy.

The connector then forwards the reduced stream to ESM over a connection with integrity controls, so events cannot be altered in transit, and compression to save bandwidth. A heartbeat between connector and ESM tracks the link, and events are cached locally during a network outage and replayed when connectivity returns. Bandwidth management caps what the connector sends so that a low-bandwidth remote site or a saturated link is not overwhelmed. All of this is managed centrally from ESM, which simplifies updates, upgrades and configuration changes.
This centralized management also ensures that the SmartConnector operates efficiently and reliably under any circumstances, making it an invaluable tool for security operations in environments where significant volumes of data must be monitored and analyzed in real time.
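The filtering and aggregation that the collection section above attributes to SmartConnectors, as an added example in plain Python; it is not ArcSight connector code. It drops events matching a filter before they leave the collection point and collapses runs of identical events into one event carrying `baseEventCount`, `startTime` and `endTime`, which are the fields ArcSight aggregated events expose. The aggregation key, the 60-second window, the noise rule and the firewall events are all constructed for the demonstration.

```python
"""SmartConnector-style filtering and aggregation (added example, not ArcSight code)."""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
# Assumed aggregation key: events identical on these fields are merged.
AGG_KEY = ("deviceVendor", "name", "sourceAddress", "destinationAddress", "destinationPort")
WINDOW = timedelta(seconds=60)            # assumed aggregation window
NOISE = {("Cisco", "teardown")}           # assumed filter: (deviceVendor, name) pairs to drop


def ev(ts, vendor, name, src, dst, dport):
    return {"time": ts, "deviceVendor": vendor, "name": name,
            "sourceAddress": src, "destinationAddress": dst, "destinationPort": dport}

# Constructed firewall events: one internal host repeatedly hitting an external FTP server.
SAMPLE_EVENTS = [
    ev("2025-04-08 10:00:00", "Cisco", "deny",     "10.0.100.34", "203.0.113.9",  21),
    ev("2025-04-08 10:00:05", "Cisco", "deny",     "10.0.100.34", "203.0.113.9",  21),
    ev("2025-04-08 10:00:10", "Cisco", "deny",     "10.0.100.34", "198.51.100.7", 21),
    ev("2025-04-08 10:00:12", "Cisco", "teardown", "10.0.100.34", "203.0.113.9",  21),  # noise
    ev("2025-04-08 10:00:13", "Cisco", "teardown", "10.0.100.34", "203.0.113.9",  21),  # noise
    ev("2025-04-08 10:00:20", "Cisco", "deny",     "10.0.100.34", "203.0.113.9",  21),
    ev("2025-04-08 10:00:30", "Cisco", "deny",     "10.0.100.34", "203.0.113.9",  21),
    ev("2025-04-08 10:00:40", "Cisco", "deny",     "10.0.100.34", "203.0.113.9",  21),
    ev("2025-04-08 10:05:00", "Cisco", "deny",     "10.0.100.34", "203.0.113.9",  21),  # past window: new run
]


def parse_ts(ts):
    return datetime.strptime(ts, TS_FMT)


def filter_events(events, noise=NOISE):
    """Connector filter: drop events whose (deviceVendor, name) is in the noise set."""
    return [e for e in events if (e["deviceVendor"], e["name"]) not in noise]


def aggregate(events, key=AGG_KEY, window=WINDOW):
    """Collapse events that share `key` and arrive within `window` of the run's first event.

    Returns aggregated events ordered by startTime; each carries baseEventCount
    plus the startTime/endTime of the run it summarises. A run that outlives the
    window is emitted and a fresh run is started, so counts never span more than
    `window` of wall-clock time."""
    open_runs = {}
    emitted = []
    for e in sorted(events, key=lambda x: x["time"]):
        k = tuple(e[f] for f in key)
        t = parse_ts(e["time"])
        run = open_runs.get(k)
        if run is not None and t - parse_ts(run["startTime"]) <= window:
            run["baseEventCount"] += 1
            run["endTime"] = e["time"]
            continue
        if run is not None:
            emitted.append(run)            # window expired: flush and start over
        run = dict(zip(key, k))
        run.update(startTime=e["time"], endTime=e["time"], baseEventCount=1)
        open_runs[k] = run
    emitted.extend(open_runs.values())     # flush whatever is still open at end of input
    return sorted(emitted, key=lambda r: r["startTime"])


def reduction(events):
    """(events received, events forwarded after filter + aggregate)."""
    return len(events), len(aggregate(filter_events(events)))


if __name__ == "__main__":
    for r in aggregate(filter_events(SAMPLE_EVENTS)):
        print(r["startTime"], r["endTime"], r["destinationAddress"], r["baseEventCount"])
    print(reduction(SAMPLE_EVENTS))
```

The security caveat is the same one that applies to the real connector: anything dropped by the filter is gone before it reaches Logger, so filter rules belong under change control, and an aggregated event preserves only the key fields and the count, so any field not in the key (a URL, a username) is lost for the run. Keep the aggregation key wide enough to retain what the correlation rules downstream actually need.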

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have comments or feedback, kindly leave a message and it will be responded to.

@2021 Copyrights reserved.
