
Sample POC Use Cases

  • Writer: Pavan Raja
  • Apr 9, 2025
  • 5 min read

Summary:

On January 25, 2012, Gary Freeman compiled a list of potential Use Cases (UCs) for the Proof of Concept (POC) Scope section of a scoping document. The UCs are grouped into four categories: SOC (Security Operations Center), Network Security, Telecommunications, and Competitive Advantage. The SOC and Network Security use cases cover forensic logging of raw data, event correlation for incident creation, asset inventory management, change and vulnerability reporting, auditing of the SIEM itself, firewall and VPN alerting, and traffic analysis. The telecommunications use cases cover compliance monitoring, IT operations SLA monitoring, log management, and the ArcSight features used to extend security monitoring into telecom environments: integrating monitoring into networks migrating to an IP backbone, overseeing third-party contractors, monitoring privileged users, protecting sensitive data, and a unified search interface. Taken together, the use cases show how ArcSight is meant to strengthen security monitoring across telecom operations, protect sensitive information, detect fraud and insider threats, manage bandwidth, support compliance with regulatory standards, and provide forensic investigation and threat intelligence capabilities.

Details:

On January 25, 2012, Gary Freeman created a list of potential Use Cases (UCs) for inclusion in the Proof of Concept (POC) Scope section of a scoping document. The UCs are categorized into four main types: SOC (Security Operations Center), Network Security, Telecommunications, and Competitive Advantage.

**SOC Use Cases:**

  • **UC1 Forensic Logging of Raw Data**: Collect raw log information from various sources for compliance and litigation purposes.

  • **UC2 Event Correlation for Incident Creation**: Generate automated incident notifications from events that may indicate threats or compliance violations.

  • **UC3 Correlation Creation and Management**: Recognize security events automatically to support the creation and maintenance of correlation rules.

  • **UC4 Creating and Maintaining Asset Inventory**: Maintain an accurate asset inventory within the SIEM solution for analytics, reporting, and other functions.

  • **UC5 Reporting Change and Vulnerability**: Identify and report changes to critical assets, such as device configurations, privileged accounts, and software versions.

  • **UC6 Audit SIEM Solution**: Provide evidence that the SIEM solution itself operates securely and in compliance.

  • **UC7 Forensic Investigation Tools**: Offer analytical tools, screens, and reports for reconstructing the conditions surrounding a security breach or data disclosure.

  • **UC8 SOC Metrics**: Display reports, dashboards, and alerts specific to the Security Operations workflow, including case creation, resolution, alert acknowledgements, and event flow health.

**Network Security Use Cases:**

  • **UC9 Repeated Firewall Blocks to Critical Systems**: Alert when 500 or more firewall drops occur within a 5-minute period from the same source/destination IP pair.

  • **UC10 Firewall Connection to Rogue Country or Competitor IP Space**: Monitor outbound traffic that connects to known rogue IP ranges or competitor sites for suspicious activity.

  • **UC11 Firewall Failure Alert**: Notify when any firewall failure is detected.

  • **UC12 VPN / ASA Multiple Session Detection**: Trigger an alert when multiple VPN sessions are detected within a 60-minute period.

  • **UC13 User Authentication via VPN or ASA**: Recognize successful user authentication events and add the users to session correlation.

  • **UC14 Outbound Traffic Analysis by Country, Protocol, or User**: Provide reports on top outbound web activity.

  • **UC15 Netflow Bandwidth Utilization Statistics**: Display statistics for top activity by device, protocol, or user.

  • **UC16 Unauthorized Wireless Access Detection**: Detect unauthorized access over the wireless network to financial networks, and file downloads from financial servers.

  • **UC17 Web Defacement by Attackers**: Surface the early reconnaissance activity that precedes web server exploitation, so that defenders can act first (for example, by patching the targeted vulnerability or enabling the IPS to block the attack).

**Telecommunications Use Cases:**

  • **UC18 Compliance Monitoring**: Demonstrate the use of the SIEM for audits and for compliance with regulatory requirements, which is particularly important in a highly regulated sector such as telecommunications.

  • **UC19 IT Operations SLA Monitoring**: Automate SLA management for the complex IT infrastructure that telecom operations depend on, enabling efficient and effective network management.

  • **UC20 Log Management (Security, IT Operations, and Compliance)**: Retain communications-related data to meet legal requirements and to support possible law enforcement requests, leveraging ArcSight's scalable logging capabilities.

UC21 to UC30 focus on extending security monitoring into telecom operations with ArcSight technology. They cover IP migration and next-generation network initiatives, monitoring of outsourced contractors, and other aspects of telecom management. Key features highlighted include:

  • **UC21**: Integrating state-of-the-art security monitoring into new solutions for telecoms migrating to an IP backbone and adopting the IMS framework by strategically placing collection points across all tiers of the OSS architecture. This includes correlating operational latency, availability, and security metrics with event data.

  • **UC22**: Monitoring third-party contractors using ArcSight to detect misuse or behavioral anomalies, highlighting features like logical segregation, user monitoring, session correlation, domain fields, and a customer feature for effective oversight.

  • **UC23**: Monitoring privileged users in the critical operations environments of a telecom to prevent misuse, fraud, and data leakage, including integration with Identity and Access Management solutions for real-time user information and role assessment.

  • **UC24**: Ensures call center employees handle sensitive customer data securely by monitoring VoIP logs and customer record activities to detect insider threats or suspicious behaviors.

  • **UC25**: Monitors critical applications like provisioning and billing systems for misuse, fraud, and data leakage through the use of SmartConnectors for many business apps and FlexConnectors for custom or home-grown applications.

  • **UC26**: Monitoring mission-critical processes such as provisioning and network administration to ensure uptime and to prevent unauthorized changes or unscheduled downtime.

  • **UC27**: Enhances sensitive data protection by allowing customers to create custom lists to monitor files or directories containing various types of confidential information including customer data, product plans, financial data, employee data, and strategic plans.

  • **UC28**: Monitors web portals for potential attacks and fraud through automated monitoring and alerting mechanisms.

  • **UC29**: Demonstrates bandwidth throttling capabilities using ArcSight's connector framework to manage event flow in geographically distributed networks, reducing WAN utilization during an attack scenario by managing bit-rate usage.

  • **UC30**: Introduces a unified search interface for all existing and new Logger search methods within the ArcSight platform, providing flexibility and ease of use for users handling mixed or unknown data types.
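The repeated-firewall-block rule in the Network Security list above (500 or more drops in 5 minutes from the same source/destination pair, against a critical system) is the kind of threshold correlation a SIEM evaluates continuously. The following is an added example of that rule written as a generic sliding-window correlator over constructed, syslog-like firewall lines; it is not ArcSight content, and the line format, field names, device name and sample addresses are assumptions made for the example.

```python
"""Sliding-window threshold rule for repeated firewall drops.

Added example, not ArcSight content: a generic correlation rule over
constructed, syslog-like firewall lines. The line format, field names and
sample addresses are assumptions made for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format (constructed for this example):
# "<ISO-8601 timestamp> <device> <DROP|ACCEPT> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>DROP|ACCEPT) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

THRESHOLD = 500                # drops per source/destination pair ...
WINDOW = timedelta(minutes=5)  # ... inside any span this long


def parse_line(line):
    """Parse one firewall line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate_drops(lines, critical_assets, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (src, dst) pair the first time that pair reaches
    `threshold` drops within `window`, counting only drops whose destination
    is a critical asset. Lines are expected in time order, as a connector
    would forward them; out-of-order input would need buffering first."""
    recent = defaultdict(deque)  # (src, dst) -> timestamps of drops still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "DROP" or ev["dst"] not in critical_assets:
            continue
        key = (ev["src"], ev["dst"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # evict drops that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)             # fire once per pair, not once per further drop
            alerts.append({"src": ev["src"], "dst": ev["dst"], "count": len(q),
                           "first": q[0], "last": ev["ts"]})
    return alerts


def build_sample_lines():
    """Constructed sample traffic: one source sends 600 drops to a critical
    host in 4 minutes (must fire); a second source sends 600 drops spread
    over an hour (must not fire, since no 5-minute span holds 500 of them)."""
    base = datetime(2012, 1, 25, 9, 0, 0)
    lines = []
    for i in range(600):
        ts = base + timedelta(milliseconds=400 * i)  # 600 drops in 240 s
        lines.append(f"{ts.isoformat()} fw01 DROP src=203.0.113.7 dst=10.0.0.5 dport={1000 + i}")
    for i in range(600):
        ts = base + timedelta(seconds=6 * i)         # 600 drops in 3600 s
        lines.append(f"{ts.isoformat()} fw01 DROP src=198.51.100.9 dst=10.0.0.5 dport=445")
    lines.sort(key=lambda l: datetime.fromisoformat(l.split(" ", 1)[0]))
    return lines


if __name__ == "__main__":
    for a in correlate_drops(build_sample_lines(), critical_assets={"10.0.0.5"}):
        print(f"ALERT {a['src']} -> {a['dst']}: {a['count']} drops "
              f"between {a['first']} and {a['last']}")
```

Two design points carry over to a real rule: the window is evaluated per source/destination pair rather than globally, so a slow scan from one host does not get lost in ordinary background drops, and the alert is raised once per pair when the threshold is first crossed, rather than on every subsequent drop, which is what keeps a port scan from producing hundreds of duplicate cases.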

These use cases collectively showcase how ArcSight technology can be applied across telecom operations to strengthen security monitoring, protect sensitive information, detect fraud and insider threats, manage bandwidth usage, and support operational resilience and compliance with regulatory standards.

The document also describes the platform capabilities behind the use cases. Searches combine operators such as "AND", "OR", and "NOT" to narrow an investigation. Real-time correlation evaluates events against the asset model (critical infrastructure such as databases, and user activity) and adjusts severity according to whether the targeted system is actually susceptible to the attack; an MS SQL injection signature aimed at an Oracle database, for example, is downgraded because Oracle is not susceptible to it. ESM (Enterprise Security Manager) ties monitoring into workflow, so that incidents produce timely notifications and escalations, and its reporting is customizable and compliance-oriented so that stakeholders can identify risk. Threat Detector adds pattern discovery for stealthy attacks that real-time correlation rules do not catch.

For storage, the document claims high compression for log data on a single appliance (up to 40 TB), enough to hold a year's worth of logs locally, and data modeling that gives contextual understanding of network events and assets. The solution is presented as a framework for forensic investigation, visualization, threat response, avoiding obsolescence, and threat intelligence: it stores and searches large volumes of log data, provides customizable dashboards with real-time monitoring, automates threat responses, adapts to changes in network technology through event categorization and reusable content, and integrates external threat intelligence feeds to detect malicious activity more effectively.
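The severity adjustment described above (downgrade an attack that cannot affect the targeted platform, and give weight to attacks that can hit a critical asset) depends on the asset inventory from the SOC use cases being accurate. The following is an added example of that logic, not ArcSight's own implementation: the asset inventory, the signature-to-platform susceptibility table, the event fields and the five-step severity scale are all assumptions chosen for the example.

```python
"""Asset-aware severity adjustment for correlated events.

Added example, not ArcSight's own logic: the asset inventory, signature
table, event fields and severity scale are assumptions chosen to illustrate
the idea (an attack that cannot affect the targeted platform is downgraded;
one that can reach a high-criticality asset is raised).
"""

SEVERITY = ["info", "low", "medium", "high", "critical"]  # assumed scale, lowest first

# Constructed asset inventory, the kind of data a SIEM asset model holds:
# destination IP -> platform and business criticality.
ASSETS = {
    "10.0.0.5": {"name": "billing-db-01", "platform": "oracle", "criticality": "high"},
    "10.0.0.6": {"name": "crm-db-02", "platform": "mssql", "criticality": "high"},
    "10.0.0.9": {"name": "dev-web-03", "platform": "apache", "criticality": "low"},
}

# Assumed mapping: signature -> platforms that signature can actually affect.
SUSCEPTIBLE = {
    "mssql_injection": {"mssql"},
    "oracle_tns_poison": {"oracle"},
    "generic_sql_injection": {"mssql", "oracle"},
}


def adjust_severity(event, assets=ASSETS, susceptible=SUSCEPTIBLE):
    """Return (severity, reason) for an event shaped like
    {"signature": ..., "dst": ..., "severity": ...}.

    Unknown assets and unknown signatures keep the original severity: lack of
    context must never silently downgrade an alert."""
    sev = event["severity"]
    if sev not in SEVERITY:
        raise ValueError(f"unknown severity {sev!r}")
    asset = assets.get(event["dst"])
    platforms = susceptible.get(event["signature"])
    if asset is None:
        return sev, "destination not in asset inventory; severity unchanged"
    if platforms is None:
        return sev, "no susceptibility data for signature; severity unchanged"
    if asset["platform"] not in platforms:
        return "info", (f"{asset['name']} runs {asset['platform']}, "
                        f"not affected by {event['signature']}")
    if asset["criticality"] == "high":
        idx = min(SEVERITY.index(sev) + 1, len(SEVERITY) - 1)  # raise one step, capped
        return SEVERITY[idx], f"{asset['name']} is a high-criticality {asset['platform']} host"
    return sev, f"{asset['name']} is susceptible; severity unchanged"


def triage(events):
    """Annotate each event with its final severity and reason, highest first."""
    out = []
    for ev in events:
        sev, why = adjust_severity(ev)
        out.append({**ev, "final_severity": sev, "reason": why})
    out.sort(key=lambda e: SEVERITY.index(e["final_severity"]), reverse=True)
    return out


SAMPLE_EVENTS = [  # constructed IDS-style events for the example
    {"signature": "mssql_injection", "dst": "10.0.0.5", "severity": "high"},
    {"signature": "mssql_injection", "dst": "10.0.0.6", "severity": "high"},
    {"signature": "generic_sql_injection", "dst": "10.0.0.9", "severity": "medium"},
    {"signature": "oracle_tns_poison", "dst": "10.0.0.77", "severity": "high"},
]

if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        print(f"{e['final_severity']:8} {e['signature']} -> {e['dst']}: {e['reason']}")
```

The one rule worth keeping from this sketch is the handling of missing context: a destination that is not in the inventory, or a signature with no susceptibility data, keeps its original severity. Downgrading on missing data would turn every gap in the asset inventory into a blind spot, which is the opposite of what the asset inventory use case is for.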

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
