
Sample POC Use Cases

  • Writer: Pavan Raja
  • Apr 9, 2025
  • 11 min read

Summary:

This post summarizes an ArcSight "Sample POC Use Cases" document: a list of Security Operations Center (SOC) use cases proposed for scoping an ArcSight proof of concept, together with the vendor's notes on the ArcSight ESM (Enterprise Security Manager), Logger and Threat Response Manager (TRM) capabilities behind them. These capabilities are the building blocks of incident detection, response and forensic investigation in a SOC. The main points:

1. **Correlation and forensic investigations**: ESM provides active channels, multiple dashboards and drill-down for correlating events across data sources and across layers of the OSI model, which is what makes attack patterns visible in complex, fast-changing environments.

2. **Threat response**: ESM together with TRM gives a secure and auditable response engine that can quarantine an attacker at different network layers. TRM locates the attacker on the network and suggests ways to remove the threat, either automatically by policy or manually after approval; every action generates audit events that can be used for reporting and as litigation evidence.

3. **Future-proofing and adaptability**: ESM is positioned as avoiding obsolescence through continuous feature improvement and integration with third-party tools, so it stays useful for forensic investigations and threat management as technology and threats change.

4. **Categorization and content reusability**: proprietary vendor event IDs (firewalls and IDS products from different vendors) are mapped onto one categorization schema, so rules and reports keep working when hardware or software is replaced and new technologies are added without modifying existing content.

5. **Threat intelligence collection**: integration with the HP ArcSight Threat Intelligence Solution Accelerator flags malware, advanced persistent threats and botnets by matching network access attempts against known malicious domains and IP addresses; proof-of-concept (POC) engagements are cited in which this surfaced previously undetected malicious activity.

6. **Platform user interface**: the tail of the source document is not ArcSight content but the document-management controls of the i.R.O.C.K. (Jive SBS ®) platform it was hosted on: editing, version management, moving, notifications, send-as-email, print preview, bookmarking and visibility settings.

Together these describe a security operations framework that the vendor presents as adaptable and scalable, absorbing changes in technology and threats without substantial reconfiguration.

Details:

The document "Sample POC Use Cases - Please Add to the List" is a versioned document created by Gary Freeman on January 25, 2012 and last modified by him on January 27, 2012. Its purpose is to contribute Proof of Concept (POC) scope to a scoping document for a SOC (Security Operations Center) environment. It proposes five use cases:

1. **Forensic Logging of Raw Data**: collect raw log data from various sources and store it in a format and on media suitable for compliance and litigation purposes.

2. **Event Correlation for Incident Creation**: recognize conditions across events from multiple sources and automatically notify on potential threats, compliance violations or vulnerabilities.

3. **Correlation Creation and Management**: make the automated recognition of compliance or security events easy to set up, with a simple rule-creation process.

4. **Creating and Maintaining Asset Inventory**: keep an accurate representation of the corporate network and its assets inside the SIEM, since analytics, reporting and other functions depend on it.

5. **Reporting Change and Vulnerability**: identify and report on changes to critical assets (hardware or software updates), on their vulnerabilities and on compliance issues.

These five cover log management, event correlation, asset inventory and reporting. The document then adds use cases for auditing the SIEM itself, forensic investigation tools, SOC metrics and a set of network-security scenarios covering firewall configurations, VPN/ASA settings, proxy traffic monitoring, NetFlow bandwidth utilization and unauthorized wireless access detection:

1. **Audit SIEM Solution (UC6)**: provide evidence that the SIEM itself is operating correctly, securely and in compliance.

2. **Forensic Investigation Tools (UC7)**: demonstrate the analytical tools, screens and reports available for investigating a security breach or data disclosure, including the ability to reconstruct the conditions after a breach.

3. **SOC Metrics (UC8)**: reports, dashboards and alerts specific to the Security Operations workflow, such as case management, alert handling and event-flow health.

4. **Network Security Use Cases**:

  • **Firewall Configurations**:
    • **Repeated Firewall Blocks to Critical Systems (UC9)**: alert when more than 500 firewall drops are seen for the same source/destination IP pair within a short period.
    • **Firewall - Connection to Specific Country or Competitor IP Space (UC10)**: monitor outbound connections to known risky IP ranges or to competitor address space for suspicious activity.
    • **Firewall Failure (UC11)**: alert on any firewall failure.

  • **VPN/ASA Settings**:
    • **Multiple VPN Sessions from the Same Account (UC12)**: alert when more than one VPN session is established for a single account within 60 minutes.
    • **User Authentication via VPN (UC13)**: alert on successful VPN authentication events and correlate them into user sessions, so that later activity can be attributed to the account that authenticated.

  • **Proxy Traffic Monitoring**:
    • **Outbound Traffic to Specific Country, by Protocol or by User (UC14)**: reports and dashboards of the top "N" outbound web activities.

  • **NetFlow Bandwidth Utilization**:
    • **Statistics (UC15)**: top activity by device, protocol or user, derived from NetFlow data.

  • **Unauthorized Wireless Access (UC16)**: detect unauthorized access through the wireless network at three points: a rogue MAC address on the wireless AP, communication with the financial network from an unauthorized IP, and file downloads from financial servers to the wireless network.
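
The threshold rules above (UC9, UC12) are all the same shape: count matching events per key inside a sliding time window and alert when the count reaches a limit. Here is an added example of that engine, written for this post and not taken from ArcSight; it also runs the same engine with a long window and a low threshold, which is the shape of the "low-and-slow" detection discussed further down. Event field names, rule parameters and the sample events are all constructed.

```python
"""Sliding-window threshold correlation over normalized events.

Added example, not ArcSight rule content: a minimal stand-in for the
kind of rule UC9 (more than 500 firewall drops for one source/destination
pair in a short window) and UC12 (more than one VPN session for one
account within 60 minutes) describe. The same engine with a long window
and a low threshold catches the low-and-slow password guessing that a
short real-time window misses. Event field names, the rule parameters
and the sample events are all constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Hashable, Iterable, List, Tuple

Event = Dict[str, object]                      # one normalized event
Alert = Tuple[str, Hashable, int]              # (rule name, key, count)

CRITICAL_ASSETS = {"10.0.0.5"}                 # assumed "critical systems" list


@dataclass
class WindowRule:
    name: str
    matches: Callable[[Event], bool]           # which events the rule inspects
    key: Callable[[Event], Hashable]           # what it aggregates on
    threshold: int                             # fire when the count reaches this
    window: float                              # seconds of history to keep per key
    _seen: Dict[Hashable, Deque[float]] = field(
        default_factory=lambda: defaultdict(deque), repr=False)

    def feed(self, ev: Event) -> List[Alert]:
        """Offer one event (in timestamp order); return alerts raised by it."""
        if not self.matches(ev):
            return []
        k, t = self.key(ev), float(ev["ts"])
        q = self._seen[k]
        q.append(t)
        while q and t - q[0] > self.window:    # drop timestamps outside the window
            q.popleft()
        # == rather than >= so a burst raises one alert when it crosses the line
        return [(self.name, k, len(q))] if len(q) == self.threshold else []


def run_rules(rules: List[WindowRule], events: Iterable[Event]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # tolerate out-of-order arrival
        for rule in rules:
            alerts.extend(rule.feed(ev))
    return alerts


def make_rules() -> List[WindowRule]:
    return [
        WindowRule("UC9 repeated firewall blocks to critical system",
                   matches=lambda e: e["type"] == "fw" and e["action"] == "deny"
                   and e["dst"] in CRITICAL_ASSETS,
                   key=lambda e: (e["src"], e["dst"]), threshold=500, window=300),
        WindowRule("UC12 multiple VPN sessions for one account",
                   matches=lambda e: e["type"] == "vpn" and e["outcome"] == "success",
                   key=lambda e: e["user"], threshold=2, window=3600),
        # a typical real-time brute-force rule: 10 failures in 5 minutes
        WindowRule("realtime brute force",
                   matches=lambda e: e["type"] == "auth" and e["outcome"] == "failure",
                   key=lambda e: e["src"], threshold=10, window=300),
        # the long-window variant a historical pass can afford: 20 failures in a day
        WindowRule("low-and-slow guessing",
                   matches=lambda e: e["type"] == "auth" and e["outcome"] == "failure",
                   key=lambda e: e["src"], threshold=20, window=86400),
    ]


def sample_events() -> List[Event]:
    """Constructed events; timestamps are seconds since an arbitrary epoch."""
    ev: List[Event] = []
    # 500 denied connections from one host to a critical server in two minutes
    ev += [{"ts": i * 0.24, "type": "fw", "action": "deny",
            "src": "203.0.113.5", "dst": "10.0.0.5"} for i in range(500)]
    # the same account opening a second VPN session 40 minutes after the first
    ev += [{"ts": 100, "type": "vpn", "outcome": "success", "user": "jdoe", "src": "198.51.100.7"},
           {"ts": 2500, "type": "vpn", "outcome": "success", "user": "jdoe", "src": "192.0.2.9"}]
    # one failed logon every 20 minutes for 8 hours: 24 failures, never 10 in 5 minutes
    ev += [{"ts": 1000 + i * 1200, "type": "auth", "outcome": "failure",
            "src": "192.0.2.77", "user": f"user{i % 6}"} for i in range(24)]
    return ev


def demo() -> List[Alert]:
    """Run the rules over the constructed events and return the alerts raised."""
    return run_rules(make_rules(), sample_events())


if __name__ == "__main__":
    for name, key, count in demo():
        print(f"{name}: key={key} count={count}")
```

With the constructed input the UC9 and UC12 rules fire once each, the five-minute brute-force rule never fires (the attacker spaces failures 20 minutes apart), and the 24-hour rule does. That gap is the reason the document separates real-time correlation from pattern analysis over stored history.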

Taken together, these use cases cover detection and response both in real time and after the fact. The document then turns to telecom-oriented scenarios.

**UC17**: an attacker runs a stealthy, low-rate scan of a web server intending to deface the shopping portal, which would cause embarrassment and financial loss. Correlating the scan with the known vulnerabilities of the target lets the SOC act before exploitation, by patching the host or enabling an intrusion prevention system (IPS) signature for the vulnerability.

**UC18**: auditors use SIEM functions to gather evidence for compliance assessments. Telecommunications providers are subject to multiple regulations and to public scrutiny, and ArcSight's real-time monitoring and reporting are presented as supporting those regulatory standards.

**UC19**: automated SLA (Service Level Agreement) management for the telecom IT infrastructure, covering both operational and security SLAs, to keep operating costs low while maintaining performance and reliability.

**UC20**: log management in telecommunications companies, where communications data must be retained for compliance; ArcSight's scalable logging is presented as a foundation for both security and IT operations.

**UC21**: the Telco migration to an IP backbone and the adoption of the IMS (IP Multimedia Subsystem) framework are an opportunity to write security monitoring into the specification of the new network by placing collection points throughout it.

The next group covers real-time monitoring of third-party contractors, privileged users, call centers and application usage, all aimed at detecting misuse, fraud and data leakage:

**UC22 - Third-Party Contractor Monitoring**: ArcSight monitors third-party users and alerts security staff on misuse or anomalies; logical segregation, user monitoring, session correlation and domain fields are named as the useful features.

**UC23 - Privileged User Monitoring**: privileged users perform critical operations and changes in the telecom environment and need close monitoring. ArcSight integrates with Identity and Access Management solutions to attach user information to events and to judge activity against the user's intended role, detecting misuse, fraud and data leakage in real time.

**UC24 - Call Center**: call centers handle sensitive customer data and have access to core systems. ArcSight monitors VoIP logs and correlates them with customer-record activity to establish a baseline of normal behavior; significant deviations may indicate an insider threat.

**UC25 - Application Usage Monitoring for Misuse and Fraud**: access and usage patterns of critical applications such as provisioning and billing systems, by employees and partners alike, are monitored. ArcSight provides SmartConnectors for many business applications and FlexConnectors for the rest, so the data can be collected and misuse, fraud and data leakage detected proactively.

**UC26 - Critical Systems Monitoring**: monitoring of the infrastructure that supports the processes critical to Telco uptime.
ArcSight supports UC26 with automatic alerts for unscheduled downtime, changes made without the required privilege and failed patches, and with custom SLA and business-continuity dashboards and reports tailored to each customer.

**UC27 - Sensitive Data Protection**: beyond integrating with DLP, DAM and IPS/IDS products, ArcSight lets customers maintain their own lists of files and directories holding sensitive data (customer data, product plans, financial data, employee data, strategic plans) and monitor access to them for regulatory compliance.

**UC28 - Web Portal Monitoring**: as more services move online, websites and portals become targets of both attacks and fraud; ArcSight provides automated monitoring and alerting for them.

Competitive advantage use cases:

**UC29 - Bandwidth Throttling**: event flow across a distributed network is managed with compression, batching, time delay, committed bit rate, aggregation and filtering. During an attack, rate-limiting and caching at the collection point keep the event flood from saturating the WAN.

**UC30 - Unified Search Interface**: ArcSight Logger offers one search interface that unifies its search methods (structured/field-based, unstructured/raw and regex) in the same window, so an analyst does not switch tools when a query mixes data types.

The document then describes ArcSight's threat evaluation, which scores each event against real-time context: IDM user roles, critical-asset lists, vulnerability data, zone information, attack susceptibility and watchlists. The aim is fewer false positives and closer attention to critical infrastructure. Two examples are given. An exploit for Microsoft SQL Server aimed at a host running an Oracle database is down-ranked, because the target is not susceptible to that attack. Conversely, a privileged user plugging a USB thumb drive into a critical host late at night produces only low-severity events from the sensors, but the user's elevated privileges and the asset's sensitivity raise the priority, triggering notifications and a workflow for a possible breach.

ESM also provides an integrated process framework that ties monitoring and investigation into existing workflow procedures: forensic teams are notified in time, every incident response leaves a clear audit trail, and escalation is possible within a team or across teams through the workflow tools (Incident Management, Event Manager and Logger). Metrics such as notifications, cases and escalations measure progress and response times; for instance, a notification must be acknowledged within a severity-dependent time, or it is escalated to the second-level response team.

Reporting is built with a drag-and-drop Boolean interface, so no SQL or scripting knowledge is needed. Because the reports run on normalized, categorized data from many vendors they survive vendor changes, and they span technical, operational and trend reports, with customizable templates giving business-level views of security status and regulatory requirements.
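
The two threat-evaluation examples above can be made concrete with a small scoring function. This is an added example written for this post, not ArcSight's own priority formula: it starts from the sensor's severity and adjusts it using an asset model (what software the target runs, how critical it is), an identity feed (whether the actor is privileged) and time of day, with attack susceptibility applied last as a cap. The asset table, role table, weights and sample events are constructed.

```python
"""Context-aware severity scoring (added example, not ArcSight's formula).

A Microsoft SQL Server exploit aimed at an Oracle host is capped low because
the target is not susceptible; a low-severity USB-mount event from a
privileged user on a critical host at 02:00 is raised to the top. Asset and
identity tables, weights and thresholds are all constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    products: frozenset      # software the asset model / vulnerability scan found
    criticality: int         # 1..10 from the asset model


# Constructed asset model and IDM role feed.
ASSETS: Dict[str, Asset] = {
    "10.0.0.5": Asset(frozenset({"oracle-db"}), 9),
    "10.0.0.20": Asset(frozenset({"mssql"}), 5),
}
ROLES: Dict[str, str] = {"alice": "dba-privileged", "bob": "staff"}
PRIVILEGED_ROLES = {"dba-privileged", "domain-admin"}


@dataclass
class Event:
    name: str
    device_severity: int        # 1..10 as reported by the sensor
    target: str                 # destination host
    user: str = ""              # actor, if the sensor knows it
    hour: int = 12              # local hour of the event
    targets_product: str = ""   # product the signature exploits, if any


def evaluate(ev: Event) -> Dict[str, object]:
    """Return the adjusted priority, whether to escalate, and why."""
    asset = ASSETS.get(ev.target)
    score, reasons = ev.device_severity, []
    if asset and asset.criticality >= 8:
        score += 3
        reasons.append("critical asset")
    if ROLES.get(ev.user) in PRIVILEGED_ROLES:
        score += 3
        reasons.append("privileged user")
    if ev.hour < 6 or ev.hour >= 22:
        score += 2
        reasons.append("outside business hours")
    # Attack susceptibility overrides the rest: an exploit for software the
    # target does not run cannot succeed, so it is capped low (not dropped,
    # because the attempt itself is still worth seeing in a report).
    if ev.targets_product and asset and ev.targets_product not in asset.products:
        score = min(score, 3)
        reasons.append("target not susceptible")
    score = max(1, min(10, score))
    return {"priority": score, "escalate": score >= 8, "reasons": reasons}


SAMPLE_EVENTS: List[Event] = [
    Event("MSSQL exploit attempt vs Oracle host", 8, "10.0.0.5", targets_product="mssql"),
    Event("MSSQL exploit attempt vs MSSQL host", 8, "10.0.0.20", targets_product="mssql"),
    Event("USB storage mounted, DBA at 02:00", 2, "10.0.0.5", user="alice", hour=2),
    Event("USB storage mounted, staff at 14:00", 2, "10.0.0.20", user="bob", hour=14),
]


def demo() -> Dict[str, int]:
    """Adjusted priority for each constructed event."""
    return {ev.name: evaluate(ev)["priority"] for ev in SAMPLE_EVENTS}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.name, evaluate(ev))
```

The order matters: the susceptibility cap is applied after the additive factors so that a non-applicable exploit against a critical host still ends up low, whereas applying it first and then adding the criticality bonus would push it back up. The same structure accepts a watchlist hit as one more additive factor.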
ArcSight also includes a Threat Detector module that analyzes stored historical data for patterns a real-time correlation rule cannot see. The example given is the low-and-slow attack, in which the attacker guesses passwords a few times per hour over days, deliberately staying below the rate at which a short-window rule would fire; a pass over the history with a much longer window exposes it.

The document's storage requirements are stated as: at least 40 TB of compressed log data on one appliance without external storage; a year of log data held locally on disk; and, for forensic investigations, the ability to restore a year's worth of historical log files onto a single appliance and run complex pattern searches and reports against terabytes of data quickly. The ArcSight Logger appliance is cited as storing more than 42 TB of event data in a digitally signed, indexed format, the signing being what lets an investigator show that retained logs were not altered.

ESM is described as the forensic investigation front end: advanced operators behind a simple interface, direct bi-directional integration with Logger (ESM can pull data from Logger into an investigation) and proper case management. The ESM console is a Java-based application running in the Java Virtual Machine, and it provides real-time data monitors, active channels, multiple dashboards and drill-down for correlation and forensic investigation.

For threat response, ESM and ArcSight Threat Response Manager (TRM) provide a secure and auditable response engine that can quarantine attackers at various layers of the OSI model. TRM locates the attacker on the network and suggests ways to remove the threat, either automatically by policy or manually after approval; the actions generate audit events in ESM that can be used for reporting and as high-quality litigation evidence. ESM is also presented as avoiding obsolescence through continuous improvement of its features and integration with third-party applications, so it remains useful for forensic investigations and threat management.

On categorization and content reusability: ArcSight supports firewalls and IDS products from many vendors, and the stated requirement is that new technology integrate without modifying existing content. Proprietary vendor event IDs are mapped onto one categorization schema, so every report continues to work when hardware or software is replaced, for example when Juniper firewalls are swapped for Cisco. This only holds for rules and reports written against the categories; content keyed to a vendor's own event IDs has to be rewritten on every replacement. Additionally, ArcSight integrates with the HP ArcSight Threat Intelligence Solution Accelerator for threat intelligence collection.
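
The vendor-to-category mapping described in the categorization passage above, as an added example written for this post rather than ArcSight SmartConnector code: two constructed firewall log lines, one in the style of a Cisco ASA syslog message and one in the style of a Juniper SRX structured-syslog message, are parsed into the same record, and one rule written against the common fields matches both. The output field names imitate the CEF/ArcSight naming style but are this example's own choice, as are the sample lines and regexes.

```python
"""Normalizing vendor-specific firewall events onto one category schema.

Added example, not ArcSight SmartConnector code. It parses a constructed
Cisco ASA line and a constructed Juniper SRX structured-syslog line into
the same record, so a rule or report written against the common fields
keeps working when a Juniper firewall is replaced by a Cisco one. Field
names imitate the CEF/ArcSight style but are this example's own choice.
"""
import re
from typing import Dict, List, Optional

# Constructed samples in the approximate on-the-wire format of each vendor.
SAMPLES: List[str] = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.0.0.5/22 '
    'by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="203.0.113.5" '
    'source-port="4444" destination-address="10.0.0.5" destination-port="22" '
    'protocol-id="6" policy-name="deny-all"]',
    '%ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.5/5000 '
    '(203.0.113.5/5000) to inside:10.0.0.5/443 (10.0.0.5/443)',
]

ASA_DENY = re.compile(r'%ASA-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<spt>\d+) '
                      r'dst \w+:(?P<dst>[\d.]+)/(?P<dpt>\d+)')
ASA_BUILT = re.compile(r'%ASA-\d-302013: Built \w+ (?P<proto>\w+) connection \d+ '
                       r'for \w+:(?P<src>[\d.]+)/(?P<spt>\d+) .* to \w+:(?P<dst>[\d.]+)/(?P<dpt>\d+)')
SRX_SESSION = re.compile(r'RT_FLOW_SESSION_(?P<what>DENY|CREATE) \[(?P<body>[^\]]*)\]')
SRX_KV = re.compile(r'(?P<k>[\w-]+)="(?P<v>[^"]*)"')
IP_PROTO = {"6": "tcp", "17": "udp", "1": "icmp"}


def _record(vendor: str, product: str, event_id: str, src: str, spt: str,
            dst: str, dpt: str, proto: str, denied: bool) -> Dict[str, str]:
    """Common schema: vendor fields kept for drill-down, categories for rules."""
    return {
        "device_vendor": vendor, "device_product": product, "device_event_id": event_id,
        "src": src, "spt": spt, "dst": dst, "dpt": dpt, "proto": proto,
        "device_action": "deny" if denied else "permit",
        "category_device_group": "/Firewall",
        "category_behavior": "/Access",
        "category_outcome": "/Failure" if denied else "/Success",
    }


def normalize(line: str) -> Optional[Dict[str, str]]:
    """Map one raw line to the common schema; None if the line is not recognised."""
    m = ASA_DENY.match(line)
    if m:
        return _record("Cisco", "ASA", "106023", m["src"], m["spt"], m["dst"], m["dpt"],
                       m["proto"].lower(), denied=True)
    m = ASA_BUILT.match(line)
    if m:
        return _record("Cisco", "ASA", "302013", m["src"], m["spt"], m["dst"], m["dpt"],
                       m["proto"].lower(), denied=False)
    m = SRX_SESSION.search(line)
    if m:
        kv = dict(SRX_KV.findall(m["body"]))       # key="value" pairs inside [...]
        return _record("Juniper", "SRX", "RT_FLOW_SESSION_" + m["what"],
                       kv["source-address"], kv["source-port"],
                       kv["destination-address"], kv["destination-port"],
                       IP_PROTO.get(kv.get("protocol-id", ""), "unknown"),
                       denied=(m["what"] == "DENY"))
    return None


def denied_to(records: List[Dict[str, str]], critical: set) -> List[Dict[str, str]]:
    """Vendor-neutral rule: blocked access to a critical host, whichever firewall saw it."""
    return [r for r in records
            if r["category_outcome"] == "/Failure" and r["dst"] in critical]


def demo() -> List[str]:
    """Vendors whose events matched the rule, in sample order."""
    records = [r for r in map(normalize, SAMPLES) if r is not None]
    return [r["device_vendor"] for r in denied_to(records, {"10.0.0.5"})]


if __name__ == "__main__":
    for line in SAMPLES:
        print(normalize(line))
    print(demo())
```

The rule in `denied_to` never looks at `device_event_id`; that is the whole point. When the vendor changes, only `normalize` gains a new branch, and every rule and report above it is untouched.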
The Threat Intelligence Solution Accelerator automatically collects open-source threat intelligence from the internet and matches network access attempts against known malicious domains and IP addresses to identify malware, advanced persistent threats, botnets and similar activity. Its effectiveness is claimed on the basis of proof-of-concept (POC) engagements in which it detected malicious activity the customer had not seen before. Overall, these capabilities are what the document offers as a future-proof, adaptable security operations framework able to absorb changes in technology and threats without significant changes to existing configurations.

The remainder of the source document is not ArcSight content but the document-management controls of the platform it was hosted on, i.R.O.C.K. powered by Jive SBS ® 4.0.11. The interface provides various actions and options for users to manage their interactions with the content:

  • **Edit document**: modify the content in place on the platform.

  • **Manage versions**: track and manage the document's revisions.

  • **Move document**: relocate the document to another section of the platform.

  • **Receive / Stop email notifications**: opt in to, or out of, email alerts about updates, comments and other actions on the document.

  • **Send as email**: email a copy of the document to others.

  • **View print preview**: show the document as it will appear when printed.

  • **Bookmark this**: save the document for quick access, either publicly or privately; **Bookmarked By (9)** shows that nine users had bookmarked it, a rough gauge of interest.

  • **View** ("Everyone", "Connections", "Only Notes"): options that scope what is shown by the viewer's relationship to other users.

  • **Retrieving data ...**: placeholder shown while bookmark and link data loads.

  • **Incoming Links**: other pages that link to this document; the one shown was "Where can I find the proof of concept scoping guides?", which places this list within the platform's POC scoping documentation.
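
The threat-intelligence collection described above comes down to matching what hosts try to reach against a list of known-bad indicators. The following is an added example written for this post, not the HP ArcSight Threat Intelligence Solution Accelerator: it loads a small constructed indicator list of domains and IP ranges and checks constructed DNS and proxy records against it, matching domains on themselves and any subdomain and IPs on exact address or CIDR block. All indicator values, record fields and addresses are constructed (RFC 5737 and `.example` space).

```python
"""Matching outbound access attempts against a threat-intelligence list.

Added example, not the HP ArcSight Threat Intelligence Solution Accelerator.
Domain indicators match the name itself and any subdomain of it; IP
indicators are stored as networks so a single address and a CIDR block are
handled the same way. Indicators and log records are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed indicator feed: (indicator, kind, tag). The tags are labels only.
INDICATORS: List[Tuple[str, str, str]] = [
    ("c2.badnet.example", "domain", "botnet-c2"),
    ("203.0.113.0/24", "cidr", "bot-hosting"),
    ("198.51.100.23", "ip", "apt-dropper"),
]

# Constructed DNS and proxy records as a normalized collector would emit them.
RECORDS: List[Dict[str, str]] = [
    {"type": "dns", "src": "10.0.1.15", "query": "www.c2.badnet.example"},
    {"type": "proxy", "src": "10.0.1.22", "dst": "203.0.113.77",
     "url": "http://203.0.113.77/update.bin"},
    {"type": "proxy", "src": "10.0.1.9", "dst": "93.184.216.34", "url": "http://example.com/"},
    {"type": "dns", "src": "10.0.1.15", "query": "badnet.example"},   # parent, not listed
]


class IndicatorSet:
    def __init__(self, feed: Iterable[Tuple[str, str, str]]) -> None:
        self.domains: Dict[str, str] = {}
        self.nets = []                                  # (ip_network, tag)
        for value, kind, tag in feed:
            if kind == "domain":
                self.domains[value.lower().rstrip(".")] = tag
            else:                                       # "ip" and "cidr" alike
                self.nets.append((ipaddress.ip_network(value, strict=False), tag))

    def match_domain(self, name: str) -> Optional[str]:
        """Walk up the name: a.b.c.example -> b.c.example -> c.example (never the TLD)."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            tag = self.domains.get(".".join(labels[i:]))
            if tag:
                return tag
        return None

    def match_ip(self, addr: str) -> Optional[str]:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:                              # not an IP at all
            return None
        for net, tag in self.nets:
            if ip in net:                               # False across IPv4/IPv6
                return tag
        return None


def scan(records: Iterable[Dict[str, str]], iset: IndicatorSet) -> List[Dict[str, object]]:
    """Return one hit per record that touched a listed domain or address."""
    hits: List[Dict[str, object]] = []
    for r in records:
        tag = None
        if r["type"] == "dns":
            tag = iset.match_domain(r["query"])
        elif r["type"] == "proxy":
            tag = iset.match_ip(r["dst"])
        if tag:
            hits.append({"src": r["src"], "indicator_tag": tag, "record": r})
    return hits


def demo() -> List[Tuple[str, str]]:
    """(internal source, indicator tag) for every hit in the constructed records."""
    iset = IndicatorSet(INDICATORS)
    return [(h["src"], h["indicator_tag"]) for h in scan(RECORDS, iset)]


if __name__ == "__main__":
    print(demo())
```

The parent-domain record (`badnet.example`) deliberately does not match: the list names `c2.badnet.example`, and matching upward would turn every indicator into a block on its whole registrable domain. Suffix matching goes in one direction only.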

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
