Service Account Initial Anomaly Detection Use Case Process
- Pavan Raja
- Apr 9
- 2 min read
Summary:
The "Service Account Initial Anomaly Detection Use Case Process" is a version 2 document created by Robert Sandoval on August 1, 2011 and last modified by Luke Leboeuf on August 22, 2011. It is written for ArcSight clients whose development, operational, and administrative processes in predominantly Unix-based enterprise environments suffer from skill gaps or from deliberately accepted risk. Its focus is securing services as part of system hardening, using anomaly detection built only on the basic log consolidation, query, trend, and reporting capabilities of ESM (ArcSight Enterprise Security Manager).
The document outlines a process to identify: 1) services running on Unix-based systems, 2) the system or user accounts under which those services run, 3) how often each service runs, and 4) systems that are not adequately hardened according to industry standards or organizational policy. It applies to environments where only operating system logs are available for this work, because the solution architecture or data obfuscation prevents any other system from seeing the commands executed on the end systems. Other vendors and products offer more advanced forms of anomaly detection; this document covers only the initial use case in such scenarios.
Details:
The document titled "Service Account Initial Anomaly Detection Use Case Process.docx" is a version 2 document created by Robert Sandoval on August 1, 2011 and last modified by Luke Leboeuf on August 22, 2011. It describes the process, with examples, for opening anomaly detection discussions with clients who rely on Unix-based system logs, particularly those running predominantly Unix-based enterprise environments.
Its purpose is to give ArcSight clients whose development, operational, or administrative processes are still immature a method for securing their services during system hardening. It calls out two common causes of that immaturity: skill gaps, and risk that is deliberately accepted to keep up with aggressive application and service release cycles. It also stresses that the confidentiality, integrity, and availability of data must be protected through enterprise security policy and through persistent testing for compliance with audit and regulatory requirements.
The document outlines a process called the Service Account Initial Anomaly Detection Use Case Process, designed so that ArcSight clients can use the basic log consolidation, query, trend, and reporting capabilities of ESM (Enterprise Security Manager) to discover how system services are deployed and operated. This includes identifying:
1. Services running on Unix-based systems
2. System/user accounts under which these services are running
3. How often these services run
4. Systems that have not been adequately hardened according to industry standards, organizational policies, etc.
The document restricts the process to environments where only operating system logs can be used, because the solution architecture or data obfuscation prevents other systems from reading the commands executed on end systems. It also notes that vendors and products exist that perform other forms of anomaly detection beyond the scope of this document; the process is intended as an initial use case in such scenarios.
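As an added example (not code from the ArcSight document or from ArcSight ESM), the following Python script carries out the four steps above over operating system logs alone: it consolidates standard Linux cron and sudo syslog lines, builds a per-host inventory of services, the accounts they run under and their run counts, and then reports deviations. The log lines, the policy table mapping services to their expected accounts, the baseline/review split, and the frequency threshold are all constructed for illustration.

```python
"""Service-account inventory and anomaly reporting from Unix syslog lines.

Added example, not from the ArcSight document: it uses only OS logs, in the
standard Linux cron and sudo syslog layouts.  All sample lines, the policy
table and the threshold below are constructed for illustration.
"""
import re
from collections import Counter

# Standard layouts written by cron ("(user) CMD (command)") and by sudo
# ("invoker : TTY=... ; USER=target ; COMMAND=...") on Linux systems.
CRON_RE = re.compile(
    r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) CRON\[\d+\]: "
    r"\((?P<account>[^)]+)\) CMD \((?P<cmd>.*)\)$"
)
SUDO_RE = re.compile(
    r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) sudo:\s+\S+ : "
    r".*USER=(?P<account>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed baseline window: one day of known-good activity.
BASELINE_LOGS = """\
Aug 21 01:00:01 web01 CRON[2011]: (backup) CMD (/usr/local/bin/backup.sh)
Aug 21 02:00:01 web01 CRON[2090]: (backup) CMD (/usr/local/bin/backup.sh)
Aug 21 03:00:01 web01 CRON[2145]: (backup) CMD (/usr/local/bin/backup.sh)
Aug 21 01:05:01 db01 CRON[701]: (postgres) CMD (/usr/bin/vacuumdb --all)
Aug 21 13:05:01 db01 CRON[745]: (postgres) CMD (/usr/bin/vacuumdb --all)
Aug 21 09:41:12 db01 sshd[760]: Accepted publickey for dba from 10.0.0.9 port 50112 ssh2
"""

# Constructed review window: the day under examination.
REVIEW_LOGS = """\
Aug 22 01:00:01 web01 CRON[2211]: (backup) CMD (/usr/local/bin/backup.sh)
Aug 22 02:00:01 web01 CRON[2290]: (backup) CMD (/usr/local/bin/backup.sh)
Aug 22 03:00:01 web01 CRON[2345]: (backup) CMD (/usr/local/bin/backup.sh)
Aug 22 03:10:01 web01 CRON[2400]: (backup) CMD (/usr/bin/python3 /tmp/sync.py)
Aug 22 01:05:01 db01 CRON[801]: (postgres) CMD (/usr/bin/vacuumdb --all)
Aug 22 05:05:01 db01 CRON[822]: (postgres) CMD (/usr/bin/vacuumdb --all)
Aug 22 09:05:01 db01 CRON[846]: (postgres) CMD (/usr/bin/vacuumdb --all)
Aug 22 13:05:01 db01 CRON[869]: (postgres) CMD (/usr/bin/vacuumdb --all)
Aug 22 17:05:01 db01 CRON[893]: (postgres) CMD (/usr/bin/vacuumdb --all)
Aug 22 02:30:01 db01 CRON[870]: (root) CMD (/usr/bin/vacuumdb --all)
Aug 22 03:20:11 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

# Assumed hardening policy: the dedicated account each service must run as.
# A real deployment takes this from the organisation's build standard.
EXPECTED_ACCOUNT = {
    "/usr/local/bin/backup.sh": "backup",
    "/usr/bin/vacuumdb --all": "postgres",
}
# Assumed trend threshold: flag a known pairing that runs more than this
# many times its baseline count.
FREQUENCY_FACTOR = 2


def parse_events(text):
    """Normalise cron and sudo lines into (host, account, service) tuples.

    Lines in neither layout (e.g. the sshd line above) are skipped; with
    only OS logs available, these two sources are what records which
    commands actually ran and under which account.
    """
    events = []
    for line in text.splitlines():
        m = CRON_RE.match(line) or SUDO_RE.match(line)
        if m:
            events.append((m["host"], m["account"], m["cmd"]))
    return events


def inventory(events):
    """Steps 1-3: which services ran, under which account, how many times."""
    return Counter(events)


def find_anomalies(baseline_events, review_events, policy=EXPECTED_ACCOUNT):
    """Step 4 (policy check) plus first-seen and frequency checks.

    Returns (kind, host, account, service, count) tuples, sorted by host,
    account and service so the report is stable.
    """
    known = inventory(baseline_events)
    findings = []
    for key, count in sorted(inventory(review_events).items()):
        host, account, cmd = key
        expected = policy.get(cmd)
        if expected and account != expected:
            # Service running as the wrong (here: privileged) account.
            findings.append(("policy_violation", host, account, cmd, count))
        elif key not in known:
            # Account running something never seen in the baseline.
            findings.append(("new_pairing", host, account, cmd, count))
        elif count > FREQUENCY_FACTOR * known[key]:
            # Known service, but its run rate has changed markedly.
            findings.append(("frequency_shift", host, account, cmd, count))
    return findings


if __name__ == "__main__":
    base = parse_events(BASELINE_LOGS)
    review = parse_events(REVIEW_LOGS)
    for (host, account, cmd), n in sorted(inventory(review).items()):
        print(f"{host:6} {account:9} x{n:<2} {cmd}")
    for finding in find_anomalies(base, review):
        print("ALERT", *finding)
```

In ESM terms the inventory is the trend and report, and the three finding kinds are the initial rules, each judged against a baseline window rather than a fixed list. The sshd line in the baseline shows the cost of an OS-log-only design: anything outside the layouts you parse is silently dropped, so the parsers, not the rules, decide what the use case can see.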