SourceFire High Impact Correlated Intrusion Event Use Case
- Pavan Raja

- Apr 8, 2025
- 3 min read
Summary:
The document "SourceFire 'High Impact' Correlated Intrusion Event Use Case Version 5.0 Patch 2" explains how ArcSight customers can feed Sourcefire IPS and Real-time Network Awareness (RNA) events into ESM (Enterprise Security Manager) for network intrusion monitoring. With RNA host data available, the impact flag attribute on each IPS event moves from its default 'Unknown' value to a defined impact value and color, letting analysts spot the events that matter. The use case is aimed at environments without advanced correlation capabilities of their own and concentrates on events whose impact flag is 'Red' (target known to be vulnerable) or 'Orange' (target potentially vulnerable). It supplies a starting set of rules that filter on these IPS event attributes so that only high-impact events are passed on for action. Depending on the maturity of the environment, that action ranges from direct human triage in less developed setups to retrospective analysis through reports and dashboards in more advanced ones. The net effect is lower event noise, because attention is focused on intrusions that both the IPS and RNA indicate are significant.
Details:
The document titled "SourceFire 'High Impact' Correlated Intrusion Event Use Case Version 5.0 Patch 2" outlines how ArcSight customers can integrate Sourcefire IPS and RNA for network intrusion monitoring. When the two are combined, the impact flag event attribute in the Sourcefire system moves from its default value of 'Unknown' (0) to a defined impact value and color that aids security analysis within ESM (Enterprise Security Manager). Table 1 in the document lists each impact flag value with its color and description.
The use case is designed so that security analysts can quickly see high-impact network security events aimed at assets that Sourcefire RNA has identified as vulnerable or potentially vulnerable. It is particularly useful in less mature IT environments, because it narrows attention to a small set of correlated, critical intrusion events. The document stresses that this is where the use case adds the most value: environments that lack the advanced correlation capabilities found in more mature deployments.
The document also describes how to manage and filter event noise in environments that have no dedicated vulnerability-scanning technology, relying instead on the Sourcefire IPS together with the passive host profiling of Real-time Network Awareness (RNA). It offers starting-point conditions for tuning the filtering policy: events carrying a 'Red' impact flag (target known to be vulnerable) or an 'Orange' impact flag (target potentially vulnerable) are treated as important, and everything else as lower priority.
The rules look at the attributes of incoming IPS events and pass through only those flagged 'Red' or 'Orange'. The impact flag itself is set by the Defense Center, which correlates each IPS event against the host data RNA has collected. Both the IPS and RNA event streams reach ESM through the eStreamer API, but only events whose flag color indicates a vulnerable or potentially vulnerable target are selected for further action.
What that action is depends on the maturity of the operational environment. In less mature environments, the filtered alerts are routed to human analysts for immediate triage, while more advanced deployments can use reports or dashboards for retrospective analysis of the IPS data. Either way, the approach reduces overall event noise by concentrating attention on the critical issues that both IPS and RNA evidence point to.
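As an added illustration (not code from the ArcSight use case document, and not Sourcefire's or ArcSight's own connector logic), the following Python implements the filtering rule described above over a handful of constructed CEF-style event lines: it reads the impact flag from each IPS event, keeps only Red and Orange events, and routes them to a triage queue or a reporting bucket depending on the environment's maturity. The CEF extension key `impactFlag`, the numeric codes 1 and 2 for Red and Orange, and the sample signature IDs are assumptions made for this example, not the connector's documented field mapping.

```python
"""Added example: apply the 'High Impact' filtering rule to Sourcefire IPS events.

This is illustration code, not from the ArcSight use case document. The CEF
lines below are constructed, and the extension key 'impactFlag' plus the codes
1 (Red) and 2 (Orange) are assumptions for this example, not a documented
connector mapping.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Impact flag values as the use case describes them: 0 is the default 'Unknown';
# Red marks a target RNA knows to be vulnerable, Orange a potentially vulnerable one.
# The numeric codes for Red and Orange are assumed here.
IMPACT_FLAGS = {
    0: ("Unknown", "Gray"),
    1: ("Vulnerable", "Red"),
    2: ("Potentially vulnerable", "Orange"),
}
HIGH_IMPACT_COLORS = {"Red", "Orange"}

# Constructed sample events in CEF format (product names and signature IDs are made up).
SAMPLE_EVENTS = [
    "CEF:0|Sourcefire|IPS|5.0|1:1000001|SQL injection attempt|8|src=10.0.0.5 dst=10.0.1.20 dpt=80 impactFlag=1",
    "CEF:0|Sourcefire|IPS|5.0|1:1000002|Web server version probe|3|src=10.0.0.9 dst=10.0.1.21 dpt=80 impactFlag=2",
    "CEF:0|Sourcefire|IPS|5.0|1:1000003|ICMP ping sweep|2|src=10.0.0.7 dst=10.0.1.22 impactFlag=0",
    "CEF:0|Sourcefire|IPS|5.0|1:1000001|SQL injection attempt|8|src=10.0.0.5 dst=10.0.1.23 dpt=80",
    "Apr  8 12:00:00 sensor1 sshd[123]: not a CEF event at all",
]


@dataclass
class IpsEvent:
    signature: str
    name: str
    src: str
    dst: str
    impact: int


def parse_cef_extension(ext: str) -> Dict[str, str]:
    """Split the CEF extension into key=value pairs.

    Values may contain spaces, so split only at whitespace that is followed by
    another 'key=' token instead of splitting on every space.
    """
    fields: Dict[str, str] = {}
    for part in re.split(r"\s+(?=[A-Za-z0-9_]+=)", ext.strip()):
        key, _, value = part.partition("=")
        if key:
            fields[key] = value
    return fields


def parse_cef(line: str) -> Optional[IpsEvent]:
    """Parse one CEF:0 line; return None for lines that are not CEF events.

    Header layout: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
    Pipes inside header fields are escaped as backslash-pipe, so split on unescaped pipes only.
    """
    if not line.startswith("CEF:"):
        return None
    header = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(header) != 8:
        return None
    ext = parse_cef_extension(header[7])
    try:
        impact = int(ext.get("impactFlag", "0"))  # missing flag == default 'Unknown'
    except ValueError:
        impact = 0
    return IpsEvent(signature=header[4], name=header[5],
                    src=ext.get("src", ""), dst=ext.get("dst", ""), impact=impact)


def impact_color(event: IpsEvent) -> str:
    """Map the numeric impact flag to its color; codes not in the table count as Gray."""
    return IMPACT_FLAGS.get(event.impact, ("Unknown", "Gray"))[1]


def is_high_impact(event: IpsEvent) -> bool:
    """The use case's rule condition: only Red or Orange events are worth acting on."""
    return impact_color(event) in HIGH_IMPACT_COLORS


def route_events(lines: Iterable[str], mature_environment: bool) -> Dict[str, List[IpsEvent]]:
    """Run the filter over a stream of lines and route the survivors.

    High-impact events go to 'triage' (direct human handling) in an immature
    environment, or to 'report' (retrospective dashboards/reports) in a mature one.
    Everything else is kept under 'noise' so the reduction can be measured.
    """
    action = "report" if mature_environment else "triage"
    routed: Dict[str, List[IpsEvent]] = {"triage": [], "report": [], "noise": []}
    for line in lines:
        event = parse_cef(line)
        if event is None:
            continue  # not an IPS event; nothing to correlate
        routed[action if is_high_impact(event) else "noise"].append(event)
    return routed


if __name__ == "__main__":
    result = route_events(SAMPLE_EVENTS, mature_environment=False)
    for bucket, events in result.items():
        print(f"{bucket}: {[(e.name, e.dst, impact_color(e)) for e in events]}")
```

Run as-is to see two events land in `triage` (the Red and Orange ones) and two in `noise`; the event with no `impactFlag` field is deliberately treated as the default 'Unknown' rather than guessed at, which is the conservative choice when RNA has no host data for the target.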