Technical Use Cases with ArcSight ESM
- Pavan Raja
- Apr 9
- 8 min read
Summary:
This text outlines a comprehensive approach to managing user accounts and enforcing company policies on unauthorized use of resources such as USB devices through automated monitoring tools like ArcSight. The document emphasizes the importance of confidentiality and security measures for preventing unauthorized data transfer from confidential assets. If a USB device is connected to such a system, it triggers a notification that is flagged as suspicious, so that security analysts can act immediately and manage potential insider threats more efficiently than with manual log reviews.
The rule implemented within ArcSight aims to detect when a USB device is used on a system containing confidential data and to disable access to mass storage devices as part of the organization's cybersecurity strategy. This helps in mitigating the risk of sensitive information being copied or removed covertly, especially by internal threats. The use of ArcSight to capture operating system logs that provide evidence of attempts to insert unauthorized devices is crucial for confirming violations and triggering alerts promptly.
The primary benefit of this rule is the immediate notification to security analysts about policy violations, which enables them to manage potential insider threats more effectively than with manual log reviews. This feature helps organizations detect malicious activities that might otherwise go unnoticed until it is too late, ensuring a comprehensive cybersecurity strategy with advanced tools like ArcSight for proactive threat detection and response.
In summary, this document highlights the importance of implementing strict policies and utilizing automated monitoring tools such as ArcSight to prevent unauthorized access to sensitive information through USB devices and other resources, thereby safeguarding confidential assets from internal threats while maintaining operational efficiency.
Details:
In this scenario, an attacker uses a zero-day worm (like Zotob) to exploit vulnerabilities in critical services such as MS SQL or MSRPC DCOM. These worms self-propagate and target systems by injecting executable code, gaining administrative privileges, and spreading across networks. Traditional firewalls and intrusion detection/prevention systems may not effectively stop these attacks because of the worms' ability to find and exploit new vulnerabilities quickly.
To combat this threat, a security tool like ArcSight ESM is necessary for identifying, diagnosing, and isolating the worm's progress within the network. This helps in detecting even those instances where firewalls or IDS/IPS might miss the attack. The key challenge remains that while such tools can detect and potentially block some aspects of the attack, they cannot guarantee complete prevention without proper configuration and continuous monitoring.
In summary, effective defense against these types of attacks requires a combination of robust network security measures (like using ArcSight ESM) to quickly identify and isolate worm-based threats before they can significantly disrupt network functionality or compromise sensitive data.
This text discusses network security measures implemented to combat worm attacks, specifically focusing on rules and configurations for detecting and mitigating such threats using ArcSight. The rule set targets specific characteristics of worm activity by looking for systems connecting to multiple devices within a minute, except those associated with infrastructure services like mail, domain, and proxy servers. Unique target addresses and identical attacker and target ports are key indicators identified by the Possible Network Sweep rule.
Worm Outbreak correlation is triggered when both Possible Network Sweep and Target Port Activity rules are active, indicating a potential worm outbreak where the same attacker and target port are involved in multiple events. ArcSight's ability to collect event information from various devices allows it to detect even "zero-day" attacks without relying on traditional intrusion detection products, providing an advantage in quickly identifying and containing infected networks.
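As an added illustration (not code from the original page or from ArcSight), the following Python replays constructed flow events through the two rules and the correlation described above. The thresholds (5 unique targets, 8 events), the infrastructure addresses and the definition of Target Port Activity are assumptions, since the page names that rule without detailing it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed addresses for the exempted infrastructure servers (mail, domain, proxy).
INFRA_SERVERS = {"10.0.0.25", "10.0.0.53", "10.0.0.8"}
WINDOW = timedelta(minutes=1)

def windows_by(events, keyfn):
    """Yield (key, events) for every one-minute window among events sharing keyfn(event)."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        groups[keyfn(ev)].append(ev)
    for k, evs in groups.items():
        for i, first in enumerate(evs):
            yield k, [e for e in evs[i:] if e["time"] - first["time"] <= WINDOW]

def possible_network_sweep(events, min_targets=5):
    """Same attacker address, attacker port and target port; at least min_targets
    unique target addresses within a minute, infrastructure servers not counted."""
    hits = set()
    for (src, _sport, dport), win in windows_by(events, lambda e: (e["src"], e["sport"], e["dport"])):
        if len({e["dst"] for e in win if e["dst"] not in INFRA_SERVERS}) >= min_targets:
            hits.add((src, dport))
    return hits

def target_port_activity(events, min_events=8):
    """Assumed definition (the page only names this rule): a burst of min_events
    or more events from one attacker to one target port within a minute."""
    hits = set()
    for (src, dport), win in windows_by(events, lambda e: (e["src"], e["dport"])):
        if len(win) >= min_events:
            hits.add((src, dport))
    return hits

def worm_outbreak(events):
    """Worm Outbreak correlation: both rules active for the same attacker and target port."""
    return possible_network_sweep(events) & target_port_activity(events)

def sample_events():
    """Constructed flow events: one host sweeping 12 peers on TCP/445 from a fixed
    source port, and one host talking only to the exempted mail and domain servers."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    worm = [{"time": t0 + timedelta(seconds=2 * i), "src": "10.1.1.7", "sport": 1025,
             "dst": f"10.0.1.{i + 1}", "dport": 445} for i in range(12)]
    benign = [{"time": t0 + timedelta(seconds=i), "src": "10.1.1.9", "sport": 40000 + i,
               "dst": dst, "dport": 25} for i, dst in enumerate(["10.0.0.25", "10.0.0.53"])]
    return worm + benign
```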
The text describes how Snort IDS detects a buffer overflow attack exploiting the .printer vulnerability on an IIS web server via port 80, which is considered part of the compromised target stage of an attack. This information underscores the importance of proactive network monitoring and security measures to prevent such threats.
The provided text discusses defensive techniques used in cybersecurity, specifically focusing on a scenario where an unauthorized FTP session is detected through a Check Point Firewall showing "Action: accept" for both HTTP (port 80) traffic and the compromised system's FTP session. It highlights several key aspects of this situation:
1. **System Characteristics**: The text questions whether the system in question should have been running vulnerable services like IIS, and if it was an authorized web server with proper access controls or used by an internal user against organizational policies. This questioning is crucial for understanding the setup and security measures in place on the system.
2. **Vulnerability Management**: The text suggests that an authorized web server should undergo routine vulnerability scans to identify any weaknesses, which need to be patched or remediated promptly. Identified vulnerabilities should be addressed through patching or, until a patch is available for deployment, through other mitigations.
3. **Early Detection and Response**: It mentions the use of ArcSight for early detection of compromised communication paths. This tool helps in shutting down the current path of compromise, blocking future access from the attacker, identifying the compromised host, and notifying administrators to clean the system.
4. **Rules Configuration**: The rule used here is designed to detect a successful attack by looking for related events based on matching information from firewall accepts, IDS alarms, and corresponding firewall accepts. This method uses cross-device correlation to automatically prioritize threats based on the compromised host, using both public and private IP addresses captured in firewall logs.
5. **Benefits**: The benefits of this approach are highlighted by its ability to correlate low priority firewall events with high priority IDS alerts, providing a clear picture of the attack and allowing for easier diagnosis and response.
6. **User Monitoring**: This section does not provide complete details but implies monitoring terminated user accounts and any subsequent attempts at accessing them within an organization.
In summary, this text provides insights into how to detect unauthorized access through compromised systems, highlights the importance of regular vulnerability assessments and timely patching or remediation, and demonstrates the effectiveness of using advanced SIEM tools like ArcSight for efficient threat detection and response.
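An added example, not from the original page, of the cross-device correlation described in item 4 above: it joins an inbound firewall accept, the Snort alarm and the outbound accept on the same host, using the translated address that the firewall logs to reconcile the public and private IP of the compromised host. The ten-minute window, field names and sample records are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed maximum gap between the three events

def address_aliases(events):
    """Map a host's public (pre-NAT) address to its private address, using the
    translated destination recorded by the firewall on inbound accepts."""
    alias = {}
    for e in events:
        if e["device"] == "firewall" and e.get("translated_dst"):
            alias[e["dst"]] = e["translated_dst"]
    return alias

def compromised_hosts(events):
    """Cross-device correlation: firewall accept (attacker -> target), then an IDS
    alarm on the same target and port, then a firewall accept from that target back
    to the attacker. Returns one record per compromised host."""
    alias = address_aliases(events)
    def ident(addr):
        return alias.get(addr, addr)
    ev = sorted(events, key=lambda e: e["time"])
    accepts = [e for e in ev if e["device"] == "firewall" and e["action"] == "accept"]
    found = []
    for ids in (e for e in ev if e["device"] == "ids"):
        attacker, target = ids["src"], ident(ids["dst"])
        inbound = [a for a in accepts if a["src"] == attacker and ident(a["dst"]) == target
                   and a["dport"] == ids["dport"]
                   and timedelta(0) <= ids["time"] - a["time"] <= WINDOW]
        outbound = [a for a in accepts if a["src"] == target and ident(a["dst"]) == attacker
                    and timedelta(0) <= a["time"] - ids["time"] <= WINDOW]
        if inbound and outbound:
            found.append({"attacker": attacker, "compromised_host": target,
                          "signature": ids["signature"], "outbound_port": outbound[0]["dport"]})
    return found

def sample_events():
    """Constructed log records: Check Point-style accepts and one Snort alarm."""
    t = datetime(2024, 1, 1, 10, 0, 0)
    return [
        {"time": t, "device": "firewall", "action": "accept", "src": "203.0.113.10",
         "dst": "198.51.100.5", "translated_dst": "10.0.2.15", "dport": 80},
        {"time": t + timedelta(seconds=1), "device": "ids", "signature": "IIS .printer overflow",
         "src": "203.0.113.10", "dst": "10.0.2.15", "dport": 80},
        {"time": t + timedelta(seconds=30), "device": "firewall", "action": "accept",
         "src": "10.0.2.15", "dst": "203.0.113.10", "dport": 21},
        # an ordinary web visitor with no IDS alarm; must not correlate
        {"time": t + timedelta(seconds=40), "device": "firewall", "action": "accept",
         "src": "192.0.2.9", "dst": "198.51.100.5", "translated_dst": "10.0.2.15", "dport": 80},
    ]
```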
This section outlines a security policy for detecting and managing user accounts after an employee's termination across various operating systems, as well as handling unauthorized USB devices. Here are the key points:
1. **User Account Deletion Policy**: When an employee is terminated, their account should be deleted from all systems. This involves adding the username to a specific "Deleted User Accounts" Active list maintained by ArcSight. This active list serves as a repository for tracking user accounts that have been deleted across different operating systems and devices.
2. **Rule Configuration**: The rule used for this purpose is configured with specific criteria:
   - Category Behavior set to /Authentication/Delete, indicating the deletion event.
   - Category Device Group set to /Operating System, ensuring it applies universally regardless of the OS.
   - Category Outcome set to /Success, confirming successful deletions.
   - Target User Name must not be NULL, which ensures only valid user accounts are considered.
3. **Rule Applicability**: The rule does not specify a particular operating system (e.g., Windows, IBM Mainframe, UNIX), indicating that it can be applied universally across all systems. This flexibility in configuration allows for consistent enforcement of the policy even as new systems are added or removed.
4. **Active Lists and Their Benefits**: Active lists, like the "Deleted User Accounts" list, serve to track specific items such as deleted user IDs, enabling proactive monitoring for misuse or abuse. They can be used for various purposes including identifying attempts to use deleted accounts, creating a white-list for trusted testers, or tracking specific behaviors from known hostile IPs.
5. **Automated Tracking and Policy Enforcement**: By triggering high priority events based on activities of users in an active list, ArcSight can automate the monitoring process, quickly detecting suspicious user activity. This leads to efficient policy enforcement without manual intervention.
6. **USB Device Violation Detection**: The text also mentions correlating Windows logs to detect unauthorized USB device usage or CD-ROM storage devices, which are considered violations of security policies.
In summary, the document outlines a comprehensive approach to managing user accounts and enforcing company policies on unauthorized use of resources like USB devices through automated monitoring tools like ArcSight.
This document outlines a policy for managing USB storage devices in an organization, emphasizing the importance of confidentiality and security measures. The policy aims to prevent unauthorized data transfer from confidential assets by detecting when a USB device is connected to such a system. If this occurs, it triggers a notification that is flagged as suspicious.
The purpose of implementing this rule within ArcSight, part of the organization's insider threat package, is to ensure proactive monitoring and real-time alerting of potential policy violations related to unauthorized data access through USB devices. By disabling USB mass storage device access in confidential data assets, the risk of sensitive information being copied or removed covertly can be mitigated.
Additionally, ArcSight can capture operating system logs that provide evidence of any attempts to insert unauthorized devices. These logs are crucial for security analysts to confirm if and when a violation has taken place and to ensure proper alerts are triggered.
The primary benefit of this rule is the immediate notification to security analysts about policy violations, which helps in managing potential insider threats more efficiently than with manual log reviews. This feature is particularly valuable as it allows organizations to detect malicious activities that might otherwise go unnoticed until it is too late.
In summary, the document emphasizes the importance of a comprehensive cybersecurity strategy, including the use of advanced tools like ArcSight for proactive threat detection and response, ensuring compliance with security policies and safeguarding sensitive information from internal threats.
ArcSight detects suspicious activities by pulling data from HR and CRM systems to populate "Active Lists" with users who have been terminated, placed on administrative leave, or sales reps not meeting quota requirements. These lists are then monitored in real-time for any activity involving the listed individuals through correlation rules that can trigger alerts, dashboards, or actions based on administrator designations.
Insider threats pose a significant concern to CISOs as employees often have access rights necessary for their daily functions but may still violate security policies. Defensive techniques include well-defined policies and monitoring systems, internal firewall configurations, encryption of HR and CRM server communications, and robust authentication mechanisms across all organizational systems.
By leveraging ArcSight's capability to display or alert on real-time insider threats, organizations can more effectively identify, contain, and remediate security policy violations. This is particularly relevant when repeated FTP attempts are made to untrusted servers, which could indicate malicious behavior potentially compromising sensitive information.
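The Deleted User Accounts rule with its four criteria and the HR/CRM-fed active lists described just above share one mechanism: a watch list populated from events or feeds, and a correlation that raises a high-priority event for any later activity naming a listed user. This added Python example (not the page's or ArcSight's code) implements both against constructed events; the HR feed shape and the device product names are assumptions, while the category field names are the ones the rule criteria use.

```python
from datetime import datetime, timedelta

DELETION_RULE = {
    "categoryBehavior": "/Authentication/Delete",
    "categoryDeviceGroup": "/Operating System",
    "categoryOutcome": "/Success",
}

def matches_deletion_rule(ev):
    """All three category fields match and Target User Name is not NULL."""
    return (all(ev.get(k) == v for k, v in DELETION_RULE.items())
            and ev.get("targetUserName") is not None)

def hr_watch_list(records, statuses=("terminated", "administrative leave")):
    """Assumed HR feed shape: {"user": ..., "status": ...}; returns the users to watch."""
    return {r["user"] for r in records if r["status"] in statuses}

def process(events, active_list=()):
    """Replay events in time order. Deletions matching the rule populate the active list;
    any later event naming a listed account raises a high-priority event."""
    active = set(active_list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev.get("targetUserName")
        if matches_deletion_rule(ev):
            active.add(user)
        elif user in active:
            alerts.append({"priority": "high", "user": user, "device": ev["deviceProduct"],
                           "behavior": ev["categoryBehavior"], "time": ev["time"]})
    return active, alerts

def sample_events():
    """Constructed events from Windows, UNIX and an application log."""
    t = datetime(2024, 1, 1, 8, 0, 0)
    def ev(minutes, product, behavior, group, outcome, user):
        return {"time": t + timedelta(minutes=minutes), "deviceProduct": product,
                "categoryBehavior": behavior, "categoryDeviceGroup": group,
                "categoryOutcome": outcome, "targetUserName": user}
    return [
        ev(-60, "Windows", "/Authentication/Verify", "/Operating System", "/Success", "jdoe"),  # before deletion
        ev(0, "Windows", "/Authentication/Delete", "/Operating System", "/Success", "jdoe"),
        ev(1, "CRM", "/Authentication/Delete", "/Application", "/Success", "asmith"),  # outside rule scope
        ev(2, "UNIX", "/Authentication/Delete", "/Operating System", "/Success", None),  # NULL user ignored
        ev(3, "UNIX", "/Authentication/Verify", "/Operating System", "/Failure", "jdoe"),  # deleted account used
        ev(4, "Windows", "/Authentication/Verify", "/Operating System", "/Success", "bgreen"),
    ]

# Constructed HR feed: bgreen was terminated but still has a working account.
HR_RECORDS = [{"user": "bgreen", "status": "terminated"}, {"user": "clee", "status": "active"}]
```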
This summary discusses various defensive techniques and strategies used by organizations to combat the threat of Trojan programs masquerading as legitimate FTP traffic in an attempt to evade security measures. Organizations can mitigate this risk through firewall rule configuration which restricts access to external systems for outbound file transfers while allowing downloads when permitted by organizational policy. Additionally, ArcSight technology is utilized to categorize assets and prioritize them based on various factors like business role, system functions, data classification, regulatory compliance, physical location, and more. This information is then correlated with security event data and vulnerability information to create a comprehensive threat model that helps analysts quickly and accurately distinguish between significant and insignificant threats.
The text discusses the benefits of using fully integrated solutions like ArcSight ESM for security analysts. These solutions provide a prioritized alert system based on the likelihood of an attack succeeding and the criticality of assets. This allows analysts to focus remediation efforts on specific areas rather than shutting down entire network subnets, which can be costly in terms of lost productivity or revenue.
The integrated approach ensures that potential risks are addressed promptly, thereby minimizing downtime, loss of revenue from compromised systems, and sensitive data breaches. By concentrating on affected systems based on their importance to the organization, analysts can react more effectively to security incidents, reducing the need for extensive manpower in detection, containment, and remediation.
In summary, fully integrated solutions enhance analyst efficiency by providing focused insights into vulnerabilities and critical assets, allowing quicker responses and improved outcomes in terms of system integrity and data protection.
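Added example, not from the page, of how asset categorization and vulnerability data can be combined with an IDS alarm to separate significant from insignificant threats, using the IIS .printer case from earlier on the page. The asset model, the signature-to-vulnerability mapping and the scoring weights are constructed assumptions, not ArcSight's priority formula.

```python
# Constructed asset model: business role, data classification, platform and the
# findings of the last vulnerability scan.
ASSETS = {
    "10.0.2.15": {"role": "public web server", "classification": "confidential",
                  "os": "Windows", "vulnerabilities": {"iis-printer-overflow"}},
    "10.0.3.40": {"role": "workstation", "classification": "internal",
                  "os": "Linux", "vulnerabilities": set()},
}
# Assumed mapping from an IDS signature to the vulnerability it exploits, the platform
# it needs, and a raw severity on the 0-10 scale.
SIGNATURES = {"IIS .printer overflow": {"vuln": "iis-printer-overflow", "os": "Windows", "severity": 8}}
CRITICALITY = {"confidential": 1.0, "internal": 0.6, "public": 0.3}

def prioritize(alert):
    """Combine likelihood of success (does the target actually carry the vulnerability
    and platform the signature needs?) with asset criticality into a 0-10 priority."""
    sig = SIGNATURES.get(alert["signature"], {"vuln": None, "os": None, "severity": 5})
    asset = ASSETS.get(alert["dst"])
    if asset is None:  # unmodelled host: nothing to scale by, keep the raw severity
        return {"priority": sig["severity"], "reason": "asset not in model"}
    if sig["vuln"] in asset["vulnerabilities"]:
        likelihood, reason = 1.0, "target has the exploited vulnerability"
    elif sig["os"] == asset["os"]:
        likelihood, reason = 0.5, "platform matches but vulnerability not confirmed"
    else:
        likelihood, reason = 0.1, "signature does not apply to this platform"
    weight = 0.5 + 0.5 * CRITICALITY[asset["classification"]]
    score = round(sig["severity"] * likelihood * weight)
    return {"priority": min(10, score), "reason": reason, "asset_role": asset["role"]}
```

The same Snort alarm scores 8 against the confidential IIS host and 1 against the Linux workstation, which is the distinction the paragraph above describes analysts needing.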