TRM General Demo 010708 Ver1.1
- Pavan Raja
- Apr 9
- 6 min read
Summary:
This document outlines a step-by-step guide for accessing and setting up the ArcSight Network Security Platform (NSP) demo, followed by a demonstration of its capabilities using TRM (Real Time Monitor). The setup involves downloading the Cortona VRML plugin and navigating through topology maps. Key features highlighted in the demo include investigating network nodes and simulating quarantine actions with rules and response logs for detailed analysis.
**Accessing the NSP Demo:**
- URL: https://209.10.215.245
- Recommended browser: Firefox
- Authentication via SE Wiki Page

**First Time Demo Setup:**
1. Download and install the Cortona VRML Plug-in (recommended for Firefox).
2. Log in using the NSP username and password.
3. Navigate to NCM and click the 3D Viewer Plugins link corresponding to your browser.
4. For Firefox, open with Firefox; for Internet Explorer, select "run".
5. Click "view map" for the All Devices topology map.
6. Use the Fit button and adjust the map with the left mouse button for rotation, panning, etc.

**TRM General Demo:**
- Focuses on investigating network nodes and simulating quarantine actions using rules and response logs.

**Key Features Demonstrated:**
1. **Network Node Investigation**: Navigate the topology maps to find specific devices such as routers or switches.
2. **Quarantine Simulation with Rules**: Set up custom rules for the quarantine action, including authorization requirements based on IP addresses, MAC addresses, and user accounts.
3. **Response Logs**: A detailed log of all actions taken during quarantine processes provides an audit trail.
4. **Real-Time Capabilities**: Reduces risk by applying business policies to response programs.
5. **Enhanced Security Measures**: Provides a platform for enhanced security measures against potential threats to systems.

**Demo Task 2.2.1:**
- Access the TRM Rules section and view or modify authorization and denial rules as needed, including integration with ArcSight ESM (Enterprise Security Manager).

**Demo Task 2.2.2:**
- Expand specific rules to set detailed settings for quarantine actions in different regions: East, West, Federal, EMEA, APAC.

**Demo Task 2.2.3 and 2.2.4:**
- Attempt to quarantine nodes by entering the appropriate address for each region. Demonstrates what happens when attempting to quarantine without authorization (denial due to rule requirements), then shows how to authorize the request after setting up rules.
In conclusion, this guide provides step-by-step instructions on accessing and using ArcSight NSP demo features with TRM, emphasizing the platform's capabilities in managing security incidents through detailed investigations and simulated quarantine actions based on user-defined rules.
Details:
This document provides a step-by-step guide for accessing and setting up an ArcSight Network Security Platform (NSP) demo, followed by a general demonstration of its capabilities using TRM (Real Time Monitor). The setup includes downloading the Cortona VRML plugin and navigating through topology maps. Key features highlighted in the demo include investigating network nodes and simulating quarantine actions, with rules and response logs for detailed analysis.
**Accessing the NSP Demo:**
Recommended browser: Firefox
Authentication via SE Wiki Page
**First Time Demo Setup:**
1. Download and install the Cortona VRML Plug-in (recommended for Firefox).
2. Log in using the NSP username and password.
3. Navigate to NCM and click the 3D Viewer Plugins link corresponding to your browser.
4. For Firefox, open with Firefox; for Internet Explorer, select "run".
5. Click "view map" for the All Devices topology map.
6. Use the Fit button and adjust the map with the left mouse button for rotation, panning, etc.
**TRM General Demo:**
Focuses on investigating network nodes and simulating quarantine actions.
**Investigate & Simulate**:
Navigate to TRM Tab.
Enter the appropriate quarantine node address based on region:
- East: 10.1.0.10
- West: 10.2.0.20
- Federal: 10.3.0.30
- EMEA: 10.4.0.40
- APAC: 10.5.0.50
Click the "Investigate" button to proceed.
**Additional Features:**
**Quarantine Node**: Demonstrated as part of the investigation process.
**Response Log**: Provides detailed logs for analysis after performing actions.
**Rules**: Allows users to define and apply specific rules for different scenarios.
This demo script outlines a structured approach to familiarize users with key functionalities of ArcSight NSP, particularly through TRM, facilitating real-time investigation and simulated response capabilities.
The article outlines a process used by TRM (a hypothetical system) to manage network nodes through three main steps: Locate, Analyze, and Quarantine. In the "Locate" step, TRM identifies the node's position on the network relative to its control points. For analysis, it performs a real-time investigation of running tasks in the Investigate Window. Upon determining that the MAC address of the node is unique (meaning only one device is using this address), TRM initiates a quarantine action by disabling the switch port connected to the node. This process allows TRM to manage and control network nodes effectively, with default actions being customizable through rules based on specific conditions.
The provided text discusses the features and benefits of using ArcSight TRM (Threat Response Manager) for managing network devices, particularly focusing on quarantining nodes as a response action. Here's a summary of the key points from the text:
1. **Audit Trail and Mapping**: One of the significant business benefits of TRM is its ability to provide an audit trail of all response actions, allowing organizations to map their response process to existing business processes. This includes documenting various aspects of the quarantine process such as trouble ticket numbers, comments, and customizable category assignments.
2. **Automatic Quarantine Expiry**: Customers can specify if quarantines should remain indefinite or be automatically removed by TRM after a set timeframe. In this demo environment, it is configured to remove all quarantines after 1 hour.
3. **Detailed Results View**: The quarantine results window provides detailed information about the quarantine action including the result, execution time, and command log. TRM does not use SNMP for quarantine actions; instead, it acts as a network or security engineer would by accessing the device and issuing necessary commands.
4. **Business Policy Application**: Customers can apply business policies to TRM in the form of rules to ensure that specific responses are taken based on predefined criteria. This helps in managing and automating response processes efficiently.
These points highlight how ArcSight TRM supports systematic, efficient, and documented network device management, including quarantining actions with configurable expiration times and detailed audit trails.
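The audit trail, the quarantine results view and the automatic expiry described in the four points above can be modelled in a few dozen lines. The block below is an added example written for this page, not TRM code: it keeps a response log with one entry per action (ticket number, comment, category, result, operator and the device-level command log), and a scheduler sweep releases quarantines once the configured timeframe (1 hour, as in the demo environment) has passed. The node addresses, switch port names, ticket number and the IOS-style commands are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed model (not TRM code): a quarantine record keeper that writes an
# audit-trail entry for every response action and expires quarantines after a
# configurable timeframe (1 hour, as the demo environment is set up).


@dataclass
class ResponseLogEntry:
    timestamp: datetime
    node: str
    action: str             # "quarantine" or "release"
    result: str             # "success" or "failed"
    operator: str           # who triggered the action (a user or the scheduler)
    ticket: Optional[str]   # trouble ticket number, if one was supplied
    comment: str
    category: str           # customizable category assignment
    command_log: List[str]  # device-level commands, as an engineer would issue them


class QuarantineManager:
    def __init__(self, expiry: Optional[timedelta] = timedelta(hours=1)):
        self.expiry = expiry  # None models an indefinite quarantine
        self.active: Dict[str, Tuple[datetime, str]] = {}  # node -> (since, switch port)
        self.response_log: List[ResponseLogEntry] = []

    def _record(self, now, node, action, operator, ticket, comment, category, commands):
        entry = ResponseLogEntry(now, node, action, "success", operator,
                                 ticket, comment, category, commands)
        self.response_log.append(entry)
        return entry

    def quarantine(self, node: str, switch_port: str, now: datetime, operator: str,
                   ticket: Optional[str] = None, comment: str = "",
                   category: str = "Uncategorized") -> ResponseLogEntry:
        # Default action: disable the switch port the node hangs off (hypothetical commands)
        commands = [f"interface {switch_port}", "shutdown"]
        self.active[node] = (now, switch_port)
        return self._record(now, node, "quarantine", operator, ticket, comment, category, commands)

    def release(self, node: str, now: datetime, operator: str, comment: str = "") -> ResponseLogEntry:
        _, switch_port = self.active.pop(node)
        commands = [f"interface {switch_port}", "no shutdown"]
        return self._record(now, node, "release", operator, None, comment, "Release", commands)

    def sweep_expired(self, now: datetime) -> List[str]:
        """Release every quarantine older than the configured expiry; returns the released nodes."""
        if self.expiry is None:
            return []
        expired = [node for node, (since, _) in self.active.items() if now - since >= self.expiry]
        for node in expired:
            self.release(node, now, operator="trm-scheduler", comment="automatic expiry")
        return expired

    def audit_trail(self, node: str) -> List[str]:
        """One line per logged action for a node, in the order it happened."""
        return [f"{e.timestamp:%Y-%m-%d %H:%M} {e.action} by {e.operator} "
                f"ticket={e.ticket or '-'} result={e.result} cmds={'; '.join(e.command_log)}"
                for e in self.response_log if e.node == node]


def run_demo() -> dict:
    """One quarantine, then sweeps before and after the 1-hour expiry (constructed timestamps)."""
    qm = QuarantineManager()
    t0 = datetime(2008, 7, 1, 9, 0)
    qm.quarantine("10.1.0.10", "GigabitEthernet1/0/10", t0, "demo-user",
                  ticket="INC-0001", comment="suspicious scan", category="Malware")
    early = qm.sweep_expired(t0 + timedelta(minutes=30))
    late = qm.sweep_expired(t0 + timedelta(hours=1))
    forever = QuarantineManager(expiry=None)
    forever.quarantine("10.2.0.20", "GigabitEthernet1/0/20", t0, "demo-user")
    return {
        "released_after_30min": early,
        "released_after_1h": late,
        "still_active": sorted(qm.active),
        "actions": [e.action for e in qm.response_log],
        "operators": [e.operator for e in qm.response_log],
        "trail": qm.audit_trail("10.1.0.10"),
        "indefinite_released": forever.sweep_expired(t0 + timedelta(days=30)),
    }


if __name__ == "__main__":
    for line in run_demo()["trail"]:
        print(line)
```

The scheduler release is logged with its own operator name, so an auditor can tell a manual release from an automatic expiry, and the command log on each entry is what the "Detailed Results View" would show for that action.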
The provided text is a detailed demonstration of how to interact with rules and quarantine actions within a system called TRM (Threat Response Management). Here's a summary of what it covers:
1. **Understanding Rules in TRM**:
TRM allows users to override default responses by creating custom rules based on criteria like IP addresses, MAC addresses, or specific user accounts.
These rules can also be used to deny actions against critical infrastructure such as server farms.
The effectiveness of quarantine actions is evaluated according to these rules.
2. **Demo Task 2.2.1**:
Navigating to the TRM Rules section, where you can view and modify authorization and denial rules.
Example: A rule requires authorization for all requests from a specific user ID used for integration with ArcSight ESM.
3. **Demo Task 2.2.2**:
Expanding specific rules to see detailed settings, such as additional requirements for quarantine actions in different regions (East, West, Federal, EMEA, APAC).
4. **Demo Task 2.2.3 and 2.2.4**:
Demonstrating how to open a Quarantine Node and input the appropriate address for each region.
In Figure 2.2.3, attempting to quarantine a node results in a denial due to matching rule requirements (authorization required).
In Figure 2.2.4, after authorizing the request, you can successfully quarantine the node.
This text is useful for those needing to configure and understand how rules are applied in a threat response management system to ensure appropriate actions based on defined criteria.
The text discusses two main concepts related to quarantine rules in a network management system.
1. **Quarantine Authorization Queue**: This rule applies when a quarantine action requires authorization. Unlike a deny rule, which blocks the request outright, an authorization rule sends the request into a specific authorization queue, selected by configuration, where it waits for explicit approval. This setup allows for better tracking and management of quarantine requests.
2. **Managing Disabled Rules**: These rules can override default quarantine actions. For instance, they can be configured to change the action from default quarantine to other alternatives like MAC filter or VLAN Quarantine. The process involves navigating through specific interfaces (Dashboards > Workflow > Auth Queue for viewing pending quarantine requests and TRM > Rules > Authorization & Deny for enabling/disabling rules) to manage these configurations. Once a rule is enabled, it can be used to simulate quarantine actions on specified node addresses, allowing for testing and adjustment of the response process based on different environments within an enterprise network.
In summary, this text explains how to handle quarantine requests through authorization queues and how disabled rules can be reconfigured to manage quarantine actions effectively in a network environment.
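The rule behaviour walked through in Demo Tasks 2.2.1 to 2.2.4 and in the two points above (deny rules, authorization rules that park a request in an auth queue, and a disabled rule that overrides the default action) can be shown as a small policy engine. The block below is an added example written for this page, not TRM code; the rule names, the `esm-integration` user account, the `10.10.0.0/24` server farm range, the `Auth Queue` name and the action labels `port_disable`, `mac_filter` and `vlan_quarantine` are constructed assumptions. The regional node addresses are the ones the demo uses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model (not TRM code) of the rule types the demo walks through:
# deny rules, authorization rules that park a request in an auth queue, and
# rules that override the default quarantine action. Deny always wins.

DEFAULT_ACTION = "port_disable"  # default response: disable the node's switch port


@dataclass
class QuarantineRequest:
    node_ip: str
    node_mac: str
    requested_by: str  # user account issuing the request (e.g. an ESM integration user)
    region: str


@dataclass
class Rule:
    name: str
    effect: str                       # "deny" | "require_authorization" | "override_action"
    enabled: bool = True
    src_user: Optional[str] = None    # match on the requesting user account
    node_cidr: Optional[str] = None   # match on a node IP range (e.g. a server farm)
    node_mac: Optional[str] = None    # match on the node MAC address
    region: Optional[str] = None      # match on region
    auth_queue: Optional[str] = None  # queue name for require_authorization
    action: Optional[str] = None      # replacement action for override_action

    def matches(self, req: QuarantineRequest) -> bool:
        if not self.enabled:
            return False
        if self.src_user is not None and self.src_user != req.requested_by:
            return False
        if self.node_cidr is not None and \
                ipaddress.ip_address(req.node_ip) not in ipaddress.ip_network(self.node_cidr):
            return False
        if self.node_mac is not None and self.node_mac.lower() != req.node_mac.lower():
            return False
        if self.region is not None and self.region != req.region:
            return False
        return True


@dataclass
class Decision:
    outcome: str          # "denied" | "queued" | "executed"
    action: str           # the quarantine action that applies
    rule: Optional[str]   # rule that decided the outcome, if any
    queue: Optional[str] = None


class RuleEngine:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.auth_queues: Dict[str, List[QuarantineRequest]] = {}
        self.executed: List[tuple] = []  # (node_ip, action) pairs actually carried out

    def set_enabled(self, rule_name: str, enabled: bool) -> None:
        for r in self.rules:
            if r.name == rule_name:
                r.enabled = enabled

    def _effective_action(self, req: QuarantineRequest) -> str:
        action = DEFAULT_ACTION
        for r in self.rules:  # an enabled override rule replaces the default action
            if r.effect == "override_action" and r.matches(req):
                action = r.action
        return action

    def evaluate(self, req: QuarantineRequest) -> Decision:
        matched = [r for r in self.rules if r.matches(req)]
        action = self._effective_action(req)
        deny = next((r for r in matched if r.effect == "deny"), None)
        if deny:  # deny takes precedence over authorization and overrides
            return Decision("denied", action, deny.name)
        auth = next((r for r in matched if r.effect == "require_authorization"), None)
        if auth:  # park the request in the configured queue until approved
            self.auth_queues.setdefault(auth.auth_queue, []).append(req)
            return Decision("queued", action, auth.name, auth.auth_queue)
        self.executed.append((req.node_ip, action))
        return Decision("executed", action, None)

    def authorize(self, queue: str, node_ip: str, approver: str) -> Decision:
        pending = self.auth_queues.get(queue, [])
        for i, req in enumerate(pending):
            if req.node_ip == node_ip:
                pending.pop(i)
                action = self._effective_action(req)
                self.executed.append((req.node_ip, action))
                return Decision("executed", action, f"authorized by {approver}", queue)
        raise KeyError(f"no pending request for {node_ip} in {queue}")


def build_demo_engine() -> RuleEngine:
    # Rules mirroring the demo: the ESM integration user needs authorization, the server
    # farm is protected by a deny rule, and a disabled rule would switch EMEA to VLAN quarantine.
    return RuleEngine([
        Rule("ESM requests need authorization", "require_authorization",
             src_user="esm-integration", auth_queue="Auth Queue"),
        Rule("Deny quarantine of server farm", "deny", node_cidr="10.10.0.0/24"),
        Rule("EMEA uses VLAN quarantine", "override_action", enabled=False,
             region="EMEA", action="vlan_quarantine"),
    ])
```

Evaluating the East node as the ESM user lands the request in `Auth Queue` (Figure 2.2.3), and `authorize()` then carries it out (Figure 2.2.4); enabling the disabled EMEA rule changes the action for the EMEA node without touching the deny or authorization outcomes.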
The document discusses a tool called TRM (Threat Response Manager) and its features for managing security incidents such as quarantining devices in response to threats. It starts by explaining how to access the "Response Log" through TRM, where all actions taken during a response are documented, providing a comprehensive audit trail for both customers and auditors. The document also highlights that TRM allows users to view detailed information about each action performed during the quarantine process, including device-level command logs.
Furthermore, the document emphasizes the benefits of using TRM by describing its real-time investigation capabilities, which enable ArcSight customers to effectively reduce risk through quarantining offending nodes and applying business policies to their response program. The tool is designed to empower customers with enhanced security measures in managing potential threats to their systems.