Various Use Cases V2.1
- Pavan Raja
- Apr 9
- 12 min read
Summary:
This document outlines a framework for proactive monitoring and alerting of potential security threats using statistical analysis and predefined severity levels. It covers several aspects including firewall and IDS interaction, moving average data monitors, session reconciliation data monitors, statistics data monitors, user case studies for troubleshooting, and system integrations. Here's the summary of the key points:
1. **Firewall and IDS Interaction**: A connection that the firewall accepted and that also has a matching IDS alert is treated as a successful attack; an accepted connection with no matching IDS alert is a normal connection. This section shows how firewall and intrusion detection system (IDS) event streams are correlated against each other to corroborate reported attacks.
2. **Moving Average Data Monitor**: This tool helps in visualizing the moving average of events based on selected data fields, smoothing out short-term fluctuations to reveal long-term trends. It is useful for analyzing event data over time.
3. **Session Reconciliation Data Monitor**: This monitor correlates events that occur within a relevant time period, such as a VPN login session. The predefined parameters help in identifying the start and end of sessions, which can be crucial for understanding user activity patterns.
4. **Statistics Data Monitor**: Extends the Moving Average Data Monitor with additional statistical methods: average, standard deviation, skew and kurtosis alongside the moving average. This allows a more detailed analysis of event data to identify anomalies and potential threats.
5. **Use Case 31 - Too Few Events**: Fewer events than the baseline predicts can itself indicate a problem (a failed log source, a disabled agent, or an attacker suppressing logging). Possible approaches include filters such as "After Hours" or active lists that track user login patterns, and periodically refreshing the average daily trend so the baseline stays representative.
6. **Use Case 32 - Outside Normal Temporal Window**: Describes events occurring outside their expected time frame. Solutions involve adjusting filters to match worker shifts, or using an active list so that only the first login of each day per user is evaluated.
7. **Product Integrations**: The document mentions a specific integration with Qualys, which could suggest vulnerability scanning through Qualys as part of the security suite provided by this framework.
8. **SmartConnector for Security Tools**: This section outlines the supported platforms and versions for the security tools that can be integrated using SmartConnectors, such as Qualys, McAfee ePolicy Orchestrator (ePO), Imperva SecureSphere, Snort IDS, Microsoft System Center Operations Manager (Operations Manager), and more.
9. **Rity v1.1 SP1 with MOM 2005**: This is a software package that integrates Cisco ASA and FWSM (Firewall Services Module) firewalls with ArcSight, allowing syslog events from these devices to be imported and network activity to be monitored within the ArcSight system.
10. **UC 39 - Oracle Identity Management or other LDP IAM Solution**: This pertains to managing user identities and access control in large organizations using Oracle's identity management solutions or similar systems designed for identity and access management (IAM). Ensuring only authorized users have access is crucial for enhancing overall security posture.
11. **UC 40 - Double NAT**: A topology in which a private network sits behind a NAT device whose outside address is itself a private address behind a second NAT device, so a packet's source address is rewritten twice before it reaches the public internet. In such environments the original threat source has to be linked back through each NAT layer's translation records for effective detection and response. The solution should be adaptable during demonstrations so that rules can be created and evaluated against realistic multi-layer NAT scenarios.
Overall, this document provides a comprehensive guide for setting up and configuring various security tools and methods to ensure robust network security monitoring and incident response capabilities.
Details:
This use case documentation outlines various scenarios and procedures for demonstrating how ArcSight, specifically its SIEM (Security Information and Event Management) and FIM (File Integrity Monitoring) capabilities, can be used in a Proof of Concept (POC). The document is prepared by Brian Wolff, Principal Sales Engineer at ArcSight.
The main use cases include:
1. Showing everything a user did across multiple systems, using the standard replay files in ArcSight. Load the console, then open the event graph by right-clicking in the grid area of the channel.
2. Simultaneous Logins using Time Proximity: like UC 1, this scenario uses the standard replay files, but tracks simultaneous logins within a short time frame by pivoting on the variable ActorByIPOrAccount.Full Name.
3. Tracking activities when a generic service account is used for all users on the target system: this involves selecting specific data monitors and using ArcSight's global variables to attribute activity in legacy application login sessions to real users, with SYSTEMUSER as the example of a generic service account. The demonstration includes setting up filters based on MyLegacyApp Events and using the global variables AttributableActor.FullName and AttributableActor.Department for contextual information about the user behind the shared account.
The document provides detailed steps and considerations such as defining triggers, aggregations, and session lists to ensure comprehensive tracking of activities within the specified legacy application environment. This documentation is tailored to showcase how ArcSight can be effectively utilized in a POC setting by illustrating its capabilities in SIEM/FIM data pivoting scenarios.
The text provided is a detailed guide on how to set up and configure a rule in ArcSight to detect simultaneous logins from different IP addresses using the same account. Here's a summary of the steps involved:
1. **Setup for Detection**:
Set up an active channel filtered on the word "TEST" in the Message column, then generate a test event with the test generator and confirm it appears in the channel.
2. **Creating a Rule (TEST_MIP)**:
In the rule setup, exclude the rule's own Generator ID so the rule cannot trigger itself on the correlation events it produces. This is done by copying the rule's Resource ID field value, creating a new condition on "Generator ID" that must not equal that value, and pasting the copied string into the condition.
3. **Conditions Tab**:
Set conditions to check if the Attacker Addresses are unique while the Target Address (IP address) and possibly the Target User ID are identical. This is to identify cases where multiple logins from different IP addresses are attempted using the same account.
4. **Actions Tab**:
In the Actions tab use the "On First Threshold" trigger, so the rule fires once when the aggregation threshold is reached. To watch the results, create an active channel named "USE CASES" that continuously evaluates events from the last 10 minutes.
5. **Filtering Events**:
Configure the filter in the rule to display only relevant events that match your criteria for simultaneous logins from different IP addresses using the same account.
6. **Test Configuration**:
Set up a test event with specific fields like Attacker Address (10.1.1.1) and Target Address (10.10.10.10). These values help in identifying the events during testing.
This detailed setup is crucial for detecting unauthorized access attempts using different IP addresses with the same account, which could indicate compromised credentials or other security breaches.
This document outlines the process for creating and testing three use-case rules in ArcSight, each covering a different aspect of login behaviour: UC1 (same account seen from two source addresses), UC2 (same source IP used by multiple accounts) and UC3 (same account from two different geographical locations), with a trusted list suggested for whitelisting known addresses.
For **UC1 - Same Account 2 Source Addr**: this is the rule built above, with "Attacker Address" unique and "Target User ID" identical in the Aggregation tab. Test it with the ArcSight "Test" SmartConnector using these event fields:
Name: Test Alert Event
Category Object: /Host/Operating System (required for the rule)
Attacker Address: 10.1.1.1
Target User ID: USER 1
Send the event and, within 30 seconds, change the Attacker Address to 206.116.23.54 and send again; the rule should fire. Suggested enhancement: add a "Trusted List" (an active list of whitelisted addresses) and exclude its members in the rule conditions, so that logins from listed addresses do not trigger the rule.
For **UC2 - Same IP Multiple Accounts**: copy the rule "UC1 – Same Account 2 Source Addr" and rename it "UC2 – Same IP Multiple Accounts". In the Aggregation tab invert the fields: "Target User ID" unique while "Source Address" (Attacker Address) remains identical, so the rule fires when one source address logs into several accounts within the window. The same trusted-list enhancement applies.
For **UC3 - Same Account Diff GEO Codes**: copy or create a rule named "UC3 – Same Account Diff GEO Codes". Aggregate with the attacker geo attributes unique while "Target User ID" remains identical, and remember to carry over the Generator ID exclusion from the Attributes tab so the rule does not match its own correlation events. For testing, use:
Name: Test Alert Event
Category Object: /Host/Operating System (required for the rule)
Attacker Address: 206.116.23.54
Target User ID: USER 2
Send the event and within 30 seconds change the attacker address to 199.2 (an address that geolocates to a different country) and send again. The same trusted list enhancement can be applied here as well to filter out known whitelisted IP addresses.
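The three rules above (and the TEST_MIP rule built earlier) share one mechanism: group events on the "identical" fields, count distinct values of the "unique" field inside a 10-minute window, fire on first threshold, and never consume the rule's own correlation events. The following is an added example, not part of the original use-case document and not ArcSight rule syntax; it expresses that mechanism in Python over a constructed login stream. The GEO lookup table, the trusted list contents and the address 198.51.100.7 are assumptions for the example; field names mirror the ArcSight fields the text uses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)       # the 10-minute evaluation window used in the text

# Assumed GEO enrichment table; in ESM the connector fills attackerGeoCountryCode.
GEO = {"206.116.23.54": "CA", "198.51.100.7": "US"}
# Suggested enhancement from the text: a Trusted List of addresses that never fire.
TRUSTED = {"10.1.1.1"}


class WindowedRule:
    """Mirror of the rule's Aggregation tab: the 'identical' fields form the group
    key and the distinct count of the 'unique' field inside WINDOW is compared
    with the threshold."""

    def __init__(self, name, identical, unique, threshold=2):
        self.name = name
        self.identical = identical
        self.unique = unique
        self.threshold = threshold
        self.buckets = defaultdict(deque)   # group key -> deque of (time, unique value)

    def feed(self, ev):
        # Generator ID exclusion: a rule must never consume its own correlation events.
        if ev.get("type") == "Correlation":
            return None
        value = ev.get(self.unique)
        if value is None:                   # e.g. a private address with no GEO code
            return None
        key = tuple(ev[f] for f in self.identical)
        bucket = self.buckets[key]
        bucket.append((ev["time"], value))
        while bucket and ev["time"] - bucket[0][0] > WINDOW:
            bucket.popleft()                # drop entries that fell out of the window
        distinct = {v for _, v in bucket}
        if len(distinct) >= self.threshold:
            bucket.clear()                  # On First Threshold: fire once, then reset
            return {"type": "Correlation", "rule": self.name,
                    "key": key, "values": sorted(distinct)}
        return None


def login_event(time, user, addr):
    """Constructed base event carrying the fields the three rules aggregate on."""
    return {"type": "Base", "time": time, "targetUserId": user,
            "attackerAddress": addr, "attackerGeoCountryCode": GEO.get(addr)}


def detect(events, use_trusted_list=False):
    """Run UC1-UC3 over a time-ordered event list; returns the correlation events fired."""
    rules = [
        WindowedRule("UC1 - Same Account 2 Source Addr", ["targetUserId"], "attackerAddress"),
        WindowedRule("UC2 - Same IP Multiple Accounts", ["attackerAddress"], "targetUserId"),
        WindowedRule("UC3 - Same Account Diff GEO Codes", ["targetUserId"], "attackerGeoCountryCode"),
    ]
    alerts = []
    for ev in events:
        if use_trusted_list and ev["attackerAddress"] in TRUSTED:
            continue                        # whitelisted source: skip every rule
        for rule in rules:
            alert = rule.feed(ev)
            if alert:
                alerts.append(alert)
    return alerts


T0 = datetime(2024, 1, 1, 9, 0, 0)           # constructed timestamps
SAMPLE = [                                   # constructed login stream
    login_event(T0, "USER 1", "10.1.1.1"),
    login_event(T0 + timedelta(seconds=20), "USER 1", "206.116.23.54"),
    login_event(T0 + timedelta(seconds=40), "USER 2", "206.116.23.54"),
    login_event(T0 + timedelta(seconds=60), "USER 2", "198.51.100.7"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert["rule"], alert["key"], alert["values"])
```

Without the trusted list the stream fires UC1 for USER 1 (two addresses), UC2 for 206.116.23.54 (two accounts), then UC1 and UC3 for USER 2; with 10.1.1.1 trusted, the first UC1 alert disappears, which is exactly the effect the suggested enhancement is meant to have. Correlation events fed back into the rules are ignored, matching the Generator ID exclusion.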
The provided information outlines the steps involved in setting up notifications within a system, including user creation, assigning users to notification groups, configuring SMTP, SMPP, and SNMP for sending alerts, and escalation procedures when no response is received. Additionally, it describes how to create rules for specific events such as network authentication mismatches or device product changes and the process of notifying relevant parties with options for user-specific notifications. Lastly, it mentions the creation of a data monitor to track login locations by country and detailed reporting capabilities within the system's console or ArcSight Web viewer.
This summary outlines various aspects of a report generation tool, referred to as "ArcSight Logger," which is designed to collect and present data from different sources such as trends, session lists, active lists, cases, notifications, and assets. The tool supports both event-based reporting and the summarization of data related to these entities.
Key features include:
1. **Report Binding with Queries**: Reports are created by binding one or more queries to a template. These queries can pull data from trends, session lists, active lists, cases, notifications, and assets.
2. **Data Collection and Reporting**: The tool not only reports on event data but also provides the ability to summarize data from various sources such as cases, notifications, and assets.
3. **Access Control Lists (ACLs)**: ACLs control what content is visible in a view and whether a user can create, modify, or execute any given resource, so hierarchical policy containers can be delegated to different teams without exposing or altering each other's content.
4. **Hierarchical Navigator Layout**: The left panel, known as the "Navigator," follows a standard hierarchical layout, allowing users to group folders in various ways that are meaningful for their specific project needs.
5. **Correlation Policies**: Correlations can be applied at the system level and are controlled by ACLs. This feature allows for tailored correlation rules based on specific policies.
6. **Extensibility**: The tool supports several extensibility features, including:
Provisioning new accounts via API/SDK (with limitations).
Adding and configuring new log event-generating devices to expand the system's data collection capabilities.
Manipulating policies, group/tag structure, and general settings for customization.
Retrieving data from external datasets such as blocklists or reputation services maintained by third parties.
This tool is designed with flexibility in mind, allowing users to tailor its functionality according to specific project requirements and expand the system's capabilities through various APIs and SDKs.
This text discusses various functionalities related to event analysis, reporting, integration with external tools, and the use of scripts within the ESM Console. The main points include:
1. **Event Analysis**: Graphs of event relationships can be built in the console and exported, together with the underlying events (.csv), into a case, for use in other analysis tools or as evidence in an investigation. Report formats can be customised for this purpose.
2. **Integration with External Tools**: The text highlights the integration capabilities within the ESM Console, specifically mentioning its connection with Google Earth through a right-click context menu in the Active Channel.
3. **Triggering Alerts and Running Scripts**: UC 25 (which refers back to UC 9) covers how to trigger alerts and run scripts through integration commands. These commands let users build, configure, and launch external tools from within the ESM Console for enhanced security operations.
4. **Integration Commands Overview**: This section provides a detailed explanation of what integration commands are, their capabilities (running locally or remotely, associating parameters with command execution based on gathered data), and scenarios where they can be particularly useful in integrating external applications like ArcSight NSP and third-party tools to extend the monitoring and investigative powers of the ESM Console.
5. **Demonstrating Google Earth Integration**: The text suggests that this integration is demonstrated through scripts within a rule setup, allowing for dynamic visualization based on event data captured by the ESM Console.
6. **Remediation Actions**: For UC 27 - Remediation, it advises referring to ArcSight TRM materials which cover investigative and remediation actions in response to threats as managed by ArcSight's Threat Response Manager (TRM).
This summary provides a broad overview of how the text discusses various methods for improving security operations through integration with external tools, automation via scripts, and detailed report generation within the ESM Console.
This passage discusses the use of ESM (Enterprise Security Manager) and TRM (Threat Response Manager) in network security, highlighting how they can work together to protect networks from threats in real-time. The combination of these tools allows for immediate action upon detecting a compromise, with minimal disruption if an attack is identified. Some specific actions mentioned include investigating IP addresses using TRM after selecting them in ESM, quarantining associated nodes via TRM when an IP address is selected in ESM, and automatically quarantining nodes based on rules set within ESM and implemented through the ArcSight TRM CounterAct Connector.
Additionally, this passage introduces UC 28 which focuses on demonstrating the capability to write custom parsers for unique or specialized log formats. The document references a Flex Developers Guide for further information and provides a sample configuration file for a FlexConnector used in log processing, detailing how IP addresses, timestamps, request types, URLs, versions, return codes, and other values are parsed from logs using regular expressions.
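UC 28 is about writing a parser for a log format the stock connectors do not understand. A FlexConnector regex parser is driven by one regular expression with one capture group per token, each token named, typed and mapped onto an ArcSight event field. The block below is an added example, not the sample configuration file the use-case document ships and not ArcSight code: it implements the same token-and-map approach in Python for a web-server access log, so the regex can be exercised before it is transcribed into the connector's properties file. The log lines are constructed, and the choice of event fields (deviceCustomNumber1 for the HTTP return code, categoryOutcome by status class) is an assumption for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in Common Log Format (not taken from the page). The
# third line is deliberately malformed: a connector must count it, not crash.
SAMPLE_LOG = """\
10.1.1.1 - - [09/Apr/2024:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326
206.116.23.54 - - [09/Apr/2024:13:55:40 -0700] "POST /login.php?user=admin HTTP/1.1" 403 512
garbage line the connector must not crash on
"""

# One regex, one capture group per token: IP address, timestamp, request type,
# URL, protocol version, return code, bytes. Anchored at both ends so a partial
# match on a foreign line cannot produce a half-populated event.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<version>\S+)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"   # the timestamp token's format, incl. zone offset


def parse_line(line):
    """Map one log line to ArcSight-style event fields; None if the regex fails."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FORMAT)   # zone-aware, as the log states it
    status = int(m["status"])
    return {
        "sourceAddress": m["src"],
        # normalise to UTC so events from differently zoned servers line up
        "deviceReceiptTime": ts.astimezone(timezone.utc).isoformat(),
        "requestMethod": m["method"],
        "requestUrl": m["url"],
        "applicationProtocol": m["version"],
        "deviceCustomNumber1": status,                     # HTTP return code (assumed mapping)
        "bytesOut": None if m["bytes"] == "-" else int(m["bytes"]),
        # outcome categorisation: 2xx/3xx success, 4xx/5xx failure (assumed mapping)
        "categoryOutcome": "/Success" if status < 400 else "/Failure",
    }


def parse_log(text):
    """Parse every non-empty line; unparsed lines are kept and reported rather
    than silently dropped, mirroring a connector's unparsed-event counter."""
    events, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev["deviceReceiptTime"], ev["sourceAddress"], ev["requestUrl"], ev["categoryOutcome"])
    print(f"{len(bad)} unparsed line(s)")
```

Two points worth carrying into the real FlexConnector properties file: anchor the regex so junk lines fail cleanly instead of matching partially, and parse the timestamp with its zone offset rather than assuming the connector host's local time, or correlation windows across sources will be skewed.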
The provided information outlines a system for anomaly detection within event data using specific parameters and tools to identify deviations from normal behavior. Key components include:
1. **Event Severity Mapping**: Defines severity levels based on numerical values, categorizing events into high (400-599), medium (300-399), and low (100-299) categories. This helps in prioritizing alerts for immediate action.
2. **Anomaly Detection**: Focuses on detecting anomalies when asset or event data shows deviations from expected behavior, as outlined in UC 29 and UC 30. These UCs are not detailed further but suggest that they involve comparing current events against a baseline to identify unusual activity.
3. **Moving Average Data Monitor**: Compares the current value against the historical moving average and expresses the deviation as a percentage: roughly ±33 to 65 percent is treated as a mild deviation and ±66 percent or more as severe. Event throughput can be monitored this way via the /All Dashboards/ArcSight Administration/ESM/System Health/Events/Event Throughput dashboard.
4. **Correlation Data Monitors**: These are used to evaluate the event stream by calculating statistics, reconciling events, and computing moving averages. There are two types of correlation data monitors:
**Event Correlation**: Compares flow volume between two different event streams (e.g., firewall and IDS) to verify or corroborate reported attacks.
**Event Reconciliation**: Matches every event from one stream with an event from another, useful for comparing events from sensors like a firewall and an IDS where there might be discrepancies in recorded events.
5. **Action on Detection**: When anomalies are detected through these methods (moving average deviation or correlation mismatches), the system triggers alerts to active channels, indicating potential security incidents that need attention.
Overall, this framework is designed for proactive monitoring and alerting of potential security threats by identifying abnormal patterns in event data using statistical analysis and predefined severity levels.
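The two correlation data monitors in point 4 (and the firewall/IDS interaction described at the top of the page) reduce to one pairing problem: match each IDS alert to the firewall event for the same flow close in time, then classify. The block below is an added example, not code from the use-case document or from ArcSight; it implements both the Event Reconciliation pairing and the Event Correlation volume comparison over constructed firewall and IDS events, keyed on (source, destination, destination port). It goes slightly beyond the page by also labelling a denied connection with a matching alert as a blocked attack, and an alert with no firewall record as unreconciled. The 30-second match window is an assumption.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time sensor action src dst dport")
MATCH_WINDOW = timedelta(seconds=30)   # assumed: max clock gap between fw and IDS records

T0 = datetime(2024, 1, 1, 10, 0, 0)
# Constructed firewall and IDS events; the flow key is (src, dst, dport).
FIREWALL = [
    Event(T0, "fw", "accept", "206.116.23.54", "10.10.10.10", 80),
    Event(T0 + timedelta(seconds=5), "fw", "accept", "10.1.1.1", "10.10.10.10", 443),
    Event(T0 + timedelta(seconds=9), "fw", "deny", "206.116.23.54", "10.10.10.11", 22),
]
IDS = [
    Event(T0 + timedelta(seconds=2), "ids", "SQL injection attempt", "206.116.23.54", "10.10.10.10", 80),
    Event(T0 + timedelta(seconds=10), "ids", "SSH brute force", "206.116.23.54", "10.10.10.11", 22),
    Event(T0 + timedelta(seconds=12), "ids", "Port scan", "192.0.2.7", "10.10.10.12", 3389),
]


def flow_key(ev):
    return (ev.src, ev.dst, ev.dport)


def reconcile(firewall, ids, window=MATCH_WINDOW):
    """Event Reconciliation: pair each IDS alert with the nearest unmatched
    firewall event on the same flow inside the window, then classify.
    Returns a list of (verdict, flow_key, detail)."""
    unmatched_fw = list(firewall)
    results = []
    for alert in ids:
        candidates = [fw for fw in unmatched_fw
                      if flow_key(fw) == flow_key(alert)
                      and abs(fw.time - alert.time) <= window]
        if not candidates:
            # IDS saw traffic the firewall never logged: a sensor discrepancy worth a look
            results.append(("unreconciled_alert", flow_key(alert), alert.action))
            continue
        fw = min(candidates, key=lambda f: abs(f.time - alert.time))
        unmatched_fw.remove(fw)             # each firewall event corroborates one alert
        verdict = "successful_attack" if fw.action == "accept" else "blocked_attack"
        results.append((verdict, flow_key(alert), alert.action))
    for fw in unmatched_fw:
        # accepted with no alert = normal connection; denied with no alert = plain block
        verdict = "normal_connection" if fw.action == "accept" else "denied_connection"
        results.append((verdict, flow_key(fw), "no IDS alert"))
    return results


def correlate_volumes(firewall, ids):
    """Event Correlation: per destination, accepted-connection volume on the
    firewall side next to alert volume on the IDS side, so a spike in one
    stream without the other stands out."""
    per_dst = defaultdict(lambda: {"fw_accepts": 0, "ids_alerts": 0})
    for fw in firewall:
        if fw.action == "accept":
            per_dst[fw.dst]["fw_accepts"] += 1
    for alert in ids:
        per_dst[alert.dst]["ids_alerts"] += 1
    return dict(per_dst)


if __name__ == "__main__":
    for verdict, flow, detail in reconcile(FIREWALL, IDS):
        print(f"{verdict:20} {flow} {detail}")
    print(correlate_volumes(FIREWALL, IDS))
```

The one-to-one pairing matters: once a firewall accept has corroborated an alert it is removed from the pool, so a second alert on the same flow outside the window is reported as unreconciled rather than silently reusing the same connection as evidence.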
The provided text discusses various aspects related to firewalls, intrusion detection systems (IDS), data monitors, and statistical methods. Here's a summary of the key points:
1. **Firewall and IDS Interaction**: A connection the firewall accepted that also has a matching IDS alert is considered a successful attack; an accepted connection with no matching IDS alert is a normal connection.
2. **Moving Average Data Monitor**: This tool displays the moving average of events based on selected data fields, smoothing out short-term fluctuations to reveal long-term trends. It can also plot values using various numeric fields from events.
3. **Session Reconciliation Data Monitor**: This monitor correlates events that occur within a relevant time period, such as a VPN login session. The session start and end parameters are predefined when creating the data monitor, and it features a scalable session list for collecting session data.
4. **Statistics Data Monitor**: Similar to the Moving Average Data Monitor but adds further statistical methods: average, standard deviation, skew and kurtosis alongside the moving average, allowing a more comprehensive analysis of event data.
5. **Use Case 31 - Too Few Events**: Describes a situation where there are fewer events than expected compared to a baseline. The deviation is measured as a percentage up or down. Possible solutions include filters such as "After Hours" or active lists to track user login patterns, and refreshing the average daily trend so the baseline stays representative.
6. **Use Case 32 - Outside Normal Temporal Window**: Refers to events occurring outside their expected time frame and suggests solutions such as adjusting filters to match worker shifts, or using an active list so that only the first login of each day per user is evaluated.
7. **Product Integrations**: Mentioned a specific integration with Qualys, possibly indicating vulnerability scanning through Qualys.
In summary, these topics cover concepts in network security (firewalls and IDS), data analysis tools (moving averages, statistics monitors), user case studies for troubleshooting, and system integrations.
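The moving-average and statistics monitors and Use Cases 31 and 32 above rest on a few calculations the page names but does not show: a trailing moving average with percent deviation classified into the mild (±33 to 65) and severe (±66 and above) bands, the average, standard deviation, skew and kurtosis of a series, and a first-login-of-the-day filter against a shift window. The block below is an added example, not code from the use-case document or from ArcSight, implementing those calculations in Python over constructed hourly event counts and login timestamps. The window length of 6 intervals and the 08:00 to 18:00 shift are assumptions.

```python
import math
from collections import deque
from datetime import datetime

MILD, SEVERE = 33.0, 66.0   # percent-deviation bands from the text


def classify(pct):
    """Band a percent deviation (either direction) as normal, mild or severe."""
    magnitude = abs(pct)
    if magnitude >= SEVERE:
        return "severe"
    if magnitude >= MILD:
        return "mild"
    return "normal"


def moving_average_deviations(counts, window):
    """Moving Average Data Monitor: for each interval once `window` prior
    intervals exist, compute the trailing average of those intervals and the
    current value's percent deviation from it. Returns (count, avg, pct, band)."""
    history = deque(maxlen=window)
    out = []
    for count in counts:
        if len(history) == window:
            avg = sum(history) / window
            if avg:
                pct = (count - avg) / avg * 100
            else:                      # no baseline traffic at all: any event is infinite deviation
                pct = float("inf") if count else 0.0
            out.append((count, avg, pct, classify(pct)))
        history.append(count)          # baseline follows the data, as a trend refresh would
    return out


def statistics(values):
    """Statistics Data Monitor methods: mean, population standard deviation,
    skew and excess kurtosis (normal distribution = 0 for both)."""
    n = len(values)
    mean = sum(values) / n
    variance = sum((v - mean) ** 2 for v in values) / n
    sd = math.sqrt(variance)
    if sd == 0:
        return {"mean": mean, "stddev": 0.0, "skew": 0.0, "kurtosis": 0.0}
    z = [(v - mean) / sd for v in values]
    return {"mean": mean, "stddev": sd,
            "skew": sum(s ** 3 for s in z) / n,
            "kurtosis": sum(s ** 4 for s in z) / n - 3}


def first_logins_outside_shift(logins, shift=(8, 18)):
    """UC 32: keep only each user's first login per day (the active list keyed
    on user+date) and flag those falling outside shift hours [start, end)."""
    seen = set()
    flagged = []
    for user, ts in sorted(logins, key=lambda x: x[1]):
        key = (user, ts.date())
        if key in seen:
            continue                   # later logins that day never reach the rule
        seen.add(key)
        if not (shift[0] <= ts.hour < shift[1]):
            flagged.append((user, ts))
    return flagged


# Constructed hourly login counts: flat baseline, then too few (UC 31), then a burst.
HOURLY_LOGINS = [100, 100, 100, 100, 100, 100, 40, 150, 100]
# Constructed logins for UC 32.
LOGINS = [
    ("alice", datetime(2024, 1, 2, 7, 30)),
    ("alice", datetime(2024, 1, 2, 9, 0)),
    ("bob", datetime(2024, 1, 2, 9, 15)),
    ("bob", datetime(2024, 1, 2, 22, 0)),
]

if __name__ == "__main__":
    for count, avg, pct, band in moving_average_deviations(HOURLY_LOGINS, 6):
        print(f"count={count:4} avg={avg:7.2f} deviation={pct:+7.1f}% {band}")
    print(statistics([2, 4, 4, 4, 5, 5, 7, 9]))
    print(first_logins_outside_shift(LOGINS))
```

Note how the 40-event hour is only a mild deviation (-60 percent) while the following 150-event hour lands in the severe band: the 40 has already pulled the trailing average down to 90, so the same absolute burst reads as a larger relative jump. That is the trade-off behind refreshing the baseline, and a reason to keep the window long enough that one bad interval does not dominate it.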
This document provides a comprehensive guide for installing and configuring the SmartConnector for various security tools to collect event reports. The supported platforms include Java 1.3 or later, with specific versions of Qualys Vulnerability Scanner (4.0, 4.7, 5.0, 6.3, and 6.5); McAfee ePolicy Orchestrator (ePO) products including Host Intrusion Protection System (HIPS), VirusScan Enterprise (VSE), Data Loss Prevention (HDLP), Policy Auditor, GroupShield, Rogue System Detection (RSD), Agent, and Desktop Firewall; Imperva SecureSphere version 6.2; Snort IDS versions 1.7-2.4, 2.6, 2.8, and 2.9; and Microsoft System Center Operations Manager (Operations Manager) in various versions including 2000, 2005, 2007, and 2007 R2 on Windows Server 2003 R2.
Rity v1.1 SP1 with MOM 2005 is a software package that integrates Cisco ASA (Adaptive Security Appliance) and FWSM (Firewall Services Module) firewalls with ArcSight, enhancing security information management capabilities. It allows syslog events from these devices to be imported so that network activity can be monitored within the ArcSight system.
UC 39 - Oracle Identity Management or other LDP IAM Solution pertains to managing user identities and access control in large organizations using Oracle's identity management solutions or similar systems designed for identity and access management (IAM). This capability helps ensure that only authorized users can access specific resources, enhancing overall security posture.
UC 40 - Double NAT involves a topology in which a private network sits behind a NAT device whose outside address is itself a private address behind a second NAT device, so a packet's source address is rewritten twice before it reaches the public internet. In such environments, XYZ needs assistance in linking the original threat source back through two or more NAT layers for effective detection and response. The solution should be adaptable during demonstrations so that rules can be created and evaluated against realistic scenarios involving multiple NAT layers.
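Tracing the original source through two NAT layers means walking the translation records outermost first: look up the (address, port) the downstream sensor saw in the outer NAT's table for the time of the event, take the inside pair it maps to, and repeat against the inner NAT's table. The time matters because NAT devices reuse outside ports, so the same public (address, port) belongs to different inside hosts at different times. The block below is an added example, not code from the use-case document or from ArcSight; it shows that walk over constructed translation tables of the kind that parsed ASA/FWSM translation syslog messages would populate. The addresses and time ranges are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# One translation record: inside (addr, port) <-> outside (addr, port), active [start, end].
Xlate = namedtuple("Xlate", "start end inside_addr inside_port outside_addr outside_port")

T0 = datetime(2024, 1, 1, 12, 0, 0)
MIN = timedelta(minutes=1)

# Constructed outer NAT table: 10.0.0.x (middle private network) -> 203.0.113.9 (public).
# Note the public port 55001 is reused for a different inside host later on.
OUTER_NAT = [
    Xlate(T0, T0 + 10 * MIN, "10.0.0.5", 40001, "203.0.113.9", 55001),
    Xlate(T0 + 20 * MIN, T0 + 30 * MIN, "10.0.0.7", 40002, "203.0.113.9", 55001),
    Xlate(T0 + 40 * MIN, T0 + 50 * MIN, "10.0.0.9", 40003, "203.0.113.9", 55002),
]
# Constructed inner NAT table: 192.168.x.x (edge private network) -> 10.0.0.x.
# There is deliberately no record for 10.0.0.9: that hop cannot be attributed.
INNER_NAT = [
    Xlate(T0, T0 + 10 * MIN, "192.168.10.23", 51515, "10.0.0.5", 40001),
    Xlate(T0 + 20 * MIN, T0 + 30 * MIN, "192.168.20.5", 51000, "10.0.0.7", 40002),
]


def resolve(addr, port, when, table):
    """Return the inside (addr, port) whose translation to (addr, port) was active
    at `when`, or None if this NAT layer has no matching record."""
    for x in table:
        if (x.outside_addr, x.outside_port) == (addr, port) and x.start <= when <= x.end:
            return (x.inside_addr, x.inside_port)
    return None


def trace_source(addr, port, when, layers):
    """Walk the NAT layers from outermost to innermost. Returns the chain of
    (addr, port) hops starting with the observed pair; the chain stops at the
    first layer without an active translation, which is where attribution fails."""
    chain = [(addr, port)]
    for table in layers:
        hop = resolve(chain[-1][0], chain[-1][1], when, table)
        if hop is None:
            break
        chain.append(hop)
    return chain


if __name__ == "__main__":
    layers = [OUTER_NAT, INNER_NAT]
    for minutes in (5, 25, 15, 45):
        print(f"T0+{minutes:2}m:", trace_source("203.0.113.9", 55001 if minutes < 40 else 55002,
                                               T0 + minutes * MIN, layers))
```

The same observed pair 203.0.113.9:55001 resolves to 192.168.10.23 at T0+5 min and to 192.168.20.5 at T0+25 min, and to nothing at T0+15 min when no translation was active. A chain that ends one hop short (the 10.0.0.9 case) tells the analyst exactly which NAT layer's logs are missing, which is the gap a rule for this use case should surface rather than hide.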