The ArcSight Compliance Tool Kit
Morris Hicks, Consulting Technical Director. © 2009 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.
Risks are Real and Invite Regulation
Compliance in a Nutshell
1. Document/define
– Business processes
– Critical cyber assets
2. Internal controls
– Properly defined
– Monitored
– Enforced
Compliance in a Nutshell (cont.)
3. Implement a secure and auditable log archive
– Converge disparate sources
– Normalize formats
– Capture high event rates
– Transit slow, remote links
– Establish search, analysis, and reporting
4. Enable event alerting and response
– Real-time monitoring
– Rapid notification
– Intelligent response
– Workflow
– Documentation
5. Integrate views of who took action, how and when
The ArcSight Approach to Compliance
Prepackaged content—auditors (SOX, HIPAA, PCI, NERC, ITGOV, FISMA)
Share best practices
Extend the platform—custom use case development
Roadmap
Controls
In most cases, regulations do not specify a comprehensive set of controls
Frameworks
– ISO 27002:2005 (formerly ISO 17799)
– NIST SP 800-53
– COBIT 4
Other drivers of controls
– Audit findings
– Security assessment findings
– Organizational policy
ArcSight Auditors
Prepackaged content to address the most common controls (SOX, PCI, NERC, HIPAA, FISMA)
– Logger: reports, searches, alerts
– ESM: rules, reports, dashboards
ISO 27002-based
Network modeling
– Identify regulated systems
– Categorize regulated systems
– Import active list data
ArcSight Auditors (cont.)
Content relies on many data sources
– IDS
– OS
– IAM
– The solution guide lists the 20 necessary data sources
UCI (Use Case Identifier) discerns functional content – UCI DEMO!
UCI DEMO (part 1)
UCI DEMO (part 2)
Real-time Dashboards
Graphical summary
Highly configurable
Drill down for detail
Rule Actions & Reports
Rules may initiate actions – Notifications – Case creation
Reports – Scheduled – On demand
Active Channels Live event collection
Filter
Sort
Drilldown
Auditors Based on ISO Framework (ISO 27002 section, topic, use cases)
1-3 Introductory Sections
– Not Applicable
4 Risk Assessment & Treatment
– Security Overview
5 Security Policy
– Policy Violations
– High Risk Event Analysis
– New Services and Hosts
6 Organization of Information Security
– Reporting on Cases
7 Asset Management
– Asset Inventory Reporting
– Data Classification Reporting & Monitoring
8 Human Resources Security
– Watching New Hires & Former Employees
9 Physical & Environmental Security
– Physical Building Access
– Internet Usage Reporting and Monitoring
Auditors Based on ISO Framework (cont.)
10 Communications & Operations Management
– Configuration Management (File & Configuration Changes, Maintenance Schedules)
– Audit Trails
– Separation of Development, Test, & Operations Facilities
– Malicious Code Monitoring
– IP Address/User Name Attribution
11 Access Control
– User Management (User Access)
– Authorization Changes
– Password Policy
– Privileged Accounts (Administrative Access)
– Network Services (including routing, firewall, & VPN)
– Segregation of Networks
– Role Based Access Monitoring
Auditors Based on ISO Framework (cont.)
12 Information Systems Acquisition, Development & Maintenance
– Certificate Management
– Attack Monitoring
– Vulnerability Management
13 Information Security Incident Management
– Internal Reconnaissance
– Escalated Threats
14 Business Continuity Management
– Availability
– Highly Critical Machines
15 Compliance
– Intellectual Property Rights & Information Leaks
– Personal and Company Information Resource Misuse (excessive email, illegal content downloads, etc.)
– Policy Breaches (P2P, IM, etc.)
Common Compliance Applications
What are the most common ArcSight compliance applications?
Access monitoring
Configuration management
Attacks and malicious code
Audit trail
Network segmentation
Extending the Core Capability of Auditors (ISO 27002 section, use case, examples)
How are customers extending the core capability of the auditors?
Section 10 – Communications & Operations Management
Configuration Management
– Modifications to application binaries, configuration files/tables and other sensitive files/tables
– Report and review of all configuration changes
– Policy change attempts, unscheduled changes
Audit Trail
– Audit logs cleared/deleted
– Audit logs unavailable, i.e. not received
– Attempts to disable/change auditing
Attacks and Malicious Code
– High severity attacks; IDS attacks followed by a login from the attacking host
– Attacks from regulated systems
– Antivirus, P2P, spyware, infections
Extending the Core Capability of Auditors (cont.)
Section 11 – Access Controls
Administrative Access
– Successful and unsuccessful logins
– Local administrative user created or administrative rights granted
– Administrative actions (su, sudo, file modification, etc.)
User Access
– Successful and unsuccessful logins
– Local user created; user created followed by access to a regulated system; privilege granted followed by access to a regulated system
– User activity reports
Unauthorized Access
– Administrative connections from an unauthorized host
– Access to an unauthorized service
– Unauthorized user access; new authorized user
Extending the Core Capability of Auditors (cont.)
Section 12 – Information Systems Acquisition, Development & Maintenance
Change Management
– Changes made outside of the maintenance window
– Correlate change requests to implemented changes
– Changes performed by personnel not in an appropriate role
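Each of the Section 10, 11 and 12 extensions above is a rule over normalized events, several of them sequence rules (IDS attack followed by a login from the attacking host, user created followed by access to a regulated system, change made outside the maintenance window), and all of them depend on the regulated-system active list produced by the network modeling step. The following Python is an added example written for this page to show what such rules look like when run over a log; it is not ArcSight content or ArcSight rule syntax. The pipe-separated event format, the field names, the regulated-host and admin-source lists, the maintenance window and the sample log lines are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed "active list" of regulated (in-scope) hosts, as the network modeling
# step would populate it. Constructed for this example.
REGULATED_HOSTS = {"db-prod-01", "erp-app-01"}
# Assumed privileged accounts and the only source addresses allowed to use them.
PRIV_ACCOUNTS = {"root", "dba"}
ADMIN_SOURCES = {"10.0.0.5"}
# Assumed maintenance window: Sunday (weekday 6), 02:00-04:00, event-local time.
MAINT_WINDOW = (6, 2, 4)

# Constructed, already-normalized events: ts|category|host|user|src
# For user_created, `user` is the account created; for ids_attack, `src` is the attacker.
SAMPLE_LOG = [
    "2009-03-01T02:30:00|config_change|db-prod-01|dba|10.0.0.5",
    "2009-03-01T10:00:00|ids_attack|erp-app-01|-|10.9.9.9",
    "2009-03-01T10:05:00|login_success|erp-app-01|jsmith|10.9.9.9",
    "2009-03-01T10:10:00|login_success|db-prod-01|root|192.168.50.7",
    "2009-03-01T11:00:00|user_created|db-prod-01|tempadmin|10.0.0.5",
    "2009-03-01T11:20:00|login_success|db-prod-01|tempadmin|10.0.0.5",
    "2009-03-01T11:30:00|config_change|db-prod-01|dba|10.0.0.5",
    "2009-03-01T12:00:00|audit_cleared|db-prod-01|dba|10.0.0.5",
]


def parse(line):
    """Split one constructed log line into a normalized event dict."""
    ts, cat, host, user, src = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "cat": cat,
            "host": host, "user": user, "src": src}


def in_maintenance_window(ts):
    weekday, start_hour, end_hour = MAINT_WINDOW
    return ts.weekday() == weekday and start_hour <= ts.hour < end_hour


def followed_by(events, i, window, predicate):
    """Yield events after index i that fall within `window` of events[i] and match."""
    first = events[i]
    for later in events[i + 1:]:
        if later["ts"] - first["ts"] > window:
            break
        if predicate(later):
            yield later


def correlate(events, window=timedelta(hours=1)):
    """Return (rule name, triggering event) pairs for the rules described on the page."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(events):
        # Section 10, audit trail: clearing or disabling auditing is always reportable.
        if e["cat"] in ("audit_cleared", "audit_disabled"):
            alerts.append(("audit-trail", e))
        # Section 12, change management: change on a regulated host outside the window.
        if (e["cat"] == "config_change" and e["host"] in REGULATED_HOSTS
                and not in_maintenance_window(e["ts"])):
            alerts.append(("change-outside-window", e))
        # Section 11, unauthorized access: privileged login from a non-admin source.
        if (e["cat"] == "login_success" and e["user"] in PRIV_ACCOUNTS
                and e["src"] not in ADMIN_SOURCES):
            alerts.append(("unauthorized-admin-source", e))
        # Section 10, attacks: IDS attack followed by a login from the attacking address.
        if e["cat"] == "ids_attack":
            for f in followed_by(events, i, window,
                                 lambda f: f["cat"] == "login_success" and f["src"] == e["src"]):
                alerts.append(("attack-then-login", f))
        # Section 11, user access: account created, then used on a regulated host.
        if e["cat"] == "user_created":
            for f in followed_by(events, i, window,
                                 lambda f: f["cat"] == "login_success"
                                 and f["user"] == e["user"]
                                 and f["host"] in REGULATED_HOSTS):
                alerts.append(("new-user-accessed-regulated", f))
    return alerts


def run_example():
    return correlate([parse(line) for line in SAMPLE_LOG])


if __name__ == "__main__":
    for name, ev in run_example():
        print(f"{ev['ts'].isoformat()} {name:28} host={ev['host']} "
              f"user={ev['user']} src={ev['src']}")
```

On the constructed log the 02:30 change is silent because it falls inside the assumed window, while the 11:30 change on the same host alerts; the two sequence rules fire on the later event of the pair, which is the event an analyst wants in the case, and the one-hour window is the kind of threshold that has to be tuned per control rather than left at a default.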
ArcSight Approach to Compliance
Prepackaged content
– Auditors
– Based on ISO framework
– Use case identifier
Best practices
– Engagement drivers
– Common applications of the technology
How the platform can be extended—custom use case development
Roadmap
Maximizing Value
Articulate requirements
– Select controls from discussed best practices
– Sample control matrix
– Audit results (internal/external)
– Security assessment results/penetration tests
– Security policy & procedures
– Interviews with key personnel (PMO, Internal Audit, Compliance, InfoSec)
– Architecture overview
Prioritize controls for implementation
Align resources
– Personnel for interviews
– System access for technology implementation
How ArcSight Can Help
Convey industry and customer best practices
Provide sample control matrix
Define technical dependencies for selected controls
Implement the solution
Training/knowledge transfer
Provide solution roadmap