© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
ArcSight SIEM and data privacy best practices
Frank Lange, Sr. Sales Engineer

ArcSight SIEM Best Practices


    A StreetView example


    Data privacy in the SIEM world

Drivers:
- National data protection laws
- Data privacy guidelines
- Workers council requirements

Use cases:
- Protect user-related data, but still do correlation
- Prevent the forwarding of specific events outside of a legal entity, but still retain them locally


    Elements we will talk about

    ESM/Express

    Logger

    Connector

    ArcSight


    Connector


    Connector obfuscation configuration

- Destination-specific setting: each destination has its own obfuscation configuration, so one destination can receive hashed fields while another receives the clear values
- One or many fields
- Uses the MD5 hash algorithm
- One-way operation
- High performance

Because the hash is deterministic, the same clear value always produces the same token; that is what keeps correlation working on the obfuscated copy. The same property means that an unsalted hash of a low-entropy field (a user name, an IPv4 address) can be reversed by hashing candidate values and comparing, so treat obfuscation as pseudonymisation rather than anonymisation and restrict who may see even the hashed events.

Destination configuration file shown on the slide:
.\current\user\agent\3nOjT4xEBABCBuS8G8BXhnw==.xml

...
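The following is an added illustration, not ArcSight connector code: it models destination-specific field obfuscation with MD5 on a few constructed login events, shows that a correlation rule (failed logins followed by a success for the same user and address) gives the same verdict on the hashed copy as on the clear copy, and then demonstrates the caveat above by reversing the hashed address with 256 guesses. The per-destination field table, the event layout and the optional salt parameter are assumptions of this example, not documented connector settings.

```python
import hashlib

# Constructed sample events in CEF extension form (not real SmartConnector output).
# suser = source user name, src = source address, act = device action.
EVENTS = [
    {"name": "Login failed",  "suser": "j.mueller", "src": "10.1.2.3", "act": "deny"},
    {"name": "Login failed",  "suser": "j.mueller", "src": "10.1.2.3", "act": "deny"},
    {"name": "Login success", "suser": "j.mueller", "src": "10.1.2.3", "act": "allow"},
    {"name": "Login failed",  "suser": "a.schmidt", "src": "10.1.2.9", "act": "deny"},
]

# Hypothetical per-destination obfuscation setting: the ESM destination gets hashed
# user-related fields, the local Logger destination keeps them in clear text.
DESTINATION_FIELDS = {"esm": ("suser", "src"), "logger": ()}


def obfuscate(value, salt=b""):
    """One-way, deterministic token: MD5 as on the slide. The salt parameter is this
    example's addition (not a documented connector option) to show why it matters."""
    return hashlib.md5(salt + value.encode("utf-8")).hexdigest()


def forward(event, destination, salt=b""):
    """Apply the destination's field list; other destinations see the original event."""
    out = dict(event)
    for field_name in DESTINATION_FIELDS[destination]:
        out[field_name] = obfuscate(out[field_name], salt)
    return out


def failed_then_success(events, min_failures=2):
    """Correlation rule: at least min_failures denied logins followed by an allowed login
    for the same (suser, src). Runs unchanged on hashed values, since equal inputs hash equally."""
    failures = {}
    alerts = []
    for e in events:
        key = (e["suser"], e["src"])
        if e["act"] == "deny":
            failures[key] = failures.get(key, 0) + 1
        elif e["act"] == "allow" and failures.get(key, 0) >= min_failures:
            alerts.append(key)
    return alerts


def reverse_token(token, candidates, salt=b""):
    """Caveat: an unsalted hash of a low-entropy field is reversed by hashing guesses."""
    for cand in candidates:
        if obfuscate(cand, salt) == token:
            return cand
    return None


def ipv4_candidates(prefix="10.1.2."):
    """Enumerate one /24 (256 guesses), enough for the constructed sample addresses."""
    return (f"{prefix}{host}" for host in range(256))


if __name__ == "__main__":
    esm_view = [forward(e, "esm") for e in EVENTS]
    logger_view = [forward(e, "logger") for e in EVENTS]
    alerts = failed_then_success(esm_view)
    print("ESM alert keys (hashed user, hashed address):", alerts)
    print("Logger copy unchanged:", logger_view == EVENTS)
    _, src_token = alerts[0]
    print("address recovered from ESM token:", reverse_token(src_token, ipv4_candidates()))
    print("same attempt against a salted token:",
          reverse_token(obfuscate("10.1.2.3", b"secret"), ipv4_candidates()))
```

The rule fires on the ESM copy exactly as on the clear copy, and the Logger copy is untouched, which is the property the deck relies on. The last two lines are the practitioner's check: a /24 of guesses recovers the address from the unsalted token, while the same guesses fail against a token that mixes in a secret the attacker does not have.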


    Connector obfuscation ESM console view


    ESM/Express


    ESM/Express role-based access

    Access Control Lists (ACL) based on User Groups with inheritance


    ESM/Express I. FieldSets

- A FieldSet is a number of fields in a specific order
- An ActiveChannel allows a default FieldSet
- Ad hoc customizable (Add/Remove Column)

Because a user can add columns ad hoc, a FieldSet only shapes the default view; it is not an access control. Fields a user must not see have to be withheld by the event filter and ACL layers below, or never reach ESM in the clear.


    ESM/Express II. Event Filter

- Restricts access to a subset of events
- Based on standard Filters
- Enforced at the User Group level
- Transparent to the user


    ESM/Express III. Actors

- IdentityView
- Granular restriction via ACL
- Restriction on all Actors, on a Domain, or on Types
- Allows mixed mode


    ESM/Express III. Actors

    Not an all-or-nothing option, allows view of Actor data based on membership level


    Logger


    Logger Search Group Filter

- Restricts access to a subset of events only
- Restriction is based on user group membership and is transparent to the Logger user
- Implemented as RegEx filters
- Also applies to searches on peer Loggers
- Search performance depends on how fast the RegEx filters evaluate, since they are applied to every candidate event of every search by a restricted user


    All together


    A powerful mix example scenario

- Only obfuscated events are sent to ESM; a special user has access to the Logger
- An Integration Command can search for the unobfuscated data on the remote Logger from within the ESM console
- Only the special user is allowed to access the unobfuscated data on the Logger

[Diagram: Connector with destination-specific obfuscation feeding ESM/Express and Logger; Search from ESM/Express to Logger]


    Summary

- Multi-layer approach
- Impact on SIEM design
- Correlation and data privacy at the same time
- Like a StreetView for SIEM


    Thank you


    Security for the new reality
