ArcSight SIEM Best Practices
Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
ArcSight SIEM and data privacy best practices
Frank Lange, Sr. Sales Engineer
A StreetView example
Data privacy in the SIEM world
National data protection laws
Data privacy guidelines
Workers council requirements
Use cases:
Protect user related data - still do correlation
Prevent the forwarding of specific events outside of a legal entity - still retain them locally
Elements we will talk about
ESM/Express
Logger
Connector
ArcSight
Connector
Connector obfuscation configuration
Destination-specific setting
One or many fields
Uses the MD5 hash algorithm
One-way operation
High performance
.\current\user\agent\3nOjT4xEBABCBuS8G8BXhnw==.xml
...
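The destination-specific, one-way field obfuscation described above, as an added illustration (not ArcSight's own code): the same clear value always hashes to the same token, so ESM can still correlate on the hashed copy while the local Logger keeps the clear-text event. The field names, the per-destination configuration and the sample events are assumptions constructed for this example.

```python
import hashlib
from typing import Dict, Iterable, List

# Constructed sample events (CEF-style field names, not real ArcSight output).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"name": "login", "sourceUserName": "alice", "sourceAddress": "10.0.0.5"},
    {"name": "login", "sourceUserName": "bob", "sourceAddress": "10.0.0.6"},
    {"name": "login", "sourceUserName": "alice", "sourceAddress": "10.0.0.7"},
]

# Hypothetical per-destination setting: which fields get hashed for which destination.
# ESM only ever receives hashed user data; the local Logger keeps the clear-text event.
DESTINATION_FIELDS: Dict[str, Iterable[str]] = {
    "esm": ("sourceUserName", "sourceAddress"),
    "logger": (),
}


def obfuscate_value(value: str) -> str:
    """One-way MD5 digest, as the slide describes. Defender's note: an unsalted hash
    of a low-entropy value such as a user name can be reversed with a word list, so
    the hashed copy still needs access control; a keyed hash would resist that but
    goes beyond what the slide describes."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def obfuscate_event(event: Dict[str, str], fields: Iterable[str]) -> Dict[str, str]:
    """Return a copy of the event with the selected fields replaced by their hash."""
    out = dict(event)
    for field in fields:
        if field in out:
            out[field] = obfuscate_value(out[field])
    return out


def dispatch(event: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Build the per-destination copies a connector would forward for one event."""
    return {dest: obfuscate_event(event, fields) for dest, fields in DESTINATION_FIELDS.items()}


def logins_per_user(events: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Correlation on the hashed copy: equal clear values hash to equal tokens,
    so counting logins per sourceUserName works without seeing the real name."""
    counts: Dict[str, int] = {}
    for e in events:
        counts[e["sourceUserName"]] = counts.get(e["sourceUserName"], 0) + 1
    return counts


if __name__ == "__main__":
    esm_copies = [dispatch(e)["esm"] for e in SAMPLE_EVENTS]
    print(logins_per_user(esm_copies))
```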
Connector obfuscation ESM console view
ESM/Express
ESM/Express role-based access
Access Control Lists (ACL) based on User Groups with inheritance
ESM/Express I. FieldSets
FieldSet: a number of fields in a specific order
ActiveChannel allows a default FieldSet
Ad hoc customizable (Add/Remove Column)
ESM/Express II. Event Filter
Restricts access to a subset of events
Based on standard Filters
Enforced on User Group level
Transparent to the user
ESM/Express III. Actors
IdentityView
Granular restriction via ACL
Restriction on all Actors, a Domain, or Types
Allows Mixed Mode
ESM/Express III. Actors
Not an all-or-nothing option, allows view of Actor data based on membership level
Logger
Logger Search Group Filter
Restricts access to a subset of events only
Restriction based on user group membership, transparent to the Logger user
RegEx filters
Applies on peer Loggers
Performance depends on RegEx speed
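A group-based search filter of the kind described above, as an added illustration (not Logger's own code): the user's group filters are applied before the user's own query runs, so the restriction is transparent, and the regexes are compiled once because regex speed is the cost of this feature. The group names, the user memberships, the sample events and the union semantics for users in several groups are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample raw events as a Logger would index them (not real ArcSight data).
EVENTS: List[str] = [
    "CEF:0|ExampleVPN|gw|1.0|100|login|3|suser=alice src=10.0.0.5 cs1=DE-Entity",
    "CEF:0|ExampleVPN|gw|1.0|100|login|3|suser=bob src=10.0.0.6 cs1=US-Entity",
    "CEF:0|ExampleFW|fw|2.0|200|deny|5|src=10.0.0.7 dst=192.0.2.1 cs1=DE-Entity",
]

# Hypothetical group -> search group filter. Regexes are compiled once, since the
# slide flags RegEx speed as the performance cost. None means the group is unrestricted.
GROUP_FILTERS: Dict[str, Optional[re.Pattern]] = {
    "privacy-officers": None,
    "de-analysts": re.compile(r"cs1=DE-Entity"),
    "firewall-team": re.compile(r"^CEF:0\|ExampleFW\|"),
}

# Hypothetical user -> group memberships.
USER_GROUPS: Dict[str, List[str]] = {
    "frank": ["privacy-officers"],
    "dana": ["de-analysts"],
    "fred": ["firewall-team"],
}


def visible_events(user: str, events: List[str] = EVENTS) -> List[str]:
    """Apply the user's group filters before any search runs (transparent to the user).
    Assumption for this example: a user in several groups sees the union of their
    groups' results; a user in no known group sees nothing (deny by default)."""
    groups = USER_GROUPS.get(user, [])
    filters = [GROUP_FILTERS[g] for g in groups if g in GROUP_FILTERS]
    if not filters:
        return []
    if any(f is None for f in filters):
        return list(events)
    return [e for e in events if any(f.search(e) for f in filters)]


def search(user: str, query: str) -> List[str]:
    """The user's own query runs only over the events the group filter lets through."""
    pattern = re.compile(query)
    return [e for e in visible_events(user) if pattern.search(e)]


if __name__ == "__main__":
    for who in ("frank", "dana", "fred", "nobody"):
        print(who, len(search(who, "login")), "login events visible")
```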
All together
A powerful mix example scenario
Only obfuscated events go to ESM
A special user with the Logger Integration Command can search for unobfuscated data on the remote Logger from within the ESM console
Only the special user is allowed to access unobfuscated data on Logger
Diagram: Connector (destination-specific obfuscation) feeding ESM/Express and Logger, with the search from ESM/Express to Logger
Summary
Multi-layer approach
Impact on SIEM design
Correlation and data privacy at the same time
Like a StreetView for SIEM
Thank you
Security for the new reality