ArcSight_Whitepaper_EnterpriseView

  • 7/28/2019 ArcSight_Whitepaper_EnterpriseView

    1/7

    Whitepaper

    ArcSight, Inc.

    5 Results Way, Cupertino, CA 95014, USA
    www.arcsight.com
    [email protected]

    Corporate Headquarters: 1-888-415-ARST
    EMEA Headquarters: +44 870 351 6510

    Asia Pac Headquarters: 852 2166 8302

    ArcSight EnterpriseView

    Monitoring Enterprise-wide Business Risk

    Research 008-013009-03

    Whitepaper: ArcSight EnterpriseView

    ArcSight

    Overview

    This paper presents ArcSight EnterpriseView, a solution designed to help customers understand who is on the network, what data they are seeing, and which actions they are taking with that data. While doing so, EnterpriseView provides the context to understand whether the business faces additional risk of data loss, compliance breach, or fraud.

    ArcSight EnterpriseView was created to help organizations better understand their business and security risk by connecting the dots across the many activities that occur during normal business operations. Many companies look to Security Information and Event Management (SIEM) technologies to correlate activity and detect network threats. EnterpriseView raises the bar by applying real-time correlation and analysis to a much broader level of business information.

    To better understand the drivers behind EnterpriseView, consider the evolution of security information and event management.

    Background: SIEM and Modern Threats

    Over the past decade, adoption of SIEM technologies has followed several phases.

    Phase 1 - Secure the Perimeter

    Initially, SIEM was deployed to monitor network perimeter security devices. Most new SIEM installations today begin this way as well. The SIEM is deployed to ensure that firewalls, IDS/IPS and VPNs are working correctly, blocking external threats such as worms, bots, etc. In addition, if malware does get through the firewall, the SIEM can help administrators determine the extent of the infection and which machines need quarantining or rebuilding.

    Phase 2 - Defend the Network

    After ensuring that the perimeter is secure, organizations typically move on to the internal network, i.e. servers and desktops. Typical analysis at this level involves monitoring to ensure that systems have the latest security patches or anti-virus updates. Again, the goal is to monitor to ensure that threat prevention products are working correctly. And again, if these products miss a threat (for example, if an employee gets a virus on his laptop while surfing the web over the weekend, then plugs in to the corporate network on Monday morning), SIEM products help the IT administrators determine which products need repair or rebuilding.

    While these scenarios have been quite common for many years, changes in the business and technology environment are driving customers to reconsider their notions of security monitoring.

    What's Changing

    Organizations of almost all sizes and industries now struggle with these changes:

    More Transactions Online: Electronic banking, payment services such as PayPal, self-service wire transfer and self-service stock trading are just a few of the electronic transaction services now widely used by consumers. As a result, more transactions are electronic than ever before, which creates more payment and financial information at risk of a breach.

    More Mergers and Acquisitions: Mergers bring new systems, new users, and more points where information can fall through the cracks, and therefore open up new threats. For example, when two large organizations are integrated, it takes time to rationalize the user communities, and existing systems may not recognize the merged users. In the confusion, it is much easier for a malicious insider to take sensitive data without detection.

    Figure: activity sources correlated to answer "What did my DBAs do last week?" Directories and identity management systems supply users and roles; activity comes from database queries, badge swipes, USB file saves, VPN logins, file access, emails sent, screen prints, web surfing and hosted apps.

    More Layoffs: In a recent survey [1], 71% of IT administrators responded that they would take sensitive information if they knew they would be laid off. Though this figure is likely too high, it highlights the risk of key users retaliating to loss of employment by stealing data. As economic conditions worsen, this risk only rises.

    More Outsourcing: As more business functions are outsourced to partner organizations, the trusted outsider, i.e. a non-employee who has access to a company's internal systems, becomes more common. IT departments must balance the need to trust partner organizations against risk to the business.

    More SaaS: Finally, architectures that deliver applications as hosted services are becoming very common. As a result, a corporation may no longer control the operations, access, and data of its critical applications. This has implications for security monitoring.

    The result of the above changes is a need for a new security and risk monitoring platform. A recent study by McAfee indicates that businesses are at risk of losing billions [2] due to data breach or theft. An effective solution to the risks posed by the modern IT operating environment must secure the perimeter and defend the network against malware and hackers, while also protecting against fraud, data breaches, and risky actions by trusted users. This is a threat to the business and requires new types of analysis.

    Some Examples

    To highlight the risks that organizations must manage, given the changes described above, consider the following scenarios:

    Privileged User Monitoring

    Organizations will spend billions of dollars on identity management products this year. Despite that expense, most companies cannot answer the question, "What did my DBAs do last week?" That is because the answer requires not only the user and role management of an IdM solution, but also the activity collection and correlation of a SIEM solution. For example, the answer might require all DBA user account IDs, as well as badge entries into company buildings, emails sent, database queries executed, files saved to USB drives, files opened on the file system, web activity, etc. By connecting identity information with role information and also with activity information, a complete picture emerges. As a result, risky activity by privileged users becomes easier to identify and prevent.

    Sensitive Data Protection

    Products such as data leakage prevention (DLP) and database activity monitoring (DAM) are often purchased to detect unusual activities around confidential data. However, each product is focused on a specific area (e.g. the company's relational databases) and is likely not able to tie together activities that occur enterprise-wide. For example, a user might query a database for customers' social security numbers (database), save the results to a file on the network (file system), copy the file to a local USB drive (desktop), or email it to a Hotmail account (web gateway). Even worse, a large organization may have deployed an entirely different data monitoring product at each of these points. A useful solution would correlate activities at each of these points, as well as with activities occurring elsewhere. As a result, detecting unauthorized activity that will cause a data breach happens early, before the information is lost.

    [1] ComputerWorld (www.computerworld.com), December 2, 2008
    [2] Unsecured Economies: Protecting Vital Information, McAfee, January 2009

    Figure: shared account attribution. Windows logins (fbarnes from IP 10.0.0.5 on 12/4/08 at 10:05 AM; jsmith from IP 10.0.0.4 on 12/5/08 at 11:15 AM) are correlated with logins to the Finance application as the shared account ADMIN from the same IP addresses, identifying who was using the shared account at each time.

    Fraud Detection

    Online banking is popular with banks as well as customers, due to lower costs and faster response. Unfortunately, online fraud is rising as fast as online banking. The most common scenario is some form of account takeover, often via phishing. The customer's account is compromised, and a hacker transfers the money out before the problem is detected. By the time the customer complains, the money is gone. However, fraudulent activity can often be detected by correlating account information and activity and comparing it to historical data. For example, is the customer wiring out an unusually large amount of money? Was this account set up only recently? Is it a single-custody account (only one signature required)? Has the security information or max wire amount been changed recently? Connecting these bits of information can give a firm time to identify and block fraudulent transactions.
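The four questions above can be written as a scoring rule. The following Python is an added example, not ArcSight's rule logic: the account fields, the 30-day "recent" window and the block/review thresholds are assumptions, and the two sample accounts are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed sample data standing in for a bank's account records. Field names and
# thresholds are assumptions for this example, not EnterpriseView's own rule set.
@dataclass
class Account:
    account_id: str
    opened: date
    single_custody: bool           # only one signature required to move money
    security_info_changed: date    # last change to contact or security details
    max_wire_changed: date         # last change to the account's wire limit
    wire_history: list = field(default_factory=list)  # past outgoing wire amounts

def fraud_indicators(acct, amount, requested, recent_days=30):
    """Names of the paper's four account-takeover questions that answer 'yes'."""
    hits = []
    hist = acct.wire_history
    # Unusually large: beyond mean + 3 standard deviations once there is enough
    # history; otherwise more than three times the largest past wire.
    if len(hist) >= 5:
        limit = mean(hist) + 3 * pstdev(hist)
    elif hist:
        limit = 3 * max(hist)
    else:
        limit = 0.0                # no baseline at all: any wire counts as unusual
    if amount > limit:
        hits.append("unusual_amount")
    recent = timedelta(days=recent_days)
    if requested - acct.opened <= recent:
        hits.append("new_account")
    if acct.single_custody:
        hits.append("single_custody")
    if (requested - acct.security_info_changed <= recent
            or requested - acct.max_wire_changed <= recent):
        hits.append("recent_profile_change")
    return hits

def decide(acct, amount, requested):
    """Block when an unusual amount coincides with two takeover precursors, hold for
    review on any two indicators, otherwise release. Thresholds are illustrative."""
    hits = fraud_indicators(acct, amount, requested)
    others = [h for h in hits if h != "unusual_amount"]
    if "unusual_amount" in hits and len(others) >= 2:
        return "block", hits
    if len(hits) >= 2:
        return "review", hits
    return "release", hits

TODAY = date(2008, 12, 4)          # constructed evaluation date
# A recently opened single-custody account whose contact details changed days ago.
SUSPECT = Account("ACC-1001", date(2008, 11, 20), True, date(2008, 12, 1),
                  date(2008, 6, 1), [500, 750, 600, 800, 650, 700])
# An established two-signature account with a steady wire pattern.
ROUTINE = Account("ACC-2002", date(2001, 3, 15), False, date(2008, 1, 10),
                  date(2007, 5, 5), [1000, 1200, 900, 1100, 1000])
```

A $25,000 wire from SUSPECT fires all four indicators and is blocked, while a $1,150 wire from ROUTINE fires none.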

    Shared Account Control

    A common IT security problem involves shared administrative accounts, either in server operating systems or in legacy custom applications. Multiple users share an admin account and password to log in and execute transactions. For example, these may be adding new users or executing trades. In either case, the organization cannot control usage, since it cannot determine who exactly is using the shared account. An effective solution uses correlation of user domain accounts, IP addresses, and shared accounts to determine who logged into the shared application at any particular time. As a result, the organization can demonstrate controls over access to key internal systems.
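The correlation described above, as an added Python example that is not part of the paper: Windows domain logins and shared-account application logins are joined on source IP, and the most recent domain user from that IP within a time window is named as the person behind the shared login. The event fields, the eight-hour window and the sample logins are assumptions modelled on the paper's Finance/ADMIN scenario.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on the paper's Finance scenario: two Windows users
# log in from their own desktops, then the shared ADMIN account logs into the Finance
# application from those desktops. Field names are assumptions, not a real log format.
DOMAIN_LOGINS = [
    {"time": "2008-12-04 10:05", "user": "fbarnes", "ip": "10.0.0.5"},
    {"time": "2008-12-05 08:00", "user": "fbarnes", "ip": "10.0.0.4"},  # hot-desking
    {"time": "2008-12-05 11:15", "user": "jsmith", "ip": "10.0.0.4"},
    {"time": "2008-12-04 09:00", "user": "tlee", "ip": "10.0.0.7"},
]
APP_LOGINS = [
    {"time": "2008-12-04 10:40", "app": "Finance", "account": "ADMIN", "ip": "10.0.0.5"},
    {"time": "2008-12-05 11:30", "app": "Finance", "account": "ADMIN", "ip": "10.0.0.4"},
    {"time": "2008-12-05 23:50", "app": "Finance", "account": "ADMIN", "ip": "10.0.0.7"},
]
SHARED_ACCOUNTS = {"ADMIN"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def attribute_shared_logins(domain_logins, app_logins, window_hours=8):
    """Name the person behind each shared-account login: the user most recently logged
    into the domain from the same IP, no earlier than window_hours before the login."""
    by_ip = {}
    for e in domain_logins:
        by_ip.setdefault(e["ip"], []).append((_ts(e["time"]), e["user"]))
    window = timedelta(hours=window_hours)
    results = []
    for e in app_logins:
        if e["account"] not in SHARED_ACCOUNTS:
            continue
        t = _ts(e["time"])
        # Domain logins from this IP that precede the app login and fall inside the window.
        candidates = [(lt, u) for lt, u in by_ip.get(e["ip"], []) if lt <= t <= lt + window]
        person = max(candidates)[1] if candidates else None
        # No attributable person means nobody can be held accountable: raise an alert.
        results.append({**e, "person": person, "alert": person is None})
    return results
```

The third login comes from a desktop whose only domain login is more than a day old, so it stays unattributed and is flagged.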

    EnterpriseView Defined

    EnterpriseView is an application that extends ArcSight ESM, a market-leading event correlation solution designed to monitor network security event information. By leveraging key functions in ESM and extending them into the areas of user monitoring, sensitive data protection, fraud detection, and risk management, EnterpriseView provides a new type of real-time event monitoring. The examples described above are handled via built-in components within EnterpriseView.

    Key EnterpriseView components include:

    User Model Framework

    ArcSight ESM operates based on an Asset Model that defines network assets, their classifications, zones, criticality, etc. EnterpriseView operates on a User Model that allows sophisticated correlation and analysis of users, in the same way that ESM correlates network asset activity. The User Model enables direct correlation of key attributes such as user role, department, etc.

    IdentitySync Adapters

    IdentitySync adapters connect to user identity stores, such as directories and identity management solutions, and synchronize users' identity and role information into the EnterpriseView User Model. As this information changes in the corporate systems, the adapters automatically update the User Model. IdentitySync adapters are very useful, as they allow EnterpriseView to detect role violations and access violations. For example, if a user account is terminated in the corporate IdM system, IdentitySync adapters will update EnterpriseView and enable it to fire an alert if the terminated user accesses a local server. The sync process happens automatically, including recovery after a directory failure.

    Figure: role violation example. For a Sales Admin, accessing the Oracle Financials application is marked OKAY, while opening Excel sheets on the Finance file server is marked NOT OKAY.

    Role Violation Monitoring

    EnterpriseView includes built-in rules and reports for detecting role violations, according to company policy. For example, the system can auto-detect when a sales rep accesses files on the finance server, and alert in real time. If any user's role changes in the corporate IdM system, the IdentitySync adapters will update EnterpriseView within seconds, so that role violation rules always operate on up-to-date information.

    Unique ID Mapping

    A typical employee has multiple account IDs: Windows domain ID, email ID, VPN ID, application IDs, badge, etc. It is difficult to get a full view of user activity without tying these IDs and the related activity logs together. EnterpriseView contains a component for mapping multiple accounts to a single master ID (designated by each customer). It then collects all activity across all of a user's accounts and rolls the activity up to the user level.
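The Unique ID Mapping, Role Violation Monitoring and IdentitySync behaviour described in the last three sections, as one added Python example (not EnterpriseView's code): account IDs from several log sources are mapped to a master ID, each event is checked against a role policy, and an IdM change (role change or termination) pushed into the User Model takes effect on the next event. The User Model schema, the policy and the events are constructed.

```python
# Constructed identity data standing in for what the paper's IdentitySync adapters
# would pull from a directory or IdM system. Names, fields and the policy are
# assumptions for this example, not EnterpriseView's own User Model schema.
USER_MODEL = {
    "jsmith": {"role": "sales_rep", "status": "active",
               "accounts": {"windows": "CORP\\jsmith", "vpn": "jsmith-vpn", "badge": "B-1041"}},
    "fbarnes": {"role": "finance_analyst", "status": "active",
                "accounts": {"windows": "CORP\\fbarnes", "oracle": "FBARNES", "badge": "B-2270"}},
}
# Company policy: the resources each role may touch.
ROLE_POLICY = {
    "sales_rep": {"crm_app", "sales_fileserver"},
    "finance_analyst": {"finance_fileserver", "oracle_financials"},
}

def account_index(model):
    """Unique ID mapping: invert each user's account list into {account ID -> master ID}."""
    return {acct: master for master, rec in model.items() for acct in rec["accounts"].values()}

def identity_sync(model, master, **changes):
    """Apply a change pushed from the IdM system (role change, termination) to the User Model."""
    model[master].update(changes)

def check_event(model, idx, event):
    """Return an alert string, or None, for one activity event keyed by any account ID."""
    master = idx.get(event["account"])
    if master is None:
        return f"unmapped account {event['account']} on {event['resource']}"
    rec = model[master]
    if rec["status"] == "terminated":
        return f"terminated user {master} accessed {event['resource']}"
    if event["resource"] not in ROLE_POLICY.get(rec["role"], set()):
        return f"role violation: {master} ({rec['role']}) accessed {event['resource']}"
    return None

def run(model, events):
    """Roll events from every log source up to the master ID, then apply the rules."""
    idx = account_index(model)
    return [a for a in (check_event(model, idx, e) for e in events) if a]

# Constructed activity events from different log sources, each carrying a different kind of ID.
EVENTS = [
    {"account": "CORP\\fbarnes", "resource": "finance_fileserver", "action": "open"},
    {"account": "CORP\\jsmith", "resource": "finance_fileserver", "action": "open"},
    {"account": "FBARNES", "resource": "oracle_financials", "action": "query"},
    {"account": "svc_backup", "resource": "finance_fileserver", "action": "open"},
]
```

Running the events once flags the sales rep on the finance server and an account the User Model has never seen; after a synced termination, the terminated user's access fires instead of passing.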

    Figure: the EnterpriseView ecosystem, with IdentityView, DataView and AppView partners feeding EnterpriseView.

    Activity Profiling

    By examining historical log data, EnterpriseView can determine unusual activities for a particular user, relative to previous behavior or to other users in the same role. When these profiles are created, EnterpriseView can then auto-generate new rules to detect unusual behavior in the future. As a result, it becomes easier to prevent unauthorized behavior and to evaluate user activity relative to corporate policy.
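Profiling against a user's own history and against peers in the same role, as an added Python example that is not part of the paper: a baseline is built from a week of daily query counts, a threshold rule is auto-generated from it, and a new day's count is scored against both baselines. The history values and the z-score threshold of 3 are assumptions.

```python
from statistics import mean, pstdev

# Constructed history: daily database-query counts per user over one week, plus each
# user's role. Names and values are assumptions for this example.
HISTORY = {
    "dba1": {"role": "dba", "daily_queries": [410, 390, 450, 420, 400, 430, 415]},
    "dba2": {"role": "dba", "daily_queries": [380, 400, 395, 410, 385, 405, 390]},
    "dba3": {"role": "dba", "daily_queries": [520, 480, 500, 510, 490, 505, 495]},
    "analyst1": {"role": "analyst", "daily_queries": [40, 35, 50, 45, 38, 42, 47]},
}

def zscore(value, samples):
    """Standard deviations above the sample mean; a flat history makes any change infinite."""
    sd = pstdev(samples)
    if sd == 0:
        return 0.0 if value == mean(samples) else float("inf")
    return (value - mean(samples)) / sd

def build_profiles(history):
    """Per-user baselines: the user's own past counts and the pooled counts of the same role."""
    by_role = {}
    for rec in history.values():
        by_role.setdefault(rec["role"], []).extend(rec["daily_queries"])
    return {user: {"self": rec["daily_queries"], "peers": by_role[rec["role"]]}
            for user, rec in history.items()}

def generate_rule(profiles, user, z_threshold=3.0):
    """Auto-generate a threshold rule for one user from the tighter of the two baselines."""
    p = profiles[user]
    limit = min(mean(p["self"]) + z_threshold * pstdev(p["self"]),
                mean(p["peers"]) + z_threshold * pstdev(p["peers"]))
    return {"user": user, "metric": "daily_queries", "max": round(limit)}

def evaluate(profiles, user, today, z_threshold=3.0):
    """Score today's count against both baselines; exceeding either one is anomalous."""
    p = profiles[user]
    z_self, z_peers = zscore(today, p["self"]), zscore(today, p["peers"])
    return {"user": user, "today": today, "z_self": round(z_self, 2),
            "z_peers": round(z_peers, 2),
            "anomalous": z_self > z_threshold or z_peers > z_threshold}

PROFILES = build_profiles(HISTORY)
```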

    DLP Rules

    Companies are increasingly buying data leakage prevention (DLP) products to help identify risky activities around their sensitive data. DLP products often generate many false positives, and even in broad deployments there are multiple points on the network where DLP products cannot reach. EnterpriseView contains built-in rules to correlate verdicts from DLP products with database security products, Web gateways, email gateways, and other products to filter out false positives and detect true risk of data loss.

    Fraud Detection Rules

    EnterpriseView provides visibility into both internal and external activity. A very common risk is fraud, typically from account takeover. EnterpriseView contains a broad set of predefined fraud detection rules, created by working with leading financial institutions. One organization detected nearly $1 million worth of potential wire transfer fraud within two weeks of deploying EnterpriseView. The common framework components in EnterpriseView can be applied to both insider-threat and external hacker scenarios.

    Auto-Escalation Watchlists

    A key component within EnterpriseView, used for both internal and external threat monitoring, is automatic escalation of user watchlists. Based on a variety of pre-built or customer-defined rules, EnterpriseView can move certain users through multiple watchlists. One set of actions might place 1,000 out of 50,000 employees on a suspicious list. Additional actions might move some of those suspicious users onto a malicious list. As a result, security administrators can focus attention on those users who may bring the biggest risks to the business.
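The two-tier escalation above, as an added Python example (not EnterpriseView's implementation): rule verdicts feed a ladder in which the malicious list is reachable only from the suspicious list. The rule names and the verdict stream are constructed.

```python
# Constructed rule verdicts as a SIEM might emit them: (user, rule name). The rule names
# stand in for the paper's pre-built or customer-defined rules and are assumptions.
VERDICTS = [
    ("u1", "dlp_alert"), ("u2", "dlp_alert"), ("u3", "dlp_alert"),
    ("u1", "usb_save_after_hours"), ("u3", "terminated_user_login"),
    ("u4", "usb_save_after_hours"),
]

# Escalation ladder: each tier names the rules that place a user on it and the tier a
# user must already be on; the top tier is unreachable without passing the lower one.
LADDER = [
    {"name": "suspicious", "triggers": {"dlp_alert", "usb_save_after_hours"}, "requires": None},
    {"name": "malicious", "triggers": {"usb_save_after_hours", "terminated_user_login"},
     "requires": "suspicious"},
]

class Watchlists:
    def __init__(self, ladder):
        self.ladder = ladder
        self.lists = {tier["name"]: set() for tier in ladder}
        self.history = {}   # user -> rule hits in order, kept for the analyst

    def apply(self, user, rule):
        """Feed one verdict; a user climbs at most one tier per verdict and only
        from the tier directly below. Returns the tier entered, or None."""
        self.history.setdefault(user, []).append(rule)
        for tier in self.ladder:
            if rule not in tier["triggers"] or user in self.lists[tier["name"]]:
                continue
            if tier["requires"] is None or user in self.lists[tier["requires"]]:
                self.lists[tier["name"]].add(user)
                return tier["name"]
        return None

def run_escalation(verdicts, ladder=LADDER):
    """Replay a verdict stream and return the populated watchlists plus each move."""
    wl = Watchlists(ladder)
    moves = [(user, rule, wl.apply(user, rule)) for user, rule in verdicts]
    return wl, moves
```

Replaying the constructed stream lands four users on the suspicious list and two of them on the malicious list; u4's after-hours USB save alone does not make it malicious because u4 was not yet suspicious.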

    EnterpriseView Ecosystem

    While EnterpriseView is an excellent platform for real-time business event monitoring and analysis, it must also fit well into the typical IT architecture. To improve integration with complementary technologies, EnterpriseView also supports an ecosystem of partner products. These have been pre-integrated either via a specialized adapter or Common Event Format (CEF) output. EnterpriseView can accept events from partner products and also provides pre-built rules and reports for correlating partner data. Partners fall into one of three groups:

    IdentityView Partners: These partners specialize in one or more aspects of identity management. IdentityView partners include Oracle, Sun, Microsoft, and Aveksa.

    DataView Partners: These partners specialize in one or more aspects of data monitoring, typically via DLP or database activity monitoring (DAM) products. DataView partners include McAfee (Reconnex), Fidelis, Guardium, Imperva, Secerno and Sentrigo.

    AppView Partners: These partners specialize in one or more aspects of application monitoring, to make sense of transactions and application activity. AppView partners include Radware and Greenlight Technologies.

    To learn more, contact ArcSight at: [email protected] or 1-888-415-ARST

    © 2009 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.

    Why ArcSight

    As the market-share leader in event management, ArcSight is uniquely positioned to deliver real-time enterprise event monitoring to leading public and commercial organizations. ArcSight helps nearly two thousand of the world's most demanding organizations protect their networks and monitor compliance. EnterpriseView builds from years of experience at ArcSight and extends the ArcSight architecture into new areas.

    Customers benefit by leveraging the investment they have already made in data collection, analysis, correlation, and reporting. The future-proof architecture of the ArcSight SIEM Platform allows customers to swap vendor products without losing the ability to monitor the network. With EnterpriseView, customers can similarly evolve their identity, data, and application infrastructures without losing the ability to monitor the business.

    The success of ArcSight in the SIEM market comes from our ability to support customer needs, both today and in the future.

    Summary

    A challenging economic environment increases the risks of loss due to fraud and theft of data. There is more sensitive data online than ever before and more paths to access it. Securing the business in such an environment requires new solutions that leverage and integrate a variety of security technologies. ArcSight EnterpriseView is such a solution.

    It builds on the proven data collection and correlation strengths of the ArcSight SIEM Platform, while also extending that platform to new types of monitoring. EnterpriseView integrates the capabilities of data leakage protection products, database activity monitoring products, identity management and directory products, as well as web gateways, application firewalls and transaction monitoring solutions. EnterpriseView fills in the visibility gaps across these other useful technologies, while correlating user actions across them.

    Early phases of SIEM typically focus on securing the perimeter and defending the network. By adding monitoring of key users, confidential information, and critical applications, EnterpriseView brings the third and most useful phase, allowing organizations to protect the business, i.e. those assets that are valuable and difficult to replace.

    Some customers have identified and prevented fraud within the first week of deploying EnterpriseView. Others have used EnterpriseView to extend the life of existing legacy applications, by layering in application monitoring in lieu of new access control systems.