© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Creating custom threat reporting with HP ArcSight
Eric Itangata, Taras Kachouba
Analyst Security Operations, Global Risk and Security, Diebold
AGENDA
• Overview
• Industry Threat Reports
• The Need
• Content
• Building Your Report
• Q&A
Industry Threat Reports
• There are a number of valuable resources in the industry that provide threat information and predictions
• Most notable are Verizon's DBIR (Data Breach Investigations Report), Symantec's ISTR (Internet Security Threat Report), and Websense's Threat Report
INDUSTRY THREAT REPORTS
• These provide good information on the state of threats in the industry, but may not be specific to your organization or industry
• Every organization should be aware of what threats affect it specifically on a daily basis. What trends are affecting you?
The Need…
• You want to be able to tell management specific information
• Chances are they have already read the industry reports
• It is important to stay abreast not only of the threat landscape, but also of how it impacts you
KEY INFORMATION
• This is going to be what is important to you, your management, and your organization.
• Some key information is:
  • Malware outbreaks
  • DDoS attacks
  • Malicious connection attempts
  • Bad actors (internal and external)
  • Top IDS alerts
  • Top firewall blocks
  • Top internal talkers
  • Phishing
Where to Start
• Once you identify what you want to include in your report, you need to gather this information
• This information can come from a number of sources, but the best source to use is your ArcSight platform
Baselines
• You need to have a good understanding of your network to know what normal activity looks like
• ArcSight comes with a large volume of preloaded content
• Some of this content needs to be tuned for your environment
Device Reporting
• The information for your threat report will come from a number of devices
• Firewalls, IDS/IPS, WAF, IIS, etc. provide good detail on external threats
• AV, HIPS, DLP agent information, etc. provide information on endpoint events
• Windows/Linux event logs, DLP, proxy, etc. are good sources for brute-force attacks, data exfiltration, and user activity threats
• Database security devices are good sources for potential data compromise
Content
• The content in ArcSight Foundation is a great place to start
• Provides network baseline, intrusion monitoring, DoS content, malware content, inbound attack content, etc.
• As you identify your needs, you can also include your own content
• Geographic event content is an example of this
Example of ArcSight Content
Other content
• Trend information, reports, etc. are great sources of information
• Don't forget to include your dashboards. These are great sources of visual representation
• You can generate these from your ESM or Logger
Industry Report Information
• Most industry report information is presented with these main points:
  • Overview of previous year
  • Methodology
  • Conclusions and Recommendations
Building the Report
• Just as in an industry report, you need a narrative; this should cover the basis of your analysis
• Explain the methodology you used to generate your report and which ArcSight content you used
• Keep the information in an overview format, with a crisp executive focus
• In your conclusions and recommendations, make sure they are specific to your findings and set attainable goals
The Report Overview
• Compare industry reports to what you are seeing in your environment
• Note differences and how your company stands up against your industry, and in general
• Identify the attack vectors that led to the breaches and whether you have seen them in your environment
• Identify why you believe you (hopefully) weren't breached via these attack methods
The Report Methodology
• You want your findings to be based on accurate information. You need to show how you came to your findings
• List the trends, filters, reports, etc. that you used and give an overview of them.
The Report Conclusion
• Use the content within ArcSight to create graphs, charts, etc. to give a visual representation of your findings
• If you have multiple locations, show and compare results from your analysis
• Identify key areas such as top threat vectors, top attackers, top targets, virus/malware activity, etc.
• Compare your results with industry results
• Remember, this is your report. Present what you think is relevant and most important to your organization
Recommendations
• Make your recommendations based on the data you collect
• If over the timeframe covered you see an increase in a particular attack vector that is in line with industry reports, identify that you are seeing that trend
• Conversely, if you are seeing a trend that is outside industry trends, this needs to be identified
• Management needs to understand that although industry reports are valuable, they may not accurately paint the right picture for the threats your organization sees
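As an added illustration of the aggregations the Key Information, Conclusion and Recommendations slides call for (top attackers, top targets, top firewall blocks, top internal talkers, malware counts, and a period-over-period trend for one attack vector), here is a small Python script. It is not part of this deck and not ArcSight content: it runs those queries over a handful of constructed CEF lines, the format ArcSight SmartConnectors normalise device logs into. The vendor/product names, signature IDs, addresses, reporting period and the 10.0.0.0/8 internal range are all assumptions chosen for the sample; in practice the same aggregations come out of ESM trends and reports or Logger queries.

```python
"""Toy version of the aggregations a custom threat report pulls from event
data. Added example, not from the HP Protect deck and not ArcSight content.
Input is a set of constructed CEF lines; all names, IDs and addresses are
assumptions made up for the sample."""
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumption: the organisation's address space
CEF_TIME = "%b %d %Y %H:%M:%S"               # one of the timestamp forms CEF allows in rt
REPORT_END = datetime(2013, 6, 16)           # assumption: exclusive end of the reporting week

# Constructed sample events (not real log data). Header fields are
# CEF:version|vendor|product|devVersion|sigId|name|severity|extension.
SAMPLE_CEF = """\
CEF:0|ExampleCo|Firewall|1.0|100|Inbound deny|5|rt=Jun 14 2013 10:00:00 src=203.0.113.9 dst=10.0.0.10 dpt=22 act=deny
CEF:0|ExampleCo|Firewall|1.0|100|Inbound deny|5|rt=Jun 14 2013 10:00:05 src=203.0.113.9 dst=10.0.0.10 dpt=22 act=deny
CEF:0|ExampleCo|Firewall|1.0|100|Inbound deny|5|rt=Jun 14 2013 10:01:00 src=203.0.113.9 dst=10.0.0.11 dpt=3389 act=deny
CEF:0|ExampleCo|Firewall|1.0|100|Inbound deny|5|rt=Jun 13 2013 02:00:00 src=198.51.100.7 dst=10.0.0.10 dpt=22 act=deny
CEF:0|ExampleCo|IDS|2.1|2001|SSH brute force|7|rt=Jun 14 2013 10:02:00 src=203.0.113.9 dst=10.0.0.10 dpt=22
CEF:0|ExampleCo|IDS|2.1|2001|SSH brute force|7|rt=Jun 13 2013 02:01:00 src=198.51.100.7 dst=10.0.0.10 dpt=22
CEF:0|ExampleCo|IDS|2.1|2002|SQL injection attempt|8|rt=Jun 12 2013 15:30:00 src=198.51.100.7 dst=10.0.0.20 dpt=80
CEF:0|ExampleCo|AV|4.0|3001|Trojan detected|9|rt=Jun 11 2013 09:00:00 src=10.0.5.5 act=quarantined msg=Trojan.Generic sample
CEF:0|ExampleCo|Proxy|3.2|500|Web request|1|rt=Jun 11 2013 09:05:00 src=10.0.5.5 dst=198.51.100.50 dpt=443 act=allow
CEF:0|ExampleCo|Proxy|3.2|500|Web request|1|rt=Jun 11 2013 09:06:00 src=10.0.5.5 dst=198.51.100.50 dpt=443 act=allow
CEF:0|ExampleCo|Proxy|3.2|500|Web request|1|rt=Jun 10 2013 12:00:00 src=10.0.7.7 dst=203.0.113.80 dpt=80 act=allow
CEF:0|ExampleCo|Firewall|1.0|100|Inbound deny|5|rt=Jun 05 2013 07:59:00 src=203.0.113.44 dst=10.0.0.10 dpt=22 act=deny
CEF:0|ExampleCo|IDS|2.1|2001|SSH brute force|7|rt=Jun 05 2013 08:00:00 src=203.0.113.44 dst=10.0.0.10 dpt=22
"""

HEADER_FIELDS = ("version", "vendor", "product", "devVersion", "sigId", "name", "severity")


def parse_cef(line):
    """Split one CEF line into header fields plus extension key/value pairs.
    Simplification: backslash-escaped '|' and '=' inside values are not handled."""
    parts = line.rstrip("\n").split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    ev = dict(zip(HEADER_FIELDS, parts[:7]))
    # Extension values may contain spaces (rt, msg); a value ends where the next key= begins.
    ev.update(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7]))
    ev["time"] = datetime.strptime(ev["rt"], CEF_TIME)
    return ev


def load_events(text):
    return [parse_cef(l) for l in text.splitlines() if l.strip()]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def in_window(ev, start, end):
    return start <= ev["time"] < end


def hostile(ev):
    """Attack evidence: firewall denies and IDS alerts whose source is outside the organisation."""
    if ev["product"] == "Firewall" and ev.get("act") != "deny":
        return False
    return ev["product"] in ("Firewall", "IDS") and not is_internal(ev["src"])


def top(events, field, n=5):
    """Top-n values of one extension field, as (value, count) pairs, most frequent first."""
    return Counter(e[field] for e in events if field in e).most_common(n)


def build_report(events, end=REPORT_END, window=timedelta(days=7), n=5):
    """The 'key information' tables for the window [end - window, end)."""
    cur = [e for e in events if in_window(e, end - window, end)]
    attacks = [e for e in cur if hostile(e)]
    return {
        "top_attackers": top(attacks, "src", n),
        "top_targets": top(attacks, "dst", n),
        "top_firewall_blocks": top([e for e in attacks if e["product"] == "Firewall"], "dpt", n),
        "top_internal_talkers": top([e for e in cur if e["product"] == "Proxy" and is_internal(e["src"])], "src", n),
        "malware_detections": sum(1 for e in cur if e["product"] == "AV"),
        "event_count": len(cur),
    }


def trend(events, sig_id, end=REPORT_END, window=timedelta(days=7)):
    """Count one signature in the current window against the prior one; the percentage
    change is None when the prior window had nothing to compare against."""
    cur = sum(1 for e in events if e["sigId"] == sig_id and in_window(e, end - window, end))
    prev = sum(1 for e in events if e["sigId"] == sig_id and in_window(e, end - 2 * window, end - window))
    change = None if prev == 0 else round(100.0 * (cur - prev) / prev, 1)
    return {"current": cur, "prior": prev, "pct_change": change}


EVENTS = load_events(SAMPLE_CEF)

if __name__ == "__main__":
    for key, value in build_report(EVENTS).items():
        print("%-22s %s" % (key, value))
    print("SSH brute force trend:", trend(EVENTS, "2001"))
```

The trend figure is the one the Recommendations slide asks for: report the direction of change against the previous period, and say explicitly when the prior period is empty rather than printing a meaningless percentage. Keep the window boundaries in the methodology section so a reader can reproduce the counts.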
Questions?
Thank You
Security for the new reality