Maintaining privacy with HPE ArcSight
Petr Hněvkovský, CISSP, CISM, CISA, CEH
Senior Solution Architect, EMEA
Nov, 2016
Forward-looking statements
This is a rolling (up to three year) roadmap and is subject to change without notice.
This document contains forward looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Hewlett Packard Enterprise's predictions and / or expectations as of the date of this document and actual results and future plans of Hewlett Packard Enterprise may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions.
Hewlett Packard Enterprise confidential information
This is a rolling (up to three year) roadmap and is subject to change without notice.
This Roadmap contains Hewlett Packard Enterprise Confidential Information.
If you have a valid Confidential Disclosure Agreement with Hewlett Packard Enterprise, disclosure of the Roadmap is subject to that CDA. If not, it is subject to the following terms: for a period of three years after the date of disclosure, you may use the Roadmap solely for the purpose of evaluating purchase decisions from HPE and use a reasonable standard of care to prevent disclosures. You will not disclose the contents of the Roadmap to any third party unless it becomes publicly known, is rightfully received by you from a third party without duty of confidentiality, or is disclosed with Hewlett Packard Enterprise's prior written approval.
Agenda
Data de-identification
ArcSight native use case
Voltage Data Security capability
ArcSight & Voltage PoC
Live demo
Under the integration hood
Q&A
A streetview example
Data anonymization drivers with ArcSight
– Shared services
– Managed Security Providers
– Strict controls reduction
– Big data initiatives
– Security data lakes
– Hunting and analytics
– PII, PCI & HIPAA sensitive data
– GDPR compliance
– VIPs & intellectual property
ArcSight native de-identification
Data obfuscation
Elements we will talk about
Connector
ESM / Express
Logger
Connector obfuscation – ESM console view
A powerful mix – example scenario
http://h71056.www7.hp.com/gfs-shared/downloads-203.pdf
Connector
– Destination-specific obfuscation: only obfuscated events are sent to ESM
ESM / Express
– A special user with the Logger Integration Command can search for unobfuscated data on the remote Logger from within the ESM console
Logger
– Only the special user is allowed to access unobfuscated data in a Logger search
Voltage Data Security
Understand the capability
HPE Data Security – Voltage SecureData recap
Data de-identification with Format-Preserving Encryption (FPE)
Figure: the same values protected with conventional AES and with FPE. The AES output loses the field's format; the FPE output keeps length, character set and separators, so it still fits the original field.
Tax ID 934-724-2356 -> AES: 8juYE%Uks&dDFa2345^WFLERG | FPE: 345-753-5772
First Name Gunther -> FPE: Uywjlqo
Last Name Robertson -> FPE: Muwruwwbp
SSN 575-72-2356 -> FPE: 575-67-8745
DOB 20-07-1966 -> FPE: 18-06-1972
(AES output of the name/SSN/DOB record as shown on the slide: Ija&3k24kQotugDF2390^32 0OWioNu2(*872weW Oiuqwriuweuwr%oIUOw1@)
HPE Data Security – Voltage SecureData recap
Data de-identification with Secure Stateless Tokenization (SST)
Figure: tokenization also keeps the field's format.
Tax ID 934-724-2356 -> SST: 347-982-8309
Credit card 1234 5678 8765 4321 -> SST: 8736 5533 4678 9453
Field level, format-preserving, reversible data de-identification
Customizable to granular requirements addressed by encryption and tokenization
Table: one record protected at three levels. The first row is the sensitive / live data, the others are de-identified / protected data; on the slide each column is labelled with the technique applied (FPE or SST). The live e-mail value is not recoverable from the slide.

Mode     | Credit card          | SSN/ID       | (e-mail)            | DOB
Live     | 4171 5678 8765 4321  | 934-72-2356  |                     | 31-07-1966
Full     | 8736 5533 4678 9453  | 347-98-8309  | [email protected]   | 20-05-1972
Partial  | 4171 5681 5310 4321  | 634-34-2356  | [email protected]   | 20-05-1972
Obvious  | 4171 56AZ UYTZ 4321  | AZS-UD-2356  | [email protected]   | 20-05-1972

– Full: every character of the field is protected
– Partial: leading and/or trailing characters stay in clear (first six and last four of the card, last four of the SSN), so the value can still be matched by eye or by routine
– Obvious: the protected characters are letters, so the result is visibly not a live card number or SSN
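The FPE slide and the Full/Partial modes above, as an added example that is not HPE, Voltage or ArcSight code: a toy format-preserving cipher built as an FF1-style Feistel network with HMAC-SHA256 as the round function. It is enough to check the two properties the deck relies on, that the protected value keeps the field's format (digits stay digits, letters stay letters, separators stay put) and that the same key and tweak reverse it. The key, the tweak labels and the sample values are constructed; a product uses FF1/FF3-1 as specified in NIST SP 800-38G, not this.

```python
"""Toy format-preserving encryption for the identifiers on the slide.

Added example, not HPE/Voltage code: an FF1-style Feistel network with
HMAC-SHA256 as the round function. Illustrates format preservation and
reversibility only; use FF1/FF3-1 from a vetted library in production.
"""
import hashlib
import hmac
import string

DIGITS = string.digits            # radix-10 alphabet
LETTERS = string.ascii_lowercase  # radix-26 alphabet (case is restored afterwards)
ROUNDS = 10


def _round_function(key, tweak, round_no, half):
    # Keyed PRF over (tweak, round number, right half), truncated to 64 bits.
    data = tweak + bytes([round_no]) + bytes(half)
    return int.from_bytes(hmac.new(key, data, hashlib.sha256).digest()[:8], "big")


def _to_int(symbols, radix):
    x = 0
    for s in symbols:
        x = x * radix + s
    return x


def _to_symbols(x, length, radix):
    out = []
    for _ in range(length):
        out.append(x % radix)
        x //= radix
    return out[::-1]


def feistel(key, tweak, symbols, radix, decrypt=False):
    """Encrypt/decrypt a list of symbol indices; the output has the same length."""
    n = len(symbols)
    if n < 2:
        raise ValueError("need at least two symbols to build a Feistel network")
    u, v = n // 2, n - n // 2
    a, b = list(symbols[:u]), list(symbols[u:])
    if not decrypt:
        for i in range(ROUNDS):
            m = u if i % 2 == 0 else v          # length of the half being replaced
            c = (_to_int(a, radix) + _round_function(key, tweak, i, b)) % radix ** m
            a, b = b, _to_symbols(c, m, radix)
    else:
        for i in reversed(range(ROUNDS)):       # same rounds, inverse order
            m = u if i % 2 == 0 else v
            c = (_to_int(b, radix) - _round_function(key, tweak, i, a)) % radix ** m
            a, b = _to_symbols(c, m, radix), a
    return a + b


def protect(key, value, *, decrypt=False, tweak=b"", keep_prefix=0, keep_suffix=0):
    """Format-preserving protect/unprotect of the letters and digits in `value`.

    Separators and spaces stay where they are; digits map to digits and letters
    to letters with case preserved. keep_prefix/keep_suffix leave that many
    leading/trailing alphanumerics in clear (the deck's "Partial" mode, e.g.
    first six and last four of a card number). The tweak separates fields so
    the same digits in a tax ID and an SSN do not share a ciphertext.
    """
    chars = list(value)
    alnum = [i for i, ch in enumerate(chars) if ch in DIGITS or ch.lower() in LETTERS]
    work = alnum[keep_prefix:len(alnum) - keep_suffix]
    for radix, alphabet, domain in ((10, DIGITS, b"digits:"), (26, LETTERS, b"letters:")):
        pos = [i for i in work if chars[i].lower() in alphabet]
        if not pos:
            continue
        out = feistel(key, domain + tweak,
                      [alphabet.index(chars[i].lower()) for i in pos], radix, decrypt)
        for i, s in zip(pos, out):
            chars[i] = alphabet[s].upper() if chars[i].isupper() else alphabet[s]
    return "".join(chars)


if __name__ == "__main__":
    KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed demo key
    samples = [("Tax ID", "934-724-2356", {}),
               ("First Name", "Gunther", {}),
               ("Card (partial)", "4171 5678 8765 4321", {"keep_prefix": 6, "keep_suffix": 4})]
    for label, plain, kw in samples:
        enc = protect(KEY, plain, **kw)
        print(f"{label:15} {plain} -> {enc} -> {protect(KEY, enc, decrypt=True, **kw)}")
```

Two caveats the toy makes visible. A date such as the DOB column needs a domain that ranks only valid dates (otherwise month 57 is a possible output), which is why products define date-aware formats rather than encrypting the digits in place. And the "Obvious" row on the slide maps digits onto letters so the result cannot pass as a live card number; this toy keeps digits as digits, so a partial FPE output still looks like a real, Luhn-failing card number and should be treated as sensitive-looking data in downstream tooling.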
HPE Data Security – Data protection with HP FPE and HP SST

Live data
Name          | SS#         | Credit Card #         | Street Address          | Customer ID
James Potter  | 385-12-1199 | 37123 456789 01001    | 1279 Farland Avenue     | G8199143
Ryan Johnson  | 857-64-4190 | 5587 0806 2212 0139   | 111 Grant Street        | S3626248
Carrie Young  | 761-58-6733 | 5348 9261 0695 2829   | 4513 Cambridge Court    | B0191348
Brent Warner  | 604-41-6687 | 4929 4358 7398 4379   | 1984 Middleville Road   | G8888767
Anna Berman   | 416-03-4226 | 4556 2525 1285 1830   | 2893 Hamilton Drive     | S9298273

Protected data (same rows; card numbers keep the first six and last four digits, the protected middle is alphanumeric)
Name          | SS#         | Credit Card #         | Street Address          | Customer ID
Kwfdv Cqvzgk  | 161-82-1292 | 37123 48BTIR 51001    | 2890 Ykzbpoi Clpppn     | S7202483
Veks Iounrfo  | 200-79-7127 | 5587 08MG KYUP 0139   | 406 Cmxto Osfalu        | B0928254
Pdnme Wntob   | 095-52-8683 | 5348 92VK DEPD 2829   | 1498 Zejojtbbx Pqkag    | G7265029
Eskfw Gzhqlv  | 178-17-8353 | 4929 43KF PPED 4379   | 8261 Saicbmeayqw Yotv   | G3951257
Jsfk Tbluhm   | 525-25-2125 | 4556 25ZX LKRT 1830   | 8412 Wbbhalhs Ueyzg     | B6625294
learn more at www.hp.com/go/datasecurity
HPE SecureData – Data Security Platform
Figure: platform components (high availability deployment).
– HPE SecureData Management Console
– Authentication and authorization sources (e.g., Active Directory)
– Hardware Security Module (HSM)
– HPE SecureData Web Services API (REST, SOAP)
– HPE SecureData native APIs (C, Java, C#, .NET)
– HPE SecureData Command Lines and Automated File Parsers
– HPE SecureData File Processor

HPE SecureData – Data Security Platform
Figure: the same platform with its integration points. Policy controlled data protection and masking services and clients connect the platform to the business applications, data stores and processes listed below.
Platform services
– HPE SecureData Management Console
– Authentication and authorization sources (e.g. Active Directory)
– Hardware Security Module (HSM)
Interfaces
– HPE SecureData Web Services API
– HPE SecureData native APIs (C, Java, C#, .NET)
– HPE SecureData Command Lines and Automated File Parsers
– HPE SecureData z/Protect, z/FPE
– HPE SecureData Native UDFs
– Partner integrations
Business applications, data stores and processes
– SaaS & PaaS cloud apps
– Payment terminals
– Volume key management
– Production databases
– Mainframe applications and databases
– Third party applications
– Teradata, Hadoop and Vertica
– ETL & data integration suites
– Network interceptors
– Payment systems
– HPE NonStop applications and databases
– Web/cloud applications (AWS, Azure)
– Enterprise applications
– Volumes and storage
– Third party SaaS gateways
ArcSight & Voltage = SOC with privacy
Data protection proof of concept
Using HPE Security – Data security for event de-identification
Where to implement?
Figure: the event flow with three candidate integration points, labelled a, b and c on the slide: HPE ArcSight ArcMC/Connectors, HPE ArcSight ESM/Logger and HPE Voltage SecureData.
ArcSight with Voltage privacy proof of concept
Figure: PCI event flow.
– PCI events pass through HPE Voltage SecureData, which tokenizes specific attributes: cc_number=1111-2222-3333-4444 becomes cc_number=2081-8866-4532-5518
– HPE ArcSight ESM, running in an outsourced or internal but non-PCI-compliant environment, only ever sees cc_number=2081-8866-4532-5518; fraud detection runs on the tokenized value
– When a CERT case needs the real number, the specific attributes are de-tokenized through HPE Voltage SecureData
Live demo
In this short demo we want to:
– Receive Windows logon event messages and de-identify the username attribute “duser”
– Pick any base event with a de-identified user name in it
– Right-click on that user name and invoke an integration command to access the original attribute
Using HPE Security – Data security for event de-identification
Proof-of-concept (1): protecting the attribute
Figure: Events -> syslog processor -> HPE ArcSight ESM, with HPE Voltage SecureData reached over TLS.
– The original syslog message arrives over syslog UDP/514.
– A Python script receives the syslog events and replaces specific attributes with their protected version. It uses the CLI client to call the HPE Voltage SecureData API (attribute de-identification: original attribute in, protected attribute out, over TLS).
– It then sends on the de-identified syslog message (syslog, TCP or UDP/514) with the protected attribute(s) to the HPE ArcSight connector/ESM/Logger.
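The syslog processor described above, as an added example that is not the deck's PoC script. It parses the CEF payload of each syslog line, protects the values of the configured extension keys (duser and suser), and forwards the rewritten line. Assumptions, none of them from the page: the protector is a keyed HMAC pseudonym standing in for the HPE SecureData CLI/API call the PoC used (so this version is one-way and would have to be swapped for the Voltage call to get reversible FPE), the transport is plain UDP rather than the TLS shown in the figure, and the Windows logon event is constructed. The second pass in `deidentify` covers the case the slide does not mention: the same user name usually also sits in the free-text `msg` field, and protecting `duser` alone would leak it there.

```python
"""Syslog/CEF de-identification relay.

Added example, not the deck's PoC script. Listens for syslog lines that carry
CEF events, rewrites the values of selected extension keys, and forwards the
result. The protector below is a keyed HMAC pseudonym that stands in for the
HPE SecureData CLI/API call the PoC used (assumption); plug the real call into
deidentify(..., protector=...).
"""
import hashlib
import hmac
import re
import socket

SENSITIVE_KEYS = frozenset({"duser", "suser"})   # CEF keys carrying user names

# CEF: 7 '|'-separated header fields, then the extension (key=value pairs).
# '|' inside header fields is escaped as '\|', so split only on unescaped pipes.
_PIPE = re.compile(r"(?<!\\)\|")
# A new extension key starts after a space and is followed by an unescaped '='.
_KEY_BOUNDARY = re.compile(r" (?=[A-Za-z0-9_.\-]+=)")
_UNESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}

# Constructed Windows logon event (not a real capture); the user name appears
# both in duser and inside the free-text msg field.
SAMPLE_EVENT = (r"<13>Nov 15 10:00:00 dc01 CEF:0|Microsoft|Microsoft Windows|2012 R2|Security:4624"
                r"|An account was successfully logged on|3|duser=jdoe dhost=WS01 "
                r"msg=Logon Type\=2 for user\=jdoe suser=SYSTEM")


def cef_unescape(value):
    return re.sub(r"\\([=\\nr])", lambda m: _UNESCAPES[m.group(1)], value)


def cef_escape(value):
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\n", "\\n").replace("\r", "\\r"))


def parse_cef(line):
    """Return (syslog prefix, [7 header fields], [(key, raw value), ...])."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    prefix, payload = line[:start], line[start:].rstrip("\r\n")
    fields = _PIPE.split(payload, maxsplit=7)
    if len(fields) != 8:
        raise ValueError("malformed CEF header")
    pairs = []
    if fields[7]:
        for token in _KEY_BOUNDARY.split(fields[7]):
            key, sep, value = token.partition("=")
            if not sep:
                raise ValueError(f"malformed extension token {token!r}")
            pairs.append((key, value))
    return prefix, fields[:7], pairs


def hmac_pseudonym(secret, value):
    """Stand-in protector: deterministic, keyed, one-way. Same user -> same token."""
    return "p_" + hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def deidentify(line, secret, keys=SENSITIVE_KEYS, protector=hmac_pseudonym):
    """Rewrite one syslog/CEF line so the sensitive keys carry protected values.

    Pass 1 protects the sensitive keys. Pass 2 replaces every occurrence of an
    original value inside the other fields (msg, fname, ...), longest first, so
    the identifier does not survive in free text. Substring matches are
    replaced too, which is the safe direction for a privacy filter.
    """
    prefix, header, pairs = parse_cef(line)
    mapping = {}
    for key, raw in pairs:
        value = cef_unescape(raw)
        if key in keys and value and value not in mapping:
            mapping[value] = protector(secret, value)
    out = []
    for key, raw in pairs:
        value = cef_unescape(raw)
        if key in keys:
            value = mapping.get(value, value)
        else:
            for original, protected in sorted(mapping.items(), key=lambda kv: -len(kv[0])):
                value = value.replace(original, protected)
        out.append(f"{key}={cef_escape(value)}")
    return prefix + "|".join(header) + "|" + " ".join(out)


def serve(listen=("0.0.0.0", 5140), forward=("127.0.0.1", 514), secret=b"change-me"):
    """Receive on `listen`, forward de-identified lines to `forward` (plain UDP)."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(listen)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        data, _ = rx.recvfrom(65535)
        try:
            out = deidentify(data.decode("utf-8", "replace"), secret)
        except ValueError:
            continue   # fail closed: a line that cannot be parsed is not forwarded
        tx.sendto(out.encode("utf-8"), forward)


if __name__ == "__main__":
    print(deidentify(SAMPLE_EVENT, b"demo-secret"))
```

Because the pseudonym is deterministic, the same account still correlates across events in ESM (the rule in the demo keeps working), while the relay drops anything it cannot parse rather than passing it through unprotected; whether unparseable lines should instead be forwarded untouched is a policy decision to make explicitly, not by accident.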
Using HPE Security – Data security for event de-identification
Proof-of-concept (2): recovering the attribute
Figure: HPE ArcSight ESM -> HPE Voltage SecureData, over TLS.
– A user with appropriate privileges right-clicks on the protected event field and requests the original item via an integration command calling the HPE Voltage Web API (access to the specific attribute: protected attribute in, original attribute out).
ArcSight & Voltage integration
Under the hood: options
#0 Data anonymization with external mapper
Flow: Source event data -> Connector with external mapper -> ESM/Logger; the external mapper would need DB-to-API middleware in front of the Voltage SecureData server.
• Not suited for the use case
• Requires DB-to-API middleware
• Not pursued
#1a Data anonymization in-line
Flow: Source event data -> Collecting Connector -> CEF -> Syslog processor -> CEF -> Forwarding Connector -> ESM/Logger; the syslog processor calls the Voltage SecureData server.
• First PoC design, worked
• Python + Voltage SDCL
• Data travels to the Voltage server
#1b Data anonymization in-line
Flow: Source event data -> Collecting Connector -> CEF -> Syslog processor -> CEF -> Forwarding Connector -> ESM/Logger; the syslog processor calls the Voltage SecureData server.
• Faster than 1a
• Perl + Voltage REST API
• Data travels to the Voltage server
#1c Data anonymization in-line
Flow: Source event data -> Collecting Connector -> CEF -> Syslog processor -> CEF -> Forwarding Connector -> ESM/Logger; the syslog processor encrypts locally.
• Work in progress
• Java + Voltage SimpleAPI
• Key is pulled from the Voltage server; the event data stays local
#2 Data anonymization diode
Flow: Source event data -> Collecting Connector -> CSV -> File Processor -> CSV -> Forwarding Connector -> ESM/Logger.
• Faster bulk processing, but a delay on file handling
• Voltage File Processor
• Key is pulled from the Voltage server
#3 Data anonymization event broker
Flow: Source event data -> Collecting Connector publishes to the "sensitive" topic of a Kafka Event Broker; a transformation subscribes to "sensitive" and publishes the "anonymized" topic; ESM/Logger subscribes to "anonymized". Protection uses the Voltage SecureData server.
• Work in progress
• Open question: Kafka-internal transformation or external subscriber/publisher?
Data anonymization options with Voltage Data Security
Source event data -> ESM/Logger via one of:
– in-line: Syslog processor
– data diode: File Processor
– message bus: Kafka Event Broker
Start small to get fast results.
Both ArcSight and Voltage provide an open and flexible architecture to solve your privacy requirements. Try it!