© 2009 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.
The ArcSight Compliance Tool Kit
Morris Hicks
Consulting Technical Director
Risks are Real and Invite Regulation
www.arcsight.com © 2009 ArcSight Confidential 2
Compliance in a Nutshell
1. Document/define
– Business processes
– Critical cyber assets
2. Internal controls
– Properly defined
– Monitored
– Enforced
Compliance in a Nutshell (cont.)
3. Implement a secure and auditable log archive
– Converge disparate sources
– Normalize formats
– Capture high event rates
– Transit slow, remote links
– Establish search, analysis, and reporting
4. Enable event alerting and response
– Real-time monitoring
– Rapid notification
– Intelligent response
– Workflow
– Documentation
5. Integrate views of who took action, how and when
The ArcSight Approach to Compliance
Prepackaged content—auditors (SOX, HIPAA, PCI, NERC, ITGOV, FISMA)
Share best practices
Extend the platform—custom use case development
Roadmap
Controls
In most cases, regulations don't specify a comprehensive set of controls
Frameworks
– ISO 27002:2005 (formerly 17799)
– NIST SP 800-53
– COBIT 4
Other drivers of controls
– Audit findings
– Security assessment findings
– Organizational policy
Sample Control Matrix
Columns: Area | Risk | Risk rating | Key Control | Control No. | Control Type | Control Objective | Control Activity | Control Owner | Control Frequency | Control Setting | Evidence

Area: Entity
Risk: IT does not have corporate policies and tools as guidelines for the Company.
Risk rating: M | Key Control: Key | Control No.: IT3 | Control Type: Preventive
Control Objective: Entity - Policies: Ensure IT has processes and procedures for performing all activities in the scope of SOX.
Control Activity: IT maintains IT policies and procedures as guidelines for the company.
Control Owner: IT Director | Frequency: Annually | Setting: Manual
Evidence: IT Policies; Sign-off document showing that policies are approved; Location of policies.

Area: Access
Risk: Logical security tools, processes and techniques are not implemented and/or configured to enable restriction of access to programs, data, and other information resources.
Risk rating: M | Key Control: Key | Control No.: IT4 | Control Type: Preventive
Control Objective: Access - Creation and Modification: Restrict access to programs, data, and other information resources.
Control Activity: IT creates and modifies user accounts and/or assigns access types based on written request from authorized Business Owners.
Control Owner: Help Desk Manager | Frequency: As Occurs | Setting: Manual
Evidence: User Access Request Form; HelpDesk Ticket.

Area: Access
Risk: Logical security tools, processes and techniques are not implemented and/or configured to enable restriction of access to programs, data, and other information resources.
Risk rating: M | Key Control: Key | Control No.: IT10 | Control Type: Preventive, Detective
Control Objective: Access - Network Authentication: Enable restriction of access to programs, data, and other information resources on the network.
Control Activity: Network access is authenticated by the Domain Controller Active Directory, where the password policies adhere to the Corp Password Policy.
Control Owner: Windows System Admin | Frequency: n/a | Setting: Auto
Evidence: Corporate Password Policy; Screen print of Active Directory Password Policies.

Area: Chgn Mgmt
Risk: All necessary modifications to existing financial application systems are not implemented in a timely manner - specifically a modification that affects the financials.
Risk rating: M | Key Control: Key | Control No.: IT16 | Control Type: Preventive
Control Objective: Change Mgmt - Testing and UATs: All necessary modifications to existing financial application systems are implemented in a timely manner - specifically a modification that affects the financials.
Control Activity: SOX related application and infrastructure changes are tested and approved by the Business Users or cross-functionally before they are applied in the Production environment. Evidence of approvals is documented and retained for future audits.
Control Owner: Change Mgmt Lead | Frequency: As Occurs | Setting: Manual
Evidence: Change mgmt process and policy; User Acceptance Test Signoff approved by Business Owner(s).

Area: Chgn Mgmt
Risk: Emergency program changes are not approved, documented and implemented timely.
Risk rating: M | Key Control: Key | Control No.: IT17 | Control Type: Preventive, Monitoring
Control Objective: Change Mgmt - Emergency: Emergency program changes are approved by Mgmt, documented and implemented timely.
Control Activity: Emergency change requests will follow the IT escalation process documented in the Change Management Policy.
Control Owner: Change Mgmt Lead | Frequency: As Occurs | Setting: Manual
Evidence: Change Management Policy; Change Request Form; Help Desk Ticket and Evidence of Approval.
ArcSight Auditors
Prepackaged content to address most common controls—SOX, PCI, NERC, HIPAA, FISMA
– Logger: reports, searches, alerts
– ESM: rules, reports, dashboards
ISO 27002-based
Network modeling
– Identify regulated systems
– Categorize regulated systems
– Import active list data
ArcSight Auditors
Content relies on many data sources
– IDS
– OS
– IAM
– Solution guide lists the necessary 20 data sources
UCI (Use Case Identifier) discerns functional content
– UCI DEMO!
UCI DEMO (part 1)
UCI DEMO (part 2)
Graphical summary
Highly configurable
Drill down for detail
Real-time Dashboards
Rule Actions & Reports
Rules may initiate actions
– Notifications
– Case creation
Reports
– Scheduled
– On demand
Active Channels
Live event collection
Filter
Sort
Drilldown
Auditors Based on ISO Framework
ISO Topic | Use Cases
1-3 Introductory Sections | Not Applicable
4 Risk Assessment & Treatment | Security Overview; High Risk Event Analysis
5 Security Policy | Policy Violations; New Services and Hosts
6 Organization of Information Security | Reporting on Cases
7 Asset Management | Asset Inventory Reporting; Data Classification Reporting & Monitoring
8 Human Resources Security | Watching New Hires & Former Employees; Internet Usage Reporting and Monitoring
9 Physical & Environmental Security | Physical Building Access
Auditors Based on ISO Framework
ISO Topic | Use Cases
10 Communications & Operations Management | Configuration Management (File & Configuration Changes, Maintenance Schedules); Audit Trails; Separation of Development, Test, & Operations Facilities; Malicious Code Monitoring; IP Address/User Name Attribution
11 Access Control | User Management (User Access); Authorization Changes; Password Policy; Privileged Accounts (Administrative Access); Network Services (including routing, firewall, & VPN); Segregation of Networks; Role Based Access Monitoring
Auditors Based on ISO Framework
ISO Topic | Use Cases
12 Information Systems Acquisition, Development & Maintenance | Certificate Management; Attack Monitoring; Vulnerability Management
13 Information Security Incident Management | Internal Reconnaissance; Escalated Threats
14 Business Continuity Management | Availability; Highly Critical Machines
15 Compliance | Intellectual Property Rights & Information Leaks; Personal and Company Information; Resource Misuse (excessive email, illegal content downloads, etc.); Policy Breaches (P2P, IM, etc.)
Common Compliance Applications
Access monitoring
Configuration management
Attacks and malicious code
Audit trail
Network segmentation
What are the most common ArcSight compliance applications?
Extending the Core Capability of Auditors
ISO Use Case Examples: Section 10 - Communications & Operations Management
Configuration Management
– Modifications to application binaries, configuration files/tables and other sensitive files/tables
– Report and review of all configuration changes
– Policy change attempts, unscheduled changes
Audit Trail
– Audit logs cleared/deleted
– Audit logs unavailable, i.e. not received
– Attempt to disable/change auditing
Attacks and Malicious Code
– High severity attacks, IDS attacks followed by login from attacking host
– Attacks from regulated systems
– Antivirus, P2P, spyware, infections
How are customers extending the core capability of the auditors?
ISO Use Case Examples: Section 11 - Access Controls
Administrative Access
– Successful and unsuccessful logins
– Local administrative user created or administrative rights granted
– Administrative actions (su, sudo, file modification, etc.)
User Access
– Successful and unsuccessful logins
– Local user created, user created followed by access to regulated system, privilege granted followed by access to regulated system
– User activity reports
Unauthorized Access
– Administrative connections from unauthorized host
– Access to unauthorized service
– Unauthorized user access, new authorized user
Extending the Core Capability of Auditors
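The two sequence use cases named above (an IDS attack followed by a login from the attacking host in Section 10, and a user created followed by that user's access to a regulated system in Section 11) expressed as correlation logic, as an added Python example that is not ArcSight content; the events, the 30-minute window and the regulated-system list are constructed assumptions standing in for normalized events and an active list.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from ArcSight); minimal normalized fields.
EVENTS = [
    {"time": "2009-03-02T10:00:00", "type": "ids_attack", "src": "10.9.9.9", "dst": "10.1.1.5"},
    {"time": "2009-03-02T10:04:00", "type": "login_success", "src": "10.9.9.9", "dst": "10.1.1.5", "user": "svc_backup"},
    {"time": "2009-03-02T11:00:00", "type": "user_created", "dst": "10.1.1.7", "user": "tmp_admin"},
    {"time": "2009-03-02T11:20:00", "type": "login_success", "src": "10.1.1.20", "dst": "10.1.1.7", "user": "tmp_admin"},
    {"time": "2009-03-02T12:00:00", "type": "user_created", "dst": "10.1.1.7", "user": "jdoe"},
    # jdoe's first login is a day later: outside the window, so no finding
    {"time": "2009-03-03T12:30:00", "type": "login_success", "src": "10.1.1.20", "dst": "10.1.1.7", "user": "jdoe"},
]

# Constructed stand-in for an active list of regulated systems.
REGULATED = {"10.1.1.5", "10.1.1.7"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate(events, window=timedelta(minutes=30)):
    """Return (rule_name, trigger_event, follow_up_event) tuples for the two
    sequence rules, each requiring the follow-up within `window` of the trigger."""
    findings = []
    ordered = sorted(events, key=_ts)
    for i, first in enumerate(ordered):
        for second in ordered[i + 1:]:
            if _ts(second) - _ts(first) > window:
                break  # events are time-ordered, nothing later can match
            if second["type"] != "login_success":
                continue
            # Rule 1: IDS attack, then a successful login from the attacking host
            if (first["type"] == "ids_attack"
                    and second["src"] == first["src"]
                    and second["dst"] == first["dst"]):
                findings.append(("attack_then_login", first, second))
            # Rule 2: user created, then that user logs in to a regulated system
            elif (first["type"] == "user_created"
                    and second["user"] == first["user"]
                    and second["dst"] in REGULATED):
                findings.append(("new_user_regulated_access", first, second))
    return findings


if __name__ == "__main__":
    for rule, trigger, follow_up in correlate(EVENTS):
        print(rule, trigger["time"], "->", follow_up["time"])
```

In a production rule the window and the regulated-system list would come from the content's configuration and active lists rather than literals, and each finding would feed a notification or case.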
ISO Use Case Examples: Section 12 - Info-Systems Acquisition, Development & Maintenance
Change Management
– Changes made outside of maintenance window
– Correlate change request to implemented changes
– Changes performed by personnel not in an appropriate role
Extending the Core Capability of Auditors
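The three change-management checks above (outside the maintenance window, no matching change request, implementer not in an appropriate role) applied to constructed change events, as an added Python example that is not ArcSight content; the maintenance window, the approved-ticket table and the role table are constructed assumptions standing in for a maintenance schedule, a change-request feed and an identity/role source.

```python
from datetime import datetime, time

# Constructed reference data (not from ArcSight, a CMDB or a ticketing system).
MAINTENANCE_WINDOW = (time(22, 0), time(4, 0))          # 22:00 to 04:00, wraps midnight
APPROVED_CHANGES = {"CHG-1001": "app01", "CHG-1002": "db02"}  # ticket -> approved target host
CHANGE_ROLES = {"alice": "change_implementer", "bob": "helpdesk"}

# Constructed change events as a collector might normalize them.
CHANGE_EVENTS = [
    {"time": "2009-03-02T23:10:00", "host": "app01", "user": "alice", "ticket": "CHG-1001"},
    {"time": "2009-03-02T14:30:00", "host": "db02", "user": "alice", "ticket": "CHG-1002"},  # daytime
    {"time": "2009-03-02T23:40:00", "host": "app01", "user": "alice", "ticket": None},       # no ticket
    {"time": "2009-03-02T23:50:00", "host": "db02", "user": "bob", "ticket": "CHG-1002"},    # wrong role
]


def in_window(ts, window=MAINTENANCE_WINDOW):
    """True if the timestamp's time of day falls inside the maintenance window,
    handling a window that wraps past midnight."""
    start, end = window
    t = ts.time()
    if start > end:
        return start <= t or t < end
    return start <= t < end


def review_change(event):
    """Return the list of control exceptions raised by one change event."""
    issues = []
    ts = datetime.fromisoformat(event["time"])
    if not in_window(ts):
        issues.append("outside_maintenance_window")
    # A request must exist and must name the host that was actually changed.
    if event["ticket"] is None or APPROVED_CHANGES.get(event["ticket"]) != event["host"]:
        issues.append("no_matching_change_request")
    if CHANGE_ROLES.get(event["user"]) != "change_implementer":
        issues.append("implementer_not_in_role")
    return issues


def review_all(events):
    """Map each event to its exceptions; empty lists are compliant changes."""
    return {(e["time"], e["host"]): review_change(e) for e in events}


if __name__ == "__main__":
    for key, issues in review_all(CHANGE_EVENTS).items():
        print(key, issues or "ok")
```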
ArcSight Approach to Compliance
Prepackaged content
– Auditors
– Based on ISO framework
– Use case identifier
Best practices
– Engagement drivers
– Common applications of the technology
How the platform can be extended—custom use case development
Roadmap
Maximizing Value
Articulate requirements
– Select controls from discussed best practices
– Sample control matrix
– Audit results (internal/external)
– Security assessment results/penetration tests
– Security policy & procedures
– Interviews with key personnel (PMO, Internal Audit, Compliance, InfoSec)
– Architecture overview
Prioritize controls for implementation
Align resources
– Personnel for interviews
– System access for technology implementation
How ArcSight Can Help
Convey industry and customer best practices
Provide sample control matrix
Define technical dependencies for selected controls
Implement the solution
Training/knowledge transfer
Provide solution roadmap