tips and tricks for mssps leveraging hpe security arcsight esm to win proof of concepts


Upload: bryan-borra

Post on 16-Apr-2017


Page 1: Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof of concepts

Confidential - Proficio, Inc

Tips and Tricks for MSSPs Leveraging ArcSight ESM to Win Proof of Concepts

…“Make ArcSight Great Again” Was Not Approved as a Title to this Presentation


Bryan Borra, SOC and SIEM Director

Bryan manages the SIEM and SOC teams at Proficio. Previously worked at SAIC / Leidos / McAfee. He’s nicknamed “SIEM Destroyer” for creating the wrong content at the wrong time for a few SIEM instances.

Jordan Knopp, SIEM Content Engineer

Jordan leads the development of SIEM content for several key contracts for Proficio’s ProSOC Services. He also currently serves as Proficio’s in-house machine learning solution.

Tristan Reed, SIEM Content Engineer

Tristan leads the development of SIEM monitoring solutions for several products. He has recently been engaged in monitoring cloud platforms and specializes in bricking IoT devices to be used in demos.

Proficio, Southern California- and Singapore-based MSSP

Proficio is an award-winning MSSP that leverages HPE ArcSight ESM to provide a multitenant SIEM-as-a-Service offering along with 24x7 SOC monitoring (ProSOC).

Introducing the Speakers



Agenda


Introduce common problems we encounter as an MSSP

Detail solutions to these issues, including:

1. Running efficient reports

2. Deploying effective content architecture

3. Monitoring new cloud data sources


Reports: Modern Visuals



Reports: What We See



Reports: What Our Customers Told Us



Concurrently Running Reports Limit


Limit of 5 “NumberOfReportsCurrentlyQueryingDB”

Ref: /All Dashboards/ArcSight Administration/ESM/System Health/Resources/Reporting/Report Details


Reports: What We Asked Ourselves



Reports Requirements as an MSSP


Run hundreds of reports on a weekly basis

Have customized templates for branding and client

Be able to provide SIEM-as-a-service around reporting

Never overload the reporting engine
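One way to meet the last requirement against the limit of 5 concurrently querying reports from the earlier slide: a scheduler that places a week's batch of reports so that the concurrency limit is never exceeded and Monday and Friday are filled last. This is an added example, not code from the deck or from ArcSight ESM; the reports, their estimated run times and the 01:00-05:59 low-load window are constructed assumptions.

```python
"""Added example (not from the deck or ArcSight ESM): spread a weekly batch of
scheduled reports so that at most MAX_CONCURRENT reports query the database at
any moment, and so that load is not piled onto Monday and Friday.
Reports and their estimated run times are constructed sample data."""
from dataclasses import dataclass

MAX_CONCURRENT = 5      # the NumberOfReportsCurrentlyQueryingDB limit from the slide
SLOT_MINUTES = 30       # scheduling granularity
HOURS = range(1, 6)     # 01:00-05:59: assumed low-EPS window outside analysts' hours
DAYS = ["Tue", "Wed", "Thu", "Sat", "Sun", "Mon", "Fri"]  # Mon/Fri only as last resort


@dataclass
class Report:
    name: str
    est_minutes: int    # estimated query time (constructed)


def slots_needed(minutes):
    """Half-hour slots a report occupies, rounded up."""
    return -(-minutes // SLOT_MINUTES)


def window_slots():
    return [h * 60 + m for h in HOURS for m in (0, SLOT_MINUTES)]


def build_schedule(reports):
    """Greedy: longest reports first; each goes to the least-loaded feasible start
    (earliest slot, then day preference, break ties), never above MAX_CONCURRENT."""
    slots = window_slots()
    load, schedule = {}, {}

    def occupancy(day, i, need):
        return sum(load.get((day, slots[i + j]), 0) for j in range(need))

    for r in sorted(reports, key=lambda r: -r.est_minutes):
        need = slots_needed(r.est_minutes)
        feasible = [(d, i) for d in DAYS for i in range(len(slots) - need + 1)
                    if all(load.get((d, slots[i + j]), 0) < MAX_CONCURRENT
                           for j in range(need))]
        if not feasible:
            raise RuntimeError(f"no capacity left for {r.name}")
        day, i = min(feasible, key=lambda c: (occupancy(*c, need), c[1], DAYS.index(c[0])))
        for j in range(need):
            load[(day, slots[i + j])] = load.get((day, slots[i + j]), 0) + 1
        schedule[r.name] = (day, f"{slots[i] // 60:02d}:{slots[i] % 60:02d}")
    return schedule, load


def peak_concurrency(load):
    return max(load.values(), default=0)
```

With 7 days and 10 half-hour slots per window the model holds 350 half-hour units at concurrency 5; anything beyond that raises instead of silently overloading the engine.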


Reports Templates: Header / Footer


Toggling the header and footer bubble will change the view of the whole template but only affect…


Reports Templates


Easy Hex Picker:

http://www.ginifab.com/feeds/pms/pms_color_in_image.php

Respond

Select “Properties” on any chart control and then select “Advanced” on the “Chart” tab



Reports: Trends and Active Lists


Higher EPS as an MSSP, lower report performance

SIEM-as-Service issues

Demand for monthly and weekly reports

Overload on scheduled reports for Fridays and Mondays


Reports: Trends Versus Active Lists


Trends:

Less than 1,000,000 in a month

Usually have to schedule hourly

Can go back on historical data

Delays on collection by hour / day

More trend failures

Harder to set up than lists

Advantage of aggregation

Active Lists:

Less than 100,000 events in a month

Driven by simple rules

Real-time as events are collected

Rules can trigger on repetition

Advantages of keys and value fields

TTLs are straightforward management

Session lists…what are those?


Reports: Common Reports


Trends Active Lists

IDPS events of interest

Antivirus events

Event collection statistics

Webfilter event statistics

Windows account logon failures

Windows group changes

Windows account lockouts

Firewall admin commands

Windows user account modifications

Special security devices


Sample Active List / Trend Setup


Rule Action: Add to List

Add to Reporting List

Schedule Hourly Trend

Gather Reporting Trend

Sample: Windows Group Changes

Sample: IDPS Events of Interest


Reports: Common Reports


1. IPS Summary

2. Windows Failed Logons

3. Firewall Command Summary

4. Blacklisted IP Correlation


Reports: Special Reports


1. CrowdStrike Summary

2. DARKTRACE Summary

3. Cylance Summary


Reports: Portal Reporting Solution


Choose Report Time

Choose Presentation

Choose Recipients



Content Architecture


Rule management

Designing rules for scalability

Additional correlation layers


Thinking Ahead




Rule Management

Requirements:

Accommodate blanket changes to multiple rules

Rules should be easily readable

Minimize complexity creep

Achievable through layers of abstraction



AV Critical Threat Detected

IDS Spyware Detected

Vulnerability Scanning

Destination IP Watchlist

Super APT Zero Day

…etc.

Additional Correlation Layer: Overview


Base / Aggregated Events

Notification Rule

Rule Action: Send Notification

Rule Action: Create Case

Checks Whitelists

Checks destination


Advantages of Correlation Layering

Easier to manage: changes can be applied at a higher level (akin to CSS for HTML)

Easier to maintain: reduces clutter by distributing additional conditions

Low impact: efficient conditions are easy to create



Managing Rules


Rule Actions


Conditions at Higher Correlation Layer

Efficient conditions:

1. Set a unique value as an action in the lower-layer correlation rules

2. Type = Correlation


Lower level rule action

Ref “All operators are not created equal”:

https://www.protect724.hpe.com/docs/DOC-11160


Conditions at Higher Correlation Layer

Using filters:

1. Filters have a smaller performance impact in this layer

2. Filter names provide built-in documentation
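The layering from the "Additional Correlation Layer: Overview" slide and the efficient-conditions slides above, as an added example that is not code from the deck or from ArcSight ESM: lower-layer rules stamp a unique tag, and one higher-layer rule checks Type = Correlation plus the tag before the shared whitelist and destination checks. The field names, whitelist, asset list and sample events are constructed.

```python
"""Added example (not from the deck or ArcSight ESM): a minimal two-layer model.
Lower-layer rules each recognise one condition and stamp a unique use-case tag on
the correlation event they emit; one higher-layer notification rule matches on
type == "Correlation" plus that tag and applies the shared checks and actions."""

AUTHORIZED_SCANNERS = {"10.0.0.5"}              # sources allowed to trip IDS/scan rules
MONITORED_ASSETS = {"10.0.1.10", "10.0.1.11"}   # customer assets in scope for alerting
# Lower layer: (rule name, condition over a base event, unique tag set by the rule action)
BASE_RULES = [
    ("AV Critical Threat Detected",
     lambda e: e["vendor"] == "av" and e["severity"] == "critical", "AV_CRITICAL"),
    ("IDS Spyware Detected",
     lambda e: e["vendor"] == "ids" and "spyware" in e["name"].lower(), "IDS_SPYWARE"),
    ("Vulnerability Scanning",
     lambda e: e["vendor"] == "ids" and "scan" in e["name"].lower(), "VULN_SCAN"),
]
# Higher layer policy: tag -> actions.  Editing this one table changes the outcome
# of every base rule at once, the "CSS for HTML" effect the deck describes.
USE_CASE_ACTIONS = {"AV_CRITICAL": ("send_notification", "create_case"),
                    "IDS_SPYWARE": ("send_notification",),
                    "VULN_SCAN": ("send_notification",)}
SAMPLE_EVENTS = [  # constructed base events
    {"vendor": "av", "severity": "critical", "name": "Trojan.Generic", "src": "203.0.113.9", "dst": "10.0.1.10"},
    {"vendor": "ids", "severity": "high", "name": "Spyware callback", "src": "10.0.0.5", "dst": "10.0.1.11"},
    {"vendor": "ids", "severity": "medium", "name": "TCP port scan", "src": "203.0.113.50", "dst": "10.0.1.11"},
    {"vendor": "ids", "severity": "high", "name": "Spyware callback", "src": "203.0.113.60", "dst": "192.0.2.1"},
]


def lower_layer(base_events):
    """Every base rule that fires emits one correlation event carrying its tag."""
    out = []
    for e in base_events:
        for name, matches, tag in BASE_RULES:
            if matches(e):
                out.append({"type": "Correlation", "rule": name, "use_case": tag,
                            "src": e["src"], "dst": e["dst"]})
    return out


def higher_layer(corr_events):
    """The single notification rule: cheapest test first, then the shared checks."""
    actions = []
    for c in corr_events:
        if c.get("type") != "Correlation" or c.get("use_case") not in USE_CASE_ACTIONS:
            continue
        if c["src"] in AUTHORIZED_SCANNERS or c["dst"] not in MONITORED_ASSETS:
            continue                            # whitelist and destination, maintained once
        for action in USE_CASE_ACTIONS[c["use_case"]]:
            actions.append((action, c["rule"], c["src"], c["dst"]))
    return actions
```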



Correlation Layering


Independent Rules                              | Additional Correlation Layer
Changes applied individually to each rule      | Most changes applied only on one rule
Difficult to annotate                          | Annotation through filters
Increasingly complex/inefficient               | Very efficient


Effects of Correlation Layering

Before


After


Monitoring the Cloud: Sales Perspective



Monitoring the Cloud


Cloud Computing Services

Adapting Your View to IaaS

Building Use Cases


Cloud Computing Services

IaaS PaaS SaaS



Adapting Your View To IaaS


Same requirements for assets in the cloud

Monitoring infrastructure (as a service)

Amazon Web Services Infrastructure   | Traditional View
Security Groups                      | Firewall Policies
VPC Flow                             | Firewall Traffic
AWS API Calls (CloudTrail)           | Infrastructure Management
Instances, Images, and Snapshots     | Logical Infrastructure Hosting Assets


Building Use Cases (AWS)


Identify available data sources

Implement business context modeling

Identifying possible attack vectors

Identifying malicious activity


Identify Data Sources (AWS)


Leverage Existing Audit Capabilities: AWS CloudTrail, Amazon CloudWatch

Identify Assets of Security Interest:

Compute: Amazon EC2 (AMI, instances)

Storage: Amazon S3 (snapshot, bucket)

Database: Amazon DynamoDB, Amazon RDS, Amazon Redshift

Networking: Amazon VPC (flow logs, VPN gateway)


Implement Business Context Modeling


1. Regular maintenance schedules (creating snapshots)

2. Authorized schedule for AWS account access

3. Typical locations (source addresses) for AWS access

4. Whitelist roles for 3rd party AWS accounts (e.g. CloudTrek)


Identify Potential Attack Vectors (AWS)


Vulnerable Web Services in an EC2 Instance: for example, Server Side Request Forgery to the Meta-Data Server

Spear Phishing: an AWS developer’s credentials stolen via malicious email

Unprotected Access Keys: a developer hard-coded credentials in a publicly accessible repository like GitHub


Identifying Events of Security Interest


Modifications to Security Groups

Creating Snapshots / Loading into Volumes

Running New Instances

User Policies
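The events of security interest listed above, triaged against the business context model from the earlier slide (maintenance schedule, authorized access hours, typical source locations, whitelisted third-party roles), as an added example that is not code from the deck or from AWS. The CloudTrail records, the windows, the office range and the third-party role are constructed; only the CloudTrail field names are real.

```python
"""Added example (not from the deck or AWS): the "Business Context Modeling" and
"Events of Security Interest" slides applied to CloudTrail records.  Records,
windows, office range and whitelisted role are constructed; field names are real."""
import ipaddress
from datetime import datetime

EVENTS_OF_INTEREST = {"AuthorizeSecurityGroupIngress": "security group modified",
                      "CreateSnapshot": "snapshot created", "RunInstances": "new instance launched",
                      "PutUserPolicy": "user policy changed"}
MAINTENANCE_HOURS_UTC = range(2, 5)      # snapshot jobs are expected 02:00-04:59
AUTHORIZED_HOURS_UTC = range(8, 19)      # human AWS access is expected 08:00-18:59
TYPICAL_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]   # office egress range
WHITELISTED_ROLES = {"arn:aws:iam::111122223333:role/ThirdPartyBackup"}

USER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev1"}
VENDOR = {"type": "AssumedRole", "sessionContext": {"sessionIssuer":
          {"arn": "arn:aws:iam::111122223333:role/ThirdPartyBackup"}}}


def rec(name, time, ip, who):  # builds a constructed, CloudTrail-shaped record
    return {"eventName": name, "eventTime": time, "sourceIPAddress": ip, "userIdentity": who}


SAMPLE_RECORDS = [rec("CreateSnapshot", "2017-04-10T03:00:00Z", "203.0.113.10", USER),
                  rec("AuthorizeSecurityGroupIngress", "2017-04-10T22:15:00Z", "198.51.100.200", USER),
                  rec("RunInstances", "2017-04-10T10:00:00Z", "198.51.100.9", VENDOR),
                  rec("PutUserPolicy", "2017-04-10T12:00:00Z", "203.0.113.10", USER)]


def typical_source(ip):
    """Office ranges and AWS service principals (e.g. 'ec2.amazonaws.com') are typical."""
    return ip.endswith(".amazonaws.com") or any(
        ipaddress.ip_address(ip) in net for net in TYPICAL_SOURCES)


def assess(record):
    """Return (severity, reasons), or None when the context model explains the event."""
    name, ident = record["eventName"], record["userIdentity"]
    role = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    if name not in EVENTS_OF_INTEREST or role in WHITELISTED_ROLES:
        return None
    hour = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour
    src_ok = typical_source(record["sourceIPAddress"])
    if name == "CreateSnapshot" and hour in MAINTENANCE_HOURS_UTC and src_ok:
        return None                       # routine maintenance per the context model
    reasons = [EVENTS_OF_INTEREST[name]]
    if not src_ok:
        reasons.append("source %s is not a typical location" % record["sourceIPAddress"])
    if hour not in AUTHORIZED_HOURS_UTC:
        reasons.append("outside authorized hours (%02d:00 UTC)" % hour)
    return ("low", "medium", "high")[len(reasons) - 1], reasons


def triage(records):
    return [(r["eventName"],) + a for r in records if (a := assess(r)) is not None]
```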


Questions?



www.Proficio.com


Thank you
