Creating custom threat reporting with HP ArcSight

As a security professional, you have access to a number of data-breach and threat reports, but you shouldn't rely solely on them. Learn how to create a threat report that helps you respond to specific threats you face on a daily basis using HP ArcSight. We'll show you how you can create reports that are specific to your company with information you gather from HP ArcSight on the threats and events you see. You'll come away knowing how to create a customized threat report you can share with management that compares what you are seeing to what the industry reports show.

Published in: Technology

  • 1. Creating custom threat reporting with HP ArcSight
    • Eric Itangata, Taras Kachouba, Analysts, Security Operations, Global Risk and Security, Diebold
    • © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  • 2. Agenda
    • Overview
    • Industry Threat Reports
    • The Need
    • Content
    • Building Your Report
    • Q&A
  • 3. Industry Threat Reports
    • There are a number of valuable resources in the industry that provide threat information and predictions
    • Most notable are Verizon's DBIR, Symantec's ISTR, and Websense's Threat Report
  • 4. Industry Threat Reports
    • These provide good information on the state of threats in the industry, but may not be specific to your organization or your industry
    • Every organization should be aware of which threats affect it specifically on a daily basis. What trends are affecting you?
  • 5. The Need
    • You want to be able to give management specific information
    • Chances are they have already read the industry reports
    • It is important to stay abreast not only of the threat landscape, but also of how it impacts you
  • 6. Key Information
    • This is what is important to you, your management, and your organization
    • Some key items are:
      • Malware outbreaks
      • DDoS attacks
      • Malicious connection attempts
      • Bad actors (internal and external)
      • Top IDS alerts
      • Top firewall blocks
      • Top internal talkers
      • Phishing
  • 7. Where to Start
    • Once you have identified what you want to include in your report, you need to gather that information
    • It can come from a number of sources, but the best source to use is your ArcSight platform
  • 8. Baselines
    • You need a good understanding of your network to know what normal activity looks like
    • ArcSight comes with a large volume of preloaded content
    • Some of this content needs to be tuned for your environment
  • 9. Device Reporting
    • The information for your threat report will come from a number of devices
    • Firewalls, IDS/IPS, WAF, IIS, etc. provide good detail on external threats
    • AV, HIPS, DLP agent information, etc. provide information on endpoint events
    • Windows/Linux event logs, DLP, proxy, etc. are good sources for brute-force attacks, data exfiltration, and user-activity threats
    • Database security devices are good sources for potential data compromise
  • 10. Content
    • The content in ArcSight Foundation is a great place to start
    • It provides network baseline, intrusion monitoring, DoS, malware, and inbound attack content, among others
    • As you identify your needs, you can also include your own content
    • Geographic event content is an example of this
  • 11. Example of ArcSight Content
  • 12. Other Content
    • Trend information, reports, etc. are great sources of information
    • Don't forget to include your dashboards. These are great sources of visual representation
    • You can generate these from your ESM or Logger
  • 13. Industry Report Information
    • Most industry reports present their information around a few main points:
      • Overview of the previous year
      • Methodology
      • Conclusions and recommendations
  • 14. Building the Report
    • Just as with an industry report, you need a narrative; it should cover the basis of your analysis
    • Explain the methodology you used to generate your report and which ArcSight content you used
    • Keep the information in an overview format, with a crisp executive focus
    • In your conclusions and recommendations, make sure they are specific to your findings and set attainable goals
  • 15. The Report Overview
    • Compare industry reports to what you are seeing in your environment
    • Note differences and how your company compares with your industry, and in general
    • Identify the attack vectors that led to the breaches in the industry reports and whether you have seen them in your environment
    • Identify why you believe you (hopefully) weren't breached via these attack methods
  • 16. The Report Methodology
    • You want your findings to be based on accurate information, so you need to show how you arrived at them
    • List the trends, filters, reports, etc. that you used, with an overview of each
  • 17. The Report Conclusion
    • Use the content within ArcSight to create graphs, charts, etc. that give a visual representation of your findings
    • If you have multiple locations, show and compare the results of your analysis for each
    • Identify key areas such as top threat vectors, top attackers, top targets, virus/malware activity, etc.
    • Compare your results with the industry results
    • Remember, this is your report. Present what you think is relevant and most important to your organization
  • 18. Recommendations
    • Base your recommendations on the data you collect
    • If over the timeframe covered you see an increase in a particular attack vector that is in line with the industry reports, identify that you are seeing that trend
    • Conversely, if you are seeing a trend that is outside the industry trends, that needs to be identified too
    • Management needs to understand that although industry reports are valuable, they may not accurately paint the right picture of the threats your organization sees
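Pulling slides 6, 8, 9 and 18 together in code: the following Python script is an added example written for this page, not code from the presentation, from Diebold or from HP. It tallies the "key information" items the slides name (top firewall blocks, top IDS alerts, top internal talkers, and external bad actors) from events in CEF, the Common Event Format that ArcSight connectors normalise to, and then compares the period's category totals against a baseline in the way slides 8 and 18 describe, flagging any category that has risen to at least twice its baseline. The sample events, the "ExampleCo" vendor and product names used to tell device types apart, the baseline figures, and the choice of RFC 1918 space as "internal" are all constructed assumptions; in practice the events would come from an ESM or Logger export and the baseline from the same tallies run over earlier reporting periods.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample events in Common Event Format (CEF), the format ArcSight connectors normalise to:
#   CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension (key=value pairs)
# "ExampleCo" and its product names are placeholders, not real connector output.
SAMPLE_CEF = [
    "CEF:0|ExampleCo|Firewall|1.0|100|Connection denied|5|src=203.0.113.10 dst=10.0.0.5 dpt=3389 act=deny",
    "CEF:0|ExampleCo|Firewall|1.0|100|Connection denied|5|src=203.0.113.10 dst=10.0.0.6 dpt=3389 act=deny",
    "CEF:0|ExampleCo|Firewall|1.0|100|Connection denied|5|src=203.0.113.10 dst=10.0.0.7 dpt=3389 act=deny",
    "CEF:0|ExampleCo|Firewall|1.0|100|Connection denied|5|src=198.51.100.7 dst=10.0.0.5 dpt=22 act=deny",
    "CEF:0|ExampleCo|Firewall|1.0|101|Connection allowed|2|src=198.51.100.7 dst=10.0.0.80 dpt=443 act=allow",
    "CEF:0|ExampleCo|IDS|2.1|2001|SQL injection attempt|8|src=203.0.113.10 dst=10.0.0.80 dpt=80 msg=UNION SELECT in query string",
    "CEF:0|ExampleCo|IDS|2.1|2001|SQL injection attempt|8|src=198.51.100.22 dst=10.0.0.80 dpt=80 msg=OR 1\\=1 in query string",
    "CEF:0|ExampleCo|IDS|2.1|2002|Shellcode detected|9|src=203.0.113.10 dst=10.0.0.5 dpt=445",
    "CEF:0|ExampleCo|Proxy|3.0|300|Outbound web request|1|src=10.0.1.15 dst=192.0.2.200 dpt=443 out=5000000",
    "CEF:0|ExampleCo|Proxy|3.0|300|Outbound web request|1|src=10.0.1.15 dst=192.0.2.201 dpt=443 out=7000000",
    "CEF:0|ExampleCo|Proxy|3.0|300|Outbound web request|1|src=10.0.1.20 dst=192.0.2.200 dpt=443 out=1000",
    "CEF:0|ExampleCo|AV|5.0|500|Malware detected|7|src=10.0.1.20 cs1=Trojan.Generic cs1Label=Signature act=quarantined",
]

# Assumption: RFC 1918 space is "internal"; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed baseline: per-period averages established from earlier reporting periods.
BASELINE = {"firewall_blocks": 3, "ids_alerts": 1, "malware_detections": 2}

_UNESCAPE = re.compile(r"\\(.)")  # CEF escapes: \| in the header, \= in the extension, \\ anywhere
_EXT_KV = re.compile(r"(\w+)=((?:\\=|[^=])*?)(?=\s+\w+=|$)")  # key=value pairs; values may contain spaces

def parse_cef(line):
    """Split one CEF line into its seven header fields plus a dict of extension key=value pairs."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)  # split on unescaped pipes only
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event: %r" % line)
    header = [_UNESCAPE.sub(r"\1", p) for p in parts[:7]]
    ext = {k: _UNESCAPE.sub(r"\1", v) for k, v in _EXT_KV.findall(parts[7])}
    return {"version": header[0][4:], "vendor": header[1], "product": header[2], "dev_version": header[3],
            "sig_id": header[4], "name": header[5], "severity": int(header[6]), "ext": ext}

def is_internal(ip):
    """Assumption: only RFC 1918 addresses count as internal; unparsable values count as external."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:
        return False

def top_firewall_blocks(events, n=5):
    """Most frequent (source address, destination port) pairs the firewall denied."""
    return Counter((e["ext"].get("src"), e["ext"].get("dpt")) for e in events
                   if e["product"] == "Firewall" and e["ext"].get("act") == "deny").most_common(n)

def top_ids_alerts(events, n=5):
    """IDS signatures by hit count."""
    return Counter(e["name"] for e in events if e["product"] == "IDS").most_common(n)

def top_internal_talkers(events, n=5):
    """Internal hosts ranked by bytes sent out through the proxy ("out" is the CEF bytesOut key)."""
    talkers = Counter()
    for e in events:
        src = e["ext"].get("src")
        if e["product"] == "Proxy" and src and is_internal(src):
            talkers[src] += int(e["ext"].get("out", 0))
    return talkers.most_common(n)

def top_external_sources(events, n=5):
    """External addresses generating the most events of any kind: the candidate bad actors."""
    return Counter(e["ext"]["src"] for e in events
                   if e["ext"].get("src") and not is_internal(e["ext"]["src"])).most_common(n)

def category_counts(events):
    """Period totals for the categories tracked against the baseline."""
    return {"firewall_blocks": sum(e["product"] == "Firewall" and e["ext"].get("act") == "deny" for e in events),
            "ids_alerts": sum(e["product"] == "IDS" for e in events),
            "malware_detections": sum(e["product"] == "AV" for e in events)}

def flag_deviations(current, baseline, factor=2.0):
    """Categories at or above `factor` times their baseline, as (current, baseline, ratio).
    Activity in a category with no baseline at all is always flagged (ratio = inf)."""
    flagged = {}
    for cat, cur in current.items():
        base = baseline.get(cat, 0)
        ratio = cur / base if base else (float("inf") if cur else 1.0)
        if ratio >= factor:
            flagged[cat] = (cur, base, ratio)
    return flagged

def build_report_tables(lines, baseline=BASELINE):
    """Everything the report's key-information section needs, computed from raw CEF lines."""
    events = [parse_cef(line) for line in lines]
    return {"top_firewall_blocks": top_firewall_blocks(events),
            "top_ids_alerts": top_ids_alerts(events),
            "top_internal_talkers": top_internal_talkers(events),
            "top_external_sources": top_external_sources(events),
            "deviations": flag_deviations(category_counts(events), baseline)}

if __name__ == "__main__":
    for section, rows in build_report_tables(SAMPLE_CEF).items():
        print(section, rows)
```

Run it directly to print the tables for the sample events, or pass it the lines of a CEF export in place of SAMPLE_CEF. The product-name matching is the weakest part: in a real deployment key off the connector's device vendor and product fields, or ArcSight's category fields, rather than a placeholder string, and derive the baseline by running the same tallies over several earlier reporting periods rather than typing numbers into a dictionary. The deviation check is what turns the tallies into the slide 18 recommendation: an IDS alert count three times its baseline is a trend to call out, whether or not the industry reports show the same rise.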
  • 19. Questions?
  • 20. Thank You
  • 21. Security for the new reality