SlideShare a Scribd company logo

Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM

Anton Goncharov
Anton Goncharov

The document discusses how an insurance company used ArcSight to build custom risk-based workflows that automated incident response. Rules and events were assigned risk scores based on severity, and filters and cases were created to escalate only the highest risk events. This reduced the number of generated cases while still addressing critical issues. The solutions provider helped implement this system to make the SIEM more effective for the company's needs.

Data & Analytics
1 of 24
Download to read offline
Improving IR Workflow Using Risk-Based Escalation in HP ArcSight ESM MetaNet IVS @meta_net http://MetaNetIVS.com
What This Talk Is About We leveraged the power of ArcSight ESM to build advanced content which enables custom, risk-based, automated incident workflow. 2
Why Should You Care 3 ★ Objectives: ★ Show capability of ArcSight ESM as a platform ★ Teach the audience to create uncommon use cases based on novel ideas ★ Share our stories and practical experience
Larry Wichman Security Engineer, Kemper Anton Goncharov Principal, MetaNet IVS
The Customer 5 • Diversified insurance holding company • Individual and small business market
Customer Environment • Feeds • MS Windows Server • McAfee AntiVirus • CheckPoint Firewall • Cisco ASA • Snort IDS • McAfee Web Gateway • Foundstone • Nessus Vulnerability Scanner ! • EPS: 600 • Cases per Day: 1-2 • Enterprise Systems: 9000 • Enterprise Users: 3000 ! • Things We Like: • Dashboards and drill downs • Things We Dislike: • ESM client is not appropriate for our management • Querying multiple Active Lists at once 6
The Problem 7 Triggered Rules don’t translate well into actionable events or Cases
The Idea 8 Low Risk (Severity Score 1) Medium Risk (Severity Score 2) High Risk (Severity Score 3) Indicator Examples ‣ AV: Malware Found and Cleaned ‣ Proxy: Blocked Outbound Connection ‣ FW: Outbound SSH Connection ‣ AV: Malware Found and Not Cleaned ‣ AV: File Infected ‣ Proxy: Blocked Connection (non-US) ‣ IDS: High Severity Alert ‣ Threat Intel: Connection to Known C&C Host ‣ AV: Buffer Overflow ‣ SIEM: Compromise Event to Vulnerable Asset 1 + 1 + 1 1 + 2 3
Solutions Provider 9 • SIEM and Event Management Solutions Provider • Heavy focus on HP ArcSight and Splunk solutions • Based in San Francisco, CA • Team members world-wide • Custom SIEM tools and methodologies • Experts in: • Maintenance of challenging environments • Complex integrations • Distributed architectures • Custom solutions for a variety of applications • Services catered to customer needs Purveyors of Finely Crafted Analytics
THE SOLUTION
Logic Flow 11 Obligatory Confusing Chart. Point With Stick.
Content Overview 12 Filters Rules Active Lists Cases Reports
Content Detail 13 Risk Score 2pts+ Low Severity Filters Risk Score Set 1 Not Risk Score 1pt Not
Content Detail 14 Risk Score 2pts+ Low Severity Filters Risk Score 1pt Risk Score +1 Risk Score Set 1 Case Alert Case Notification
Content Detail 15 Risk Score 2pts+ Low Severity Filters Medium Severity Filters Risk Score Set 1 Risk Score Set 2 Risk Score 1pt Not Not Risk Score +1 Case Alert Case Notification
Content Detail 16 Risk Score 2pts+ Low Severity Filters Medium Severity Filters Risk Score Set 1 Risk Score Set 2 Risk Score 1pt Case Alert Case Notification Risk Score +1 Risk Score +2
Content Detail 17 Not Risk Score 2pts+ Low Severity Filters Medium Severity Filters High Severity Filters Risk Score Set 1 Risk Score Set 2 Risk Score 1pt Risk Score Set 3 Case Alert Case Notification Risk Score +1 Risk Score +2 Not
Content Detail 18 Risk Score 2pts+ Low Severity Filters Medium Severity Filters High Severity Filters Risk Score Set 1 Risk Score Set 2 Risk Score 1pt Risk Score Set 3 Risk Score +3 Case Alert Case Notification Risk Score +1 Risk Score +2
Rule Example: Risk Score +2 19
THE RESULTS
Reduction In Generated Cases 21
Other Customizations: Workflow 22
Final Thoughts 1 1 1 1 3 1 1 2 2 1 1 1 1 1 3 1 1 1 1 2 3 1 1 23 Only systems reaching 3+ risk severity will trigger incident response 2 1 1 1
http://MetaNetIVS.com/downloads @meta_net Thank You

Recommended

ESM_101_6.9.0.pdf
ESM_101_6.9.0.pdfESM_101_6.9.0.pdf
ESM_101_6.9.0.pdf
Protect724v2
 
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...Bryan Borra
 
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011
Scott Carlson
 
Big Data Security with HP ArcSight
Big Data Security with HP ArcSightBig Data Security with HP ArcSight
Big Data Security with HP ArcSight
Sridhar Karnam
 
Hp arcsight services 2014 ewb
Hp arcsight services 2014 ewbHp arcsight services 2014 ewb
Hp arcsight services 2014 ewb
rty_ngtglobal
 
Architecture
ArchitectureArchitecture
Architecture
Shiva Chunduru
 
HP ArcSight
HP ArcSight HP ArcSight
HP ArcSight
Mohamed Zohair
 
HP ArcSight Demonstrating ROI For a SIEM Solution
HP ArcSight Demonstrating ROI For a SIEM SolutionHP ArcSight Demonstrating ROI For a SIEM Solution
HP ArcSight Demonstrating ROI For a SIEM Solution
rickkaun
 

Recommended

ESM_101_6.9.0.pdf
ESM_101_6.9.0.pdfESM_101_6.9.0.pdf
ESM_101_6.9.0.pdf
Protect724v2
 
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...Bryan Borra
 
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011
Scott Carlson
 
Big Data Security with HP ArcSight
Big Data Security with HP ArcSightBig Data Security with HP ArcSight
Big Data Security with HP ArcSight
Sridhar Karnam
 
Hp arcsight services 2014 ewb
Hp arcsight services 2014 ewbHp arcsight services 2014 ewb
Hp arcsight services 2014 ewb
rty_ngtglobal
 
Architecture
ArchitectureArchitecture
Architecture
Shiva Chunduru
 
HP ArcSight
HP ArcSight HP ArcSight
HP ArcSight
Mohamed Zohair
 
HP ArcSight Demonstrating ROI For a SIEM Solution
HP ArcSight Demonstrating ROI For a SIEM SolutionHP ArcSight Demonstrating ROI For a SIEM Solution
HP ArcSight Demonstrating ROI For a SIEM Solution
rickkaun
 
Standard Content Guide for ArcSight Express w/ CORR-Engine v3.0
Standard Content Guide for ArcSight Express w/ CORR-Engine v3.0Standard Content Guide for ArcSight Express w/ CORR-Engine v3.0
Standard Content Guide for ArcSight Express w/ CORR-Engine v3.0
Protect724
 
ArcSight Enterprise View Deployment Guide
ArcSight Enterprise View Deployment GuideArcSight Enterprise View Deployment Guide
ArcSight Enterprise View Deployment Guide
Protect724gopi
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
M sharifi
 
IBM QRadar Xforce
IBM QRadar XforceIBM QRadar Xforce
IBM QRadar Xforce
sreenivas1591
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
OWASP Delhi
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
hardik soni
 
Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Jay Steidle
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation finalRizwan S
 
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
OWASP Russia
 
MISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM ImplementationMISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM Implementation
Michael Nickle
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
k33a
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
Anton Chuvakin
 
Information Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesInformation Security: Advanced SIEM Techniques
Information Security: Advanced SIEM Techniques
ReliaQuest
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
Camilo Fandiño Gómez
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
Camilo Fandiño Gómez
 
SIEM evolution
SIEM evolutionSIEM evolution
SIEM evolution
Stijn Vande Casteele
 
IBM Qradar
IBM QradarIBM Qradar
IBM Qradar
Coenraad Smith
 
Whitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security IntelligenceWhitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security Intelligence
Camilo Fandiño Gómez
 
Implementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsImplementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and Lessons
Anton Chuvakin
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
hashnees
 
Security Events correlation with ESPER
Security Events correlation with ESPERSecurity Events correlation with ESPER
Security Events correlation with ESPER
Nikolay Klendar
 
Security Event Analysis Through Correlation
Security Event Analysis Through CorrelationSecurity Event Analysis Through Correlation
Security Event Analysis Through Correlation
Anton Chuvakin
 

More Related Content

What's hot

Standard Content Guide for ArcSight Express w/ CORR-Engine v3.0
Standard Content Guide for ArcSight Express w/ CORR-Engine v3.0Standard Content Guide for ArcSight Express w/ CORR-Engine v3.0
Standard Content Guide for ArcSight Express w/ CORR-Engine v3.0
Protect724
 
ArcSight Enterprise View Deployment Guide
ArcSight Enterprise View Deployment GuideArcSight Enterprise View Deployment Guide
ArcSight Enterprise View Deployment Guide
Protect724gopi
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
M sharifi
 
IBM QRadar Xforce
IBM QRadar XforceIBM QRadar Xforce
IBM QRadar Xforce
sreenivas1591
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
OWASP Delhi
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
hardik soni
 
Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Jay Steidle
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation finalRizwan S
 
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
OWASP Russia
 
MISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM ImplementationMISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM Implementation
Michael Nickle
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
k33a
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
Anton Chuvakin
 
Information Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesInformation Security: Advanced SIEM Techniques
Information Security: Advanced SIEM Techniques
ReliaQuest
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
Camilo Fandiño Gómez
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
Camilo Fandiño Gómez
 
SIEM evolution
SIEM evolutionSIEM evolution
SIEM evolution
Stijn Vande Casteele
 
IBM Qradar
IBM QradarIBM Qradar
IBM Qradar
Coenraad Smith
 
Whitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security IntelligenceWhitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security Intelligence
Camilo Fandiño Gómez
 
Implementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsImplementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and Lessons
Anton Chuvakin
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
hashnees
 

What's hot (20)

Standard Content Guide for ArcSight Express w/ CORR-Engine v3.0
Standard Content Guide for ArcSight Express w/ CORR-Engine v3.0Standard Content Guide for ArcSight Express w/ CORR-Engine v3.0
Standard Content Guide for ArcSight Express w/ CORR-Engine v3.0
 
ArcSight Enterprise View Deployment Guide
ArcSight Enterprise View Deployment GuideArcSight Enterprise View Deployment Guide
ArcSight Enterprise View Deployment Guide
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
 
IBM QRadar Xforce
IBM QRadar XforceIBM QRadar Xforce
IBM QRadar Xforce
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation final
 
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
 
MISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM ImplementationMISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM Implementation
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 
Information Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesInformation Security: Advanced SIEM Techniques
Information Security: Advanced SIEM Techniques
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
 
SIEM evolution
SIEM evolutionSIEM evolution
SIEM evolution
 
IBM Qradar
IBM QradarIBM Qradar
IBM Qradar
 
Whitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security IntelligenceWhitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security Intelligence
 
Implementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsImplementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and Lessons
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
 

Viewers also liked

Security Events correlation with ESPER
Security Events correlation with ESPERSecurity Events correlation with ESPER
Security Events correlation with ESPER
Nikolay Klendar
 
Security Event Analysis Through Correlation
Security Event Analysis Through CorrelationSecurity Event Analysis Through Correlation
Security Event Analysis Through Correlation
Anton Chuvakin
 
Log correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataLog correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance data
Ertugrul Akbas
 
SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...
SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...
SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...
Ertugrul Akbas
 
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 20165 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
IBM Security
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
IBM Security
 

Viewers also liked (6)

Security Events correlation with ESPER
Security Events correlation with ESPERSecurity Events correlation with ESPER
Security Events correlation with ESPER
 
Security Event Analysis Through Correlation
Security Event Analysis Through CorrelationSecurity Event Analysis Through Correlation
Security Event Analysis Through Correlation
 
Log correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataLog correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance data
 
SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...
SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...
SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...
 
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 20165 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
 

Similar to Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM

Perfect Profilers Final Presentation
Perfect Profilers Final PresentationPerfect Profilers Final Presentation
Perfect Profilers Final Presentation
Julie Michlinski
 
Best Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementBest Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability Management
Resolver Inc.
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
Ulf Mattsson
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based security
Splunk
 
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Rapid7
 
SplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral AnalyticsSplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral Analytics
Splunk
 
DIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident responseDIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident response
Nathan Case
 
Symantec Cyber Security Solutions | MSS and Advanced Threat Protection
Symantec Cyber Security Solutions | MSS and Advanced Threat ProtectionSymantec Cyber Security Solutions | MSS and Advanced Threat Protection
Symantec Cyber Security Solutions | MSS and Advanced Threat Protection
infoLock Technologies
 
EventLog Analyzer - Product overview
EventLog Analyzer - Product overviewEventLog Analyzer - Product overview
EventLog Analyzer - Product overview
ManageEngine EventLog Analyzer
 
SOC-as-a-Service - comSpark 2019
SOC-as-a-Service - comSpark 2019SOC-as-a-Service - comSpark 2019
SOC-as-a-Service - comSpark 2019
Advanced Technology Consulting (ATC)
 
Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015
Scalar Decisions
 
Neotys PAC - Andreas Grabner
Neotys PAC - Andreas GrabnerNeotys PAC - Andreas Grabner
Neotys PAC - Andreas Grabner
Neotys_Partner
 
Custom defense - Blake final
Custom defense - Blake finalCustom defense - Blake final
Custom defense - Blake final
Minh Le
 
SplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakoutSplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakout
Splunk
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
Amy Gerrie
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log Management
Novell
 
NormShield 2018 Cyber Security Risk Brief
NormShield 2018 Cyber Security Risk BriefNormShield 2018 Cyber Security Risk Brief
NormShield 2018 Cyber Security Risk Brief
NormShield
 

Similar to Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM (20)

Perfect Profilers Final Presentation
Perfect Profilers Final PresentationPerfect Profilers Final Presentation
Perfect Profilers Final Presentation
 
Best Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementBest Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability Management
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based security
 
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
 
SplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral AnalyticsSplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral Analytics
 
DIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident responseDIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident response
 
Symantec Cyber Security Solutions | MSS and Advanced Threat Protection
Symantec Cyber Security Solutions | MSS and Advanced Threat ProtectionSymantec Cyber Security Solutions | MSS and Advanced Threat Protection
Symantec Cyber Security Solutions | MSS and Advanced Threat Protection
 
EventLog Analyzer - Product overview
EventLog Analyzer - Product overviewEventLog Analyzer - Product overview
EventLog Analyzer - Product overview
 
SOC-as-a-Service - comSpark 2019
SOC-as-a-Service - comSpark 2019SOC-as-a-Service - comSpark 2019
SOC-as-a-Service - comSpark 2019
 
Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015
 
Neotys PAC - Andreas Grabner
Neotys PAC - Andreas GrabnerNeotys PAC - Andreas Grabner
Neotys PAC - Andreas Grabner
 
Stu w22 a
Stu w22 aStu w22 a
Stu w22 a
 
B3948
B3948B3948
B3948
 
Custom defense - Blake final
Custom defense - Blake finalCustom defense - Blake final
Custom defense - Blake final
 
SplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakoutSplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakout
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log Management
 
NormShield 2018 Cyber Security Risk Brief
NormShield 2018 Cyber Security Risk BriefNormShield 2018 Cyber Security Risk Brief
NormShield 2018 Cyber Security Risk Brief
 

Recently uploaded

STATATHON: Unleashing the Power of Statistics in a 48-Hour Knowledge Extravag...
STATATHON: Unleashing the Power of Statistics in a 48-Hour Knowledge Extravag...STATATHON: Unleashing the Power of Statistics in a 48-Hour Knowledge Extravag...
STATATHON: Unleashing the Power of Statistics in a 48-Hour Knowledge Extravag...
sameer shah
 
Malana- Gimlet Market Analysis (Portfolio 2)
Malana- Gimlet Market Analysis (Portfolio 2)Malana- Gimlet Market Analysis (Portfolio 2)
Malana- Gimlet Market Analysis (Portfolio 2)
TravisMalana
 
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...
Subhajit Sahu
 
一比一原版(UniSA毕业证书)南澳大学毕业证如何办理
一比一原版(UniSA毕业证书)南澳大学毕业证如何办理一比一原版(UniSA毕业证书)南澳大学毕业证如何办理
一比一原版(UniSA毕业证书)南澳大学毕业证如何办理
slg6lamcq
 
一比一原版(BCU毕业证书)伯明翰城市大学毕业证如何办理
一比一原版(BCU毕业证书)伯明翰城市大学毕业证如何办理一比一原版(BCU毕业证书)伯明翰城市大学毕业证如何办理
一比一原版(BCU毕业证书)伯明翰城市大学毕业证如何办理
dwreak4tg
 
一比一原版(Bradford毕业证书)布拉德福德大学毕业证如何办理
一比一原版(Bradford毕业证书)布拉德福德大学毕业证如何办理一比一原版(Bradford毕业证书)布拉德福德大学毕业证如何办理
一比一原版(Bradford毕业证书)布拉德福德大学毕业证如何办理
mbawufebxi
 
Unleashing the Power of Data_ Choosing a Trusted Analytics Platform.pdf
Unleashing the Power of Data_ Choosing a Trusted Analytics Platform.pdfUnleashing the Power of Data_ Choosing a Trusted Analytics Platform.pdf
Unleashing the Power of Data_ Choosing a Trusted Analytics Platform.pdf
Enterprise Wired
 
一比一原版(CBU毕业证)卡普顿大学毕业证如何办理
一比一原版(CBU毕业证)卡普顿大学毕业证如何办理一比一原版(CBU毕业证)卡普顿大学毕业证如何办理
一比一原版(CBU毕业证)卡普顿大学毕业证如何办理
ahzuo
 
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...
Timothy Spann
 
一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理
一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理
一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理
ahzuo
 
一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理
一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理
一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理
mzpolocfi
 
Influence of Marketing Strategy and Market Competition on Business Plan
Influence of Marketing Strategy and Market Competition on Business PlanInfluence of Marketing Strategy and Market Competition on Business Plan
Influence of Marketing Strategy and Market Competition on Business Plan
jerlynmaetalle
 
Everything you wanted to know about LIHTC
Everything you wanted to know about LIHTCEverything you wanted to know about LIHTC
Everything you wanted to know about LIHTC
Roger Valdez
 
做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样
做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样
做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样
axoqas
 
Machine learning and optimization techniques for electrical drives.pptx
Machine learning and optimization techniques for electrical drives.pptxMachine learning and optimization techniques for electrical drives.pptx
Machine learning and optimization techniques for electrical drives.pptx
balafet
 
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data Lake
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data LakeViewShift: Hassle-free Dynamic Policy Enforcement for Every Data Lake
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data Lake
Walaa Eldin Moustafa
 
Enhanced Enterprise Intelligence with your personal AI Data Copilot.pdf
Enhanced Enterprise Intelligence with your personal AI Data Copilot.pdfEnhanced Enterprise Intelligence with your personal AI Data Copilot.pdf
Enhanced Enterprise Intelligence with your personal AI Data Copilot.pdf
GetInData
 
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
g4dpvqap0
 
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...
Timothy Spann
 
一比一原版(Deakin毕业证书)迪肯大学毕业证如何办理
一比一原版(Deakin毕业证书)迪肯大学毕业证如何办理一比一原版(Deakin毕业证书)迪肯大学毕业证如何办理
一比一原版(Deakin毕业证书)迪肯大学毕业证如何办理
oz8q3jxlp
 

Recently uploaded (20)

STATATHON: Unleashing the Power of Statistics in a 48-Hour Knowledge Extravag...
STATATHON: Unleashing the Power of Statistics in a 48-Hour Knowledge Extravag...STATATHON: Unleashing the Power of Statistics in a 48-Hour Knowledge Extravag...
STATATHON: Unleashing the Power of Statistics in a 48-Hour Knowledge Extravag...
 
Malana- Gimlet Market Analysis (Portfolio 2)
Malana- Gimlet Market Analysis (Portfolio 2)Malana- Gimlet Market Analysis (Portfolio 2)
Malana- Gimlet Market Analysis (Portfolio 2)
 
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...
 
一比一原版(UniSA毕业证书)南澳大学毕业证如何办理
一比一原版(UniSA毕业证书)南澳大学毕业证如何办理一比一原版(UniSA毕业证书)南澳大学毕业证如何办理
一比一原版(UniSA毕业证书)南澳大学毕业证如何办理
 
一比一原版(BCU毕业证书)伯明翰城市大学毕业证如何办理
一比一原版(BCU毕业证书)伯明翰城市大学毕业证如何办理一比一原版(BCU毕业证书)伯明翰城市大学毕业证如何办理
一比一原版(BCU毕业证书)伯明翰城市大学毕业证如何办理
 
一比一原版(Bradford毕业证书)布拉德福德大学毕业证如何办理
一比一原版(Bradford毕业证书)布拉德福德大学毕业证如何办理一比一原版(Bradford毕业证书)布拉德福德大学毕业证如何办理
一比一原版(Bradford毕业证书)布拉德福德大学毕业证如何办理
 
Unleashing the Power of Data_ Choosing a Trusted Analytics Platform.pdf
Unleashing the Power of Data_ Choosing a Trusted Analytics Platform.pdfUnleashing the Power of Data_ Choosing a Trusted Analytics Platform.pdf
Unleashing the Power of Data_ Choosing a Trusted Analytics Platform.pdf
 
一比一原版(CBU毕业证)卡普顿大学毕业证如何办理
一比一原版(CBU毕业证)卡普顿大学毕业证如何办理一比一原版(CBU毕业证)卡普顿大学毕业证如何办理
一比一原版(CBU毕业证)卡普顿大学毕业证如何办理
 
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...
 
一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理
一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理
一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理
 
一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理
一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理
一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理
 
Influence of Marketing Strategy and Market Competition on Business Plan
Influence of Marketing Strategy and Market Competition on Business PlanInfluence of Marketing Strategy and Market Competition on Business Plan
Influence of Marketing Strategy and Market Competition on Business Plan
 
Everything you wanted to know about LIHTC
Everything you wanted to know about LIHTCEverything you wanted to know about LIHTC
Everything you wanted to know about LIHTC
 
做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样
做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样
做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样
 
Machine learning and optimization techniques for electrical drives.pptx
Machine learning and optimization techniques for electrical drives.pptxMachine learning and optimization techniques for electrical drives.pptx
Machine learning and optimization techniques for electrical drives.pptx
 
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data Lake
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data LakeViewShift: Hassle-free Dynamic Policy Enforcement for Every Data Lake
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data Lake
 
Enhanced Enterprise Intelligence with your personal AI Data Copilot.pdf
Enhanced Enterprise Intelligence with your personal AI Data Copilot.pdfEnhanced Enterprise Intelligence with your personal AI Data Copilot.pdf
Enhanced Enterprise Intelligence with your personal AI Data Copilot.pdf
 
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
 
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...
 
一比一原版(Deakin毕业证书)迪肯大学毕业证如何办理
一比一原版(Deakin毕业证书)迪肯大学毕业证如何办理一比一原版(Deakin毕业证书)迪肯大学毕业证如何办理
一比一原版(Deakin毕业证书)迪肯大学毕业证如何办理
 

Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM

  • 1. Improving IR Workflow Using Risk-Based Escalation in HP ArcSight ESM MetaNet IVS @meta_net http://MetaNetIVS.com
  • 2. What This Talk Is About We leveraged the power of ArcSight ESM to build advanced content which enables custom, risk-based, automated incident workflow. 2
  • 3. Why Should You Care 3 ★ Objectives: ★ Show capability of ArcSight ESM as a platform ★ Teach the audience to create uncommon use cases based on novel ideas ★ Share our stories and practical experience
  • 4. Larry Wichman Security Engineer, Kemper Anton Goncharov Principal, MetaNet IVS
  • 5. The Customer 5 • Diversified insurance holding company • Individual and small business market
  • 6. Customer Environment • Feeds • MS Windows Server • McAfee AntiVirus • CheckPoint Firewall • Cisco ASA • Snort IDS • McAfee Web Gateway • Foundstone • Nessus Vulnerability Scanner ! • EPS: 600 • Cases per Day: 1-2 • Enterprise Systems: 9000 • Enterprise Users: 3000 ! • Things We Like: • Dashboards and drill downs • Things We Dislike: • ESM client is not appropriate for our management • Querying multiple Active Lists at once 6
  • 7. The Problem 7 Triggered Rules don’t translate well into actionable events or Cases
  • 8. The Idea 8 Low Risk (Severity Score 1) Medium Risk (Severity Score 2) High Risk (Severity Score 3) Indicator Examples ‣ AV: Malware Found and Cleaned ‣ Proxy: Blocked Outbound Connection ‣ FW: Outbound SSH Connection ‣ AV: Malware Found and Not Cleaned ‣ AV: File Infected ‣ Proxy: Blocked Connection (non-US) ‣ IDS: High Severity Alert ‣ Threat Intel: Connection to Known C&C Host ‣ AV: Buffer Overflow ‣ SIEM: Compromise Event to Vulnerable Asset 1 + 1 + 1 1 + 2 3
  • 9. Solutions Provider 9 • SIEM and Event Management Solutions Provider • Heavy focus on HP ArcSight and Splunk solutions • Based in San Francisco, CA • Team members world-wide • Custom SIEM tools and methodologies • Experts in: • Maintenance of challenging environments • Complex integrations • Distributed architectures • Custom solutions for a variety of applications • Services catered to customer needs Purveyors of Finely Crafted Analytics
  • 11. Logic Flow 11 Obligatory Confusing Chart. Point With Stick.
  • 12. Content Overview 12 Filters Rules Active Lists Cases Reports
  • 13. Content Detail 13 Risk Score 2pts+ Low Severity Filters Risk Score Set 1 Not Risk Score 1pt Not
  • 14. Content Detail 14 Risk Score 2pts+ Low Severity Filters Risk Score 1pt Risk Score +1 Risk Score Set 1 Case Alert Case Notification
  • 15. Content Detail 15 Risk Score 2pts+ Low Severity Filters Medium Severity Filters Risk Score Set 1 Risk Score Set 2 Risk Score 1pt Not Not Risk Score +1 Case Alert Case Notification
  • 16. Content Detail 16 Risk Score 2pts+ Low Severity Filters Medium Severity Filters Risk Score Set 1 Risk Score Set 2 Risk Score 1pt Case Alert Case Notification Risk Score +1 Risk Score +2
  • 17. Content Detail 17 Not Risk Score 2pts+ Low Severity Filters Medium Severity Filters High Severity Filters Risk Score Set 1 Risk Score Set 2 Risk Score 1pt Risk Score Set 3 Case Alert Case Notification Risk Score +1 Risk Score +2 Not
  • 18. Content Detail 18 Risk Score 2pts+ Low Severity Filters Medium Severity Filters High Severity Filters Risk Score Set 1 Risk Score Set 2 Risk Score 1pt Risk Score Set 3 Risk Score +3 Case Alert Case Notification Risk Score +1 Risk Score +2
  • 19. Rule Example: Risk Score +2 19
  • 23. Final Thoughts 1 1 1 1 3 1 1 2 2 1 1 1 1 1 3 1 1 1 1 2 3 1 1 23 Only systems reaching 3+ risk severity will trigger incident response 2 1 1 1