Confidential - Proficio, Inc
Tips and Tricks for MSSPs Leveraging ArcSight ESM to Win Proof of Concepts
…“Make ArcSight Great Again” Was Not Approved as a Title to this Presentation
Introducing the Speakers

Bryan Borra, SOC and SIEM Director
Bryan manages the SIEM and SOC teams at Proficio. He previously worked at SAIC / Leidos / McAfee. He’s nicknamed “SIEM Destroyer” for creating the wrong content at the wrong time for a few SIEM instances.

Jordan Knopp, SIEM Content Engineer
Jordan leads the development of SIEM content for several key contracts for Proficio’s ProSOC Services. He also currently serves as Proficio’s in-house machine learning solution.

Tristan Reed, SIEM Content Engineer
Tristan leads the development of SIEM monitoring solutions for several products. He has recently been engaged in monitoring cloud platforms and specializes in bricking IoT devices to be used in demos.

Proficio, Southern California + Singapore based MSSP
Proficio is an award-winning MSSP that leverages HPE ArcSight ESM to provide a multitenant SIEM-as-a-Service offering along with 24x7 SOC monitoring (ProSOC).
Agenda
• Introduce common problems we encounter as an MSSP
• Detail solutions to these issues, including:
  1. Running efficient reports
  2. Deploying effective content architecture
  3. Monitoring new cloud data sources
Reports: Modern Visuals

Reports: What We See

Reports: What Our Customers Told Us

Concurrently Running Reports Limit
Limit of 5 “NumberOfReportsCurrentlyQueryingDB”
Ref: /All Dashboards/ArcSight Administration/ESM/System Health/Resources/Reporting/Report Details

Reports: What We Asked Ourselves
Reports Requirements as an MSSP
• Run hundreds of reports on a weekly basis
• Have customized templates for branding and client
• Be able to provide SIEM-as-a-Service around reporting
• Never overload the reporting engine
Reports Templates: Header / Footer
Toggling the header and footer bubble will change the view of the whole template but only affect…

Reports Templates
Easy Hex Picker: http://www.ginifab.com/feeds/pms/pms_color_in_image.php
Select “Properties” on any chart control and then select “advanced” on the “Chart” tab.

Reports Templates
Reports: Trends and Active Lists
• Higher EPS as an MSSP, lower report performance
• SIEM-as-a-Service issues
• Demand for monthly and weekly reports
• Overload on scheduled reports for Fridays and Mondays
Reports: Trends Versus Active Lists

Trends:
• Less than 1,000,000 events in a month
• Usually have to schedule hourly
• Can go back on historical data
• Delays on collection by hour / day
• More trend failures
• Harder to set up than lists
• Advantage of aggregation

Active Lists:
• Less than 100,000 events in a month
• Driven by simple rules
• Real-time as events are collected
• Rules can trigger on repetition
• Advantages of keys and value fields
• TTLs make management straightforward
• Session lists…what are those?
Reports: Common Reports

Trends:
• IDPS events of interest
• Antivirus events
• Event collection statistics
• Webfilter event statistics
• Windows account logon failures

Active Lists:
• Windows group changes
• Windows account lockouts
• Firewall admin commands
• Windows user account modifications
• Special security devices
Sample Active List / Trend Setup
Active list path: Rule Action: Add to List → Add to Reporting List (Sample: Windows Group Changes)
Trend path: Schedule Hourly Trend → Gather Reporting Trend (Sample: IDPS Events of Interest)
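The two reporting structures the slides compare, modelled in Python as an added example (not code from the Proficio deck): a rule action fills a TTL-bounded active list in real time and fires on repetition, while an hourly trend stores aggregated rows for the weekly report to query. The field names, thresholds and sample events are this example's own constructions.

```python
"""Added example (not from the Proficio deck): a small model of the two
reporting structures the slides compare, fed with constructed events.

An ArcSight active list holds entries identified by key fields, carries
value fields (here a hit count) and expires entries by TTL; a rule's
"Add to List" action fills it in real time and can fire on repetition.
A trend runs on a schedule (here hourly buckets) and stores aggregated
counts that a weekly or monthly report queries instead of raw events.
Field names, thresholds and the events below are this example's own.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): Windows group changes and IDPS alerts.
EVENTS = [
    {"ts": "2017-03-06T09:05:00", "cat": "group_change", "user": "jdoe", "group": "Domain Admins"},
    {"ts": "2017-03-06T09:07:00", "cat": "ids", "sig": "ET TROJAN Beacon", "src": "10.1.1.5"},
    {"ts": "2017-03-06T09:45:00", "cat": "ids", "sig": "ET TROJAN Beacon", "src": "10.1.1.5"},
    {"ts": "2017-03-06T10:12:00", "cat": "ids", "sig": "ET SCAN Nmap", "src": "10.1.1.7"},
    {"ts": "2017-03-06T10:30:00", "cat": "group_change", "user": "jdoe", "group": "Domain Admins"},
    {"ts": "2017-03-08T11:00:00", "cat": "ids", "sig": "ET TROJAN Beacon", "src": "10.1.1.5"},
]


class ActiveList:
    """Key fields identify an entry, value fields are updated in place, TTL expires stale entries."""

    def __init__(self, key_fields, ttl):
        self.key_fields = key_fields
        self.ttl = ttl
        self.entries = {}  # key tuple -> {"count": int, "last_seen": datetime}

    def add(self, event, now):
        key = tuple(event[f] for f in self.key_fields)
        entry = self.entries.setdefault(key, {"count": 0, "last_seen": now})
        entry["count"] += 1
        entry["last_seen"] = now
        return entry["count"]

    def expire(self, now):
        """Drop entries not seen within the TTL; accepts a datetime or ISO string, returns removals."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        stale = [k for k, e in self.entries.items() if now - e["last_seen"] > self.ttl]
        for k in stale:
            del self.entries[k]
        return len(stale)


def hour_bucket(ts):
    """Trend granularity: the hourly schedule the slides recommend, as a bucket label."""
    return ts.strftime("%Y-%m-%d %H:00")


def run_pipeline(events, list_ttl=timedelta(days=7), repeat_threshold=2):
    """Low-volume feed -> active list via rule action; high-volume feed -> hourly trend."""
    reporting_list = ActiveList(["user", "group"], list_ttl)
    trend = defaultdict(int)  # (hour bucket, signature) -> aggregated event count
    repeat_alerts = []
    for ev in events:
        now = datetime.fromisoformat(ev["ts"])
        if ev["cat"] == "group_change":
            # Rule Action: Add to Reporting List; a second hit within TTL is a repetition.
            if reporting_list.add(ev, now) == repeat_threshold:
                repeat_alerts.append((ev["user"], ev["group"]))
        elif ev["cat"] == "ids":
            # Hourly trend: one aggregated row per (hour, signature) instead of the raw event.
            trend[(hour_bucket(now), ev["sig"])] += 1
    return reporting_list, trend, repeat_alerts


def weekly_signature_report(trend):
    """Report query against the trend: total hits per signature, highest first."""
    totals = defaultdict(int)
    for (_, sig), count in trend.items():
        totals[sig] += count
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    lst, trend, alerts = run_pipeline(EVENTS)
    print("repeat alerts:", alerts)
    print("trend rows:", len(trend), "vs raw IDS events:", sum(trend.values()))
    print("report:", weekly_signature_report(trend))
    print("expired after TTL:", lst.expire("2017-03-20T00:00:00"))
```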
Reports: Common Reports
1. IPS Summary
2. Windows Failed Logons
3. Firewall Command Summary
4. Blacklisted IP Correlation

Reports: Special Reports
1. CrowdStrike Summary
2. DARKTRACE Summary
3. Cylance Summary

Reports: Portal Reporting Solution
Portal workflow steps: Choose Report Time, Choose Presentation, Choose Recipients
Content Architecture
• Rule management
• Designing rules for scalability
• Additional correlation layers

Thinking Ahead

Rule Management
• Requirements:
  • Accommodate blanket changes to multiple rules
  • Rules should be easily readable
  • Minimize complexity creep
• Achievable through layers of abstraction
Additional Correlation Layer: Overview
Lower-layer rules (AV Critical Threat Detected, IDS Spyware Detected, Vulnerability Scanning, Destination IP Watchlist, Super APT Zero Day, …etc.) consume Base / Aggregated Events.
Their output feeds a single Notification Rule, which checks whitelists and checks destination, then runs the Rule Actions: Send Notification and Create Case.
Advantages of Correlation Layering
• Easier to manage
  • Changes can be applied at a higher level
  • Akin to CSS for HTML
• Easier to maintain
  • Reduces clutter by distributing additional conditions
• Low impact
  • Efficient conditions easy to create

Managing Rules
Rule Actions
Conditions at Higher Correlation Layer
• Efficient conditions:
  1. Set a unique value as an action in lower correlation rules
  2. Type = Correlation
Lower level rule action
Ref “All operators are not created equal”: https://www.protect724.hpe.com/docs/DOC-11160

Conditions at Higher Correlation Layer
• Using filters:
  1. Filters have a smaller performance impact in this layer
  2. Filter names provide built-in documentation
Correlation Layering

Independent Rules | Additional Correlation Layer
Changes applied individually to each rule | Most changes applied only on one rule
Difficult to annotate | Annotation through filters
Increasingly complex/inefficient | Very efficient
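The two-layer design from the preceding slides (lower rules set a unique marker as a rule action; one notification rule checks Type = Correlation and the marker first, then shared whitelist and destination filters, then fires Send Notification / Create Case), written out in Python as an added example rather than ArcSight content from the deck. The marker value, filter names, rule conditions and addresses are assumptions made for this example.

```python
"""Added example (not from the Proficio deck): the two-layer correlation
design from the slides, modelled in Python over constructed events.

Lower layer: independent detection rules, each of which emits a correlation
event and, as a rule action, sets one unique marker value.  Upper layer: a
single notification rule whose first conditions are the cheap ones the slides
recommend (Type = Correlation, then the marker), followed by named filters
(whitelist, destination scope) and the actions Send Notification / Create Case.
Field names, filter names, rule conditions and addresses are this example's own.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MARKER = "notify-layer"  # unique value set by every lower-level rule action


@dataclass
class Event:
    type: str  # "Base" or "Correlation"
    name: str
    src: str
    dst: str
    fields: dict = field(default_factory=dict)


# ---------- lower correlation layer: independent, single-purpose rules ----------
LOWER_RULES = {
    "AV Critical Threat Detected": lambda e: e.name.startswith("AV:") and "critical" in e.name.lower(),
    "IDS Spyware Detected": lambda e: e.name.startswith("IDS:") and "spyware" in e.name.lower(),
    "Vulnerability Scanning": lambda e: e.name.startswith("IDS:") and "scan" in e.name.lower(),
}


def run_lower_layer(base_events):
    """Each matching rule emits a correlation event carrying the shared marker."""
    out = []
    for ev in base_events:
        if ev.type != "Base":
            continue
        for rule_name, cond in LOWER_RULES.items():
            if cond(ev):
                out.append(Event("Correlation", rule_name, ev.src, ev.dst, {"marker": MARKER}))
    return out


# ---------- upper layer: one notification rule whose filters serve every lower rule ----------
AUTHORIZED_SCANNERS = {"10.0.0.50"}            # backs the filter "Whitelist - Authorized Scanners"
CUSTOMER_NETWORKS = [ip_network("10.0.0.0/8")]  # backs the filter "Destination - Customer Assets"

FILTERS = {  # filter names double as documentation of the condition
    "Whitelist - Authorized Scanners": lambda e: e.src not in AUTHORIZED_SCANNERS,
    "Destination - Customer Assets": lambda e: any(ip_address(e.dst) in n for n in CUSTOMER_NETWORKS),
}


def notification_rule(events):
    """Returns (actions, filter_evaluations): cheap operators first, filters only on survivors."""
    actions, filter_evaluations = [], 0
    for ev in events:
        if ev.type != "Correlation" or ev.fields.get("marker") != MARKER:
            continue  # Type and marker checks rule out the bulk of traffic before any filter runs
        filter_evaluations += 1
        if all(f(ev) for f in FILTERS.values()):
            actions.append(("Send Notification", ev.name, ev.src))
            actions.append(("Create Case", ev.name, ev.src))
    return actions, filter_evaluations


def process(base_events):
    return notification_rule(run_lower_layer(base_events))


# Constructed sample traffic (not real logs).
SAMPLE = [
    Event("Base", "AV: Critical threat quarantined", "10.0.0.5", "10.0.0.5"),
    Event("Base", "IDS: Spyware beacon", "10.0.0.9", "10.0.2.2"),
    Event("Base", "IDS: Port scan", "10.0.0.50", "10.0.1.1"),        # authorized scanner: whitelisted
    Event("Base", "IDS: Port scan", "10.0.0.77", "10.0.1.1"),        # unknown scanner: notify
    Event("Base", "IDS: Port scan", "10.0.0.77", "198.51.100.7"),    # target not a customer asset
    Event("Base", "Firewall: accept", "10.0.0.3", "10.0.1.1"),       # never leaves the lower layer
]

if __name__ == "__main__":
    actions, evaluated = process(SAMPLE)
    for action in actions:
        print(action)
    print(f"filters evaluated on {evaluated} of {len(SAMPLE)} events")
```

Adding one address to AUTHORIZED_SCANNERS suppresses that source for every lower rule at once, which is the "CSS for HTML" effect the slides describe.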
Effects of Correlation Layering: Before / After
Monitoring the Cloud: Sales Perspective

Monitoring the Cloud
• Cloud Computing Services
• Adapting Your View to IaaS
• Building Use Cases

Cloud Computing Services: IaaS, PaaS, SaaS
Adapting Your View To IaaS
• Same requirements for assets in the cloud
• Monitoring infrastructure (as a service)

Amazon Web Services Infrastructure | Traditional View
Security Groups | Firewall Policies
VPC Flow | Firewall Traffic
AWS API Calls (CloudTrail) | Infrastructure Management
Instances, Images, and Snapshots | Logical Infrastructure Hosting Assets
Building Use Cases (AWS)
• Identify available data sources
• Implement business context modeling
• Identify possible attack vectors
• Identify malicious activity
Identify Data Sources (AWS)
Leverage existing audit capabilities: AWS CloudTrail, Amazon CloudWatch
Identify assets of security interest:
• Compute: Amazon EC2, AMI, instances
• Storage: Amazon S3, snapshot, bucket
• Database: Amazon DynamoDB, Amazon RDS, Amazon Redshift
• Networking: Amazon VPC, flow logs, VPN gateway
Implement Business Context Modeling
1. Regular maintenance schedules (creating snapshots)
2. Authorized schedule for AWS account access
3. Typical locations (source addresses) for AWS access
4. Whitelist roles for 3rd party AWS accounts (e.g. CloudTrek)
Identify Potential Attack Vectors (AWS)
• Vulnerable Web Services in EC2 Instance
  • Example: Server Side Request Forgeries to Meta-Data Server
• Spear Phishing
  • An AWS developer’s credentials stolen via malicious email
• Unprotected Access Keys
  • A developer hard coded credentials in a publicly accessible repository like GitHub
Identifying Events of Security Interest
• Modifications to Security Groups
• Creating Snapshots / Loading into Volumes
• Running New Instances
• User Policies
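The AWS use-case steps from the last three slides (business context modeling applied to the four event families of interest) as one detection pass over CloudTrail-style records, added here as an example and not taken from the deck. The record layout and API names are CloudTrail's; the maintenance window, authorized hours, source network, role ARNs and the records themselves are constructed for this example.

```python
"""Added example (not from the Proficio deck): the AWS use-case steps from
the slides as one detection pass over constructed CloudTrail-style records.

Business context (maintenance window for snapshots, authorized access hours,
typical source networks, a whitelisted third-party role) is applied to the
four event families the slides flag: security group changes, snapshot/volume
activity, new instances and user policy changes.  Record fields follow the
real CloudTrail layout; the ARNs, addresses, schedule and records are
constructed for this example.
"""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

EVENTS_OF_INTEREST = {
    "AuthorizeSecurityGroupIngress": "security-group-change",
    "RevokeSecurityGroupIngress": "security-group-change",
    "CreateSnapshot": "snapshot-volume",
    "CreateVolume": "snapshot-volume",
    "AttachVolume": "snapshot-volume",
    "RunInstances": "new-instance",
    "PutUserPolicy": "user-policy",
    "AttachUserPolicy": "user-policy",
}

# Business context model (constructed values).
CONTEXT = {
    "snapshot_window": (time(2, 0), time(4, 0)),        # daily maintenance window, UTC
    "snapshot_role": "arn:aws:sts::111122223333:assumed-role/BackupAutomation/backup",
    "authorized_hours": (time(7, 0), time(20, 0)),      # when interactive access is expected, UTC
    "typical_sources": [ip_network("203.0.113.0/24")],  # office egress range
    "third_party_roles": {"arn:aws:iam::111122223333:role/ThirdPartyAuditAccess"},
}


def parse_time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def in_window(when, window):
    start, end = window
    return start <= when.time() <= end


def from_typical_source(record):
    src = record.get("sourceIPAddress", "")
    try:
        ip = ip_address(src)
    except ValueError:
        return True  # AWS service principals (e.g. "ec2.amazonaws.com") are not remote users
    return any(ip in net for net in CONTEXT["typical_sources"])


def evaluate(record):
    """Return None (not of interest, or explained by business context) or a finding dict."""
    family = EVENTS_OF_INTEREST.get(record["eventName"])
    if family is None:
        return None
    actor = record["userIdentity"]["arn"]
    when = parse_time(record)
    if actor in CONTEXT["third_party_roles"]:
        return None  # whitelisted 3rd-party role (context item 4)
    if family == "snapshot-volume" and actor == CONTEXT["snapshot_role"] \
            and in_window(when, CONTEXT["snapshot_window"]):
        return None  # regular maintenance schedule (context item 1)
    reasons = [family]
    if not from_typical_source(record):
        reasons.append("unusual-source")            # context item 3
    if not in_window(when, CONTEXT["authorized_hours"]):
        reasons.append("outside-authorized-hours")  # context item 2
    severity = "high" if len(reasons) > 1 else "medium"
    return {"eventName": record["eventName"], "actor": actor, "severity": severity, "reasons": reasons}


def run(records):
    return [f for f in (evaluate(r) for r in records) if f]


# Constructed CloudTrail-style records (not real logs).
DEV_USER = "arn:aws:iam::111122223333:user/dev1"
SAMPLE = [
    {"eventTime": "2017-03-05T02:30:00Z", "eventName": "CreateSnapshot",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": CONTEXT["snapshot_role"]}},
    {"eventTime": "2017-03-05T13:30:00Z", "eventName": "CreateSnapshot",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": DEV_USER}},
    {"eventTime": "2017-03-05T23:10:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "198.51.100.44", "userIdentity": {"arn": DEV_USER}},
    {"eventTime": "2017-03-05T10:00:00Z", "eventName": "AttachUserPolicy",
     "sourceIPAddress": "192.0.2.8", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ThirdPartyAuditAccess"}},
    {"eventTime": "2017-03-05T10:05:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": DEV_USER}},
    {"eventTime": "2017-03-05T10:10:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": DEV_USER}},
]

if __name__ == "__main__":
    for finding in run(SAMPLE):
        print(finding)
```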
Questions?
www.Proficio.com
Thank you

More Related Content

What's hot

HP ArcSight Demonstrating ROI For a SIEM Solution
HP ArcSight Demonstrating ROI For a SIEM SolutionHP ArcSight Demonstrating ROI For a SIEM Solution
HP ArcSight Demonstrating ROI For a SIEM Solutionrickkaun
 
Hp arcsight services 2014 ewb
Hp arcsight services 2014   ewbHp arcsight services 2014   ewb
Hp arcsight services 2014 ewbrty_ngtglobal
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk M sharifi
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)hardik soni
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsOWASP Delhi
 
Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Jay Steidle
 
MISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM ImplementationMISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM ImplementationMichael Nickle
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation finalRizwan S
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Information Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesInformation Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesReliaQuest
 
Implementing and Running SIEM: Approaches and Lessons
Implementing  and Running SIEM: Approaches and LessonsImplementing  and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsAnton Chuvakin
 
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) ArkhipovaOWASP Russia
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewCamilo Fandiño Gómez
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewCamilo Fandiño Gómez
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution hashnees
 
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
DSS   ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...DSS   ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...Andris Soroka
 

What's hot (20)

HP ArcSight Demonstrating ROI For a SIEM Solution
HP ArcSight Demonstrating ROI For a SIEM SolutionHP ArcSight Demonstrating ROI For a SIEM Solution
HP ArcSight Demonstrating ROI For a SIEM Solution
 
Hp arcsight services 2014 ewb
Hp arcsight services 2014   ewbHp arcsight services 2014   ewb
Hp arcsight services 2014 ewb
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
 
Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15
 
MISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM ImplementationMISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM Implementation
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 
SIEM evolution
SIEM evolutionSIEM evolution
SIEM evolution
 
IBM QRadar Xforce
IBM QRadar XforceIBM QRadar Xforce
IBM QRadar Xforce
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation final
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Information Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesInformation Security: Advanced SIEM Techniques
Information Security: Advanced SIEM Techniques
 
Implementing and Running SIEM: Approaches and Lessons
Implementing  and Running SIEM: Approaches and LessonsImplementing  and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and Lessons
 
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
 
IBM Qradar
IBM QradarIBM Qradar
IBM Qradar
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
 
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
DSS   ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...DSS   ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
 

Viewers also liked

IMC 618 - Public Relations Campaign
IMC 618 - Public Relations CampaignIMC 618 - Public Relations Campaign
IMC 618 - Public Relations CampaignStephanie Holman
 
Security Events correlation with ESPER
Security Events correlation with ESPERSecurity Events correlation with ESPER
Security Events correlation with ESPERNikolay Klendar
 
MT 70 The New Era of Incident Response Planning
MT 70 The New Era of Incident Response PlanningMT 70 The New Era of Incident Response Planning
MT 70 The New Era of Incident Response PlanningDell EMC World
 
Security Event Analysis Through Correlation
Security Event Analysis Through CorrelationSecurity Event Analysis Through Correlation
Security Event Analysis Through CorrelationAnton Chuvakin
 
MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached
MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached
MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached Dell EMC World
 
Top 12 Cybersecurity Predictions for 2017
Top 12 Cybersecurity Predictions for 2017Top 12 Cybersecurity Predictions for 2017
Top 12 Cybersecurity Predictions for 2017IBM Security
 
Log correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine  performance dataLog correlation SIEM rule examples and correlation engine  performance data
Log correlation SIEM rule examples and correlation engine performance dataErtugrul Akbas
 
SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...
SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds  LEM Performance...SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds  LEM Performance...
SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...Ertugrul Akbas
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsUlf Mattsson
 
Cyber security threats for 2017
Cyber security threats for 2017Cyber security threats for 2017
Cyber security threats for 2017Ramiro Cid
 
End-User Computing Insights: A study of digital maturity
End-User Computing Insights: A study of digital maturityEnd-User Computing Insights: A study of digital maturity
End-User Computing Insights: A study of digital maturityDImension Data
 
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 20165 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016IBM Security
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsIBM Security
 
2017 Cybersecurity Predictions
2017 Cybersecurity Predictions2017 Cybersecurity Predictions
2017 Cybersecurity PredictionsPaloAltoNetworks
 
Corp Overview 11510
Corp Overview 11510Corp Overview 11510
Corp Overview 11510jduhaime
 
2017 Consumer Survey: Healthcare Cybersecurity and Digital Trust
2017 Consumer Survey: Healthcare Cybersecurity and Digital Trust2017 Consumer Survey: Healthcare Cybersecurity and Digital Trust
2017 Consumer Survey: Healthcare Cybersecurity and Digital Trustaccenture
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityStephen Lahanas
 

Viewers also liked (17)

IMC 618 - Public Relations Campaign
IMC 618 - Public Relations CampaignIMC 618 - Public Relations Campaign
IMC 618 - Public Relations Campaign
 
Security Events correlation with ESPER
Security Events correlation with ESPERSecurity Events correlation with ESPER
Security Events correlation with ESPER
 
MT 70 The New Era of Incident Response Planning
MT 70 The New Era of Incident Response PlanningMT 70 The New Era of Incident Response Planning
MT 70 The New Era of Incident Response Planning
 
Security Event Analysis Through Correlation
Security Event Analysis Through CorrelationSecurity Event Analysis Through Correlation
Security Event Analysis Through Correlation
 
MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached
MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached
MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached
 
Top 12 Cybersecurity Predictions for 2017
Top 12 Cybersecurity Predictions for 2017Top 12 Cybersecurity Predictions for 2017
Top 12 Cybersecurity Predictions for 2017
 
Log correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine  performance dataLog correlation SIEM rule examples and correlation engine  performance data
Log correlation SIEM rule examples and correlation engine performance data
 
SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...
SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds  LEM Performance...SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds  LEM Performance...
SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 
Cyber security threats for 2017
Cyber security threats for 2017Cyber security threats for 2017
Cyber security threats for 2017
 
End-User Computing Insights: A study of digital maturity
End-User Computing Insights: A study of digital maturityEnd-User Computing Insights: A study of digital maturity
End-User Computing Insights: A study of digital maturity
 
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 20165 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
 
2017 Cybersecurity Predictions
2017 Cybersecurity Predictions2017 Cybersecurity Predictions
2017 Cybersecurity Predictions
 
Corp Overview 11510
Corp Overview 11510Corp Overview 11510
Corp Overview 11510
 
2017 Consumer Survey: Healthcare Cybersecurity and Digital Trust
2017 Consumer Survey: Healthcare Cybersecurity and Digital Trust2017 Consumer Survey: Healthcare Cybersecurity and Digital Trust
2017 Consumer Survey: Healthcare Cybersecurity and Digital Trust
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
 

Similar to Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof of concepts

Glue con2011 future_of_net_systems
Glue con2011 future_of_net_systemsGlue con2011 future_of_net_systems
Glue con2011 future_of_net_systemsJames Urquhart
 
Cso 4any ram rev 2.6 management summary
Cso 4any ram rev 2.6 management summaryCso 4any ram rev 2.6 management summary
Cso 4any ram rev 2.6 management summaryCSO GmbH
 
Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesKai Wähner
 
Best Practices for Monitoring Your Cloud Environment and Applications
Best Practices for Monitoring Your Cloud Environment and ApplicationsBest Practices for Monitoring Your Cloud Environment and Applications
Best Practices for Monitoring Your Cloud Environment and ApplicationsProlifics
 
QRadar_on_Cloud_client_presentation.PPTX
QRadar_on_Cloud_client_presentation.PPTXQRadar_on_Cloud_client_presentation.PPTX
QRadar_on_Cloud_client_presentation.PPTXNatashaVerma29
 
Skip the Security Slow Lane with VMware Cloud on AWS
Skip the Security Slow Lane with VMware Cloud on AWSSkip the Security Slow Lane with VMware Cloud on AWS
Skip the Security Slow Lane with VMware Cloud on AWSTrend Micro
 
2021 01-27 reducing risk of ransomware webinar
2021 01-27 reducing risk of ransomware webinar2021 01-27 reducing risk of ransomware webinar
2021 01-27 reducing risk of ransomware webinarAlgoSec
 
Cloud security Presentation
Cloud security PresentationCloud security Presentation
Cloud security PresentationAjay p
 
Cisco Connect Toronto 2017 - Introducing the Network Intuitive
Cisco Connect Toronto 2017 - Introducing the Network IntuitiveCisco Connect Toronto 2017 - Introducing the Network Intuitive
Cisco Connect Toronto 2017 - Introducing the Network IntuitiveCisco Canada
 
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Amazon Web Services
 
A Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial InstitutionsA Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial InstitutionsAngelo Agatino Nicolosi
 
IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM
 
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Amazon Web Services
 
Security and Virtualization in the Data Center
Security and Virtualization in the Data CenterSecurity and Virtualization in the Data Center
Security and Virtualization in the Data CenterCisco Canada
 
VMworld 2013: Get on with Business - VMware Reference Architectures Help Stre...
VMworld 2013: Get on with Business - VMware Reference Architectures Help Stre...VMworld 2013: Get on with Business - VMware Reference Architectures Help Stre...
VMworld 2013: Get on with Business - VMware Reference Architectures Help Stre...VMworld
 
Application Modernization with PKS / Kubernetes
Application Modernization with PKS / KubernetesApplication Modernization with PKS / Kubernetes
Application Modernization with PKS / KubernetesPaul Czarkowski
 
Sify - IT Management Services
Sify - IT Management ServicesSify - IT Management Services
Sify - IT Management Serviceswebhostingguy
 
Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2jeffirby
 

Similar to Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof of concepts (20)

Glue con2011 future_of_net_systems
Glue con2011 future_of_net_systemsGlue con2011 future_of_net_systems
Glue con2011 future_of_net_systems
 
Cso 4any ram rev 2.6 management summary
Cso 4any ram rev 2.6 management summaryCso 4any ram rev 2.6 management summary
Cso 4any ram rev 2.6 management summary
 
Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed Microservices
 
Best Practices for Monitoring Your Cloud Environment and Applications
Best Practices for Monitoring Your Cloud Environment and ApplicationsBest Practices for Monitoring Your Cloud Environment and Applications
Best Practices for Monitoring Your Cloud Environment and Applications
 
QRadar_on_Cloud_client_presentation.PPTX
QRadar_on_Cloud_client_presentation.PPTXQRadar_on_Cloud_client_presentation.PPTX
QRadar_on_Cloud_client_presentation.PPTX
 
Skip the Security Slow Lane with VMware Cloud on AWS
Skip the Security Slow Lane with VMware Cloud on AWSSkip the Security Slow Lane with VMware Cloud on AWS
Skip the Security Slow Lane with VMware Cloud on AWS
 
Cloud services and it security
Cloud services and it securityCloud services and it security
Cloud services and it security
 
2021 01-27 reducing risk of ransomware webinar
2021 01-27 reducing risk of ransomware webinar2021 01-27 reducing risk of ransomware webinar
2021 01-27 reducing risk of ransomware webinar
 
Cloud security Presentation
Cloud security PresentationCloud security Presentation
Cloud security Presentation
 
Cisco Connect Toronto 2017 - Introducing the Network Intuitive
Cisco Connect Toronto 2017 - Introducing the Network IntuitiveCisco Connect Toronto 2017 - Introducing the Network Intuitive
Cisco Connect Toronto 2017 - Introducing the Network Intuitive
 
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
 
A Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial InstitutionsA Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial Institutions
 
IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future
 
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
 
Security and Virtualization in the Data Center
Security and Virtualization in the Data CenterSecurity and Virtualization in the Data Center
Security and Virtualization in the Data Center
 
VMworld 2013: Get on with Business - VMware Reference Architectures Help Stre...
VMworld 2013: Get on with Business - VMware Reference Architectures Help Stre...VMworld 2013: Get on with Business - VMware Reference Architectures Help Stre...
VMworld 2013: Get on with Business - VMware Reference Architectures Help Stre...
 
Application Modernization with PKS / Kubernetes
Application Modernization with PKS / KubernetesApplication Modernization with PKS / Kubernetes
Application Modernization with PKS / Kubernetes
 
SAP HANA Cloud Security
SAP HANA Cloud SecuritySAP HANA Cloud Security
SAP HANA Cloud Security
 
Sify - IT Management Services
Sify - IT Management ServicesSify - IT Management Services
Sify - IT Management Services
 
Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2
 

Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof of concepts

11. Reports Requirements as an MSSP
• Run hundreds of reports on a weekly basis
• Have customized templates for branding and client
• Be able to provide SIEM-as-a-service around reporting
• Never overload the reporting engine

12. Reports Templates: Header / Footer
Toggling the header and footer bubble will change the view of the whole template but only affect…

13. Reports Templates
Easy Hex Picker: http://www.ginifab.com/feeds/pms/pms_color_in_image.php
Select “Properties” on any chart control and then select “advanced” on the “Chart” tab

14. Reports Templates

15. Reports: Trends and Active Lists
• Higher EPS as an MSSP, lower report performance
• SIEM-as-Service issues
• Demand for monthly and weekly reports
• Overload on scheduled reports for Fridays and Mondays

16. Reports: Trends Versus Active Lists
Trends:
• Less than 1,000,000 in a month
• Usually have to schedule hourly
• Can go back on historical data
• Delays on collection by hour / day
• More trend failures
• Harder to setup than lists
• Advantage of aggregation
Active Lists:
• Less than 100,000 events in a month
• Driven by simple rules
• Real-time as events are collected
• Rules can trigger on repetition
• Advantages of keys and value fields
• TTLs are straightforward management
• Sessions lists…what are those?

17. Reports: Common Reports
Trends:
• IDPS events of interest
• Antivirus events
• Event collection statistics
• Webfilter event statistics
• Windows account logon failures
Active Lists:
• Windows group changes
• Windows account lockouts
• Firewall admin commands
• Windows user account modifications
• Special security devices

18. Sample Active List / Trend Setup
Active list (sample: Windows Group Changes): Rule Action: Add to List, then Add to Reporting List
Trend (sample: IDPS Events of Interest): Schedule Hourly Trend, then Gather Reporting Trend

19. Reports: Common Reports
1. IPS Summary
2. Windows Failed Logons
3. Firewall Command Summary
4. Blacklisted IP Correlation

20. Reports: Special Reports
1. CrowdStrike Summary
2. DARKTRACE Summary
3. Cylance Summary

21. Reports: Portal Reporting Solution
Choose Report Time / Choose Presentation / Choose Recipients

22. Reports: Portal Reporting Solution

23. Content Architecture
• Rule management
• Designing rules for scalability
• Additional correlation layers

24. Thinking Ahead

25. Thinking Ahead

26. Rule Management
Requirements:
• Accommodate blanket changes to multiple rules
• Rules should be easily readable
• Minimize complexity creep
Achievable through layers of abstraction

27. Additional Correlation Layer: Overview
Base / Aggregated Events from the lower-level rules (AV Critical Threat Detected, IDS Spyware Detected, Vulnerability Scanning, Destination IP Watchlist, Super APT Zero Day, …etc.) feed a single Notification Rule, which checks whitelists and checks destination, then applies Rule Action: Send Notification and Rule Action: Create Case.

28. Advantages of Correlation Layering
• Easier to manage
  • Changes can be applied at a higher level
  • Akin to CSS for HTML
• Easier to maintain
  • Reduces clutter by distributing additional conditions
• Low impact
  • Efficient conditions easy to create

29. Managing Rules
Rule Actions

30. Conditions at Higher Correlation Layer
Efficient conditions:
1. Set unique value as an action in lower corr. rules
2. Type = Correlation
(Figure: lower level rule action)
Ref “All operators are not created equal”: https://www.protect724.hpe.com/docs/DOC-11160

31. Conditions at Higher Correlation Layer
Using filters:
1. Filters have a smaller performance impact in this layer
2. Filter names provide built-in documentation

32. Correlation Layering
Independent Rules | Additional Correlation Layer
Changes applied individually to each rule | Most changes applied only on one rule
Difficult to annotate | Annotation through filters
Increasingly complex/inefficient | Very efficient

33. Effects of Correlation Layering
Before / After
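The layering described on slides 26 to 33 (simple lower-level rules that set a unique value, one notification-layer rule that matches Type = Correlation first and then applies the shared whitelist and destination checks through named filters) can be modelled outside ESM. The following Python is an added illustration written for this page, not Proficio's rule content or anything exported from ArcSight; the rule names, tags, address ranges, the `whitelist` parameter and the sample events are constructed placeholders.

```python
"""Two-layer rule architecture: simple lower-level rules tag a correlation
event, and one notification-layer rule applies the shared checks.
Added illustration (not Proficio's ArcSight content); rule names, tags,
address ranges and sample events are constructed placeholders."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass
class Event:
    type: str         # "Base" or "Correlation", modelled on ArcSight's Type field
    name: str
    src: str
    dst: str
    tag: str = ""     # unique value set by the lower-level rule's action


# Lower layer: (rule name, condition, unique tag). Each rule stays readable
# because whitelisting and scoping are not repeated here.
BASE_RULES = [
    ("AV Critical Threat Detected", lambda e: e.name.startswith("AV:") and "critical" in e.name.lower(), "av_critical"),
    ("IDS Spyware Detected", lambda e: e.name.startswith("IDS:") and "spyware" in e.name.lower(), "ids_spyware"),
    ("Vulnerability Scanning", lambda e: e.name.startswith("IDS:") and "scan" in e.name.lower(), "vuln_scan"),
]


def run_base_rules(event):
    """Fire every matching lower-level rule; each emits a correlation event carrying its tag."""
    return [replace(event, type="Correlation", name=name, tag=tag)
            for name, cond, tag in BASE_RULES
            if event.type == "Base" and cond(event)]


# Higher layer. Filters are named for what they check, so the rule reads as its own documentation.
NOTIFY_TAGS = {"av_critical", "ids_spyware", "vuln_scan"}
DEFAULT_WHITELIST = ("10.0.50.0/24",)       # e.g. the client's authorised scanners (constructed)
IN_SCOPE_DST = [ip_network("10.0.0.0/8")]   # the client's monitored ranges (constructed)


def flt_is_tagged_correlation(e):
    # Cheapest check first (Type = Correlation, then the tag) so the base-event
    # stream is discarded before any address arithmetic runs.
    return e.type == "Correlation" and e.tag in NOTIFY_TAGS


def flt_src_whitelisted(e, whitelist):
    return any(ip_address(e.src) in ip_network(cidr) for cidr in whitelist)


def flt_dst_in_scope(e):
    return any(ip_address(e.dst) in net for net in IN_SCOPE_DST)


def notification_rule(e, whitelist=DEFAULT_WHITELIST):
    """Return the rule actions to take, or None when the event is suppressed."""
    if not flt_is_tagged_correlation(e):
        return None
    if flt_src_whitelisted(e, whitelist):
        return None
    if not flt_dst_in_scope(e):
        return None
    return ["Send Notification", "Create Case"]


def process(events, whitelist=DEFAULT_WHITELIST):
    """Run both layers. Returns [(base rule name, actions)] for events that reach the SOC.
    Changing `whitelist` changes the behaviour of every base rule at once (the CSS-for-HTML effect)."""
    results = []
    for event in events:
        for corr in run_base_rules(event):
            actions = notification_rule(corr, whitelist)
            if actions:
                results.append((corr.name, actions))
    return results


SAMPLE_EVENTS = [  # constructed sample input
    Event("Base", "AV: Critical threat quarantined", "10.1.1.5", "10.2.2.2"),
    Event("Base", "IDS: Spyware beacon", "10.1.1.6", "8.8.8.8"),           # destination out of scope
    Event("Base", "IDS: Port scan detected", "10.0.50.10", "10.3.3.3"),    # whitelisted scanner
    Event("Base", "IDS: Port scan detected", "10.9.9.9", "10.3.3.3"),
]

if __name__ == "__main__":
    for rule, actions in process(SAMPLE_EVENTS):
        print(f"{rule}: {', '.join(actions)}")
```

Running it with the sample events produces two cases (the AV detection and the scan from the non-whitelisted host); the spyware event is dropped by the destination check and the scanner by the whitelist. Adding a second range to `whitelist` suppresses the remaining scan without touching any base rule, which is the single-point-of-change the deck argues for.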
34. Monitoring the Cloud: Sales Perspective

35. Monitoring the Cloud
• Cloud Computing Services
• Adapting Your View to IaaS
• Building Use Cases

36. Cloud Computing Services
IaaS / PaaS / SaaS

37. Adapting Your View To IaaS
• Same requirements for assets in the cloud
• Monitoring infrastructure (as a service)
Amazon Web Services Infrastructure | Traditional View
Security Groups | Firewall Policies
VPC Flow | Firewall Traffic
AWS API Calls (CloudTrail) | Infrastructure Management
Instances, Images, and Snapshots | Logical Infrastructure Hosting Assets

38. Building Use Cases (AWS)
• Identify available data sources
• Implement business context modeling
• Identifying possible attack vectors
• Identifying malicious activity

39. Identify Data Sources (AWS)
Leverage Existing Audit Capabilities: AWS CloudTrail, Amazon CloudWatch
Identify Assets of Security Interest:
• Compute: Amazon EC2, AMI, instances
• Storage: Amazon S3, snapshot, bucket
• Database: Amazon DynamoDB, Amazon RDS, Amazon Redshift
• Networking: Amazon VPC, flow logs, VPN gateway

40. Implement Business Context Modeling
1. Regular maintenance schedules (creating snapshots)
2. Authorized schedule for AWS account access
3. Typical locations (source addresses) for AWS access
4. Whitelist roles for 3rd party AWS accounts (e.g. CloudTrek)

41. Identify Potential Attack Vectors (AWS)
• Vulnerable Web Services in EC2 Instance
  • Example: Server Side Request Forgeries to Meta-Data Server
• Spear Phishing
  • An AWS developer’s credentials stolen via malicious email
• Unprotected Access Keys
  • A developer hard coded credentials in a publicly accessible repository like GitHub

42. Identifying Events of Security Interest
• Modifications to Security Groups
• Creating Snapshots / Loading into Volumes
• Running New Instances
• User Policies
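Slides 39 to 42 together describe one detection: pick the CloudTrail events of security interest, then score each one against the business-context model (maintenance schedule, authorized access hours, typical source addresses, whitelisted third-party roles). The Python below is an added example for this page, not Proficio's ArcSight content; the `eventName` values and record fields are real CloudTrail ones, while the maintenance window, office range, account id, third-party role, severity weights and sample records are constructed placeholders.

```python
"""CloudTrail events of security interest, scored against a business-context model.
Added illustration (not Proficio's ArcSight content): the maintenance window,
authorised hours, source range, third-party role, severity weights and sample
records are constructed placeholders; eventName values and fields are real."""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Events of security interest, keyed by CloudTrail eventName.
CATEGORIES = {
    "security group modification": {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                                    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"},
    "snapshot / volume activity": {"CreateSnapshot", "CopySnapshot", "CreateVolume"},
    "new instance launched": {"RunInstances"},
    "user policy change": {"PutUserPolicy", "AttachUserPolicy", "DetachUserPolicy", "DeleteUserPolicy"},
}

# Business context model; every value here is a constructed placeholder.
CONTEXT = {
    "maintenance_days": {6},                            # Sunday (datetime.weekday() == 6)
    "maintenance_window": (time(2, 0), time(4, 0)),     # UTC; scheduled snapshot jobs
    "authorized_hours": (time(8, 0), time(19, 0)),      # UTC; expected admin activity
    "known_sources": [ip_network("198.51.100.0/24")],   # office egress range
    "whitelisted_role_prefixes": ("arn:aws:sts::123456789012:assumed-role/ThirdPartyBackup/",),
}


def _within(t, window):
    start, end = window
    return start <= t < end


def _source_is_known(src, ctx):
    try:
        return any(ip_address(src) in net for net in ctx["known_sources"])
    except ValueError:
        # Calls AWS makes on the account's behalf carry a service name
        # (e.g. "ec2.amazonaws.com") in sourceIPAddress instead of an address.
        return src.endswith(".amazonaws.com")


def triage(record, ctx=CONTEXT):
    """Return None if the record is out of scope or explained by the context model,
    otherwise a finding with a 1-10 severity and the reasons that raised it."""
    name = record["eventName"]
    category = next((c for c, names in CATEGORIES.items() if name in names), None)
    if category is None:
        return None

    identity = record.get("userIdentity", {})
    arn = identity.get("arn", "")
    if any(arn.startswith(p) for p in ctx["whitelisted_role_prefixes"]):
        return None  # authorised third-party role (context item 4)

    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    if (category == "snapshot / volume activity"
            and when.weekday() in ctx["maintenance_days"]
            and _within(when.time(), ctx["maintenance_window"])):
        return None  # scheduled maintenance (context item 1)

    severity, reasons = 3, []
    if not _within(when.time(), ctx["authorized_hours"]):
        reasons.append("outside authorised access schedule")   # context item 2
        severity += 2
    src = record.get("sourceIPAddress", "")
    if not _source_is_known(src, ctx):
        reasons.append(f"unusual source address {src}")          # context item 3
        severity += 2
    if identity.get("type") == "Root":
        reasons.append("root credentials used")
        severity += 3
    return {"eventName": name, "category": category, "actor": arn,
            "severity": min(severity, 10), "reasons": reasons}


def triage_all(records, ctx=CONTEXT):
    return [f for f in (triage(r, ctx) for r in records) if f]


SAMPLE_RECORDS = [  # constructed CloudTrail records, trimmed to the fields used here
    {"eventTime": "2017-06-12T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2017-06-11T02:30:00Z", "eventSource": "ec2.amazonaws.com",   # Sunday, in window
     "eventName": "CreateSnapshot", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/backup-bot"}},
    {"eventTime": "2017-06-13T23:40:00Z", "eventSource": "ec2.amazonaws.com",   # Tuesday night
     "eventName": "CreateSnapshot", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2017-06-13T15:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy", "sourceIPAddress": "203.0.113.200",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ThirdPartyBackup/session1"}},
    {"eventTime": "2017-06-14T03:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_RECORDS):
        print(finding["severity"], finding["eventName"], finding["reasons"])
```

Of the five sample records, the Sunday snapshot and the whitelisted third-party policy change are modelled out entirely, the in-hours security group change from the office range is kept at the baseline severity for review, and the late-night snapshot and the root-driven RunInstances from unknown addresses are escalated. In ESM the same model maps onto active lists (maintenance windows, known source ranges, whitelisted role ARNs) consulted by the higher correlation layer rather than by each rule.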
43. Questions?

44. www.Proficio.com