3. Confidential - Proficio, Inc
Tips and Tricks for MSSPs Leveraging ArcSight ESM to Win Proof of Concepts
…“Make ArcSight Great Again” Was Not Approved as a Title for this Presentation
4. Introducing the Speakers
Bryan Borra
SOC and SIEM Director
Bryan manages the SIEM and SOC teams at Proficio. He previously worked at SAIC / Leidos / McAfee. He is nicknamed “SIEM Destroyer” for creating the wrong content at the wrong time on a few SIEM instances.
Jordan Knopp
SIEM Content Engineer
Jordan leads the development of SIEM content for several key contracts for Proficio’s ProSOC services. He also currently serves as Proficio’s in-house machine learning solution.
Tristan Reed
SIEM Content Engineer
Tristan leads the development of SIEM monitoring solutions for several products. He has recently been engaged in monitoring cloud platforms and specializes in bricking IoT devices for use in demos.
Proficio
Southern California- and Singapore-based MSSP
Proficio is an award-winning MSSP that leverages HPE ArcSight ESM to provide a multitenant SIEM-as-a-Service offering along with 24x7 SOC monitoring (ProSOC).
5. Agenda
Introduce common problems we encounter as an MSSP
Detail solutions to these issues, including:
1. Running efficient reports
2. Deploying effective content architecture
3. Monitoring new cloud data sources
11. Reporting Requirements as an MSSP
Run hundreds of reports on a weekly basis
Maintain customized templates for branding and for each client
Be able to provide SIEM-as-a-Service around reporting
Never overload the reporting engine
12. Report Templates: Header / Footer
Toggling the header and footer bubble will change the view of the whole template but only affect…
13. Report Templates
Easy Hex Picker:
http://www.ginifab.com/feeds/pms/pms_color_in_image.php
Select “Properties” on any chart control and then select “Advanced” on the “Chart” tab
15. Reports: Trends and Active Lists
Higher EPS as an MSSP means lower report performance
SIEM-as-a-Service issues:
Demand for monthly and weekly reports
Overload of scheduled reports on Fridays and Mondays
16. Reports: Trends Versus Active Lists
Trends:
Fewer than 1,000,000 events in a month
Usually have to be scheduled hourly
Can go back over historical data
Delays in collection by an hour / a day
More trend failures
Harder to set up than lists
Advantage of aggregation
Active Lists:
Fewer than 100,000 events in a month
Driven by simple rules
Real-time, as events are collected
Rules can trigger on repetition
Advantage of key and value fields
TTLs make management straightforward
Session lists…what are those?
17. Reports: Common Reports
Trends:
IDPS events of interest
Antivirus events
Event collection statistics
Webfilter event statistics
Windows account logon failures
Active Lists:
Windows group changes
Windows account lockouts
Firewall admin commands
Windows user account modifications
Special security devices
18. Sample Active List / Trend Setup
Active list path (Sample: Windows Group Changes): Rule Action: Add to List, then Add to Reporting List
Trend path (Sample: IDPS Events of Interest): Schedule Hourly Trend, then Gather Reporting Trend
19. Reports: Common Reports
1. IPS Summary
2. Windows Failed Logons
3. Firewall Command Summary
4. Blacklisted IP Correlation
26. Rule Management
Requirements:
Accommodate blanket changes to multiple rules
Rules should be easily readable
Minimize complexity creep
Achievable through layers of abstraction
27. Additional Correlation Layer: Overview
Lower-layer rules, each producing base / aggregated correlation events:
AV Critical Threat Detected
IDS Spyware Detected
Vulnerability Scanning
Destination IP Watchlist
Super APT Zero Day
…etc.
All of these feed one Notification Rule, which:
Checks whitelists
Checks destination
Rule Action: Send Notification
Rule Action: Create Case
28. Advantages of Correlation Layering
Easier to manage: changes can be applied at a higher level, akin to CSS for HTML
Easier to maintain: reduces clutter by distributing additional conditions
Low impact: efficient conditions are easy to create
30. Conditions at Higher Correlation Layer
Efficient conditions:
1. Set a unique value as an action in the lower correlation rules
2. Type = Correlation
Lower level rule action
Ref. “All operators are not created equal”:
https://www.protect724.hpe.com/docs/DOC-11160
31. Conditions at Higher Correlation Layer
Using filters:
1. Filters have a smaller performance impact in this layer
2. Filter names provide built-in documentation
32. Correlation Layering
Independent Rules | Additional Correlation Layer
Changes applied individually to each rule | Most changes applied on only one rule
Difficult to annotate | Annotation through filters
Increasingly complex/inefficient | Very efficient
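The layering on slides 27 to 32 can be shown end to end in a few dozen lines. The Python below is an added example written for this page, not content from the deck or from ArcSight: narrow lower-layer rules each emit a correlation event tagged with one unique value, and a single notification rule matches on Type = Correlation plus that tag, then applies named whitelist and destination filters before sending a notification and creating a case. The event fields, the rule conditions, the flag value PROSOC_NOTIFY, the lab network and the sample events are all constructed assumptions.

```python
import ipaddress

# Constructed sample base events (not real logs); field names are assumptions.
BASE_EVENTS = [
    {"type": "base", "device": "av", "name": "Critical Threat Detected",
     "src": "10.1.1.5", "dst": "10.1.1.5"},
    {"type": "base", "device": "ids", "name": "Spyware Detected",
     "src": "10.2.2.7", "dst": "203.0.113.10"},
    {"type": "base", "device": "ids", "name": "Port Scan",
     "src": "10.9.9.9", "dst": "10.1.1.5"},       # the authorized vulnerability scanner
    {"type": "base", "device": "ids", "name": "Spyware Detected",
     "src": "10.9.9.9", "dst": "10.3.3.3"},       # same scanner, false positive
    {"type": "base", "device": "fw", "name": "Accept",
     "src": "10.3.3.3", "dst": "198.51.100.20"},  # watchlisted destination
    {"type": "base", "device": "av", "name": "Critical Threat Detected",
     "src": "10.99.4.4", "dst": "10.99.4.4"},     # malware lab range, out of scope
]
WATCHLIST = {"198.51.100.20"}
LAB_NETWORKS = [ipaddress.ip_network("10.99.0.0/16")]
NOTIFY_FLAG = "PROSOC_NOTIFY"   # hypothetical unique value set by every lower-layer rule

# Lower layer: one narrow condition per detection; no exception handling here.
LOWER_RULES = {
    "AV Critical Threat Detected":
        lambda e: e["device"] == "av" and e["name"] == "Critical Threat Detected",
    "IDS Spyware Detected":
        lambda e: e["device"] == "ids" and e["name"] == "Spyware Detected",
    "Vulnerability Scanning":
        lambda e: e["device"] == "ids" and e["name"] == "Port Scan",
    "Destination IP Watchlist":
        lambda e: e["dst"] in WATCHLIST,
}

def correlation_event(rule_name, base):
    """Lower-layer rule action: emit a correlation event tagged with the flag."""
    return {"type": "correlation", "rule": rule_name, "flag": NOTIFY_FLAG,
            "src": base["src"], "dst": base["dst"], "base": base}

# Higher layer: named filters, so the name documents the exception it encodes.
def whitelisted_source(e, whitelist):
    return e["src"] in whitelist

def destination_out_of_scope(e):
    dst = ipaddress.ip_address(e["dst"])
    return any(dst in net for net in LAB_NETWORKS)

class NotificationRule:
    """The single higher-layer rule that every lower-layer rule feeds."""
    def __init__(self, whitelist):
        self.whitelist = set(whitelist)
        self.filter_evaluations = 0
        self.notifications, self.cases = [], []

    def matches(self, e):
        # Cheapest checks first: Type = Correlation plus the flag rejects every
        # base event before any filter is evaluated.
        if e["type"] != "correlation" or e.get("flag") != NOTIFY_FLAG:
            return False
        self.filter_evaluations += 1
        if whitelisted_source(e, self.whitelist) or destination_out_of_scope(e):
            return False
        return True

    def fire(self, e):
        if self.matches(e):
            self.notifications.append((e["rule"], e["src"], e["dst"]))  # Send Notification
            self.cases.append(e["rule"])                                  # Create Case

def run(events, whitelist=("10.9.9.9",)):
    """Feed base events through both layers; returns the notification rule state."""
    notifier = NotificationRule(whitelist)
    for base in events:
        notifier.fire(base)   # every rule sees every event; base events are rejected cheaply
        for rule_name, condition in LOWER_RULES.items():
            if condition(base):
                notifier.fire(correlation_event(rule_name, base))
    return notifier
```

Adding the scanner to the whitelist suppresses both the port scan and the scanner's spyware false positive without touching either lower-layer rule, which is the "most changes applied on only one rule" point from the table above; the filter counter shows that the six base events never reach the filters at all.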
37. Adapting Your View To IaaS
Same requirements for assets in the cloud
Monitoring infrastructure (as a service)
Amazon Web Services Infrastructure | Traditional View
Security Groups | Firewall Policies
VPC Flow | Firewall Traffic
AWS API Calls (CloudTrail) | Infrastructure Management
Instances, Images, and Snapshots | Logical Infrastructure Hosting Assets
38. Building Use Cases (AWS)
Identify available data sources
Implement business context modeling
Identify possible attack vectors
Identify malicious activity
40. Implement Business Context Modeling
1. Regular maintenance schedules (creating snapshots)
2. Authorized schedule for AWS account access
3. Typical locations (source addresses) for AWS access
4. Whitelist roles for 3rd-party AWS accounts (e.g. CloudTrek)
41. Identify Potential Attack Vectors (AWS)
Vulnerable Web Services in an EC2 Instance
Example: server-side request forgery (SSRF) against the instance metadata service, which hands out the instance role’s temporary credentials
Spear Phishing
An AWS developer’s credentials stolen via a malicious email
Unprotected Access Keys
A developer hard-coded credentials in a publicly accessible repository like GitHub
42. Identifying Events of Security Interest
Modifications to Security Groups
Creating Snapshots / Loading Them into Volumes
Running New Instances
User Policy Changes
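Slides 40 to 42 describe a context model and a set of CloudTrail events of interest but not how the two combine. The Python below is an added example written for this page, not content from the deck or an AWS tool: it triages simplified CloudTrail-style records against the four context items (maintenance window, authorized access schedule, typical source addresses, whitelisted 3rd-party roles) and separates the events of interest that break the model from those that fit it. The CloudTrail eventName values are the real EC2 and IAM API names, but the records themselves, the office network, the schedule values, the account IDs and the role name ThirdPartyMonitoring are constructed assumptions.

```python
import ipaddress
from datetime import datetime

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")   # CloudTrail eventTime is UTC

# Constructed, simplified CloudTrail-style records (not real logs); only the
# fields the checks use are kept.
RECORDS = [
    {"eventTime": "2017-03-07T10:15:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2017-03-05T02:30:00Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/BackupRole/nightly"},
     "sourceIPAddress": "203.0.113.40"},
    {"eventTime": "2017-03-08T23:40:00Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.77"},
    {"eventTime": "2017-03-08T23:45:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ThirdPartyMonitoring/scan"},
     "sourceIPAddress": "192.0.2.9"},
    {"eventTime": "2017-03-07T19:30:00Z", "eventName": "PutUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2017-03-07T10:16:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.5"},
]

# Events of security interest, keyed by the API name CloudTrail records.
EVENTS_OF_INTEREST = {
    "AuthorizeSecurityGroupIngress": "security group modified",
    "AuthorizeSecurityGroupEgress": "security group modified",
    "RevokeSecurityGroupIngress": "security group modified",
    "RevokeSecurityGroupEgress": "security group modified",
    "CreateSnapshot": "snapshot created",
    "CreateVolume": "volume created (possibly loaded from a snapshot)",
    "RunInstances": "new instance launched",
    "PutUserPolicy": "user policy changed",
    "AttachUserPolicy": "user policy changed",
}
SNAPSHOT_EVENTS = {"CreateSnapshot", "CreateVolume"}

# Business context model; every value here is an assumption for the example.
MAINTENANCE = {"weekday": 6, "start_hour": 2, "end_hour": 4}          # Sunday 02:00-04:00 UTC
AUTHORIZED_HOURS = {"weekdays": range(0, 5), "start_hour": 8, "end_hour": 18}
TYPICAL_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]            # office egress range
WHITELISTED_ROLE_PREFIXES = ["arn:aws:sts::123456789012:assumed-role/ThirdPartyMonitoring/"]

def in_maintenance_window(t):
    return (t.weekday() == MAINTENANCE["weekday"]
            and MAINTENANCE["start_hour"] <= t.hour < MAINTENANCE["end_hour"])

def in_authorized_hours(t):
    return (t.weekday() in AUTHORIZED_HOURS["weekdays"]
            and AUTHORIZED_HOURS["start_hour"] <= t.hour < AUTHORIZED_HOURS["end_hour"])

def atypical_source(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False   # e.g. "ec2.amazonaws.com": an AWS service acting on the account
    return not any(ip in net for net in TYPICAL_SOURCES)

def whitelisted_role(arn):
    return any(arn.startswith(p) for p in WHITELISTED_ROLE_PREFIXES)

def triage(records):
    """Returns (alerts, expected): events of interest that break the context
    model, with the reasons, versus those the model explains."""
    alerts, expected = [], []
    for r in records:
        what = EVENTS_OF_INTEREST.get(r["eventName"])
        if what is None:
            continue                                  # not an event of interest
        t, arn = parse_time(r["eventTime"]), r["userIdentity"]["arn"]
        if whitelisted_role(arn):
            expected.append((r["eventName"], arn, "whitelisted 3rd-party role"))
            continue
        maintenance = r["eventName"] in SNAPSHOT_EVENTS and in_maintenance_window(t)
        reasons = []
        if r["eventName"] in SNAPSHOT_EVENTS and not maintenance:
            reasons.append("outside maintenance window")
        if not maintenance and not in_authorized_hours(t):
            reasons.append("outside authorized access schedule")
        if atypical_source(r["sourceIPAddress"]):
            reasons.append("atypical source address " + r["sourceIPAddress"])
        if reasons:
            alerts.append((r["eventName"], arn, what, reasons))
        else:
            expected.append((r["eventName"], arn, what))
    return alerts, expected
```

Run over the sample records, the nightly snapshot inside the Sunday window and the security group change during business hours come back as expected, the late-night snapshot from an unfamiliar address collects all three reasons, and the after-hours user policy change is flagged on schedule alone. The whitelist is checked first so a 3rd-party role's instance launch is explained rather than alerted, which is the same "handle the exception in one place" idea as the correlation layer earlier in the deck.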