May 2006
► Raised Alerts
• Attack
• Pre-attacks
• Normal
• Audit trail
• Raw events
• Failed attacks
• False alarms
► Case Workflow
• Verified information breaches
• Policy violations
• Potential breaches
• Identified vulnerabilities
• Misuse
[Diagram: ArcSight Console™ receiving events from Firewalls, Intrusion Detection Systems, Applications, Single Sign-On, Hosts, Systems, Directory Services, Anti Virus, Network Equipment and Databases]
—Merriam-Webster Dictionary
[Diagram: event prioritization. Security Devices (Unix/Linux/AIX/Solaris, Mainframe & Apps, Windows Systems), a Vulnerability Scanner and Asset Information feed Agents, which map the reporting device's severity to ArcSight severity, into the Security Event Manager, which emits a Prioritized Event based on four factors:]
• Severity: is there a history with this attacker or target (active lists)?
• Asset Criticality: how important is this asset to the business?
• Model Confidence: has the asset been scanned for open ports and vulnerabilities?
• Relevance: are ports open on the asset? Is it vulnerable?
© 2005 ArcSight Confidential 18
Event Correlation
• Multiple failed logins from same source on Windows systems → 5 or more failed logins in a minute → Attempted Brute Force Attack
• Attempted Brute Force Attack + successful login to Windows system → Attempted Brute Force Attack + Successful Login
• 50% increase in traffic per port and machine → ?
[Slide comment, jkyte, 10/11/2005: I think the following slides can be used as some of the voice over from the previous 4-6 slides?]
Model-Based Reasoning
► Checking the protected network
• Does the device exist?
• Applications present
• Operating systems
• Vulnerabilities exposed
• Business significance
► Extensible via active lists
• Attackers: suspicious, recon, hostile
• Devices: scanned, attacked, compromised
Severity
What is the attack potential?
Asset Criticality
How valuable is the target?
Priority
Which incident should be worked first?
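As an added illustration (not ArcSight's own formula, which these slides do not state), the following Python combines the four factors named on the slides, Severity, Asset Criticality, Model Confidence and Relevance, into a single 0-10 priority. The weights, the 0-10 scales, the active-list boosts, the class and field names, and every sample asset, address and vulnerability id are constructed assumptions for the demo.

```python
"""Illustrative event prioritization from Severity, Asset Criticality, Model Confidence
and Relevance. Constructed example: weights, scales and sample data are assumptions,
not ArcSight's actual priority formula."""
from dataclasses import dataclass, field

# Agent-side mapping of a reporting device's own severity labels to a common 0-10 scale (assumed).
DEVICE_SEVERITY = {"low": 2, "medium": 5, "high": 8, "very-high": 10}


@dataclass
class Asset:
    name: str
    criticality: int                                   # 0-10: how important to the business?
    scanned: bool = False                              # has a vulnerability scanner assessed it?
    open_ports: set = field(default_factory=set)
    vulnerabilities: set = field(default_factory=set)  # scanner-reported ids (constructed)


@dataclass
class Event:
    attacker: str
    target: str
    dest_port: int
    device_severity: str                               # severity as the reporting device labelled it
    targets_vulns: set = field(default_factory=set)    # ids the signature exploits (constructed)


@dataclass
class ActiveLists:
    hostile: set = field(default_factory=set)
    suspicious: set = field(default_factory=set)
    compromised: set = field(default_factory=set)


def severity(event: Event, lists: ActiveLists) -> int:
    """Attack potential: device severity, raised when attacker or target has an active-list history."""
    score = DEVICE_SEVERITY[event.device_severity]
    if event.attacker in lists.hostile:
        score += 3
    elif event.attacker in lists.suspicious:
        score += 1
    if event.target in lists.compromised:
        score += 2
    return min(score, 10)


def model_confidence(asset: Asset) -> int:
    """How well the target is modelled: full credit only once it has been scanned."""
    return 10 if asset.scanned else 3


def relevance(event: Event, asset: Asset) -> int:
    """Does the event apply: is the port open, and is the asset vulnerable to what is exploited?"""
    if not asset.scanned:
        return 5                                       # unknown: neither boost nor discount
    score = 0
    if event.dest_port in asset.open_ports:
        score += 5
    if event.targets_vulns & asset.vulnerabilities:
        score += 5
    return score


def priority(event: Event, asset: Asset, lists: ActiveLists) -> float:
    """Weighted combination on a 0-10 scale; the weights are an assumption for illustration."""
    s = severity(event, lists)
    c = asset.criticality
    m = model_confidence(asset)
    r = relevance(event, asset)
    return round(0.4 * s + 0.3 * c + 0.1 * m + 0.2 * r, 1)


def demo() -> dict:
    """Same signature against three targets: critical and exposed, unimportant and unexposed, unscanned."""
    lists = ActiveLists(hostile={"203.0.113.7"})
    web = Asset("web-01", criticality=9, scanned=True, open_ports={80, 443}, vulnerabilities={"VULN-A"})
    lab = Asset("lab-03", criticality=2, scanned=True, open_ports={22}, vulnerabilities=set())
    unknown = Asset("unknown-77", criticality=5)
    ev_web = Event("203.0.113.7", "web-01", 443, "high", targets_vulns={"VULN-A"})
    ev_lab = Event("203.0.113.7", "lab-03", 443, "high", targets_vulns={"VULN-A"})
    ev_unk = Event("198.51.100.9", "unknown-77", 443, "high", targets_vulns={"VULN-A"})
    return {
        "web": priority(ev_web, web, lists),
        "lab": priority(ev_lab, lab, lists),
        "unknown": priority(ev_unk, unknown, lists),
    }


if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name}: priority {score}")
```

The point of the three cases in `demo()` is the ordering: the identical signature is worked first against the critical, scanned, exposed web server, and the unscanned host outranks the unexposed lab box only because its relevance is unknown rather than known to be zero.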
Mathematical
► Statistical data monitors
• Moving average
• Statistics
• Correlation
► Pattern discovery
• Covariant occurrence of individual events
Firewall Blocks / Scan Events
1. Rule: assign for further analysis if
• More than 20 firewall drops
• from an external machine
• to an internal machine
2. Filter
3. Open a ticket for Operations to quarantine and clean infected machines
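An added example, not ArcSight rule syntax or code from the deck: a small Python correlator implementing the two threshold rules on these slides, the brute-force rule (5 or more failed Windows logins in a minute from one source, followed by the "plus successful login" correlation) and the firewall rule (more than 20 drops from an external machine to internal machines). The event field names, the internal address ranges, the 600-second follow-on window, the one-alert-per-burst reset and the sample events are assumptions constructed for the demo.

```python
"""Sliding-window correlation rules for the brute-force and firewall-drop cases on the slides.
Constructed example: event schema, address ranges and sample data are assumptions."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed site layout


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


class WindowCounter:
    """Counts events per key inside a sliding time window; fires once when the count reaches the threshold."""

    def __init__(self, window_s: int, threshold: int):
        self.window_s, self.threshold = window_s, threshold
        self.hits = defaultdict(deque)

    def add(self, key, ts: int) -> bool:
        q = self.hits[key]
        q.append(ts)
        while q and ts - q[0] > self.window_s:      # evict timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()                               # reset so one burst yields one alert, not one per event
            return True
        return False


def correlate(events, followup_window_s: int = 600):
    """Apply the rules in timestamp order and return (rule name, src, dst, ts) tuples."""
    brute = WindowCounter(window_s=60, threshold=5)      # 5 or more failed logins in a minute
    drops = WindowCounter(window_s=60, threshold=21)     # more than 20 firewall drops
    brute_forced = {}                                    # (src, dst) -> time the brute-force alert fired
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["dst"])
        if ev["type"] == "login_failed" and ev.get("os") == "windows":
            if brute.add(key, ev["ts"]):
                alerts.append(("Attempted Brute Force Attack", ev["src"], ev["dst"], ev["ts"]))
                brute_forced[key] = ev["ts"]
        elif ev["type"] == "login_success" and ev.get("os") == "windows":
            fired = brute_forced.get(key)
            if fired is not None and ev["ts"] - fired <= followup_window_s:
                alerts.append(("Attempted Brute Force Attack + Successful Login",
                               ev["src"], ev["dst"], ev["ts"]))
        elif ev["type"] == "fw_drop" and not is_internal(ev["src"]) and is_internal(ev["dst"]):
            # keyed on source only: one external host sweeping many internal targets is the scan case
            if drops.add(ev["src"], ev["ts"]):
                alerts.append(("Firewall drops > 20 from external source: assign for analysis",
                               ev["src"], ev["dst"], ev["ts"]))
    return alerts


def sample_events():
    """Constructed sample feed covering a hit, a near miss and a non-matching case for each rule."""
    ev = []
    # five failures inside one minute, then a success: both brute-force alerts expected
    for t in (0, 10, 20, 30, 40):
        ev.append({"ts": t, "type": "login_failed", "os": "windows", "src": "203.0.113.7", "dst": "10.0.0.5"})
    ev.append({"ts": 55, "type": "login_success", "os": "windows", "src": "203.0.113.7", "dst": "10.0.0.5"})
    # four failures spread over five minutes: never five within a window, no alert
    for t in (100, 200, 300, 400):
        ev.append({"ts": t, "type": "login_failed", "os": "windows", "src": "198.51.100.9", "dst": "10.0.0.8"})
    # 21 drops in one minute from an external host sweeping the internal range: one alert
    for i in range(21):
        ev.append({"ts": 500 + i, "type": "fw_drop", "src": "203.0.113.7", "dst": f"10.0.1.{i}"})
    # internal-to-internal drops never match the rule, however many there are
    for i in range(30):
        ev.append({"ts": 600 + i, "type": "fw_drop", "src": "192.168.1.4", "dst": f"10.0.2.{i}"})
    return ev


if __name__ == "__main__":
    for alert in correlate(sample_events()):
        print(alert)
```

The follow-on rule is the reason the brute-force alert is recorded in `brute_forced` rather than only emitted: correlating a later success with an earlier threshold breach needs state that outlives the one-minute counting window, which is what the slide's "+ Successful Login" case depends on.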