
Workflow with ArcSight ESM

Brian McNelly, Senior Consultant

Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Workflow best practices

Verified on ArcSight 6.0C and earlier versions


Event workflow: stages and annotations


SOC Console monitoring stages and workflow

Problem it solves
Work can flow between different users with different roles, ensuring continuous investigations with escalating levels of complexity and reducing the likelihood of duplicated effort.

Features
Steps (called stages) that make up a collaborative workflow used by security operations analysts
A lightweight way to isolate and escalate individual events
A method to inform, escalate, and track events of interest

Key SOC benefits
Triage tool used before escalating an event to an incident
Ownership is tracked, as are comments and workflow, to ensure investigations are consistent
Measurable and visible to organizational leaders

Workflow diagram (each step is an annotation stage set on the event):
ArcSight (design, testing & focused monitoring) -> Queued
Queued -> Level 1 active channel(s): SOC triage -> Level 1 investigating
Level 1 investigating -> SOC case created | False positive, no action | Level 2 escalation
Level 2 escalation -> Level 2 active channel(s): event triage -> Level 2 investigating
Level 2 investigating -> SOC case created | False positive, no action

Event annotation stages


Stage setup
Require the analyst to modify the annotation stage before any final action can be taken
Use workflow controls on subsequent stages

Goals: accountability, analytical quality, ownership


Best practice: active channels


Active channel setup

Simple single pane of glass
Only present Correlated Events for analysis
Use the message field to present important information
Opt-in rules by setting the annotation stage

Individual active channels
Start with a baseline setup
Allow individuals write access to their channel
Analysts can personalize their active channel
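The two slides above describe the same mechanism from two sides: rules opt an event into the workflow by setting its annotation stage, the shared channel filters on correlated events in that stage, and workflow controls restrict which stage an analyst may move the event to next. The following is an added example, not ArcSight ESM code and not from the original deck, that models that mechanism in plain Python. Stage names follow the workflow diagram; the `Event` fields, the `"Correlation"` type literal and the closing-requires-ownership rule are assumptions made for the illustration.

```python
"""Added example (not ArcSight ESM code): a small model of event annotation
stages with workflow controls, plus the active channel filters that consume
them. Stage names follow the deck's workflow diagram; the Event fields and the
"Correlation" type literal are assumptions made for the illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Workflow controls: the only transitions an analyst may make from each stage.
# Closing stages are reachable only from an investigating stage, so an event
# cannot be dismissed or turned into a case straight out of the queue.
ALLOWED_TRANSITIONS: Dict[str, Set[str]] = {
    "Queued": {"Level 1 investigating"},
    "Level 1 investigating": {"SOC case created", "False positive", "Level 2 escalation"},
    "Level 2 escalation": {"Level 2 investigating"},
    "Level 2 investigating": {"SOC case created", "False positive"},
    "SOC case created": set(),
    "False positive": set(),
}
INVESTIGATING_STAGES = {"Level 1 investigating", "Level 2 investigating"}
FINAL_STAGES = {"SOC case created", "False positive"}


@dataclass
class Event:
    event_id: int
    event_type: str          # "Correlation" marks a rule-generated event (assumed literal)
    message: str             # the rule should put the analyst-relevant detail here
    stage: str = "Queued"
    owner: Optional[str] = None
    history: List[str] = field(default_factory=list)  # audit trail of stage changes


class WorkflowError(Exception):
    pass


def is_allowed(stage: str, new_stage: str) -> bool:
    return new_stage in ALLOWED_TRANSITIONS.get(stage, set())


def set_stage(event: Event, new_stage: str, analyst: str, comment: str = "") -> Event:
    """Move an event to new_stage, enforcing workflow controls and ownership."""
    if not is_allowed(event.stage, new_stage):
        raise WorkflowError(f"{event.stage!r} -> {new_stage!r} is not an allowed transition")
    if new_stage in FINAL_STAGES and event.owner != analyst:
        # Accountability: only the analyst who owns the investigation may close it.
        raise WorkflowError(f"{analyst} does not own event {event.event_id}")
    if new_stage in INVESTIGATING_STAGES:
        event.owner = analyst    # picking up an investigation takes ownership
    event.history.append(f"{analyst}: {event.stage} -> {new_stage} {comment}".rstrip())
    event.stage = new_stage
    return event


def triage_channel(events: List[Event], stage: str = "Queued") -> List[Event]:
    """Shared Level 1 / Level 2 channel: correlated events in the opted-in stage only."""
    return [e for e in events if e.event_type == "Correlation" and e.stage == stage]


def my_channel(events: List[Event], analyst: str) -> List[Event]:
    """Personalised channel: the analyst's own in-progress investigations."""
    return [e for e in events if e.owner == analyst and e.stage in INVESTIGATING_STAGES]


def run_demo() -> List[Event]:
    # Constructed sample events (not real ArcSight output).
    events = [
        Event(1, "Correlation", "Brute force: 50 failed logons then success on db01"),
        Event(2, "Base", "sshd: Failed password for root from 10.0.0.5"),
        Event(3, "Correlation", "Outbound beaconing to known C2 from ws-17"),
    ]
    # Only the two correlated events reach the Level 1 queue; base event 2 is noise.
    assert [e.event_id for e in triage_channel(events)] == [1, 3]
    set_stage(events[0], "Level 1 investigating", "alice")
    set_stage(events[0], "Level 2 escalation", "alice", "needs DBA context")
    # The escalation channel filters on the same stage field.
    assert [e.event_id for e in triage_channel(events, "Level 2 escalation")] == [1]
    set_stage(events[0], "Level 2 investigating", "bob")   # bob now owns it
    set_stage(events[0], "SOC case created", "bob", "ticket opened")
    return events


if __name__ == "__main__":
    for e in run_demo():
        print(e.event_id, e.stage, e.owner, e.history)
```

The point of the transition table is that the channel and the workflow share one field: a channel is just a filter on `stage`, and an analyst cannot make an event disappear from the queue without leaving a history entry that names them.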

Screenshots: individual channels and a shared channel

Customizable case management


Problem it solves
Centralization of information related to a security incident that
includes the underlying events, analytical history, and related data
within a single interface.
Features
Ability to track incidents through HP ArcSight's built-in trouble
ticket system
Use as standalone ticketing solution OR integrate with third-party
case management system
Key SOC benefits
Labels, fields & values can adapt to SOC incident taxonomy
Events attached to investigation retained for historical analysis
and reporting
User interaction with case attributes is logged (audit trail)
GUI customizations carry over to HP ArcSight Web interface


Case workflow customization advantages

Internal case routing
Ownership
Route cases to SOC sub-groups (Engineering, Level 2 Analysts)
Eliminates case management by folder structure
SOC feedback loop

SOC metrics
Individual and SOC KPIs
Stakeholder metrics: incident types, incident categories, time to resolution, locations

Stakeholder escalation
Web console
Two-way communication
Event logs
Feedback loop

Case UI customization - files


CaseUI
Controls layout for user interface

Resource Strings
Controls the values of the dropdown boxes and the data labels

Label Strings
Controls the labels of tabs, tables, and headers

Case Properties
Determines attributes of cases written to ArcSight events


Before and after


Case workflow: Search Groups


Problem it solves
Search groups actively display query results based on case attributes, events, and/or time, and each group can be customized to an individual analyst.
Features
Use the Common Conditions Editor to build the query
Ability to query events attached to a case
A method to inform, escalate, and track events of interest
Key SOC benefits
Displays results based on case attribute changes in real time
Cases can appear in more than one Search Group result

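The Search Groups slide above makes two claims worth seeing in working form: a group's result set updates as soon as a case attribute changes, and one case can sit in several groups at once. The following is an added example, not ArcSight ESM code and not from the original deck, that implements that behaviour as a small in-memory case store which re-evaluates every registered group on each change. The `Case` field names and the use of plain Python callables in place of the Common Conditions Editor are assumptions made for the illustration.

```python
"""Added example (not ArcSight ESM code): a toy search group that keeps its
result set current as case attributes change, so a case can move in and out
of groups in real time and belong to several at once. Case field names and
the condition syntax are assumptions made for the illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Case:
    case_id: str
    owner: str
    stage: str
    severity: int
    attached_events: List[int] = field(default_factory=list)


class SearchGroup:
    """A named condition over cases; `members` is its current result set."""

    def __init__(self, name: str, condition: Callable[[Case], bool]) -> None:
        self.name = name
        self.condition = condition
        self.members: Set[str] = set()

    def evaluate(self, case: Case) -> None:
        # Membership is recomputed for this one case only; other cases are untouched.
        if self.condition(case):
            self.members.add(case.case_id)
        else:
            self.members.discard(case.case_id)


class CaseStore:
    """Holds cases and re-evaluates every registered group on each change."""

    def __init__(self) -> None:
        self.cases: Dict[str, Case] = {}
        self.groups: List[SearchGroup] = []

    def register(self, group: SearchGroup) -> None:
        self.groups.append(group)
        for case in self.cases.values():      # backfill against existing cases
            group.evaluate(case)

    def _notify(self, case: Case) -> None:
        for group in self.groups:
            group.evaluate(case)

    def upsert(self, case: Case) -> None:
        self.cases[case.case_id] = case
        self._notify(case)

    def set_attribute(self, case_id: str, attr: str, value) -> None:
        case = self.cases[case_id]
        if not hasattr(case, attr):
            raise AttributeError(f"unknown case attribute {attr!r}")
        setattr(case, attr, value)
        self._notify(case)                    # the change is visible immediately

    def attach_event(self, case_id: str, event_id: int) -> None:
        self.cases[case_id].attached_events.append(event_id)
        self._notify(self.cases[case_id])

    def groups_for(self, case_id: str) -> List[str]:
        return [g.name for g in self.groups if case_id in g.members]


def build_demo() -> CaseStore:
    # Constructed sample cases and groups (not real ArcSight data).
    store = CaseStore()
    store.register(SearchGroup("alice: my open cases",
                               lambda c: c.owner == "alice" and c.stage != "Closed"))
    store.register(SearchGroup("high severity", lambda c: c.severity >= 8))
    store.register(SearchGroup("has attached events", lambda c: len(c.attached_events) > 0))
    store.upsert(Case("C-1", "alice", "Open", 9))
    store.upsert(Case("C-2", "bob", "Open", 4, [101]))
    return store


if __name__ == "__main__":
    store = build_demo()
    store.set_attribute("C-1", "stage", "Closed")
    for case_id in store.cases:
        print(case_id, store.groups_for(case_id))
```

Closing C-1 drops it from alice's personal group but leaves it in the severity group, which is the multi-membership behaviour the slide describes; in the product the conditions come from the Common Conditions Editor rather than from lambdas.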

Lessons learned
Plan ahead!
Who are SOC stakeholders?
How will the SOC use ArcSight cases?
How are you going to use cases internally?
Filter requests/engineering feedback

Metrics
What metrics do you need to generate?
How do you categorize your incidents?

Development plan
Use a development or backup system
Schedule and communicate changes


For more information

Attend these sessions
TT1197, How Mature is your SOC?
BS1195, 5G/SOC: The World's Most Advanced SOC
TT1208, Got Reports?

Visit these demos
Mock SOC, Solution Pavilion
Software Pavilion

After the event
Contact your sales rep
Visit HP ESP at: www.hp.com/go/espservices
Visit HP SIOC at: www.hp.com/go/sioc
Download the whitepaper 'Building a Successful SOC'


Thank you
