
ArcSight Network Model

HP ArcSight Proof of Concept Boot Camp Training


TECHNICAL DAY-2
Philippe Jouvellier - HP ESP | Global Partner Enablement
philippe.jouvellier@hpe.com

© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Objectives

Upon successful completion of this lab, you will be able to:

• Understand the ArcSight Network Model
• List and describe the resources in a Network Model
• Identify the phases in the event lifecycle that use Network Model information
• Understand event prioritization with the Threat Level Formula
• Understand the context of Assets
• Populate a Network Model

Network Model

HP ArcSight operates on a data model, enabling a business-oriented view of data derived from physical information systems.
Modeling the network and its assets is part of setup and ongoing maintenance.
Seven Phases Event Lifecycle – Overview

1. Data Collection and Event Processing
2. Network Model Lookup and Priority Evaluation*
3. Correlation Evaluation
4. Monitoring and Investigation
5. Workflow
6. Incident Analysis and Reporting
7. Storage and Archive
Network Model

How does it work?
• Representation of IP address spaces and nodes on a network, as well as the characteristics of those address spaces and nodes

What does ESM do with a Network Model?
• ESM uses the Network Model to look up Zones and locate the individual Assets involved in events
• Processes event priority

What is inside a Network Model?
• Network modeling stores important information such as:
  – Open ports for modeled hosts in the network
  – Operating systems running on the modeled hosts in the network
  – Known vulnerabilities that might be exposed
  – Applications running in the modeled network and their criticality
  – …
Why is Asset Modeling Important?

• To get the Threat Level Formula (TLF) working more precisely
• To add context to an Asset, e.g. it's a mail server or it's identified as a SOX or Basel II relevant Asset
• To get Geo Views working with private IP ranges too
• To reflect the Organization's network in views, analysis and alerting
• To add the Customer feature for MSSPs and global organizations
What is the Threat Level Formula?

Each event is evaluated against the Threat Level Formula to determine its relative importance, or priority, to the network.
The TLF calculates the priority of an event based on agent Severity adjusted by four factors.

Model Confidence: the degree to which the target asset is modelled in ESM. It can take the following values:
• 0 – Target is not modeled at all; the target asset ID is not populated
• 4 – Target asset ID is present, but the asset has not been scanned for open ports or vulnerabilities
• 8 – Target asset has been scanned for either open ports or vulnerabilities, but not both
• 10 – Target asset has been scanned for both open ports and vulnerabilities
What is the Threat Level Formula?

Relevance, calculated from the following information:
• Event impact on an asset
• Target asset has a vulnerability that is exploited by the event
• Target port is open on the target asset

Severity
• Score assigned to the attack
• Takes into account whether the target has already been compromised, and whether prior activity from this source has been observed
• All this is done using active lists whose contents are updated by rules

Asset Criticality
• Measures how important the Target Asset is in the context of the Organization. This value is user input and influences the outcome of the TLF
The Network Model is needed here to calculate the event priority level. Priority is business relevant!
Events Priority

Each event is evaluated with the TLF to determine its relative importance, or priority.

[Diagram: Threat Level Formula and mechanism. Only the labels are recoverable.]
Log sources (VA scanner, servers / OS, network, applications, databases) → ArcSight Connectors (raw event, CEF format) → Manager → ArcSight Console

The formula calculates event priority based on agent severity adjusted by four factors:
• Agent Severity: mapping of the reporting security device severity to ArcSight severity (done by the connector)
• Severity (Active Lists): already compromised? already a target?
• Model Confidence (0, 4, 8, 10): modelled? open ports? vulnerabilities?
• Relevance: vulnerability exploited? vulnerable? open ports?
• Asset Criticality (user input): how important is the asset for the business?
• Dynamic index of threats (fed by the VA scanner connector)
Priority Rating
• Takes into account the Priority Formula factors and Agent Severity
• Displayed in the Priority column of an Active Channel
• Makes events that need immediate attention easy to identify
• Color-coded and numbered:

0, 1, 2   Green – very low priority
3, 4      Blue – low priority
5, 6      Yellow – medium priority
7, 8      Orange – high priority
9, 10     Red – very high priority
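The following walk-through is an added example written for this page; it is not ArcSight code and does not reproduce ESM's actual formula. Only the Model Confidence values (0, 4, 8, 10) and the priority colour bands above come from the deck. The way compute_priority() weights and combines the four factors, the point values inside relevance() and severity_adjustment(), the Asset and Event fields, and the sample data (asset "mail-01", vulnerability id "VULN-EXAMPLE-001") are all assumptions made so the example runs stand-alone. What it shows is the practical effect the slides describe: the same signature, at the same agent severity, lands in a different priority band depending on how well its target is modelled.

```python
"""Threat Level Formula walk-through (added example, not ArcSight code).

Only the Model Confidence values (0, 4, 8, 10) and the priority colour bands
(0-2 green, 3-4 blue, 5-6 yellow, 7-8 orange, 9-10 red) come from the training
deck; everything else, in particular how compute_priority() combines the four
factors, is an assumed simplified scheme for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Asset:
    asset_id: Optional[str]                 # None: target is not modelled at all
    ports_scanned: bool = False
    vulns_scanned: bool = False
    open_ports: Set[int] = field(default_factory=set)
    vulnerabilities: Set[str] = field(default_factory=set)
    criticality: int = 5                    # Asset Criticality: user input, 0..10


@dataclass
class Event:
    agent_severity: int                     # 0..10, mapped by the connector
    target_asset: Optional[Asset]
    target_port: Optional[int] = None
    exploited_vuln: Optional[str] = None    # vulnerability id the signature maps to
    # In ESM these two come from active lists maintained by rules; here they
    # are plain flags so the example runs without a Manager.
    source_seen_before: bool = False
    target_already_compromised: bool = False


def model_confidence(asset: Optional[Asset]) -> int:
    """Model Confidence exactly as the deck lists it."""
    if asset is None or asset.asset_id is None:
        return 0                            # target asset id not populated
    scanned = int(asset.ports_scanned) + int(asset.vulns_scanned)
    return {0: 4, 1: 8, 2: 10}[scanned]     # neither / one of / both scans done


def relevance(event: Event) -> int:
    """Relevance 0..10: is the target port open, is the exploited vulnerability
    actually present on the target? Point values are assumed."""
    asset = event.target_asset
    if asset is None or asset.asset_id is None:
        return 5                            # unknown target: cannot confirm or deny
    score = 0
    if event.target_port is not None and event.target_port in asset.open_ports:
        score += 5
    if event.exploited_vuln is not None and event.exploited_vuln in asset.vulnerabilities:
        score += 5
    return score


def severity_adjustment(event: Event) -> int:
    """Severity factor: prior compromise of the target or prior activity from the
    source raises the score (assumed increments)."""
    return 2 * int(event.target_already_compromised) + int(event.source_seen_before)


def priority_band(priority: int) -> str:
    """Priority Rating colour bands from the deck."""
    if priority <= 2:
        return "green"
    if priority <= 4:
        return "blue"
    if priority <= 6:
        return "yellow"
    if priority <= 8:
        return "orange"
    return "red"


def compute_priority(event: Event) -> int:
    """Assumed combination: agent severity plus severity history, scaled by a
    factor between 0.25 and 1.25 built from relevance, asset criticality and
    model confidence, then clamped to the 0..10 priority scale."""
    asset = event.target_asset
    crit = asset.criticality if asset is not None else 5
    base = event.agent_severity + severity_adjustment(event)
    factor = 0.25 + (2 * relevance(event) + crit + model_confidence(asset)) / 40
    return max(0, min(10, round(base * factor)))


# Constructed sample data: the same signature hits a fully modelled, critical
# mail server and an address ESM knows nothing about.
MAIL_SERVER = Asset(asset_id="mail-01", ports_scanned=True, vulns_scanned=True,
                    open_ports={25, 443}, vulnerabilities={"VULN-EXAMPLE-001"},
                    criticality=10)

MODELLED_HIT = Event(agent_severity=7, target_asset=MAIL_SERVER, target_port=443,
                     exploited_vuln="VULN-EXAMPLE-001", source_seen_before=True)
UNMODELLED_HIT = Event(agent_severity=7, target_asset=None, target_port=443,
                       exploited_vuln="VULN-EXAMPLE-001", source_seen_before=True)

if __name__ == "__main__":
    for label, ev in (("modelled", MODELLED_HIT), ("unmodelled", UNMODELLED_HIT)):
        p = compute_priority(ev)
        print(f"{label}: model confidence {model_confidence(ev.target_asset)}, "
              f"priority {p} ({priority_band(p)})")
```

With these assumed weights the modelled hit reaches 10 (red) while the identical event against an unmodelled address settles at 5 (yellow): the connector's agent severity alone does not decide the priority, the asset context does, which is the reason the deck gives for populating the model in the first place.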
Modeling Network & Assets

CUSTOMER
• Defines the owners of the network
• Optional
• One network belongs to only one customer

NETWORKS
• Define a global logical network
• E.g., USA, Hong Kong, Europe
• A network belongs to only one customer

ZONES
• Contiguous block of IP addresses
• E.g., CHICAGO, PARIS, BERLIN, HQ DMZ, HONG KONG Internal

CATEGORIES
• Define physical characteristics of Assets
• Define logical categories for Zones
• E.g., DMZ, Criticality, Open port, Location

ASSET RANGES
• Set of network nodes addressable as a contiguous block of IP addresses
• E.g., 10.10.0.0 through 10.10.255.255

ASSETS
• Individual nodes on the network, such as servers, routers, and laptops
• Inherit categories from Asset Ranges
• E.g., 10.10.10.225

VULNERABILITIES
• Vulnerabilities for an Asset
• Scanner agents populate this automatically
• Notice the ID, URI, Name, Resource fields in the event
• The ArcSight Manager assigns the Asset ID based on IP address/Asset Range and Zone URI
• Referential integrity to Categories but not to Assets
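To make the hierarchy above concrete, here is an added example (not ArcSight code) that models Customer → Network → Zone → Asset Range → Asset and resolves an event address the way the slide describes: find the zone whose contiguous block contains the address, then the asset range, then the individual asset, with the asset inheriting the range's categories. It also shows why Networks exist: the constructed data gives two networks the same private 10.10.0.0/16 space, so a lookup without the event's network is ambiguous. The zone names, addresses and categories are constructed sample data, and the Zone URI and asset-ID string formats are assumptions, not ESM's real formats.

```python
"""Network Model lookup walk-through (added example, not ArcSight code).

Models Customer -> Network -> Zone -> Asset Range -> Asset and resolves an
address to zone, range and asset with inherited categories. All names,
addresses and categories are constructed; URI and asset-ID formats are assumed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def _in_block(ip: str, first: str, last: str) -> bool:
    """Contiguous-block membership test shared by zones and asset ranges."""
    return (ipaddress.ip_address(first) <= ipaddress.ip_address(ip)
            <= ipaddress.ip_address(last))


@dataclass
class AssetRange:
    name: str
    first: str
    last: str
    categories: Set[str] = field(default_factory=set)


@dataclass
class Asset:
    name: str
    ip: str
    categories: Set[str] = field(default_factory=set)


@dataclass
class Zone:
    name: str
    network: str                      # a zone sits in one network ...
    customer: Optional[str]           # ... and a network belongs to at most one customer
    first: str
    last: str
    ranges: List[AssetRange] = field(default_factory=list)
    assets: Dict[str, Asset] = field(default_factory=dict)   # keyed by IP address

    def uri(self) -> str:
        return f"/All Zones/{self.network}/{self.name}"      # format assumed


def resolve(zones: List[Zone], ip: str, network: Optional[str] = None) -> dict:
    """Resolve an address to zone, asset range and asset.

    When the same private address space exists in two networks, the caller
    must pass the event's network; that disambiguation is what Network
    resources are for."""
    candidates = [z for z in zones
                  if (network is None or z.network == network)
                  and _in_block(ip, z.first, z.last)]
    if not candidates:
        return {"zone": None, "customer": None, "asset_range": None,
                "asset_id": None, "categories": set()}
    if len(candidates) > 1:
        raise ValueError(f"{ip} is ambiguous across networks "
                         f"{sorted(z.network for z in candidates)}; pass network=")
    zone = candidates[0]
    rng = next((r for r in zone.ranges if _in_block(ip, r.first, r.last)), None)
    asset = zone.assets.get(ip)
    categories = set(rng.categories) if rng else set()   # inherited from the range
    if asset:
        categories |= asset.categories
    return {
        "zone": zone.uri(),
        "customer": zone.customer,
        "asset_range": rng.name if rng else None,
        # the Manager derives the asset ID from IP/range and zone URI; format assumed
        "asset_id": f"{zone.uri()}/{asset.name}" if asset else None,
        "categories": categories,
    }


# Constructed model: Europe and Hong Kong both use 10.10.0.0/16 internally.
ZONES = [
    Zone("PARIS", "Europe", "ACME Corp", "10.10.0.0", "10.10.255.255",
         ranges=[AssetRange("Paris servers", "10.10.10.0", "10.10.10.255",
                            {"Location/Paris", "Criticality/High"})],
         assets={"10.10.10.225": Asset("mail-01", "10.10.10.225", {"Mail Server"})}),
    Zone("HONG KONG Internal", "Hong Kong", "ACME Corp", "10.10.0.0", "10.10.255.255",
         ranges=[AssetRange("HK desktops", "10.10.0.0", "10.10.255.255",
                            {"Location/Hong Kong", "Criticality/Low"})]),
]

if __name__ == "__main__":
    print(resolve(ZONES, "10.10.10.225", network="Europe"))   # full asset match
    print(resolve(ZONES, "10.10.10.226", network="Europe"))   # range only, no asset
    print(resolve(ZONES, "10.10.10.225", network="Hong Kong"))
```

The second lookup (an address inside a range but with no individual asset) still returns the range's categories, which is what lets the TLF and categorisation work for hosts that were never modelled one by one; the third shows the same address resolving to a completely different range once the network is known.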
What are Assets? Zones? Networks? Customers?
Network Model Explained

Item          Description
Assets        represent individual nodes on the network, such as servers, routers, and laptops
Asset ranges  represent a set of network nodes addressable as a contiguous block of IP addresses
Zones         represent portions of the network itself and are also characterized by a contiguous block of addresses
Networks      are helpful when disambiguating two private address spaces
Customers     describe the internal or external cost centers or separate business units associated with networks, if applicable to your business environment
How ArcSight ESM Enriches Events
Asset Model in ArcSight ESM

• To provide event priority, the following need to be added to the network model:
  – Assets
  – Zones
  – Networks
  – Customers
  – Locations

NETWORK MODEL: representation of nodes and characteristics of the network
ASSET MODEL: attributes of assets for different purposes
Event Lifecycle

Log source → raw log → CONNECTOR → ESM MANAGER

CONNECTOR
1. Normalization & Categorization
2. Add a Customer
3. Add a Network
4. Add a Zone

ESM MANAGER
1. Threat Level Formula
2. Geographic location
Graphical View Using Geo Location

[Screenshot of a geographic map view of events; no text recoverable.]
Limitations of Asset Resolution

The unique identifier of each resolved asset is persisted in the database for future use by:
• Active channels
• Reports
• Activity Profiler
• Interactive Discovery

If the asset model changes thereafter, the assets are not resolved again for the endpoints of already processed events.
We do not tag a reference to the asset in the endpoint because there would be too many of those references to manage.
Populating a Network Model

As a rule of thumb, there are three ways to populate the network model with assets:

• ArcSight Console-Based Methods:
  – Individually Using Network Modeling Resources
  – In a Batch Using the Network Modeling Wizard
• SmartConnector-Based Methods:
  – Using the Asset Model Import FlexConnector
  – Automatically From a Vulnerability Scanner Report
• ArcSight-Assisted Method:
  – As an Archive File From an Existing Configuration Database
Populating a Network Model
ArcSight Console-Based Methods

• Individually Using Network Modeling Resources
  [Screenshot of the Console's Network Modeling resources; no text recoverable.]
• In a Batch Using the Network Modeling Wizard
  [Screenshots of the Network Modeling Wizard; no text recoverable.]
Populating a Network Model

SmartConnector-Based Methods
• Using the Asset Model Import FlexConnector
  – The Asset Model Import FlexConnector reads Asset, Location, and Asset Category information from a CSV file, which it then sends to the Manager
  – New assets are added and existing assets in the model are updated
  – This method does not create asset ranges and assumes that Zones, Networks, Customers and Locations are already created
• Automatically From a Vulnerability Scanner Report
  – Set up a scanner SmartConnector to use the output of a vulnerability scan to convert device information into Assets along with Vulnerability information and basic Asset Categories, such as operating system and open ports
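The following is an added example (not the ArcSight Asset Model Import FlexConnector and not its file format) that mimics the import semantics stated above: each CSV row either adds a new asset or updates an existing one, and because the method assumes Zones, Networks, Customers and Locations already exist, a row naming an unknown zone or location is rejected rather than silently creating model objects. The column names (name, ip, zone, location, categories), the semicolon separator for categories, the decision to merge rather than replace categories on update, and the sample rows are all constructed for this example.

```python
"""Asset Model Import walk-through (added example; not the real FlexConnector).

Rows add new assets or update existing ones, keyed by (zone, ip). Zones and
locations must already exist, so rows referencing unknown ones are rejected.
Column layout, category separator and sample rows are constructed.
"""
import csv
import io
from typing import Dict, Set, Tuple

# Assumed column layout for this example, not the FlexConnector's schema
COLUMNS = ("name", "ip", "zone", "location", "categories")


def import_assets(csv_text: str, model: Dict[Tuple[str, str], dict],
                  known_zones: Set[str], known_locations: Set[str]) -> dict:
    """Upsert assets from CSV text into `model`; returns what was done."""
    summary = {"added": [], "updated": [], "rejected": []}
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"CSV is missing columns: {missing}")
    for row in reader:
        zone = row["zone"].strip()
        ip = row["ip"].strip()
        location = row["location"].strip()
        # The import does not create zones or locations: reject instead of guessing.
        if zone not in known_zones:
            summary["rejected"].append((ip, f"unknown zone {zone!r}"))
            continue
        if location and location not in known_locations:
            summary["rejected"].append((ip, f"unknown location {location!r}"))
            continue
        categories = {c.strip() for c in row["categories"].split(";") if c.strip()}
        key = (zone, ip)
        if key in model:
            # Existing asset: update name/location, merge categories (assumed policy)
            model[key]["name"] = row["name"].strip()
            model[key]["location"] = location or model[key]["location"]
            model[key]["categories"] |= categories
            summary["updated"].append(key)
        else:
            model[key] = {"name": row["name"].strip(),
                          "location": location or None,
                          "categories": categories}
            summary["added"].append(key)
    return summary


# Constructed input: one update of an asset already in the model, one new
# asset, and one row whose zone was never created in the Console.
SAMPLE_CSV = """name,ip,zone,location,categories
mail-01,10.10.10.225,PARIS,Paris,Mail Server;Criticality/High
web-02,10.10.10.40,PARIS,Paris,Web Server
db-09,10.20.5.7,LYON,Lyon,Database
"""


def run_sample():
    """Apply SAMPLE_CSV to a constructed starting model and return both."""
    model = {("PARIS", "10.10.10.225"): {"name": "mail-01", "location": None,
                                         "categories": {"SOX"}}}
    summary = import_assets(SAMPLE_CSV, model,
                            known_zones={"PARIS", "BERLIN", "CHICAGO"},
                            known_locations={"Paris", "Berlin", "Chicago"})
    return model, summary


if __name__ == "__main__":
    model, summary = run_sample()
    print(summary)
    for key, record in model.items():
        print(key, record)
```

Rejecting rows up front, with the reason recorded in the summary, is the check a practitioner wants before a batch import: a silently skipped or half-applied row leaves an asset with model confidence 4 at best and a priority the TLF cannot compute properly.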
Populating a Network Model

ArcSight-Assisted Method:
• As an Archive File From an Existing Configuration Database
  – Many enterprise networks have third-party systems that already model the properties of the assets in a network
  – One can export these network models, translate the format into the ArcSight schema using an ArcSight resource-generating utility, and import it into the Manager as a resource archive
Thank you
philippe.jouvellier@hp.com
