© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Objectives
Network Model
HP ArcSight operates on a data model, enabling a business-oriented view of data derived from physical information systems.
Modeling the network and its assets is part of initial setup and of ongoing maintenance.
Seven Phases Event Lifecycle – Overview
1. Data Collection and Event Processing
[Figure: phases 1 through 4 of the event lifecycle]
Network Model
How does it work?
A representation of the IP address spaces and nodes on a network, as well as the characteristics of those address spaces and nodes.
What does ESM do with the Network Model?
ESM uses the Network Model to look up Zones and to locate the individual Assets involved in events.
ESM uses it to compute event priority.
What is inside a Network Model?
Network modeling stores important information such as:
Open ports for modeled hosts in the network
Operating systems running on the modeled hosts in the network
Known vulnerabilities that might be exposed
Applications running in the modeled network and their criticality
…
Why is Asset Modeling Important?
What is the Threat Level Formula?
Each event is evaluated against the Threat Level Formula (TLF) to determine its relative importance, or priority, to the network.
The TLF calculates the priority of an event from the agent severity, adjusted by four factors.
Model Confidence, the degree to which the target asset is modeled in ESM, takes one of the following values:
• 0 Target is not modeled at all; the target asset ID is not populated
• 4 Target asset ID is present, but the asset has not been scanned for open ports or vulnerabilities
• 8 Target asset has been scanned for either open ports or vulnerabilities, but not for both
• 10 Target asset has been scanned for both open ports and vulnerabilities
Events Priority
Each event is evaluated with the TLF to determine its relative importance, or priority.
[Figure: log sources (network, applications, databases) send raw events to ArcSight Connectors, which normalise them to CEF format and forward them to the Manager; the Manager applies the four priority factors below and the result is shown in the ArcSight Console.]
SEVERITY (from Active Lists): Already compromised? Already a target?
MODEL CONFIDENCE (0, 4, 8, 10): Modelled? Open ports scanned? Vulnerabilities scanned?
RELEVANCE: Is the exploited vulnerability present? Is the target vulnerable?
ASSET CRITICALITY (user input): How important is the asset for the business?
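The four priority inputs evaluated against a small asset model, as an added example that is not part of the original deck and not ArcSight code. The Model Confidence values follow the 0/4/8/10 table on this page; the sample assets, active lists and events are constructed, and the Relevance and Severity scoring, the 0..10 criticality scale and the final combination step are assumptions made for illustration, since the deck does not give the real formula.

```python
"""Evaluating the four Threat Level Formula inputs for an event.

Added illustration, not ArcSight code. Model Confidence follows the
0/4/8/10 table on this page; everything else (the asset model, the active
lists, the Relevance/Severity scoring and the combination step) is assumed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    asset_id: str
    ip: str
    open_ports: Optional[frozenset] = None       # None: never scanned for open ports
    vulnerabilities: Optional[frozenset] = None  # None: never scanned for vulnerabilities
    criticality: int = 0                         # user input, assumed 0..10 scale


@dataclass
class Event:
    target_ip: str
    target_port: int
    exploited_vuln: Optional[str]  # vulnerability the event tries to exploit, if known
    agent_severity: int            # assumed 0..10 scale as set by the connector


# Constructed asset model: one host scanned for ports and vulnerabilities,
# one scanned for ports only. Hypothetical IDs and vulnerability names.
ASSETS = {
    "10.10.10.225": Asset("A1", "10.10.10.225", frozenset({22, 443}),
                          frozenset({"CVE-EXAMPLE-1"}), criticality=9),
    "10.10.10.12": Asset("A2", "10.10.10.12", frozenset({80}), None, criticality=3),
}
# Constructed active lists feeding the Severity factor.
COMPROMISED = {"10.10.10.12"}
TARGETED = {"10.10.10.225"}


def model_confidence(asset: Optional[Asset]) -> int:
    """Table from the page: 0 not modeled, 4 asset ID only, 8 one scan type, 10 both."""
    if asset is None:
        return 0
    scans = (asset.open_ports is not None) + (asset.vulnerabilities is not None)
    return {0: 4, 1: 8, 2: 10}[scans]


def relevance(event: Event, asset: Optional[Asset]) -> int:
    """Assumed scoring: start at 10, lose 5 for each question the model answers 'no'.
    An attribute that was never scanned cannot answer, so it never lowers relevance."""
    score = 10
    if asset is not None and asset.open_ports is not None \
            and event.target_port not in asset.open_ports:
        score -= 5  # target port is not open
    if asset is not None and asset.vulnerabilities is not None \
            and event.exploited_vuln is not None \
            and event.exploited_vuln not in asset.vulnerabilities:
        score -= 5  # target is not vulnerable to what is being exploited
    return score


def severity(event: Event) -> int:
    """Assumed scoring from the active lists: compromised hosts outrank mere targets."""
    if event.target_ip in COMPROMISED:
        return 10
    if event.target_ip in TARGETED:
        return 5
    return 0


def factors(event: Event) -> dict:
    asset = ASSETS.get(event.target_ip)
    return {
        "model_confidence": model_confidence(asset),
        "relevance": relevance(event, asset),
        "severity": severity(event),
        "asset_criticality": asset.criticality if asset else 0,
    }


def priority(event: Event) -> int:
    """Assumed combination (the deck does not give the real formula): relevance
    scales the agent severity; criticality and severity add up to two points."""
    f = factors(event)
    score = event.agent_severity * f["relevance"] / 10
    score += (f["asset_criticality"] + f["severity"]) / 10
    return max(0, min(10, round(score)))


if __name__ == "__main__":
    # Same raw severity: the modeled host that exposes neither the port nor the
    # vulnerability is demoted, while the unmodeled host keeps its raw severity.
    modeled = Event("10.10.10.225", 3389, "CVE-EXAMPLE-2", agent_severity=8)
    unmodeled = Event("10.10.99.5", 3389, "CVE-EXAMPLE-2", agent_severity=8)
    print(factors(modeled), priority(modeled))
    print(factors(unmodeled), priority(unmodeled))
```

The point to take from the two events in the main block is the reason asset modeling matters: without a model, relevance cannot be lowered, so an exploit attempt against a closed port on an unmodeled host keeps its full agent severity, while the same event against a fully scanned host is demoted.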
Priority Rating
• Takes into account the priority formula factors and the agent severity
• Displayed in the Priority column of an Active Channel
• Makes it easy to identify events that need immediate attention
• Color-coded and numbered
Modeling Network & Assets
A network belongs to only one customer.
ZONES
Contiguous block of IP addresses; zones define physical characteristics of assets.
Eg., CHICAGO, PARIS, BERLIN, HQ DMZ, HONG KONG, Internal
CATEGORIES
Define logical categories for zones.
Eg., DMZ, Criticality, Open port, Location
ASSET RANGES
Set of network nodes addressable as a contiguous block of IP addresses.
Eg., 10.10.0.0 through 10.10.255.255
ASSETS
Individual nodes on the network, such as servers, routers, and laptops; assets inherit categories from asset ranges.
Eg., 10.10.10.225
How ArcSight ESM Enriches Events
Asset Model in ArcSight ESM
• To compute event priority, the following need to be added to the network model:
• Assets
• Zones
• Networks
• Customers
• Locations
Event Lifecycle
Log source -> raw log -> CONNECTOR:
1. Normalization & Categorization
2. Add a Customer
3. Add a Network
4. Add a Zone
-> ESM MANAGER:
1. Threat Level Formula
2. Geographic location
Graphical View Using Geo Location
Limitations of Asset Resolution
The unique identifiers of the resolved assets are persisted in the database for future use by:
Active channels
Reports
Activity Profiler
Interactive Discovery
If the asset model changes afterwards, the assets are not resolved again for the endpoints of events that have already been processed.
ESM does not store a reference to the asset inside the endpoint itself, because there would be too many such references to manage.
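The zone / asset range / asset hierarchy from the "Modeling Network & Assets" slide and the resolution limitation described just above, as one added example that is not part of the original deck and not ArcSight code. The hierarchy (zones as contiguous address blocks, asset ranges, assets inheriting range categories) and the "resolve once, persist the asset ID, never re-resolve" behaviour follow the deck; the class names, category strings, sample addresses and asset IDs are assumptions made for the example.

```python
"""Zone, asset-range and asset lookup for an event endpoint, and what happens
when the model changes after the event has been processed.

Added illustration, not ArcSight code. The hierarchy and the persist-once
behaviour follow the deck; names, categories and addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Zone:
    name: str
    block: ipaddress.IPv4Network          # contiguous block of IP addresses
    categories: frozenset = frozenset()   # logical categories for the zone


@dataclass(frozen=True)
class AssetRange:
    name: str
    first: IPv4
    last: IPv4                            # inclusive, e.g. 10.10.0.0 through 10.10.255.255
    categories: frozenset = frozenset()   # inherited by every asset in the range


@dataclass(frozen=True)
class Asset:
    asset_id: str
    ip: IPv4
    categories: frozenset = frozenset()


class NetworkModel:
    def __init__(self) -> None:
        self.zones: list[Zone] = []
        self.ranges: list[AssetRange] = []
        self.assets: dict[IPv4, Asset] = {}

    def zone_for(self, ip: IPv4) -> Optional[Zone]:
        return next((z for z in self.zones if ip in z.block), None)

    def range_for(self, ip: IPv4) -> Optional[AssetRange]:
        return next((r for r in self.ranges if r.first <= ip <= r.last), None)

    def resolve(self, ip_text: str) -> dict:
        """Look up zone, range and asset for an endpoint; the asset's categories are
        its own plus those inherited from its asset range."""
        ip = IPv4(ip_text)
        zone, rng, asset = self.zone_for(ip), self.range_for(ip), self.assets.get(ip)
        categories = set(rng.categories) if rng else set()
        if asset:
            categories |= asset.categories
        return {
            "zone": zone.name if zone else None,
            "range": rng.name if rng else None,
            "asset_id": asset.asset_id if asset else None,
            "categories": frozenset(categories),
        }


@dataclass
class StoredEvent:
    target_ip: str
    target_zone: Optional[str]
    target_asset_id: Optional[str]   # persisted at processing time, never re-resolved


def process_event(model: NetworkModel, target_ip: str) -> StoredEvent:
    """Resolve the endpoint once, at processing time, and persist the result."""
    r = model.resolve(target_ip)
    return StoredEvent(target_ip, r["zone"], r["asset_id"])


def build_model() -> NetworkModel:
    """Constructed sample model: one zone, one range, one modeled asset."""
    m = NetworkModel()
    m.zones.append(Zone("Internal", ipaddress.ip_network("10.10.0.0/16"),
                        frozenset({"Location/Chicago"})))
    m.ranges.append(AssetRange("Chicago servers", IPv4("10.10.0.0"), IPv4("10.10.255.255"),
                               frozenset({"Criticality/High"})))
    m.assets[IPv4("10.10.10.225")] = Asset("A1", IPv4("10.10.10.225"), frozenset({"OS/Linux"}))
    return m


def late_modeling_demo():
    """Process an event for a host that is not yet an asset, then model the host.
    The already-stored event keeps asset_id None; only later events see the asset."""
    m = build_model()
    before = process_event(m, "10.10.10.50")
    m.assets[IPv4("10.10.10.50")] = Asset("A2", IPv4("10.10.10.50"))
    after = process_event(m, "10.10.10.50")
    return before, after


if __name__ == "__main__":
    print(build_model().resolve("10.10.10.225"))
    print(late_modeling_demo())
```

The practical consequence shown by late_modeling_demo is the one to plan for: reports and active channels built on persisted asset IDs will never pick up hosts that were modeled after the events arrived, so the model should be populated before onboarding the log sources that reference those hosts.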
Populating a Network Model
As a rule of thumb, there are three ways to populate the network model with assets: ArcSight Console-based methods, SmartConnector-based methods, and the ArcSight-assisted method of importing an archive from an existing configuration database.
Populating a Network Model
ArcSight Console-Based Methods
Populating a Network Model
SmartConnector-Based Methods
Using the Asset Model Import FlexConnector
The Asset Model Import FlexConnector reads Asset, Location, and Asset Category information from a CSV file and sends it to the Manager.
New assets are added and existing assets in the model are updated.
This method does not create asset ranges, and it assumes that Zones, Networks, Customers and Locations have already been created.
Automatically From a Vulnerability Scanner Report
Set up a scanner SmartConnector to use the output of a vulnerability scan: device information is converted into Assets, along with Vulnerability information and basic Asset Categories such as operating system and open ports.
Populating a Network Model
ArcSight-Assisted Method:
As an Archive File From an Existing Configuration Database
Many enterprise networks have third-party systems that already model the properties of the assets in a network.
These network models can be exported, translated into the ESM resource schema using an ArcSight resource-generating utility, and imported into the Manager as a resource archive.
Thank you
philippe.jouvellier@hp.com