You Need to See…
… Networked Systems
… Zero-day Threats
… Critical Data Stores
… Privileged Users
… Network Connections
… Fraud Techniques
… Application Activity
Attacks: Smart Humans, No Choke Point
Defenses: Signatures Ineffective
Vulnerabilities: Key Systems Unwatched, Key Users Unwatched
Traditional defenses won’t work. A different approach is required.
3. Malware/Bot Infiltration
4. Cross-Channel Attacks
5. Insider Attacks
6. Insider Theft
Diagram: ArcSight product portfolio
Capabilities: Event Correlation, User Monitoring, Controls Monitoring, Data Capture, Fraud Monitoring, App Monitoring, Log Management
Products: IdentityView, ArcSight ESM, FraudView, ArcSight TRM, ArcSight Logger, Auditor Apps, ArcSight Express, SAP Auditor
www.arcsight.com © 2011 ArcSight Confidential 8
Understanding Log Data - The CEF advantage

Unstructured syslog message:
<166>%ASA-6-106015: Deny TCP (no connection) from 192.168.1.102/59738 to 67.210.229.52/443 flags FIN ACK on interface inside

Add labels to turn it into structured fields:
deviceVendor            CISCO
deviceProduct           ASA
deviceEventClassId      106015
name                    Deny TCP
transportProtocol       TCP
sourceAddress           192.168.1.102
sourcePort              59738
destinationAddress      67.210.229.52
destinationPort         443
deviceInboundInterface  inside

Categorization added so the event can be analyzed:
categorySignificance    /Informational/Warning
categoryBehavior        /Access
categoryDeviceGroup     /Firewall
categoryOutcome         /Failure
categoryObject          /Host/Application/Service
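The labelling step above, worked through in code. This is an added example, not ArcSight's parser or any code from the slides: it takes the Cisco ASA 106015 line shown on the slide, extracts the fields the slide labels, attaches the same categorization, and then renders the result as a CEF:0 line with the escaping the format requires (backslash and pipe in the header, backslash and '=' in the extension). The regex is written for message id 106015 only, the CEF severity of 3 and the device version "unknown" are assumed defaults, and the mapping from the slide's field names to the short CEF extension keys (src, spt, dst, dpt, proto, deviceInboundInterface) uses the standard CEF key names.

```python
import re

# Constructed sample input: the Cisco ASA syslog line from the slide, joined onto one line.
ASA_LINE = (
    "<166>%ASA-6-106015: Deny TCP (no connection) from 192.168.1.102/59738 "
    "to 67.210.229.52/443 flags FIN ACK on interface inside"
)

# Pattern for the ASA 106015 message. Assumption: this layout is fixed for message id
# 106015; other ASA message ids need their own patterns.
ASA_106015 = re.compile(
    r"^<(?P<pri>\d+)>%ASA-(?P<level>\d)-(?P<msgid>\d+): "
    r"(?P<action>Deny) (?P<proto>[A-Z]+) \(no connection\) "
    r"from (?P<src>[\d.]+)/(?P<spt>\d+) to (?P<dst>[\d.]+)/(?P<dpt>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)$"
)

# Categorization shown on the slide for a firewall deny: an access attempt that failed.
CATEGORY_DENY = {
    "categorySignificance": "/Informational/Warning",
    "categoryBehavior": "/Access",
    "categoryDeviceGroup": "/Firewall",
    "categoryOutcome": "/Failure",
    "categoryObject": "/Host/Application/Service",
}


def parse_asa_106015(line):
    """Turn the unstructured syslog line into labelled fields; None if it is not 106015."""
    m = ASA_106015.match(line)
    if m is None:
        return None
    g = m.groupdict()
    fields = {
        "deviceVendor": "CISCO",
        "deviceProduct": "ASA",
        "deviceEventClassId": g["msgid"],
        "name": f"{g['action']} {g['proto']}",
        "transportProtocol": g["proto"],
        "sourceAddress": g["src"],
        "sourcePort": int(g["spt"]),
        "destinationAddress": g["dst"],
        "destinationPort": int(g["dpt"]),
        "deviceInboundInterface": g["iface"],
    }
    fields.update(CATEGORY_DENY)
    return fields


def _esc_header(value):
    # CEF header fields: backslash and pipe must be escaped.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    # CEF extension values: backslash, '=' and line breaks must be escaped.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


# Slide field name -> standard CEF extension key.
EXT_KEYS = [
    ("sourceAddress", "src"), ("sourcePort", "spt"),
    ("destinationAddress", "dst"), ("destinationPort", "dpt"),
    ("transportProtocol", "proto"), ("deviceInboundInterface", "deviceInboundInterface"),
]


def to_cef(fields, device_version="unknown", severity=3):
    """Render the labelled fields as a CEF:0 line (severity 3 is an assumed default)."""
    header = "|".join([
        "CEF:0",
        _esc_header(fields["deviceVendor"]),
        _esc_header(fields["deviceProduct"]),
        _esc_header(device_version),
        _esc_header(fields["deviceEventClassId"]),
        _esc_header(fields["name"]),
        str(severity),
    ])
    ext = " ".join(f"{key}={_esc_ext(fields[src])}" for src, key in EXT_KEYS if src in fields)
    return header + "|" + ext


if __name__ == "__main__":
    parsed = parse_asa_106015(ASA_LINE)
    for k, v in parsed.items():
        print(f"{k:24} {v}")
    print(to_cef(parsed))
```

Running the block prints the labelled field list from the slide followed by the CEF line. Note that the regex is anchored and returns None for any other ASA message id rather than guessing; a collector should count such misses so that unparsed events are visible instead of silently dropped.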
Diagram: each Event enriches Context with Asset Information, User Information and History; Filters, Rules and Statistics then turn the enriched events into Meaningful Alerts.
What’s Next
Enterprise IT: Legacy | Disruptors
User Layer: local directories, IDMs | User Layer: Cloud directories, virtual users, XACML
Platform Layer: O/S, software platforms, databases, etc. | Infrastructure/Platform Layer: Storage (S3), Processing (EC2), PaaS, IaaS, virtualized servers, O/S, databases, switches
Infrastructure Layer: network devices, etc. |
ArcSight
Traditional Events: IP Address, Asset Data, Scan Data, Access Rights, Location
Identity-Based Events: User Attributes, Roles
Diagram: DBAs and Systems. Several DBAs log into Dev DB, Dev DB and Finance DB using the same shared credential (dba/pwd).
Identity | Account Name | Type | Dept. | Manager | Name | Attacker Address | Target Address | Device Vendor | Device Product
John Doe | cjvdak | Full Time | Customer Services | Morris Hicks | Successful Network Login | 10.1.1.1 | 192.168.10.10 | Microsoft | Windows
 | doej | Full Time | Customer Services | Morris Hicks | Customer record updated | 10.1.1.1 | 192.168.20.20 | Peoplesoft | CRM
 | cjvdak | Full Time | Customer Services | Morris Hicks | Limeware P2P detected | 10.1.1.1 | 106.203.99.233 | McAfee | Intrushield
 | cjvdak | Full Time | Customer Services | Morris Hicks | Virus quarantined | 10.1.1.1 | | McAfee | EPO
 | cjvdak | Full Time | Customer Services | Morris Hicks | http://monster.com/jobs | 10.1.1.1 | 209.232.123.213 | BlueCoat | Proxy
 | jdoe@company.com | Full Time | Customer Services | Morris Hicks | email to competitor.com | 10.1.1.1 | 106.203.99.233 | Microsoft | Exchange
Identity | Account Name | Dept. | Role | Name | Attacker Address | Target Address | Device Vendor | Device Product
Capturing the riskiest users and aggregating them into the riskiest
departments. Organizations use these metrics to:
• Present meaningful security metrics to executive management
• Prioritize security investments and awareness training
Update User Sessions with Unique Identity
IP Address | Identity
10.12.23.7 | haroldr
10.12.23.23 | czfb12
10.12.22.35 | bobc
10.12.23.67 | Brianc
10.10.10.10 | jimmyj
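The two ideas on these slides, resolving a source address to a unique identity through the session table and then rolling risk up from users to departments, combined into one worked example. This is added code, not ArcSight's IdentityView logic: the IP-to-identity table is the slide's list, while the department directory, the event list, the per-event risk weights and the unmapped address 10.99.99.99 are all constructed assumptions used only to make the roll-up run.

```python
from collections import defaultdict

# Session table from the slide: source address -> unique identity.
SESSIONS = {
    "10.12.23.7": "haroldr",
    "10.12.23.23": "czfb12",
    "10.12.22.35": "bobc",
    "10.12.23.67": "Brianc",
    "10.10.10.10": "jimmyj",
}

# Constructed directory: identity -> department (assumed, not on the slide).
DIRECTORY = {
    "haroldr": "Finance",
    "czfb12": "Customer Services",
    "bobc": "Engineering",
    "Brianc": "Customer Services",
    "jimmyj": "Finance",
}

# Constructed risk weight per event name (assumed values; names reuse the slide's examples).
RISK_WEIGHTS = {
    "Successful Network Login": 1,
    "Customer record updated": 2,
    "http://monster.com/jobs": 3,
    "Limeware P2P detected": 5,
    "Virus quarantined": 7,
    "email to competitor.com": 8,
}

# Constructed events: (source address, event name). The last one has no session entry,
# which is the edge case an identity roll-up must surface rather than hide.
EVENTS = [
    ("10.12.23.7", "Successful Network Login"),
    ("10.12.23.7", "email to competitor.com"),
    ("10.12.23.23", "Limeware P2P detected"),
    ("10.12.23.23", "Virus quarantined"),
    ("10.12.22.35", "Successful Network Login"),
    ("10.12.23.67", "http://monster.com/jobs"),
    ("10.10.10.10", "Customer record updated"),
    ("10.99.99.99", "Virus quarantined"),
]


def enrich(event):
    """Attach identity, department and risk weight to a raw (address, name) event."""
    src, name = event
    identity = SESSIONS.get(src, "unknown")      # no session -> keep it visible as "unknown"
    dept = DIRECTORY.get(identity, "unknown")
    return {"sourceAddress": src, "name": name, "identity": identity,
            "dept": dept, "risk": RISK_WEIGHTS.get(name, 0)}


def risk_by_user(events):
    """Sum risk per unique identity."""
    totals = defaultdict(int)
    for e in map(enrich, events):
        totals[e["identity"]] += e["risk"]
    return dict(totals)


def risk_by_dept(events):
    """Aggregate the per-user risk into departments."""
    totals = defaultdict(int)
    for e in map(enrich, events):
        totals[e["dept"]] += e["risk"]
    return dict(totals)


def ranked(totals):
    """Riskiest first; ties broken by name so the order is stable."""
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("Riskiest users:", ranked(risk_by_user(EVENTS)))
    print("Riskiest departments:", ranked(risk_by_dept(EVENTS)))
```

The "unknown" bucket is deliberate: an address with no session mapping still carries its risk, and a non-trivial "unknown" total is itself a metric worth reporting, since it measures how much activity the identity layer cannot attribute.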
Diagram: remote access paths (Home VPN, Wireless Hot-Spot, Public VPN, Branch Office, Remote Workers) with the threat and control elements shown: BOT, Firewall, WiFi/Smartphone, Host IPS, Anti-Virus, Trusted Connections, ACLs
Insider Threat
Designed to be Undetected
Egress
Injected Code Executes When You are Logging into Financial Institutions
• http://code.google.com/p/arcosi/
• ArcOSI is a Python-based utility available for Unix or Windows that scrapes
several trusted open source intelligence sites for known malicious IPs and
domains and streams them into ArcSight CEF format via Syslog for use in
your SIEM content.
• OSI feed support as of 1/13/2011:
– IP Sources: URL
• SRI Malware Threat Center http://www.mtc.sri.com/live_data/attackers/
• SANS ISC - DShield http://isc.sans.edu/reports.html
• Project HoneyPot http://www.projecthoneypot.org/list_of_ips.php
• Zeus Tracker https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
• SpyEye Tracker https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist
– Domain Sources: URL
• Malware Domain List http://www.malwaredomainlist.com/hostslist/hosts.txt
• Malware Patrol http://www.malware.com.br/cgi/submit?action=list
• Malware Domains http://mirror1.malwaredomains.com/files/BOOT
• Zeus Tracker https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
• SpyEye Tracker https://spyeyetracker.abuse.ch/blocklist.php?download=domainblocklist
• Where are my remote users coming from, and what are they accessing?
• Are the computers my remote users connect from secure and up to date?
Cybercrime is changing
• Pattern Detection
• Historical and Trend Analysis
• Role and Behavior Analysis, Logs, Flows, Roles