
SIEM to ETRM - Lessons learnt and the most important use cases

Fabian Libeau
Principal Sales Engineer
March, 2011

www.arcsight.com © 2011 ArcSight Confidential 1


Cybercrime Detection is More Challenging Than Ever

You Need to See…

… Networked Systems
… Zero-day Threats
… Critical Data Stores
… Privileged Users
… Network Connections
… Fraud Techniques
… Application Activity


Cybercrime Keeps Growing

• $73 Billion Risked by Rogue Trader
• 45 Million Credit Cards
• $7 Billion Lost
• $250 Million Cost
• 1.5 Million Debit Cards
• Accounts Affected: Unknown
• Processing License Revoked
• $12.5 Billion Market Cap Lost


Modern Breaches Share a Pattern

1. Acquire target, sneak in, hop around (Perimeter doesn't help)
2. Get privileged access to critical assets (Impact takes time)
3. Conduct the crime for an extended time (Early detection matters)


Today's Cybercrime Is Different

Attacks
• Smart Humans
• High Value Targets
Business faces more risk than ever.

Defenses
• Signatures Ineffective
• No Choke Point
Traditional defenses won't work.

Vulnerabilities
• Key Systems Unwatched
• Key Users Unwatched
A different approach is required.


Modern Threats

1. Borderless Threat Vectors

2. Hackers and Coordinated Attacks

3. Malware/Bot Infiltration

4. Cross-Channel Attacks

5. Insider Attacks

6. Insider Theft


ArcSight SIEM Platform

Platform functions (diagram on the original slide):
• Log Management
• Data Capture
• Event Correlation
• User Monitoring
• Controls Monitoring
• Fraud Monitoring
• App Monitoring

Products: ArcSight Logger, ArcSight Express, ArcSight ESM, IdentityView, FraudView, ArcSight TRM, Auditor Apps, SAP Auditor

Understanding Log Data - The CEF advantage

Unstructured (raw syslog line from a Cisco ASA):
<166>%ASA-6-106015: Deny TCP (no connection) from 192.168.1.102/59738 to 67.210.229.52/443 flags FIN ACK on interface inside

Add labels, into structured fields:
deviceVendor            CISCO
deviceProduct           ASA
deviceEventClassId      106015
name                    Deny TCP
transportProtocol       TCP
sourceAddress           192.168.1.102
sourcePort              59738
destinationAddress      67.210.229.52
destinationPort         443
deviceInboundInterface  inside

Categorization (vendor independent, so the event can be analyzed and investigated together with events from other devices):
categorySignificance    /Informational/Warning
categoryBehavior        /Access
categoryDeviceGroup     /Firewall
categoryOutcome         /Failure
categoryObject          /Host/Application/Service
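The parse-then-label step the slide shows, worked through as an added example (this is not ArcSight SmartConnector code): a regular-expression parser for the ASA 106015 message that produces the labelled fields above and serialises them as a CEF line. The CEF extension keys used (proto, src, spt, dst, dpt, deviceInboundInterface, cat) are the published CEF field names; the regular expressions, the ASA-to-CEF severity mapping and the category values attached to message 106015 are this example's own assumptions, and only message 106015 is handled.

```python
"""Parse a Cisco ASA 106015 syslog line into labelled fields and emit CEF.
Added example, not ArcSight connector code.  Regexes, the severity mapping and
the category values are assumptions made for this example."""
import re

# Constructed sample input: the raw line from the slide.
RAW = ("<166>%ASA-6-106015: Deny TCP (no connection) from 192.168.1.102/59738 "
       "to 67.210.229.52/443 flags FIN ACK on interface inside")

# Syslog PRI plus the ASA message header: %ASA-<severity>-<message id>: <body>
PRI_RE = re.compile(r"^<(?P<pri>\d+)>%ASA-(?P<sev>\d)-(?P<msgid>\d+):\s*(?P<body>.*)$")
# Body of message 106015: Deny <proto> (no connection) from a/p to b/p flags ... on interface X
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) \(no connection\) from (?P<src>[\d.]+)/(?P<spt>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dpt>\d+) flags (?P<flags>[\w ]+?) on interface (?P<iface>\w+)")

# Categorization the slide attaches to message 106015 (assumed static mapping)
CATEGORIES = {
    "categorySignificance": "/Informational/Warning",
    "categoryBehavior": "/Access",
    "categoryDeviceGroup": "/Firewall",
    "categoryOutcome": "/Failure",
    "categoryObject": "/Host/Application/Service",
}
# ASA syslog severity (0 emergencies .. 7 debugging) -> CEF 0-10 scale (assumed mapping)
ASA_SEV_TO_CEF = {0: 10, 1: 9, 2: 8, 3: 7, 4: 5, 5: 4, 6: 3, 7: 1}

def parse_asa(line):
    """Return the slide's labelled fields for an ASA 106015 line, or None if it does not match."""
    m = PRI_RE.match(line)
    if not m:
        return None
    d = DENY_RE.match(m.group("body"))
    if not d:
        return None
    pri = int(m.group("pri"))
    fields = {
        "deviceVendor": "CISCO",
        "deviceProduct": "ASA",
        "deviceEventClassId": m.group("msgid"),
        "name": "Deny " + d.group("proto"),
        "transportProtocol": d.group("proto"),
        "sourceAddress": d.group("src"),
        "sourcePort": int(d.group("spt")),
        "destinationAddress": d.group("dst"),
        "destinationPort": int(d.group("dpt")),
        "deviceInboundInterface": d.group("iface"),
        "asaSeverity": int(m.group("sev")),
        "syslogFacility": pri // 8,   # <166> -> facility 20 (local4)
        "syslogSeverity": pri % 8,    # <166> -> severity 6 (informational)
    }
    fields.update(CATEGORIES)
    return fields

def cef_escape(value, header=False):
    """CEF escaping: backslash and pipe in header fields; backslash, '=' and newline in extensions."""
    s = str(value).replace("\\", "\\\\")
    if header:
        return s.replace("|", "\\|")
    return s.replace("=", "\\=").replace("\n", "\\n")

# Labelled field -> CEF extension key (key names from the CEF specification)
EXT_KEYS = {
    "transportProtocol": "proto",
    "sourceAddress": "src",
    "sourcePort": "spt",
    "destinationAddress": "dst",
    "destinationPort": "dpt",
    "deviceInboundInterface": "deviceInboundInterface",
    "categoryBehavior": "cat",
}

def to_cef(fields, device_version="0"):
    """Serialize as 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|extensions'."""
    severity = ASA_SEV_TO_CEF.get(fields["asaSeverity"], 0)
    header = "|".join(cef_escape(v, header=True) for v in (
        fields["deviceVendor"], fields["deviceProduct"], device_version,
        fields["deviceEventClassId"], fields["name"], severity))
    ext = " ".join("%s=%s" % (key, cef_escape(fields[name]))
                   for name, key in EXT_KEYS.items() if name in fields)
    return "CEF:0|" + header + "|" + ext

if __name__ == "__main__":
    print(to_cef(parse_asa(RAW)))
```

Running it prints one CEF line for the slide's event; any line whose message ID or body does not match returns None rather than a half-filled event, which is the behaviour you want before a normalized event reaches a correlation rule.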


Making Sense out of Log Data - Correlation

(Diagram on the original slide: each Event is enriched with Context)
• Asset Information
• User Information
• History

Filters, Rules and Statistics turn the enriched events into Meaningful Alerts.
What's Next

Enterprise IT: Legacy and Disruptors (ArcSight sits between the two stacks in the original diagram)

Legacy
• User Layer: local directories, IDMs
• Application Layer: local, client-server, legacy
• Platform Layer: O/S, software platforms, databases, etc.
• Infrastructure Layer: network devices, etc.

Disruptors
• User Layer: Cloud directories, virtual users, XACML
• Application Layer: SaaS, mobile apps
• Infrastructure/Platform Layer: Storage (S3), Processing (EC2), PaaS, IaaS, virtualized servers, O/S, databases, switches


User Activity: A New Axis for Security Monitoring

Traditional
• Events
• IP Address
• Asset Data
• Scan Data
• Location

Identity-Based
• Events
• Access Rights
• User Attributes
• Roles


Use Cases



Unauthorized Application Access

• Which systems have suspicious access/application activity?
• Are terminated accounts still being used?
• Which accounts are being used from suspicious locations?
Key Use Case: Correlated Identity

With correlated identity, a simple event tells you much more:

1. Correlate an IP with a user
2. Identify the associated username
3. Enrich the event with user data


Key Use Case: High-Risk User Monitoring

Enterprises use IdentityView to monitor high-risk users, like DBAs, administrators, contractors, or terminated employees, who access:
• Systems outside their normal role
• Highly sensitive systems
• Systems using shared accounts

(Diagram on the original slide: several DBAs all use the shared credential dba/pwd against the Dev DBs and the Finance DB.)


Key Use Case: Role Violations

• Monitor and report on access of systems outside of a user's role or department
• Make sure roles and privileges assigned within applications are aligned with IDM


Key Use Case: General User Activity Monitoring

Identity  Account Name      Type       Dept.              Manager       Name                      Attacker Address  Target Address   Device Vendor  Device Product
John Doe  cjvdak            Full Time  Customer Services  Morris Hicks  Successful Network Login  10.1.1.1          192.168.10.10    Microsoft      Windows
John Doe  doej              Full Time  Customer Services  Morris Hicks  Customer record updated   10.1.1.1          192.168.20.20    Peoplesoft     CRM
John Doe  cjvdak            Full Time  Customer Services  Morris Hicks  Limeware P2P detected     10.1.1.1          106.203.99.233   McAfee         Intrushield
John Doe  cjvdak            Full Time  Customer Services  Morris Hicks  Virus quarantined         10.1.1.1          -                McAfee         EPO
John Doe  cjvdak            Full Time  Customer Services  Morris Hicks  http://monster.com/jobs   10.1.1.1          209.232.123.213  BlueCoat       Proxy
John Doe  jdoe@company.com  Full Time  Customer Services  Morris Hicks  email to competitor.com   10.1.1.1          106.203.99.233   Microsoft      Exchange

Complete view of user activity across all systems: three different account names on five different products resolve to one identity.
Key Use Case: Privileged Account Activity

• Attribute users with privileged account usage to monitor:
  – DBA activity (sys, system, SA, etc.)
  – Administrator activity (root, administrator, etc.)

Identity    Account Name   Dept.  Role                Name                               Attacker Address  Target Address  Device Vendor  Device Product
Sam Malone  malones        IT     Unix Administrator  Successful Network Login           10.1.1.1          192.168.10.10   Microsoft      Windows
Sam Malone  smalone        IT     Unix Administrator  Ticket status updated to "closed"  10.1.1.1          192.168.20.20   Remedy         ServiceDesk
Sam Malone  root           IT     Unix Administrator  SSH login                          10.1.1.1          192.168.20.30   Unix           Unix
Sam Malone  root           IT     Unix Administrator  syslogd stopped                    10.1.1.1          192.168.20.30   Unix           Unix
Sam Malone  root           IT     Unix Administrator  syslogd started                    10.1.1.1          192.168.20.30   Unix           Unix
Sam Malone  sys as sysdba  IT     Unix Administrator  sqlplus login                      10.1.1.1          106.203.99.233  Oracle         Database

Note the syslogd stopped / syslogd started pair on 192.168.20.30 right after the root SSH login: whatever root did in between is missing from that host's own log, and the only reason the sequence can still be read as one person's session is that every row shares the attacker address 10.1.1.1 that the first Windows login tied to Sam Malone.


Key Use Case: Activity Based Role Modeling

• Provide a complete role-based activity report that identifies systems and applications accessed by role, department, or attribute
• Expedite IDM deployments by mining roles based on user activity
• Identify user and access changes made outside of IDM systems

Department       Target Hostname       Device Vendor  Device Product
Human Resources  finance.arcsight.com  Oracle         Financials
Human Resources  dc01.arcsight.com     Microsoft      Windows
Human Resources  quickarrow.com        Bluecoat       Proxy
Human Resources  erp.arcsight.com      Oracle         HRMS
Human Resources  file01.arcsight.com   Microsoft      Windows
Human Resources  mail.arcsight.com     Microsoft      Exchange


Exec Dashboard: User and Department Risk Levels

Key Use Case: Executive Dashboards

Capture the riskiest users and aggregate them into the riskiest departments. Organizations use these metrics to:
• Present meaningful security metrics to executive management
• Prioritize security investments and awareness training


Problem: Shared User Account Attribution

My auditor requires a report of all admin activity in my applications:
– Legacy applications
– Shared privileged (admin) accounts
– No way to tie to actual user

Application Access: Source: 10.10.10.10
[02.5.2009 10:33:46] Login Success 10.10.10.10 fmadmin

Application Access: Source: 192.168.10.6
[02.5.2009 11:21:51] Login Success 192.168.10.6 fmadmin

Solution: Shared User Account Attribution

Update User Sessions with Unique Identity: jimmyj logs in to host 10.10.10.10, and ArcSight records the session.

IP Address    Identity
10.12.23.7    haroldr
10.12.23.23   czfb12
10.12.22.35   bobc
10.12.23.67   Brianc
10.10.10.10   jimmyj

Check Identity Sessions: each shared-account login is looked up by its source IP in the session table.

[02.5.2009 10:33:46] Login Success 10.10.10.10 fmadmin    (10.10.10.10 is jimmyj)
[02.5.2009 11:21:51] Login Success 192.168.10.6 fmadmin   (192.168.10.6 is katie)

IP Address    Identity
10.12.23.7    haroldr
10.12.23.23   czfb12
10.12.22.35   bobc
192.168.10.6  katie
10.10.10.10   jimmyj
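The Correlated Identity steps (correlate an IP with a user, identify the username, enrich the event) and the shared-account attribution just shown, as one added example that is not ArcSight or IdentityView code. It builds the IP-to-identity session table from login and logout events and then resolves each fmadmin login by the source IP. The part a practitioner has to get right, and which the slide's static table hides, is time: an IP is attributed to whoever held a session on it at the moment of the event, so a login after the user logged out stays unattributed instead of being charged to the previous holder, and a later login by someone else on the same address takes over. The event formats, field names and all sample lines are constructed for this example.

```python
"""Shared-account attribution via identity sessions.  Added example, not ArcSight
or IdentityView code.  Builds an IP -> identity session table from login/logout
events ('Update User Sessions with Unique Identity') and attributes shared-account
application logins to the identity that held the source IP at that time ('Check
Identity Sessions').  Event formats and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime
import re

FMT = "%d.%m.%Y %H:%M:%S"   # '02.5.2009 10:33:46' as on the slide, read as day.month.year

# Constructed sample events: host/VPN logins and logouts that carry a real identity.
SESSION_EVENTS = [
    ("02.5.2009 09:58:10", "login",  "10.10.10.10",  "jimmyj"),
    ("02.5.2009 10:05:00", "login",  "192.168.10.6", "katie"),
    ("02.5.2009 10:50:00", "logout", "10.10.10.10",  "jimmyj"),
    ("02.5.2009 12:00:00", "login",  "10.10.10.10",  "bobc"),   # same IP, reused by someone else
]
# Constructed application log: the two lines from the slide plus two edge cases.
APP_LOG = """\
[02.5.2009 10:33:46] Login Success 10.10.10.10 fmadmin
[02.5.2009 11:21:51] Login Success 192.168.10.6 fmadmin
[02.5.2009 11:40:00] Login Success 10.10.10.10 fmadmin
[02.5.2009 12:15:00] Login Success 10.10.10.10 fmadmin
"""
APP_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] Login Success (?P<ip>[\d.]+) (?P<account>\S+)$")

def build_sessions(events):
    """Return {ip: [(start, end_or_None, identity), ...]} from login/logout events."""
    sessions = defaultdict(list)
    for ts, kind, ip, user in sorted(events, key=lambda e: datetime.strptime(e[0], FMT)):
        t = datetime.strptime(ts, FMT)
        if kind == "login":
            # A new login on the same IP implicitly closes the previous open session.
            if sessions[ip] and sessions[ip][-1][1] is None:
                s, _, u = sessions[ip][-1]
                sessions[ip][-1] = (s, t, u)
            sessions[ip].append((t, None, user))
        elif kind == "logout" and sessions[ip] and sessions[ip][-1][2] == user:
            s, _, u = sessions[ip][-1]
            sessions[ip][-1] = (s, t, u)
    return sessions

def identity_at(sessions, ip, when):
    """Identity whose session covered `ip` at `when`, or None if nobody did (unattributed)."""
    for start, end, user in sessions.get(ip, []):
        if start <= when and (end is None or when < end):
            return user
    return None

def attribute(app_log, sessions):
    """Return [(timestamp, source ip, shared account, attributed identity)] per application login."""
    out = []
    for line in app_log.splitlines():
        m = APP_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), FMT)
        out.append((m.group("ts"), m.group("ip"), m.group("account"),
                    identity_at(sessions, m.group("ip"), when)))
    return out

if __name__ == "__main__":
    for ts, ip, account, who in attribute(APP_LOG, build_sessions(SESSION_EVENTS)):
        print("%s %s from %s used by %s" % (ts, account, ip, who or "UNATTRIBUTED"))
```

The third fmadmin login (11:40 from 10.10.10.10) comes out unattributed because jimmyj had logged out and bobc had not yet logged in; on a real network that is the row the auditor report has to flag rather than silently assign, and it is also the reason logout and session-timeout events belong in the session feed alongside logins.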
Bot, Worm and Virus Attacks

(Network diagram on the original slide: Corporate HQ, Branch Office, Remote Workers and Mobile Users connected over the Public Network via Home VPN, Wireless Hot-Spot and Public VPN.)

• What malware is infiltrating my environment, and how is it propagating?
• Is my AntiVirus system able to mitigate malware threats?


Problem: Malware Beaconing

(Diagram only on the original slide: an infected host labelled BOT.)


Challenge: It's All About Command-and-Control

Advanced Malware
• VM-Aware
• Proxy-Aware
• Polymorphic
• Locked

Modern malware, botnets, APTs, advanced cyber threats… rely on Remote Control (CnC) over the Internet.

Network Defense
• Firewall
• IDS/IPS
• Web/Mail Filter
• Gateway AV
• Proxy
• DLP

Host Defense
• Firewall
• Host IPS
• Anti-Virus
• ACLs

Other Infection Vectors
• Infected USBs/CDs
• Traveling Workers
• WiFi/Smartphone
• Trusted Connections
• Insider Threat


Solution: Detecting Bot Malware Beaconing

Inputs correlated by the rule:
• Asset class: Protected System
• Geospatial: Foreign IP address
• IPflow: source and destination IP address and port information, # of bytes transferred, # of packets transmitted in the session, protocol type (UDP or TCP)

Beacon indicators:
• Single packet transfer
• Well-known port (e.g. 80, 443, 53)
• Destination is to a foreign country
• Occurred during off-hours


Solution: Malware Beacon Detection – Behavioral Analysis

(Chart only on the original slide.)
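The beacon scoring described on the two preceding slides, carried through as an added example (not ArcSight rule content). It groups IPflow-style records from protected systems into channels (source, destination, destination port), scores each channel on the slide's indicators, and adds the behavioural test the chart slide implies: the regularity of the inter-arrival times, measured as the coefficient of variation of the gaps between flows. The flow records, the protected-asset list, the country lookup, the home country and the off-hours window are all assumptions constructed for this example; in the product they come from the asset model, geospatial data and the flow connector.

```python
"""Beacon detection over flow records.  Added example, not ArcSight rule content.
Flow records, the protected-asset list, the geo lookup, the home country and the
off-hours window are constructed assumptions for this example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

PROTECTED = {"10.1.5.20", "10.1.5.21"}       # asset class: Protected System (assumed)
HOME_COUNTRY = "DE"                           # assumed
GEO = {"198.51.100.7": "RU", "203.0.113.9": "DE", "192.0.2.44": "US"}  # assumed lookup
WELL_KNOWN = {80, 443, 53}                    # the slide's well-known ports
OFF_HOURS = range(0, 7)                       # 00:00-06:59 local; assumed definition

# Constructed flow records: (timestamp, src, dst, dport, proto, packets, bytes)
FLOWS = [
    # protected host -> foreign host on 443, one packet, every ~10 minutes, at night
    ("2011-03-01 02:00:05", "10.1.5.20", "198.51.100.7", 443, "TCP", 1, 60),
    ("2011-03-01 02:10:07", "10.1.5.20", "198.51.100.7", 443, "TCP", 1, 60),
    ("2011-03-01 02:20:04", "10.1.5.20", "198.51.100.7", 443, "TCP", 1, 60),
    ("2011-03-01 02:30:06", "10.1.5.20", "198.51.100.7", 443, "TCP", 1, 60),
    ("2011-03-01 02:40:05", "10.1.5.20", "198.51.100.7", 443, "TCP", 1, 60),
    # normal browsing from the same host: irregular, multi-packet, office hours, domestic
    ("2011-03-01 09:01:00", "10.1.5.20", "203.0.113.9", 80, "TCP", 40, 52000),
    ("2011-03-01 09:04:30", "10.1.5.20", "203.0.113.9", 80, "TCP", 12, 9000),
    ("2011-03-01 11:40:12", "10.1.5.20", "203.0.113.9", 80, "TCP", 80, 120000),
    # a host outside the protected asset class: beacon-like, but filtered out up front
    ("2011-03-01 02:00:00", "10.1.9.5", "192.0.2.44", 443, "TCP", 1, 60),
    ("2011-03-01 02:10:00", "10.1.9.5", "192.0.2.44", 443, "TCP", 1, 60),
    ("2011-03-01 02:20:00", "10.1.9.5", "192.0.2.44", 443, "TCP", 1, 60),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def score_channel(flows):
    """Score one (src, dst, dport) channel on the slide's indicators; returns (score, reasons)."""
    reasons = []
    times = sorted(parse_ts(f[0]) for f in flows)
    if len(times) >= 3:
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Periodicity: a low coefficient of variation of the inter-arrival times.
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 1.0
        if cv < 0.1:
            reasons.append("periodic (mean %.0fs, cv %.2f)" % (mean(gaps), cv))
    if all(f[5] == 1 for f in flows):
        reasons.append("single packet transfer")
    dport = flows[0][3]
    if dport in WELL_KNOWN:
        reasons.append("well-known port %d" % dport)
    country = GEO.get(flows[0][2], "unknown")
    if country != HOME_COUNTRY:
        reasons.append("foreign destination (%s)" % country)
    if all(t.hour in OFF_HOURS for t in times):
        reasons.append("off-hours")
    return len(reasons), reasons

def detect_beacons(flows, min_score=4):
    """Group flows from protected systems by channel; return {channel: reasons} for scores >= min_score."""
    channels = defaultdict(list)
    for f in flows:
        if f[1] in PROTECTED:                 # asset-class filter from the slide
            channels[(f[1], f[2], f[3])].append(f)
    hits = {}
    for key, fl in channels.items():
        score, reasons = score_channel(fl)
        if score >= min_score:
            hits[key] = reasons
    return hits

if __name__ == "__main__":
    for (src, dst, dport), reasons in detect_beacons(FLOWS).items():
        print("%s -> %s:%d  %s" % (src, dst, dport, "; ".join(reasons)))
```

The score threshold is deliberately above any single indicator: port 443 to a foreign host is ordinary traffic on its own, and so is a single-packet flow; it is the combination with a near-constant interval and an off-hours window that separates the 10.1.5.20 channel from that host's browsing.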


Example: CnC Detection / Termination: Zeus

Zeus Bot
• Designed to be Undetected
• Injected Code Executes When You are Logging into Financial Institutions
• Captures User's Credentials / Sites / Challenge Questions / Responses
• Botmaster Tools for Financial Transfers
• Phones Home Regularly for Updates

(Diagram on the original slide: egress from the Zeus Bot through the Proxy and DNS to the CnC server.)

Zeus Communication Traits
• Proxy Aware
• Periodic Communication
• Updates CnC Channels Frequently


Detection of Zeus

• IP List - more than 200 C&C servers active at the moment
• Periodically updated
• Upload as active list into ArcSight
• Analyse traffic information from routers, firewalls, proxies, flows
• Solutions such as HP TippingPoint and Damballa


Example: Abuse.ch

• ZeuS and SpyEye tracker
• Provides crimeware C&C tracking lists
• Here are some quick statistics about the ZeuS crimeware:
  – ZeuS C&C servers tracked: 572
  – ZeuS C&C servers online: 246
  – ZeuS C&C servers with files online: 54
  – ZeuS FakeURLs tracked: 75
  – ZeuS FakeURLs online: 30
  – Average ZeuS binary Antivirus detection rate: 37.11%


Hacker Detection

(Same network diagram as on the Bot, Worm and Virus Attacks slide.)

• Who is attacking me and where are they attacking from?
• Which of my internal systems are they attacking?


Other sources

• Several lists are available which can be integrated:
  – JoeWein.de
    • SpamDomains
  – iDefense
    • Early Warning of Vulnerabilities
  – Symantec DeepSight
    • Early Warning of Vulnerabilities
  – SANS Internet Storm Center
    • Blocklist of Malicious IPs
  – SRI Malware Threat Center
    • Blocklist for C&C Servers, Active Source IPs
  – Malwaredomainlist, Emerging Threats, ...


Example: Threat Expert

• Threat Expert gives early warning on new malware.
• The time between detection and the update of the AV signature is critical.
• Threat Expert provides a report incl. the domain name and/or IP address of the malicious host.
• Download the latest report, extract the IPs and forward them into ArcSight.
• Use the IP list to detect suspicious communication.
• Hashes of the malicious code are also provided; these can be correlated with host-based firewalls/IPS that send the hashes of processes started by a client.


Example: ArcOSI

• http://code.google.com/p/arcosi/
• ArcOSI is a Python based utility available for Unix or Windows that scrapes several trusted open source intelligence sites for known malicious IPs and domains and streams them into ArcSight CEF format via Syslog for use in your SIEM content.
• OSI feed support as of 1/13/2011:
  – IP sources
    • SRI Malware Threat Center http://www.mtc.sri.com/live_data/attackers/
    • SANS ISC - DShield http://isc.sans.edu/reports.html
    • Project HoneyPot http://www.projecthoneypot.org/list_of_ips.php
    • Zeus Tracker https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
    • SpyEye Tracker https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist
  – Domain sources
    • Malware Domain List http://www.malwaredomainlist.com/hostslist/hosts.txt
    • Malware Patrol http://www.malware.com.br/cgi/submit?action=list
    • Malware Domains http://mirror1.malwaredomains.com/files/BOOT
    • Zeus Tracker https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
    • SpyEye Tracker https://spyeyetracker.abuse.ch/blocklist.php?download=domainblocklist
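The active-list workflow of the Zeus, Threat Expert and ArcOSI slides (fetch a feed, extract the indicators, match traffic and host events against them), as one added example that is neither ArcOSI nor ArcSight code. It parses three feed shapes named on those slides, an IP blocklist, a hosts-file style domain list, and a malware report that carries file hashes, loads them into lookup sets, and matches constructed proxy, firewall and host process-start events against them. The feed text, the events and their field names are constructed here (the hashes are those of the EICAR test file, used as stand-ins); the real feeds are the URLs on the ArcOSI slide. Domain matching also covers subdomains of a listed domain, and hash matching is case-insensitive, since feeds and endpoint agents do not agree on case.

```python
"""Threat-intelligence feeds as active lists.  Added example, not ArcOSI or ArcSight
code.  Feed samples, events and field names are constructed for the example; the
hashes are the EICAR test file's MD5/SHA1, used as stand-ins for a malware report."""
import re

# Constructed feed samples in the shapes the real feeds use.
IP_BLOCKLIST = """\
# ZeuS IP blocklist (constructed sample)
198.51.100.7
203.0.113.200
"""
HOSTS_LIST = """\
# hosts-file style domain list (constructed sample)
127.0.0.1  bad-updates.example
127.0.0.1  cnc.zeus-sample.example
"""
HASH_REPORT = """\
Filename: svchost32.exe
MD5: 44d88612fea8a8f36de82e1278abb02f
SHA1: 3395856ce81f2b7382dee72602f798b642f14140
"""

def parse_ip_list(text):
    """One IP per line, '#' comments ignored."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}

def parse_hosts(text):
    """hosts-file format: '<sink ip> <domain>' per line; keep the domain, lower-cased."""
    out = set()
    for l in text.splitlines():
        parts = l.split()
        if len(parts) >= 2 and not l.startswith("#"):
            out.add(parts[1].lower())
    return out

HASH_RE = re.compile(r"^(?:MD5|SHA1|SHA256):\s*([0-9a-fA-F]+)\s*$", re.M)

def parse_hashes(text):
    """Hashes from 'MD5: ...' / 'SHA1: ...' / 'SHA256: ...' lines of a report, lower-cased."""
    return {h.lower() for h in HASH_RE.findall(text)}

# The three active lists a SIEM would keep refreshed from the feeds.
ACTIVE_LISTS = {
    "bad_ips": parse_ip_list(IP_BLOCKLIST),
    "bad_domains": parse_hosts(HOSTS_LIST),
    "bad_hashes": parse_hashes(HASH_REPORT),
}

# Constructed events, already normalized to key/value form as a connector would deliver them.
EVENTS = [
    {"type": "proxy", "src": "10.1.5.20", "host": "CNC.zeus-sample.example", "url": "/gate.php"},
    {"type": "proxy", "src": "10.1.5.21", "host": "www.example.org", "url": "/"},
    {"type": "firewall", "src": "10.1.5.22", "dst": "198.51.100.7", "dpt": 443},
    {"type": "firewall", "src": "10.1.5.22", "dst": "192.0.2.10", "dpt": 443},
    {"type": "process_start", "host": "ws042", "image": "C:\\Windows\\svchost32.exe",
     "md5": "44D88612FEA8A8F36DE82E1278ABB02F"},
]

def parent_domains(host):
    """'a.b.example' -> ['a.b.example', 'b.example', 'example'], so subdomains of a listed domain match."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def match_event(ev, lists=ACTIVE_LISTS):
    """Return (active list name, matched indicator) if the event touches a listed indicator, else None."""
    if ev["type"] == "proxy":
        for d in parent_domains(ev["host"]):
            if d in lists["bad_domains"]:
                return ("bad_domains", d)
    elif ev["type"] == "firewall":
        if ev["dst"] in lists["bad_ips"]:
            return ("bad_ips", ev["dst"])
    elif ev["type"] == "process_start":
        h = ev.get("md5", "").lower()
        if h in lists["bad_hashes"]:
            return ("bad_hashes", h)
    return None

def scan(events):
    """Return [(event, match)] for every event that hits an active list."""
    hits = []
    for ev in events:
        m = match_event(ev)
        if m:
            hits.append((ev, m))
    return hits

if __name__ == "__main__":
    for ev, (list_name, indicator) in scan(EVENTS):
        print("%s event from %s matched %s: %s" % (ev["type"], ev.get("src", ev.get("host")), list_name, indicator))
```

The match result names the list and the indicator rather than just "hit": a proxy event matching a domain list is an egress-to-CnC finding, a process-start matching a hash list is an infected host, and the two call for different responses, which is the point of the Threat Expert slide's remark about correlating hashes with host-based IPS data.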


VPN Sneak Attacks

(Same network diagram as on the Bot, Worm and Virus Attacks slide.)

• Where are my remote users coming from, and what are they accessing?
• Are the computers coming in remotely secure and up to date?


Conclusion

Cybercrime is changing
• Borderless networks bring new types of crime
• Smart humans guiding sophisticated technology

Detection requires new methods
• Pattern Detection
• Historical and Trend Analysis
• Role and Behavior Analysis, Logs, Flows, Roles


To learn more, contact ArcSight at:
info@arcsight.com or 1-888-415-ARST
ArcSight, Inc.
5 Results Way, Cupertino, CA 95014, USA
Corporate Headquarters: 1-888-415-ARST
EMEA Headquarters: +44 (0)844 745 2068
Asia Pac Headquarters: (852) 2166 8302
www.arcsight.com
