©2009 ArcSight, Inc. All rights reserved.
ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.
The ArcSight Compliance Tool Kit
Morris Hicks
Consulting Technical Director
Compliance in a Nutshell
1. Document/define
– Business processes
– Critical cyber assets
2. Internal controls
– Properly defined
– Monitored
Compliance in a Nutshell (cont.)
3. Implement a secure and auditable log archive
– Converge disparate sources
– Normalize formats
– Capture high event rates
– Transit slow, remote links
– Establish search, analysis, and reporting
4. Enable event alerting and response
– Real-time monitoring
– Rapid notification
– Intelligent response
– Workflow
– Documentation
The ArcSight Approach to Compliance
Prepackaged content—auditors (SOX, HIPAA, PCI, NERC, ITGOV, FISMA)
Share best practices
Extend the platform—custom use case development
Roadmap
Roadmap
Controls
Regulations don’t specify a comprehensive set of controls, in most cases
Frameworks
– ISO 27002:2005 (formerly 17799)
– NIST SP 800-53
– COBIT 4
Other drivers of controls
– Audit findings
– Security assessment findings
– Organizational policy
ArcSight Auditors
Prepackaged content to address most common controls—SOX, PCI, NERC, HIPAA, FISMA
– Logger: reports, searches, alerts
– ESM: rules, reports, dashboards
ISO 27002-based
Network modeling
– Identify regulated systems
– Categorize regulated systems
– Import active list data
ArcSight Auditors
Content relies on many data sources
– IDS
– OS
– IAM
– Solution guide lists the necessary 20 data sources
UCI (Use Case Identifier) distinguishes content by the function it serves
Graphical summary
Highly configurable
Drill down for detail
Rule Actions & Reports
Rules may initiate actions
– Notifications
– Case creation
Reports
– Scheduled
– On demand
Active Channels
Live event collection
Filter
Sort
Auditors Based on ISO Framework

ISO | Topic | Use Cases
1-3 | Introductory Sections | Not Applicable
4 | Risk Assessment & Treatment | Security Overview; High Risk Event Analysis
5 | Security Policy | Policy Violations; New Services and Hosts
6 | Organization of Information Security | Reporting on Cases
7 | Asset Management | Asset Inventory Reporting; Data Classification Reporting & Monitoring
8 | Human Resources Security | Watching New Hires & Former Employees; Internet Usage Reporting and Monitoring
9 | Physical & Environmental Security |
10 | Communications & Operations Management | Configuration Management (File & Configuration Changes, Maintenance Schedules); Audit Trails; Separation of Development, Test, & Operations Facilities; Malicious Code Monitoring; IP Address/User Name Attribution
11 | Access Control | User Management (User Access); Authorization Changes; Password Policy; Privileged Accounts (Administrative Access); Network Services (including routing, firewall, & VPN); Segregation of Networks
12 | Information Systems Acquisition, Development & Maintenance | Certificate Management; Attack Monitoring; Vulnerability Management
13 | Information Security Incident Management | Internal Reconnaissance; Escalated Threats
14 | Business Continuity Management | Availability; Highly Critical Machines
15 | Compliance | Intellectual Property Rights & Information Leaks; Personal and Company Information; Resource Misuse (excessive email, illegal content downloads, etc.)
Common Compliance Applications
Access monitoring
Configuration management
Attacks and malicious code
Audit trail
Network segmentation
Extending the Core Capability of Auditors

ISO Section | Use Case | Examples
10 – Communications & Operations Management | Configuration Management | Modifications to application binaries, configuration files/tables and other sensitive files/tables; Report and review of all configuration changes; Policy change attempts, unscheduled changes
10 – Communications & Operations Management | Audit Trail | Audit logs cleared/deleted; Audit logs unavailable, i.e. not received; Attempt to disable/change auditing
10 – Communications & Operations Management | Attacks and Malicious Code | High severity attacks, IDS attacks followed by login from attacking host; Attacks from regulated systems; Antivirus, P2P, spyware, infections
11 – Access Controls | Administrative Access | Successful and unsuccessful logins; Local administrative user created or administrative rights granted; Administrative actions (su, sudo, file modification, etc.)
11 – Access Controls | User Access | Successful and unsuccessful logins; Local user created, user created followed by access to regulated system, privilege granted followed by access to regulated system; User activity reports
11 – Access Controls | Unauthorized Access | Administrative connections from unauthorized host; Access to unauthorized service; Unauthorized user access, new authorized user
12 – Info-Systems Acquisition, Development & Maintenance | Change Management | Changes made outside of maintenance window; Correlate change request to implemented changes; Changes performed by personnel not in an appropriate role
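Several of the examples above are sequence or time-window patterns over normalized events. The following added example (not ArcSight content) shows how three of them, IDS attack followed by login from the attacking host, new user followed by access to a regulated system, and changes made outside the maintenance window, could be expressed as correlation checks over constructed sample events; the simplified event schema, the REGULATED set and MAINT_WINDOW are assumptions.

```python
from datetime import datetime, time

# Constructed sample events in an assumed, simplified normalized schema
# (ts, type, src, dst, user); these are not real ArcSight event fields.
EVENTS = [
    {"ts": "2009-03-02T01:10:00", "type": "ids_attack", "src": "10.1.1.7", "dst": "10.2.0.5"},
    {"ts": "2009-03-02T01:12:30", "type": "login_success", "src": "10.1.1.7", "dst": "10.2.0.5", "user": "svc_db"},
    {"ts": "2009-03-02T03:00:00", "type": "config_change", "src": "10.3.0.9", "dst": "10.2.0.5", "user": "ops1"},
    {"ts": "2009-03-02T09:00:00", "type": "user_created", "src": "10.3.0.9", "dst": "10.2.0.5", "user": "tmp_ops"},
    {"ts": "2009-03-02T09:05:00", "type": "login_success", "src": "10.3.0.9", "dst": "10.2.0.5", "user": "tmp_ops"},
    {"ts": "2009-03-02T14:00:00", "type": "config_change", "src": "10.3.0.9", "dst": "10.2.0.5", "user": "ops1"},
]
REGULATED = {"10.2.0.5"}                  # assumed set of regulated (in-scope) hosts
MAINT_WINDOW = (time(2, 0), time(4, 0))   # assumed scheduled change window, local time


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def followed_by(events, first, second, match, window_s):
    """Pair each `first` event with the earliest later `second` event that
    satisfies match(first_evt, second_evt) within window_s seconds."""
    ordered = sorted(events, key=_ts)
    hits = []
    for a in (e for e in ordered if e["type"] == first):
        for b in (e for e in ordered if e["type"] == second):
            gap = (_ts(b) - _ts(a)).total_seconds()
            if 0 <= gap <= window_s and match(a, b):
                hits.append((a, b))
                break
    return hits


def attack_then_login(events, window_s=900):
    """Section 10: IDS attack followed by a login from the attacking host."""
    return followed_by(events, "ids_attack", "login_success",
                       lambda a, b: a["src"] == b["src"] and a["dst"] == b["dst"], window_s)


def new_user_then_access(events, window_s=3600):
    """Section 11: user created, then that same user accesses a regulated system."""
    return followed_by(events, "user_created", "login_success",
                       lambda a, b: a["user"] == b["user"] and b["dst"] in REGULATED, window_s)


def changes_outside_window(events):
    """Section 12: configuration changes on regulated hosts outside the maintenance window."""
    lo, hi = MAINT_WINDOW
    return [e for e in events if e["type"] == "config_change"
            and e["dst"] in REGULATED and not (lo <= _ts(e).time() < hi)]
```

Each function returns the matched events rather than printing, so the same checks can feed a notification or case-creation action as described under Rule Actions above.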
ArcSight Approach to Compliance
Prepackaged content
– Auditors
– Based on ISO framework
– Use case identifier
Best practices
– Engagement drivers
– Common applications of the technology
How the platform can be extended—custom use case development
Maximizing Value
Articulate requirements
– Select controls from discussed best practices
– Sample control matrix
– Audit results (internal/external)
– Security assessment results/penetration tests
– Security policy & procedures
– Interviews with key personnel (PMO, Internal Audit, Compliance, InfoSec)
– Architecture overview
Prioritize controls for implementation
Align resources
– Personnel for interviews
How ArcSight Can Help
Convey industry and customer best practices
Provide sample control matrix
Define technical dependencies for selected controls
Implement the solution