© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Defining, building, and making use cases work
Paul Brettle – Presales Manager, Americas Pacific Region
What is a use case?
• Compliance – FISMA, PCI, SOX, etc.
• Network security – firewalls, IDS, routers & switches
• Malware
• Systems – application and operating system
• User monitoring – identity, privileged user, shared accounts
• SOC metrics – management metrics, analyst team, infrastructure performance
• Fraud – banking, ATMs
Defining a Use Case
1. Problem statement
2. Define the objective
3. Identify data source
4. Define thresholds
5. Identify deliverables
6. Evaluate and refine
Example use case – audit log cleared
Problem statement: How do I know when the audit log is cleared on my systems?
Define the objective: I need to be notified when audit logs are cleared for my critical assets
Identify data source: Operating System; IDS/IPS (Host); Firewalls
Identify deliverables – How do I want to be made aware?
• Notification to CIRT
• Dashboard tracking
• Compliance
• Report to Auditors of Audit Log Cleared
Evaluate and refine
Building a use case
• Capture the data / requirements consistently
• Utilise a standard process
• What works for you is great
• Consider Use Case forms
  • https://protect724.arcsight.com/docs/DOC-1523 (Cindy Jones)
• Targeted, simple, manageable
Simple tactics to make your life easy
• KISS principle still stands
• Normal mechanisms stand, but control is the key part
• Keep named user control around role based access
• Limit options for access rights – operators DON'T need write access to rules!
• Group by general use / log source type / purpose – your choice!
• Use the numbering structures / schemes
• Remember the use case process and captured data
• Build out on deliverables
• Build out on threat / risk
ArcSight use cases
• Underused previously – present since ESM 4.5
• Much more content and documentation around for ESM 6.0c and Express 4.0
• Look at focused content built around specific data sets
• Usually focused around several active lists – imported or used as standard
• Linked resources for filters, active channels etc. – common naming, structure etc.
Steps to build use cases
1. Problem statement
2. Define objectives
3. Identify data sources
4. Define thresholds
5. Identify the deliverables
6. Evaluate & refine as needed
Example use case
• Problem statement:
  • Identify unauthorized privileged user access to critical servers
• Define the objective:
  • Ensure we have the ability to identify when unauthorized access is:
    • Attempted
    • Succeeds
    • Occurs without authorization
  • Identify unusual behavior
Example use case
Identify the data sources:
• Servers
• Network devices
• Other?
But also need to identify supporting data sources:
• Who is a privileged user?
• Can we identify them easily?
• How can we identify if they are allowed / authorized or not?
• Change control system? Change window?
Example use case
• Data source -> list
• Log data -> event
• Alert -> rule
• Consider supporting information
  • Critical servers – asset list
  • Privileged users – external list
Example use case
Define the thresholds
• How to trigger rules?
• What content to build out?
Where does the information go?
• Individuals?
• Team to process?
• Tracking list?
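The mapping above (data source -> list, log data -> event, alert -> rule) together with the thresholds question, applied to the deck's two example use cases (audit log cleared on critical assets, and unauthorized privileged user access to critical servers), as an added Python example that is not part of the presentation. The log line format, host names, user names, failure threshold and change window are constructed assumptions; an ArcSight build would express the same logic with active lists and rules rather than this code.

```python
from datetime import datetime
# Supporting information (data source -> list); all values are constructed sample data.
CRITICAL_SERVERS = {"db01", "dc01"}                         # asset list
PRIVILEGED_USERS = {"root", "administrator", "dba_admin"}  # external list
CHANGE_WINDOWS = {"db01": (datetime(2014, 6, 10, 22), datetime(2014, 6, 11, 2))}  # approved (start, end)

def parse_event(line):
    # Constructed line format: "2014-06-10T23:15:00 host=db01 user=root action=login_success"
    ts_str, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)       # log data -> event
    ev["ts"] = datetime.fromisoformat(ts_str)
    return ev

def in_change_window(ev):
    win = CHANGE_WINDOWS.get(ev["host"])
    return win is not None and win[0] <= ev["ts"] <= win[1]

def evaluate(events, failure_threshold=2):
    """Alert -> rule: return (alert, host, user) tuples, scoped to critical assets."""
    alerts, failures = [], {}
    for ev in events:
        if ev["host"] not in CRITICAL_SERVERS:
            continue                                    # not a critical asset: ignore
        if ev["action"] == "audit_log_cleared":         # audit log cleared use case
            alerts.append(("AUDIT_LOG_CLEARED", ev["host"], ev["user"]))
        elif ev["user"] in PRIVILEGED_USERS:            # privileged user use case
            if ev["action"] == "login_success" and not in_change_window(ev):
                alerts.append(("UNAUTHORIZED_PRIV_ACCESS", ev["host"], ev["user"]))
            elif ev["action"] == "login_failure":       # attempts: count against threshold
                key = (ev["host"], ev["user"])
                failures[key] = failures.get(key, 0) + 1
                if failures[key] == failure_threshold:
                    alerts.append(("PRIV_ACCESS_ATTEMPTS", ev["host"], ev["user"]))
    return alerts

SAMPLE_LOG = [  # constructed sample events
    "2014-06-10T23:15:00 host=db01 user=dba_admin action=login_success",   # inside window
    "2014-06-11T09:00:00 host=db01 user=root action=login_success",        # outside window
    "2014-06-11T09:05:00 host=web03 user=root action=login_success",       # not critical
    "2014-06-11T09:10:00 host=dc01 user=administrator action=login_failure",
    "2014-06-11T09:11:00 host=dc01 user=administrator action=login_failure",
    "2014-06-11T09:20:00 host=dc01 user=jsmith action=audit_log_cleared",
]

def run_sample():
    return evaluate(parse_event(line) for line in SAMPLE_LOG)
```

Each tuple returned by run_sample() is one deliverable-ready alert; the change window and the failure threshold are the two knobs the "Define the thresholds" step tunes.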
Example use case
Identify deliverables
• Content to show what we want
  • Dashboards
  • Reports
  • Alerts
• How to use the data?
  • Dashboards
  • Investigation
  • Ease of use?
Example use case
Evaluate and refine
• How to improve?
• Where to refine and get better?
• What content can be extended?
• Focus on key data / log sources – better privileged user information
• Integrate automated data feeds – export / import
• Improve data, quality and content
Building Meaningful Use Cases
Review of use case approach
Formalized approach to understand what is required
Define, develop, build and use focused content
Process helps define what is needed:
• Problem Statement
• Define Objectives
• Identify Data Sources
• Define Thresholds
Summary
• User Monitoring
• Threat Intelligence
• Perimeter Monitoring
• Insider Threat
• App Monitoring
• Social Media Feed
• Server Admin Monitor
• Third Party Monitor
• Network Anomaly Detection
• Baseline Monitoring
• Advanced Malware Monitor
Please fill out a survey. Hand it to the door monitor on your way out.
Thank you for providing your feedback, which helps us enhance content for future events.
Session TB3057 Speaker Paul Brettle