
Improving Incident Response Workflow

ag0ncharov
August 16, 2014


A case study on the HP ArcSight ESM security information and event management (SIEM) platform, co-presented at the HP Protect 2014 conference in Washington, DC.


Transcript

  1. Improving IR Workflow Using Risk-Based Escalation in HP ArcSight ESM
    MetaNet IVS, @meta_net, http://MetaNetIVS.com
  2. What This Talk Is About
    We leveraged the power of ArcSight ESM to build advanced content that enables a custom, risk-based, automated incident workflow.
  3. Why Should You Care
    Objectives:
    ★ Show the capability of ArcSight ESM as a platform
    ★ Teach the audience to create uncommon use cases based on novel ideas
    ★ Share our stories and practical experience
  4. Customer Environment
    • Feeds: MS Windows Server, McAfee AntiVirus, CheckPoint Firewall, Cisco ASA, Snort IDS, McAfee Web Gateway, Foundstone, Nessus Vulnerability Scanner
    • EPS (events per second): 600
    • Cases per day: 1-2
    • Enterprise systems: 9000
    • Enterprise users: 3000
    • Things we like: dashboards and drill-downs
    • Things we dislike: the ESM client is not appropriate for our management; querying multiple Active Lists at once
  5. The Idea
    Three risk tiers, each carrying a severity score: Low Risk = 1, Medium Risk = 2, High Risk = 3.
    Indicator examples (listed on the slide from low to high risk):
    ‣ AV: Malware Found and Cleaned
    ‣ Proxy: Blocked Outbound Connection
    ‣ FW: Outbound SSH Connection
    ‣ AV: Malware Found and Not Cleaned
    ‣ AV: File Infected
    ‣ Proxy: Blocked Connection (non-US)
    ‣ IDS: High Severity Alert
    ‣ Threat Intel: Connection to Known C&C Host
    ‣ AV: Buffer Overflow
    ‣ SIEM: Compromise Event to Vulnerable Asset
    Scores accumulate per system, so the escalation threshold of 3 can be reached in three ways: 1 + 1 + 1 (three low-risk indicators), 1 + 2 (a low plus a medium), or a single high-risk indicator worth 3.
  6. Solutions Provider
    • SIEM and event management solutions provider
    • Heavy focus on HP ArcSight and Splunk solutions
    • Based in San Francisco, CA; team members worldwide
    • Custom SIEM tools and methodologies
    • Experts in: maintenance of challenging environments, complex integrations, distributed architectures, custom solutions for a variety of applications, services catered to customer needs
    Purveyors of Finely Crafted Analytics
  7-11. Content Detail
    [Flow diagram built up over five slides; only its node labels survive in the transcript: Low Severity Filters, Medium Severity Filters, High Severity Filters; Risk Score +1, Risk Score +2, Risk Score +3; Risk Score Set 1, Risk Score Set 2, Risk Score Set 3; Risk Score 1pt, Risk Score 2pts+; Not; Alert, Case, Case Notification.]
    Read together, the labels describe the pipeline: an event matching the low, medium, or high severity filters adds 1, 2, or 3 points to the affected system's risk score, the system is tracked in the corresponding Risk Score Set, and once the accumulated score crosses the threshold the content raises an alert, opens a case, and sends a case notification. The exact conditions on the "Risk Score 1pt", "Risk Score 2pts+" and "Not" branches are not recoverable from the transcript.
  12. Final Thoughts
    Only systems reaching 3+ risk severity will trigger incident response.
    [Figure: grid of per-system risk scores for 27 systems; 20 sit at score 1, 4 at score 2, and 3 reach score 3 and trigger incident response.]
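The scoring idea from slide 5 and the escalation flow from slides 7-11, modelled in plain Python as an added example that is not part of the deck or of MetaNet's ArcSight ESM content. The deck builds this from ESM filters, active lists and rules; the model below uses an in-memory dictionary for the per-system score, a constructed key=value log format, made-up host names, and an assumed tier for each of the deck's indicator examples (the deck lists them without a definitive mapping). Run over the constructed feed it shows the three paths to the threshold (1 + 1 + 1, 1 + 2, 3), an event that matches no severity filter and adds nothing, and a malformed line that is skipped.

```python
"""Risk-based escalation, modelled in plain Python.

Added illustration of the scoring idea in the deck. The deck implements this as
ArcSight ESM content (filters, active lists, rules); this stand-alone model is
not that content. The log line format, host names and the tier assigned to
each indicator are assumptions made for the example.
"""
import re
from collections import defaultdict

# Points per tier: low 1, medium 2, high 3 (the deck's severity scores).
TIER_POINTS = {"low": 1, "medium": 2, "high": 3}

# A system that reaches 3+ points triggers incident response (deck, Final Thoughts).
ESCALATION_THRESHOLD = 3

# (event source, message) -> tier. The deck lists these indicators as examples;
# which tier each one belongs to is an assumption here.
INDICATOR_TIER = {
    ("McAfee AV", "Malware Found and Cleaned"): "low",
    ("McAfee Web Gateway", "Blocked Outbound Connection"): "low",
    ("CheckPoint FW", "Outbound SSH Connection"): "low",
    ("McAfee AV", "Malware Found and Not Cleaned"): "medium",
    ("McAfee AV", "File Infected"): "medium",
    ("McAfee Web Gateway", "Blocked Connection (non-US)"): "medium",
    ("Snort IDS", "High Severity Alert"): "high",
    ("Threat Intel", "Connection to Known C&C Host"): "high",
    ("McAfee AV", "Buffer Overflow"): "high",
}

# Constructed sample feed (not real data); one event per line, last line malformed.
SAMPLE_EVENTS = """\
2014-08-16T09:00:01 host=ws-101 src=McAfee AV msg=Malware Found and Cleaned
2014-08-16T09:02:13 host=ws-101 src=McAfee Web Gateway msg=Blocked Outbound Connection
2014-08-16T09:05:40 host=ws-101 src=CheckPoint FW msg=Outbound SSH Connection
2014-08-16T09:10:00 host=srv-db-2 src=McAfee AV msg=Malware Found and Not Cleaned
2014-08-16T09:11:30 host=srv-db-2 src=CheckPoint FW msg=Outbound SSH Connection
2014-08-16T09:20:00 host=ws-207 src=Threat Intel msg=Connection to Known C&C Host
2014-08-16T09:25:00 host=ws-300 src=McAfee AV msg=Malware Found and Cleaned
2014-08-16T09:30:00 host=ws-300 src=Snort IDS msg=Low Severity Alert
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) src=(.+?) msg=(.+)$")


def parse_events(text):
    """Yield (timestamp, host, source, message); lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def points_for(source, message):
    """Points a single event adds; 0 when no severity filter matches it."""
    tier = INDICATOR_TIER.get((source, message))
    return TIER_POINTS[tier] if tier else 0


def run_escalation(text, threshold=ESCALATION_THRESHOLD):
    """Accumulate per-host risk and report escalations.

    Returns (scores, escalations). scores maps host -> total points.
    escalations is a list of (host, score, triggering message), appended the
    first time a host reaches the threshold. One escalation per host (the case
    stays open; later events raise the score but do not open a second case) is
    an assumption for this example.
    """
    scores = defaultdict(int)
    escalated = set()
    escalations = []
    for _ts, host, source, message in parse_events(text):
        pts = points_for(source, message)
        if pts == 0:
            continue  # not a scored indicator: no change to the system's risk
        scores[host] += pts
        if scores[host] >= threshold and host not in escalated:
            escalated.add(host)
            escalations.append((host, scores[host], message))
    return dict(scores), escalations


if __name__ == "__main__":
    scores, escalations = run_escalation(SAMPLE_EVENTS)
    for host, score in sorted(scores.items()):
        print(f"{host:10} risk={score}")
    for host, score, msg in escalations:
        print(f"ESCALATE {host} (score {score}) on '{msg}'")
```

One caveat the model makes visible: the score only ever grows, so a system that collects low-severity noise for long enough will eventually cross the threshold. A production rule set needs a decay or expiry on the accumulated score; in ESM terms that is the time-to-live on Active List entries, which the deck's diagram does not show.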