
The ArcSight Compliance Tool Kit

Morris Hicks
Consulting Technical Director
© 2009 ArcSight, Inc. All rights reserved.
ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.

Risks are Real and Invite Regulation

www.arcsight.com

2009 ArcSight Confidential

Compliance in a Nutshell
1. Document/define

Business processes

Critical cyber assets

2. Internal controls

Properly defined

Monitored

Enforced


Compliance in a Nutshell (cont.)

3. Implement a secure and auditable log archive

Converge disparate sources
Normalize formats
Capture high event rates
Transit slow, remote links
Establish search, analysis, and reporting

4. Enable event alerting and response

Real-time monitoring
Rapid notification
Intelligent response
Workflow
Documentation

5. Integrate views of who took action, how and when


The ArcSight Approach to Compliance

Prepackaged content: auditors (SOX, HIPAA, PCI, NERC, ITGOV, FISMA)

Share best practices

Extend the platform: custom use case development

Roadmap


Controls

In most cases, regulations don't specify a comprehensive set of controls

Frameworks
ISO 27002:2005 (formerly ISO/IEC 17799)
NIST SP 800-53
COBIT 4

Other drivers of controls
Audit findings
Security assessment findings
Organizational policy


Sample Control Matrix

The matrix has one row per control with these columns: Key Risk Area; Risk; Key Control; Control No.; Control Type; Control Objective; Control Activity; Control Owner; Control Frequency; Control Setting; Evidence. Its five rows are laid out below as records.

Control No.: IT3 (Key Control)
Key Risk Area: Entity
Risk: IT does not have corporate policies and tools as guidelines for the Company.
Control Type: Preventive
Control Objective (Entity - Policies): Ensure IT has processes and procedures for performing all activities in the scope of SOX.
Control Activity: IT maintains IT policies and procedures as guidelines for the company.
Control Owner: IT Director
Control Frequency: Annually
Control Setting: Manual
Evidence: IT Policies; sign-off document showing that policies are approved; location of policies.

Control No.: IT4 (Key Control)
Key Risk Area: Access
Risk: Logical security tools, processes and techniques are not implemented and/or configured to enable restriction of access to programs, data, and other information resources.
Control Type: Preventive
Control Objective (Access - Creation and Modification): Restrict access to programs, data, and other information resources.
Control Activity: IT creates and modifies user accounts and/or assigns access types based on written request from authorized Business Owners.
Control Owner: Help Desk Manager
Control Frequency: As Occurs
Control Setting: Manual
Evidence: User Access Request Form; HelpDesk Ticket.

Control No.: IT10 (Key Control)
Key Risk Area: Access
Risk: Logical security tools, processes and techniques are not implemented and/or configured to enable restriction of access to programs, data, and other information resources.
Control Type: Preventive, Detective
Control Objective (Access - Network Authentication): Enable restriction of access to programs, data, and other information resources on the network.
Control Activity: Network access is authenticated by the Domain Controller (Active Directory), where the password policies adhere to the Corporate Password Policy.
Control Owner: Windows System Admin
Control Frequency: n/a
Control Setting: Auto
Evidence: Corporate Password Policy; screen print of Active Directory Password Policies.

Control No.: IT16 (Key Control)
Key Risk Area: Change Mgmt
Risk: All necessary modifications to existing financial application systems are not implemented in a timely manner - specifically a modification that affects the financials.
Control Type: Preventive
Control Objective (Change Mgmt - Testing and UATs): All necessary modifications to existing financial application systems are implemented in a timely manner - specifically a modification that affects the financials.
Control Activity: SOX related application and infrastructure changes are tested and approved by the Business Users or cross-functionally before they are applied in the Production environment. Evidence of approvals is documented and retained for future audits.
Control Owner: Change Mgmt Lead
Control Frequency: As Occurs
Control Setting: Manual
Evidence: Change mgmt process and policy; User Acceptance Test Signoff approved by Business Owner(s).

Control No.: IT17 (Key Control)
Key Risk Area: Change Mgmt
Risk: Emergency program changes are not approved, documented and implemented timely.
Control Type: Preventive, Monitoring
Control Objective (Change Mgmt - Emergency): Emergency program changes are approved by Mgmt, documented and implemented timely.
Control Activity: Emergency change requests will follow the IT escalation process documented in the Change Management Policy.
Control Owner: Change Mgmt Lead
Control Frequency: As Occurs
Control Setting: Manual
Evidence: Change Management Policy; Change Request Form; Help Desk Ticket and Evidence of Approval.
ArcSight Auditors

Prepackaged content to address the most common controls: SOX, PCI, NERC, HIPAA, FISMA
Logger: reports, searches, alerts
ESM: rules, reports, dashboards

ISO 27002-based

Network modeling
Identify regulated systems
Categorize regulated systems
Import active list data


ArcSight Auditors

Content relies on many data sources
IDS
OS
IAM
Solution guide lists the necessary 20 data sources

UCI (Use Case Identifier) discerns functional content

UCI DEMO!


UCI DEMO (part 1)


UCI DEMO (part 2)


Real-time Dashboards

Graphical summary

Highly configurable

Drill down for detail


Rule Actions & Reports

Rules may initiate actions


Notifications
Case creation

Reports
Scheduled
On demand


Active Channels
Live event collection

Filter

Sort

Drilldown


Auditors Based on ISO Framework

ISO 27002 section / Topic: Use Cases

1-3 / Introductory Sections: Not Applicable
4 / Risk Assessment & Treatment: Security Overview
5 / Security Policy: Policy Violations; High Risk Event Analysis; New Services and Hosts
6 / Organization of Information Security: Reporting on Cases
7 / Asset Management: Asset Inventory Reporting; Data Classification Reporting & Monitoring; Internet Usage Reporting and Monitoring
8 / Human Resources Security: Watching New Hires & Former Employees
9 / Physical & Environmental Security: Physical Building Access

Auditors Based on ISO Framework

ISO 27002 section / Topic: Use Cases

10 / Communications & Operations Management: Configuration Management (File & Configuration Changes, Maintenance Schedules); Audit Trails; Separation of Development, Test, & Operations Facilities; Malicious Code Monitoring; IP Address/User Name Attribution
11 / Access Control: User Management (User Access); Authorization Changes; Password Policy; Privileged Accounts (Administrative Access); Network Services (including routing, firewall, & VPN); Segregation of Networks; Role Based Access Monitoring

Auditors Based on ISO Framework

ISO 27002 section / Topic: Use Cases

12 / Information Systems Acquisition, Development & Maintenance: Certificate Management; Attack Monitoring; Vulnerability Management
13 / Information Security Incident Management: Internal Reconnaissance; Escalated Threats
14 / Business Continuity Management: Availability; Highly Critical Machines
15 / Compliance: Intellectual Property Rights & Information Leaks; Personal and Company Information; Resource Misuse (excessive email, illegal content downloads, etc.); Policy Breaches (P2P, IM, etc.)

Common Compliance Applications


What are the most common ArcSight compliance applications?

Access monitoring

Configuration management

Attacks and malicious code

Audit trail

Network segmentation


Extending the Core Capability of Auditors

How are customers extending the core capability of the auditors?

ISO Section 10: Communications & Operations Management

Use Case: Configuration Management
Modifications to application binaries, configuration files/tables and other sensitive files/tables
Report and review of all configuration changes
Policy change attempts, unscheduled changes

Use Case: Audit Trail
Audit logs cleared/deleted
Audit logs unavailable, i.e. not received
Attempt to disable/change auditing

Use Case: Attacks and Malicious Code
High severity attacks; IDS attacks followed by login from attacking host
Attacks from regulated systems
Antivirus, P2P, spyware, infections
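The Audit Trail examples above have two different shapes: one is an event that is present (a log-clear or audit-policy change), the other is an event that is absent (a source that has stopped reporting), which no rule can see from the event stream alone without a clock. The following is an added illustration written for this page, not ArcSight rule content and not the auditors' own logic. The Windows Security event IDs are the real ones (1102 "the audit log was cleared", 4719 "system audit policy was changed", 4624/4634 logon/logoff); the source inventory, the records and the clock time are constructed.

```python
"""Detecting gaps and tampering in the audit trail (added example, not
ArcSight content). Source inventory, records and clock are constructed."""
from datetime import datetime, timedelta

# Real Windows Security log event IDs that indicate the audit trail itself
# was touched; everything else here is constructed sample data.
AUDIT_TAMPER_IDS = {1102: "audit log cleared", 4719: "system audit policy changed"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def silent_sources(expected, events, now, max_silence):
    """Return {source: last_seen} for expected sources whose newest event is
    older than max_silence (last_seen is None if nothing was ever received).
    Absence cannot be detected from events alone, hence the `now` argument."""
    last_seen = {}
    for e in events:
        ts = parse_ts(e["ts"])
        if ts > last_seen.get(e["source"], datetime.min):
            last_seen[e["source"]] = ts
    return {src: last_seen.get(src) for src in expected
            if last_seen.get(src) is None or now - last_seen[src] > max_silence}


def audit_tamper_events(events):
    """Events whose ID says the audit log was cleared or audit policy changed."""
    return [{"source": e["source"], "ts": e["ts"], "user": e.get("user"),
             "event_id": e["event_id"], "meaning": AUDIT_TAMPER_IDS[e["event_id"]]}
            for e in events if e.get("event_id") in AUDIT_TAMPER_IDS]


# Constructed inventory of sources that are in scope and must report continuously.
EXPECTED_SOURCES = {"dc01", "gl-app01", "fin-db01"}

# Constructed records; event_id follows the Windows Security log numbering.
SAMPLE_EVENTS = [
    {"ts": "2009-03-02T07:55:00", "source": "gl-app01", "event_id": 4624, "user": "svc_gl"},
    {"ts": "2009-03-02T12:10:00", "source": "dc01", "event_id": 4624, "user": "alice"},
    {"ts": "2009-03-02T12:30:00", "source": "dc01", "event_id": 1102, "user": "jdoe"},
    {"ts": "2009-03-02T12:55:00", "source": "dc01", "event_id": 4634, "user": "alice"},
]


def run_checks(now="2009-03-02T13:00:00", max_silence_hours=2):
    """Run both checks against the sample data as of the given clock time."""
    silent = silent_sources(EXPECTED_SOURCES, SAMPLE_EVENTS, parse_ts(now),
                            timedelta(hours=max_silence_hours))
    return silent, audit_tamper_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    silent, tamper = run_checks()
    for src, seen in silent.items():
        print(f"{src}: no events received since {seen or 'never'}")
    for t in tamper:
        print(f"{t['source']} {t['ts']}: {t['meaning']} (event {t['event_id']}) by {t['user']}")
```

The silence threshold should be set per source class: a domain controller that goes quiet for ten minutes is an incident, while a quarterly batch host is not, and a threshold that ignores that difference produces either noise or blind spots.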


Extending the Core Capability of Auditors

ISO Section 11: Access Controls

Use Case: Administrative Access
Successful and unsuccessful logins
Local administrative user created or administrative rights granted
Administrative actions (su, sudo, file modification, etc.)

Use Case: User Access
Successful and unsuccessful logins
Local user created, user created followed by access to regulated system, privilege granted followed by access to regulated system
User activity reports

Use Case: Unauthorized Access
Administrative connections from unauthorized host
Access to unauthorized service
Unauthorized user access, new authorized user

Extending the Core Capability of Auditors

ISO Section 12: Information Systems Acquisition, Development & Maintenance

Use Case: Change Management
Changes made outside of maintenance window
Correlate change request to implemented changes
Changes performed by personnel not in an appropriate role
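The three change-management examples above are one reconciliation: every observed change should be explained by an approved change request that covers its host, its time and the role of the person who made it, and anything not so explained must at least fall inside the standing maintenance window. The following is an added example written for this page, not ArcSight rule content. The maintenance window (Saturday 22:00 to Sunday 04:00), the change requests, the role directory and the observed changes are all constructed.

```python
"""Reconciling observed changes with the change-management record (added
example, not ArcSight content). Window, requests, roles and changes are constructed."""
from datetime import datetime


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def in_maintenance_window(ts):
    """Assumed standing window: Saturday 22:00 through Sunday 04:00."""
    return (ts.weekday() == 5 and ts.hour >= 22) or (ts.weekday() == 6 and ts.hour < 4)


def review_changes(changes, requests, roles):
    """Return {change id: [issues]} for every observed change that is not fully
    explained by an approved request covering its host, time and implementer."""
    by_ticket = {r["id"]: r for r in requests}
    findings = {}
    for c in changes:
        ts = parse_ts(c["ts"])
        issues = []
        cr = by_ticket.get(c.get("ticket"))
        covered = False   # an approved request covers this host at this time
        if cr is None:
            issues.append("no matching change request")
        else:
            if cr["host"] != c["host"]:
                issues.append("change request is for a different host")
            elif not parse_ts(cr["start"]) <= ts <= parse_ts(cr["end"]):
                issues.append("outside the approved implementation period")
            else:
                covered = True
            if roles.get(c["user"]) not in cr["allowed_roles"]:
                issues.append("implemented by a user not in an approved role")
        # An approved, in-period request authorises out-of-window work (an
        # emergency change); anything else must fall in the standing window.
        if not covered and not in_maintenance_window(ts):
            issues.append("outside maintenance window")
        if issues:
            findings[c["id"]] = issues
    return findings


# Constructed change requests; CR-1002 is an approved weekday emergency change.
SAMPLE_REQUESTS = [
    {"id": "CR-1001", "host": "gl-app01", "start": "2009-03-07T22:00:00",
     "end": "2009-03-08T02:00:00", "allowed_roles": {"app_admin"}},
    {"id": "CR-1002", "host": "fin-db01", "start": "2009-03-10T09:00:00",
     "end": "2009-03-10T10:00:00", "allowed_roles": {"dba"}},
]

# Constructed role directory (in practice: from the IAM source).
ROLES = {"alice": "app_admin", "bob": "dba", "carol": "helpdesk"}

# Constructed observed changes (in practice: file-integrity, DB audit, or
# deployment events). 2009-03-07 is a Saturday, 2009-03-09 a Monday.
SAMPLE_CHANGES = [
    {"id": 1, "ts": "2009-03-07T23:10:00", "host": "gl-app01", "user": "alice",
     "action": "deploy build 4.2.1", "ticket": "CR-1001"},
    {"id": 2, "ts": "2009-03-10T09:30:00", "host": "fin-db01", "user": "bob",
     "action": "alter table gl_postings", "ticket": "CR-1002"},
    {"id": 3, "ts": "2009-03-09T14:00:00", "host": "gl-app01", "user": "alice",
     "action": "edit app.properties", "ticket": None},
    {"id": 4, "ts": "2009-03-07T23:30:00", "host": "gl-app01", "user": "carol",
     "action": "edit app.properties", "ticket": "CR-1001"},
    {"id": 5, "ts": "2009-03-10T11:00:00", "host": "fin-db01", "user": "bob",
     "action": "alter table gl_postings", "ticket": "CR-1002"},
]

if __name__ == "__main__":
    for change_id, issues in review_changes(SAMPLE_CHANGES, SAMPLE_REQUESTS, ROLES).items():
        print(f"change {change_id}: " + "; ".join(issues))
```

Note that change 4 is inside both the window and the approved period and still gets flagged: the ticket authorises the work, not the person, and role is checked independently of timing.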

ArcSight Approach to Compliance

Prepackaged content
Auditors
Based on ISO framework
Use case identifier

Best practices
Engagement drivers
Common applications of the technology

How the platform can be extended: custom use case development

Roadmap


Maximizing Value

Articulate requirements
Select controls from discussed best practices
Sample control matrix
Audit results (internal/external)
Security assessment results/penetration tests
Security policy & procedures
Interviews with key personnel (PMO, Internal Audit, Compliance,
InfoSec)
Architecture overview

Prioritize controls for implementation

Align resources
Personnel for interviews
System access for technology implementation

How ArcSight Can Help

Convey industry and customer best practices

Provide sample control matrix

Define technical dependencies for selected controls

Implement the solution

Training/knowledge transfer

Provide solution roadmap
