Workflow with ArcSight ESM
Brian McNelly, Senior Consultant
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Workflow best practices
Verified on ArcSight 6.0C and earlier versions
Event workflow: stages and annotations

Problem it solves
Work can flow between different users with different roles, ensuring continuous investigations with escalating levels of complexity and reducing the likelihood of duplicated effort.

Features
• Steps (called stages) that make up a collaborative workflow used by security operations analysts
• A light-weight way to isolate and escalate individual events
• A method to inform, escalate, and track events of interest

Key SOC benefits
• Triage tool used before escalating an event to an incident
• Ownership is tracked, as are comments and workflow, to ensure investigations are consistent
• Measurable and visible to organizational leaders

[Diagram: SOC Console monitoring stages and workflow. Stage labels shown: Queued; SOC triage (Level 1 active channel(s)); Level 1 investigating; Event triage; Level 2 escalation; Level 2 active channel(s); Level 2 investigating; SOC case created; False positive, no action; Design, testing & focused monitoring.]
Event annotation stages

Stage setup
• Require the analyst to modify the annotation stage before any final action can be taken
• Use workflow controls on subsequent stages
  – Accountability
  – Analytical quality
  – Ownership
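As an added illustration (not part of the original deck and not ArcSight's own code or configuration), the following models the annotation-stage workflow from the previous two slides: the stage names come from the diagram, while the allowed transitions, the ownership hand-off on escalation, and the time-to-resolution KPI are assumptions chosen to show how the stage-setup controls (no final action straight from Queued, tracked ownership, audit trail of comments) can be enforced.

```python
from dataclasses import dataclass, field
from typing import Optional

# Stage names are taken from the slides; the allowed transitions are an
# assumption made for this illustration, not ArcSight's own configuration.
FINAL_STAGES = {"SOC case created", "False positive no action"}
ALLOWED = {
    "Queued": {"Level 1 investigating"},
    "Level 1 investigating": {"Level 2 escalation"} | FINAL_STAGES,
    "Level 2 escalation": {"Level 2 investigating"},
    "Level 2 investigating": FINAL_STAGES,
}

@dataclass
class AnnotatedEvent:
    event_id: str
    stage: str = "Queued"
    owner: Optional[str] = None
    history: list = field(default_factory=list)  # audit trail: (minute, analyst, stage, comment)

    def annotate(self, analyst: str, new_stage: str, comment: str, minute: int) -> None:
        """Move the event to new_stage, enforcing the workflow controls from the slide."""
        # Control: no final action until the analyst has modified the stage at least once
        if new_stage in FINAL_STAGES and self.stage == "Queued":
            raise PermissionError(f"{self.event_id}: close attempted straight from Queued")
        # Control: an event with an owner is only annotated by that owner (accountability)
        if self.owner not in (None, analyst):
            raise PermissionError(f"{self.event_id} is owned by {self.owner}")
        if new_stage not in ALLOWED.get(self.stage, set()):
            raise ValueError(f"{self.stage} -> {new_stage} is not an allowed transition")
        # Escalation hands the event to Level 2, so ownership is released for pickup
        self.owner = None if new_stage == "Level 2 escalation" else analyst
        self.stage = new_stage
        self.history.append((minute, analyst, new_stage, comment))

    def time_to_resolution(self) -> Optional[int]:
        """KPI from the metrics slide: minutes from first annotation to a final stage."""
        if self.stage not in FINAL_STAGES:
            return None
        return self.history[-1][0] - self.history[0][0]

def triage_demo() -> AnnotatedEvent:
    """Constructed walk-through: Level 1 triages and escalates, Level 2 opens a case."""
    ev = AnnotatedEvent("evt-0001")  # constructed sample event id; times are minutes
    ev.annotate("l1_analyst", "Level 1 investigating", "correlated event reviewed", 0)
    ev.annotate("l1_analyst", "Level 2 escalation", "needs host context", 20)
    ev.annotate("l2_analyst", "Level 2 investigating", "picked up", 25)
    ev.annotate("l2_analyst", "SOC case created", "case opened", 55)
    return ev
```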
Best practice: active channels

Active channel setup
• Simple single pane of glass
  – Only present correlated events for analysis
  – Use the message field to present important information
  – Opt-in rules by setting the annotation stage
• Individual active channels
  – Start with a baseline setup
  – Allow individuals write access to their channel
  – Analysts can personalize their active channel

[Diagram: ArcSight individual channels and a shared channel]
Customizable case management

Problem it solves
Centralization of information related to a security incident, including the underlying events, analytical history, and related data, within a single interface.

Features
• Ability to track incidents through HP ArcSight's built-in trouble ticket system
• Use as a standalone ticketing solution OR integrate with a third-party case management system

Key SOC benefits
• Labels, fields & values can adapt to the SOC incident taxonomy
• Events attached to an investigation are retained for historical analysis and reporting
• User interaction with case attributes is logged (audit trail)
• GUI customizations carry over to the HP ArcSight Web interface
Case workflow customization – advantages

Internal case routing
• Ownership
• Route cases to SOC sub-groups
  – Engineering
  – Level 2 analysts
• Eliminates case management by folder structure
• SOC feedback loop

SOC metrics
• Individual and SOC KPIs
• Stakeholder metrics
• Incident types
• Incident categories
• Time to resolution
• Locations

Stakeholder escalation
• Web console
• Two-way communication
• Event logs
• Feedback loop
Case UI customization – files

CaseUI
• Controls layout for the user interface

Resource Strings
• Controls values of the dropdown boxes and data labels

Label Strings
• Controls the labels of tabs, tables, and headers

Case Properties
• Determines attributes of cases written to ArcSight events
Before and after

[Two screenshot slides comparing the case UI before and after customization; images not reproduced in text]
Case workflow: search groups

Problem it solves
Search groups actively display query results based on case attributes, events, and/or time, and are customizable to an individual.

Features
• Use the Common Conditions Editor for the query
• Ability to query events attached to a case
• A method to inform, escalate, and track events of interest

Key SOC benefits
• Displays results based on case attribute changes in real time
• Cases can appear in more than one search group result
Lessons learned

Plan ahead!
• Who are the SOC stakeholders?
• How will the SOC use ArcSight cases?
• How are you going to use cases internally?
  – Filter requests/engineering feedback

Metrics
• What metrics do you need to generate?
• How do you categorize your incidents?

Development plan
• Use a development or backup system
• Schedule and communicate changes
For more information

Attend these sessions
• TT1197, How Mature is your SOC?
• BS1195, 5G/SOC: The World's Most Advanced SOC
• TT1208, Got Reports?

Visit these demos
• Mock SOC, Solution Pavilion
• Software Pavilion

After the event
• Contact your sales rep
• Visit HP ESP at: www.hp.com/go/espservices
• Visit HP SIOC at: www.hp.com/go/sioc
• Download the whitepaper: 'Building a Successful SOC'

Your feedback is important to us. Please take a few minutes to complete the session survey.
Thank you

Security for the new reality