Post on 29-Sep-2020
Cfir Homeri, Security Presales - Central Eastern Europe & Israel, Cfir.homeri@microfocus.com
The New ArcSight Architecture
Data sources: User, Cloud, App Servers & Workloads, Network, Endpoints, IoT, Physical
ARCSIGHT ENTERPRISE SECURITY MANAGER - 24x7 Real-time Monitoring & Correlation
UEBA - User Entity Behavior Analytics
ARCSIGHT LOGGER - Compliance | Search | Retention
ARCSIGHT INVESTIGATE - Hunt | Investigation
SECURITY OPEN DATA PLATFORM
MANAGEMENT CENTER - Suite Management & Administration
TRANSFORMATION HUB - Information delivery
SMART/FLEX CONNECTORS - Data Collection, Enrichment, and Normalization
CONTENT - Unified | Actionable | Insight
WEB CONSOLE - Accessible Monitoring & Platform Management
ArcSight ESM 7.2
Release Summary
Release Name: ArcSight ESM 7.2.0
GA Date: December 4, 2019
Gen10 Appliance GA Date: January 10, 2020
Key Themes: [Simple, Intelligent, Open, Converged (Sentinel, Interset, ArcSight), etc]
Release Highlights / What’s New?
1. Global Event ID
2. Rules Action
3. AutoPass licensing support and Event Ingestion Metrics
4. MITRE ATT&CK Dashboard
5. Default content available on installation
Global Event ID
ESM 7.2 includes the new Global Event ID feature. SODP assigns a unique event ID to each security event being ingested and distributed. That ID sticks with the event as it moves to and through ArcSight Logger, ESM, and Investigate.
Benefits to the customer: Global Event ID helps customers track unique security events across their entire ArcSight ecosystem. They can quickly search for an event and verify that a specific event is the one they are looking for. This facilitates threat investigation and cross-portfolio event analysis.
Global Event IDs (GEIDs) uniquely identify an event across the ArcSight product suite. The ESM event schema now includes a Global Event ID field in addition to the Event ID field.
GEIDs are generated using a GEID generator ID. The generator ID is specified during a fresh install or upgrade and should stay the same for the lifetime of the product.
The generator ID must be unique for each ArcSight product (connectors, ESM, Logger etc.) in an ArcSight deployment; otherwise IDs generated by different products are not guaranteed to be unique.
Events received by ESM from external sources (connectors or Transformation Hub) should have their GEIDs set by that source. Only connectors from version 7.12 onwards set GEIDs in events.
Events generated internally by ESM (correlation events, audit events, monitor events etc.) have their GEIDs set by ESM.
Global Event IDs
GEIDs can be viewed in Active Channels, Filters, Query Viewers etc., i.e. everywhere security event fields can be viewed.
Note that if the event source (connector or TH) does not send events with the GEID set, ESM will not set it.
Events archived in previous versions of ESM, prior to upgrade, will not have GEIDs set upon reactivation.
Global Event ID - Where GEIDs can be viewed
Rules Action Improvement
Improve concurrency of deferred rules action execution
Capture the result of external scripts
Rules Action -- Improve the Concurrency
Multiple threads handle deferred rules actions.
Actions within one rule are executed in sequence.
The number of threads that process deferred rules actions is configured in server.properties: rules.action.threads
Rules Action -- Capture the result of external scripts
The result of executing a rules action is saved in the action event, e.g. ExecuteCommand:Success.
The following fields of the action event hold the result:
Device Custom Number 1: Return value
Device Custom Number 2: Execution time
Device Custom String 5: Console output, only when there is an error in execution; limited to 200 characters
Return value error codes:
0: Success
1000: Invalid platform
1001: Exception in executing the script
Other value: Returned by the script
If a script returns a non-zero value (error), its console output is available in Device Custom String 5.
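As an added example (this is not ArcSight code), a wrapper for the command run by an ExecuteCommand rule action, built around the fields above: only the return value and, for a non-zero return, the first 200 characters of console output reach the action event, so the wrapper stays silent on success, prints one compact diagnostic line on failure and exits with the real command's code. Shell exit codes fit in 0..255, so they cannot collide with ESM's own 1000 and 1001. The name run_action and the 124 timeout code are choices made here, not ESM conventions.

```python
#!/usr/bin/env python3
"""Wrapper for an ESM ExecuteCommand rule action (added example, not ArcSight code).

ESM keeps only two things from an external script: its return value
(Device Custom Number 1) and, when that value is non-zero, at most 200
characters of console output (Device Custom String 5). Codes 1000 and 1001
are reserved by ESM itself ("invalid platform", "exception running the
script"). This wrapper runs the real command, stays silent on success, and
on failure prints one compact line (command, exit code, start of its output)
that fits the 200-character limit, then exits with the command's own code.
"""
import subprocess
import sys

CONSOLE_LIMIT = 200   # characters of console output ESM stores for a failed action
TIMEOUT_RC = 124      # exit code this wrapper uses for a timeout (assumption, as in coreutils timeout)


def summarize(cmd_name: str, rc: int, output: str) -> str:
    """Build the single diagnostic line that ends up in Device Custom String 5."""
    flat = " ".join(output.split())   # collapse newlines and runs of whitespace into one line
    return f"{cmd_name} rc={rc}: {flat}"[:CONSOLE_LIMIT]


def run_action(argv: list[str], timeout: float = 30.0) -> tuple[int, str]:
    """Run the real action; return (exit code, diagnostic line or '' on success)."""
    name = argv[0].rsplit("/", 1)[-1]
    try:
        proc = subprocess.run(
            argv, capture_output=True, text=True, timeout=timeout, check=False
        )
    except FileNotFoundError:
        return 127, summarize(name, 127, "command not found")
    except subprocess.TimeoutExpired as exc:
        partial = exc.stdout or ""
        if isinstance(partial, bytes):
            partial = partial.decode(errors="replace")
        return TIMEOUT_RC, summarize(name, TIMEOUT_RC, f"timed out after {timeout}s {partial}")
    if proc.returncode == 0:
        return 0, ""   # nothing is stored for a successful action, so print nothing
    return proc.returncode, summarize(name, proc.returncode, proc.stdout + proc.stderr)


def main() -> int:
    if len(sys.argv) < 2:
        print("usage: action_wrapper.py <command> [args...]")
        return 2
    rc, line = run_action(sys.argv[1:])
    if line:
        print(line)
    return rc


if __name__ == "__main__":
    sys.exit(main())
```

Point the ExecuteCommand action at this wrapper with the real command as its arguments; a failed action then shows up with its cause in Device Custom String 5 instead of the first 200 characters of a stack trace.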
Scheduled Rules
What are scheduled rules?
Query historical events
Run at a specified time interval (hourly, daily, weekly)
The scheduled rules engine is a batch rules engine which filters historical events, generates correlation events and executes rules actions, like the real-time rules engine.
45-day EPS median report
With the new licensing model, ESM generates a 45-day median report every day at 23:59:59 UTC.
ESM maintains a history of average EPS, SEPS, MMEPS and license capacity.
The history of license usage is maintained in the MySQL database table arc_epd_stats.
Calculations
EPD - Events Per Day is the total number of events generated in a twenty-four hour clock period.
SEPS - Sustained EPS is the "constant" Events Per Second that the system sustained within the twenty-four hour clock period: SEPS = EPD / ((60*60)*24).
MMEPS - Moving Median EPS: utilizing the SEPS recorded per day, the moving median is calculated over a 45-day data set, shifting the calculation window by one day every twenty-four hours after the first 45 days.
The median is calculated by sorting the SEPS values over the 45-day range and taking the middle one, or the average of the middle two values when there is an even number of SEPS values.
MMEPS Calculation
For days 1..45 there are not enough SEPS values collected yet to compute the MMEPS, so an "approximate" MMEPS is displayed:
on day 2, this is the SEPS for day 1
on day 3, this is the average of the SEPS for days 1 and 2
on day 4, this is the median SEPS for days 1..3
and so on until day 46, when 45 days of SEPS are available and a real MMEPS can be computed.
To distinguish the "approximate" MMEPS from the real MMEPS, the former is shown in gray, while the latter is shown in green/yellow/red.
Reference: https://wiki.arst.hpeswlab.net:8443/display/DEV/45-day+Moving+Median+EPS+Report+on+ACC
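The calculation above carried through in Python as an added example (not ESM's own code): SEPS from EPD, the approximate median for days 2..45 and the real 45-day moving median from day 46 on. The sample EPD series is constructed, and the ReportRow field names are this example's own.

```python
"""45-day moving median EPS (MMEPS) as described on the slides (added example,
not ArcSight code). Input: one EPD (events per day) figure per day, oldest
first. Output: the report row for each day with that day's SEPS and the MMEPS
shown on that day, flagged approximate while fewer than 45 SEPS values exist."""
from statistics import median
from typing import NamedTuple, Optional

SECONDS_PER_DAY = 60 * 60 * 24   # SEPS = EPD / ((60*60)*24)
WINDOW = 45                      # days in the moving median


class ReportRow(NamedTuple):
    day: int                 # 1-based day number of the report
    seps: float              # sustained EPS of that day
    mmeps: Optional[float]   # None on day 1 (no SEPS history yet)
    approximate: bool        # True for days 2..45 (shown gray on the Stats page)


def seps(epd: int) -> float:
    """Sustained EPS: events per day spread evenly over 86400 seconds."""
    return epd / SECONDS_PER_DAY


def mmeps_from_history(history: list[float]) -> tuple[Optional[float], bool]:
    """Median of the SEPS values available so far: approximate when fewer than
    WINDOW values exist, otherwise the real MMEPS over the last WINDOW days.
    statistics.median sorts and averages the two middle values for even counts,
    which is exactly the rule the slides give."""
    if not history:
        return None, True
    if len(history) < WINDOW:
        return median(history), True
    return median(history[-WINDOW:]), False


def license_report(epd_per_day: list[int]) -> list[ReportRow]:
    """The report produced on day d uses the SEPS of days 1..d-1
    (day 2 shows day 1's SEPS, day 3 the average of days 1 and 2, ...)."""
    daily_seps = [seps(e) for e in epd_per_day]
    rows = []
    for d in range(1, len(daily_seps) + 1):
        mm, approx = mmeps_from_history(daily_seps[: d - 1])
        rows.append(ReportRow(d, daily_seps[d - 1], mm, approx))
    return rows


if __name__ == "__main__":
    # constructed series: SEPS grows by 1 per day for 50 days (EPD = day * 86400)
    demo = [d * SECONDS_PER_DAY for d in range(1, 51)]
    for row in license_report(demo):
        tag = "approx" if row.approximate else "real"
        print(f"day {row.day:2d}  SEPS={row.seps:5.1f}  MMEPS={row.mmeps} ({tag})")
```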
Accessing the report
Stats page: https://<esm_host>:8443/www/ui-phoenix/com.arcsight.phoenix.PhoenixLauncher/#eventStatistics
CLI tool, exports to a CSV file: bin/arcsight licenseusageexporter
License Metrics
ESM New Content for 7.2
Agenda
Overview
New Default Content
MISP Model Import Connector
Threat Intelligence Platform
Security Threat Monitoring
MITRE Tagging
Integration Command
Updates to Existing Content
What is MITRE ATT&CK?
MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
MITRE ATT&CK™ includes 3 major components: Matrices, Tactics, Techniques.
MITRE ATT&CK Dashboard
What:
Dashboard showing events that match the MITRE ATT&CK matrix.
Why:
Having content that tags MITRE ATT&CK use cases enables the SOC to identify the threats the enterprise is facing.
The dashboard provides a visualization of the identified threats in an intuitive way.
The Basics – The Pyramid of Pain
MITRE ATT&CK – Blueprint for Attack Tactic & Techniques
MITRE ATT&CK Activity Dashboard with Drilldown
Visualization
Datasource: /All Active Lists/ArcSightFoundation/MITRE ATT&CK/Rules Triggered with Mitre ID
Details
1) User selects "MITRE Activity" from the main dashboards.
2) Within the tree visualization, user selects a specific technique.
3) All real-time correlation rules related to that alert are shown on the right, along with more MITRE-related information.
4) When clicked, a special channel opens up with *ONLY* those events related to the selected technique.
MITRE ATT&CK Activity Dashboard
A special visualization showing a tree-view structure: MITRE ATT&CK tactics in the middle + techniques as the branches.
MITRE ATT&CK Activity Dashboard Drilldown Steps
1) User selects a "MITRE Technique" from the main dashboard, e.g. "Brute Force".
2) All real-time correlation *rules* related to that alert are shown on the right, along with more MITRE-related information.
3) When a specific rule is clicked (e.g. "Brute Force OS and Application Attempts"), a special channel opens up with *ONLY* those events related to that rule.
MITRE ATT&CK Activity Dashboard with Drilldown
1) The special active channel opens up with *ONLY* those events related to the rule associated with the chosen MITRE Technique, "Brute Force".
2) All other MITRE ATT&CK artifacts are displayed in the channel.
MITRE ATT&CK Activity Dashboard
MITRE ATT&CK Overview Dashboard
MITRE ATT&CK Matrix Overview Dashboard
MITRE ATT&CK-tagged correlated alerts/events and specific dashboards per MITRE Tactic and MITRE Technique ID are provided OOTB and as a downloadable MITRE ATT&CK Content Pack.
Content: MISP as a Threat Intelligence Feed
What is MISP?
MISP - Open Source Threat Intelligence Platform & Open Standards for Threat Information Sharing; a community-driven platform.
It has become an invaluable platform for NATO, European governments and CERTs.
It is a threat intelligence platform for gathering, sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.
MISP as a Threat Intelligence Feed for ArcSight
A new Model Import Connector (MIC) for MISP has been developed.
The Threat Intelligence Feed from MISP can be directly imported into ESM using this new MIC.
The new Threat Intelligence Platform content utilizes this MISP data.
Design Overview
5 x ESM Active Lists, always up-to-date through the MISP CIRCL Model Import Connector:
Suspicious Email List @ ArcSight ESM
Suspicious Domain List @ ArcSight ESM
Suspicious Filehashes @ ArcSight ESM
Suspicious Full URL List @ ArcSight ESM
2 new packages: Security Threat Monitoring and Threat Intelligence Platform
Content: Threat Intelligence Platform
Intelligence feed from MISP
The Threat Intelligence Platform (TIP) package detects security threats based on the data feed from MISP, which is collected by the MIC.
Customers can also import a feed from another source into ESM, as long as it uses the same active list format.
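As an added example (not the MISP Model Import Connector's code), sorting MISP attributes into the four lists named in the design overview. The Event/Attribute/type/value/to_ids structure is MISP's real JSON export format; the mapping of MISP types to lists, the to_ids filter and the sample event are this example's own assumptions, and since the slides do not show the active list column layout ESM expects, the output is kept as plain value lists per active list.

```python
"""Bucket MISP attributes into the four suspicious lists the TIP content keeps
(added example, not the Model Import Connector's code). The JSON shape
Event -> Attribute[] with type/value/to_ids is MISP's export format; the list
names come from the slides; type mapping and the sample event are constructed."""
import json
from collections import defaultdict

# MISP attribute type -> ESM active list named on the slides (assumed mapping)
TYPE_TO_LIST = {
    "email-src": "Suspicious Email List",
    "email-dst": "Suspicious Email List",
    "domain": "Suspicious Domain List",
    "hostname": "Suspicious Domain List",
    "md5": "Suspicious Filehashes",
    "sha1": "Suspicious Filehashes",
    "sha256": "Suspicious Filehashes",
    "url": "Suspicious Full URL List",
}
CASE_INSENSITIVE = {"Suspicious Email List", "Suspicious Domain List", "Suspicious Filehashes"}

# constructed sample event: one attribute per list, a composite type, a non-IDS value and a duplicate
SAMPLE_EVENT = json.dumps({"Event": {"id": "42", "info": "constructed sample", "Attribute": [
    {"type": "domain", "value": "evil.example", "to_ids": True},
    {"type": "domain|ip", "value": "c2.example|203.0.113.7", "to_ids": True},
    {"type": "url", "value": "http://evil.example/dl.php?x=1", "to_ids": True},
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "to_ids": True},
    {"type": "email-src", "value": "hr@evil.example", "to_ids": True},
    {"type": "domain", "value": "benign-mentioned.example", "to_ids": False},
    {"type": "comment", "value": "analyst note", "to_ids": False},
    {"type": "domain", "value": "EVIL.example", "to_ids": True},
]}})


def misp_to_active_lists(event_json: str, ids_only: bool = True) -> dict[str, list[str]]:
    """Return {active list name: sorted unique indicator values} for one MISP event."""
    lists = defaultdict(set)
    for attr in json.loads(event_json)["Event"].get("Attribute", []):
        if ids_only and not attr.get("to_ids", False):
            continue   # to_ids=False: MISP itself does not consider the value a detection indicator
        # composite types such as "domain|ip" carry two values separated by "|"
        for typ, val in zip(attr["type"].split("|"), attr["value"].split("|")):
            target = TYPE_TO_LIST.get(typ)
            if target is None:
                continue   # ip-*, comment, ... are not among the four lists on the slides
            if target in CASE_INSENSITIVE:
                val = val.lower()   # fold case so EVIL.example and evil.example match once; URL paths keep case
            lists[target].add(val)
    return {name: sorted(vals) for name, vals in lists.items()}


if __name__ == "__main__":
    for name, values in misp_to_active_lists(SAMPLE_EVENT).items():
        print(f"{name}: {len(values)} entries -> {values}")
```

The to_ids flag is the caveat worth keeping: MISP events routinely carry context values (the victim's own domain, an analyst's sample hash) that are not indicators, and loading them into a list that rules match against produces false positives.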
Use cases for Threat Intelligence Platform
Global Variables
Rules
Reputation Data Overview
Content: Security Threat Monitoring
The Security Threat Monitoring package detects attacks based on security logs from firewalls, IDS/IPS, operating systems, proxies, scanners etc.
Use Cases for Security Threat Monitoring
Use Cases
Rules
Resources:
2 Active Channels
2 Dashboards
13 Rules
7 Data Monitors
13 Filters
3 Field Sets
Example - Entity Monitoring
MITRE ATT&CK Framework for ArcSight ESM
The MITRE ATT&CK Framework for ArcSight ESM is a set of ArcSight resources which monitor MITRE ATT&CK rules; it includes the following end-user resources:
2 Dashboards
1 Active Channel
1 Integration Command
1 Report
MITRE ATT&CK Framework for ArcSight ESM
The MITRE Techniques are mapped to ArcSight Rules
Examples: MITRE ATT&CK Overview Dashboard
Examples: MITRE ATT&CK Targets Overview Dashboard
Integration Commands
2 Integration Commands: Brute Force, Exploit of Remote Service
Logger 7.0
What's New
24 TB of event storage per Logger
New Search UI
Search based on event occurred time
EPS Licensing
Reporting:
Data Science - ability to use Python's data science/predictive analytics capabilities with Reporting
Reporting on ArcSight Investigate - Investigate's Vertica database can be added as a data source in Logger Reporting, allowing reports on Investigate data
IP to Geo mapping - ability to convert IP addresses to geo locations and create maps within reports
Out-of-the-box content updates
Bonding/trunking of NICs for appliances
Gen 10
Peer search and reporting performance improvements (internal test metrics available)
24 TB of Storage
Why?
Need to collect more data, from more sources, and retain it for longer.
Adding more Loggers is one solution.
Adding more storage to a Logger is another solution.
24 TB of Storage - Storage Group, Storage Volume
24 TB in the Storage Volume.
12 TB for the Default Storage Group and 5 GB for Internal.
UI Improvements - Search
Event Grid
Drag and drop columns
Resizable columns
Three types of event results grid:
Grid View
Raw Event View
Column View
Event Details
Hide/show null field values
Expand/collapse field categories
Event Comparison
Query Syntax Highlight
Open Filter and Saved Search
Field set selector
New Search UI - Query with Syntax Highlight
New Search UI - Grid View
New Search UI - Grid + Raw Event View
New Search UI - Raw Event View
New Search UI - Event Details
New Search UI - Compare Events
Logger Gen 10 (Tentative GA - Jan 4th 2020)
DL360 Gen10 L7700 spec:
2 x Xeon-G 5118 (2 x 12 cores = 24 cores)
12 x 16 GB = 192 GB RAM
10 Gb NIC: 2-port Ethernet, 2-port SFP
4 x 10 TB SAS 7.2K LFF = 40 TB HDD; 30 TB with RAID 5; 24 TB of live event data
Reporting - Data Science
In Logger reporting, Python data science can be used to extract knowledge and gain insights from the security data collected in Logger.
The Python installed on the OS (Red Hat/CentOS) is used.
Data science libraries are included in the Logger bits: scikit-learn, numpy, pandas, etc.
Turned off by default; see the Admin Guide note on how to turn on Data Science.
Python can be used for non-data-science steps as well.
Data Science / Predictive Analytics
Create Query object: MySQL / Logger search query
Data Science step: Python script, learning and predicting
Format/other steps
Create Report: grid, chart
Sample Data Science Use Case
Data Science Engine component, added while creating a reporting Query Object
Python script of the Data Science Engine component
Analyze firewall traffic based on port, and determine the probability of success for traffic to each port.
Compare future events to see if they conform to the model (i.e. if traffic on port 1234 fails 90% of the time, every successful access attempt on that port deserves attention).
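The use case above worked through as an added example (not the Data Science Engine's own code): a per-port success-probability model fitted on historical firewall events, then applied to new events so that a successful connection on a port that historically fails 90% of the time is flagged. The rows are constructed, and the 20-sample minimum and the 0.2 threshold are assumptions; inside Logger the rows would come from the Query Object, typically as a pandas DataFrame, and the standard library is used here only so the logic stays visible.

```python
"""Port success-probability model from the slide's firewall use case (added
example; not the Logger Data Science Engine's code). Training rows are
constructed (destination port, firewall action); the model is P(accept) per
port, and new events are checked against it."""
from collections import defaultdict

# constructed training data: (destination port, firewall action)
HISTORY = (
    [(1234, "deny")] * 90 + [(1234, "accept")] * 10    # port 1234: 90% fail, 10% success
    + [(443, "accept")] * 95 + [(443, "deny")] * 5     # port 443: 95% success
    + [(3389, "deny")] * 4                             # too little history to trust
)

MIN_SAMPLES = 20   # assumption: ports with fewer rows get no estimate


def fit_port_model(rows):
    """Return {port: P(accept)} for every port with at least MIN_SAMPLES rows."""
    counts = defaultdict(lambda: [0, 0])   # port -> [accepts, total]
    for port, action in rows:
        counts[port][1] += 1
        if action == "accept":
            counts[port][0] += 1
    return {port: acc / tot for port, (acc, tot) in counts.items() if tot >= MIN_SAMPLES}


def flag_unexpected_success(model, new_rows, threshold=0.2):
    """Split new accepts into (flagged, unknown).

    flagged: (port, action, P(accept)) for accepts on ports whose historical
             success probability is below `threshold`, the slide's "port 1234
             is 90% fail, pay attention to every success" rule.
    unknown: accepts on ports without a model entry; reported separately so a
             port never seen before is not silently treated as normal.
    """
    flagged, unknown = [], []
    for port, action in new_rows:
        if action != "accept":
            continue   # only successes are interesting under this model
        p = model.get(port)
        if p is None:
            unknown.append((port, action))
        elif p < threshold:
            flagged.append((port, action, p))
    return flagged, unknown


if __name__ == "__main__":
    model = fit_port_model(HISTORY)
    # constructed "future" events to score against the model
    new_events = [(1234, "accept"), (443, "accept"), (1234, "deny"), (8080, "accept")]
    flagged, unknown = flag_unexpected_success(model, new_events)
    for port, action, p in flagged:
        print(f"ATTENTION port {port}: {action} but historical P(accept)={p:.2f}")
    for port, action in unknown:
        print(f"UNKNOWN port {port}: {action} on a port with no history")
```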
Reporting on ArcSight Investigate
Configure Vertica
Create Query Object
Create Reports
Schedule
Publish
Export
Charts / Maps
Data Science
Reporting - IP to Geo
The MaxMind library is used for converting IP addresses to geo locations.
The latest MaxMind data is available with Logger 7.0.
The context updates used by ESM are used by Logger as well:
Download the context update file from the Entitlements portal
Logger Configuration -> Import Content
Report with IP to Geo - Recon Activity
Logger Out of the Box Content
Major rework of content after 4 years
100+ new reports:
Device Monitoring - OS, Anti-Virus, Networking, IDS-IPS, DGA, etc.
Foundation - Intrusion, MITRE, Networking, Vulnerability, etc.
OWASP
Cloud - CSA Treacherous 12
8 new dashboards:
Malware Overview
DGA
MITRE
Attack and Suspicious Activity, etc.
OWASP\A 7 - Cross-Site Scripting\XSS Vulnerabilities (Top Events)
OWASP\A 2 - Broken Authentication\Broken Authentication Events (Signatures)
MITRE Events
MITRE - Radar Overview
DGA - Clients by Outgoing Bytes to DGA Domains
DGA Domains by Client IP Overview
Good for spotting DNS tunneling just from the graph.
DGA - Radar Overview
DGA Dashboard
Predefined visualizations that use data from DNS connectors.
Thank You
Cfir.homeri@microfocus.com