© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
ArcSight Activate framework Mary Karnes, Solutions Innovation Portfolio Manager #HPProtect
A SIEM is the cornerstone of a security program
Currently a SIEM is the BEST (and often ONLY) way to:
• Manage risk: risk and compliance
• Disrupt the adversary: look for bad guys
44% have trouble managing their SIEM (eIQnetworks 2013 SIEM Survey)
#1 challenge: identification of key events (SANS 2012 Log Management and Event Management Survey)
34% have trouble writing rules (Information Week Report)
There are three main challenges with long-term SIEM maintenance
• Train and retain resources
• Maintain SIEM content
• Keep up with security challenges
The spaghetti content phenomenon: multi-generation content and inconsistencies, hard-to-support rules, and lots of rework.
We’ve built a framework that will revolutionize SIEM engineering
HP’s Activate makes it easy to create, maintain, and mature your SIEM. The offering is designed to distill 10+ years of experience with SIEM deployments into what works best.
Train and retain resources
• A standardized framework enables consistent and repeatable processes that reduce training time for new employees
• Sharable content facilitates technology use and knowledge transfer
Maintain SIEM content
• Install packages drive fast deployment and efficient use of resources
• Common, reusable methodology to create content and rules
Keep up with security challenges
• Guidance, advice, standard use cases, and content packages optimize catching the bad guy
• A documented common framework enables knowledge sharing of threats, trends and monitoring capabilities
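The two slides above describe the spaghetti content problem (multiple generations of the same rule, inconsistent naming, content nobody can support) and the standardized, shareable content that is meant to cure it, but they do not show what "standardized" means in practice. The linter below is an added example, not ArcSight or Activate code: the manifest fields, the naming convention, the category list and the sample use cases are assumptions constructed for illustration. It checks every use case in a small content library against one template and flags the multi-generation symptom, two rules with identical detection logic living side by side.

```python
"""Linter for a standardized SIEM use-case library.

Hypothetical example, not ArcSight/Activate code. The required fields,
naming convention and categories below are assumptions that stand in for
whatever template a content framework would actually mandate.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Fields every use case must declare before it enters the shared library.
REQUIRED_FIELDS = {"id", "name", "category", "data_sources", "logic",
                   "response", "owner", "version"}

# Assumed naming convention: <Category>-<Short Description>, e.g. "Auth-Brute Force".
NAME_RE = re.compile(r"^[A-Z][A-Za-z]+-[A-Z][A-Za-z0-9 ]+$")

# Categories the hypothetical framework recognizes; anything else is unclassified.
CATEGORIES = {"Auth", "Malware", "Network", "Privilege", "Data"}


def lint_use_case(uc: dict) -> list[str]:
    """Return findings for one use case; an empty list means it conforms."""
    uid = uc.get("id", "?")
    findings = []
    missing = REQUIRED_FIELDS - set(uc)
    if missing:
        findings.append(f"{uid}: missing fields {sorted(missing)}")
    name = uc.get("name", "")
    if name and not NAME_RE.match(name):
        findings.append(f"{uid}: name {name!r} violates <Category>-<Description>")
    if uc.get("category") not in CATEGORIES:
        findings.append(f"{uid}: unknown category {uc.get('category')!r}")
    if not uc.get("data_sources"):
        findings.append(f"{uid}: no data sources declared, rule can never fire")
    return findings


def find_duplicates(use_cases: list[dict]) -> list[str]:
    """Flag the multi-generation symptom: several rules with identical logic."""
    by_logic: dict[str, list[str]] = defaultdict(list)
    for uc in use_cases:
        by_logic[uc.get("logic", "")].append(uc.get("id", "?"))
    return [f"duplicate logic in {sorted(ids)}: {logic!r}"
            for logic, ids in by_logic.items() if logic and len(ids) > 1]


def lint_library(use_cases: list[dict]) -> list[str]:
    """Per-rule template checks plus cross-rule duplicate detection."""
    findings = []
    for uc in use_cases:
        findings.extend(lint_use_case(uc))
    findings.extend(find_duplicates(use_cases))
    return findings


# Constructed sample library: one conforming rule, one legacy copy of it, one sloppy rule.
SAMPLE_LIBRARY = [
    {
        "id": "UC-0001", "name": "Auth-Brute Force", "category": "Auth",
        "data_sources": ["windows_security", "linux_auth"],
        "logic": "failed_logins >= 10 within 5m by src_ip",
        "response": "L1: confirm account, escalate to L2 if source is external",
        "owner": "soc-content", "version": 2,
    },
    {   # older generation of UC-0001 that was never retired: same logic, ad hoc name
        "id": "UC-0002", "name": "bruteforce_old", "category": "Auth",
        "data_sources": ["windows_security"],
        "logic": "failed_logins >= 10 within 5m by src_ip",
        "response": "page on-call", "owner": "jsmith", "version": 1,
    },
    {   # rule with no feed, an unknown category and no response procedure
        "id": "UC-0003", "name": "Malware-Beaconing", "category": "Threat",
        "data_sources": [], "logic": "periodic outbound connections to same dst",
    },
]

if __name__ == "__main__":
    for finding in lint_library(SAMPLE_LIBRARY):
        print(finding)
```

Run against the constructed library, the conforming rule produces no findings, the legacy copy is caught by the naming rule and by the duplicate-logic check, and the sloppy rule is caught three times (missing fields, unknown category, no data source). The duplicate check is the one that matters most for long-term maintenance: two rules firing on the same condition double the analyst workload without adding coverage.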
[Slide diagram: Activate, a mature SIEM solution integrating people, process and technology]
• People: Level 1 and Level 2 analysts, engineer, incident handler, application, network and system owners, business stakeholders
• Process: escalation, resolution, KPIs & ROI (the diagram numbers these steps 1 to 7)
• Technology: firewall, router, intrusion detection, web server, proxy, server, ESM server
Spend more time integrating people, process and technology; spend less time building basic content.
How does it work?
Activate includes three critical components
Technology: foundational content with instructions and install packages for end-to-end integration.
• Installers
• Content packages
Framework: documentation and guidance for content development.
• Methodology
• Best practices
• Standardization
• Customization
Services: supplemental services offer a wide range of assistance to customers running a SIEM at different maturity levels.
• Install technology
• Train tech team
• Implement use cases
• Develop maturity roadmap
Useful for current users and new users alike
New customers: new ESM and Express customers benefit from quick ROI by focusing on SIEM integration rather than content development. They simply bypass all the basic use case research and development.
Struggling clients: external expertise is packaged and delivered while providing measures to handle customization. They can collaborate and share ideas with a community using a standard framework.
Anyone following an informed framework improves the community.
Will work with your current deployment
Current content can exist side by side with Activate content.
• Current content: there may be some conflicts with internal components. These can be identified and resolved with minimal outage.
• Corrective measures: if there are major issues regarding the architecture, content best practices or network modeling, rework might be required.
What is my return on investment?
Standardization and simplification result in cost savings

Success factor                   Before        After       Comments
Time to train SIEM engineers     6-18 months   2-8 weeks   65-95% reduction in training time
Use case implementation          months        days        50-75% reduction in time to implement
Content portable and shareable   unavailable   available   Gain efficiencies over time
Weed out irrelevant logs         challenging   obvious     Reduction in storage costs
Use case efficiency              varies        standard    Able to catch more bad guys

Best practices = catching more bad guys
OK, but does it actually work? Do you have success stories?
An overview of a practical experience deploying Activate
Case study of a beta client
Success
• Enabled inexperienced users to develop useful content in 3 days
• Accelerated return on value by 50%
• Reduced use case implementation time by 50%
• Content easier to understand
• More easily able to weed out irrelevant logs and collect relevant logs
Lessons learned
• Does not replace security know-how (forensics, packet analysis, understanding of indicators and warnings, event flow)
How can I get more details?
For more information
Attend these sessions
• TB3267 - Technical overview of the Activate Framework
• Activate workshop, held directly following Protect on Thursday afternoon and all day Friday
After the event
• Contact your sales rep
Speak to our experts
• [email protected]@hp.com
Please give me your feedback
Please fill out a survey and hand it to the door monitor on your way out.
Thank you for providing your feedback, which helps us enhance content for future events.
Session TT3266, speaker Mary Karnes
Thank you