Consolidated Security and Operations Event Management Guide


  • HP Consolidated Security and Operations Event Management
    Software Version: 1.00

    Concept and Configuration Guide

    Document Release Date: April 2013

  • Legal Notices

    Warranty

    The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

    The information contained herein is subject to change without notice.

    Restricted Rights Legend

    Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

    Copyright Notice

    Copyright 2005 - 2013 Hewlett-Packard Development Company, L.P.

    Trademark Notices

    Adobe is a trademark of Adobe Systems Incorporated.

    Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.

    UNIX is a registered trademark of The Open Group.

    HP Consolidated Security and Operations Event Management (1.00) Page 2 of 41

  • Documentation Updates

    The title page of this document contains the following identifying information:

    • Software Version number, which indicates the software version.

    • Document Release Date, which changes each time the document is updated.

    • Software Release Date, which indicates the release date of this version of the software.

    To check for recent updates or to verify that you are using the most recent edition of a document, go to:

    http://h20230.www2.hp.com/selfsolve/manuals

    This site requires that you register for an HP Passport and sign in. To register for an HP Passport ID, go to:

    http://h20229.www2.hp.com/passport-registration.html

    Or click the New users - please register link on the HP Passport login page.

    You will also receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.


  • Support

    Visit the HP Software Support Online web site at:

    http://www.hp.com/go/hpsoftwaresupport

    This web site provides contact information and details about the products, services, and support that HP Software offers.

    HP Software online support provides customer self-solve capabilities. It provides a fast and efficient way to access interactive technical support tools needed to manage your business. As a valued support customer, you can benefit by using the support web site to:

    • Search for knowledge documents of interest

    • Submit and track support cases and enhancement requests

    • Download software patches

    • Manage support contracts

    • Look up HP support contacts

    • Review information about available services

    • Enter into discussions with other software customers

    • Research and register for software training

    Most of the support areas require that you register as an HP Passport user and sign in. Many also require a support contract. To register for an HP Passport ID, go to:

    http://h20229.www2.hp.com/passport-registration.html

    To find more information about access levels, go to:

    http://h20230.www2.hp.com/new_access_levels.jsp


  • Contents

    Welcome to This Guide 7
    How This Guide is Organized 7
    Who Should Read This Guide 7
    Additional Online Resources 8

    Introduction 9
    Overview 9
    Security and Operations Collaboration 10
    Complete Situational Awareness 10
    Rapid Issue Identification and Resolution 11

    Consolidated Security and Operations Event Management Concepts 12
    Overview 12
    Roles and Responsibilities 13
    Operations Event Management 13
    Relevant Security Data 13
    Categorization of Security Events 14
    Event-to-Incident Flow 18

    Consolidated Security and Operations Event Management Configuration 20
    Overview 20
    Components 21
    Solution Diagram 21
    Step 1: Setting up the correlation rules 22
    Step 2: Creating a filter 24
    Step 3: Assigning privileges on the ESM Source Manager 25
    Step 4: Installing the OMi Forwarding Connector 27
    Step 5: Installing the BSM Connector 29
    Step 6: Configuring OMi to use security events from ESM 31
    Example Summary 41


  • Welcome to This Guide

    Welcome to the HP Consolidated Security and Operations Event Management Concept and Configuration Guide. This guide explains the concepts and configurations necessary for a consolidated event management solution and the rationale behind it: what information is being shared between the operations and security silos, for what purpose the HP products are being used, and how to implement this solution.

    This chapter includes:

    How This Guide is Organized 7

    Who Should Read This Guide 7

    Additional Online Resources 8

    How This Guide is Organized

    This guide contains the following chapters:

    Chapter 1: Introduction

    Provides an overview of the operations management world and states the case for a unified Security and Operations Bridge methodology.

    Chapter 2: Consolidated Security and Operations Event Management Concepts

    Provides the concepts behind the methods provided in this document.

    Chapter 3: Consolidated Security and Operations Event Management Configuration

    Describes how to install and configure the integration in order to put the concepts into practice.

    Who Should Read This Guide

    This guide is intended for:

    • IT architects who want to understand how to create a consolidated event management solution in their organization and how to position the different components available to maximize the value of the process and minimize investment and cost,

    • IT operators who would like to get additional insights into the security realm and need guidance as to the best approach,

    • security operators who would like to get additional insights into the operations realm and need guidance as to the best approach, and

    • technical experts who are mandated to install and configure HP Business Service Management and HP ArcSight Enterprise Security Manager in the IT environment within such a solution.

    Some information in this guide may duplicate information available in other documentation, but is provided here for your convenience.


  • Additional Online Resources

    Troubleshooting & Knowledge Base accesses the Troubleshooting page on the HP Software Support Web site where you can search the Self-solve knowledge base. Choose Help > Troubleshooting & Knowledge Base. The URL for this Web site is http://h20230.www2.hp.com/troubleshooting.jsp.

    HP Software Support accesses the HP Software Support Web site. This site enables you to browse the Self-solve knowledge base. You can also post to and search user discussion forums, submit support requests, download patches and updated documentation, and more. Choose Help > HP Software Support. The URL for this Web site is www.hp.com/go/hpsoftwaresupport.

    Most of the support areas require that you register as an HP Passport user and sign in. Many also require a support contract.

    To find more information about access levels, go to: http://h20230.www2.hp.com/new_access_levels.jsp

    To register for an HP Passport user ID, go to: http://h20229.www2.hp.com/passport-registration.html.

    HP Software Web site accesses the HP Software Web site. This site provides you with the most up-to-date information on HP Software products. This includes new software releases, seminars and trade shows, customer support, and more. Choose Help > HP Software Web site. The URL for this Web site is www.hp.com/go/software.

    HP Software Solutions Now accesses the HPSW Solution and Integration Portal Web site. This site enables you to explore HP Product Solutions to meet your business needs, includes a full list of Integrations between HP Products, as well as a listing of ITIL Processes. The URL for this Web site is http://support.openview.hp.com/sc/solutions/index.jsp.

    Protect 724 Enterprise Security Community accesses the ArcSight Web site for the HP ArcSight Enterprise Security Manager community. This community is for ArcSight customers, partners, and employees. The URL for this Web site is https://protect724.arcsight.com/welcome.


  • Chapter 1

    Introduction

    This chapter includes:

    Overview 9

    Security and Operations Collaboration 10

    Complete Situational Awareness 10

    Rapid Issue Identification and Resolution 11

    Overview

    Note: When referred to in this document, the IT Operations Bridge is the group responsible for monitoring the application, infrastructure, network, end users, and so on.

    Today, most operations teams focus on making sure business services are up and running, while security teams focus on reducing threats and increasing compliance. While they perform their tasks separately, both teams work toward the same goal: keeping the business running and, therefore, mitigating business risk. To reduce threats, minimize downtime, and protect service availability, today these two teams must work together more closely than they have in the past.

    While this is not a brand new concept, a unified security and IT operations methodology offers an approach to reducing business risk. This is accomplished by improving the collaboration between Security Operations Centers (SOCs) and the IT Operations Bridge by aligning relationships and processes, as well as enabling the teams to share technology and information. Ultimately, the aim is to break down the barriers between these organizational silos.

    This document explains how to plan and implement an event management solution that utilizes the best from these two worlds and bridges the gap between security and IT operations.

    In essence, risks to business services can result from both security events (hackers who are constantly working against your defenses) and IT operations events (service outages, degraded application performance, poor network performance, and so on). Large enterprises are learning that the way to quickly identify and react to threats to the business is to break down operational silos using collaborative processes, relationships, and shared information.

    This new approach to identifying, understanding, and remediating both security and network operational threats to the business requires renewed thinking and new behavior from both the Security Operations Center and the IT Operations Bridge.

    This document discusses a unified approach across security and network operations, articulates why it matters to your enterprise, and provides the necessary guidance towards implementing this solution and achieving these common goals.

  • Security and Operations Collaboration

    Collaboration between security and operations can be of great value to an IT organization. It is important because, like the enterprise itself, the IT team tends to structure itself around areas of specialization, creating organizational silos. A typical enterprise IT organization has teams specializing in and accountable for networks, applications development, databases, storage, data center maintenance, and user support, with the information security team either reporting directly to IT or part of the corporate security and compliance function. As a result, these teams tend to have developed tools, processes, and configuration information, each within their own operational silos. While this has allowed each team to create efficient intra-team processes, it does not encourage cross-functional collaboration and in many cases can foster an "us-versus-them" culture. This becomes evident during a service outage when representatives from different groups might try to pass the issue on to some other team, or multiple teams might be working on the same issue from different angles and with different information.

    Consider, for example, the case of a distributed denial of service (DDoS) attack against a critical application. When a user calls into the help desk and complains about the application being slow or unusable, the IT Operations Bridge team follows the standard troubleshooting steps, largely independent of the security organization that might already be working on the issue after identifying the DDoS attack with its own telemetry. Also, the operations team might have detected traffic floods and might be working to correct the issue in a third operational silo. The result is overlapping efforts, wasted cycles, and excessive time for remediation of a crippling business problem.

    Had these organizations a more collaborative relationship, they could have identified the root cause more quickly, put the right resource to work on it, and recovered from the problem sooner, saving money and reducing the business downtime.

    Collaboration between the Security Operations Center and the IT Operations Bridge brings cooperation to the silo world of traditional IT and reduces business downtime with consolidated security and operations event management, a methodology for bridging the gaps between operational silos while still utilizing the people, processes, and technology already existing within each silo. This methodology starts with the understanding that security is not just the security team's problem, any more than network issues are just the network team's problem, or application performance is just the application operation team's problem.

    Complete Situational Awareness

    Situational awareness is a term used to describe a state of understanding of the current condition of the enterprise, its risks, and operational parameters. Often this awareness is lost in the shuffle due to information sprawl across enterprise systems, organizations, and processes. The modern enterprise striving for agility must have real-time knowledge not only of operational status, but also of any attacks, incidents, or potential issues looming just around the corner. Situational awareness is not something you get from a product feature. It is the result of people, processes, and intelligent technology working in concert to deliver valuable insight to the enterprise.

  • Rapid Issue Identification and Resolution

    Security and operational risk can surface in any corner of your enterprise to create an incident. Being able to identify the connection between a failing physical/logical system component and an unsatisfactory user experience reported to your help desk, alert the appropriate team to confirm and remediate the issue, and notify users that the problem is being fixed can reduce mean time to response (MTTR).

    Using HP Operations Manager i (OMi), the unified HP Business Service Management (BSM) console for consolidated event management, enables you to monitor and manage the events that occur in your IT environment. It also allows you to correlate related events using a variety of correlation rules based on the type of event and the dynamic topology of the configuration items (CIs) as a part of IT service modeling.

    The knowledge that a security issue might impact a physical component at the same time as a slowdown occurs in the network and an unsatisfactory user experience is being reported can help direct incident resolution to the right target for remediation. This will reduce the MTTR and save valuable resources from being directed to false trails.

  • Chapter 2

    Consolidated Security and Operations Event Management Concepts

    This chapter includes:

    Overview 12

    Roles and Responsibilities 13

    Operations Event Management 13

    Relevant Security Data 13

    Categorization of Security Events 14

    Event-to-Incident Flow 18

    Overview

    Note: When referred to in this document, the IT Operations Bridge is the group responsible for monitoring the application, infrastructure, network, end users, and so on.

    This HP Consolidated Security and Operations Event Management Concept and Configuration Guide describes how to provide a full end-to-end operational picture by bridging the gap between security and operations in event monitoring. This is accomplished by integrating two of HP's market-leading products: HP ArcSight Enterprise Security Manager (ESM) and HP Operations Manager i (OMi).

    • HP ArcSight Enterprise Security Manager is the premier security event manager that analyzes and correlates every event in order to help the IT Security Operations Center team with security event monitoring, from compliance and risk management to security intelligence and operations. ESM sifts through millions of log records and correlates them to find the critical events that matter in real time via dashboards, notifications, and reports. This allows you to accurately prioritize security risks and compliance violations.

    • HP Operations Manager i is universal event-correlation software for diverse IT domains. OMi uses the IT topology from the HP Business Service Management (BSM) Run-time Service Model (RTSM) to automatically correlate related events for quicker and easier root-cause identification, essential in today's complex virtualized and cloud environments, and for heightened efficiency of ITIL event and incident management.

  • Roles and Responsibilities

    • IT Operations Bridge: Monitor and react to events that affect the operation of the IT environment, and report events that affect or may affect overall IT operations.

    Note: Sometimes the Operations Bridge is referred to as the Network Operations Center (NOC). This term is somewhat misleading as it leads people to believe that the NOC only handles network issues.

    • Security Operations Center (SOC): Monitor information systems for alarms and conditions to prevent, detect, and manage cyber attacks and other IT security-related incidents.

    Operations Event Management

    HP Operations Manager i is HP's universal event-management software that is capable of event correlation for diverse IT domains. It consolidates data from infrastructure, network, application, and capacity monitoring using advanced topology and correlation abilities to create more complete and transparent operational monitoring and control. The consolidated security and operations event management methodology proposes to feed relevant security events into OMi. This assists in completing the operational picture and reduces the disconnect between the SOC and IT Operations Bridge groups.

    Relevant Security Data

    In order to achieve the integration described above, security events detected by ESM that have an impact on the operational picture should be visible on the universal event console and correlation tool, namely OMi. Before passing events from ESM to OMi, first determine which events are relevant to OMi and which are not. To determine relevance, apply the following rules of thumb. If the answer to either of these questions is yes, the event is relevant to OMi.

    1. Does this event directly impact the IT Operations Bridge?

    2. Does having this event in OMi enable better decision-making as to resolution, including which team should be assigned to resolve the issue?

    Examples of a relevant security event may be a Denial of Service (DoS) attack against an application that causes a slowdown, or a worm outbreak that causes a network slowdown by consuming bandwidth. Having access to that information in OMi helps the NOC team correctly analyze the root cause of the array of problems reported by service monitors and users alike, and directs operations to solve the problem in an efficient and ultimately quicker manner.

    Not all security events are relevant to the operations event management process. There might be security events that are very important to the organization but have no direct impact on the IT infrastructure. For example, an employee leaking sensitive information off company premises using email may be a severe security issue that needs to be handled by the security team, perhaps by using technological means to limit the ability to transfer this kind of information. This event should be monitored by ESM and handled by the Security Operations Center. However, this event has no effect on IT performance and need not be monitored by the IT Operations Bridge. Sometimes, according to company policy, the IT network operators are not even allowed visibility into those kinds of events. Only events that ESM has already categorized as a security threat should be sent to OMi.

    When all rule conditions and thresholds are met, ESM generates an internal event called a correlated event. A correlated event represents the events that contributed to the rule being triggered and the relevant data contained in them. Although most ESM users can use the default settings available for retrieving events, OMi users commonly require only correlated events to be retrieved from ESM. Furthermore, there are events that occur on applications and environments that should not be visible to the IT Operations Bridge. For example, the security team may create a honeypot environment. A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored and seems to contain information or a resource of value to attackers.

    Events that happen in such an environment are of interest to the security team so they can gather information on attackers, their targets, and techniques. On the other hand, the organization can decide that these events should not be followed by the IT Operations Bridge, either because monitoring them is a futile increase of its workload or because the honeypot is secret. In such a case, no event occurring in the honeypot environment should be sent to OMi.

    For the IT Operations Bridge to have the best situational awareness possible, without irrelevant events overwhelming it, only relevant correlated events should be sent from ESM to OMi.

    Categorization of Security Events

    To help an organization implement this process and decide what is relevant to OMi and what is not, according to the concept presented in the previous section, security event categories are listed below. Each entry gives the name of a category that can be detected by ESM, a brief description of that category, and a recommendation of whether it can be used for operations event management and, thus, sent to OMi.

    Note: This list is intended to highlight the types of events that are commonly encountered in the security realm. It is not a comprehensive list of all existing security events, nor is it a strict directive. Every IT organization can use this list as a basis that should be adapted to the specific environment, use cases, and customizations that already exist.

    Each entry below lists the Security Event Category, its Description, whether it is To be sent to OMi, and the Rationale.

    Security Event Category: Denial of Service attack
    Description: An attempt to make a machine or network resource unavailable.
    To be sent to OMi? Yes
    Rationale: If the attack is successful, it is likely to disrupt operations.

    Security Event Category: Brute Force attack
    Description: An attack that uses an exhaustive key search to try to find data. It may also be used to find credentials to enter a system.
    To be sent to OMi? Yes
    Rationale: Such an attack could cause performance problems on the component attacked.

    Security Event Category: Virus
    Description: A computer virus is a computer program that can replicate itself and spread from one computer to another.
    To be sent to OMi? Yes, if successful
    Rationale: May cause degradation of service because of the resources it consumes, or interrupt the functionality of a service because of interference with the application's code.

    Security Event Category: Worm
    Description: A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer in order to access it. Unlike a computer virus, it does not need to attach itself to an existing program.
    To be sent to OMi? Yes
    Rationale: Worms almost always cause at least some harm to the network, even if only by consuming bandwidth.

    Security Event Category: Code Injection
    Description: The exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by an attacker to introduce (or "inject") code into a computer program to change the course of execution. There are different sub-categories of this attack that can be categorized in ESM.
    To be sent to OMi? Yes
    Rationale: The execution of such an attack can overwhelm the targeted component and have consequences for the availability and performance of the services the IT Operations Bridge monitors.

    Security Event Category: Trojan Horse
    Description: A non-self-replicating type of malware that appears to perform a desirable function but instead facilitates unauthorized access to the user's computer system. Trojan horses do not attempt to inject themselves into other files like a computer virus does.
    To be sent to OMi? Yes
    Rationale: Besides stealing information, Trojan horses may harm their host computer systems.

    Security Event Category: Concern
    Description: This category indicates that something that could be a concern to the company has been detected. An example is an employee sending their resume.
    To be sent to OMi? No
    Rationale: Does not impact IT operations and should be addressed by the security team.

    Security Event Category: Covert Channel
    Description: A type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate according to the computer security policy.
    To be sent to OMi? No

    Security Event Category: Email Threat
    Description: A type of computer security attack where an attacker uses email for various harmful purposes.
    To be sent to OMi? Only large-scale attacks that impact the email service itself
    Rationale: This kind of attack has several sub-categories that have no effect on IT operations status; for example, an email containing a hoax intended to defraud the recipient, or a phishing attempt. These do not have to be reported to OMi. Another specific instance of email threat is a massive spam email campaign that can overwhelm communication and have an effect on operations. This should be reported to OMi.

    Security Event Category: Directory Traversal attack
    Description: Exploits insufficient security validation/sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs. The goal of this attack is to order an application to access a computer file that is not intended to be accessible.
    To be sent to OMi? Yes
    Rationale: A consequence of such an attack can be a component being overwhelmed by malicious commands or content.

    Security Event Category: Privilege Escalation attack
    Description: Exploits a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.
    To be sent to OMi? Yes
    Rationale: Besides the obvious security issues of data leakage and malicious acts, a consequence of such an attack can be a component being overwhelmed by malicious commands or content.

    Security Event Category: Vulnerability
    Description: A weakness which allows an attacker to reduce a system's information assurance.
    To be sent to OMi? No

    Security Event Category: Information Leak
    Description: An event that indicates that a source is able to access sensitive information.
    To be sent to OMi? No
    Rationale: Does not directly impact IT operations and should be addressed by the security team.

    Security Event Category: Policy
    Description: An event that indicates a breach of the organization's policy; for example, browsing a blacklisted web site.
    To be sent to OMi? No

    Security Event Category: Redirection
    Description: Communication with a target (application or site) is being redirected or rerouted to another place.
    To be sent to OMi? Yes
    Rationale: Redirection causes service to be disrupted, as the target application or site the user is trying to access is unreachable.

    Security Event Category: Scan
    Description: Technique used to discover services attackers can break into.
    To be sent to OMi? No
    Rationale: A scan on its own does not disrupt operations. A port scan can help the attacker find which ports are available for launching various attacks; those follow-on attacks create their own security events, which are sent to OMi if relevant.

    Security Event Category: Traffic Anomaly
    Description: This is a deviation from the normal traffic pattern. An intrusion detection system (IDS) may look for unusual traffic activities, such as a flood of user datagram protocol (UDP) packets or a new service appearing on the network.
    To be sent to OMi? Depends on the outcome. If it leads to service disruptions, then yes.
    Rationale: Traffic anomalies can be used to identify unknown attacks and DoS floods, but until ESM identifies them as such they should not be sent to OMi, so as not to overwhelm the system with data.

    Security Event Category: Man in the Middle attack
    Description: This is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
    To be sent to OMi? No
    Rationale: Does not directly impact IT operations and should be addressed by the security team.

    Security Event Category: Spoofing attack
    Description: This is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.
    To be sent to OMi? No
    Rationale: Does not directly impact IT operations and should be addressed by the security team.

    Security Event Category: Session Hijacking
    Description: This is exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system.
    To be sent to OMi? Yes, if successful
    Rationale: The hijacked session may be the cause of a chain of events that impacts IT operations.
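    The following is an added example, written for this guide and not taken from HP ESM, the OMi Forwarding Connector, or any other HP product. It turns the relevance rules of this chapter into one executable filter: only ESM correlated events are considered, events from a honeypot zone are never forwarded, and each category is mapped to the "To be sent to OMi?" decision of the table above (always, never, only if successful, or only once ESM has tied it to a service impact). In the real integration the same decision is expressed as an ESM filter on the Forwarding Connector (Step 2 in Chapter 3); here it is plain Python so the policy can be read and tested on its own. The Event fields (category, correlated, outcome, service_impact, zone) and the sample events are constructed for illustration and do not reflect ESM's actual event schema.

```python
"""Added example: relevance filter for forwarding ESM events to OMi.

Illustrative code for this guide's categorization table; not part of
HP ESM, the OMi Forwarding Connector, or any HP product.  The Event
fields below are assumptions chosen to mirror the concepts in the text,
not ESM's real schema.
"""
from __future__ import annotations

from dataclasses import dataclass

# Forwarding policies derived from the "To be sent to OMi?" column.
ALWAYS = "always"                   # Yes
NEVER = "never"                     # No
IF_SUCCESSFUL = "if_successful"     # Yes, if successful
IF_SERVICE_IMPACT = "if_impact"     # Only once the service itself is impacted

CATEGORY_POLICY = {
    "Denial of Service": ALWAYS,
    "Brute Force": ALWAYS,
    "Virus": IF_SUCCESSFUL,
    "Worm": ALWAYS,
    "Code Injection": ALWAYS,
    "Trojan Horse": ALWAYS,
    "Concern": NEVER,
    "Covert Channel": NEVER,
    "Email Threat": IF_SERVICE_IMPACT,
    "Directory Traversal": ALWAYS,
    "Privilege Escalation": ALWAYS,
    "Vulnerability": NEVER,
    "Information Leak": NEVER,
    "Policy": NEVER,
    "Redirection": ALWAYS,
    "Scan": NEVER,
    "Traffic Anomaly": IF_SERVICE_IMPACT,
    "Man in the Middle": NEVER,
    "Spoofing": NEVER,
    "Session Hijacking": IF_SUCCESSFUL,
}

# Environments the IT Operations Bridge must not see (the honeypot case).
EXCLUDED_ZONES = {"honeypot"}


@dataclass(frozen=True)
class Event:
    name: str
    category: str
    correlated: bool = False      # True only for ESM correlated events (a rule fired)
    outcome: str = "unknown"      # "success", "failure" or "unknown" (assumed field)
    service_impact: bool = False  # True once ESM has tied the event to a disruption
    zone: str = ""                # assumed asset zone label, e.g. "honeypot"


def forward_to_omi(ev: Event) -> tuple[bool, str]:
    """Return (forward?, reason) for one ESM event.

    Structural exclusions (base events, hidden zones) are checked before the
    category policy, and an unknown category is denied by default so that a
    new ESM category cannot silently flood OMi.
    """
    if not ev.correlated:
        return False, "base event; only ESM correlated events go to OMi"
    if ev.zone.lower() in EXCLUDED_ZONES:
        return False, f"zone '{ev.zone}' is hidden from the IT Operations Bridge"
    policy = CATEGORY_POLICY.get(ev.category)
    if policy is None:
        return False, f"category '{ev.category}' not classified; default deny"
    if policy == ALWAYS:
        return True, "category always relevant to operations"
    if policy == NEVER:
        return False, "security-team-only category"
    if policy == IF_SUCCESSFUL:
        return ev.outcome == "success", "forwarded only when the attack succeeded"
    return ev.service_impact, "forwarded only once ESM ties it to a service impact"


def select_for_omi(events) -> list[str]:
    """Names of the events that pass the filter, in input order."""
    return [ev.name for ev in events if forward_to_omi(ev)[0]]


# Constructed sample events (not real ESM output).
SAMPLE_EVENTS = [
    Event("dos-on-webshop", "Denial of Service", correlated=True),
    Event("dos-base-event", "Denial of Service", correlated=False),
    Event("virus-blocked", "Virus", correlated=True, outcome="failure"),
    Event("virus-infected", "Virus", correlated=True, outcome="success"),
    Event("resume-sent", "Concern", correlated=True),
    Event("phishing-mail", "Email Threat", correlated=True),
    Event("spam-storm", "Email Threat", correlated=True, service_impact=True),
    Event("udp-flood-candidate", "Traffic Anomaly", correlated=True),
    Event("honeypot-priv-esc", "Privilege Escalation", correlated=True, zone="honeypot"),
    Event("new-category", "Ransomware", correlated=True),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        ok, why = forward_to_omi(ev)
        print(f"{'FORWARD' if ok else 'drop   '} {ev.name:<22} {why}")
```

    Two design points carry over to the real ESM filter: the zone and correlated-event checks come first, so a honeypot event is dropped even when its category is one that is otherwise always forwarded, and a category the table does not cover is dropped rather than forwarded, which keeps OMi from being flooded when ESM content is updated and forces the SOC and Operations Bridge to classify the new category deliberately.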

    Event-to-Incident Flow

    Event and Incident Management processes are an important part of ensuring the proper behavior of IT environments and are key processes addressed by both the Security and IT Management (ITM) portfolio products. In ITM, these processes are handled by the HP Business Service Management and HP Service Manager products.

    HP's recommendation in this area is to have a uniform event-to-incident flow. IT Operations Bridge operators have the ability to trigger incidents in SM based on the events that are managed in the Operations Management module of BSM (OMi) and to manage the full life cycle of these events and incidents. This whole area is defined by the HP Closed Loop Incident Process (CLIP) Solution. The management of these processes is mostly agnostic to the types of events/incidents that are being managed. This means that the NOC processes can handle security events received from ESM on top of any other event types. As described earlier in this chapter, for various reasons, not all security events reach OMi.


    In order to maintain the uniformity of the processes and their controlled data flow, and in order to serve the need to create incidents from those security events that do not flow into OMi, it is recognized that an alternative route to OMi creating incidents must exist. This route allows the security operators to perform their duty and open incidents in SM without the need to understand whether their event type should or should not go to OMi. This route is a direct route of security events to incidents, from ESM to SM. This ability is currently under development. The long term goal is to help increase the efficiency in this area. Therefore, the longer term solution may use the original route of ESM to OMi to SM, but, as with the ability mentioned here, the security operator role must be maintained.


  • Chapter 3

    Consolidated Security and Operations Event Management Configuration

    This section lists the technical components and steps needed to create an integration between HP ArcSight Enterprise Security Manager (ESM) and HP Operations Manager i (OMi) for unified operations event management.

    This chapter includes:

    Overview 20

    Components 21

    Solution Diagram 21

    Step 1: Setting up the correlation rules 22

    Step 2: Creating a filter 24

    Step 3: Assigning privileges on the ESM Source Manager 25

    Step 4: Installing the OMi Forwarding Connector 27

    Step 5: Installing the BSM Connector 29

    Step 6: Configuring OMi to use security events from ESM 31

    Example Summary 41

    Overview

    This section describes the practices for completing the necessary steps to install and configure the integration between HP ArcSight Enterprise Security Manager and HP Operations Manager i.

    Note: When referred to in this document, the IT Operations Bridge is the group responsible for monitoring the application, infrastructure, network, end users, and so on.

    ESM OMi Consolidated Event Management Integration Example

    Throughout this chapter, an example of an integration between ESM and OMi Consolidated Event Management will be followed to show how the configuration supports this case.

    In this example, a computer virus has infected a server, thus causing a memory leak on the same server and an application relying on this server to slow down its performance.


  • Components

    - HP Operations Manager i v.9.01 and up

    - HP ArcSight Enterprise Security Manager v.5.0 and up

    - HP Business Service Management Connector

    - ArcSight Forwarding Connector

    Solution Diagram

    [Figure: solution diagram. The numbers in red match the step numbers in this chapter.]

    Step  Action

    1     Setting up the correlation rules

    2     Creating a filter

    3     Assigning privileges on the ESM Source Manager

    4     Installing the OMi Forwarding Connector

    5     Installing the BSM Connector

    6.1   Modeling

    6.2   KPI and HI Configuration

    6.3   Correlation

    Step 1: Setting up the correlation rules

    The first step in a successful operations event management integration between the security and operations sides is identifying the events that should be sent from ESM to OMi.

    To that end, rules that correlate base events and create categorized correlated events should be created. HP already provides some out-of-the-box rules in ESM standard content packages; in particular, the intrusion monitoring package. For more information, see the ArcSight ESM Standard Content Guide for Intrusion Monitoring.

    For a list of security event categories that are possible threats, see Chapter 2, "Categorization of Security Events" on page 14. For use cases that are relevant to your organization and are not covered in existing out-of-the-box content, extra rules should be created. For instructions on creating rules that produce events with meaningful categorization, see Chapter 16, "Rules Authoring" in the ESM ArcSight Console User's Guide.

    The correlation rules update the created correlated events with accurate descriptive categorization data, placed in the seven categorization fields used by the ArcSight taxonomy: Object, Behavior, Outcome, Technique, Device Group, Device Type, and Significance. This data is used to filter the correlated events and make sure that only the relevant events are sent to OMi. This data is also used by OMi to place the security events within the consolidated operational picture. The Target fields identify the asset that is the target of the security threat, and are used to map the event in the BSM RTSM topology.

    Category Event Fields

    Object: Target of the security event, for example the operating system, a database, a file, or the memory of a server.

    Behavior: Action done to the object. Behaviors include access, execution or modification, and so on.

    Outcome: Indicates whether the behavior was successful or not, for example a success, a failure, or an attempt.

        An attempt indicates that something was neither a success nor a failure because the outcome is either not clear or there is no statement that could be made about the outcome.

    Technique: Type of event with respect to a security domain, for example whether an event is about a denial of service, a brute force attack, IDS evasion, exploits of vulnerabilities, and so on.

    Device Type: Type of device that is the source for the report, for example the events of the Device Type /Firewall are all the events generated by the firewalls (Checkpoint, Cisco PIX, Netscreen, and so on).

    Device Group: Type of device group that is the source for the report; for example, this dimension lets us query all of the /Firewall-type events as opposed to all of the events generated by a firewall.

        The distinction is that the former query also returns all of the firewall messages in, for example, the operating system logs, such as iptables. In the case of an intrusion prevention system, it has two types of events: one type being the firewall's type of events, such as blocking and passing traffic, and the other type being intrusion detection style messages, such as detection of malicious behavior.

        The former type would contain the value /Firewall in the Device Group and the latter would be /IDS (intrusion detection system).

    Significance: Impact of the event.

    For a fuller description that includes values and examples, see HP ArcSight Event Categorization, "A Technical Perspective".

    ESM OMi Consolidated Event Management Integration Example continued

    In ESM, a rule is added that recognizes the virus according to incoming events and creates a correlated event with the appropriate fields populated.

    The customized actions for such an event are detailed as follows:

    1. The Category Object is set to /Host/Infection/Virus.

    2. The Category Behavior is set to /Create, which means a new virus is detected.

    3. The Category Outcome is set to /Success, which means the virus is created successfully (which is a negative event).

    4. The Category Outcome field is set to /Compromise, which means there is a potential security compromise of the system.

    Step 2: Creating a filter

    The next step is creating a filter that includes only the relevant operations events, as described in Chapter 2, "Relevant Security Data" on page 13. The exact criteria for the filter are based on the categorization data of the events as described in the previous section. For instructions on creating filters, see Chapter 11, "Filtering Events" in the ArcSight ESM Console User's Guide.


  • ESM OMi Consolidated Event Management Integration Example continued

    A new filter named New Virus Filter is built that admits correlated events of successful virus attacks. The filter admits events that are Type = Correlation, Category Object = /Virus, Category Outcome = /Success, and Category Behavior = /Create.

    This New Virus Filter is added as a sub-filter to a filter named OMi Filter that admits all events that are relevant to OMi. As shown below, this filter also admits events of Worm Outbreak and DoS (Denial of Service) attacks.
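    The categorization written by the Step 1 rule and the sub-filter logic of Step 2 can be modelled in a few lines. The following Python is an added example, not ArcSight code and not content from this guide: event records are plain dictionaries keyed by the category field names the chapter uses; the Worm Outbreak and DoS sub-filter conditions and all sample events are constructed, since the chapter does not list them; the filter comparison treats a value such as /Virus as matching the trailing segment of the fuller /Host/Infection/Virus path that the rule writes, which is an assumption about how the guide intends the two to line up; and the /Compromise value from item 4 of the example is stored in the Significance field so that it does not overwrite the /Success Outcome, also an assumption.

```python
"""Added model of the ESM-side selection described in Step 1 and Step 2:
a correlation rule categorizes a virus detection, and an 'OMi Filter' made of
sub-filters decides which correlated events the Forwarding Connector may send.
Not ArcSight code; only the category field names come from the guide."""
from dataclasses import dataclass, field
from typing import Dict, List

Event = Dict[str, str]


def virus_rule(base: Event) -> Event:
    """Stand-in for the ESM rule of Step 1: turn an anti-virus base event into a
    correlated event carrying the categorization the chapter lists."""
    return {
        "type": "Correlation",
        "name": "Virus detected on " + base["targetHostName"],
        "categoryObject": "/Host/Infection/Virus",
        "categoryBehavior": "/Create",      # a new virus was detected
        "categoryOutcome": "/Success",      # the infection succeeded (negative event)
        # The chapter lists /Compromise as a fourth value; it is kept in the
        # Significance field here so it does not overwrite Outcome (assumption).
        "categorySignificance": "/Compromise",
        "targetHostName": base["targetHostName"],
    }


def value_matches(actual: str, wanted: str) -> bool:
    """The chapter writes 'Category Object = /Virus' while the rule populates
    '/Host/Infection/Virus'; treat the filter value as the trailing part of the
    taxonomy path (an assumption about the intended comparison)."""
    return actual == wanted or actual.endswith(wanted)


@dataclass
class Filter:
    name: str
    conditions: Dict[str, str] = field(default_factory=dict)   # all must hold
    sub_filters: List["Filter"] = field(default_factory=list)  # any may hold

    def admits(self, ev: Event) -> bool:
        own = all(value_matches(ev.get(k, ""), v) for k, v in self.conditions.items())
        if not self.sub_filters:
            return own
        return own and any(f.admits(ev) for f in self.sub_filters)


# Step 2 filter with exactly the four conditions the chapter gives.
NEW_VIRUS_FILTER = Filter("New Virus Filter", {
    "type": "Correlation",
    "categoryObject": "/Virus",
    "categoryOutcome": "/Success",
    "categoryBehavior": "/Create",
})

# The chapter says OMi Filter also admits Worm Outbreak and DoS events but does
# not list their conditions; these two sub-filters are constructed for the demo.
WORM_OUTBREAK_FILTER = Filter("Worm Outbreak", {
    "type": "Correlation", "categoryObject": "/Worm", "categoryOutcome": "/Success"})
DOS_FILTER = Filter("DoS", {
    "type": "Correlation", "categoryTechnique": "/DoS", "categoryOutcome": "/Success"})

OMI_FILTER = Filter("OMi Filter",
                    sub_filters=[NEW_VIRUS_FILTER, WORM_OUTBREAK_FILTER, DOS_FILTER])


def forward_to_omi(events: List[Event], flt: Filter = OMI_FILTER) -> List[str]:
    """Return the names of the events the Forwarding Connector would pass on."""
    return [ev["name"] for ev in events if flt.admits(ev)]


# Constructed sample traffic: one anti-virus base event (which the rule turns
# into a correlated event) plus correlated events of other kinds.
SAMPLE_BASE: Event = {"type": "Base", "name": "AV: quarantine failed",
                      "targetHostName": "app-srv-01.example.internal"}
SAMPLE_EVENTS: List[Event] = [
    SAMPLE_BASE,                          # base event: never forwarded
    virus_rule(SAMPLE_BASE),              # correlated virus /Success: forwarded
    {"type": "Correlation", "name": "Virus blocked",
     "categoryObject": "/Host/Infection/Virus", "categoryBehavior": "/Create",
     "categoryOutcome": "/Failure"},      # blocked, so no operational impact
    {"type": "Correlation", "name": "SYN flood against web tier",
     "categoryTechnique": "/DoS", "categoryOutcome": "/Success"},
    {"type": "Correlation", "name": "Port scan",
     "categoryTechnique": "/Scan", "categoryOutcome": "/Attempt"},
]

if __name__ == "__main__":
    print(forward_to_omi(SAMPLE_EVENTS))
```

    Running the block lists only the successful infection and the successful DoS: the raw anti-virus base event and the blocked (/Failure) infection never reach the Forwarding Connector, which is the "relevant security data" rule of Chapter 2 applied in code.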

    Step 3: Assigning privileges on the ESM Source Manager

    Before installing the ArcSight Forwarding Connector, create a Forwarding Connector account in the Source Manager. Then assign filters for incoming events.

    To assign privileges in the Source Manager:

    1. Run the ArcSight Console and log on to ArcSight Manager.

    2. From the Navigator Resources tab, select Users.


    3. Under the Custom User Group, create a user group.

    4. In the user group, for the user type, create a Forwarding Connector user account as shown below:

    5. Return to the Navigator Resources tab and right-click your selected user group.

    6. From the menu, select Edit Access Control.

    7. From the Inspect/Edit window, click the Events tab under the new user type and assign the filters created in "Step 2: Creating a filter" on page 24.

    ESM OMi Consolidated Event Management Integration Example continued

    The OMi Filter created in "Step 2: Creating a filter" on page 24 is added in the ACL Editor as the Events Filter for the Forwarding Connector, thus ensuring that only relevant events are forwarded to OMi.


  • Step 4: Installing the OMi Forwarding Connector

    To install the Forwarding Connector:

    1. Download and run the ArcSight executable file for your operating system.

    2. Using the installation wizard, follow the folder selection tasks and installation instructions for the core SmartConnector software:

    - Introduction

    - Choose Install Folder

    - Choose Install Set

    - Choose Shortcut Folder

    - Pre-Installation Summary

    - Installing...

    3. When installation of the core SmartConnector component is complete, the following dialog box is displayed:

    Select HP Operations Manager i and click Next.


    4. Fill in the parameter information required for the Forwarding Connector configuration.

    Host: Enter the fully qualified domain name of the HP BSM Integration Adapter.

    Port: Enter the port to be used by the device to deliver events, that is, the port on which the BSM Integration Adapter monitors for SNMP traps from the ArcSight Logger.

    Version: Accept the default value of SNMP_VERSION_2.

        Note: SNMP_VERSION_3 is not currently available.

    Read Community (v2): Enter the SNMP Read Community name: default = public

    Write Community (v2): Enter the SNMP Write Community name: default = public

    Note: Leave all the (v3) fields empty, since SNMP v3 is currently not available.

    Click Next to continue.

    5. Select ArcSight Forwarding Connector (Enhanced) and click Next.

    6. Enter the ESM Source Manager information and click Next.

    Note: The user name and password to be used as the ArcSight Source Manager user name and password are the user and password created for the new user in "Step 3: Assigning privileges on the ESM Source Manager" on page 25.

    7. Enter a name for the connector and provide other information identifying the connector's use in your environment. Click Next.

    8. Read the installation summary and click Next.

    Note: If it is incorrect, click Previous and make the necessary changes.


    9. When the connector completes its configuration, click Next. The Wizard prompts you to choose whether to run the connector as a process or as a service.

    - If running the connector as a service, the Wizard prompts you to define the service parameters for the connector.

    - If running the connector as a process, the Wizard directs you to the next step.

    10. After making the selections, click Next. The Wizard displays a dialog box confirming the connector's setup and service configuration.

    11. Click Finish and Done.

    Note: For a full description of installing the Forwarding Connector for OMi, see the SmartConnector Configuration Guide for ArcSight Forwarding Connector.

  • Step 5: Installing the BSM Connector

    1. Install the BSM Connector on the ESM Manager server according to the BSM Connector Deployment Guide on the HP Software Product Manuals web site, and connect it to the BSM gateway machine.

    2. In BSM, define the BSM Connector, which should connect automatically. Confirm that it is connected:

    Admin > integrations > BSM connector integration

    If it is not automatically connected, create it manually using the following configuration:


    Note: For full details about how to configure a BSM Connector integration server, see the BSM online help.

    3. From the BSM Connector server, execute the following command to request an OM agent certificate from BSM:

    ovcert -certreq

    4. From the BSM server, approve the request using the following command:

    ovcm -listPending

    The ID of the pending certificate request is listed.

    For that ID, run the following command (replace <request_ID> with the listed ID):

    ovcm -grant <request_ID>

    5. Download the latest policy files from the ArcSight download site where you obtained the connector. Refer to the ArcSight HP OM and HP OMi SNMP Interceptor Policy Readme for details on uploading the template for Operations Manager for Windows and Operations Manager for UNIX or Linux.

    6. Use the Import button on the BSM Connector to load the policy of ESM and select both the xml and data files.

    7. Activate the policies on the BSM Connector.

    8. Execute the following command on the BSM Connector server:

    ovconfchg -ns eaagt -set SNMP_SESSION_MODE NNM_LIBS

    Note: This command allows the OM sub-agent on the server that is responsible for SNMP traps (opctrapi) to receive SNMP v2 traps. Make sure the Windows SNMP Trap service is down.


  • Step 6: Configuring OMi to use security events from ESM

    In order for OMi to receive events from ESM, there are additional settings that need to be configured in BSM. These include building service models, key performance indicators (KPIs), health indicators (HIs), and event type indicator (ETI) mappings.

    Modeling is the creation of topologies from within the BSM-embedded CMDB with RTSM, using relationships to connect a configuration item (CI) to its subordinate entities. Business applications and their topologies are modeled by connecting the CIs that affect the business service to the business service CI. This is done in a structure that allows viewing the impact of events on a CI on the business service that uses or contains this CI, granting a better understanding of a problem's root causes, with service relations and dependencies on other services.

    - KPIs are assigned to the CIs in the model and reflect, at a high level, each CI's current health status for performance and availability. Each CI has its own KPI or KPIs, and they are assigned to the CI in the Service Health module of OMi. For the KPI to receive data from the events (such as security events) and reflect the status of the CI according to the events, there are objects called Health Indicators.

    - HIs provide fine-grained measurements on the CIs that represent your monitored applications and business services. Some HIs provide business metrics such as backlog and volume, while others monitor various aspects of performance and availability such as CPU load or, in this case, a virus or DoS attack. When you receive an event that is mapped to an HI, the CI KPI receives the measurement according to the assignment and mapping rules that have been configured for this CI type, and that will reflect the overall health status of that CI in the Service Health dashboard in OMi and BSM. When an event is sent to OMi, it is sent with an ETI.

    - ETIs are mapping objects that allow us to map the events to an HI with the correct severity of the impact on that HI. The ETI includes a name and a state; for example, Virus:Error. Using HI definitions in the indicator repository, Service Health translates the ETI state into one of the standard Service Health (OMi) statuses: Critical, Major, Minor, and so on.

    Correlation rules in OMi are based on several variables:

    - Topology (modeling): hierarchical view of the IT service and related components, which are used via the TBEC (topology-based event correlation) engine to define correlation rules by using the knowledge of the components' impact on each other

    - Health Indicators: indicators that are related to the events

    The main purpose of forwarding some of the operationally relevant security events from ESM to OMi is to help the operations team better understand events and problems within OMi that are affecting the business services.


    In order to achieve that, several actions are necessary:

    1. Modeling: Confirm that all of the topology views are modeled correctly and contain all of the necessary CIs. In this case, correct business service modeling is necessary to use the OMi correlation capabilities.

    2. KPI and HI Configuration: Configure the Health Indicators and the type of events that are mapped to the Health Indicators.

    Every relevant CI type should have a KPI for security events. For each type of security event that affects this CI, there should be a corresponding HI. Map all of the security Health Indicators to the security KPI.

    Create and map the HI of this ETI and its related ETI according to the Category fields of the security events received from ESM.

    To create a Health Indicator for a specific ETI:

    a. In BSM's Admin > Service Health folder, go to Repositories > Indicators.

    b. Go to the CI type, click New, and select Health Indicator. Fill in the required data.

    Tip: Confirm that the States are aligned with the severity of the events arriving from ESM.

    c. Map the events to the created HI. In the HI definition, go to ETI Mapping Rules and click Go to Indicator Mapping Rules.

    The Mapping Manager window opens.


    d. Select the CI type you are working on and click New Item. Provide the name for the mapping.

    e. In the Filter Events section, create a filter for the events to map to the Health Indicator. Filter the events according to any attribute in the event.

    For mapping details, refer to the ArcSight HP OM and HP OMi SNMP Interceptor Policy Readme.

    f. Select the Health Indicator to map the events to and select the Based on severity option.

    Next, assign the Health Indicator to the KPI:

    a. In BSM's Admin > Service Health folder, go to Assignments > KPI Assignments and select the CI type.

    b. Edit the {CIType} mapping predefined mapping rule. This maps the security KPI to all CIs of this type and allows the new Health Indicator to affect the KPI.

    Note: If the CI type is not yet assigned in the mapping, add the security KPI and add the Health Indicator to it.

    This procedure needs to be performed for every event forwarded to OMi from ESM that has an impact on the business service.

    For more information on how to configure KPIs and HIs, refer to the Business Service Management version 9.13 Using Service Health Guide.


  • ESM OMi Consolidated Event Management Integration Example continued

    In this example, a new InfectedFile HI is created for the Computer CI type, since the events are mapped to a server.

    Map the InfectedFile HI to the Computer CI type via the Mapping Manager window opened from the ETI Mapping Rules option of the HI definition view.


    In the Event Filter option, decide to filter all the events that arrive at OMi with normal/critical/major severity, which correspond to the values Failure/Attempt/Success in the Outcome field of the incoming virus detection security event.

    Note: The mapping of the severity of the event from ESM terminology to OMi terminology is done via the BSM Connector.


    In the Additional Event Properties tab, filter in only the /Host/Infection/Virus value of the event.categoryObject custom attribute.


    Map all of the events that are about viruses to the InfectedFile Health Indicator that was created, based on their severity.

    Then assign the KPI called security to the Computer CI type, and map all virus events to it. This is done by going to the Admin > Service Health > Assignments > KPI Assignments option of BSM, selecting the Computer CI type, and editing the Computer Mapping predefined mapping rule.

    This maps the security KPI to all CIs of the Computer type and allows the InfectedFile Health Indicator to affect it.

    3. Correlation: The correlation between security events and operations events depends on the modeling plus the KPI and HI configuration. For every security Health Indicator that can cause an operations event, create the proper correlation rules between the security Health Indicator and severity and the operations Health Indicator and severity.

    For example:

    Virus event warning > mapped to Health Indicator: VirusHI, warning severity

    Virus event critical > mapped to Health Indicator: VirusHI, critical severity

    For more information on how to create correlation rules in OMi, refer to the Business Service Management version 9.13 Using Service Health Guide.
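    The chain configured in Step 6 (event to ETI, ETI to a Health Indicator on the target CI, HI to KPI, then a topology-based rule tying the security HI to the operations HIs it explains) is easier to follow as code. The Python below is an added illustration, not BSM or OMi code and not from this guide: the CI names app-srv-01 and Order App, the MemoryUsage and ResponseTime indicators, the KPI names other than security, the two correlation rules and all sample events are constructed; the severity pairing copies the chapter's Failure/Attempt/Success to normal/critical/major list as written; and the KPI roll-up as the worst HI status is a simplification of Service Health's own calculation rules.

```python
"""Added model of the OMi-side processing configured in Step 6: a forwarded
security event is mapped through an ETI to a health indicator (HI) on the
target CI, the HI rolls up into a KPI, and a topology-based rule links the
security HI to the operations HIs it explains. Illustrative only, not OMi code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Severity pairing as the chapter lists it for the Event Filter
# (Outcome Failure/Attempt/Success -> normal/critical/major). The guide says the
# BSM Connector performs this translation; here it is applied when the sample
# security event is built.
OUTCOME_TO_SEVERITY = {"/Failure": "normal", "/Attempt": "critical", "/Success": "major"}
# Service Health status an HI takes from the event severity ("Based on severity").
SEVERITY_TO_STATUS = {"normal": "OK", "minor": "Minor", "major": "Major", "critical": "Critical"}
STATUS_RANK = {"OK": 0, "Minor": 1, "Major": 2, "Critical": 3}


@dataclass
class CI:
    name: str
    ci_type: str                                       # "Computer" or "Application"
    his: Dict[str, str] = field(default_factory=dict)  # HI name -> current status


@dataclass
class Event:
    title: str
    ci: str                      # target CI resolved from the ESM Target fields (Modeling)
    eti: str = ""                # "<name>:<state>", for example Virus:Error
    category_object: str = ""    # ESM custom attribute carried on forwarded events
    severity: str = "normal"


# 6.1 Modeling: which Computer hosts which Application (constructed topology).
TOPOLOGY = {"Order App": "app-srv-01"}

# 6.2 ETI mapping rules: (CI type, event filter, HI). The InfectedFile rule mirrors
# the chapter's example; MemoryUsage and ResponseTime are constructed stand-ins.
ETI_RULES = [
    ("Computer", lambda ev: ev.category_object == "/Host/Infection/Virus", "InfectedFile"),
    ("Computer", lambda ev: ev.eti.startswith("MemoryUsage:"), "MemoryUsage"),
    ("Application", lambda ev: ev.eti.startswith("ResponseTime:"), "ResponseTime"),
]
# KPI assignment: the security KPI collects the security HIs, as the chapter prescribes.
KPI_OF_HI = {"InfectedFile": "security", "MemoryUsage": "System", "ResponseTime": "Performance"}

# 6.3 Correlation rules (constructed): (cause HI, cause CI type, minimum cause
# status, symptom HI, symptom CI type, relation between the two CIs).
CORRELATION_RULES = [
    ("InfectedFile", "Computer", "Major", "MemoryUsage", "Computer", "same_ci"),
    ("MemoryUsage", "Computer", "Major", "ResponseTime", "Application", "hosted_on"),
]


def apply_event(cis: Dict[str, CI], ev: Event) -> Optional[str]:
    """Set the HI chosen by the first matching ETI rule; return its name or None."""
    ci = cis[ev.ci]
    for ci_type, matches, hi in ETI_RULES:
        if ci.ci_type == ci_type and matches(ev):
            ci.his[hi] = SEVERITY_TO_STATUS[ev.severity]
            return hi
    return None


def kpi_status(ci: CI, kpi: str) -> str:
    """Worst status among the HIs assigned to the KPI (simplified roll-up)."""
    statuses = [s for hi, s in ci.his.items() if KPI_OF_HI.get(hi) == kpi]
    return max(statuses, key=STATUS_RANK.__getitem__, default="OK")


def related(cause_ci: str, symptom_ci: str, relation: str) -> bool:
    if relation == "same_ci":
        return cause_ci == symptom_ci
    return TOPOLOGY.get(symptom_ci) == cause_ci   # application hosted on the computer


def correlate(cis: Dict[str, CI], applied: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Return symptom event title -> cause event title for every rule that fires.
    `applied` holds (event title, CI name, HI name) for each mapped event."""
    causes: Dict[str, str] = {}
    for c_hi, c_type, c_min, s_hi, s_type, rel in CORRELATION_RULES:
        for c_title, c_ci, hi in applied:
            if hi != c_hi or cis[c_ci].ci_type != c_type:
                continue
            if STATUS_RANK[cis[c_ci].his[hi]] < STATUS_RANK[c_min]:
                continue
            for s_title, s_ci, shi in applied:
                if shi == s_hi and cis[s_ci].ci_type == s_type and related(c_ci, s_ci, rel):
                    causes[s_title] = c_title
    return causes


# Constructed sample: the chapter's scenario of a virus, a memory leak and a slow application.
SAMPLE_EVENTS = [
    Event("Virus detected on app-srv-01", "app-srv-01", eti="Virus:Error",
          category_object="/Host/Infection/Virus", severity=OUTCOME_TO_SEVERITY["/Success"]),
    Event("Memory usage above threshold", "app-srv-01", eti="MemoryUsage:High", severity="major"),
    Event("Response time degraded", "Order App", eti="ResponseTime:Slow", severity="critical"),
]


def run_example() -> Tuple[str, Dict[str, str]]:
    """Return the server's security KPI status and the cause links found."""
    cis = {"app-srv-01": CI("app-srv-01", "Computer"), "Order App": CI("Order App", "Application")}
    applied = []
    for ev in SAMPLE_EVENTS:
        hi = apply_event(cis, ev)
        if hi:
            applied.append((ev.title, ev.ci, hi))
    return kpi_status(cis["app-srv-01"], "security"), correlate(cis, applied)


if __name__ == "__main__":
    print(run_example())
```

    Run as written, the security KPI of app-srv-01 goes to Major from the forwarded virus event, the memory event is linked to the virus as its cause, and the application's slow response is linked to the memory event through the hosting relationship, which is the three-event cause and effect chain the chapter's example ends with. A blocked infection (Outcome /Failure, severity normal) still sets the InfectedFile HI but leaves it at OK, so no correlation rule fires.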


  • Example Summary

    The following list recaps the example from the beginning of the chapter and shows how each of the configuration steps described in the chapter contributes to creating a consolidated event view:

    Situation: A computer virus has infected a server, thus causing a memory leak on the same server and causing an application relying on this server to slow down its performance.

    1. ESM receives a base event from some anti-virus software. The data received is used to create a correlated event of a virus attack on the server using the ESM correlation rules created in "Step 1: Setting up the correlation rules" on page 22. The fact that it is a virus attack is noted in the Object field, the outcome of the attack is noted in the Outcome field, and the parameters for the target of the attack are identified in the Target fields of the security event.

    2. The event is filtered in by the filter for the Forwarding Connector created in "Step 2: Creating a filter" on page 24, which recognizes the correlation event, based on the rules and the data in the Category fields, as an event that should be forwarded to the Forwarding Connector.

    3. That filter, which was assigned to the Forwarding Connector user in "Step 3: Assigning privileges on the ESM Source Manager" on page 25, allows sending the event to the Forwarding Connector installed in "Step 4: Installing the OMi Forwarding Connector" on page 27, and from there to the BSM Connector with its ArcSight policy described in "Step 5: Installing the BSM Connector" on page 29.

    4. The event reaches BSM, and is then processed in several stages:

    a. The RTSM uses the information from the Target fields to identify the CI of the attacked target, using Modeling as described in "Step 6: Configuring OMi to use security events from ESM" on page 31.

    b. OMi uses the information from the Category fields to identify the ETI of the event, and decides, according to the related HI policy, about the KPI of the relevant CI as described in KPI and HI Configuration in "Step 6: Configuring OMi to use security events from ESM" on page 31.

    c. Based on OMi Correlation as described in "Step 6: Configuring OMi to use security events from ESM" on page 31, OMi then surmises that the virus attack is related and is the probable cause of the memory leak, which in turn causes the application slowdown. The following BSM screenshot displays the BSM event browser indicating the three events (the virus, memory leak, and application slowdown), as well as the cause and effect links between them.

    Using all of these automatic processes, the IT Operations Bridge team now has a full picture of all the events related to the services, including cause and effect, and can use this information to direct remediation measures, if needed, for the correction of the problem's cause.
