Transcript of The ArcSight Compliance Tool Kit

Page 1: The ArcSight Compliance Tool Kit

© 2009 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.

The ArcSight Compliance Tool Kit

Morris Hicks

Consulting Technical Director

Page 2: The ArcSight Compliance Tool Kit

Risks are Real and Invite Regulation

www.arcsight.com © 2009 ArcSight Confidential 2

Page 3: The ArcSight Compliance Tool Kit

Compliance in a Nutshell

1. Document/define
– Business processes
– Critical cyber assets

2. Internal controls
– Properly defined
– Monitored
– Enforced


Page 4: The ArcSight Compliance Tool Kit

Compliance in a Nutshell (cont.)

3. Implement a secure and auditable log archive
– Converge disparate sources
– Normalize formats
– Capture high event rates
– Transit slow, remote links
– Establish search, analysis, and reporting

4. Enable event alerting and response
– Real-time monitoring
– Rapid notification
– Intelligent response
– Workflow
– Documentation

5. Integrate views of who took action, how and when


Page 5: The ArcSight Compliance Tool Kit

The ArcSight Approach to Compliance

Prepackaged content—auditors (SOX, HIPAA, PCI, NERC, ITGOV, FISMA)

Share best practices

Extend the platform—custom use case development

Roadmap


Page 6: The ArcSight Compliance Tool Kit

Controls

In most cases, regulations do not specify a comprehensive set of controls

Frameworks
– ISO 27002:2005 (formerly ISO 17799)
– NIST SP 800-53
– COBIT 4

Other drivers of controls
– Audit findings
– Security assessment findings
– Organizational policy


Page 7: The ArcSight Compliance Tool Kit

Sample Control Matrix

Columns: Area | Risk | Risk rating | Key control | Control no. | Control type | Control objective | Control activity | Control owner | Control frequency | Control setting | Evidence

IT3 (Area: Entity; risk rating: M; key control; type: Preventive; owner: IT Director; frequency: Annually; setting: Manual)
– Risk: IT does not have corporate policies and tools as guidelines for the Company.
– Objective (Entity - Policies): Ensure IT has processes and procedures for performing all activities in the scope of SOX.
– Activity: IT maintains IT policies and procedures as guidelines for the company.
– Evidence: IT Policies; sign-off document showing that policies are approved; location of policies.

IT4 (Area: Access; risk rating: M; key control; type: Preventive; owner: Help Desk Manager; frequency: As Occurs; setting: Manual)
– Risk: Logical security tools, processes and techniques are not implemented and/or configured to enable restriction of access to programs, data, and other information resources.
– Objective (Access - Creation and Modification): Restrict access to programs, data, and other information resources.
– Activity: IT creates and modifies user accounts and/or assigns access types based on written request from authorized Business Owners.
– Evidence: User Access Request Form; Help Desk Ticket.

IT10 (Area: Access; risk rating: M; key control; type: Preventive, Detective; owner: Windows System Admin; frequency: n/a; setting: Auto)
– Risk: Logical security tools, processes and techniques are not implemented and/or configured to enable restriction of access to programs, data, and other information resources.
– Objective (Access - Network Authentication): Enable restriction of access to programs, data, and other information resources on the network.
– Activity: Network access is authenticated by the Domain Controller Active Directory, where the password policies adhere to the Corp Password Policy.
– Evidence: Corporate Password Policy; screen print of Active Directory Password Policies.

IT16 (Area: Change Mgmt; risk rating: M; key control; type: Preventive; owner: Change Mgmt Lead; frequency: As Occurs; setting: Manual)
– Risk: All necessary modifications to existing financial application systems are not implemented in a timely manner - specifically a modification that affects the financials.
– Objective (Change Mgmt - Testing and UATs): All necessary modifications to existing financial application systems are implemented in a timely manner - specifically a modification that affects the financials.
– Activity: SOX related application and infrastructure changes are tested and approved by the Business Users or cross-functionally before they are applied in the Production environment. Evidence of approvals is documented and retained for future audits.
– Evidence: Change mgmt process and policy; User Acceptance Test Signoff approved by Business Owner(s).

IT17 (Area: Change Mgmt; risk rating: M; key control; type: Preventive, Monitoring; owner: Change Mgmt Lead; frequency: As Occurs; setting: Manual)
– Risk: Emergency program changes are not approved, documented and implemented timely.
– Objective (Change Mgmt - Emergency): Emergency program changes are approved by Mgmt, documented and implemented timely.
– Activity: Emergency change requests will follow the IT escalation process documented in the Change Management Policy.
– Evidence: Change Management Policy; Change Request Form; Help Desk Ticket and Evidence of Approval.


Page 8: The ArcSight Compliance Tool Kit

ArcSight Auditors

Prepackaged content to address most common controls—SOX, PCI, NERC, HIPAA, FISMA
– Logger: reports, searches, alerts
– ESM: rules, reports, dashboards

ISO 27002-based

Network modeling
– Identify regulated systems
– Categorize regulated systems
– Import active list data


Page 9: The ArcSight Compliance Tool Kit

ArcSight Auditors

Content relies on many data sources
– IDS
– OS
– IAM
– Solution guide lists the 20 necessary data sources

UCI (Use Case Identifier) discerns functional content
– UCI DEMO!


Page 10: The ArcSight Compliance Tool Kit

UCI DEMO (part 1)


Page 11: The ArcSight Compliance Tool Kit

UCI DEMO (part 2)


Page 12: The ArcSight Compliance Tool Kit

Real-time Dashboards

Graphical summary

Highly configurable

Drill down for detail


Page 13: The ArcSight Compliance Tool Kit

Rule Actions & Reports

Rules may initiate actions
– Notifications
– Case creation

Reports
– Scheduled
– On demand


Page 14: The ArcSight Compliance Tool Kit

Active Channels

Live event collection

Filter

Sort

Drilldown


Page 15: The ArcSight Compliance Tool Kit

Auditors Based on ISO Framework

ISO Topic / Use Cases

1-3 Introductory Sections
– Not applicable

4 Risk Assessment & Treatment
– Security Overview
– High Risk Event Analysis

5 Security Policy
– Policy Violations
– New Services and Hosts

6 Organization of Information Security
– Reporting on Cases

7 Asset Management
– Asset Inventory Reporting
– Data Classification Reporting & Monitoring

8 Human Resources Security
– Watching New Hires & Former Employees
– Internet Usage Reporting and Monitoring

9 Physical & Environmental Security
– Physical Building Access


Page 16: The ArcSight Compliance Tool Kit

Auditors Based on ISO Framework

ISO Topic / Use Cases

10 Communications & Operations Management
– Configuration Management (File & Configuration Changes, Maintenance Schedules)
– Audit Trails
– Separation of Development, Test, & Operations Facilities
– Malicious Code Monitoring
– IP Address/User Name Attribution

11 Access Control
– User Management (User Access)
– Authorization Changes
– Password Policy
– Privileged Accounts (Administrative Access)
– Network Services (including routing, firewall, & VPN)
– Segregation of Networks
– Role Based Access Monitoring


Page 17: The ArcSight Compliance Tool Kit

Auditors Based on ISO Framework

ISO Topic / Use Cases

12 Information Systems Acquisition, Development & Maintenance
– Certificate Management
– Attack Monitoring
– Vulnerability Management

13 Information Security Incident Management
– Internal Reconnaissance
– Escalated Threats

14 Business Continuity Management
– Availability
– Highly Critical Machines

15 Compliance
– Intellectual Property Rights & Information Leaks
– Personal and Company Information
– Resource Misuse (excessive email, illegal content downloads, etc.)
– Policy Breaches (P2P, IM, etc.)


Page 18: The ArcSight Compliance Tool Kit

Common Compliance Applications

Access monitoring

Configuration management

Attacks and malicious code

Audit trail

Network segmentation

What are the most common ArcSight compliance applications?


Page 19: The ArcSight Compliance Tool Kit

Extending the Core Capability of Auditors

ISO Use Case Examples: Section 10 – Communications & Operations Management

Configuration Management
– Modifications to application binaries, configuration files/tables and other sensitive files/tables
– Report and review of all configuration changes
– Policy change attempts, unscheduled changes

Audit Trail
– Audit logs cleared/deleted
– Audit logs unavailable, i.e. not received
– Attempt to disable/change auditing

Attacks and Malicious Code
– High severity attacks, IDS attacks followed by login from attacking host
– Attacks from regulated systems
– Antivirus, P2P, spyware, infections

How are customers extending the core capability of the auditors?

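The three Audit Trail items on this slide are, in practice, two kinds of rule: a match on events that report tampering with the audit trail (log cleared, audit policy changed) and a rule that fires on the absence of events from a system that should be logging. The following is an added example, written for this transcript and not ArcSight Auditor content, that implements both in plain Python over a constructed event list. The host names, timestamps and the REGULATED set (standing in for an active list of regulated systems) are assumptions; Windows Security event IDs 1102 (audit log cleared) and 4719 (audit policy changed) are the standard IDs, used here only as sample data.

```python
"""Audit-trail monitoring for the Section 10 "Audit Trail" use cases.

Added example, not ArcSight content. Events are a constructed, already
normalized list; nothing here reads a real log source.
"""
from datetime import datetime, timedelta

# Assumed list of regulated systems (the role an ESM active list plays).
REGULATED = {"fin-db01", "fin-app01", "fin-web01"}

# Constructed sample events: (timestamp, source host, event id, message).
EVENTS = [
    ("2009-03-01T08:00:00", "fin-db01", "4624", "logon success user=svc_fin"),
    ("2009-03-01T08:05:00", "fin-app01", "4624", "logon success user=jdoe"),
    ("2009-03-01T08:20:00", "fin-db01", "4719", "System audit policy was changed"),
    ("2009-03-01T08:21:00", "fin-db01", "1102", "The audit log was cleared"),
    ("2009-03-01T09:30:00", "fin-app01", "4634", "logoff user=jdoe"),
    ("2009-03-01T10:00:00", "hr-app01", "4624", "logon success user=hr_svc"),  # not regulated
]

# Event IDs that indicate tampering with the audit trail itself
# (standard Windows Security log IDs, used as sample data).
TAMPER_IDS = {"1102": "AUDIT_LOG_CLEARED", "4719": "AUDIT_POLICY_CHANGED"}


def audit_trail_alerts(events, regulated, now, silence_minutes=90):
    """Return (alert type, host, timestamp-or-None) tuples.

    Tamper alerts come straight from the event stream. "Not received" alerts
    are derived from the absence of events, so they are evaluated against the
    clock (`now`, ISO string or datetime) rather than against any one event:
    a regulated host that has sent nothing within the silence period, or has
    never been seen at all, is reported as an audit-trail gap.
    """
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    silence = timedelta(minutes=silence_minutes)
    alerts, last_seen = [], {}
    for stamp, host, eid, _msg in events:
        ts = datetime.fromisoformat(stamp)
        last_seen[host] = max(last_seen.get(host, ts), ts)
        if eid in TAMPER_IDS:
            alerts.append((TAMPER_IDS[eid], host, stamp))
    for host in sorted(regulated):
        seen = last_seen.get(host)
        if seen is None or now - seen > silence:
            alerts.append(("AUDIT_LOGS_NOT_RECEIVED", host, seen.isoformat() if seen else None))
    return alerts


if __name__ == "__main__":
    for alert in audit_trail_alerts(EVENTS, REGULATED, "2009-03-01T10:30:00"):
        print(*alert)
```

The "not received" check has to be driven by the clock rather than by an incoming event, which is why the function takes `now`; on a live system it runs on a schedule against each regulated source's last-seen time, and the silence threshold is set per source type from how often that source normally sends.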

Page 20: The ArcSight Compliance Tool Kit

Extending the Core Capability of Auditors

ISO Use Case Examples: Section 11 – Access Controls

Administrative Access
– Successful and unsuccessful logins
– Local administrative user created or administrative rights granted
– Administrative actions (su, sudo, file modification, etc.)

User Access
– Successful and unsuccessful logins
– Local user created, user created followed by access to regulated system, privilege granted followed by access to regulated system
– User activity reports

Unauthorized Access
– Administrative connections from unauthorized host
– Access to unauthorized service
– Unauthorized user access, new authorized user

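Several items on this slide and the previous one ("IDS attacks followed by login from attacking host", "privilege granted followed by access to regulated system") share one shape: event A, then event B with a matching field value, inside a time window. The following added example (not ArcSight rule content) implements that generic followed-by correlation in Python and instantiates it for both cases. The event schema, addresses, host names, the REGULATED set standing in for an active list of regulated systems, and ADMIN_GROUPS are constructed assumptions.

```python
"""Sequence ("A followed by B") correlation for the Section 10/11 use cases.

Added example, not ArcSight content: all events, hosts and lists below are
constructed sample data.
"""
from datetime import datetime, timedelta

# Assumed active-list data: regulated hosts and groups that confer admin rights.
REGULATED = {"fin-db01", "fin-app01"}
ADMIN_GROUPS = {"Domain Admins", "Administrators"}

# Constructed, already-normalized events (one dict per event, ISO-8601 timestamps).
EVENTS = [
    {"t": "2009-03-01T09:00:00", "type": "ids_alert", "src": "10.9.9.9", "dst": "fin-db01",
     "sev": "high", "sig": "SQL injection attempt"},
    {"t": "2009-03-01T09:04:00", "type": "logon", "src": "10.9.9.9", "host": "fin-db01",
     "user": "svc_fin", "outcome": "success"},
    {"t": "2009-03-01T10:00:00", "type": "group_add", "host": "dc01", "user": "jdoe",
     "group": "Domain Admins", "by": "admin1"},
    {"t": "2009-03-01T11:30:00", "type": "logon", "src": "10.1.1.20", "host": "fin-app01",
     "user": "jdoe", "outcome": "success"},
    {"t": "2009-03-01T12:00:00", "type": "logon", "src": "10.1.1.21", "host": "hr-app01",
     "user": "jdoe", "outcome": "success"},
    {"t": "2009-03-02T13:00:00", "type": "logon", "src": "10.1.1.22", "host": "fin-db01",
     "user": "asmith", "outcome": "success"},
]


def followed_by(events, first, second, join_on, window):
    """Emit (a, b) pairs where a matched `first`, b matched `second` later,
    join_on(a) == join_on(b), and b occurred within `window` after a.

    `pending` holds the open A events per join key. It is pruned to the window
    each time a B arrives, so state is bounded by the window length, which is
    the same partial-match bookkeeping a SIEM rule engine keeps.
    """
    pending, hits = {}, []
    for ev in sorted(events, key=lambda e: e["t"]):
        ts = datetime.fromisoformat(ev["t"])
        if second(ev):
            k = join_on(ev)
            live = [(ats, a) for ats, a in pending.get(k, []) if ts - ats <= window]
            pending[k] = live
            hits.extend((a, ev) for _ats, a in live)
        if first(ev):  # checked after `second` so an event never pairs with itself
            pending.setdefault(join_on(ev), []).append((ts, ev))
    return hits


def regulated_logon(e):
    """Successful logon to a host on the regulated-systems list."""
    return e["type"] == "logon" and e.get("outcome") == "success" and e.get("host") in REGULATED


def rule_attack_then_login(events, window_minutes=15):
    """High-severity IDS alert followed by a successful logon from the attacking address."""
    return followed_by(events,
                       first=lambda e: e["type"] == "ids_alert" and e.get("sev") == "high",
                       second=regulated_logon,
                       join_on=lambda e: e["src"],
                       window=timedelta(minutes=window_minutes))


def rule_priv_then_regulated_access(events, window_hours=24):
    """Administrative group membership granted, followed by that user logging on to a regulated system."""
    return followed_by(events,
                       first=lambda e: e["type"] == "group_add" and e.get("group") in ADMIN_GROUPS,
                       second=regulated_logon,
                       join_on=lambda e: e["user"],
                       window=timedelta(hours=window_hours))


if __name__ == "__main__":
    for a, b in rule_attack_then_login(EVENTS):
        print("attack-then-login:", a["src"], "->", b["host"], "as", b["user"], "at", b["t"])
    for a, b in rule_priv_then_regulated_access(EVENTS):
        print("priv-then-access:", a["user"], "added to", a["group"], "then logon to", b["host"], "at", b["t"])
```

The window is the knob that matters when tuning a rule like this: too short and a slow attacker or a next-day logon is missed, too long and every routine logon after a group change fires. Keying on the regulated-systems list rather than on all hosts is what keeps the second rule reviewable by an auditor.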

Page 21: The ArcSight Compliance Tool Kit

Extending the Core Capability of Auditors

ISO Use Case Examples: Section 12 – Info-Systems Acquisition, Development & Maintenance

Change Management
– Changes made outside of maintenance window
– Correlate change request to implemented changes
– Changes performed by personnel not in an appropriate role

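The three Change Management items above correlate a change event against a schedule, a ticket and a role. The following is an added example (not ArcSight content) that does this in Python for constructed file-change events, a constructed change-request export and an assumed role directory; it also runs the correlation in the other direction to list approved requests that no observed change implements. The 22:00-02:00 window, hosts, paths, users, roles and ticket IDs are all assumptions.

```python
"""Change-management correlation for the Section 12 use cases.

Added example, not ArcSight content. All data below is constructed.
"""
from datetime import datetime, time

# Maintenance window as local clock times; this one wraps past midnight.
MAINT_WINDOW = ("22:00", "02:00")

# Assumed role directory; only this role may implement production changes.
ROLES = {"opsadmin": "change_implementer", "jdoe": "developer"}
IMPLEMENTER_ROLES = {"change_implementer"}

# Constructed change-request export: host + path + approved implementation span.
CHANGE_REQUESTS = [
    {"id": "CR-1042", "host": "fin-app01", "path": "/opt/fin/app.cfg",
     "start": "2009-03-01T22:00:00", "end": "2009-03-02T02:00:00", "approved": True},
    {"id": "CR-1043", "host": "fin-db01", "path": "/etc/my.cnf",
     "start": "2009-03-01T22:00:00", "end": "2009-03-02T02:00:00", "approved": False},
    {"id": "CR-1044", "host": "fin-web01", "path": "/etc/httpd/httpd.conf",
     "start": "2009-03-03T22:00:00", "end": "2009-03-04T02:00:00", "approved": True},
]

# Constructed file-integrity / configuration-change events.
CHANGE_EVENTS = [
    {"t": "2009-03-01T22:30:00", "host": "fin-app01", "path": "/opt/fin/app.cfg", "user": "opsadmin"},
    {"t": "2009-03-01T14:15:00", "host": "fin-app01", "path": "/opt/fin/app.cfg", "user": "opsadmin"},
    {"t": "2009-03-01T23:10:00", "host": "fin-db01", "path": "/etc/my.cnf", "user": "jdoe"},
    {"t": "2009-03-02T01:00:00", "host": "fin-web01", "path": "/etc/httpd/httpd.conf", "user": "root"},
]


def in_maintenance_window(stamp, window=MAINT_WINDOW):
    """True if the event's clock time falls inside the window; handles a window that wraps midnight."""
    t = datetime.fromisoformat(stamp).time()
    start, end = (time.fromisoformat(x) for x in window)
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def matching_request(ev, requests):
    """Return the approved request covering this event's host, path and time, or None."""
    ts = datetime.fromisoformat(ev["t"])
    for cr in requests:
        if (cr["approved"] and cr["host"] == ev["host"] and cr["path"] == ev["path"]
                and datetime.fromisoformat(cr["start"]) <= ts <= datetime.fromisoformat(cr["end"])):
            return cr
    return None


def review_changes(events, requests=CHANGE_REQUESTS, roles=ROLES, window=MAINT_WINDOW):
    """Return [(event, [finding, ...]), ...]; an empty finding list means the change is accounted for."""
    reviewed = []
    for ev in events:
        findings = []
        if not in_maintenance_window(ev["t"], window):
            findings.append("OUTSIDE_MAINT_WINDOW")
        if matching_request(ev, requests) is None:
            findings.append("NO_APPROVED_CHANGE_REQUEST")
        if roles.get(ev["user"]) not in IMPLEMENTER_ROLES:
            findings.append("IMPLEMENTER_NOT_AUTHORIZED_ROLE")
        reviewed.append((ev, findings))
    return reviewed


def unimplemented_requests(events, requests=CHANGE_REQUESTS):
    """Approved requests with no observed change inside their span: the reverse correlation."""
    implemented = set()
    for ev in events:
        cr = matching_request(ev, requests)
        if cr:
            implemented.add(cr["id"])
    return [cr["id"] for cr in requests if cr["approved"] and cr["id"] not in implemented]


if __name__ == "__main__":
    for ev, findings in review_changes(CHANGE_EVENTS):
        print(ev["t"], ev["host"], ev["path"], ev["user"], findings or "ok")
    print("approved but not implemented:", unimplemented_requests(CHANGE_EVENTS))
```

An unknown user (here `root`, absent from the role directory) is treated as not authorized rather than skipped; in practice that is the finding that surfaces shared or local accounts being used for production changes. The reverse check, approved requests with no matching change, is what lets the ticket system and the file-integrity feed be reconciled in both directions for the audit trail.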

Page 22: The ArcSight Compliance Tool Kit

ArcSight Approach to Compliance

Prepackaged content
– Auditors
– Based on ISO framework
– Use case identifier

Best practices
– Engagement drivers
– Common applications of the technology

How the platform can be extended—custom use case development

Roadmap


Page 23: The ArcSight Compliance Tool Kit

Maximizing Value

Articulate requirements
– Select controls from discussed best practices
– Sample control matrix
– Audit results (internal/external)
– Security assessment results/penetration tests
– Security policy & procedures
– Interviews with key personnel (PMO, Internal Audit, Compliance, InfoSec)
– Architecture overview

Prioritize controls for implementation

Align resources
– Personnel for interviews
– System access for technology implementation


Page 24: The ArcSight Compliance Tool Kit

How ArcSight Can Help

Convey industry and customer best practices

Provide sample control matrix

Define technical dependencies for selected controls

Implement the solution

Training/knowledge transfer

Provide solution roadmap
