Use cases – HPE ArcSight

Defining, building, and making use cases work
Paul Brettle – Presales Manager, Americas Pacific Region
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
What is a use case?
• Compliance – FISMA, PCI, SOX, etc.
• Network security – firewalls, IDS, routers & switches
• Malware
• Systems – application and operating system
• User monitoring – identity, privileged user, shared accounts
• SOC metrics – management metrics, analyst team, infrastructure performance
• Fraud – banking, ATMs
• Others?
Defining a use case
A six-step cycle, shown on the slide as a loop that returns from step 6 to step 1:
1. Problem statement
2. Define and refine the objective
3. Identify data source
4. Define thresholds
5. Identify deliverables
6. Evaluate
Example use case – audit log cleared
1. Problem statement: How do I know when the audit log is cleared on my systems?
2. Define and refine the objective: I need to be notified when audit logs are cleared for my critical assets.
3. Identify data source (Data): Operating System; IDS/IPS (Host); Firewalls
4. Define thresholds: What are my thresholds? (Always, frequency based, something else?)
5. Identify deliverables – how do I want to be made aware?
   • Notification to CIRT
   • Dashboard tracking
   • Compliance
   • Report to Auditors of Audit Log Cleared
6. Evaluate
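The "Always" and "Frequency based" thresholds from step 4, worked through as a small rule over normalised events. This is an added illustration, not content from the deck or ArcSight's own rule syntax; the events, the critical asset list and the five-minute window are constructed, and the only real identifier is Windows Security event ID 1102 (audit log cleared).

```python
"""Audit-log-cleared rule with the two threshold styles the slide names (always / frequency based)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, vendor-neutral sample events (not real log data). Event ID 1102 is the
# Windows Security log "audit log was cleared" event; 4624 is an ordinary logon.
EVENTS = [
    {"ts": "2014-06-10T09:00:00", "host": "db01", "event_id": 1102, "user": "svc_backup"},
    {"ts": "2014-06-10T09:01:30", "host": "db01", "event_id": 1102, "user": "svc_backup"},
    {"ts": "2014-06-10T09:02:00", "host": "web03", "event_id": 1102, "user": "jdoe"},
    {"ts": "2014-06-10T09:03:00", "host": "lab-vm", "event_id": 1102, "user": "tester"},
    {"ts": "2014-06-10T09:04:00", "host": "db01", "event_id": 4624, "user": "svc_backup"},
]
# Constructed asset list standing in for the slide's "my critical assets".
CRITICAL_ASSETS = {"db01", "web03"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def audit_cleared_events(events, critical_only=True):
    """Keep only log-cleared events, by default restricted to critical assets."""
    return [e for e in events
            if e["event_id"] == 1102 and (not critical_only or e["host"] in CRITICAL_ASSETS)]

def alerts_always(events):
    """Threshold 'Always': every clear on a critical asset notifies the CIRT."""
    return [f"CIRT: audit log cleared on {e['host']} by {e['user']} at {e['ts']}"
            for e in audit_cleared_events(events)]

def alerts_frequency(events, count=2, window=timedelta(minutes=5)):
    """Threshold 'Frequency based': fire once a host clears its log `count` times in `window`."""
    seen = defaultdict(list)          # host -> timestamps of clears inside the sliding window
    alerts = []
    for e in sorted(audit_cleared_events(events), key=lambda e: e["ts"]):
        now = parse_ts(e["ts"])
        # drop clears that have aged out of the window, then add this one
        seen[e["host"]] = [t for t in seen[e["host"]] if now - t <= window] + [now]
        if len(seen[e["host"]]) >= count:
            alerts.append(f"CIRT: {e['host']} cleared its audit log {count}x within {window}")
            seen[e["host"]] = []      # reset so one burst produces one alert
    return alerts
```

On the constructed input, "Always" yields three notifications (the lab VM is not a critical asset and the logon event is not a clear), while "Frequency based" yields one, for the host that cleared its log twice inside the window.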
Building a use case
• Capture the data / requirements consistently
• Utilise a standard process
  • What works for you is great
  • Consider Use Case forms: https://protect724.arcsight.com/docs/DOC-1523 (Cindy Jones)
• Targeted, simple, manageable
• Steer clear of monolithic packages
Simple tactics to make your life easy
• KISS principle still stands
• Normal mechanisms stand, but control is the key part
  • Keep named user control around role based access
  • Limit options for access rights – operators DON'T need write to rules!
  • Group by general use / log source type / purpose – your choice!
  • Use the numbering structures / schemes
  • Remember the use case process and captured data
  • Build out on deliverables
  • Build out on threat / risk
ArcSight use cases
• Under used previously – been present since ESM 4.5
• Much more content and documentation around for ESM 6.0c and Express 4.0
• Look at focused content built around specific data sets
  • Usually focused around several active lists – imported or used as standard
  • Linked resources for filters, active channels etc. – common naming, structure etc.
• Wizard tool to drive content configuration
Configuring a use case
Steps to build use cases
1. Problem statement
2. Define objectives
3. Identify data sources
4. Define thresholds
5. Identify the deliverables
6. Evaluate & refine as needed
Example use case
• Problem statement:
  • Identify unauthorized privileged user access to critical servers
• Define the objective:
  • Ensure we have the ability to identify when unauthorized access is:
    • Attempted
    • Succeeds
    • Occurs without authorization
  • Identify unusual behavior
  • Allow easy identification of other activities
Example use case
Identify the data sources:
• Servers
• Network devices
• Other?
But also need to identify supporting data sources:
• Who is a privileged user?
• Can we identify them easily?
• How can we identify if they are allowed / authorized or not?
• Change control system? Change window?
• Supporting network log data?
Example use case
• Data source -> list
• Log data -> event
• Alert -> rule
• Consider supporting information
  • Critical servers – asset list
  • Privileged users – external list
  • Default privileged user – external list
Example use case
Define the thresholds
• How to trigger rules?
• What content to build out?
• Where does the information go?
  • Individuals?
  • Team to process?
  • Tracking list?
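The list-driven rule the last two slides describe (asset list, privileged-user list, default privileged accounts, change-control window) with the threshold questions answered in code: when the rule fires, and whether the result goes to a team or to a tracking list. This is an added example, not the deck's content or an ArcSight rule; every list, window and event below is constructed.

```python
"""Privileged-access-to-critical-server rule built from the lists the slides call for."""
from datetime import datetime

# Constructed lists (stand-ins for the asset list / external lists), not real data.
CRITICAL_SERVERS = {"db01", "web03"}
PRIVILEGED_USERS = {"alice.admin", "bob.dba"}
DEFAULT_PRIVILEGED = {"administrator", "root"}   # built-in accounts nobody should log in as
# Approved windows exported from change control: (host, user, start, end).
CHANGE_WINDOWS = [("db01", "bob.dba", "2014-06-10T22:00:00", "2014-06-11T02:00:00")]

# Constructed, normalised logon events; outcome is "success" or "failure".
EVENTS = [
    {"ts": "2014-06-10T23:10:00", "host": "db01", "user": "bob.dba", "outcome": "success"},
    {"ts": "2014-06-10T14:05:00", "host": "db01", "user": "alice.admin", "outcome": "success"},
    {"ts": "2014-06-10T14:06:00", "host": "web03", "user": "Administrator", "outcome": "failure"},
    {"ts": "2014-06-10T14:07:00", "host": "lab-vm", "user": "Administrator", "outcome": "success"},
    {"ts": "2014-06-10T14:08:00", "host": "web03", "user": "carol", "outcome": "success"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def is_authorized(host, user, when):
    """Authorized only if change control holds an open window for this host and user."""
    return any(h == host and u == user and parse_ts(a) <= when <= parse_ts(b)
               for h, u, a, b in CHANGE_WINDOWS)

def evaluate(event):
    """Return (severity, destination, reason), or None when the rule does not fire."""
    if event["host"] not in CRITICAL_SERVERS:
        return None                                  # not a critical asset: out of scope
    user = event["user"].lower()
    if user in DEFAULT_PRIVILEGED:
        # Shared/default account: never in a change window, so always unauthorized.
        return ("high", "team", f"default privileged account '{user}' used on {event['host']}")
    if user not in PRIVILEGED_USERS:
        return None                                  # ordinary user: a different use case
    if is_authorized(event["host"], user, parse_ts(event["ts"])):
        return ("info", "tracking_list", "privileged logon inside an approved change window")
    if event["outcome"] == "failure":
        return ("medium", "tracking_list", "unauthorized privileged access attempted")
    return ("high", "team", "unauthorized privileged access succeeded")

def run(events):
    """Evaluate every event; keys are event indices, values the routing decisions."""
    results = {}
    for i, e in enumerate(events):
        hit = evaluate(e)
        if hit is not None:
            results[i] = hit
    return results
```

Attempted and successful unauthorized access are separated by outcome, which is what the objective slide asks for; the change window is what turns an otherwise identical privileged logon into a tracked, non-alerting event.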
Example use case
Identify deliverables
• Content to show what we want
  • Dashboards
  • Reports
  • Alerts
• How to use the data?
  • Dashboards
  • Investigation
  • Ease of use?
• External data – compliance
  • Audit information
Example use case
Evaluate and refine
• How to improve?
• Where to refine and get better?
• What content can be extended?
  • Focus on key data / log sources – better privileged user information
  • Integrate automated data feeds – export / import
• Improve data, quality and content
• Add further capabilities on different log sources / systems
Review of use case approach
Building Meaningful Use Cases
• Formalized approach to understand what is required
• Define, develop, build and use focused content
• Process helps define what is needed:
  • Problem Statement
  • Define Objectives
  • Identify Data Sources
  • Define Thresholds
  • Identify the Deliverables
  • Evaluate & Refine as Needed
• Assists in so many other areas
Summary
(Diagram of use case areas; the labels recoverable from the slide are: advanced malware monitoring, server admin monitoring, threat intelligence feed, social media monitoring, user monitoring, perimeter monitoring, app monitoring, third party monitoring, insider threat monitoring, network anomaly detection, baseline monitoring.)
Please give me your feedback
Session TB3057 – Speaker Paul Brettle
Please fill out a survey and hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events.
Thank you