ArcSight priority formula

Transcription

1 ArcSight priority formula Fred Thiele, Managing Principal, South #HPProtect

2 Our journey The priority formula Let s understand the ins and outs Look at some examples Take advantage of our new knowledge The priority formula is the most misunderstood and underutilized feature in ArcSight! 2

3 How often have we all seen this 3

4 Priority formula The basics The priority formula is applied to every single event ingested into ArcSight Base events, correlation events and internal events everything is evaluated the same Priority is made up of 4 parts Relevance Model Confidence Severity Criticality Fully customisable XML file defines the priority formula (ThreatLevelFormula.xml) 4

5 agentseverity 5

6 Relevance (R) How applicable is the attack against the target host? Effect Requirement Relevance provides full or partial support for incoming agentseverity Heavily dependent on port and vulnerability scanning data Factors Default Value 10 Port Scan? -5 Vuln Scan? -5 Port Open? +5 Is Vuln? +5 Possible values 10 Highly Relevant 5 Partially Relevant 0 Irrelevant 6

7 Model Confidence (MC) How much do we know about an asset? Effect Requirement Moderates effect of Relevance on Priority Heavily dependent on assets, ports and vulnerability data Factors Asset Port Vuln Asset Port Vuln Asset Port Vuln Asset Port Vuln Asset Port Vuln Output Model confidence is combined with Relevance to become Model Confidence and Relevance (MCR). 7

8 Model Confidence and Relevance (MCR) What is the likelihood the given event is applicable to our environment? Effect Requirement Dampens effect of agentseverity if Relevance < 10 Model Confidence and Relevance Factors Relevance (Relevance + MC) ((Relevance * MC) / 10) Output A percentage that moderates effect of Relevance on Priority if Relevance is < 10. 8

9 Severity (S) How suspicious is the attacker and/or target? Have I seen them before? Effect Requirement Adds a maximum of 30% to agentseverity [ 1+S * (3/100) ] (cumulative) Proper utilization of system lists Factors (system lists) Recon Suspicious Comp d Hostile Infiltrator s +1(103%) +3 (109%) +3 (109%) +5 (115%) +6 (118%) Output System severity lists are a huge benefit to your information security analysts! Utilize these lists in your analysts workflow and rules. 9

10 Criticality (C) How does your business view this asset? Effect Requirement Adds or removes support for agentseverity +/- 20% Proper utilization of system categories Factors (system cat.) Unknown Very Low Low Medium High Very High 0 (20%) 2 (40%) 4 (60%) 6 (80%) 8 (100%) 10 (120%) Pro tip Know the business value of your assets! 10

11 Priority formula Model Confidence & Relevance (MCR) Severity (S) Criticality (C) agentseverity R S * 3 C 8 * * 1+ * 1+ * 20% = ( R + MC) R * MC Priority % Vulnerability Threat Impact 11

12 Examples

13 Priority guidelines General rules of thumb to follow Numbers 0-10 are fed to an algorithm to produce a factor The end result is a percentage to multiply agentseverity against If Model Confidence is 0, Relevance has no effect on Priority Means, by default MCR has no effect on Priority If Relevance is 0, Priority is always 0 Criticality drags down Priority until Criticality hits 8 (High) 13

14 Baseline agentseverity Unknown 2 Low 4 Medium 6 High 9 Very-High 10 Why is Priority!= agentseverity? 14

15 Asset in Asset DB Relevance = 10 Is port scanned/is port open? (0) Is vscanned/has vuln? (0) Model Confidence = 4 Asset in DB (+4) 15

16 Scanned asset Port 80 open Relevance (10 5 = 5) Is port scanned/open? (-5) Is vscanned (0) 16

17 Scanned asset attack against Port 80 Relevance ( = 10) Is port scanned (-5) Is port open (+5) Is vscanned (0) 17

18 What s the difference? Baseline Port scanned + attack against open port 18

19 Importance of network modelling Knowing your network saves time and enables risk-based decision making Very-High Asset Criticality Very-Low Asset Criticality Recon + Suspicious + Hostile Recon + Suspicious Scanned; non-open port Asset in Database 19 Very-High Asset Criticality Very-Low Asset Criticality Recon + Suspicious + Hostile Recon + Suspicious Recon Scanned; non-open port Asset in Database

20 Effects of formula on priority in summary agentseverity MCR Low Crit/Sev (.84) Mid Crit/Sev (1.08) High Crit/Sev (1.35)

21 In practice

22 Where to start Asset data is critical; have a plan to get it into ArcSight! Start small and utilize vulnerability scanning Define a set of network ranges internally (zones) Vulnerability scan those ranges Import vulnerability scan using a supported vulnerability scan connector Make sure to associate the vscan connector with the correct network/customer! Assets will auto-create within zones and be tagged with open ports Enable your analysts Implement a processes to enable analysts to add attackers to system lists Enable analysts to define critical assets (e.g., Tagging assets with categories) 22

23 Expand the scope of the model Once you have the basics, expand your scope Auto-update network model Define source(s) of truth Aggregate weekly Transform aggregate to ArcSight language Import/update network model for the latest and greatest Utilize automated tools UCMDB (HP) and RedSeal work really well Export data to CSV, script a transform, import to ArcSight 23

24 Get fancy Default priority formula may not be suited to everyone Fully customisable /opt/arcsight/manager/config/server/threatlevelformula.xml Priority formula is just an XML file Documented in the online help Powerful markup Pro tips If you have deleted the system lists, just recreate the lists and modify the ThreatLevelFormula Additional items can be added to XML file with very little configuration Vulnerability mappings are highly dependent on context updates! Utilise Risk Insight for additional dashboards in the SOC 24

25 Risk Insight Visualise priority Pre-built dashboards and metrics Utilises the Priority Formula and Network Model Integrates with ArcSight Command Centre Intended for utilisation in Security Operations Makes for great executive dashboards! 25

26 For more information Attend these sessions TB3153, Improving IR Workflow in HP ArcSight using riskbased escalation TT3062 Reduce security analysis time from hours to minutes Visit these demos DEMO3525 Find threats with HP ArcSight ESM After the event Contact your sales rep Your feedback is important to us. Please take a few minutes to complete the session survey. 26

27 Please give me your feedback Session TB3593 Speaker Fred Thiele Please fill out a survey. Hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events. 27

28 Thank you

29