Protect Session B10039 ArcSight Activate Threat Intelligence Packages

Size: px

Start display at page:

Download "Protect Session B10039 ArcSight Activate Threat Intelligence Packages"

Kelley Clarke
5 years ago
Views:

1 Protect Session B10039 ArcSight Activate Threat Intelligence Packages Time to stop reinventing the wheel Prepared by SEMplicity & HPE George A. Boitano gboitano@semplicityinc.com Yun Peng yunp@hpe.com

2 Overview Session: Speakers: George A. Boitano, SEMplicity Inc. Yun Peng, HPE Use the mobile app: 1. Access My schedule 2. Click on this session 3. Go to Rate & review If the session is not on your schedule, access it via the session scheduler, click on it, and go to Rate & review. Or use the hard copy surveys Thank you for providing your feedback, which helps us enhance content for future events. 2

3 Overview Activate Review The Data Fusion Model Activate LifeCycle Applicability to Threat Intelligence Activate Threat Intelligence Model Objectives Implementation The Collective Intelligence Framework Threat Intelligence Level 1: Warnings and Indicators Threat Intelligence Level 2: Situational Awareness Where to from here? 3

4 ArcSight Activate Overview 4

5 Activate Essentials: The Model 5

6 Activate Essentials: The Lifecycle 6

7 Activate Threat Intelligence Objectives Level 0: Ingest all forms of Threat Intelligence Process data from any number of sources: open source, proprietary, governmental, etc. Process data in any format: csv, XML, STIX, HTML, Flat File, web services, etc. Normalize data to 20+ standard fields in Activate Threat Intel Schema Level 1: Populate Threat Model Model is several Active Lists conforming to Activate Threat Intel Schema Also show summary information on Threat Model activity Level 2: Contextualize Events Enrich incoming and correlated events with data from Threat Model Level 3: Track State Mark assets based on threat activity Report on threat activity across assets 7

8 Prior Art for ArcSight Threat Intelligence Subscription Services: Threat Central, ThreatStream, ISS Open Source: 60+ sites offering free Threat Intelligence Government intelligence, distributed to certain clients Industry-specific intelligence shared with certain verticals Homegrown intelligence derived from internal events All using their own FlexConnectors, ESM Content, etc. This is the problem Activate is designed to solve Standardize on a common schema and ESM content; Provide common framework for sharing content and intelligence; Stop reinventing the wheel for each company, each industry, each individual threat feed. 8

9 Populating the Threat Model 9

10 Activate Threat Model Architecture Intel Sources Open Source Industry / Governmental Derived Internally Subscription Other? Protocols: http ftp flat file odbc/jdbc web services Formats: csv fixed column report STIX/TAXI XML JSON CIF yml config files Elastic Search Ubuntu TLS 14 Malicious Indicator csv files: bad IPV4s, bad IPv6s bad URLs, bad s bad userids, bad filehashes CIF Event Rules ArcSight CIF FlexConnector Malicious Indicator Lists ArcSight ESM 10

11 Collective Intelligence Framework (CIF) History Open Source Project Part of CSIRTGadgets Founded active community Implementation Runs on Ubuntu 14 LTS Uses ElasticSearch Current release (2.0, massive-octo-spice) implemented in Perl Next release (3.0, bearded-avenger) due in about 1 year, re-coded in Python For more info

12 CIF: Strengths and Weaknesses Strengths: open source handles all formats handles all protocols Standardizes on STIX-like schema easy intel source config w/yml very easy one-line install consolidates threat intel data into feeds via line command runs as a daemon with configurable poll intervals easily customized and expanded Weaknesses: open source one-line install doesn t always work due to dependency changes error handling and error messages not great documentation about average for open source requires a lot of disk storage for ElasticSearch 12

13 CIF Samples EasyButton Install Sample YML config file for a threat intel source Sample line commands to create CSVs for FlexConnector 13

14 CIF yml Activate Content ymlconfiguration files: Each file contains configuration for one or more open source sites Configurations within a yml file may inherit attributes It is is relatively easy to create new yml configuration for new or custom threat intelligence Regex parsing of feeds is implemented Support for corporate proxies CIF as delivered contains config for ~25 popular open source feeds The Activate L1 content delivers configuration for an additional 25 feeds now, all major open source feeds are covered Each source has its own configurable confidence score, used to resolve collisions with other feeds Periodic harvest of each source configurable in CIF Data from each source is normalized into CIF schema. 14

15 The CIF FlexConnector & ESM Content Reads csv output from cif --feed command as scheduled cron jobs: Multi Folder File Follower Separate csv files for malicious ipv4s, ipv6s, s, hashes, users Formats SmartMessage and sends to ESM devicevendor=cif deviceproduct=threat Intel Rules populate active lists with fields from these events, thus building the threat model Global variables extract data from these lists to detect malicious activity and enrich events Dashboards display and monitor threat model activity 15

16 Threat Model Activity Dashboard 16

17 Threat Model Malicious IP List Drilldown 17

18 Threat Intel L1 Global Variables Determine if an indicator is malicious: IPv4, IPv6 URL or Domain To be implemented: , hash, user Problem with URLs/Domains: List: mybadurl.google.com Event: steve.mybadurl.google.com Result: InActivateList performs string compare, returns False, which is incorrect Solution: Global Variables to perform malicious URL lookups Given mybadurl.google.com in malicious list and steve.mybadurl.google.com in sourcehostname, variable InMalciousUrlList returns True, which is correct Other variables extract data from these Active Lists to enrich events: Source Severity Confidence Date first observed in wild Over 16 other fields! 18

19 Using the Threat Model 19

20 This is a rolling (up to 3 year) roadmap and is subject to change without notice Threat Intelligence Packages Activate Base (required) L1-Threat Intelligence - Indicators and Warnings Suspicious active lists Rules to populate suspicious lists Variables to retrieve suspicious data L2-Threat Intelligence - Situational Awareness Rules to detect events/attacks from suspicious list Dashboards/Reports/Active channels Product packages, such as Threat Central

21 This is a rolling (up to 3 year) roadmap and is subject to change without notice Alerts to Detect Suspicious Activities Command and control Dangerous Browsing DNS Queries Phishing Reconnaissance Internal Assets Found in Reputation Data Anonymization

22 This is a rolling (up to 3 year) roadmap and is subject to change without notice Threat Intelligence Alerts

23 This is a rolling (up to 3 year) roadmap and is subject to change without notice Threat Intelligence Activity Overview

24 This is a rolling (up to 3 year) roadmap and is subject to change without notice Reputation Address Data Overview

25 This is a rolling (up to 3 year) roadmap and is subject to change without notice Report of Threat Intelligence Alerts

26 Roadmap Improve collision logic in CIF Improve error handling in CIF Beaded-Avenger release Place Public CIF server in Cloud? 26

27 Anyone Interested? Your Site! CIF SEMplicity Cloud CSV Files Syslog or SmartMessage Connector ArcSight CIF FlexConnector CIF Event Rules Malicious Indicator Lists ArcSight ESM 27

28 Thanks you for coming! Session B10039 For more information, please feel free to contact: George A. Boitano Yun Peng

Asset and network modeling in HP ArcSight ESM and Express

Asset and network modeling in HP ArcSight ESM and Express Till Jäger, CISSP, CEH EMEA ArcSight Architect, HP ESP Agenda Overview Walkthrough of asset modeling in ArcSight ESM More inside info about the