Tuning HP ArcSight ESM prioritization

Transcription

1 Tuning HP ArcSight ESM prioritization Beirne Konarski, Principal Consultant #HPProtect

2 Priority What does the priority score mean? The priority helps you determine which events are most important to act on This is not necessarily a measure of how bad an event is. If you are not going to investigate the event, give it a lower priority The value ranges from zero to ten, with ten being the most important. Priority is only loosely tuned out of the box because ESM needs information about: Your network What threats you feel are important 3

3 Priority components Device severity Agent severity Asset criticality Severity Model confidence/ relevance How bad the vendor of the event source considers the event to be The device severity normalized into low, medium, high, and very-high How important the target system is How bad is the attacker s reputation? Has the target been compromised? Priority = Agent Severity * AC multiplier * Sev multiplier * MCR multiplier Is the target vulnerable to the attack? 4

4 Device severity What does the device severity mean? The device severity tells you how serious the creator of the event thought it was No standard format Low, medium, high 0, 1, 2, 3 INFO, EMERG, ERR 5

5 Tuning the device severity How can I make the device severity more accurate? The device severity can only be adjusted at the source of the events IDSs and IPSs may allow you to adjust the severity of an event In general it is not practical to adjust the Device Severity It requires people who are often members of other teams to make adjustments for you There may not be an easy way to adjust the severity on the source It is much easier to adjust the Agent Severity instead 6

6 Agent severity What does the agent severity mean? The agent severity tells you how serious the creator of the event thought it was, in a normalized form Low, medium, high, very-high, unknown Set by the SmartConnector or Rule Engine Can be overridden from ESM or the Connector Appliance Adjusting it from the default can raise or lower the priority Tuning the agent severity: Has the greatest effect for the most events and Is the easiest tuning step to do 7

7 Agent severity values Agent severity Numeric value Unknown 2 Low 4 Medium 6 High 8 Very high 10 8

8 Tuning the agent severity How can I make the agent severity more accurate? The agent severity can be adjusted at SmartConnector or in Rule Actions Base or aggregated events 1. Check the current setting 9

9 Tuning the agent severity (continued) 2. Go to the Default->Filters tab for the connector for the events and add a condition for the new severity level 10

10 Tuning the agent severity (continued) Agent Severity after the filter change : 11

11 Tuning the agent severity (continued) Rules When creating new rules make sure you set the agent severity to help prioritize the correlation events The default value is high, but it is still good to set it to show that the value was intended You can also override the agent severity of existing rules 12

12 Asset criticality What does the asset criticality mean? The asset criticality tells you how concerned you are about attacks to the target Very low, low, medium, high, very high, unknown Set as an asset category 13

13 Asset criticality values Asset criticality Numeric value Effect on priority Unknown 0-16% Very Low 2-12% Low 4-8% Medium 6-4% High 8 No change Very High 10 +4% 14

14 Checking the asset criticality How do I see what the asset criticality was for an event? Right-click on the event and select Debug Event Priority 15

15 Tuning the asset criticality How can I make the asset criticality more accurate? Set the criticality when creating assets You can also assign the asset criticality when importing assets via the Asset File Import Connector. 16

16 Severity What does the severity mean? Severity tells you how much how much trouble the attacker has caused and if the target is compromised The attacker is on one of these active lists Infiltrators list Hostile list Suspicious list Reconnaissance list The target is on the compromised list Note that severity has no relation to agent severity or device severity. 17

17 Severity values Severity is the sum of points from the following active lists, up to 10. Endpoint Active list Points Attacker Reconnaissance list 1 Attacker Suspicious list 3 Attacker Hostile list 5 Attacker Infiltrators list 6 Target Compromised list 3 18

18 Severity effects on priority Severity Effect on priority 0 0% Severity can increase the priority up to 30% but not decrease it 1 +3% 2 N/A 3 +9% 4 +12% 5 +15% 6 +18% 7 +21% 8 +24% 9 +27% % 19

19 Tuning the severity How can I make the severity more accurate? Tune the rules that lead to events being added to the threat tracking lists Example: Tuning the brute force logins Exclude attackers coming from authentication servers, because we cannot see the actual source We will catch the excluded attacks from authentication server logs where we can see the true source 20

20 Tuning the severity (continued) How can I make the severity more accurate? The severity for events from attacker increased from 3 to 8 after a compromise - attempt event 21

21 Tuning the severity (continued) How can I make the severity more accurate? Using the Debug Event Priority feature of ESM 6.5, we see that before the Compromise - Attempt event the only factor for Severity was the compromised target 22

22 Tuning the severity (continued) How can I make the severity more accurate? After the Compromise - Attempt event the Severity had increased to 8 due to the attacker being on the hostile list 23

23 Tuning the severity (continued) How can I make the severity more accurate? A Brute Force Login caused the compromise. Say that is an authentication server. We will modify the rule so it does not fire if the attacker is an authentication server. Afterwards remove from the Hostile List. 24

24 Tuning the severity (continued) How can I make the severity more accurate? Tuning the severity in your own rules When creating rules, make sure you set the category significance. Values like /hostile, /suspicious, and /reconnaissance will allow rules to fire that will add the addresses to the appropriate lists. 25

25 Model confidence What does model confidence mean? Model confidence tells you how much you know about the target Does the target have an asset defined? Has the target been scanned for open ports? Has the target been scanned for vulnerabilities? Model confidence is combined with the relevance score to adjust the priority 26

26 Model confidence values Model confidence can be set to 0, 4, 8, or 10 Target knowledge Effect on model confidence Is an asset +4 Scanned for open ports +4 Scanned for vulnerabilities +4 The values added to the model confidence may be lower if asset aging and AmortizeScan are enabled 27

27 Tuning the model confidence How can I make the model confidence more accurate? Create assets. This raises the model confidence to 4. Note, however, that this has no effect on the priority by itself unless scanning has also been done. If you include the asset criticality, though, the priority will be more accurate Scan for open ports Scan for vulnerabilities Set up asset aging 28

28 Relevance What does relevance mean? Relevance tells you if the attack could have succeeded Is the target port open on the target system? Is the target system vulnerable to the exploit? Mainly used for IDS events If any information is missing Relevance assumes the worst Relevance can decrease the priority but never raise it 29

29 Relevance values Relevance can be set to 0, 5, or based on target port Target Port is undefined in event Target has not been scanned for open ports Target Port is open +5 based on vulnerability Event does not have an associated exploit code Target has not been scanned for vulnerabilities Target is vulnerable to the exploit 30

30 Tuning the relevance How can I make the relevance more accurate? Scan for open ports Scan for vulnerabilities Install the monthly context updates to get current vulnerability codes 31

31 Model confidence and relevance example A drop event with model confidence of 10 and a relevance of 5 32

32 Model confidence and relevance example (cont.) A drop event with model confidence of 10 and a relevance of 5 Debug Event Priority shows that the Target Port is closed and the event does not have vulnerability information, leading to a Relevance of 5. 33

33 MCR effects on priority MCR is a combination of the model confidence and relevance. Model confidence Relevance 0 * 0% Effect on priority * 0-100% * 10 0% % % % % % % % 34

34 The easiest ways to tune the priority How do I get started tuning the priority? Set the agent severity and category significance in rules Set the agent severity in connector filters Apply content updates to get the current category significance Model assets and include the asset criticality Tune rules that write to threat modeling lists Vulnerability scanning Apply Context updates to get current exploit codes for IDS events and vulnerabilities Configure asset aging Make daily Top 10 reports for high-priority events and tune down as needed 35

35 For more information Attend these sessions TB3111, Flight of the flightless bumblebee: Use cases created because no one said we couldn't TB3009, Use cases to content TB3264, Advanced malware detection through threat intelligence Visit these demos ArcSight ESM/Express Activate Framework After the event Contact your sales rep 36

36 Tonight s Newseum Enjoy food, drinks, company, and a private concert by Counting Crows Time 7:00 10: 00 pm Shuttles run between hotel s Porte Cochere (Terrace Level, by registration) and Newseum from 6:30-10:00 pm Questions? Please visit the Info Desk by registration 37

37 Please give me your feedback Session TT3146 Speaker Beirne Konarski Please fill out a survey. Hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events. 38

38 Thank you

39