Secret Server HP ArcSight Integration Guide Table of Contents Meeting Information Security Compliance Mandates: Secret Server and ArcSight SIEM Integration... 1 The Secret Server Approach to Privileged Account Management:... 1 Risks and Benefits... 1 The Common Event Format... 2 Conclusion... 5 About Thycotic Software... 5 About Secret Server... 5 About ArcSight... 5
Page1 Meeting Information Security Compliance Mandates: Secret Server and ArcSight SIEM Integration Leveraging Secret Server event data with ArcSight SIEM solutions can give organizations deep insight into the use of privileged accounts (such as Windows local administrator, service or application accounts, UNIX root accounts, Cisco enable passwords, and more). Used together, these tools provide secure access to privileged accounts and provide greater visibility to meet compliance mandates and detect internal network threats. The Secret Server Approach to Privileged Account Management: Many environments that have strict Information Security policies also require methods to control and monitor access to privileged accounts. Enterprises often apply security policies such as physical access restrictions to hardware, network firewalls, appropriate-use guidelines, and user account restrictions. In the case of privileged accounts, access is more difficult to track and verify. Implementing privileged account management software such as Secret Server enables organizations to strictly control and track access. Enterprises that implement Secret Server gain the ability to grant or deny granular access to critical systems. When access is granted, use of that access is tracked based on a wide range of events. While alerting is a core feature within Secret Server, managing real-time events on the aggregate can be cumbersome. Leveraging ArcSight to manage these real-time events allows users to build customized risk analysis into their privileged account management policies. Mitigating internal privilege account threats helps organizations meet compliance requirements like Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA). Risks and Benefits Unmanaged privileged accounts often enjoy unchecked access across a wide array of systems, networks, and databases. Unmitigated top-level access, in the wrong hands, can be devastating to an organization. The potential for liability is not limited to internal data and productivity loss, but can include criminal and civil penalties for unauthorized disclosure of private or regulated information i. Implementing an enterprise-level privileged account management system (Secret Server) with a realtime event management system (ArcSight) allows organizations to mitigate risk. Critical systems can only be accessed by pre-defined users. IT Security Auditors are able to track access based on the needs Copyright 2012 Thycotic Software Ltd. Page 1 Revised: September 24, 2012
Page2 of the enterprise. Figure 1 depicts the general workflow around the relationship between these two technologies. Secret Server and ArcSight solution for privileged account monitoring and compliance. Thycotic Software Secret Server HP ArcSight SIEM Reporting Solution Access Privileged User Accounts Real-time Log File Data Activity Drill-down IT Security Auditor Reporting Customized Alerting Security Threat Prevention Figure 1: Privileged Users login to Secret Server. Usage of Secret Server is logged on many different data points. IT Security Auditors can build custom reports tracking not only usage habits but to also help enforce compliance requirements. Secret Server supports event tracking through the export of Common Event Format (CEF) data to ArcSight. ArcSight processes these events as they are received. Based on rules defined by organizations, a number of actions can be taken. These actions include alerting, security threat identification, and detailed activity drill-down options. These options allow enterprises to react quickly to potential threats. The Common Event Format The Common Event Format is a predefined format for sending events from a system for analysis on another system. Secret Server relays events related to privileged account access to ArcSight through the Common Event Format. ArcSight has multiple solutions for managing the forensic analysis of CEF data: ArcSight ESM and ArcSight Logger are two popular products capable of real-time event management. ArcSight has certified Secret Server for use with their Common Event Format analysis tool. As Secret Server develops new features and product enhancements, the application will be recertified by ArcSight to verify maximum compatibility and performance. Secret Server currently supports 44 different event types in CEF logging. In Figure 2, the ArcSight Web User Interface is displaying Secret Server Event examples. Copyright 2012 Thycotic Software Ltd. Page 2 Revised: September 24, 2012
Page3 Figure 2 Several examples of events and how they can be used to minimize risk are: [UNLIMITEDADMINISTRATOR ENABLE] Unlimited Administrator mode is an emergency-only feature that allows Secret Server Administrators to gain access to all Secret Server data in the case of a disaster recovery scenario. Enabling this feature will send this event to ArcSight and any unexpected events can be dealt with immediately. [SECRETTEMPLATE EDIT] Secret Templates are important because they control the rules for data saved in Secret Server. If a Secret Template has been modified without the knowledge of the organization, it could cause a variety of issues. For example, editing a template in Secret Server may mean that your organization s password policy is no longer meeting compliance requirements. Including this event in your ArcSight logs enables IT Security Auditors to know about unscheduled changes that can affect security/compliance policies. Copyright 2012 Thycotic Software Ltd. Page 3 Revised: September 24, 2012
Page4 An example of how events can be used together to indicate potential compliance issues: [USER ADDEDTOGROUP] used with [ROLE ASSIGNUSERORGROUP] This could be an issue where a user is added to a group and then the role permissions for that group are changed. In isolation, each event may seem harmless, but viewed together they could represent an issue. However, if ArcSight were logging and alerting these events, an IT Security Auditor would be made aware of a permissions change and could then investigate. Copyright 2012 Thycotic Software Ltd. Page 4 Revised: September 24, 2012
Page5 Conclusion Organizations that need to meet strict compliance requirements can implement privileged account management and real-time event analysis using Secret Server and ArcSight. Integrating these two products allows enterprises to both manage their privileged accounts and correlate and reduce security threats within a network. About Thycotic Software Thycotic Software, Ltd., a Washington DC-based company, is committed to providing password and AD group management solutions to IT administrators worldwide. With over 30,000 IT professionals using our IAM tools, Thycotic helps securely manage all credentials critical to an organization s operations. About Secret Server Secret Server is an enterprise password management tool that is used to store, distribute, monitor, and update privileged/shared account passwords in a central, web-based location. For more information, visit http://www.thycotic.com/products_secretserver_overview.html. About ArcSight ArcSight, an HP company, is a leading global provider of cyber-security and compliance solutions that protect organizations from enterprise threats and risks. Based on the market-leading SIEM offering, the ArcSight Enterprise Threat and Risk Management (ETRM) platform enables businesses and government agencies to proactively safeguard digital assets; comply with corporate and regulatory policy; and control the internal and external risks associated with cyber-theft, cyber-fraud, cyber-warfare and cyberespionage. For more information, visit http://www.hpenterprisesecurity.com/products/hp-arcsightsecurity-intelligence/. Note: Terminology used in this document is based on the SANS Glossary of Security Terms available at http://www.sans.org/security-resources/glossary-of-terms/ i Imation Compliance Heat Map http://www.databreaches.net/?p=25159 Copyright 2012 Thycotic Software Ltd. Page 5 Revised: September 24, 2012