HP ArcSight SIEM And Data Privacy Best Practices

Transcription

HP ArcSight SIEM and data privacy best practices
Jeff Northrop, CTO, International Association of Privacy Professionals, jeff@jnorthrop.me
Frank Lange, Dipl.-Winf., CISSP, CEH, ArcSight Security Architect, frank.lange@hp.com
Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Privacy is a data security issue
Jeff Northrop, CTO, International Association of Privacy Professionals, jeff@jnorthrop.me

Consumers Care About Privacy

Privacy: Top Issue Around the World
The Web We Want Project (https://webwewant.mozilla.org)

Privacy: A Competitive Differentiator
Microsoft’s Scroogled (http://scroogled.com)

Privacy: A Value Proposition
Facebook’s anonymous login, privacy dinosaur, enhanced controls, etc.

Privacy: The Main Value Proposition
Silent Circle Blackphone (https://www.blackphone.ch)

Notice and Consent Does Not Work
Report to the President: Big Data and Privacy (http://www.whitehouse.gov)
"Notice and consent is the practice of requiring individuals to give positive consent to the personal data collection practices of each individual app, program, or web service. Only in some fantasy world do users actually read these notices and understand their implications before clicking to indicate their consent."
- President’s Council of Advisors on Science and Technology

Regulators Respond
FTC Chairwoman vows to sue companies that collect large amounts of data and misuse it

Regulators Respond
Statistics to consider:
- Of the top 10 privacy lawsuits in history, 2013 registered 4 of them. Source: Jay Cline
- Among the 130 “significant” Safe Harbor enforcement actions since 1999, 60% were after 2011. Source: Jay Cline
- Among the 50 data security cases since 2000, half came after 2010. The FTC had begun to deliberately strengthen its foray into holding businesses accountable for specific data security inadequacies through its unfairness power. Source: IAPP
- Prior to 2011 the FTC brought 3 legal actions/year for violations of consumers’ privacy rights, or against those that misled consumers by failing to maintain security for sensitive information. Between 2011 and 2013 there were 5 such cases/year. Source: FTC

FTC’s Authority Is Tested in Court
Wyndham case provides a benchmark moment:
- The FTC has settled with dozens of companies over accusations of being “unfair”; Wyndham was the first not to settle out of court.
- Wyndham suffered a breach of more than 500k records including credit card information. The FTC complaint charged that “the security practices were unfair and violated the FTC Act” due to “Wyndham’s inadequate security procedures.”
- In its motion to dismiss, Wyndham set up the first court test of the “FTC authority to go after ‘unfairness’”.
- The FTC prevailed in a district court ruling. Game changer.

Regulators Respond Globally
Greater enforcement in Europe, and 100 other countries

The Future Is Now: Enterprise Is Accountable
Privacy risk mitigation requires more than compliance with applicable laws and regulations

You Need to Know Your Data
Data security needs to play a key role in mitigating privacy risk

Data privacy in the SIEM world
Frank Lange, Dipl.-Winf., CISSP, CEH, ArcSight Security Architect, frank.lange@hp.com

A StreetView example

Elements we will talk about:
- HP ArcSight ESM/Express
- HP ArcSight Connector
- HP ArcSight Logger

Connector

Connector obfuscation – configuration
- Destination specific setting in agentID.xml
- One or many fields
- Uses a hash algorithm: MD5 or SHA256 (FIPS)
- One way operation

Example agentID.xml fragment as shown on the slide (reconstructed from the transcription; the AgentId value is the one on the slide):

<Config AgentId="3nOjT4xEBABCBuS8G8BXhnw">
  <Setting ProcessingSettings.fieldstoobfuscate="attackerUserName,targetUserName"/>
</Config>

Connector obfuscation – ESM console view

ESM/Express

ESM/Express – role-based access
Access Control Lists (ACL) based on user groups with inheritance

ESM/Express – I. FieldSets
- A FieldSet is a number of fields in a specific order
- An ActiveChannel allows a default FieldSet
- Ad hoc customizable (Add/Remove Column)

ESM/Express – II. Event Filter
- Restricts access to a subset of events
- Based on standard Filters
- Enforced on User Group level
- Transparent to the user

ESM/Express – III. Actors
IdentityView:
- Granular restriction via ACL
- Restriction on all Actors / a Domain / Types
- Allows Mixed Mode

ESM/Express – III. Actors
Not an all-or-nothing option: allows a view of actor data based on membership level

Logger

Logger – Search Group Filter
- Restricts access to a subset of events only
- Restriction based on user group membership, transparent to the Logger user
- RegEx filters
- Applies on peer Loggers
- Search performance depends on RegEx speed

All together

A powerful mix – example scenario
- HP ArcSight Connector: destination specific obfuscation
- HP ArcSight ESM/Express: only obfuscated events are sent to ESM
- HP ArcSight Logger: only a special user is allowed to access unobfuscated data on Logger
- A special user with the Logger Integration Command can search for unobfuscated data on the remote Logger from within the ESM console
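The following is an added illustration of the scenario above (connector field obfuscation, ESM correlation on hashed values, and the Logger search group filter); it is example code written for this transcription, not ArcSight's own implementation. The event records, field list, user groups and regex filters are constructed for the example.

```python
import hashlib
import re

# Constructed sample events with CEF-style field names as used on the slides.
EVENTS = [
    {"name": "Login failed", "attackerUserName": "alice",
     "targetUserName": "svc-backup", "targetAddress": "10.0.0.5"},
    {"name": "Login failed", "attackerUserName": "alice",
     "targetUserName": "svc-backup", "targetAddress": "10.0.0.5"},
    {"name": "Login ok", "attackerUserName": "bob",
     "targetUserName": "bob", "targetAddress": "10.0.0.7"},
]

# Same shape as the fieldstoobfuscate setting in agentID.xml: a comma-separated list.
FIELDS_TO_OBFUSCATE = "attackerUserName,targetUserName"


def obfuscate_value(value, algorithm="sha256"):
    """One-way hash of one field value (the slide offers MD5 or SHA256/FIPS)."""
    return hashlib.new(algorithm, value.encode("utf-8")).hexdigest()


def obfuscate_event(event, fields=FIELDS_TO_OBFUSCATE, algorithm="sha256"):
    """Connector step for the ESM destination: hash only the configured fields."""
    wanted = {f.strip() for f in fields.split(",") if f.strip()}
    return {k: (obfuscate_value(v, algorithm) if k in wanted else v)
            for k, v in event.items()}


def count_by_field(events, field):
    """ESM-style correlation: events per field value. Equal inputs hash to equal
    outputs, so the count is the same whether the field is hashed or not."""
    counts = {}
    for e in events:
        counts[e[field]] = counts.get(e[field], 0) + 1
    return counts


# Logger search group filter (constructed): group -> regex every result must match.
SEARCH_GROUP_FILTERS = {
    "analysts": r"targetAddress=10\.0\.0\.5",   # analysts see one host only
    "privacy-officers": r".*",                  # the special user sees everything
}


def logger_search(raw_events, group):
    """Logger step: the group filter is applied before the user's own query,
    so a user in 'analysts' never receives events outside the filter."""
    pattern = re.compile(SEARCH_GROUP_FILTERS[group])
    return [e for e in raw_events
            if pattern.search(" ".join(f"{k}={v}" for k, v in e.items()))]
```

An unkeyed hash of a low-entropy field such as a user name is a stable pseudonym, not anonymization, which is why the slides keep the unobfuscated copy on Logger behind the search group filter rather than relying on the hash alone.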

Summary
- Multi-layer approach
- Impact on SIEM design
- Correlation and data privacy at the same time
- Like a StreetView for SIEM

Tonight’s party @ Newseum
Enjoy food, drinks, company, and a private concert by Counting Crows.
Time: 7:00 – 10:00 pm
Shuttles run between the hotel’s Porte Cochere (Terrace Level, by registration) and Newseum from 6:30 – 10:00 pm.
Questions? Please visit the Info Desk by registration.

Please give me your feedback
Session TB2990, Speakers: Jeff Northrop and Frank Lange
Please fill out a survey. Hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events.

Thank you