Micro Focus Security ArcSight ESM


Micro Focus Security ArcSight ESM
Software Version: 7.3
ESM 101
Document Release Date: July 2020
Software Release Date: July 2020

ESM 101

Legal Notices

Copyright Notice

Copyright 2001-2019 Micro Focus or one of its affiliates

Confidential computer software. Valid license from Micro Focus required for possession, use or copying. The information contained herein is subject to change without notice.

The only warranties for Micro Focus products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein.

No portion of this product's documentation may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's internal use, without the express written permission of Micro Focus.

Notwithstanding anything to the contrary in your license agreement for Micro Focus ArcSight software, you may reverse engineer and modify certain open source components of the software in accordance with the license terms for those particular components. See below for the applicable terms.

U.S. Governmental Rights. For purposes of your license to Micro Focus ArcSight software, "commercial computer software" is defined at FAR 2.101. If acquired by or on behalf of a civilian agency, the U.S. Government acquires this commercial computer software and/or commercial computer software documentation and other technical data subject to the terms of the Agreement as specified in 48 C.F.R. 12.212 (Computer Software) and 12.211 (Technical Data) of the Federal Acquisition Regulation ("FAR") and its successors. If acquired by or on behalf of any agency within the Department of Defense ("DOD"), the U.S. Government acquires this commercial computer software and/or commercial computer software documentation subject to the terms of the Agreement as specified in 48 C.F.R. 227.7202-3 of the DOD FAR Supplement ("DFARS") and its successors. This U.S. Government Rights Section 18.11 is in lieu of, and supersedes, any other FAR, DFARS, or other clause or provision that addresses government rights in computer software or technical data.

Trademark Notices

Adobe is a trademark of Adobe Systems Incorporated.
Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.
UNIX is a registered trademark of The Open Group.

Support

Contact Information

Phone: A list of phone numbers is available on the Technical Support Page: ntact-information
Support Web ht Product o

Micro Focus ESM (7.3) Page 2 of 172

Contents

Chapter 1: About ArcSight ESM 10
    User Roles 10
    User Paths Through ESM 13
Chapter 2: ArcSight Enterprise Security Management 15
    ESM Enables Situational Awareness 15
    ESM Anatomy 17
        SmartConnectors 18
        ArcSight Management Center 19
        Supported Data Sources 20
        FlexConnector 22
        Forwarding Connector 22
    ArcSight Manager 22
    CORR-Engine Storage 23
    User Interfaces 23
        The ArcSight Command Center 23
        The ArcSight Console 23
    Use Cases 24
    Interactive Discovery 24
    Threat Detector 25
    ESM on an Appliance 26
    Logger 26
    ArcSight Solutions 27
    About Resources 27
Chapter 3: Life Cycle of an Event Through ESM 30
Chapter 4: Data Collection and Event Processing 32
    Collect Event Data 32
    Normalize Event Data 33
        Event Severity 34
    Apply Event Categories 35
        Event Categorization Utility 37
    Look up Customer and Zone in Network Model 38
    Filter and Aggregate Events 39
        Configure SmartConnectors to Filter Out Events 39
        Configure SmartConnector to Aggregate Events 39
        Configure SmartConnector to Execute Commands 40
    Managing SmartConnector Configurations 41
Chapter 5: Priority Evaluation and Network Model Lookup 42
    Look Up the Network Model 42
    Look Up the Actor Model 43
    Priority Rating 43
        Evaluate the Priority Formula 44
    Write Event to CORR-Engine Storage 46
Chapter 6: Workflow 47
    Annotations 48
    Cases 49
        Stages 49
    Users and User Groups 51
    Notifications 52
        How Notifications Work 52
        Notification Groups 53
        Escalation Levels 53
        Notification Destinations 53
        Notification Acknowledgements 54
    Knowledge Base 54
    Reference Pages 54
        Reference Pages for Resource Groups 55
        Reference Pages for Events 55
        Reference Pages for Vulnerabilities 55
Chapter 7: Correlation Evaluation 56
    Correlation Overview 56
    Filters 58
        Named Conditions (Filters Resource) 58
        Unnamed Conditions 58
        Filters in Active Channels 59
        Filter Debugging 59
    Rules 60
        How Rules Work 60
        Standard Rules 61
        Joins 61
        Lightweight and Pre-persistence Rules 61
        Rule Aggregation 62
        How Rules are Evaluated 62
        Rule Actions and Thresholds 63
        Correlation Events Triggered by Rules 64
        How Rules Use Active Lists 65
        How Active Lists Work 65
        How Rules Use Session Lists 67
        Testing Standard Rules in a Rules Channel 68
        Deploying Standard Rules in Real-Time Rules 68
    Data Monitors 70
        Event-Based Data Monitors 71
        Correlation Data Monitors 72
        Non-Event Based Data Monitors 73
    How Correlation Uses Local and Global Variables 74
    Velocity Templates 75
        Velocity Application Points 75
        Examples of Velocity Expressions to Retrieve Values 76
    Event Types 77
        Raw Events 78
        Event Types in the Event Type Data Field 78
        Other Types of Normalized Events 78
        Filtering Events 79
        Monitoring ESM's Audit Events 79
    Distributed Correlation 80
        Distributed Correlation Services in a Cluster 81
        Distributed Correlation and ESM Processing 82
        Distributed Correlation and Fault Tolerance 83
        Cluster Planning 83
        Distributed Correlation Cluster Monitoring - Cluster View Dashboard 83
Chapter 8: Monitoring and Investigation 84
    Active Channels 84
        Live Channels 86
        Rules Channels 87
        Resource Channels 87
    Field Sets 88
        Sortable Field Sets 88
        Fields & Global Variables 88
    Dashboards 89
        Event Graph Data Monitors 90
        Event Graphs as a Monitoring Tool 90
        Event Graphs as an Investigation and Analysis Tool 91
    Custom View Dashboards 93
    Query Viewers 93
        Query Viewers as an Investigation and Analysis Tool 94
    Saved Searches and Search Filters 96
    Distributed Searches Among Peers 96
    Integration Commands
        Third-Party Integration Scenarios
        How Integration Commands Work
        Supported Command Types
        How to Use Available Commands
        Using Integration Commands During Monitoring and Investigation
        Using Integration Commands that Leverage the Network Model
Chapter 9: Reporting and Incident Analysis
    Reports
    Queries
    Trends
        Snapshot Trend
        Interval Trend
        How Trends Work
    Report Templates
    Reports
        Archived Reports
        Delta Reports
        Focused Reports
    Job Scheduler
    Scheduled Jobs Manager 109
    ArcSight Threat Detector 109
        Threat Detector Output: Snapshots and Patterns 110
Chapter 10: CORR-Engine 112
    CORR-Engine Event Storage 112
        Active Retention Period 113
        Archives 114
        Time- and Space-Based Storage Retention 114
    System Storage 115
    CORR-Engine Storage Management 115
Chapter 11: The Event Schema 116
    Event Data Fields 116
        Event Field Groups 117
    Devices and Assets in the Event Schema 120
        Devices in the Event Schema 121
        Assets in the Event Schema 122
        Alternate Interface in the Event Schema 122
    Devices and Connectors in a Network 123
        Source/Destination, Attacker/Target: An External Attack 124
        Source/Destination, Attacker/Target: A Trojan Attack 125
        Destination/Target Only: A SysLog Reboot Report 126
        Device Chain: Final Device and Original Agent 127
Chapter 12: The Network Model 128
    Network Model 128
        Assets 130
        Auto-Created Assets 132
        Auto-Created Assets for ESM Components 132
        Devices Discovered by a Vulnerability Scanner 132
        Devices Reporting Through SmartConnectors 133
        Managing Assets in Asset Channels 133
        Asset Ranges 134
        Zones 134
        Dynamic and Static Zones 136
        Networks 137
        Customers 138
    Network Modeling Resources Summary 140
    Ways to Populate the Network Model 142
        ArcSight Console-Based Methods 142
        Individually Using Network Modeling Resources 143
        In a Batch Using the Network Modeling Wizard 143
        How the Network Model Wizard Works 144
        SmartConnector-Based Methods 145
        In a Batch Using the Asset Import FlexConnector 145
        Automatically From a Vulnerability Scanner Report 146
        ArcSight-Assisted Methods 146
        As an Archive File From an Existing Configuration Database 147
        Using Resource Graphs to Verify the Network Model 147
    Asset Model 148
        Vulnerabilities 148
        How Vulnerability Scans Populate and Update the Network Model 149
        Reference Pages for Vulnerabilities 151
        Refer to External Databases Using External IDs 151
        Calculating Event Priority 151
        Locations 152
        Asset Categories 152
        Asset Categories Assigned to Assets, Asset Ranges, and Asset Groups 154
        Asset Categories Assigned to Zones 155
        Create Your Own Asset Categories 156
Chapter 13: The Actor Model 157
    How the Actors Feature Works 158
    Actor Resource Framework 158
    Actor Global Variables: Identifying Actors From Events 159
    Actor Channels: Navigating Thousands of Actors 160
    Category Models: Analyzing Actor Relationships 160
    Actor Model Import Connector 161
Chapter 14: Managing Resources and Standard Content 162
    ESM Resources 162
        File Resource 163
        The ArcSight Archive Utility 163
        Resource Graphs 163
        Uniform Resource Identifiers (URIs) and Resource Groups 164
        Resource IDs 166
        Finding Resources 167
    Packages 168
        Package States: Imported and Installed 168
        Package View 169
    Content Management 169
    Access Control Lists (ACLs) 169
        User Access Controls 170
        Resource Access Controls 171
        ACL Editor 171
    Standard Content 171
Send Documentation Feedback 172

About this PDF Version of Online Help

This document is a PDF version of the online help. This PDF file is provided so you can easily print multiple topics from the help information or read the online help in PDF format. Because this content was originally created to be viewed as online help in a web browser, some topics may not be formatted properly. Some interactive topics may not be present in this PDF version. Those topics can be successfully printed from within the online help.

Chapter 1: About ArcSight ESM

ArcSight Enterprise Security Management (ESM) is a comprehensive software solution that combines traditional security event monitoring with network intelligence, context correlation, anomaly detection, historical analysis tools, and automated remediation. ESM is a multi-level solution that provides tools for network security analysts, system administrators, and business users.

ESM and ESM Express are the same software. ESM Express is a different license model that typically bundles the ESM software with an appliance and a different set of licensed features. Whenever a document refers to ESM, it means to include ESM Express, unless it specifically says otherwise. However, available licenses may change between releases, so it might not always be possible to identify a feature that is or is not included in ESM Express.

ESM includes the Correlation Optimized Retention and Retrieval (CORR) Engine, a data storage and retrieval framework that receives and processes events at high rates, and performs high-speed searches.

This book introduces the underlying concepts behind how ESM works and the unique features of the CORR-Engine, and provides a road map to the tools available in ESM depending on your role in security operations. After reading this book, you will have a clear understanding of:

- How ESM works in the context of your network
- ESM functions and features and how they are used at various points in the event life cycle
- Which users in your organization would use what ESM tools
- Key terms and concepts

User Roles

Implementing an ESM system within a security operations center takes planning. User roles help decision makers determine what skills and experience are needed to ensure a successful deployment.

ESM provides User Groups and Access Control Lists (ACLs) to manage user access to certain functions and resources. Default User Groups and ACLs provide access control to certain resources upon installation (for more detail, see "Users and User Groups" on page 51). You can also create a custom user group to apply to a user role that you define, based on the needs of your security operations center. For more about access privileges, see "Access Control Lists (ACLs)" on page 169.

The following pages provide a detailed description of the general user roles and the default User Group they correspond to.

User role: Administrator
User group: Administrators
Description: Administrators are responsible for overseeing the installation of the system and maintaining overall system health. Administrators install and configure the Manager, Console and SmartConnectors, and integrate ESM with devices from multiple vendors. Administrators also conduct basic functionality tests to verify that installation and configuration are complete.

Administrators:
- View ArcSight Status Monitors (ASMs)
- Monitor Manager administration e-mails
- Add and maintain ESM users and permissions
- Maintain the health of the Manager and data store
- Use the Packages and archive utilities to back up and support Manager deployments
- Monitor the health of SmartConnectors and the devices that report to them
- Design and maintain workflow infrastructure

Administrators should have an in-depth knowledge of:
- Administration-related tools in the Console
- Security policies and goals
- Administrative maintenance of network devices
- Data storage maintenance and archiving
- Network resource management and performance

User role: Author
User group: Default User Groups/Analyzer Administrators
Description: Authors (analyzer administrators) are responsible for developing use cases that address enterprise needs and goals. This role oversees the content that shapes the nature and direction of how investigation, historical analysis, and remediation are conducted in the security operations center.

Authors:
- Identify and design use cases that address specific enterprise needs
- Evaluate existing standard content and use cases and adapt them to meet enterprise goals
- Develop and test new correlation content and use cases using filters, rules, data monitors, active lists, and session lists
- Develop and test new monitoring tools using active channels, dashboards, reports, and trends
- Develop and post knowledge base articles; develop Threat Detector profiles

Authors should have expert knowledge of:
- Security policies and goals
- Constructing effective content using ESM's aggregation, Boolean logic and statistical analysis tools
- Database query protocols
- Network infrastructure

User role: Operator
User group: Default User Groups/Operators
Description: Security operations center operators are responsible for daily event monitoring and investigating incidents to a triage level. Operators observe real-time events and replay events using replay tools. They interpret events with the Event Inspector, and respond to events with preset, automated actions. They also run reports and refer to Knowledge Base articles.

Operators:
- Watch active channels and dashboards
- Create annotations and create cases
- Forward events and cases to analysts for further investigation

If it is set up and configured, security center operators work with the linkage between ESM and external incident reporting systems.

Security center operators should have a working knowledge of:
- Security policies and goals
- ESM investigation tools: replay, event inspector, and views
- Notification workflow procedures

User role: Analyst
User group: Default
Description: Security analysts are responsible for specialized investigation and remediation when triggered into action by notifications from security center operators. Analysts may also be operators, or they can be specialists who respond to particular situations.

Analysts:
- Investigate incidents using channels, event graphs, annotations, cases, and reports
- Recommend and implement responses

Security analysts should have expert knowledge of:
- Security policies and goals
- Event traffic patterns and device log output
- Investigation, remediation, and reporting procedures

User role: Business User
User group: Default User Groups/Operators or any custom user group
Description: The business user uses ESM to ascertain and communicate system conditions to other stakeholders using metrics. Business users are often also responsible for ensuring that regulatory compliance is met. Business users most often interact with reports, dashboards, notifications, and cases using the ArcSight Console or ArcSight Command Center.

User role: Super User
User group: Administrators
Description: A super user wears many hats within the security operations center. Although the duties of every user role may overlap with others, the super user has a high level of experience, and holds a senior security position that may encompass author, operator, and analyst roles.

Super Users:
- Are experts in the security field
- Set security policies and goals
- Construct effective content using aggregation, Boolean logic, and statistical analysis
- Watch custom active channels and dashboards; investigate incidents
- Recommend and implement responses

User Paths Through ESM

The graphic below provides an overview of the general user paths through ESM depending on your role in the organization, and which documentation you can refer to for information about each.

ESM 101 is a starting place for anyone interested in using ESM. After the product is installed, all users have access to the online Help systems. The tasks associated with each major user group are addressed by the rest of the ESM documentation suite.

Chapter 2: ArcSight Enterprise Security Management

ESM delivers comprehensive enterprise security management, advanced analysis and investigation, and options for remediation and expanded solutions, that are ready to configure and use right out of the box.

ESM normalizes and aggregates data from devices across your enterprise network, provides tools for advanced analysis and investigation, and offers options for automatic and workflow-managed remediation. ESM gives you a holistic view of the security status of all relevant IT systems, and integrates security into your existing management processes and workflows.

    ESM Enables Situational Awareness 15
    ESM Anatomy 17
    SmartConnectors 18
    ArcSight Manager 22
    CORR-Engine Storage 23
    User Interfaces 23
    Use Cases 24
    Interactive Discovery 24
    Threat Detector 25
    ESM on an Appliance 26
    Logger 26
    ArcSight Solutions 27
    About Resources 27

ESM Enables Situational Awareness

Like the security system at a major art museum, your network security operation must flawlessly protect objects of vital importance to your organization. At the art museum, security operations teams monitor, analyze, and investigate a continuous feed of data, including surveillance video, card reader logs, and tightly calibrated climate controls. One of the surveillance cameras detects a person testing a locked door. A card reader registers a log-in from a janitor who only works one day a week. The humidity control in the priceless painting collection wavered by a fraction of a percent. Are these isolated events, or part of a coordinated break-in attempt?

Being able to correlate data from many different collection points and add logic, such as checking whether it's the janitor's day to work, or whether the person checking the locked door has done it before to this or other doors in the building, is vital to knowing when and how to act.

ESM collects, normalizes, aggregates, and filters millions of events from thousands of assets across your network into a manageable stream that is prioritized according to risk, vulnerabilities, and the criticality of the assets involved. These prioritized events can then be correlated, investigated, analyzed, and remediated using ESM tools, giving you situational awareness and real-time incident response.

- Correlation: Many interesting activities are often represented by more than one event. Correlation is a process that discovers the relationships between events, infers the significance of those relationships, prioritizes them, then provides a framework for taking actions.
- Monitoring: Once events have been processed and correlated to pinpoint the most critical or potentially dangerous of them, ESM provides a variety of flexible monitoring tools that enable you to investigate and remediate potential threats before they can damage your network.
- Workflow: The workflow framework provides a customizable structure of escalation levels to ensure that events of interest are escalated to the right people in the right timeframe. This enables members of your team to do immediate investigations, make informed decisions, and take appropriate and timely action.
- Analysis: When events occur that require investigation, ESM provides an array of investigative tools that enable members of your team to drill down into an event to discover its details and connections, and to perform functions, such as NSlookup, Ping, PortInfo, Traceroute, WebSearch, and Whois.
- Reporting: Briefing others on the status of your network security is vital to all who have a stake in the health of your network, including IT and security managers, executive management, and regulatory auditors. ESM's reporting and trending tools can be used to create versatile, multi-element reports that can focus on narrow topics or report general system status, either manually or automatically, on a regular schedule.

Micro Focus offers on-demand, ready-made security solutions for ESM that you can implement as-is, or you can build your own solutions customized for your environment using ESM's advanced correlation tools.

ESM Anatomy

ESM uses SmartConnectors to gather event data from your network. SmartConnectors translate event data from devices into a normalized schema that becomes the starting point for correlation.

The Manager processes and stores event data in the CORR-Engine. Users monitor events using ArcSight Console or the ArcSight Command Center, which can run reports, develop resources, perform investigation and system administration. ESM's basic architecture becomes a framework for additional ArcSight products that manage event flow, facilitate event analysis, and provide security alerts and incident response.

The topics that follow describe ESM's basic components and products that enhance its features.

SmartConnectors

SmartConnectors are the interface to the objects on your network that generate correlation-relevant event data. After collecting event data from network nodes, they normalize the data in two ways: normalizing values (such as severity, priority, and time zone) into a common format, and normalizing the data structure into a common schema. SmartConnectors can then filter and aggregate events to reduce the volume of events sent to the Manager, which increases ESM's efficiency and accuracy, and reduces event processing time.

SmartConnectors enable you to execute commands on the local host, such as instructing a scanner to run a scan. SmartConnectors also add information to the data they gather, such as resolving IP addresses and host names, so that the Manager does not have to perform that lookup.

SmartConnectors perform the following functions:

- Collect all the data you need from a source device, so you do not have to go back to the device during an investigation or audit.
- Save network bandwidth and storage space by filtering out data you know will not be needed for analysis.
- Parse individual events and normalize them into a common schema (format) for use by ESM.
- Aggregate events to reduce the quantity of events sent to the Manager.
- Categorize events using a common, human-readable format. This saves you from having to be an expert in reading the output from a myriad of devices from multiple vendors, and makes it easier to use those event categories to build filters, rules, reports, and data monitors.
- Pass events to the Manager after they have been processed.
- Depending on the network node, some SmartConnectors can also instruct the device to issue commands to devices. These actions can be executed manually or through automated actions from rules and some data monitors.

Micro Focus releases new and updated ArcSight SmartConnectors regularly.

ArcSight Management Center

ArcSight Management Center (ArcMC) is a hardware solution that hosts the SmartConnectors you need in a single device with a web-based user interface for centralized management.

ArcMC offers unified control of SmartConnectors on the appliance itself, remote ArcMCs, and software-based SmartConnectors installed on remote hosts.

The ArcSight Management Center:

- Supports bulk operations across all SmartConnectors and is ideal in ArcSight deployments with a large number of SmartConnectors
- Provides a SmartConnector management facility in Logger-only environments
- Provides a single interface through which to configure, monitor, tune, and update SmartConnectors

ArcSight Management Center does not affect working SmartConnectors unless it is used to change their configuration.

ArcSight Management Center is an ideal solution when connectors target multiple heterogeneous destinations (for example, when Logger is deployed along with ESM), in a Logger-only environment, or when a large number of SmartConnectors are involved, such as in an MSSP deployment.

Supported Data Sources

ESM collects output from data sources like network nodes, intrusion detection and prevention systems, vulnerability assessment tools, firewalls, anti-virus and anti-spam tools, encryption tools, application audit logs, and physical security logs.

The graphic below shows the common network security data sources that ESM supports and ways you can analyze their output in ESM.

For a complete list of SmartConnector products ESM supports, see the ESM documentation page. Click the product documentation link, select ArcSight Connectors Documentation, and select the link to the SmartConnector configuration guide of interest.

SmartConnectors can be installed directly on devices or separately on SmartConnector-dedicated servers, depending on the network node reporting to them. The SmartConnector can be co-hosted on the device if the device is a general-purpose computer and its function is all software-based, such as ISS RealSecure, Snort, and so on. For embedded data sources, such as most Cisco devices, and Nokia Checkpoint firewall appliances, co-hosting on the device is not an option. To learn more about deployment options, see the ArcSight ESM Installation and Configuration Guide.

During configuration, a SmartConnector is registered to an ArcSight Manager, the central server component of the ESM solution, and configured with characteristics unique to the devices it reports on and the business needs of your network. By default, SmartConnectors maintain a heartbeat with the Manager every 10 seconds. The Manager sends back any commands or configuration updates it has for the SmartConnector. The SmartConnector sends new event data to the Manager in batches of 100 events, or once every second, whichever comes first. The time and event count intervals are all configurable.

FlexConnector

The FlexConnector framework is a software development kit (SDK) that enables you to create your own SmartConnector tailored to the nodes on your network and their specific event data.

FlexConnector types include file reader, regular expression file reader, time-based database reader, syslog, and Simple Network Management Protocol (SNMP) readers. For more information about FlexConnectors and how to use them, contact your ArcSight customer service representative.

Forwarding Connector

The Forwarding Connectors forward events between multiple Managers in a hierarchical ESM deployment, and/or to one or more Logger deployments. For more about the Forwarding Connector, see the Connector Configuration Guide for ArcSight Forwarding Connector.

ArcSight Manager

The ArcSight Manager is the heart of the solution. It is a Java-based server that drives analysis, workflow, and services. It also correlates output from a wide variety of security systems.

The Manager writes events to the CORR-Engine as they stream into the system. It simultaneously processes them through the correlation engine, which evaluates each event with network model and vulnerability information to develop real-time threat summaries.

ESM comes with default configurations and standard foundation use cases consisting of filters, rules, reports, data monitors, dashboards, and network models that make ESM ready to use upon installation. You can also design the entire process that the Manager drives, from detection, to correlation, to escalation. The ArcSight Professional Services department is available to help with this design and setup.

CORR-Engine Storage

The Correlation Optimized Retention and Retrieval (CORR) Engine is a proprietary data storage and retrieval framework that receives and processes events at high rates, and performs high-speed searches.

For more about CORR-Engine, see "CORR-Engine" on page 112.

User Interfaces

ESM provides the following interfaces depending on your role and the tasks you need to perform:

- ArcSight Command Center
- ArcSight Console

The ArcSight Command Center

The ArcSight Command Center provides a streamlined interface fo
