Cfir Homeri Security Presales - Central Eastern Europe & Israel [email protected]

Post on 29-Sep-2020

Page 1: Cfir Homeri Security Presales - Central Eastern Europe & Israel, [email protected]

Page 2: The New ArcSight Architecture

Data sources: User, Cloud, App Servers & Workloads, Network, Endpoints, IoT, Physical

Components shown in the architecture diagram:

ARCSIGHT ENTERPRISE SECURITY MANAGER: 24x7 Real-time Monitoring & Correlation

UEBA: User Entity Behavior Analytics

ARCSIGHT LOGGER: Compliance | Search | Retention

ARCSIGHT INVESTIGATE: Hunt | Investigation

SECURITY OPEN DATA PLATFORM

MANAGEMENT CENTER: Suite Management & Administration

TRANSFORMATION HUB: Information delivery

SMART/FLEX CONNECTORS: Data Collection, Enrichment, and Normalization

CONTENT: Unified | Actionable | Insight

WEB CONSOLE: Accessible Monitoring & Platform Management

Page 3: ArcSight ESM 7.2

Page 4: Release Summary

Release Name: ArcSight ESM 7.2.0

GA Date: December 4, 2019

Gen10 Appliance GA Date: January 10, 2020

Key Themes: Simple, Intelligent, Open, Converged (Sentinel, Interset, ArcSight), etc.

Page 5: Release Highlights / What's New?

1. Global Event ID

2. Rules Action

3. AutoPass licensing support and Event Ingestion Metrics

4. MITRE ATT&CK Dashboard

5. Default content available on installation

Page 6: Global Event ID

ESM 7.2 includes the new Global Event ID feature. SODP assigns a unique event ID to each security event being ingested and distributed. That ID stays with the event as it moves to and through ArcSight Logger, ESM, and Investigate.

Benefits to the customer: Global Event ID helps customers track unique security events across their entire ArcSight ecosystem. They can quickly search for an event and verify that it is the one they are looking for. This facilitates threat investigation and cross-portfolio event analysis.

Page 7: Global Event IDs

Global Event IDs (GEIDs) uniquely identify an event in the ArcSight product suite. The ESM event schema now includes a Global Event ID field in addition to the Event ID field.

GEIDs are generated using a GEID generator ID. The generator ID is specified during a fresh install or upgrade and should ideally stay the same for the lifetime of the product.

The generator ID must be unique for each ArcSight product (e.g. connectors, ESM, Logger, etc.) in an ArcSight deployment.

Events received by ESM from external sources (connectors/TH) should have their GEIDs set by the external source. Only connectors from version 7.12 onwards support GEIDs in events.

Events generated internally by ESM (correlation events, audit events, monitor events, etc.) have their GEIDs set by ESM.

Page 8: Global Event ID - Where GEIDs can be viewed

GEIDs can be viewed in Active Channels, Filters, Query Viewers, etc.: all places where security event fields can be viewed.

Note that if the event source (connectors/TH) does not send events with the GEID set, ESM will not set it.

Events archived in previous versions of ESM, prior to upgrade, will not have GEIDs set in them upon reactivation.

Page 9: Rules Action Improvement

Improve concurrency of deferred rule action execution

Capture the result of external scripts

Page 10: Rules Action -- Improve the Concurrency

Multiple threads handle deferred rule actions.

Actions within one rule are executed in sequence.

The number of threads that process deferred rule actions is configurable: in server.properties, set rules.action.threads.

Page 11: Rules Action -- Capture the result of external scripts

The result of executing a rule action is saved in the action event, e.g. ExecuteCommand:Success.

The following fields are used to save the result in the action event:

Device Custom Number 1: Return value

Device Custom Number 2: Execution time

Device Custom String 5: Console output, when there is an error in execution. Limited to 200 characters.

Page 12: Rules Action -- Capture the result of external scripts (continued)

Return value error codes:

0: Success

1000: Invalid platform

1001: Exception in executing the script

Other value: Returned by the script

If a script returns a non-zero value (error), the console output is written to Device Custom String 5.
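As an added example that is not part of the deck or of ESM's own code, the following Python script shows how the result capture described on the last two slides can be modelled: run an external script, record its return value and execution time, keep the console output (cut to 200 characters) only when the script fails, and map the reserved codes 1000 and 1001 to the invalid-platform and exception cases. The dict keys deviceCustomNumber1, deviceCustomNumber2 and deviceCustomString5 are hypothetical names for the three action-event fields, and the helper python_command() only exists so the example has a portable "external script" to run.

```python
import platform
import subprocess
import sys
import time

# Return-value codes listed on the slide.
RC_SUCCESS = 0
RC_INVALID_PLATFORM = 1000
RC_EXCEPTION = 1001
CONSOLE_OUTPUT_LIMIT = 200   # characters kept in Device Custom String 5


def python_command(code):
    """Portable stand-in for an external script: the current Python running a snippet."""
    return [sys.executable, "-c", code]


def run_rule_action(command, supported_platforms=("Linux", "Windows", "Darwin"), timeout_s=30):
    """Run an external script and record the result the way the slides describe.

    The dict keys are hypothetical names for the action-event fields
    (Device Custom Number 1/2, Device Custom String 5), not ESM's schema keys.
    """
    result = {
        "deviceCustomNumber1": None,  # return value
        "deviceCustomNumber2": None,  # execution time in milliseconds
        "deviceCustomString5": None,  # console output, only on error
    }
    if platform.system() not in supported_platforms:
        result["deviceCustomNumber1"] = RC_INVALID_PLATFORM
        result["deviceCustomNumber2"] = 0
        result["deviceCustomString5"] = "unsupported platform: " + platform.system()
        return result

    start = time.monotonic()
    try:
        proc = subprocess.run(command, capture_output=True, text=True, timeout=timeout_s)
        rc = proc.returncode
        output = (proc.stdout + proc.stderr).strip()
    except Exception as exc:  # missing script, timeout, permission problem, ...
        rc = RC_EXCEPTION
        output = repr(exc)
    result["deviceCustomNumber2"] = int((time.monotonic() - start) * 1000)
    result["deviceCustomNumber1"] = rc
    if rc != RC_SUCCESS:
        # Console output is stored only on error and cut to 200 characters.
        result["deviceCustomString5"] = output[:CONSOLE_OUTPUT_LIMIT]
    return result


def describe_return_value(rc):
    """Meaning of a return value, as listed on the slide."""
    return {
        RC_SUCCESS: "Success",
        RC_INVALID_PLATFORM: "Invalid platform",
        RC_EXCEPTION: "Exception in executing the script",
    }.get(rc, "Returned by script")


if __name__ == "__main__":
    ok = run_rule_action(python_command("print('done')"))
    failed = run_rule_action(python_command("import sys; sys.stderr.write('x' * 500); sys.exit(3)"))
    missing = run_rule_action(["/nonexistent/definitely-missing-script.sh"])
    for r in (ok, failed, missing):
        print(r["deviceCustomNumber1"], describe_return_value(r["deviceCustomNumber1"]),
              r["deviceCustomNumber2"], "ms", repr(r["deviceCustomString5"])[:60])
```

The point worth noticing when reviewing action events is that a script's own non-zero code and the two reserved codes land in the same field, so a dashboard over Device Custom Number 1 should treat 1000 and 1001 as execution failures rather than as script results.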

Page 13: Sample Slide

If you are seeking additional funding outside of the annual Portfolio Operation Planning process, state specifics:

How many additional persons? <provide count>

Other funding needs: <provide details>

Business Justification: describe why this is necessary and should be considered, providing evidence and data to support the request.

Page 14: Scheduled Rules

What are scheduled rules?

They query historical events.

They run at a specified time interval (hourly, daily, weekly).

The scheduled rules engine is a batch rules engine that filters historical events, generates correlation events and executes rule actions like the real-time rules engine.

Page 15: 45-day EPS median report

With the new licensing model, ESM generates a 45-day median report every day at 23:59:59 UTC.

ESM maintains a history of average EPS, SEPS, MMEPS and license capacity.

The history of license usage is maintained in the MySQL database table arc_epd_stats.

Page 16: Calculations

EPD (Events Per Day) is the total number of events generated in a twenty-four hour clock period.

SEPS (Sustained EPS) is the "constant" Events Per Second that the system sustained within the twenty-four hour clock period. The formula used for this calculation is SEPS = EPD / ((60*60)*24).

MMEPS: using the SEPS information recorded per day, the Moving Median value is calculated over a 45-day data set, shifting the calculation window by one day every twenty-four hours after the first 45 days.

The median is calculated by sorting the SEPS values over the 45-day range and taking the middle one, or the average of the two middle values when an even number of SEPS values is available.

Page 17: MMEPS Calculation

For days 1..45 there isn't enough SEPS collected yet to compute the MMEPS, so an "approximate" MMEPS is displayed:

on day 2, this is the SEPS for day 1

on day 3, this is the average of the SEPS for days 1 and 2

on day 4, this is the median SEPS for days 1..3

and so on until day 46, when 45 days of SEPS are available and a real MMEPS can be computed.

To distinguish the "approx." MMEPS from the real MMEPS, the former is shown in gray, while the latter is shown in green/yellow/red.

Reference: https://wiki.arst.hpeswlab.net:8443/display/DEV/45-day+Moving+Median+EPS+Report+on+ACC
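The following Python is an added worked example of the SEPS and MMEPS calculation from the Calculations and MMEPS Calculation slides; it is not code from the deck or from ESM. It carries the slides' rules through: SEPS = EPD / ((60*60)*24), the "approximate" MMEPS for days 2..45 (median of the SEPS collected so far, which for day 3 is the average of two values), and the real 45-day moving median from day 46 on. The daily EPD series is constructed, and the green/yellow/red thresholds against licensed EPS in display_colour() are an assumption of this example, since the slide only says the real value is coloured.

```python
from statistics import median

SECONDS_PER_DAY = (60 * 60) * 24
WINDOW_DAYS = 45


def seps(epd):
    """Sustained EPS for one day: EPD / ((60*60)*24), the slide's formula."""
    return epd / SECONDS_PER_DAY


def mmeps_report(daily_epd):
    """Build one row per day from a list of daily EPD values (day 1 first).

    Each row is (day, seps, mmeps, is_approximate):
    - day 1 has no earlier SEPS, so mmeps is None;
    - days 2..45 carry the "approximate" MMEPS, the median of all SEPS
      collected on the previous days (day 2: SEPS of day 1; day 3: the
      average of days 1 and 2, i.e. the median of two values; ...);
    - from day 46 on, the real MMEPS is the median of the last 45 SEPS.
    """
    rows = []
    history = []  # SEPS of the days already completed
    for day, epd in enumerate(daily_epd, start=1):
        if not history:
            value, approximate = None, True
        else:
            window = history[-WINDOW_DAYS:]
            value = median(window)  # middle value, or mean of the two middle values
            approximate = len(window) < WINDOW_DAYS
        rows.append((day, seps(epd), value, approximate))
        history.append(seps(epd))
    return rows


def display_colour(mmeps, approximate, license_eps, warn_ratio=0.8):
    """Colour used to show an MMEPS value.

    Gray for approximate values, as on the slide. The green/yellow/red
    thresholds against licensed EPS are an assumption of this example;
    the slide does not state them.
    """
    if approximate or mmeps is None:
        return "gray"
    if mmeps < warn_ratio * license_eps:
        return "green"
    if mmeps < license_eps:
        return "yellow"
    return "red"


if __name__ == "__main__":
    # Constructed sample: EPD rising by 8,640,000 per day, i.e. SEPS of 100, 200, 300, ...
    sample = [8_640_000 * day for day in range(1, 51)]
    for day, s, m, approx in mmeps_report(sample):
        print(day, s, m, "approx" if approx else "real", display_colour(m, approx, 5000))
```

With this series the real MMEPS on day 46 is the median of SEPS 100..4500, i.e. 2300, and on day 47 the window has slid by one day, giving 2400; the gray approximate values for the first 45 days lag the real ones, which is why the slide separates them visually.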

Page 18: Accessing the report

Stats page: https://<esm_host>:8443/www/ui-phoenix/com.arcsight.phoenix.PhoenixLauncher/#eventStatistics

CLI tool (exports to a CSV file): bin/arcsight licenseusageexporter

Page 19: License Metrics

Page 20: ESM New Content for 7.2

Page 21: Agenda

Overview

New Default Content:

MISP Model Import Connector

Threat Intelligence Platform

Security Threat Monitoring

MITRE Tagging

Integration Command

Updates to Existing Content

Page 22: What is MITRE ATT&CK?

MITRE ATT&CK™ is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

MITRE ATT&CK™ includes three major components: Matrices, Tactics and Techniques.

Page 23: MITRE ATT&CK Dashboard

What: a dashboard showing events that match the MITRE ATT&CK matrix.

Why: having content that tags MITRE ATT&CK use cases enables the SOC to identify the threats the enterprise is facing. The dashboard provides an intuitive visualization of the threats identified.

Page 24: The Basics - The Pyramid of Pain

Page 25: MITRE ATT&CK - Blueprint for Attack Tactics & Techniques

Page 26: Visualization

Data source: /All Active Lists/ArcSightFoundation/MITRE ATT&CK/Rules Triggered with Mitre ID

Page 27: Details

Page 28: MITRE ATT&CK Activity Dashboard with Drilldown

The MITRE ATT&CK Activity Dashboard is a special visualization showing a tree-view structure: MITRE ATT&CK tactics in the middle, with techniques as the branches.

1) The user selects "MITRE Activity" from the main dashboards.

2) Within the tree visualization, the user selects a specific technique.

3) All real-time correlation rules related to that alert are shown on the right, along with more MITRE-related information.

4) When clicked, a special channel opens up with *ONLY* those events related to the selected technique.

Page 29: MITRE ATT&CK Activity Dashboard Drilldown Steps

1) The user selects a "MITRE Technique" from the main dashboard, e.g. "Brute Force".

2) All real-time correlation *rules* related to that alert are shown on the right, along with more MITRE-related information.

3) When a specific rule is clicked (e.g. "Brute Force OS and Application Attempts"), a special channel opens up with *ONLY* those events related to that rule.

Page 30: MITRE ATT&CK Activity Dashboard with Drilldown

1) The special active channel opens up with *ONLY* those events related to the rule associated with the chosen MITRE Technique, "Brute Force".

2) All other MITRE ATT&CK artifacts are displayed in the channel.

Page 31: MITRE ATT&CK Overview Dashboard

MITRE ATT&CK Matrix Overview Dashboard

MITRE ATT&CK-tagged correlated alerts/events and specific dashboards per MITRE Tactic and MITRE Technique ID are provided out of the box and as a downloadable MITRE ATT&CK Content Pack.

Page 32: Content: MISP as a Threat Intelligence Feed

Page 33: What is MISP?

MISP is an open source threat intelligence platform and a set of open standards for threat information sharing; it is a community-driven platform.

It has become an invaluable platform for NATO, European governments and CERTs.

It is a threat intelligence platform for gathering, sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.

Page 34: MISP as a Threat Intelligence Feed for ArcSight

A new Model Import Connector (MIC) for MISP has been developed.

The threat intelligence feed from MISP can be imported directly into ESM using this new MIC.

The new Threat Intelligence Platform content utilizes this MISP data.

Page 35: 5 x ESM Active Lists

Always up to date through the MISP CIRCL Model Import Connector.

Suspicious Email List @ ArcSight ESM

Suspicious Domain List @ ArcSight ESM

Suspicious Filehashes @ ArcSight ESM

Suspicious Full URL List @ ArcSight ESM

Page 36: Design Overview

2 new packages: Security Threat Monitoring and Threat Intelligence Platform

Page 37: Content: Threat Intelligence Platform

Page 38: Intelligence feed from MISP

The Threat Intelligence Platform (TIP) package detects security threats based on the data feed from MISP, which is collected by the MIC.

Customers can also import a feed from another source into ESM, using the same active list format.

Page 39: Use cases for Threat Intelligence Platform

Global Variables

Rules

Page 40: Reputation Data Overview

Page 41: Content: Security Threat Monitoring

Page 42: Use Cases for Security Threat Monitoring

The Security Threat Monitoring package detects attacks based on security logs from firewalls, IDS/IPS, operating systems, proxies, scanners, etc.

Use Cases

Rules

Page 43: Example - Entity Monitoring

Resources:

2 Active Channels

2 Dashboards

13 Rules

7 Data Monitors

13 Filters

3 Fieldsets

Page 44: MITRE ATT&CK Framework for ArcSight ESM

The MITRE Framework for ArcSight ESM is a set of ArcSight resources that monitor MITRE ATT&CK rules, and it includes the following end-user resources:

2 Dashboards

1 Active Channel

1 Integration Command

1 Report

Page 45: MITRE ATT&CK Framework for ArcSight ESM

The MITRE Technique is mapped to ArcSight Rules

Page 46: Examples: MITRE ATT&CK Overview Dashboard

Page 47: Examples: MITRE ATT&CK Targets Overview Dashboard

Brute force

Exploit of remote service

Page 48: Integration Commands

2 Integration Commands

Page 49: Logger 7.0

Page 50: What's New

24 TB of event storage per Logger

New Search UI

Search based on event occurrence time

EPS Licensing

Reporting:

Data Science: ability to use Python's data science / predictive analytics capabilities with Reporting

Reporting on ArcSight Investigate: Investigate's Vertica database can be added as a data source in Logger Reporting, allowing reports to be created on Investigate data

IP to Geo Mapping: ability to convert IP addresses to geo locations and create maps within reports

Out of the Box Content updates

Bonding/Trunking of NICs for Appliances

Gen 10

Peer search and reporting performance improvements (internal test metrics available!!!)

Page 51: 24 TB of Storage

Why? There is a need to collect more data, from more sources, and retain it for longer.

Adding more Loggers is one solution.

Adding more storage to a Logger is another solution.

Page 52: 24 TB of Storage - Storage Group, Storage Volume

24 TB in the Storage Volume.

12 TB for the Default Storage Group and 5 GB for Internal.

Page 53: UI Improvements - Search

Event Grid: drag and drop columns, resizable columns

Three types of event results grid: Grid View, Raw Event View, Column View

Event Details: hide/show null field values, expand/collapse field categories

Event Comparison

Query Syntax Highlight

Open Filter and Saved Search

Field set selector

Page 54: New Search UI - Query with Syntax Highlight

Page 55: New Search UI - Grid View

Page 56: New Search UI - Grid + Raw Event View

Page 57: New Search UI - Raw Event View

Page 58: New Search UI - Event Details

Page 59: New Search UI - Compare Events

Page 60: Logger Gen 10 (Tentative GA: Jan 4th 2020)

DL 360 Gen 10 L7700 Spec:

2 x Xeon-G 5118

2 x 12 cores = 24 cores

12 x 16 GB = 192 GB RAM

10 GB NIC: 2 port Ethernet, 2 port SFP

4 x 10 TB SAS 7.2K LFF = 40 TB HDD

30 TB with RAID 5

24 TB of live event data

Page 61: Reporting - Data Science

In Logger reporting, Python data science can be used to extract knowledge and gain insights from security data collected in Logger.

The Python installed on the OS (Red Hat/CentOS) is used.

Data science libraries are included in the Logger bits: scikit-learn, numpy, pandas, etc.

Turned off by default; the Admin Guide has a note on how to turn Data Science on.

Python can be used for non-data-science aspects as well.

Page 62: Data Science / Predictive Analytics

Create Query Object: MySQL / Logger search query

Data Science Step: Python script for learning and predicting

Format / other steps

Create Report: grid, chart

Page 63: Data Science Engine component, while creating a reporting Query Object

Python script of the Data Science Engine component

Page 64: Sample Data Science Use Case

Analyze firewall traffic by port and determine the probability of success for traffic to each port.

Compare future events to see if they conform to the model (i.e. if traffic on port 1234 fails 90% of the time, every successful access attempt on that port deserves attention).
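As an added example of the use case on this slide, not code from the deck or from Logger's Data Science step, the following plain Python learns a per-port success probability from a constructed batch of firewall events and then flags later successes on ports where success is rare. The training and future events are constructed and embedded inline, using the CEF extension keys dpt (destination port) and act (device action); the 10% threshold, the flag_unknown_ports switch and the function names are choices of this example.

```python
from collections import defaultdict

# Constructed training sample (not real logs): port 1234 fails 9 times
# out of 10, port 443 always succeeds, port 22 succeeds half the time.
TRAINING_LOG = (
    ["dpt=1234 act=deny"] * 9 + ["dpt=1234 act=accept"]
    + ["dpt=443 act=accept"] * 10
    + ["dpt=22 act=accept"] * 5 + ["dpt=22 act=deny"] * 5
)

# Constructed "future" events to compare against the learned model.
FUTURE_LOG = [
    "dpt=1234 act=accept",   # rare success on a 90%-fail port
    "dpt=1234 act=deny",
    "dpt=443 act=accept",
    "dpt=9999 act=accept",   # port never seen during training
]


def parse_event(line):
    """Return (destination port, succeeded) from a 'key=value ...' event line."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return int(fields["dpt"]), fields["act"].lower() == "accept"


def learn_port_success(lines):
    """Learning step: {port: probability that traffic to that port is accepted}."""
    counts = defaultdict(lambda: [0, 0])  # port -> [accepted, total]
    for line in lines:
        if not line.strip():
            continue
        port, accepted = parse_event(line)
        counts[port][1] += 1
        if accepted:
            counts[port][0] += 1
    return {port: accepted / total for port, (accepted, total) in counts.items()}


def flag_unexpected_successes(model, lines, max_success_prob=0.10, flag_unknown_ports=False):
    """Predicting step: successes on ports whose learned success probability is
    at or below max_success_prob do not conform to the model and are returned.
    Ports absent from the model are flagged only when flag_unknown_ports is set."""
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        port, accepted = parse_event(line)
        if not accepted:
            continue
        prob = model.get(port)
        if prob is None:
            if flag_unknown_ports:
                flagged.append(line.strip())
        elif prob <= max_success_prob:
            flagged.append(line.strip())
    return flagged


if __name__ == "__main__":
    model = learn_port_success(TRAINING_LOG)
    for port, prob in sorted(model.items()):
        print(f"port {port}: success probability {prob:.2f}")
    print("needs attention:", flag_unexpected_successes(model, FUTURE_LOG))
```

Whether a never-seen port counts as an anomaly is a policy decision for the report author: flagging it catches new services appearing behind the firewall, but on a noisy perimeter it quickly swamps the few rare-success hits the slide is actually after.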

Page 65: Reporting on ArcSight Investigate

Configure Vertica

Create Query Object

Create Reports: schedule, publish, export, charts / maps, data science

Page 66: Reporting - IP to Geo

The MaxMind library is used for converting IP addresses to geo locations.

The latest MaxMind data is available with Logger 7.0.

Context updates used by ESM are used by Logger as well: download the context update file from the Entitlements portal, then Logger Configuration -> Import Content.

Page 67: Report with IP to Geo - Recon Activity

Page 68: Logger Out of the Box Content

Major rework of content after 4 years

100+ New Reports:

Device Monitoring: OS, Anti-Virus, Networking, IDS-IPS, DGA, etc.

Foundation: Intrusion, MITRE, Networking, Vulnerability, etc.

OWASP

Cloud: CSA Treacherous 12

8 New Dashboards:

Malware Overview

DGA

MITRE

Attack and Suspicious Activity, etc.

Page 69: OWASP\A 7 - Cross-Site Scripting\XXS Vulnerabilities (Top Events)

Page 70: OWASP\A 2 - Broken Authentication\Broken Authentication Events (Signatures)

Page 71: MITRE Events

Page 72: MITRE - Radar Overview

Page 73: DGA - Clients by Outgoing Bytes to DGA Domains

Page 74: DGA Domains by Client IP Overview

Good for spotting DNS tunneling just from the graph

Page 75: DGA - Radar Overview

Page 76: DGA Dashboard

Page 77: Thank You

Predefined visualizations that use data from DNS connectors.

@ [email protected]