ArcSight priority formula
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
ArcSight priority formula Fred Thiele, Managing Principal, South Pacific
@fgthiele #HPProtect
Our journey
• The priority formula
• Let's understand the ins and outs
• Look at some examples
• Take advantage of our new knowledge
The priority formula is the most misunderstood and underutilized feature in ArcSight!
How often have we all seen this…
The basics
Priority formula
• The priority formula is applied to every single event ingested into ArcSight
• Base events, correlation events and internal events – everything is evaluated the same
• Priority is made up of 4 parts: Relevance, Model Confidence, Severity, Criticality
• Fully customisable: an XML file defines the priority formula (ThreatLevelFormula.xml)
agentSeverity
How applicable is the attack against the target host?
Relevance (R)
Effect: Relevance provides full or partial support for incoming agentSeverity
Requirement: Heavily dependent on port and vulnerability scanning data
Factors (default value 10):
• Port scanned? –5
• Vulnerability scanned? –5
• Port open? +5
• Is vulnerable? +5
Possible values:
• 10 Highly relevant
• 5 Partially relevant
• 0 Irrelevant
How much do we know about an asset?
Model Confidence (MC)
Effect: Moderates the effect of Relevance on Priority
Requirement: Heavily dependent on asset, port and vulnerability data
Factors: asset, port and vulnerability data (figure: MC of 0, 4, 8, 8 or 10 depending on which of Asset / Port / Vuln data are present for the target; an asset in the DB with no scan data is 4, per the example later in the deck)
Output: Model Confidence is combined with Relevance to become Model Confidence and Relevance (MCR).
What is the likelihood the given event is applicable to our environment?
Model Confidence and Relevance (MCR)
Effect: Dampens the effect of agentSeverity if Relevance < 10
Requirement: Model Confidence and Relevance
Output: A percentage that moderates the effect of Relevance on Priority if Relevance is < 10.
Formula:
$$\mathrm{MCR} = \frac{R}{(R + MC) - \frac{R \cdot MC}{10}}$$
How suspicious is the attacker and/or target? Have I seen them before?
Severity (S)
Effect: Adds a maximum of 30% to agentSeverity [1 + S × (3/100)]; list contributions are cumulative
Requirement: Proper utilization of system lists
Factors (system lists):
• Recon: +1 (103%)
• Suspicious: +3 (109%)
• Compromised: +3 (109%)
• Hostile: +5 (115%)
• Infiltrators: +6 (118%)
Output: System severity lists are a huge benefit to your information security analysts! Utilize these lists in your analysts' workflow and rules.
How does your business view this asset?
Criticality (C)
Effect: Adds or removes support for agentSeverity (+/– 20%); the (C – 8)/10 term is weighted at 20% in the formula, so the effective factor runs from 0.84 at Unknown to 1.04 at Very High
Requirement: Proper utilization of system categories
Factors (system categories):
• Unknown: 0 (20%)
• Very Low: 2 (40%)
• Low: 4 (60%)
• Medium: 6 (80%)
• High: 8 (100%)
• Very High: 10 (120%)
Pro tip: Know the business value of your assets!
Priority formula
Priority = agentSeverity × Vulnerability × Threat × Impact, where the three multipliers are:

Vulnerability – Model Confidence & Relevance (MCR), a percentage:
$$\mathrm{MCR} = \frac{R}{(R + MC) - \frac{R \cdot MC}{10}}$$

Threat – Severity (S), 1.00 – 1.30:
$$1 + \frac{S \cdot 3}{100}$$

Impact – Criticality (C), weighted at 20%, .84 – 1.04:
$$1 + 20\% \cdot \frac{C - 8}{10}$$

Put together (agentSeverity and Priority are both on the 0–10 scale):
$$\text{Priority} = \text{agentSeverity} \times \frac{R}{(R + MC) - \frac{R \cdot MC}{10}} \times \left(1 + \frac{3S}{100}\right) \times \left(1 + 0.2 \cdot \frac{C - 8}{10}\right)$$
Examples
General rules of thumb to follow
Priority guidelines
• Numbers 0–10 are fed to an algorithm to produce a factor
  – The end result is a percentage to multiply agentSeverity against
• If Model Confidence is 0, Relevance has no effect on Priority
  – Means that, by default, MCR has no effect on Priority
• If Relevance is 0, Priority is always 0
• Criticality drags down Priority until Criticality hits 8 (High)
Baseline
agentSeverity
• Unknown – 2
• Low – 4
• Medium – 6
• High – 9
• Very-High – 10
Why is Priority != agentSeverity?
Asset in Asset DB
Relevance = 10
• Is port scanned / is port open? (0)
• Is vscanned / has vuln? (0)
Model Confidence = 4
• Asset in DB (+4)
Scanned asset – port 80 open (event not against the open port, so no +5)
Relevance = 10 – 5 = 5
• Is port scanned / open? (–5)
• Is vscanned? (0)
Scanned asset – attack against port 80
Relevance = 10 – 5 + 5 = 10
• Is port scanned? (–5)
• Is port open? (+5)
• Is vscanned? (0)
What’s the difference? Baseline
Port scanned + attack against open port
Knowing your network saves time and enables risk-based decision making
Importance of network modelling
(Chart: Priority of the same event under successive modelling steps – Asset in Database; Scanned, non-open port; Recon; Recon + Suspicious; Recon + Suspicious + Hostile; Very-Low Asset Criticality; Very-High Asset Criticality)
Effects of formula on priority – in summary
Priority by agentSeverity (rows) for MCR values of 0.50, 0.71 and 1.00 under three combined Severity × Criticality factors: Low Crit/Sev (.84), Mid Crit/Sev (1.08), High Crit/Sev (1.35).

agentSeverity | Low Crit/Sev (.84)   | Mid Crit/Sev (1.08)  | High Crit/Sev (1.35)
              | MCR .50  .71  1.00   | MCR .50  .71  1.00   | MCR .50  .71  1.00
      0       |      0    0    0     |      0    0    0     |      0    0    0
      1       |      1    1    1     |      1    1    2     |      1    1    2
      2       |      1    2    2     |      2    2    3     |      2    2    3
      3       |      2    2    3     |      2    3    4     |      3    3    5
      4       |      2    3    4     |      3    4    5     |      3    4    6
      5       |      3    3    5     |      3    4    6     |      4    5    7
      6       |      3    4    6     |      4    5    7     |      5    6    9
      7       |      3    5    6     |      4    6    8     |      5    7   10
      8       |      4    5    7     |      5    7    9     |      6    8   10
      9       |      4    6    8     |      5    7   10     |      7    9   10
     10       |      5    6    9     |      6    8   10     |      7    9   10
In practice
Asset data is critical; have a plan to get it into ArcSight!
Where to start
Start small and utilize vulnerability scanning
• Define a set of network ranges internally (zones)
• Vulnerability scan those ranges
• Import the vulnerability scan using a supported vulnerability scan connector
• Make sure to associate the vscan connector with the correct network/customer!
• Assets will auto-create within zones and be tagged with open ports
Enable your analysts
• Implement a process to enable analysts to add attackers to system lists
• Enable analysts to define critical assets (e.g., tagging assets with categories)
Once you have the basics, expand your scope
Expand the scope of the model
Auto-update network model
• Define source(s) of truth
• Aggregate weekly
• Transform aggregate to ArcSight language
• Import/update network model for the latest and greatest
Utilize automated tools
• UCMDB (HP) and RedSeal work really well
• Export data to CSV, script a transform, import to ArcSight
Default priority formula may not be suited to everyone
Get fancy
Fully customisable
• /opt/arcsight/manager/config/server/ThreatLevelFormula.xml
• Priority formula is just an XML file
• Documented in the online help
• Powerful markup
Pro tips
• If you have deleted the system lists, just recreate the lists and modify the ThreatLevelFormula
• Additional items can be added to the XML file with very little configuration
• Vulnerability mappings are highly dependent on context updates!
• Utilise Risk Insight for additional dashboards in the SOC
Risk Insight
• Pre-built dashboards and metrics
• Utilises the Priority Formula and Network Model
• Integrates with ArcSight Command Centre
• Intended for utilisation in Security Operations
• Makes for great executive dashboards!
Visualise priority
For more information
Attend these sessions
• TB3153, Improving IR Workflow in HP ArcSight using risk-based escalation
• TT3062 – Reduce security analysis time from hours to minutes…
Visit these demos
• DEMO3525 – Find threats with HP ArcSight ESM
After the event
• Contact your sales rep • www.hpenterprisesecurity.com
Session TB3593 Speaker Fred Thiele
Thank you