Device Status Monitoring: Local Picture on a Global …• Device Monitoring content is new in ESM...
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Device Status Monitoring: Local Picture on a Global Scale
Alexei Suvorov, Sr. Security Engineer
This is a rolling (up to three year) Roadmap and is subject to change without notice.
Forward-looking statements
This document contains forward looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Hewlett Packard's predictions and / or expectations as of the date of this document and actual results and future plans of Hewlett-Packard may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions.
HP confidential information
This Roadmap contains HP Confidential Information. If you have a valid Confidential Disclosure Agreement with HP, disclosure of the Roadmap is subject to that CDA. If not, it is subject to the following terms: for a period of 3 years after the date of disclosure, you may use the Roadmap solely for the purpose of evaluating purchase decisions from HP and use a reasonable standard of care to prevent disclosures. You will not disclose the contents of the Roadmap to any third party unless it becomes publicly known, is rightfully received by you from a third party without duty of confidentiality, or is disclosed with HP's prior written approval.
Device Status Monitoring content
Included in the ESM next beta
Agenda
− Business need and use case
− Definition of device
− Connector component "Device Status Monitoring"
− Content architecture overview
− Environment scenarios
− Summary
Use case examples
• Which firewall is inactive?
• Which web server is new?
• Is a critical device inactive for more than one hour?
[Figure: events flow from Devices to Connectors to ESM]
Definition: Device
A device is a unique combination of these five fields:
• deviceHostName
• deviceVendor
• deviceProduct
• deviceZone
• customer
Definition: Active or inactive
Device status
• Active: the connector received events from the device since the last check
• Inactive: the connector did not receive events from the device since the last check
The “Device Status Monitoring” Connector feature
Device Status Monitoring (DSM) is a connector functionality
Connector Device Status Events (agent:043)
The Connector Device Status internal event includes:
• Device Event Class ID = agent:043
• Device Vendor
• Device Product
• Device Address
• Device Host Name
• Event Count
• Time stamp of last event received
Content architecture overview
Content architecture and design
• Device Monitoring content is new in the ESM next beta
• Part of the standard ArcSight Administration package
All product views are illustrations and might not represent actual product screens
Content architecture and design, continued
[Figure: content components: agent:043 events, Rules, Active Lists, Queries, Query viewers, Dashboards, Reports]
Content architecture and design, continued
Dashboards:
• All monitored devices
• Critical monitored devices
• Panels color-coded on inactivity time
Content architecture and design, continued
Reports:
• Devices detected inactive - Last N Days
• New devices detected - Last N Days
Report example:
Content architecture and design, continued
Active lists
1. Monitored Devices All – populated automatically by rule
2. Monitored Devices Whitelist – populated manually
3. Monitored Devices Critical – populated with critical devices (entries copied over manually)
4. Critical Devices – used to import critical devices from a CSV file
Content architecture and design, continued
Rules
• Trigger on agent:043 events
• Update active lists
• Send email notification when a device is inactive
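As an added illustration (not ArcSight product code and not part of the deck), this Python sketch models the rule logic described above together with the device and status definitions: devices are keyed by the five fields, constructed agent:043-style status events update a "Monitored Devices All" set, and a critical device with no events for more than one hour raises the alert that the email notification rule would send. The zone and customer values, the reading of Event Count as "events since last check", the check time and the colour thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Five fields that uniquely identify a device (from the slide).
DEVICE_KEY_FIELDS = ("deviceHostName", "deviceVendor", "deviceProduct", "deviceZone", "customer")
CRITICAL_INACTIVITY = timedelta(hours=1)   # use case: "inactive for more than one hour"
# Dashboard colour bands are assumptions, not product settings.
COLOR_BANDS = [(timedelta(minutes=15), "green"), (timedelta(hours=1), "yellow")]
# Constructed time of the current check (assumption).
NOW = datetime.fromisoformat("2014-06-10T10:00:00")

# Constructed agent:043-style status events (not real connector output); zone and
# customer are added here so that the five-field key can be built.
STATUS_EVENTS = [
    {"deviceEventClassId": "agent:043", "deviceHostName": "fw01", "deviceVendor": "Acme",
     "deviceProduct": "Firewall", "deviceZone": "DMZ", "customer": "Corp",
     "eventCount": 120, "lastEventReceived": "2014-06-10T09:55:00"},
    {"deviceEventClassId": "agent:043", "deviceHostName": "web01", "deviceVendor": "Acme",
     "deviceProduct": "WebServer", "deviceZone": "DMZ", "customer": "Corp",
     "eventCount": 0, "lastEventReceived": "2014-06-10T08:40:00"},
    {"deviceEventClassId": "agent:043", "deviceHostName": "web02", "deviceVendor": "Acme",
     "deviceProduct": "WebServer", "deviceZone": "Internal", "customer": "Corp",
     "eventCount": 15, "lastEventReceived": "2014-06-10T09:59:00"},
]
# "Monitored Devices Critical" active list, populated manually (constructed entries).
CRITICAL = {("fw01", "Acme", "Firewall", "DMZ", "Corp"), ("web01", "Acme", "WebServer", "DMZ", "Corp")}

def device_key(ev):
    """Five-field identity used for every active-list lookup."""
    return tuple(ev[f] for f in DEVICE_KEY_FIELDS)

def color(gap):
    """Map inactivity time to a dashboard panel colour (thresholds assumed)."""
    for limit, name in COLOR_BANDS:
        if gap < limit:
            return name
    return "red"

def process(events, monitored_all, critical, now):
    """Rule pass: trigger on agent:043, update 'Monitored Devices All', flag inactive devices."""
    result = {"new": [], "inactive": [], "critical_alerts": [], "colors": {}}
    for ev in events:
        if ev.get("deviceEventClassId") != "agent:043":
            continue                                   # rules trigger only on status events
        key = device_key(ev)
        if key not in monitored_all:                   # unknown device: added automatically
            result["new"].append(key)
            monitored_all.add(key)
        gap = now - datetime.fromisoformat(ev["lastEventReceived"])
        result["colors"][key] = color(gap)
        if ev["eventCount"] == 0:                      # no events since last check -> inactive
            result["inactive"].append(key)
            if key in critical and gap > CRITICAL_INACTIVITY:
                result["critical_alerts"].append(key)  # email notification would fire here
    return result
```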
Environment scenarios
Scenario 1
• The original connector has Device Status Monitoring (DSM) enabled
• agent:043 events from the original connector are sent to ESM
[Figure: Device → Connector (original connector, agent:043) → ESM]
Scenario 2
• The connector parses IP addresses and host names of the original devices
• agent:043 events carry information about the original devices
[Figure: Device → Final device → Connector → ESM]
Summary
[Figure: events from devices → Connectors (agent:043 events) → ESM → (!) Inactive device detected]
Summary
Device Monitoring Content
• Distributed computing: stats gathered at the Connectors, not at ESM
• Light: ESM does not process tons of base events
• Efficient: minimum impact on ESM performance
• Accurate: fully tested in multiple environments
• User friendly: simple and easy to use
• Scalable: new devices added automatically
For more information
Attend these sessions
• Session TB3069ID, HP ArcSight ESM 24/7
After the event
• Contact your sales rep
• Visit the website at: https://protect724.hp.com/community/arcsight
Session TT3079 Speaker Alexei Suvorov
Thank you