improving ir workflow - using risk-based escalation in hp arcsight esm

Improving IR Workflow Using Risk-Based Escalation in HP ArcSight ESM MetaNet IVS @meta_net http://MetaNetIVS.com

Upload: anton-goncharov

Post on 29-Nov-2014


DESCRIPTION

We leveraged the power of HP ArcSight ESM to build advanced content which enables custom, risk-based, automated incident workflow.

TRANSCRIPT

  • 1. Improving IR Workflow Using Risk-Based Escalation in HP ArcSight ESM MetaNet IVS @meta_net http://MetaNetIVS.com
  • 2. What This Talk Is About. We leveraged the power of ArcSight ESM to build advanced content which enables custom, risk-based, automated incident workflow.
  • 3. Why Should You Care. Objectives: show the capability of ArcSight ESM as a platform; teach the audience to create uncommon use cases based on novel ideas; share our stories and practical experience.
  • 4. Larry Wichman, Security Engineer, Kemper; Anton Goncharov, Principal, MetaNet IVS.
  • 5. The Customer. Diversified insurance holding company; individual and small business market.
  • 6. Customer Environment. Feeds: MS Windows Server, McAfee AntiVirus, CheckPoint Firewall, Cisco ASA, Snort IDS, McAfee Web Gateway, Foundstone, Nessus Vulnerability Scanner. EPS: 600. Cases per Day: 1-2. Enterprise Systems: 9000. Enterprise Users: 3000. Things We Like: dashboards and drill-downs. Things We Dislike: the ESM client is not appropriate for our management; querying multiple Active Lists at once.
  • 7. The Problem. Triggered rules don't translate well into actionable events or Cases.
  • 8. The Idea. Three risk tiers: Low Risk (Severity Score 1), Medium Risk (Severity Score 2), High Risk (Severity Score 3). Indicator examples, in the order shown on the slide: AV: Malware Found and Cleaned; Proxy: Blocked Outbound Connection; FW: Outbound SSH Connection; AV: Malware Found and Not Cleaned; AV: File Infected; Proxy: Blocked Connection (non-US); IDS: High Severity Alert; Threat Intel: Connection to Known C&C Host; AV: Buffer Overflow; SIEM: Compromise Event to Vulnerable Asset. Score combinations that reach the threshold: 1 + 1 + 1, 1 + 2, 3.
  • 9. Solutions Provider. SIEM and event management solutions provider with a heavy focus on HP ArcSight and Splunk solutions; based in San Francisco, CA, with team members world-wide. Custom SIEM tools and methodologies. Experts in: maintenance of challenging environments, complex integrations, distributed architectures, custom solutions for a variety of applications, services catered to customer needs. Purveyors of Finely Crafted Analytics.
  • 10. THE SOLUTION
  • 11. Logic Flow. Obligatory Confusing Chart. Point With Stick.
  • 12. Content Overview: Filters, Rules, Active Lists, Cases, Reports.
  • 13.–18. Content Detail (one diagram built up over six slides; elements as labelled): Low Severity Filters, Medium Severity Filters, High Severity Filters; Risk Score Set 1, Risk Score Set 2, Risk Score Set 3; rules Risk Score +1, Risk Score +2, Risk Score +3; Risk Score 1pt and Risk Score 2pts+ conditions, each with a Not branch; Case Alert; Case Notification.
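As an added example (not content from the talk, and not ArcSight rule syntax), a small Python model of the escalation logic described on slides 8 and 13–18: severity filters map an event to a +1/+2/+3 score that accumulates per system, and a case opens only once a system reaches 3, via 1+1+1, 1+2 or a single 3. The tier assigned to each indicator and the rule that one indicator counts only once per host are this example's assumptions.

```python
from collections import defaultdict

# Constructed severity filters: (device, event name) -> severity score; which tier
# each slide-8 indicator belongs to is this example's assumption.
SEVERITY_FILTERS = {
    ("av", "Malware Found and Cleaned"): 1,
    ("proxy", "Blocked Outbound Connection"): 1,
    ("fw", "Outbound SSH Connection"): 1,
    ("av", "File Infected"): 2,
    ("ids", "High Severity Alert"): 2,
    ("ti", "Connection to Known C&C Host"): 3,
}
CASE_THRESHOLD = 3  # slide 23: only systems reaching 3+ trigger incident response

class RiskEscalation:
    def __init__(self):
        self.seen = set()              # (host, device, name) already scored
        self.score = defaultdict(int)  # host -> accumulated risk score (the active list)
        self.cases = []                # hosts for which a case was opened, in order

    def process(self, host, device, name):
        """Apply the +1/+2/+3 rule; return the host's score, or None if no filter matched."""
        tier = SEVERITY_FILTERS.get((device, name))
        if tier is None:
            return None
        if (host, device, name) in self.seen:   # assumption: an indicator counts once per host
            return self.score[host]
        self.seen.add((host, device, name))
        self.score[host] += tier
        if self.score[host] >= CASE_THRESHOLD and host not in self.cases:
            self.cases.append(host)             # Case Alert and Case Notification fire here
        return self.score[host]

def run_demo():
    """Constructed events covering the 1+1+1, 1+2 and 3 paths plus a host that stays below 3."""
    events = [
        ("ws01", "av", "Malware Found and Cleaned"),
        ("ws01", "av", "Malware Found and Cleaned"),      # repeat of the same indicator: ignored
        ("ws01", "proxy", "Blocked Outbound Connection"),
        ("ws01", "fw", "Outbound SSH Connection"),        # 1+1+1 -> case
        ("ws02", "fw", "Outbound SSH Connection"),
        ("ws02", "ids", "High Severity Alert"),           # 1+2 -> case
        ("srv01", "ti", "Connection to Known C&C Host"),  # 3 -> case
        ("ws03", "av", "File Infected"),                  # 2, stays below threshold
    ]
    engine = RiskEscalation()
    for ev in events:
        engine.process(*ev)
    return engine
```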
  • 19. Rule Example: Risk Score +2
  • 20. THE RESULTS
  • 21. Reduction In Generated Cases
  • 22. Other Customizations: Workflow
  • 23. Final Thoughts (diagram of systems labelled with risk scores of 1, 2 and 3). Only systems reaching 3+ risk severity will trigger incident response.
  • 24. http://MetaNetIVS.com/downloads @meta_net Thank You