ArcSight SIEM Partner Guide
Revision: H2CY10
Related Documents
Before reading this guide, read the Design Overview. This guide is part of the SBA document set, which consists of the Design Overview, Design Guides, Deployment Guides, and Supplemental Guides.
Table of Contents
Cisco SBA for Large Agencies: Borderless Networks .......... 1
Agency Benefits .......... 3
Technology Partner Solution Overview .......... 4
Deploying ArcSight Express .......... 6
Collecting Logs, Events, and Correlated Events .......... 11
Generating Reports .......... 13
Maintaining the SIEM Solution .......... 15
Common Troubleshooting Tips .......... 16
Example of a Day Zero Attack (Malware-Infected Customer Network) .......... 17
Products Verified with Cisco SBA .......... 18
Appendix A: SBA for Large Agencies Document System .......... 19
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO. Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Cisco Unified Communications SRND (Based on Cisco Unified Communications Manager 7.x) 2010 Cisco Systems, Inc. All rights reserved.
Agency Benefits
Agency networks are growing rapidly in size and complexity, linked with suppliers, customers, and operational partners. The network perimeter has dissolved, and the distinction between external and internal threats has blurred. As a result, agencies have become increasingly focused on correlating network activity with user activity monitoring in the context of transactions on critical assets. Agencies are looking for a mission-critical IT and security operations solution that provides agency-wide threat management, real-time correlation and response, and flexible monitoring and reporting capabilities to meet their rigorous regulatory compliance needs. ArcSight, a leader in SIEM, provides solutions that serve as the mission control center for real-time agency-wide threat management, compliance reporting, and automated network response. The ArcSight EnterpriseView for Cisco application adds powerful predefined content (correlation rules, dashboards, and reports) that allows customers to monitor activity, configuration changes, availability, and threats across their Cisco infrastructure. In addition, this application correlates alerts from Cisco infrastructure with security events from the rest of the agency, providing a comprehensive risk and threat management solution that meets regulatory compliance needs.
Faster ROI for Security and IT-Operations and Reduced Compliance Risk
- Complements Cisco Security MARS deployments by adding compliance reporting and support for event logging from multiple vendors
- Provides cost-effective long-term storage for log data so that IT operations can investigate faults
- Streamlines the compliance process for various corporate regulations, such as Sarbanes-Oxley, PCI, HIPAA, SB1386, and Basel II
same monitoring infrastructure (ArcSight SmartConnectors) to capture, normalize, and categorize events and logs from Cisco networking and security devices.
ArcSight ESM
ArcSight ESM protects demanding private and public organizations throughout the world. Using its broad log data collection capability, combined with its powerful event correlation engine, ArcSight ESM can detect sophisticated threats crossing multiple types of security products. ArcSight ESM extends the reach of Cisco threat management and response, by performing sophisticated event correlation of Cisco network events and alerts with a broader set of agency-wide event-sources (systems, databases, and applications). As a result, customers can detect threats in time to take effective action.
ArcSight Logger
ArcSight Logger provides cost-effective long-term log management and storage, as well as automated compliance reporting. By storing up to 42 TB of log data on a single appliance while supporting search speeds of millions of events per second across structured and unstructured data, ArcSight Logger offers a flexible means of retaining event data from Cisco networking devices for years. ArcSight Logger supports automated reporting for SOX, PCI DSS, NERC, and other regulations, integrating Cisco Security MARS data with other agency information.
ArcSight Express
ArcSight Express combines the industry-leading real-time correlation and log management technologies from ESM and Logger in one pre-packaged, easy-to-use SIEM solution for the mid-market. Express is referred to as the "security expert in a box" and ships with several built-in correlation rules, dashboards, and compliance reports. ArcSight Express provides a rapidly deployable, low-cost mid-market solution for monitoring Cisco infrastructure.
Table 1. Comparison of ArcSight SIEM Products

Product         | Description                               | No. of Users (Admin) | Events Per Second
ArcSight ESM    | Real-time Event Correlation and Reporting | Unlimited            | 15K/instance, linearly scalable
ArcSight Logger | Long-term Event Logging and Reporting     | Unlimited            | 100K/instance, linearly scalable
ArcSight Express| Event Correlation and Logging for SMB     | Unlimited            | 5K/instance, linearly scalable
3. Select whether you would like to forward events to the ArcSight Storage Appliance for long-term storage.
4. Enter the host name or IP address of the ArcSight Storage Appliance and the name of the SmartMessage Receiver created on the ArcSight Storage Appliance.
Figure 4. ArcSight Console Showing a List of Cisco SmartConnectors Registered with ArcSight ESM
Use Case                                         | Description
Cisco Generic Intrusion Prevention System (IPS)  | The Cisco Generic IPS use case provides reports and dashboards based on alerts generated by any Cisco IDS/IPS devices or modules.
Cisco Adaptive Security Appliance (ASA)          | The Cisco ASA use case provides firewall information based on events reported by Cisco ASA 5500 Series Adaptive Security Appliances.
Cisco IPS Sensor                                 | The Cisco IPS Sensor use case provides event statistics and configuration changes reported by Cisco IPS sensors such as the Cisco IPS 4200 Series appliance, Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM), and Cisco ASA Advanced Inspection and Prevention Security Services Module (AIP-SSM).
Cisco IOS IPS                                    | The Cisco IOS IPS use case provides event statistics and configuration change information reported by Cisco IOS IPS devices present in your network.
Cisco IronPort Email Security Appliance (ESA)    | The Cisco IronPort Email Security Appliance use case identifies and provides web traffic information based on events reported by Email Security Appliances present in your network.
Cisco IronPort Web Security Appliance (WSA)      | The Cisco IronPort Web Security Appliance use case identifies and provides web traffic information based on events reported by Web Security Appliances present in your network.
Cisco Network                                    | The Cisco Network use case identifies and provides information based on events reported by Cisco network equipment.
Cisco Cross-Device                               | The Cisco Cross-Device use case provides information about logins, configuration changes, and bandwidth consumption across all Cisco devices in your environment.
Cisco Generic Firewall                           | The Cisco Generic Firewall use case identifies and provides firewall information based on events reported by any Cisco firewall device or module in your network.
Following are some sample screen shots for Cisco Generic Firewall use cases.

Figure 5. ArcSight Dashboard for Cisco Generic Firewall Events
Generating Reports
The ArcSight Solution Guide: Cisco Insight Package v1.0 describes the several pre-packaged reports that can be used to track logins, configuration changes, and other events involving Cisco devices in your environment. The following table lists the information presentation and data processing resources that support the Cisco Overview use cases in the ArcSight Solution Guide.

Cisco Resource                          | Overview Report Description
Overview of Cisco Configuration Changes | Displays summary information on configuration changes to Cisco devices such as the change count per day, per hour, top affected device, and top involved users.
                                        | Displays summary information about top allowed systems reported by Cisco firewall devices in the last 24 hours such as the top inbound (or outbound) sources and destinations.
                                        | Displays summary information about top denied systems reported by Cisco firewall devices in the last 24 hours such as the top inbound (or outbound) blocked sources and destinations.
                                        | Displays summary information on login attempts recorded by Cisco devices such as the top successful and failed login sources and destinations.
                                        | Displays summary information on login attempts recorded by Cisco devices such as the attempt count per day, per product, and top users with successful and failed logins.
                                        | Displays summary information about alerts reported by Cisco IPS devices in the last 24 hours such as alerts per day, the top alerts, and top attackers and targets involved.
Cisco Firewall Trend and Port Overview  | Displays summary information on firewall events from Cisco devices such as the inbound (or outbound) connections per day and top inbound (or outbound) blocked ports.

The following figure shows a sample pre-defined report for Cisco Firewall activity.

Figure 7. ArcSight Trend Reports on Cisco Firewall Activity
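The overview reports above and the Cross-Device and Generic Firewall use cases all rest on the same two steps: normalize each raw Cisco syslog message into named fields, then roll those fields up per user, source, or port. The following is an added illustration, not code from the guide or from ArcSight's SmartConnectors, of those two steps over a few constructed Cisco IOS/ASA syslog lines; the message bodies follow Cisco's published message formats, while the host names, user names and addresses are assumed.

```python
import re
from collections import Counter

# Constructed sample lines (not captured from real devices); bodies follow Cisco IOS/ASA formats.
SAMPLE_LOGS = [
    "<189>Dec 10 09:01:02 rtr1: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<189>Dec 10 09:05:44 rtr1: %SYS-5-CONFIG_I: Configured from console by bob on vty1 (10.0.0.7)",
    '<164>Dec 10 09:10:00 asa1: %ASA-4-106023: Deny tcp src outside:198.51.100.7/40211 dst inside:10.1.1.10/22 by access-group "OUTSIDE_IN"',
    '<164>Dec 10 09:10:05 asa1: %ASA-4-106023: Deny tcp src outside:198.51.100.7/40212 dst inside:10.1.1.10/23 by access-group "OUTSIDE_IN"',
    "<182>Dec 10 09:12:30 asa1: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = bob",
    "<180>Dec 10 09:13:00 rtr1: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bob] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]",
    "<181>Dec 10 09:14:00 rtr1: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22]",
]

# One pattern per Cisco message ID; named groups are the normalized fields the reports need.
PATTERNS = {
    "config_change": re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on \S+ \((?P<src>[\d.]+)\)"),
    "fw_deny": re.compile(r"%ASA-4-106023: Deny \w+ src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"),
    "login_failed": re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED: .*\[user: (?P<user>\S+)\] \[Source: (?P<src>[\d.]+)\]"),
    "login_success": re.compile(r"%SEC_LOGIN-5-LOGIN_SUCCESS: .*\[user: (?P<user>\S+)\] \[Source: (?P<src>[\d.]+)\]"),
    "aaa_reject": re.compile(r"%ASA-6-113015: AAA user authentication Rejected .* user = (?P<user>\S+)"),
}

def normalize(line):
    """Map one raw syslog line to (category, fields); unrecognized message IDs become 'other'."""
    for cat, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return cat, m.groupdict()
    return "other", {}

def summarize(lines):
    """Roll-ups mirroring the overview reports: changes per user, top denied sources and ports,
    failed-login users and sources, successful-login sources."""
    s = {k: Counter() for k in ("config_changes_per_user", "top_denied_sources", "top_denied_ports",
                                "failed_login_users", "failed_login_sources", "successful_login_sources")}
    for line in lines:
        cat, f = normalize(line)
        if cat == "config_change":
            s["config_changes_per_user"][f["user"]] += 1
        elif cat == "fw_deny":
            s["top_denied_sources"][f["src"]] += 1
            s["top_denied_ports"][f["dport"]] += 1
        elif cat in ("login_failed", "aaa_reject"):
            s["failed_login_users"][f["user"]] += 1
            if "src" in f:  # the ASA AAA reject message carries no source address
                s["failed_login_sources"][f["src"]] += 1
        elif cat == "login_success":
            s["successful_login_sources"][f["src"]] += 1
    return s
```

`summarize(SAMPLE_LOGS)["top_denied_sources"].most_common(3)` yields the "top blocked sources" view; the same counters bucketed by timestamp give the per-day and per-hour figures the reports describe.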
With the ArcSight Compliance Insight Packages for various regulations (e.g., SOX, PCI, IT Governance) on ArcSight ESM or Express, customers get pre-defined compliance reports for those regulations. Here is a sample compliance report for Sarbanes-Oxley (SOX).

Figure 8. ArcSight Compliance Reports for Sarbanes-Oxley
Common Troubleshooting Tips
These troubleshooting steps help diagnose and correct problems with getting Cisco events consumed and processed by ArcSight. Refer to the ArcSight Administrator Guides for ArcSight ESM, Logger, and Express for ArcSight platform-specific troubleshooting.
My device is on the list of supported products, but it does not appear in the SmartConnector Configuration Wizard.
Your device is likely served by a syslog sub-connector of either file, pipe, or daemon type.
2. Take a snapshot of qualifying event activity from current or historical events, and choose Discover Patterns.
3. The resulting pattern tree displays the transactional relationship of the attack patterns. Right-clicking a specific cell in the tree lets you investigate further (e.g., show the event graph) or automatically create a rule to mitigate the threat if it is persistent.

Both ArcSight Express and ESM have the Pattern Discovery feature available to detect, investigate, and rapidly respond to unknown (zero-day) attacks.
Appendix A: SBA for Large Agencies Document System

The SBA for Large Agencies document system consists of the Design Overview, Design Guides, Deployment Guides, and Supplemental Guides.
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
C07-640734-00 12/10