Confidential - Proficio, Inc
Tips and Tricks for MSSPs Leveraging ArcSight ESM to Win Proof of Concepts
…“Make ArcSight Great Again” Was Not Approved as a Title to this Presentation
Introducing the Speakers
Bryan Borra, SOC and SIEM Director
Bryan manages the SIEM and SOC teams at Proficio. He previously worked at SAIC / Leidos / McAfee. He’s nicknamed “SIEM Destroyer” for creating the wrong content at the wrong time for a few SIEM instances.
Jordan Knopp, SIEM Content Engineer
Jordan leads the development of SIEM content for several key contracts for Proficio’s ProSOC Services. He also currently serves as Proficio’s in-house machine learning solution.
Tristan Reed, SIEM Content Engineer
Tristan leads the development of SIEM monitoring solutions for several products. He has recently been engaged in monitoring cloud platforms and specializes in bricking IoT devices to be used in demos.
Proficio, Southern California and Singapore based MSSP
Proficio is an award-winning MSSP that leverages HPE ArcSight ESM to provide a multitenant SIEM-as-a-Service offering along with 24x7 SOC monitoring (ProSOC).
Agenda
Introduce common problems we encounter as an MSSP
Detail solutions to these issues, including:
1. Running efficient reports
2. Deploying effective content architecture
3. Monitoring new cloud data sources
Reports: Modern Visuals
Reports: What We See
Reports: What Our Customers Told Us
Concurrently Running Reports Limit
Limit of 5 concurrently running reports, shown as “NumberOfReportsCurrentlyQueryingDB”
Ref: /All Dashboards/ArcSight Administration/ESM/System Health/Resources/Reporting/Report Details
Reports: What We Asked Ourselves
Reports Requirements as an MSSP
Run hundreds of reports on a weekly basis
Have customized templates for branding and client
Be able to provide SIEM-as-a-service around reporting
Never overload the reporting engine
Reports Templates: Header / Footer
Toggling the header and footer bubble will change the view of the whole template but only affect…
Reports Templates
Easy Hex Picker: http://www.ginifab.com/feeds/pms/pms_color_in_image.php
Select “Properties” on any chart control, then select “Advanced” on the “Chart” tab.
Reports: Trends and Active Lists
Higher EPS as an MSSP, lower report performance
SIEM-as-Service issues
Demand for monthly and weekly reports
Overload on scheduled reports for Fridays and Mondays
Reports: Trends Versus Active Lists
| Trends | Active Lists |
|---|---|
| Less than 1,000,000 events in a month | Less than 100,000 events in a month |
| Usually have to schedule hourly | Driven by simple rules |
| Can go back on historical data | Real-time as events are collected |
| Delays on collection by hour / day | Rules can trigger on repetition |
| More trend failures | Advantages of keys and value fields |
| Harder to set up than lists | TTLs are straightforward to manage |
| Advantage of aggregation | Session lists… what are those? |
Reports: Common Reports
| Trends | Active Lists |
|---|---|
| IDPS events of interest | Windows group changes |
| Antivirus events | Windows account lockouts |
| Event collection statistics | Firewall admin commands |
| Webfilter event statistics | Windows user account modifications |
| Windows account logon failures | Special security devices |
Sample Active List / Trend Setup
Active list path (sample: Windows Group Changes): Rule Action: Add to List → Add to Reporting List
Trend path (sample: IDPS Events of Interest): Schedule Hourly Trend → Gather Reporting Trend
Reports: Common Reports
1. IPS Summary
2. Windows Failed Logons
3. Firewall Command Summary
4. Blacklisted IP Correlation
Reports: Special Reports
1. CrowdStrike Summary
2. DARKTRACE Summary
3. Cylance Summary
Reports: Portal Reporting Solution
1. Choose Report Time
2. Choose Presentation
3. Choose Recipients
Content Architecture
Rule management
Designing rules for scalability
Additional correlation layers
Thinking Ahead
Rule Management
Requirements:
Accommodate blanket changes to multiple rules
Rules should be easily readable
Minimize complexity creep
Achievable through layers of abstraction
Additional Correlation Layer: Overview
Lower-level rules (AV Critical Threat Detected, IDS Spyware Detected, Vulnerability Scanning, Destination IP Watchlist, Super APT Zero Day, …etc.)
→ Base / Aggregated Events
→ Notification Rule (checks whitelists, checks destination)
→ Rule Action: Send Notification; Rule Action: Create Case
Advantages of Correlation Layering
Easier to manage: changes can be applied at a higher level (akin to CSS for HTML)
Easier to maintain: reduces clutter by distributing additional conditions
Low impact: efficient conditions are easy to create
Managing Rules
Rule Actions
Conditions at Higher Correlation Layer
Efficient conditions:
1. Set a unique value as a rule action in the lower-level correlation rules
2. Match on Type = Correlation
Lower level rule action
Ref “All operators are not created equal”:
https://www.protect724.hpe.com/docs/DOC-11160
Conditions at Higher Correlation Layer
Using filters:
1. Filters have a smaller performance impact in this layer
2. Filter names provide built-in documentation
Correlation Layering
| Independent Rules | Additional Correlation Layer |
|---|---|
| Changes applied individually to each rule | Most changes applied only on one rule |
| Difficult to annotate | Annotation through filters |
| Increasingly complex/inefficient | Very efficient |
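The layering described above, as an added Python illustration that is not part of the deck or of any ArcSight resource: each base rule tags the correlation event it produces, and a single higher-layer notification rule matches on Type = Correlation plus that tag, runs the whitelist and destination filters, and fires the shared actions. Rule names, the tag field, list contents and sample events are all constructed.

```python
"""Two-layer correlation in the style of an "additional correlation layer".
Added illustration, not ArcSight content or Proficio code; rule names,
the "tag" field, list contents and sample events are all constructed."""

WATCHLIST_DST = {"203.0.113.9"}                # constructed destination watchlist
WHITELIST_SRC = {"10.0.0.5"}                   # constructed: authorized scanner
NOISY_DST = {"198.51.100.1"}                   # constructed: known update server

# Base layer: independent detection rules. Each one, as its rule action, stamps
# a unique value ("tag") on the correlation event it produces, so the higher
# layer never has to re-evaluate the expensive base conditions.
BASE_RULES = {
    "AV Critical Threat Detected": lambda e: e["product"] == "av" and e["severity"] == "critical",
    "IDS Spyware Detected": lambda e: e["product"] == "ids" and "spyware" in e["name"].lower(),
    "Destination IP Watchlist": lambda e: e["dst"] in WATCHLIST_DST,
}

def base_layer(event):
    """Return one tagged correlation event per base rule that matches."""
    return [{"type": "Correlation", "tag": "notify:" + name, "rule": name,
             "src": event["src"], "dst": event["dst"]}
            for name, cond in BASE_RULES.items() if cond(event)]

# Higher layer: a single notification rule. Its cheap entry conditions are
# Type = Correlation plus the tag; named filters carry the whitelist and
# destination checks and double as documentation of why something is dropped.
FILTERS = {
    "Whitelist - Authorized Scanners": lambda c: c["src"] in WHITELIST_SRC,
    "Destination - Known Update Servers": lambda c: c["dst"] in NOISY_DST,
}

def notification_layer(corr):
    """Apply the shared filters and actions to one correlation event."""
    if corr.get("type") != "Correlation" or not corr.get("tag", "").startswith("notify:"):
        return []
    for filter_name, suppresses in FILTERS.items():
        if suppresses(corr):
            return [("suppressed", filter_name)]
    # Shared rule actions: changing them here changes them for every base rule.
    return [("send_notification", corr["rule"]), ("create_case", corr["rule"])]

def process(events):
    """Run raw events through both layers; return the resulting actions in order."""
    return [a for e in events for c in base_layer(e) for a in notification_layer(c)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"product": "av", "severity": "critical", "name": "Trojan.Generic", "src": "10.0.0.7", "dst": "10.0.0.20"},
    {"product": "ids", "severity": "medium", "name": "Spyware beacon", "src": "10.0.0.5", "dst": "10.0.0.20"},
    {"product": "fw", "severity": "low", "name": "allow", "src": "10.0.0.8", "dst": "203.0.113.9"},
    {"product": "av", "severity": "critical", "name": "PUA.Toolbar", "src": "10.0.0.9", "dst": "198.51.100.1"},
]
```

Adding a new scanner to the whitelist or a new action is a one-place change in the higher layer, which is the maintenance gain the slide is after.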
Effects of Correlation Layering
Before
After
Monitoring the Cloud: Sales Perspective
Monitoring the Cloud
Cloud Computing Services
Adapting Your View to IaaS
Building Use Cases
Cloud Computing Services
IaaS, PaaS, SaaS
Adapting Your View To IaaS
Same requirements for assets in the cloud
Monitoring infrastructure (as a service)
| Amazon Web Services Infrastructure | Traditional View |
|---|---|
| Security Groups | Firewall Policies |
| VPC Flow | Firewall Traffic |
| AWS API Calls (CloudTrail) | Infrastructure Management |
| Instances, Images, and Snapshots | Logical Infrastructure Hosting Assets |
Building Use Cases (AWS)
Identify available data sources
Implement business context modeling
Identify possible attack vectors
Identify malicious activity
Identify Data Sources (AWS)
Leverage Existing Audit Capabilities: AWS CloudTrail, Amazon CloudWatch
Identify Assets of Security Interest:

| Compute | Storage | Database | Networking |
|---|---|---|---|
| Amazon EC2 (AMI, instances) | Amazon S3 (snapshot, bucket) | Amazon DynamoDB, Amazon RDS, Amazon Redshift | Amazon VPC (flow logs, VPN gateway) |
Implement Business Context Modeling
1. Regular maintenance schedules (creating snapshots)
2. Authorized schedule for AWS account access
3. Typical locations (source addresses) for AWS access
4. Whitelist roles for 3rd party AWS accounts (e.g. CloudTrek)
Identify Potential Attack Vectors (AWS)
1. Vulnerable Web Services in EC2 Instance. Example: Server Side Request Forgery to the Meta-Data Server
2. Spear Phishing: an AWS developer’s credentials stolen via a malicious email
3. Unprotected Access Keys: a developer hard-coded credentials in a publicly accessible repository like GitHub
Identifying Events of Security Interest
Modifications to Security Groups
Creating Snapshots / Loading into Volumes
Running New Instances
User Policies
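Checking these events against the business context from the earlier slide (maintenance schedule, authorized access hours, typical source addresses, whitelisted third-party roles), as an added Python example that is not Proficio content or ArcSight rule logic: the eventName values are real CloudTrail API names; the tenant context, role ARN and records are constructed.

```python
"""Check CloudTrail records against modelled business context. Added example,
not Proficio content; the eventName values are real CloudTrail API names,
every other value below is constructed."""
from datetime import datetime
import ipaddress

# Business context for a hypothetical tenant (constructed placeholder values).
CONTEXT = {
    "snapshot_window_utc": (0, 2, 4),   # weekday (Mon=0), start hour, end hour
    "access_hours_utc": (8, 18),        # authorized console/API access window
    "typical_sources": [ipaddress.ip_network("198.51.100.0/24")],
    "whitelisted_roles": {"arn:aws:iam::123456789012:role/ThirdPartyPlaceholder"},
}
EVENTS_OF_INTEREST = {  # events from the slide, with a short description
    "AuthorizeSecurityGroupIngress": "security group modified",
    "CreateSnapshot": "snapshot created",
    "RunInstances": "new instance launched",
    "PutUserPolicy": "user policy changed",
}

def issuing_role(record):
    # ARN of the role behind an assumed-role session, or None for plain users
    ctx = record.get("userIdentity", {}).get("sessionContext", {})
    return ctx.get("sessionIssuer", {}).get("arn")

def evaluate(record):
    """Return the reasons a record deviates from the modelled context ([] = fits)."""
    name = record["eventName"]
    if name not in EVENTS_OF_INTEREST or issuing_role(record) in CONTEXT["whitelisted_roles"]:
        return []
    what, reasons = EVENTS_OF_INTEREST[name], []
    ts = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")  # CloudTrail times are UTC
    try:  # sourceIPAddress is a DNS name rather than an IP when an AWS service makes the call
        src = ipaddress.ip_address(record["sourceIPAddress"])
        if not any(src in net for net in CONTEXT["typical_sources"]):
            reasons.append(f"{what} from atypical source {src}")
    except ValueError:
        pass
    if name == "CreateSnapshot":  # expected only inside the maintenance window
        weekday, start, end = CONTEXT["snapshot_window_utc"]
        if not (ts.weekday() == weekday and start <= ts.hour < end):
            reasons.append(f"{what} outside maintenance window")
    elif not CONTEXT["access_hours_utc"][0] <= ts.hour < CONTEXT["access_hours_utc"][1]:
        reasons.append(f"{what} outside authorized hours")
    return reasons

# Constructed sample records carrying only the CloudTrail fields the checks use.
SAMPLE_RECORDS = [
    {"eventName": "CreateSnapshot", "eventTime": "2023-01-02T03:00:00Z",
     "sourceIPAddress": "198.51.100.10", "userIdentity": {"type": "IAMUser"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventTime": "2023-01-02T23:15:00Z",
     "sourceIPAddress": "203.0.113.50", "userIdentity": {"type": "IAMUser"}},
    {"eventName": "RunInstances", "eventTime": "2023-01-02T10:00:00Z", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer":
      {"arn": "arn:aws:iam::123456789012:role/ThirdPartyPlaceholder"}}}},
]
```

A record that fits the context produces no reasons, which is what keeps routine snapshots and the whitelisted third-party role out of the analyst queue.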
Questions?
www.Proficio.com
Thank you