The IT infrastructure of modern enterprises is becoming more complex day by day. Many systems generate a huge amount of information that needs to be processed and analyzed, including screening it for real and potential security threats. You can hire a dozen or two administrators, but it is much cheaper and more efficient to install a SIEM system that can collect data from many sources, analyze it, and report possible risks and vulnerabilities in the corporate IT infrastructure. In addition, it helps prevent cybercrime related to fraud, theft of information, and other incidents.

According to the analyst firm Gartner, for several years one of the undisputed leaders in the global market for SIEM solutions has been ArcSight by Hewlett Packard Enterprise. This product, originally developed for the needs of US law enforcement agencies, was later allowed to be used by commercial enterprises. ArcSight was founded in 2000, and in 2010 it was acquired by HP, which continues to develop the ArcSight solution and promote it in the markets of the United States, Europe and other countries. In Russia, it appeared back in 2007. Since then, about 400 implementation projects have been carried out for the system, for which the FSTEC has recently issued the NDV 4 certificate, which guarantees the absence of undeclared capabilities. This means that ArcSight can now be used in projects for the protection of PDN and the protection of AIS that do not contain a state secret. HPE ArcSight's capabilities in gathering, analyzing, and visualizing information security events are well known to Russian organizations; in addition, an extensive partner network of system integrators has formed around this solution, successfully carrying out ArcSight implementation projects.
Hewlett Packard Enterprise, HP's successor, continues to develop ArcSight, improving existing components and developing new ones. One of the new products, ArcSight User Behavior Analytics, reveals anomalies based on the analysis of user behavior and complements the traditional correlation, which is the basic function of ArcSight. The traditional correlation mechanism works on the basis of rules that capture abnormal user actions. When an incident is detected, it either notifies the information security administrator or automatically performs the specified operation: runs a script, blocks the user, etc. In addition, the behavioral mechanism of User Behavior Analytics reports incidents whose pattern and characteristics are not yet known to administrators.
In developing User Behavior Analytics, the principle of self-learning on the daily activity of users was applied. Thereafter, activity that does not fit into the profile of normal behavior is recorded as suspicious, in accordance with the calculated risk level. An example of such behavior is a change in the usual actions of a user who, on ordinary days, sends no more than a dozen emails and suddenly sends 100 or 1000 messages. User Behavior Analytics automatically generates an individual behavioral profile for each user, and when the user goes beyond it, the system raises a corresponding alert. This approach simplifies the work of information security administrators, allowing them to respond only to important incidents and events.
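The baseline-and-deviation idea described above, as an added illustration that is not ArcSight's own code or algorithm: each user's profile is learned from constructed daily e-mail counts, and a day's count is scored by how far it sits above that user's own baseline. The thresholds, user names and counts are assumptions for the example.

```python
from statistics import mean, pstdev

# Constructed sample: daily outbound e-mail counts per user over a learning window.
HISTORY = {
    "alice": [8, 10, 12, 9, 11, 10, 8, 12, 9, 11],      # a "dozen a day" user
    "bob":   [40, 45, 38, 50, 42, 47, 41, 44, 39, 46],  # a heavier but regular sender
}

def build_profiles(history):
    """Self-learning step: per-user (mean, standard deviation) of daily sends."""
    return {user: (mean(counts), pstdev(counts)) for user, counts in history.items()}

def risk_level(profile, observed, sigma_floor=1.0):
    """Return (z, level): z is how many standard deviations the day's count lies
    above the user's own baseline; the level bands are assumed for this example."""
    mu, sigma = profile
    sigma = max(sigma, sigma_floor)  # very regular users would otherwise divide by ~0
    z = (observed - mu) / sigma
    if z >= 20:
        level = "critical"
    elif z >= 6:
        level = "high"
    elif z >= 3:
        level = "medium"
    else:
        level = "none"
    return round(z, 2), level

def score_day(profiles, counts):
    """Return only the users whose day falls outside their own profile, so an
    administrator sees the important deviations rather than every count."""
    alerts = {}
    for user, n in counts.items():
        if user not in profiles:
            alerts[user] = (n, None, "no-baseline")  # new account: nothing learned yet
            continue
        z, level = risk_level(profiles[user], n)
        if level != "none":
            alerts[user] = (n, z, level)
    return alerts

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    print(score_day(profiles, {"alice": 100, "bob": 100, "carol": 5}))
```

Note that the same 100 messages is rated "critical" for alice and only "high" for bob, because each user is compared with their own profile, not a global one.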
Another new solution on the HPE ArcSight platform is DNS Malware Analytics. It analyzes DNS traffic and provides full visibility of the IT infrastructure, which helps to identify network vulnerabilities even before attackers take advantage of them. The idea of analyzing DNS traffic in order to detect malicious activity originated in the HP Labs research division four years ago, and the solution created by its specialists was tested inside HP for a year and a half, searching for infected machines under the control of intruders. HPE ArcSight DNS Malware Analytics was thus field tested under difficult conditions: a complex heterogeneous network and a huge number of employees.
Today this solution is also available to Russian customers. Its principle of operation is as follows: an infected machine tries to download or transfer something outside the corporate network; these actions trigger negative behavior profiles, and information security administrators are notified of what is happening, including the type of malicious Trojan that has infected a specific computer. Since the system analyzes only DNS traffic, it integrates easily with any network, and there is no need to purchase expensive network equipment. As a rule, traditional protective measures guard the network perimeter (DMZ), but not all infected traffic passes through it, because an employee working on a laptop can be anywhere (at home, at the airport, in a cafe, etc.). DNS traffic analysis makes it possible to identify such infected devices and protect the corporate network from them. Finally, DNS traffic is easier to aggregate: it is enough to configure the infrastructure so that a copy of the traffic is concentrated in one place. HPE will ensure the correct operation and updating of the signatures that denote infection in DNS traffic.
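To make the two detection paths in the description concrete (a signature match that names the family, and a negative behavior profile), here is an added example that is not part of HPE's product: it runs over constructed resolver log lines with a placeholder signature feed. The log format, the `bad-c2.example` domain, the family name and the "many unique subdomains under one domain" profile are all assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed resolver log: timestamp, client IP, query name, record type.
DNS_LOG = """\
2024-01-10T09:00:01 10.0.5.12 mail.corp.example A
2024-01-10T09:00:03 10.0.5.12 updates.vendor.example A
2024-01-10T09:00:05 10.0.5.77 cdn.corp.example A
2024-01-10T09:00:06 10.0.5.77 a1b2c3.bad-c2.example TXT
2024-01-10T09:00:07 10.0.5.77 d4e5f6.bad-c2.example TXT
2024-01-10T09:00:09 10.0.5.77 g7h8i9.bad-c2.example TXT
2024-01-10T09:00:10 10.0.5.12 intranet.corp.example A
"""

# Constructed signature feed (placeholder domain): known bad domain -> family to report.
SIGNATURES = {"bad-c2.example": "ExampleTrojan"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parent_domains(qname):
    """Yield the name and each parent, so a signature on a domain also matches its subdomains."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def registered_domain(qname):
    """Crude two-label 'registered domain'; a real deployment would use a public-suffix list."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def analyze(log_text, signatures, subdomain_threshold=3):
    """Return {client_ip: [(when, what, label), ...]} for clients that hit a signature
    or whose behavior matches a negative profile (many distinct names under one domain)."""
    findings = defaultdict(list)
    unique_names = defaultdict(set)  # (client, registered domain) -> distinct query names
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole batch
        ts, client, qname, _qtype = m.groups()
        unique_names[(client, registered_domain(qname))].add(qname.lower())
        for d in parent_domains(qname):
            if d in signatures:
                findings[client].append((ts, qname, signatures[d]))
                break
    for (client, dom), names in unique_names.items():
        if len(names) >= subdomain_threshold:
            findings[client].append(("profile", dom, f"{len(names)} unique subdomains"))
    return dict(findings)
```

Because the profile check needs no signature, it can still surface a host talking to a domain the feed has never seen, which is the gap the signature path alone leaves open.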
HPE ArcSight developers track the latest market trends and changes in customer preferences. Every year in the US, worldwide ArcSight user conferences are held, where wishes for the implementation of new features are discussed and new modules and functions are announced. User conferences are held with the same regularity in Moscow. Of particular interest in the selection of reports are projects that, implemented with the help of ArcSight, managed to solve complex or non-trivial tasks in the field of information security.
In addition to the story about the new components of HPE ArcSight, I would like to recall the key pillars of the solution. First of all, it is the Security Data Platform, a set of functions responsible for collecting and classifying events, as well as their storage and archiving. The product, along with the connectors that perform remote event gathering, includes a Logger that stores the events and provides regular search and analysis, as well as a free Management Center that updates connectors, backs up the entire event-collection infrastructure, and monitors it. Such capabilities suit customers who need information about information security incidents not in real time, but in the form of reports for a week, a month, etc. The Security Data Platform is licensed by the amount of processed data, that is, by the amount of data received by connectors from the customer's devices. Today, the connectors that are part of the Security Data Platform support over 350 different information systems from different manufacturers as event sources, but using the free SDK, customers or partners can write such a connector for any system themselves. The SDP module is a full-fledged product; therefore, enterprises that do not need additional capabilities acquire only it.
Another basic component of ArcSight, Enterprise Security Manager, monitors information security events in real time. This component is necessary for those who need an immediate response to incidents. Enterprise Security Manager is licensed based on the number of events processed per second. The minimum license threshold is 250 events per second. For comparison, it is enough to note that Hewlett Packard Enterprise itself handles 40-50 thousand events per second. Inside the ESM is the Threat Detector module, which detects threats not by pre-programmed signatures, but by analyzing unusual behavior and repeated activity of users or applications. For medium or small businesses, a special edition, ArcSight ESM Express, is offered, also a completely independent product. It differs from the "large" ESM perhaps only in the absence of a few functions, such as support for a fault-tolerant cluster.
Finally, ArcSight Threat Central, an online threat knowledge base, allows you to share information about threats and how to detect and eliminate them, and the MarketPlace portal contains rules and indicators of identified threats (security packages) and additional applications. HPE developers hope that the company's partners will also join in forming such security packages and creating additional applications.
Of course, all the problems in the field of information security, both external and internal, are primarily caused by the human factor. Moreover, this may not be a malicious action, but simple inattention and disregard of rules and regulations. Often, the staff of information security departments pay no special attention to small incidents until an emergency happens. At the same time, SIEM solutions such as HPE ArcSight, on the one hand, help to keep the situation under control and, on the other hand, promptly report potential problems that, if ignored, can lead to disastrous consequences.