Creating custom threat reporting with HP ArcSight
Eric Itangata, Taras Kachouba
Analyst Security Operations, Global Risk and Security, Diebold
AGENDA
• Overview
• Industry Threat Reports
• The Need
• Content
• Building Your Report
• Q&A
Industry Threat Reports
• There are a number of valuable resources in the industry that provide threat information and predictions
• Most notably, Verizon's DBIR, Symantec's ISTR, and Websense's Threat Report
• These provide good information on the state of threats in the industry, but may not be specific to your organization or industry
• Every organization should be aware of what threats affect them specifically on a daily basis. What trends are affecting you?
The Need…
• You want to be able to tell management specific information
• Chances are they have read the industry reports
• It is important to stay abreast of not only the threat landscape, but also how it impacts you
KEY INFORMATION
• This is going to be what is important to you, your management, and your organization.
• Some key information is:
  • Malware outbreaks
  • DDoS attacks
  • Malicious connection attempts
  • Bad actors (internal and external)
  • Top IDS alerts
  • Top firewall blocks
  • Top internal talkers
  • Phishing
Where to Start
• Once you identify what you want to include in your report, you need to gather this information
• This information can come from a number of sources, but the best source to use is your ArcSight platform
Baselines
• You need to have a good understanding of your network to know what normal activity looks like
• ArcSight comes with a large volume of pre-loaded content
• Some of this content needs to be tweaked for your environment
Device Reporting
• The information for your threat report will come from a number of devices
• Firewalls, IDS/IPS, WAF, IIS, etc. will provide good detail on external threats
• AV, HIPS, DLP agent information, etc. provide information on endpoint events
• Windows/Linux event logs, DLP, proxy, etc. are good sources for brute force attacks, data exfiltration, and user activity threats
• Database security devices are good sources of potential data compromise
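To show how the "Key Information" sections (top IDS alerts, top firewall blocks, top internal talkers) can be gathered from device events and checked against a baseline, here is an added example that is not part of the original deck or of ArcSight itself. It assumes the events have been exported from ArcSight in Common Event Format (CEF); the device product names, the set of "block" actions and the internal address ranges are illustrative assumptions, and the sample events are constructed, not real log data.

```python
"""Aggregate CEF events into the 'top N' sections of a custom threat report.

Added example (not from the deck). Assumes an ArcSight CEF export; the
product classification, block actions and internal ranges are assumptions.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample events (not real log data). CEF layout:
# CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
SAMPLE_EVENTS = [
    "CEF:0|Snort|IDS|2.9|2100498|GPL ATTACK_RESPONSE id check|7|src=203.0.113.5 dst=10.0.0.12 dpt=80 act=alert",
    "CEF:0|Snort|IDS|2.9|2100498|GPL ATTACK_RESPONSE id check|7|src=203.0.113.9 dst=10.0.0.12 dpt=80 act=alert",
    "CEF:0|Snort|IDS|2.9|2019284|ET SCAN Potential SSH Scan|5|src=198.51.100.7 dst=10.0.0.20 dpt=22 act=alert",
    "CEF:0|Cisco|ASA|9.1|106023|Deny tcp|4|src=198.51.100.7 dst=10.0.0.20 dpt=3389 act=deny",
    "CEF:0|Cisco|ASA|9.1|106023|Deny tcp|4|src=198.51.100.7 dst=10.0.0.20 dpt=3389 act=deny",
    "CEF:0|Cisco|ASA|9.1|106023|Deny tcp|4|src=203.0.113.5 dst=10.0.0.21 dpt=445 act=deny",
    "CEF:0|Cisco|ASA|9.1|302013|Built outbound TCP connection|2|src=10.0.0.55 dst=192.0.2.10 dpt=443 act=permit",
    "CEF:0|Cisco|ASA|9.1|302013|Built outbound TCP connection|2|src=10.0.0.55 dst=192.0.2.11 dpt=443 act=permit",
    "CEF:0|Cisco|ASA|9.1|302013|Built outbound TCP connection|2|src=10.0.0.12 dst=192.0.2.10 dpt=443 act=permit",
    "CEF:0|Microsoft|Windows|2012|4625|An account failed to log on|3|src=10.0.0.77 duser=admin act=failure",
]

# Assumed classification of device products; adjust to your own connectors.
IDS_PRODUCTS = {"IDS", "IPS"}
FIREWALL_PRODUCTS = {"ASA", "Firewall"}
BLOCK_ACTIONS = {"deny", "drop", "block", "blocked"}
# Assumption: "internal" means RFC 1918 space; replace with your address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_PIPE = re.compile(r"(?<!\\)\|")                 # a pipe not escaped by a backslash
_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")   # key=value pairs; values may contain spaces


def parse_cef(line):
    """Return header fields plus extension keys as a dict, or None if malformed."""
    parts = _PIPE.split(line.strip(), maxsplit=7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        return None
    event = {"vendor": parts[1], "product": parts[2], "version": parts[3],
             "signature_id": parts[4], "name": parts[5], "severity": parts[6]}
    event.update({k: v.strip() for k, v in _EXT.findall(parts[7])})
    return event


def parse_events(lines):
    """Parse all lines, silently dropping anything that is not valid CEF."""
    return [e for e in (parse_cef(line) for line in lines) if e]


def is_internal(addr):
    """True if addr parses as an IP inside one of the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def top_ids_alerts(events, n=5):
    """Most frequent signature names seen from IDS/IPS products."""
    return Counter(e["name"] for e in events if e["product"] in IDS_PRODUCTS).most_common(n)


def top_firewall_blocks(events, n=5):
    """Most frequent blocked src->dst:port tuples from firewall products."""
    blocked = (e for e in events
               if e["product"] in FIREWALL_PRODUCTS and e.get("act", "").lower() in BLOCK_ACTIONS)
    return Counter(f"{e.get('src', '?')}->{e.get('dst', '?')}:{e.get('dpt', '?')}"
                   for e in blocked).most_common(n)


def top_internal_talkers(events, n=5):
    """Internal source addresses generating the most events of any kind."""
    return Counter(e["src"] for e in events if "src" in e and is_internal(e["src"])).most_common(n)


def compare_to_baseline(current, baseline, factor=2.0):
    """Flag (key, count, baseline) entries that are new or at least `factor` times
    their baseline count; `current` is a list of (key, count), `baseline` a dict."""
    flagged = []
    for key, count in current:
        base = baseline.get(key, 0)
        if base == 0 or count >= factor * base:
            flagged.append((key, count, base))
    return flagged


def build_report(lines, n=5):
    """Assemble the report sections from raw CEF lines."""
    events = parse_events(lines)
    return {"event_count": len(events),
            "top_ids_alerts": top_ids_alerts(events, n),
            "top_firewall_blocks": top_firewall_blocks(events, n),
            "top_internal_talkers": top_internal_talkers(events, n)}


if __name__ == "__main__":
    report = build_report(SAMPLE_EVENTS)
    for section, rows in report.items():
        print(section, rows)
    # Constructed baseline counts from an assumed earlier reporting period
    print("above baseline:", compare_to_baseline(report["top_ids_alerts"],
                                                 {"GPL ATTACK_RESPONSE id check": 1}))
```

The per-section counters are the report's "top N" tables; `compare_to_baseline` is the piece that turns the Baselines slide into a check, by keeping only entries that are new or have grown past a multiple of their prior count, so the report highlights what changed rather than restating what is normal for the environment.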