
ArcSight SIEM and data privacy best practices


Frank Lange, Sr. Sales Engineer

Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

A StreetView example


Data privacy in the SIEM world


National data protection laws
Data privacy guidelines
Works council requirements

Use cases:
Protect user-related data while still doing correlation
Prevent the forwarding of specific events outside of a legal entity while still retaining them locally


Elements we will talk about

ESM/Express

ArcSight Connector

Logger


Connector


Connector obfuscation configuration


Destination-specific setting in <agentID>.xml

One or many fields


Uses the MD5 hash algorithm
One-way operation
High performance

.\current\user\agent\3nOjT4xEBABCBuS8G8BXhnw==.xml

<Config AgentId="3nOjT4xEBABCBuS8G8BXhnw==" ...>
  ...
  <Setting ProcessingSettings.fieldstoobfuscate="attackerUserName,targetUserName"/>
  ...
</Config>
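A toy model of what the fieldstoobfuscate setting does and why correlation survives it, written as an added example for this page (not ArcSight code): the two field names from the setting above are replaced by their MD5 digest on constructed sample events, and a small failed-login rule is run before and after. Hex encoding of the digest, the sample events and the field names other than the two in the setting are assumptions.

```python
import hashlib

# Field names taken from the connector setting shown above (fieldstoobfuscate).
FIELDS_TO_OBFUSCATE = ("attackerUserName", "targetUserName")


def obfuscate_field(value: str) -> str:
    """One-way MD5 of a field value (hex encoding of the digest is an assumption)."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def obfuscate_event(event: dict, fields=FIELDS_TO_OBFUSCATE) -> dict:
    """Copy of the event with the configured fields replaced by their hash.
    Empty or absent fields are left alone; all other fields pass through unchanged."""
    out = dict(event)
    for name in fields:
        if out.get(name):
            out[name] = obfuscate_field(out[name])
    return out


def failed_logins_per_target(events, threshold=3):
    """Toy correlation rule: targets with at least `threshold` failed logins.
    The hash is deterministic, so grouping on the hashed targetUserName gives the
    same groups as grouping on the clear-text name, without exposing it."""
    counts = {}
    for ev in events:
        if ev.get("name") == "Login failed" and ev.get("targetUserName"):
            counts[ev["targetUserName"]] = counts.get(ev["targetUserName"], 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed sample events (not from the page), as a connector would have parsed them.
RAW_EVENTS = [
    {"name": "Login failed", "attackerUserName": "", "targetUserName": "jdoe", "sourceAddress": "10.0.0.5"},
    {"name": "Login failed", "attackerUserName": "", "targetUserName": "jdoe", "sourceAddress": "10.0.0.5"},
    {"name": "Login failed", "attackerUserName": "", "targetUserName": "jdoe", "sourceAddress": "10.0.0.5"},
    {"name": "Login failed", "attackerUserName": "", "targetUserName": "asmith", "sourceAddress": "10.0.0.9"},
    {"name": "Login succeeded", "attackerUserName": "", "targetUserName": "jdoe", "sourceAddress": "10.0.0.5"},
]

# What the ESM destination receives: same shape, hashed user fields.
OBFUSCATED_EVENTS = [obfuscate_event(ev) for ev in RAW_EVENTS]


def correlation_is_preserved() -> bool:
    """True when the rule fires on the same group before and after obfuscation.
    An unsalted hash of a low-entropy value is pseudonymous, not anonymous, so the
    hashed events still need the ESM access controls described later in the deck."""
    clear = failed_logins_per_target(RAW_EVENTS)
    hashed = failed_logins_per_target(OBFUSCATED_EVENTS)
    return {obfuscate_field(u): n for u, n in clear.items()} == hashed
```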


Connector obfuscation ESM console view


ESM/Express


ESM/Express role-based access

Access Control Lists (ACL) based on User Groups with inheritance



ESM/Express I. FieldSets
FieldSet
A number of fields in a specific order
An ActiveChannel allows a default FieldSet
Ad hoc customizable (Add/Remove Column)


ESM/Express II. Event Filter


Restricts access to a subset of events
Based on standard Filters
Enforced on User Group level
Transparent to the user


ESM/Express III. Actors


IdentityView
Granular restriction via ACL
Restriction on all Actors/a Domain/Types
Allows Mixed Mode


ESM/Express III. Actors

Not an all-or-nothing option, allows view of Actor data based on membership level

Logger


Logger Search Group Filter


Restricts access to a subset of events only


Restriction based on user group membership


Transparent to the Logger user
RegEx filters
Applies on peer Loggers
Performance depends on RegEx speed


All together


A powerful mix: example scenario

[Diagram: one ArcSight Connector feeding both ESM/Express and Logger]
Connector: destination-specific obfuscation
ESM/Express: only obfuscated events are sent to ESM
Logger: only a special user is allowed to access unobfuscated data on Logger
The special user, via a Logger Integration Command, can search for unobfuscated data on the remote Logger from within the ESM Search console

Summary
Multi-layer approach
Impact on SIEM design
Correlation and data privacy at the same time
Like a StreetView for SIEM


Thank you


Security for the new reality

