
Advanced correlation scenarios

Javier Inclan, HP ESP Education - Global Delivery Manager
Gary Whitsett, Technical Trainer
Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Agenda
- What is Skills on Demand?
- Hands-on activity demonstration
- Questions and answers

Skills on Demand

Building on the foundation

Formal training
- AESA
- ESM Administrator

Learn by doing: achieve a higher level of competence
- Practice critical activities
- Experiment in a safe environment

Skills on-demand
- Hosted lab
- eMentor

Available modules
- Analyst: Incident Handling on Active Attacks; Advanced Correlation Scenarios
- Advanced Administrator Activities: Security and Authentication; Advanced Network and Asset Modeling

Skills on Demand modules

Security analyst track
- Available now: Incident handling on active attacks; Building advanced correlation scenarios
- Available soon: Creating advanced data monitors; Creating content based on Network Model infrastructure

ESM administrator track
- Available now: Advanced network and asset modeling; System health monitoring and troubleshooting
- Available soon: Advanced connector configuration and management; Advanced database troubleshooting

SKOD activity sample

Threat Intelligence Use Case

Scenario

- The SOC must develop content to address a Threat Intelligence and Damage Assessment use case
- Company branches are located in the following cities:
  - New York City, NY
  - Yonkers, NY
  - Santa Clara, CA
- Each branch has typical security devices:
  - Firewalls
  - IDS/IPS
  - Routers

Threat intelligence use case

Use case definition

- Malicious code is becoming more difficult to detect
- Anti-virus products lack signatures for it
- Malware is directed by a controller (a command and control server)
- Firewall logs can be used to identify traffic to known command and control hosts used by common types of malware

Threat intelligence activity

Create the known server active list

- CandC Servers
  - Field based
  - Field: IP Address
- Obtain IP address blocklists from Zeus Tracker
- Populate the CandC Servers active list using Import CSV File

CandC servers active list (populated)

Threat intelligence activity

Create the internal active list

- Bot Infected Systems
  - Tracks internal hosts communicating with IPs found in the CandC Servers active list
  - Fields: Internal Host IP Address, Internal Host Name, Internal Host Zone
- Populate using a rule: Malware Communication Detected

Malware communication detected rule

(Screenshots: rule conditions; rule aggregation)

Malware communication detected rule (cont'd)

(Screenshot: rule actions)

Threat intelligence active channel

Damage assessment use case

Use case definition

- Assessing the damage of a malware infection is complicated
- Identify the network assets that were accessed
- Narrow the focus for further assessment (Event Graph Data Monitor)

Event graph data monitor

- Create a filter
- Create the event graph data monitor
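The following is an added example, not part of the HP slides and not ArcSight ESM content or its API. It re-creates the two activities above in plain Python so the logic can be read end to end: the CandC Servers active list imported from a blocklist CSV, the Malware Communication Detected rule that fills the Bot Infected Systems active list, and the event graph filter that keeps only traffic from infected hosts to internal assets. The firewall events, the blocklist rows, the branch address ranges and the function names are all constructed for this example.

```python
"""Constructed model of the Threat Intelligence and Damage Assessment use case.
Not ArcSight code: active lists are plain dicts/sets and the rule is a function."""
import csv
import io
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-in for a Zeus Tracker style IP blocklist export (one address per row).
CANDC_BLOCKLIST_CSV = """ip
198.51.100.23
203.0.113.77
"""

# Branch zones from the scenario; the address ranges are assumptions for this example.
ZONES = {
    "New York City": ipaddress.ip_network("10.1.0.0/16"),
    "Yonkers": ipaddress.ip_network("10.2.0.0/16"),
    "Santa Clara": ipaddress.ip_network("10.3.0.0/16"),
}


@dataclass(frozen=True)
class FirewallEvent:
    src_ip: str
    src_host: str
    dst_ip: str
    dst_port: int
    action: str


# Constructed firewall log sample: two hosts contact listed C&C addresses,
# then one of them reaches internal file and database servers.
FIREWALL_EVENTS = [
    FirewallEvent("10.1.5.20", "ny-ws-020", "198.51.100.23", 443, "allow"),
    FirewallEvent("10.1.5.20", "ny-ws-020", "198.51.100.23", 443, "allow"),
    FirewallEvent("10.3.8.41", "sc-lt-041", "203.0.113.77", 8080, "deny"),
    FirewallEvent("10.1.5.20", "ny-ws-020", "10.2.1.10", 445, "allow"),
    FirewallEvent("10.1.5.20", "ny-ws-020", "10.3.1.25", 1433, "allow"),
    FirewallEvent("10.1.5.21", "ny-ws-021", "192.0.2.9", 80, "allow"),    # benign external
    FirewallEvent("10.1.5.21", "ny-ws-021", "10.2.1.10", 445, "allow"),   # clean host, not graphed
]


def load_candc_active_list(csv_text):
    """Import CSV File step: build the field-based CandC Servers list keyed on IP Address."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["ip"].strip() for row in reader if row["ip"].strip()}


def zone_for(ip):
    """Internal Host Zone lookup; None means the address is outside every branch zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def malware_communication_detected(events, candc):
    """Rule: an internal source talks to a CandC Servers entry, aggregated per source.
    Denied connections count too: the attempt itself shows the host is infected.
    Returns the Bot Infected Systems active list: ip -> {host, zone, hits}."""
    infected = {}
    for ev in events:
        zone = zone_for(ev.src_ip)
        if zone is None or ev.dst_ip not in candc:
            continue
        entry = infected.setdefault(ev.src_ip, {"host": ev.src_host, "zone": zone, "hits": 0})
        entry["hits"] += 1
    return infected


def bot_communications_graph(events, infected):
    """Event graph filter: sources in Bot Infected Systems reaching internal assets.
    Returns edges source ip -> sorted list of (dst_ip, dst_port) for damage assessment."""
    edges = defaultdict(set)
    for ev in events:
        if ev.src_ip in infected and zone_for(ev.dst_ip) is not None:
            edges[ev.src_ip].add((ev.dst_ip, ev.dst_port))
    return {src: sorted(dsts) for src, dsts in edges.items()}


def run_use_case(events=FIREWALL_EVENTS, blocklist=CANDC_BLOCKLIST_CSV):
    """Run both activities over the constructed events and return the two results."""
    candc = load_candc_active_list(blocklist)
    infected = malware_communication_detected(events, candc)
    graph = bot_communications_graph(events, infected)
    return infected, graph


if __name__ == "__main__":
    infected, graph = run_use_case()
    for ip, e in infected.items():
        print(f"infected {ip} ({e['host']}, {e['zone']}): {e['hits']} C&C contacts")
    for src, dsts in graph.items():
        print(f"{src} -> {dsts}")
```

With the sample above, ny-ws-020 lands in the infected list with two C&C contacts and the graph shows it touching a file server in Yonkers and a database server in Santa Clara; the clean host ny-ws-021, which reaches the same file server, is left out of the graph because the filter starts from the Bot Infected Systems list rather than from all internal traffic.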

Bot communications event graph

For more information

Attend these sessions
- 1223 Pulling the triggers: when to take action to ensure effective kill-chain rules

After the event
- Contact your sales rep
- Visit the website at: http://www.hp.com/go/securityuniversity

Your feedback is important to us. Please take a few minutes to complete the session survey.

Thank you

Security for the new reality
