Whitepaper

ArcSight EnterpriseView
Monitoring Enterprise-wide Business Risk
Research 008-013009-03

ArcSight, Inc.

5 Results Way, Cupertino, CA 95014, USA www.arcsight.com info@arcsight.com

Corporate Headquarters: 1-888-415-ARST EMEA Headquarters: +44 870 351 6510 Asia Pac Headquarters: 852 2166 8302

Whitepaper: ArcSight EnterpriseView

Overview
This paper presents ArcSight EnterpriseView, a solution designed to help customers understand who is on the network, what data they are seeing, and which actions they are taking with that data. While doing so, EnterpriseView provides the context to understand whether the business faces additional risk of data loss, compliance breach, or fraud. ArcSight EnterpriseView was created to help organizations better understand their business and security risk by connecting the dots across the many activities that occur during normal business operations. Many companies look to Security Information and Event Management (SIEM) technologies to correlate activity and detect network threats. EnterpriseView raises the bar by applying real-time correlation and analysis to a much broader level of business information. To better understand the drivers behind EnterpriseView, consider the evolution of security information and event management.

Background SIEM and Modern Threats

Over the past decade, adoption of SIEM technologies has followed several phases.

Phase 1 - Secure the Perimeter Initially, SIEM was deployed to monitor network perimeter security devices. Most new SIEM installations today begin this way as well. The SIEM is deployed to ensure that firewalls, IDS/IPS, and VPNs are working correctly, blocking external threats such as worms, bots, etc. In addition, if malware does get through the firewall, the SIEM can help administrators determine the extent of the infection and which machines need quarantining or rebuild. Phase 2 - Defend the Network After ensuring that the perimeter is secure, organizations typically move on to the internal network, i.e. servers and desktops. Typical analysis at this level involves monitoring to ensure that systems have the latest security patches or anti-virus updates. Again, the goal is to monitor to ensure that threat prevention products are working correctly. And again, if these products miss a threat (for example, if an employee gets a virus on his laptop while surfing the web over the weekend, then plugs in to the corporate network on Monday morning), SIEM products help the IT administrators determine which products need repair or rebuilding.
While these scenarios have been quite common for many years, changes in the business and technology environment are driving customers to reconsider their notions of security monitoring.

Whats Changing Organizations of almost all sizes and industries now struggle with these changes:
More Transactions Online Electronic banking, payment services such as PayPal, self-service wire transfer and selfservice stock trading are just a few of the electronic transaction services now widely used by consumers. As a result, more transactions are electronic than ever before, which creates more payment and financial information at risk of a breach. More Mergers and Acquisitions Mergers bring new systems, new users, and more points where information can fall through the cracks, and therefore open up new threats. For example, when two large organizations are integrated, it takes time to rationalize the user communities, and existing systems may not recognize the merged users. In the confusion, it is much easier for a malicious insider to take sensitive data without detection.

ArcSight 1

Whitepaper: ArcSight EnterpriseView

More Layoffs In a recent survey1, 71% of IT administrators responded that they would take sensitive information, if they knew they would be laid off. Though this figure is likely too high, it highlights the risk of key users retaliating to loss of employment by stealing data. As economic conditions worsen, this risk only rises. More Outsourcing As more business functions are outsourced to partner organizations, the trusted outsider, i.e. a non-employee who has access to a companys internal systems, becomes more common. IT departments must balance the need to trust partner organizations against risk to the business. More SaaS Finally, architectures that deliver applications as hosted services are becoming very common. As a result, a corporation may no longer control the operations, access, and data of its critical applications. This has implications for security monitoring. The result of the above changes is a need for a new security and risk monitoring platform. A recent study by McAfee indicates that businesses are at risk of losing billions2 due to data breach or theft. An effective solution to the risks posed by the modern IT operating environment must secure the perimeter and defend the network against malware and hackers, while also protecting against fraud, data breaches, and risky actions by trusted users. This is a threat to the business and requires new types of analysis.

Some Examples
To highlight the risks that organizations must manage, given the changes described above, consider the following scenarios:

Privileged User Monitoring Organizations will spend billions of dollars on identity management products this year. Despite that expense, most companies cannot answer the question, What did my DBAs do last week? That is because the answer requires not only the user and role management of an IdM solution, but also the activity collection and correlation of a SIEM solution. For example, the answer might require all DBA user account IDs, as well as badge entries into company buildings, emails sent, database queries executed, files saved to USB drives, files opened on the file system, web activity, etc. By connecting identity information with role information and also with activity information, a complete picture emerges. As a result, risky activity by privileged users becomes easier to identify and prevent.

What did my DBAs do last week?

Database Queries Badge Swipes USB Files Saved

Users

VPN Logins Files Accessed Emails Sent

Directories

Roles

Screen Prints Web Surfing Hosted Apps

Identity Management Systems

Sensitive Data Protection Products such as data leakage prevention (DLP) and database activity monitoring (DAM) are often purchased to detect unusual activities around confidential data. However, each product is focused at a specific area (e.g. the companys relational databases) and is likely not able to tie together activities that occur enterprise wide. For example, a user might query a database for customers social security numbers (database), save the results to a file on the network (file system), copy the file to a local
1 ComputerWorld (www.computerworld.com) , December 2, 2008 2 Unsecured Economies: Protecting Vital Information, McAfee January 2009

ArcSight 2

Whitepaper: ArcSight EnterpriseView

USB drive (desktop), or email it to a Hotmail account (web gateway). Even worse, a large organization may have deployed an entirely different data monitoring product at each of these points. A useful solution would correlate activities at each of these points, as well as with activities occurring elsewhere. As a result, detecting unauthorized activity that will cause a data breach happens early, before the information is lost.

Fraud Detection Online banking is popular with banks as well as customers, due to lower costs and faster response. Unfortunately, online fraud is rising as fast as online banking. The most common scenario is some form of account takeover, often via phishing. The customers account is compromised, and a hacker transfers the money out before the problem is detected. By the time the customer complains, the money is gone. However, fraudulent activity can often be detected by correlating account information and activity and comparing it to historical data. For example, is the customer wiring out an unusually large amount of money? Was this account set up only recently? Is it a single-custody account (only one signature required)? Has the security information or max wire amount been changed recently? Connecting these bits of information can give a firm time to identify and block fraudulent transactions. Shared Account Control A common IT security problem involves shared administrative accounts, either in server operating systems or in legacy custom applications. Multiple users share an admin account and password to login and execute transactions. For example, these may be adding new users or executing trades. In either case, the organization cannot control usage, since it can not determine who exactly is using the shared account. An effective solution uses correlation of user domain accounts, IP addresses, and shared accounts to determine who logged into the shared application at any particular time. As a result, the organization can demonstrate controls over access to key internal systems.

ADMIN/PaS$word

LOGIN

IP: 10.0.0.4 ADMIN/PaS$word IP: 10.0.0.5

12/4/08 10:05 AM windows: fbarnes OP: 10.0.0.5 App: Finance User ID: ADMIN

jsmith

fbarnes
12/5/08 11:15 AM windows: jsmith OP: 10.0.0.4 App: Finance User ID: ADMIN

EnterpriseView Defined
EnterpriseView is an application that extends ArcSight ESM, a market-leading event correlation solution designed to monitor network security event information. By leveraging key functions in ESM and extending them into the area of user monitoring, sensitive data protection, fraud detection, and risk management, EnterpriseView provides a new type of real-time event monitoring. The examples described above are handled via built-in components within EnterpriseView.

Key EnterpriseView components include:

User Model Framework ArcSight ESM operates based on an Asset Model that defines network assets, their classifications, zones, criticality, etc. EnterpriseView operates on a User Model that allows sophisticated correlation and analysis of users, in the same way that ESM correlates network asset activity. The User Model enables direct correlation of key attributes such as user role, department, etc. IdentitySync Adapters IdentitySync adapters connect to user identity stores, such as directories and identity management solutions, and synchronize users identity and role information into the EnterpriseView User Model. As this information changes in the corporate systems, the adapters automatically update the User Model. IdentitySync adapters are very useful, as they allow EnterpriseView to detect role violations and access violations. For example, if a user account is terminated in the corporate IdM system, IdentitySync adapters will update EnterpriseView and enable it to fire an alert if the terminated user accesses a local server. The sync process happens automatically, including recovery after a directory failure.

ArcSight 3

Whitepaper: ArcSight EnterpriseView

Role Violation Monitoring EnterpriseView includes built-in rules and reports for detecting role violations, according to company policy. For example, the system can auto-detect when a sales rep accesses files on the finance server, and alert in real-time. If any users role changes in the corporate IdM system, the IdentitySync adapters will update EnterpriseView within seconds, so that role violation rules always operate on up-to-date information.

Access Oracle Financials App

OKAY
Sales Admin
Open Excel Sheets on Finance File Server

NOT OKAY

Finance Dept. File Server

Unique ID Mapping A typical employee has multiple account IDs: Windows domain ID, email ID, VPN ID, application IDs, badge, etc. It is difficult to get a full view of user activity without tying these IDs and the related activity logs together. EnterpriseView contains a component for mapping multiple accounts to a single master ID (designated by each customer). It then collects all activity across all of a users accounts and rolls the activity up to the user level.

ArcSight 4

Whitepaper: ArcSight EnterpriseView

Activity Profiling By examining historical log data, EnterpriseView can determine unusual activities for a particular user, relative to previous behavior or to other users in the same role. When these profiles are created, EnterpriseView can then auto-generate new rules to detect unusual behavior in the future. As a result, it becomes easier to prevent unauthorized behavior and to evaluate user activity relative to corporate policy. DLP Rules Companies are increasingly buying data leakage prevention (DLP) products to help identify risky activities around their sensitive data. DLP products often generate many false positives, and even in broad deployments there are multiple points on the network where DLP products can not reach. EnterpriseView contains built-in rules to correlate verdicts from DLP products with database security products, Web gateways, email gateways, and other products to filter out false positives and detect true risks of data loss. Fraud Detection Rules EnterpriseView provides visibility into both internal and external activity. A very common risk is fraud, typically from account takeover. EnterpriseView contains a broad set of predefined fraud detection rules, created by working with leading financial institutions. One organization detected nearly $1 million worth of potential wire transfer fraud within two weeks of deploying EnterpriseView. The common framework components in EnterpriseView can be applied to both insider-threat and external hacker scenarios. Auto-Escalation Watchlists A key component within EnterpriseView, used for both internal and external threat monitoring, is automatic escalation of user watchlists. Based on a variety of pre-built or customer-defined rules, EnterpriseView can move certain users through multiple watchlists. One set of actions might place 1,000 out of 50,000 employees on a suspicious list. Additional actions might move 5 of those suspicious users onto a malicious list. As a result, security administrators can focus attention on those users who may bring the biggest risks to the business.

EnterpriseView Ecosystem
While EnterpriseView is an excellent platform for real-time business event monitoring and analysis, it must also fit well into the typical IT architecture. To improve integration with complimentary technologies, EnterpriseView also supports an ecosystem of partner products. These have been pre-integrated either via a specialized adapter or Common Event Format (CEF) output. EnterpriseView can accept events from partner products and also provides prebuilt rules and reports for correlating partner data. Partners fall into one of three groups: IdentityView Partners These partners specialize in one or more aspects of identity management. IdentityView partners include Oracle, Sun, Microsoft, and Aveksa. DataView Partners These partners specialize in one or more aspects of data monitoring, typically via DLP or database activity monitoring (DAM) products. DataView partners include McAfee (Reconnex), Fidelis, Guardium, Imperva, Secerno and Sentrigo. AppView Partners These partners specialize in one or more aspects of application monitoring, to make sense of transactions and application activity. AppView partners include Radware and Greenlight Technologies.
DataView Partners IdentityView Partners AppView Partners

EnterpriseView

ArcSight 5

Whitepaper: ArcSight EnterpriseView

Why ArcSight
As the market-share leader in event management, ArcSight is uniquely positioned to deliver real-time enterprise event monitoring to leading public and commercial organizations. ArcSight helps nearly two thousand of the worlds most demanding organizations protect their networks and monitor compliance. EnterpriseView builds from years of experience at ArcSight and extends the ArcSight architecture into new areas. Customers benefit by leveraging the investment they have already made in data collection, analysis, correlation, and reporting. The future-proof architecture of the ArcSight SIEM Platform allows customers to swap vendor products without losing the ability to monitor the network. With EnterpriseView, customers can similarly evolve their identity, data, and application infrastructures without losing the ability to monitor the business. The success of ArcSight in the SIEM market comes from our ability to support customer needs, both today and in the future.

Summary
A challenging economic environment increases the risks of loss due to fraud and theft of data. There is more sensitive data online than ever before and more paths to access it. Securing the business in such an environment requires new solutions that leverage and integrate a variety of security technologies. ArcSight EnterpriseView is such a solution. It builds on the proven data collection and correlation strengths of the ArcSight SIEM Platform, while also extending that platform to new types of monitoring. EnterpriseView integrates the capabilities of data leakage protection products, database activity monitoring products, identity management and directory products, as well as web gateways, application firewalls and transaction monitoring solutions. EnterpriseView fills in the visibility gaps across these other useful technologies, while correlating user actions across them. Early phases of SIEM typically focus on securing the perimeter and defending the network. By adding monitoring of key users, confidential information, and critical applications, EnterpriseView brings the third and most useful phase, allowing organizations to protect the business, i.e. those assets that are valuable and difficult to replace. Some customers have identified and prevented fraud within the first week of deploying EnterpriseView. Others have used EnterpriseView to extend the life of existing legacy applications, by layering in application monitoring in lieu of new access control systems.

To learn more, contact ArcSight at: info@arcsight.com or 1-888-415-ARST

2009 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.

ArcSight 6