A blog about SIEMs, Security Information and Event Management solutions, particularly ArcSight.
Tuesday, December 31, 2013
MyDLP and ArcSight
I do not believe the community edition of the product will send syslog CEF events. You will need the commercial paid enterprise version to send events to ArcSight. I think there is a trial license of the enterprise version, though, so it would be possible to see the quality of the events and the parsing in a proof-of-concept before committing to purchase the product. The MyDLP blog post has a screen shot of a Logger search of UDP events that shows some of the information gleaned from MyDLP. Every event has the same information in the Name field - "Check MyDLP Logs using management console for details." So that doesn't seem too exciting. The screen shot was also helpful in another way. This is how I figured out the name of the company behind MyDLP, Medra Teknoloji Ltd, since their name is not mentioned anywhere on the MyDLP website or Wikipedia page. Their name shows up in the Device Vendor field.
Please note that their instructions on the MyDLP blog are for sending the events directly to a Logger versus to a syslog SmartConnector. Either way it is just a simple syslog send / receive setup.
Besides ArcSight, there are also instructions on their site for AlienVault / OSSIM integration and a video on YouTube.
Monday, December 16, 2013
ForeScout and Bromium Team Up for Integration
To add my own additional points regarding SIEMs: since ForeScout and ArcSight already have a very deep integration, the leading SIEM can be the brains of this combined solution. First, ArcSight can gather all the information about all the endpoints that ForeScout will discover on the network, including those with and without the Bromium vSentry agent. This information can be stored as part of an organization's on-going compliance status and historical record. Second, ArcSight can decide what to do about the devices that do not have the Bromium agent installed and instruct ForeScout to take action. Content can be built in ArcSight to identify and track those devices that do not conform to the organization's Bromium compliance standard and to respond through ForeScout. Third, ArcSight can retain the information about the infected machines for further analysis as well as instruct ForeScout and other products such as TippingPoint what to do in response to that infection. Last, by combining information received from all logging sources such as anti-virus, ArcSight can provide further insight into the devices that are infected or those that do not have the Bromium agent installed.
Sunday, September 1, 2013
Symantec is getting out of the SIEM business.
As of 9/2/2013, Symantec is discontinuing new sales of its SIEM product - Symantec Security Information Manager (SSIM).
Read the press release here.
Symantec will continue support for only 4 years (instead of the more typical 5), and during that period it will only provide hot fixes, security patches and maintenance packs. The current release, 4.8.1, will be the last. And the key point from the press release is..."Symantec will provide bug fixes on existing collectors only. No new collectors will be added beyond those provided in the recent 4.8.1 release." Ouch, no new collectors. How will the SIEM continue to support new products like Windows Server 2012 during this wind-down "time [that] will enable customers to execute a graceful migration to an alternative solution?"
It is relatively painless to transition from Symantec to ArcSight by integrating the two SIEMs into a temporary single solution though. Perhaps in the future I will have a chance to write about it here.
Thursday, July 4, 2013
ArcSight and ForeScout Integration
In this blog focused on ArcSight, SIEMs and Big Data, I will periodically highlight and discuss these ArcSight Action Connectors and other 3rd party solutions that integrate with ArcSight.
The first solution that I will be discussing that integrates deeply with ArcSight is ForeScout CounterACT. As a professional SIEM consultant, I have spent more time integrating ForeScout with ArcSight than any other product. I often refer to CounterACT as the Swiss Army Knife of the network security world. It is a NAC solution first of all, but it is also an internal IDS, scanner, BYOD platform, guest wireless portal, MDM solution, honeypot, and policy and compliance enforcer, among other things. It does all of this without a client device agent. In summary, it will find every device on your network, tell you what it is, control network access and allow you to enforce your policies regarding all the devices. It is a true ArcSight Action Connector. This means it is a certified ArcSight technology solution that offers bi-directional integration with ArcSight. It can send event information to the ArcSight solution as well as receive commands from ArcSight and act upon those commands.
ForeScout CounterACT runs as a VM or appliance. ForeScout has plug-in modules that you add to the CounterACT software, typically to integrate with 3rd party products such as McAfee ePO or ArcSight. For ArcSight, you actually have two plug-in module options - a generic SIEM plug-in and an ArcSight specific SIEM plug-in. I install both plug-ins with every integration and often prefer the generic SIEM plug-in to send events to ArcSight. Without going into too much detail here, I just prefer the event mapping of the generic SIEM plug-in. The ArcSight specific plug-in installs an entire CEF SmartConnector in ForeScout. Thus you can send events directly to an ESM / Express or Logger. This is the only product that I can think of that has ArcSight SmartConnector software built into it (once you install their plug-in). The generic SIEM plug-in requires that you send the events to your syslog SmartConnector first. You will need the ArcSight specific SIEM plug-in to receive Action commands from ArcSight.
What events do you send to ArcSight from CounterACT? First, you can send the ForeScout policy status of devices to ArcSight. For example, the first policy I like to send is anti-virus status. Typically in CounterACT, you create a policy to determine the AV status of all the devices connected to the network. You configure four possible states of AV compliance - the device has the standard AV installed and is up to date with signatures, AV is installed but signatures are out of date, AV is installed but not running, and finally AV is not installed. In that AV policy, you create an Action that forwards the policy status of each device to the ArcSight Manager. Each device's compliance status arrives at the Manager as a single event. Depending on the plug-in you are using, this information can be customized in a number of ways. You can set how often this information is sent to ArcSight - once when CounterACT determines the status or the status changes, every hour, once a day, etc. I like to do every two hours, so CounterACT will send the AV status of every device once every two hours. I configure two hours because the default time window of an Active Channel, if you build it from a filter, is two hours, so I know my AC will always have events in it.
You can add more information about a device as additional events to ArcSight. Remember, ForeScout will find all the information it possibly can about all your connected devices through its interrogation techniques. So, continuing with the AV compliance example, let's say you want to know the current user and the NIC (a goofy example, but I use it all the time for demo purposes because every device has one) of all the devices that do not meet your AV policy. So for those devices whose AV is out of date, not running, or not installed, you can configure CounterACT to send ArcSight the current username of the user logged into the device, if any, and the NIC manufacturer of the device. This additional information would typically come as separate events. So within a few minutes you can have ArcSight content displaying all the devices that have an issue with your AV policy, who the users are and what brand of NIC is installed in each device. Lastly, you can also send threat information to ArcSight. So if CounterACT has determined a device is a threat, you can pass that information on to ArcSight in the form of a single event. Overall, there is a lot of information that you can send to ArcSight and thus a lot of amazing content you can develop from it. Information that is difficult or impossible to get into ArcSight otherwise - MAC address of every device, current user logged in, Windows patch status, number of Android phones on the wireless network, etc. ForeScout will provide that to ArcSight on an on-going basis.
So I have briefly described what information ForeScout can find and send on to ArcSight. Now, what can ArcSight send to CounterACT? ArcSight can send Action commands to CounterACT. Again continuing with the AV example, let's say you create a Rule that fires if an event comes into ArcSight about a Windows device that doesn't have AV installed. The Rule can send a Connector command to CounterACT with a single word such as "Quarantine" or "Remediate" along with the offender's IP address. You configure CounterACT so that if it receives that word from ArcSight it performs an Action against the accompanying IP address. So if it hears "Quarantine", CounterACT will instruct the appropriate Cisco switch to place that offending device in the Quarantine VLAN, protecting the rest of the network from its non-compliant status. Or, if you prefer "Remediate" as the keyword, have ForeScout send the offending user and their device to a captive web portal instructing them to download and install the AV software before they can use the public Internet. Your ArcSight Rule could also have the added dimension of sending an email to your Help Desk informing them that the automated ArcSight-ForeScout team just took action against a non-compliant device on the network and that support personnel may need to follow up.
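The following Python is an added example, not code from MyDLP, ForeScout or ArcSight, that puts the two flows on this page together: it parses syslog lines carrying CEF records (the format the MyDLP and ArcSight post above inspects in Logger, so the Device Vendor and Name header fields can be pulled out), then runs a Rule of the kind described here over CounterACT-style AV status events to produce "Quarantine" / "Remediate" connector commands, with a stub standing in for CounterACT's keyword-to-action mapping. Every event line is constructed; the extension keys used for the CounterACT events (cs1 for OS, cs2 for AV status, src, suser), the AV status strings, and the choice of keyword per status are assumptions, not the plug-in's actual mapping. The parser goes a little beyond the page by handling escaped pipes and equals signs, which real CEF producers emit.

```python
"""CEF parsing plus a minimal ArcSight-style rule/action loop.

Added example, not code from MyDLP, ForeScout or ArcSight. Every event line here
is constructed; the CounterACT field mapping (cs1 = OS, cs2 = AV status, src,
suser) and the AV status strings are assumptions.
"""
import re

# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER = ("version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
_UNESCAPE = {"\\\\": "\\", "\\|": "|", "\\=": "=", "\\n": "\n", "\\r": "\r"}

def _unescape(s):
    return re.sub(r"\\[\\|=nr]", lambda m: _UNESCAPE[m.group(0)], s)

def _split_unescaped(s, sep, maxsplit):
    """Split on sep at most maxsplit times, keeping backslash escapes intact."""
    out, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2
            continue
        if s[i] == sep and len(out) < maxsplit:
            out.append("".join(cur)); cur = []
        else:
            cur.append(s[i])
        i += 1
    out.append("".join(cur))
    return out

def parse_cef(line):
    """Parse a syslog line carrying CEF into a dict of the 7 header fields plus
    'extension'. The syslog PRI/timestamp/host prefix is skipped by locating
    'CEF:'; extension values may contain spaces but must escape '=' and '\\'."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    parts = _split_unescaped(line[start + 4:], "|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = {k: _unescape(v) for k, v in zip(HEADER, parts)}
    event["extension"] = {}
    # a new pair starts at whitespace followed by key=; an escaped '\=' never matches
    for token in re.split(r"\s+(?=[A-Za-z0-9_]+=)", parts[7].strip()):
        if token:
            key, _, value = token.partition("=")
            event["extension"][key] = _unescape(value)
    return event

# ArcSight side: which keyword the Rule sends CounterACT for each non-compliant
# AV state (state strings and keyword choice are assumptions, see lead-in).
COMMAND_FOR_AV_STATUS = {"Not Installed": "Quarantine",
                         "Not Running": "Remediate",
                         "Signatures Out of Date": "Remediate"}

def rule_av_noncompliant_windows(events):
    """Emit (command, ip, user) for each Windows host whose *latest* AV status is
    non-compliant; CounterACT resends status periodically, so the newest wins."""
    latest = {}
    for ev in events:
        if ev["name"] == "AV Status" and "src" in ev["extension"]:
            latest[ev["extension"]["src"]] = ev["extension"]
    commands = []
    for ip, ext in sorted(latest.items()):
        cmd = COMMAND_FOR_AV_STATUS.get(ext.get("cs2", ""))
        if cmd and ext.get("cs1", "").startswith("Windows"):
            commands.append((cmd, ip, ext.get("suser", "")))
    return commands

# Stand-in for the CounterACT side: keyword received from ArcSight -> action.
COUNTERACT_ACTIONS = {"Quarantine": "switch: move {ip} to the Quarantine VLAN",
                      "Remediate": "portal: redirect {ip} to the AV install page"}

def counteract_dispatch(command, ip):
    if command not in COUNTERACT_ACTIONS:
        return f"ignored: unknown command {command!r} for {ip}"
    return COUNTERACT_ACTIONS[command].format(ip=ip)

def counteract_line(ts, ip, user, os_, status):
    """Build a constructed CounterACT-style AV status event (field mapping assumed)."""
    return (f"<134>Dec 31 2013 {ts} counteract CEF:0|ForeScout|CounterACT|7.0|AV|"
            f"AV Status|3|src={ip} suser={user} cs1Label=OS cs1={os_} cs2Label=AV cs2={status}")

SAMPLE_LINES = [
    # MyDLP-style line: vendor and Name text are what the MyDLP post reports
    # seeing in Logger; everything else in the line is constructed.
    "<134>Dec 31 2013 10:15:02 mydlp CEF:0|Medra Teknoloji Ltd|MyDLP|2.0|100|"
    "Check MyDLP Logs using management console for details.|5|"
    "src=10.1.1.20 suser=asmith msg=rule\\=Confidential matched",
    counteract_line("10:16:00", "10.1.1.30", "jdoe", "Windows 7", "Not Installed"),
    counteract_line("10:16:01", "10.1.1.31", "mjones", "Windows 7", "Not Installed"),
    counteract_line("10:16:02", "10.1.1.32", "bkim", "Windows 7", "Compliant"),
    counteract_line("10:16:03", "10.1.1.40", "lchen", "Mac OS X", "Not Installed"),
    # two hours later 10.1.1.30 has AV installed but its signatures are stale
    counteract_line("12:16:00", "10.1.1.30", "jdoe", "Windows 7", "Signatures Out of Date"),
]

def run(lines=SAMPLE_LINES):
    """Parse the lines, evaluate the Rule, and return (commands, actions)."""
    commands = rule_av_noncompliant_windows([parse_cef(l) for l in lines])
    return commands, [counteract_dispatch(cmd, ip) for cmd, ip, _ in commands]
```

Calling `run()` on the constructed lines yields a "Remediate" for 10.1.1.30 (its later event supersedes the earlier "Not Installed") and a "Quarantine" for 10.1.1.31; the compliant Windows host and the non-Windows host produce nothing, which mirrors the Rule condition in the text. Keying the rule on the most recent event per host matters precisely because CounterACT resends each device's status on a schedule rather than only on change.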
This is just a brief description of the capabilities of ArcSight and ForeScout and their integration. It is really just the beginning of some amazing integration and content that can be developed. The name of the game is deep dynamic content and automation. This is the first in my series on ArcSight integration products; I am starting with ForeScout because I haven't worked with any combination that is better than this pair.
A word or two of caution - all documentation on the ArcSight forum site, Protect724, is very outdated. Do not waste your time trying to use it.
For some further information there is a video on YouTube here. To have my company provide or integrate the solution described in this blog post anywhere in the U.S. contact me at ghedge[at]castleventures.com.