Thursday, July 4, 2013

ArcSight and ForeScout Integration

HP's ArcSight platform is the leading SIEM solution on the market. There are many SIEM (security incident and event management) solutions besides ArcSight - RSA enVision, Q1 Labs, McAfee ESM (formerly Nitro), and LogRhythm, to name just a few. This is a crowded field. One of the differentiating factors for ArcSight is its Action Connectors. These are connectors (or collectors, in other manufacturers' terms) that not only collect and send event logs to the ArcSight Manager, like a typical event management solution, but are also able to receive a command from the ArcSight SIEM in order to perform an action. These commands sent by the ArcSight SIEM can be an automated response to an event or group of events that are received, or they can be generated manually by the SOC operator.

In this blog focused on ArcSight, SIEMs and Big Data, I will periodically highlight and discuss these ArcSight Action Connectors and other 3rd party solutions that integrate with ArcSight.

The first solution that I will be discussing that integrates deeply with ArcSight is ForeScout CounterACT. As a professional SIEM consultant, I have spent more time integrating ForeScout with ArcSight than any other product. I often refer to CounterACT as the Swiss Army Knife of the network security world. It is a NAC solution first of all, but it is also an internal IDS, scanner, BYOD platform, guest wireless portal, MDM solution, honeypot, and policy and compliance enforcer, among other things. It does all of this without a client device agent. In summary, it will find every device on your network, tell you what it is, control network access and allow you to enforce your policies regarding all the devices. It is a true ArcSight Action Connector. This means it is a certified ArcSight technology solution that offers bi-directional integration with ArcSight. It can send event information to the ArcSight solution as well as receive commands from ArcSight and act upon those commands.

ForeScout CounterACT runs as a VM or appliance. ForeScout has plug-in modules that you add to the CounterACT software, typically to integrate with 3rd party products such as McAfee ePO or ArcSight. For ArcSight, you actually have two plug-in module options - a generic SIEM plug-in and an ArcSight specific SIEM plug-in. I install both plug-ins with every integration and often prefer the generic SIEM plug-in to send events to ArcSight. Without going into too much detail here, I just prefer the event mapping of the generic SIEM plug-in. The ArcSight specific plug-in installs an entire CEF SmartConnector in ForeScout. Thus you can send events directly to an ESM / Express or Logger. This is the only product that I can think of that has ArcSight SmartConnector software built into it (once you install their plug-in). The generic SIEM plug-in requires that you send the events to your syslog SmartConnector first. You will need the ArcSight specific SIEM plug-in to receive Action commands from ArcSight.

What events do you send to ArcSight from CounterACT? First, you can send the ForeScout policy status of devices to ArcSight. For example, the first policy I like to send is anti-virus status. Typically in CounterACT, you create a policy to determine the AV status of all the devices connected to the network. You configure four possible states of AV compliance - which devices have the standard AV installed and are up to date with signatures, which devices have AV installed but signatures are out of date, which have AV installed but not running, and finally which have no AV installed. In CounterACT, you create an Action in the AV policy section that sends this policy information about each device to the ArcSight Manager. Each device's compliance status will come to the Manager as a single event. Depending on the plug-in you are using, this information can be customized in a number of ways. You can set how often this information is provided to ArcSight - once when CounterACT determines the status or there is a change, every hour, once a day, etc. I like to do every two hours. So CounterACT will send the AV status of every device once every two hours. I configure two hours because the default time window of an Active Channel, if you build it from a filter, is two hours. So I know my AC will always have events in it. You can add more information about a device as additional events to ArcSight. Remember, ForeScout will find all the information about all your connected devices that it possibly can through its interrogation techniques. So, continuing with the AV compliance example, let's say you want to know the current user and the NIC card (a goofy example, but I use it all the time for demo purposes because every device has one) of all the devices that do not meet your AV policy.
So for those devices that are out of date, not running, or do not have AV installed, you can configure CounterACT to send ArcSight the current username of the user logged into it, if any, and the NIC manufacturer of the device. This additional information would typically come as separate events. So within a few minutes you can have ArcSight content displaying all the devices that have an issue with your AV policy, who the users are and what brand of NIC card is installed in each device. Lastly, you can also send threat information to ArcSight. So if CounterACT has determined a device is a threat, you can pass that information on to ArcSight in the form of a single event. Overall, there is a lot of information that you can send to ArcSight and thus a lot of amazing content you can develop from it. Information that is difficult or impossible to get into ArcSight otherwise - MAC address of every device, current user logged in, Windows patch status, number of Android phones on the wireless network, etc. ForeScout will provide that to ArcSight on an on-going basis.

So I have briefly described what information ForeScout can find and send on to ArcSight. Now, what can ArcSight send to CounterACT? ArcSight can send Action commands to CounterACT. Again continuing with the AV example, let's say you create a Rule that fires if an event comes into ArcSight about a Windows device that doesn't have AV installed. The Rule can send a Connector command to CounterACT with a single word such as "Quarantine" or "Remediate" along with the offender's IP address. You configure CounterACT so that if it receives that word from ArcSight it performs an Action against the accompanying IP address. So if it hears "Quarantine", CounterACT will instruct the appropriate Cisco switch to place that offending device in the Quarantine VLAN, protecting the rest of the network from its non-compliant status. Or, if you prefer "Remediate" as the key word, have ForeScout send the offending user and their device to a captive web portal instructing them to download and install the AV software before they can use the public Internet. Your ArcSight Rule could also have the added dimension of sending an email to your Help Desk informing them that the automated ArcSight-ForeScout team just took action against a non-compliant device on the network and that support personnel may need to follow up.
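To make the two halves of the flow above concrete (the per-device AV status, user and NIC events arriving as separate CEF events, and the Rule that answers a non-compliant device with a one-word command plus its IP), here is an added Python example that is not part of the original post or of ForeScout's or ArcSight's software. The sample events are constructed, and the signature IDs, extension keys and the state-to-command mapping are assumptions for illustration, not ForeScout's real CEF mapping.

```python
import re
from collections import defaultdict

# Constructed sample events in ArcSight CEF format (the vendor/product/signature
# values and extension keys are assumed for illustration, not ForeScout's real mapping).
SAMPLE_EVENTS = [
    "CEF:0|ForeScout|CounterACT|7|av_status|AV Compliance|5|src=10.1.1.10 cs1=not_installed cs1Label=avState",
    "CEF:0|ForeScout|CounterACT|7|av_status|AV Compliance|3|src=10.1.1.11 cs1=signatures_outdated cs1Label=avState",
    "CEF:0|ForeScout|CounterACT|7|av_status|AV Compliance|0|src=10.1.1.12 cs1=compliant cs1Label=avState",
    "CEF:0|ForeScout|CounterACT|7|user|Current User|1|src=10.1.1.10 suser=jdoe",
    "CEF:0|ForeScout|CounterACT|7|nic|NIC Vendor|1|src=10.1.1.10 cs2=Intel Corp cs2Label=nicVendor",
    "CEF:0|ForeScout|CounterACT|7|user|Current User|1|src=10.1.1.11 suser=asmith",
]

# Assumed policy: which connector command word the Rule sends for each AV state
# (the post pairs "Quarantine" with the VLAN move and "Remediate" with the captive portal).
ACTION_FOR_STATE = {
    "not_installed": "Quarantine",
    "not_running": "Remediate",
    "signatures_outdated": "Remediate",
    "compliant": None,
}

# key=value pairs; a value runs until the next " key=" so values may contain spaces
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_cef(line):
    """Split a CEF line into its seven header fields plus a dict of extension keys."""
    parts = line.split("|", 7)  # header pipes are not escaped in the constructed sample
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event: %r" % line)
    ext = dict(_EXT_RE.findall(parts[7]))
    return {"signature": parts[4], "name": parts[5], "severity": int(parts[6]), "ext": ext}

def build_device_view(lines):
    """Correlate the separate AV-status, user and NIC events on the device IP (src)."""
    devices = defaultdict(dict)
    for ev in map(parse_cef, lines):
        ip = ev["ext"]["src"]
        # custom string fields carry their own label (cs1/cs1Label), so use the label as the key
        for n in ("1", "2"):
            if "cs%s" % n in ev["ext"]:
                devices[ip][ev["ext"].get("cs%sLabel" % n, "cs%s" % n)] = ev["ext"]["cs%s" % n]
        if "suser" in ev["ext"]:
            devices[ip]["user"] = ev["ext"]["suser"]
    return dict(devices)

def connector_commands(lines):
    """Emulate the Rule: one (ip, word) command per non-compliant device; compliant devices are skipped."""
    view = build_device_view(lines)
    return [(ip, ACTION_FOR_STATE[d["avState"]]) for ip, d in sorted(view.items())
            if ACTION_FOR_STATE.get(d.get("avState")) is not None]
```

The returned (ip, word) pairs are what the Rule would hand to the connector; a device with no AV-status event yet produces no command, so the two-hour resend interval matters for keeping the view complete.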

This is just a brief description of the capabilities of ArcSight and ForeScout and their integration. It is really just the beginning of some amazing integration and content that can be developed. The name of the game is deep dynamic content and automation. This is the first in my series on ArcSight integration products; I am starting with ForeScout because I haven't worked with any combination that is better than this pair.

A word or two of caution - all documentation on the ArcSight forum site, Protect724, is very outdated. Do not waste your time trying to use it.

For some further information there is a video on YouTube here. To have my company provide or integrate the solution described in this blog post anywhere in the U.S. contact me at ghedge[at]castleventures.com.