Saturday, June 9, 2012

Tackling ArcSight Express Configuration

The ArcSight SIEM platform is extremely powerful and capable of correlating an enormous amount of information. That same volume can overwhelm people who are just getting started and trying to get value out of the solution. Here are some general thoughts on how to approach this challenge.
  1. Decide which use cases you want to implement first. Proceed one use case at a time (I am using the term generically, not in the ArcSight-specific sense) so that you are not trying to boil the ocean.
  2. Decide which event sources need to be sent to Express / ESM for that use case.
  3. Configure the SmartConnector software to send all of the data from those devices to the Logger, or straight to Express, depending on your architecture.
  4. Once the events are arriving in Express, set up an Active Channel, review the event types you are getting from those sources, and determine:
    • What is irrelevant, and filter it out on the connector and/or Logger.
    • What is just as useful when aggregated, and set up aggregation rules on the connector for it (firewall connections, for example).
  5. Check that those event sources are categorized correctly and can make use of the standard content from ArcSight.
  6. Now that filtering and aggregation are in place for those event sources, work on the rules and content that address the use case.
When the security issues covered by that use case are being handled correctly, move on to the next use case and repeat the process.
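To make step 4 concrete, here is an added example (my own illustration, not ArcSight code) that simulates what connector-side filtering and aggregation do to raw firewall volume before it reaches the SIEM. The event lines, the `act=keepalive` noise type and the 60-second aggregation window are all constructed for the example; a real SmartConnector parses the vendor's format, exposes many more fields, and lets you pick the aggregation fields and window in its configuration.

```python
"""Toy simulation of connector-style event filtering and aggregation.

Added illustration, not ArcSight code. The simplified key=value event lines,
the drop list and the window size below are constructed for this example.
"""
from collections import Counter

# Constructed sample firewall events (not from a real device).
# rt = receipt time in epoch seconds, dpt = destination port.
SAMPLE_EVENTS = [
    "rt=1000 act=accept src=10.0.0.5 dst=192.0.2.10 dpt=443 proto=TCP",
    "rt=1005 act=accept src=10.0.0.5 dst=192.0.2.10 dpt=443 proto=TCP",
    "rt=1010 act=accept src=10.0.0.5 dst=192.0.2.10 dpt=443 proto=TCP",
    "rt=1015 act=deny src=10.0.0.7 dst=192.0.2.10 dpt=22 proto=TCP",
    "rt=1018 act=deny src=10.0.0.7 dst=192.0.2.10 dpt=22 proto=TCP",
    "rt=1019 act=keepalive src=10.0.0.1 dst=10.0.0.1 dpt=0 proto=ICMP",
    "rt=1019 act=accept src=10.0.0.9 dst=192.0.2.20 dpt=80 proto=TCP",
    "rt=1100 act=accept src=10.0.0.5 dst=192.0.2.10 dpt=443 proto=TCP",
]

# Event types judged irrelevant for the use case; dropped on the connector.
DROP_ACTIONS = {"keepalive"}

# Fields whose values must match for events to be merged into one aggregated event.
AGGREGATE_ON = ("act", "src", "dst", "dpt", "proto")


def parse_event(line):
    """Parse a space-separated key=value line into a dict of strings."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def filter_events(events):
    """Drop events whose action is in DROP_ACTIONS (the connector-side filter)."""
    return [e for e in events if e.get("act") not in DROP_ACTIONS]


def aggregate_events(events, keys=AGGREGATE_ON, window=60):
    """Collapse events that share the same values for `keys` inside one time window.

    Returns records in first-seen order, each carrying the window start time and a
    'cnt' field, mirroring the aggregated-event count a connector would emit.
    """
    counts = Counter()
    order = []
    for e in events:
        bucket = int(e.get("rt", 0)) // window
        key = (bucket,) + tuple(e.get(k, "") for k in keys)
        if key not in counts:
            order.append(key)
        counts[key] += 1
    aggregated = []
    for key in order:
        record = dict(zip(keys, key[1:]))
        record["window_start"] = key[0] * window
        record["cnt"] = counts[key]
        aggregated.append(record)
    return aggregated


def reduce_volume(lines):
    """Run the filter and aggregation stages and report the volume at each step."""
    parsed = [parse_event(line) for line in lines]
    kept = filter_events(parsed)
    aggregated = aggregate_events(kept)
    return {
        "raw": len(parsed),
        "after_filter": len(kept),
        "after_aggregation": len(aggregated),
        "events": aggregated,
    }


if __name__ == "__main__":
    result = reduce_volume(SAMPLE_EVENTS)
    print(f"raw={result['raw']} after_filter={result['after_filter']} "
          f"after_aggregation={result['after_aggregation']}")
    for rec in result["events"]:
        print(rec)
```

The point the numbers make is that the three identical accepts inside the first window become a single event with `cnt=3`, the two denies become one with `cnt=2`, the keepalive never leaves the connector, and the accept that arrives in a later window stays separate, so the SIEM still sees the repeated connection pattern but at a fraction of the event rate. The same reasoning applies when choosing which fields to aggregate on: drop a field such as the source port from the key and far more events merge, at the cost of no longer being able to distinguish them downstream.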
