Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Problem it solves
[Diagram: ArcSight events are queued for SOC triage and picked up in the Level 1 active channel(s)]
Work can flow between different users with different roles, ensuring continuous investigations with escalating levels of complexity and reducing the likelihood of duplicated effort.
Features
Steps (called stages) that make up a collaborative workflow used by security operations analysts
[Diagram: workflow stages: Event triage; Level 1 investigating (active channels); Level 2 escalation; Level 2 investigating; outcomes: SOC case created, or False positive, no action]
[Diagram: individual ArcSight channels per analyst compared with a single shared channel]
SOC metrics
Stakeholder escalation
Ownership
Route cases to SOC sub-groups (Engineering, Level 2 Analysts)
Eliminates case management by folder structure
SOC feedback loop
Web console
Two way communication
Event logs
Feedback loop
Resource Strings: controls the values of the dropdown boxes and data labels
Label Strings: controls the labels of tabs, tables, and headers
Case Properties: determines the attributes of cases written to ArcSight events
Lessons learned
Plan ahead!
Who are SOC stakeholders?
How will the SOC use ArcSight cases?
How are you going to use cases internally?
Filter requests/engineering feedback
Metrics
What metrics do you need to generate?
How do you categorize your incidents?
Development plan
Use a development or backup system
Schedule and communicate changes
Software Pavilion
Thank you