
Customer reviews about the ESM Reputation Security Monitor? Would you like this product?

Hi all,

What do you think about the ESM Reputation Security Monitor?

Do you use it?

How does it help you with detection of botnets, spam, spyware, or P2P?


Firstly, take a look at the following articles:


https://community.microfocus.com/t5/Past-Protect-Event-Resources/RepSM-1-5-cornering-threats-with-scenarios/m-p/1584599#M250

https://community.microfocus.com/t5/Content-Solutions-and-CIPs-for/HPE-ArcSight-RepSM-Plus-1-6-Solution-Guide/ta-p/1584513

https://community.microfocus.com/t5/ArcSight-User-Discussions/Integrating-ArcSight-with-other-systems-getting-events-sending/td-p/1588263


I would suggest that using only one set of data for your threat intelligence isn't a great idea, mainly because you want to corroborate data and have better visibility into things, rather than relying on just one vendor / provider. RepSM is pretty good and comes with some good verifiable data sources that are trusted, and some final checks are done to make sure it's at least partly OK. Additionally, it comes with supported content and rules for you to use out of the box, so it's pretty simple and straightforward to use. Do I recommend it? Yes, but in the knowledge that I would strongly suggest that you have other sources too - maybe not integrated into ArcSight ESM, but threat intelligence is a sophisticated area and it really depends on what business you are in, what the risk levels are and so on.

How does it help with botnets, spam, spyware and P2P? Basically, all of these systems and mechanisms require some sort of command and control or back-channel communications. Threat intelligence provides a data feed that is frequently updated and contains these categorized domains and IP addresses. Should you see communications or sequences that would give an indicator that, say, spyware is installed on a bunch of laptops, you would see this in ESM - as long as you have some network log data such as firewalls, proxy or routing traffic.

It is important to say that it WON'T STOP THEM, as a SIEM is not an active tool unless you set it up to be. But you do get to see some indicators that support the decision-making process. For example, you see some unusual activity on a workstation, but it's not necessarily enough to indicate that it's a major issue (brute force login attempts by the user, network scanning etc). However, suddenly the workstation / laptop starts communicating to a command and control server for a botnet? Now that's getting serious and you can now act. It adds strength to the decisions.

However, DON'T rely 100% on threat intelligence for your decision making though. It's good and some feeds are better than others, but it's not perfect. It's a helper, an indicator and a support to the process. But it is NOT the only indicator. Also, consider looking at other threat intelligence systems / providers too. Vendors like Anomali have great indication, content and have a lot of screening in place. There are other vendors too - but look for the value add, not the size of the data - just because one list has 5 million entries and the other has 2m, doesn't mean one is better than the other one.

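As an added illustration of the corroboration logic described in the reply above (example code, not part of the thread and not RepSM or ArcSight content): a constructed, categorised reputation feed is matched against constructed proxy/firewall log lines, and a feed hit is escalated only when the same host already carries a weaker indicator. The host names, addresses, categories and log format are assumptions made for the example.

```python
from collections import defaultdict

# Constructed reputation feed (indicator -> category); RFC 5737 addresses and
# .invalid names, not real threat indicators.
REP_FEED = {
    "203.0.113.45": "botnet_c2",
    "198.51.100.7": "spam_relay",
    "updates.example.invalid": "spyware",
    "tracker.example.invalid": "p2p",
}

# Constructed proxy/firewall log lines: "<timestamp> src=<host> dst=<ip-or-name>".
LOG_LINES = [
    "2024-01-10T09:00:01 src=lap-017 dst=10.0.0.5",
    "2024-01-10T09:00:05 src=lap-017 dst=203.0.113.45",
    "2024-01-10T09:01:00 src=lap-022 dst=updates.example.invalid",
    "2024-01-10T09:02:00 src=lap-031 dst=intranet.corp.invalid",
    "2024-01-10T09:03:00 src=lap-040 dst=tracker.example.invalid",
]

# Constructed low-severity indicators already raised for some hosts (the reply's
# examples: brute-force logins, network scanning). Not enough on their own.
WEAK_INDICATORS = {"lap-017": ["network_scan"], "lap-031": ["failed_logins"]}


def parse_line(line):
    """Return (src, dst) from one constructed log line."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], fields["dst"]


def reputation_hits(lines, feed):
    """Map each source host to the feed categories of destinations it contacted."""
    hits = defaultdict(set)
    for line in lines:
        src, dst = parse_line(line)
        if dst in feed:  # exact match only; no CIDR or subdomain handling here
            hits[src].add(feed[dst])
    return dict(hits)


def triage(hits, weak):
    """Feed hit + weak indicator escalates; hit alone investigates; weak alone monitors."""
    verdict = {}
    for host in set(hits) | set(weak):
        if host in hits and host in weak:
            verdict[host] = "escalate"
        elif host in hits:
            verdict[host] = "investigate"
        else:
            verdict[host] = "monitor"
    return verdict
```

Running `triage(reputation_hits(LOG_LINES, REP_FEED), WEAK_INDICATORS)` escalates only lap-017, which both scanned the network and contacted a botnet_c2 indicator; the feed hit alone on lap-022 and lap-040 stays an indicator to investigate, as the reply argues.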