scott.conlon@hp Absent Member.

Logs protected within ESM Manager CORRe

Hi all,

For an audit happening at my workplace I need to find something documented that describes how logs are protected from being tampered with, within CORRe storage.

Can someone point me to something that may exist?

My understanding is that they are stored within the Manager's CORR-engine in a MySQL database. They're also stored in a custom engine.

I need something that documents this.

Thanks

anton.kuzmin@hp1 Absent Member.

Re: Logs protected within ESM Manager CORRe

There exists a technical whitepaper which discusses the auditing quality and features that make up the ArcSight SIEM solution.

It begins at a higher level, discussing concepts and the compliance / standards to which the product was designed.

As you read further, there is supplementary detail on the handling of events from the connector through to the database, including information about encryption.
The document is currently available here:
https://www.protect724.hpe.com/docs/DOC-12337
as well as privacy best practices:
https://www.protect724.hpe.com/docs/DOC-13388

This may or may not provide the level of information that you require.

muharem.dervise Absent Member.

Re: Logs protected within ESM Manager CORRe

Hello Scott,

ArcSight has been heavily tested by the craziest security organizations and intelligence agencies many times.

HP ArcSight Express/ESM

Confidentiality - The HP ArcSight Express/ESM Manager is already secured and hardened at the application layer.

The customer would be responsible for implementing standard OS best practices to secure the Event and user data.

HP ArcSight Express/ESM only permits encrypted connections to the application via SSL.

HP ArcSight uses its own, built-in authentication by default but also supports third-party authentication mechanisms, such as RADIUS Authentication, Microsoft® Active Directory, two-factor authentication or a custom JAAS plug-in configuration.

Access to Express/ESM requires authentication and utilizes group permissions to dictate access granularity. Since the software is installed on customer managed servers, the customer must provide the necessary access control and permissions of the underlying file system.

Integrity—Since the event data is read and correlated in memory in Express/ESM while the data is in transit, there is no effect on correlated events from tampering with the base events in the database.

Here is some supporting documentation and information:

This document would have all information which would possibly satisfy all your auditors:

Technical Whitepaper: HP ArcSight Audit Quality SIEM Solution (Data integrity):

https://www.protect724.hpe.com/docs/DOC-12337

ArcSight Protocol Information and Hardening:

https://www.protect724.hpe.com/docs/DOC-11964

All passwords are salted and hashed:

https://softwaresupport.hpe.com/km/KM1271936

ArcSight data privacy best practices:

https://www.protect724.hpe.com/docs/DOC-13388

Regards,

Muharem
