
Request for comment – Starter Use-cases

Hi – We are trying to come up with a top-ten use-case guide mainly for new customers or even current customers that are looking for a little more direction. We have broken the focus areas down into the following categories: General Security, Compliance-Regulatory, Compliance-Corporate Policy, Insider Threat, Operations, Application / Service Monitoring. Please see the document attached to this thread for the initial list that we came up with. The feedback that we are looking for is whether or not these are the type of use-cases that “you” our customers feel are relevant and appropriate for customers who are just starting to use ArcSight. Any comments or additional use-cases are greatly appreciated. Thanks Customer Success Organization
5 Replies
Admiral

Hi, excellent initiative. Document looks good and your customers definitely need this kind of guidance. I would also suggest:

Corporate policy: VOIP detection; Web Anonymizer use
Security: Top data senders
Insider threat: Encrypted connection towards outside (except HTTPS)

GCA
Absent Member.

GCA wrote: "Top data senders. Encrypted connection towards outside (except HTTPS)."

Do you mean ignore HTTPS traffic? I'd be careful with this one because it's easy to run SFTP over port 443 and send data out of the company. I guess it depends how well your security products can classify traffic. Top data senders is definitely a good one.
Absent Member.

colby_derodeff wrote: "Any comments or additional use-cases are greatly appreciated."

It's a good start, but I think it needs more detail. Do I need to review every failed logon for any system in the company? Should I set thresholds for this? How do I determine when it's an accident, and when it's something worthy of investigation? Do I monitor every event produced by someone with admin access? Can this be broken down so that I'm only monitoring a more specific list of actions performed by an admin?
Admiral


Do you mean ignore HTTPS traffic? I'd be careful with this one because it's easy to run SFTP over port 443 and send data out of the company. I guess it depends how well your security products can classify traffic.

Of course you can use HTTPS to do a lot of nasty stuff, but on the other hand it's also the only legitimate encrypted traffic to the outside in most companies. So the idea is to avoid getting information related to "true" HTTPS in this UC. Obviously, if a user is trying to use this channel for another purpose, this information should appear in the UC.


It's a good start, but I think it needs more detail

More generally, the problem with "standard" UCs is that it can be very difficult to understand clearly what the UC is doing. I cannot trust a UC I don't understand because it can lead to wrong result interpretation. So it would be good to have more detailed explanations regarding the way each UC is supposed to work, at least from a conceptual point of view. I also suggest trying to keep the output as low as possible. The main problem we are facing is the number of events to manage, so let's try to get only relevant information without being flooded by useless information. I think it's better to create several very restrictive ways of detection for the same UC than to have a single one which will have to be very generic to be sure to get all the relevant information we are looking for. What's the point of getting 10 interesting events if they are lost in a bunch of 1000 useless ones? GCA
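The "encrypted connection towards outside (except HTTPS)" UC discussed in the last three posts, as an added Python example that is not part of this thread: it compares a port-only exclusion of 443 with one that excludes only traffic a classifier confirms as HTTPS, so the SFTP-over-443 case raised above still surfaces. The flow fields, classifier labels and internal address ranges are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical internal address space; adjust to the environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Labels a traffic classifier might emit; the label set is an assumption.
ENCRYPTED_APPS = {"https", "ssh", "sftp", "openvpn", "tls-other"}


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    app: str        # application-layer label from a traffic classifier
    bytes_out: int  # bytes sent by the internal host


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def port_only_rule(f: Flow) -> bool:
    """Naive version: treats anything on 443 as legitimate HTTPS."""
    return is_external(f.dst) and f.app in ENCRYPTED_APPS and f.dst_port != 443


def classified_rule(f: Flow) -> bool:
    """Excludes only flows the classifier confirms as HTTPS, whatever the port."""
    return is_external(f.dst) and f.app in ENCRYPTED_APPS and f.app != "https"


def detect(flows, rule):
    return [f for f in flows if rule(f)]


# Constructed sample flows, not real traffic.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.10", 443, "https", 4_000),   # true HTTPS: ignore
    Flow("10.1.2.4", "203.0.113.20", 443, "sftp", 900_000),  # SFTP over 443
    Flow("10.1.2.5", "203.0.113.30", 22, "ssh", 50_000),     # SSH to outside
    Flow("10.1.2.6", "10.1.9.9", 22, "ssh", 70_000),         # internal SSH: ignore
]

if __name__ == "__main__":
    for name, rule in (("port-only", port_only_rule), ("classified", classified_rule)):
        hits = detect(SAMPLE_FLOWS, rule)
        print(name, [(f.dst, f.dst_port, f.app) for f in hits])
```

The port-only rule reports one flow and misses the SFTP transfer on 443; the classified rule reports both outbound non-HTTPS flows and still leaves true HTTPS and internal traffic out of the UC.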
Absent Member.

Colby, I just ran across this. We are very interested in application monitoring. Specifically, how do we monitor many servers (especially Windows servers) and what is happening on the O/S and applications that reside on these servers? There isn't an easy way in large environments to specifically determine who is on the network (via AD, if you are spread out world-wide). How do you monitor what actions applications and the O/S are undertaking for many, many servers, collect that, and then bring it into ArcSight?