ronbrown1981

Typical Use Cases when collecting Firewall and IPS logs

Hello all,

We are currently having our IPS logs monitored by a 3rd party, but only IPS is being monitored with them, and no other type of logs, including Firewall. I am attempting to make the case to my management that it is a good idea to have IPS/IDS logs in ArcSight in order to correlate with Firewall logs, Windows logs, etc. to have the best threat detection capability.

What are some examples that you all have used of use cases that combine Firewall with IPS, or Windows with IPS logs, etc. for best threat detection? Thanks.

4 Replies

implementation

Re: Typical Use Cases when collecting Firewall and IPS logs

When put on paper, the above correlation looks good for detection of attacks bypassed through one security device, but when applied in practice in ArcSight the rules give a lot of partial matches. For example, a packet allowed by firewall and blocked by IPS with some other vector, like a critical signature hitting a critical device, taxes the manager a lot. But you can do a lot of VPN and firewall based correlation.

Recent or critical vulnerabilities could be correlated with the IPS & Windows or Unix servers. Only these rules we were able to create on ESM for now. I am pretty new to ArcSight; gurus here should be able to throw some light on this.

ronbrown1981

Re: Typical Use Cases when collecting Firewall and IPS logs

Thanks, Rahul, I appreciate the input.

I'd appreciate any guidance concerning this from ArcSight gurus as well who have maybe used this type of correlation more in depth. Thanks.

katzmandu1

Re: Typical Use Cases when collecting Firewall and IPS logs

There are a few things that come to mind...

With firewall logs only you can take advantage of the ArcOSI/Threatstream content. This is useful because it can show you if internal systems are infected with malware that your AV hasn't caught yet, since you're tracking network connections that "phone home" to botnet command and control servers (potentially).

Even with massaging some of the stock/default ArcSight content you can get further with more event sources. A potentially malicious host on the inside may trip both the firewall and IPS at the same time, and with a rule you can look for the possibility of both events in a short timespan and alert on that condition.

Part of what ESM allows you to do is have a single pane of glass. You don't always need to have two or five different pieces of data to trigger one alert, you can have a single, high-priority event trigger an alert. The trick is you're now doing your event management and alerting through ONE system (ESM) instead of several different ones (AV, IPS/IDS, Firewalls, etc.)

prasmussen

Re: Typical Use Cases when collecting Firewall and IPS logs

I really recommend you get your FW and IDS logs together in one place. If you are doing time based investigations, it's very handy to have everything that happened on IP x.x.x.x over time period Y show in one list. It helps drive curiosity about what else happened at that time.

The warning is that it can lead you down the garden path if you don't get some details included and read right. For example, seeing IDS alerts about Conficker can be very alarming, until you realize it's outside-sourced with no reply, meaning it was really just a scan, no consequence without recent return traffic. I've had several panics like that in my time.

I'd love to get more of the BadHarvest/Threatstream data as a 3rd point of data so I can tell when we are talking to known bad guys, and seeing instantly if they got anywhere past the outside firewall.

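As an added illustration of the windowed firewall/IPS correlation katzmandu1 describes and the "no reply traffic means it was just a scan" check prasmussen mentions (example code written for this thread, not ArcSight content or any poster's code): it grades each IPS alert by what the firewall saw for the same address pair inside a short window. The events, addresses, the 10.0.0.0/8 inside range and the verdict labels are all constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the thread), already normalised to one shape:
# firewall rows are (time, src, dst, action); IPS rows are (time, src, dst, signature).
FW = [
    ("2019-03-01 10:00:05", "203.0.113.7", "10.0.0.5", "allow"),   # inbound, permitted
    ("2019-03-01 10:00:06", "10.0.0.5", "203.0.113.7", "allow"),   # inside host answered
    ("2019-03-01 10:20:00", "198.51.100.9", "10.0.0.8", "allow"),  # inbound probe, never answered
    ("2019-03-01 11:00:00", "10.0.0.9", "192.0.2.44", "deny"),     # outbound attempt, blocked
]
IPS = [
    ("2019-03-01 10:00:07", "203.0.113.7", "10.0.0.5", "SMB exploit attempt"),
    ("2019-03-01 10:20:01", "198.51.100.9", "10.0.0.8", "Conficker probe"),
    ("2019-03-01 11:00:01", "10.0.0.9", "192.0.2.44", "C2 beacon"),
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_internal(ip):
    # Assumption for this example: the inside network is 10.0.0.0/8.
    return ip.startswith("10.")


def correlate(fw, ips, window_seconds=300):
    """One finding per IPS alert, graded by what the firewall saw for the same pair within the window."""
    window = timedelta(seconds=window_seconds)
    findings = []
    for t, src, dst, sig in ips:
        t = ts(t)
        # Firewall records for the same address pair (either direction) close in time to the alert.
        near = [e for e in fw if abs(ts(e[0]) - t) <= window and {e[1], e[2]} == {src, dst}]
        allowed = any(e[3] == "allow" and (e[1], e[2]) == (src, dst) for e in near)
        replied = any(e[3] == "allow" and (e[1], e[2]) == (dst, src) for e in near)
        if not is_internal(src) and allowed and not replied:
            verdict = "low: inbound probe with no reply traffic, likely just a scan"
        elif allowed:
            verdict = "high: firewall permitted the flow and the IPS fired on it"
        elif not near:
            verdict = "info: no firewall record in window, check log coverage"
        elif is_internal(src):
            verdict = "high: inside host tripped both the firewall (deny) and the IPS"
        else:
            verdict = "medium: inbound flow denied by firewall but IPS still fired"
        findings.append((sig, src, dst, verdict))
    return findings


if __name__ == "__main__":
    for finding in correlate(FW, IPS):
        print(finding)
```

The three constructed alerts come out as high (permitted and answered), low (unanswered inbound probe) and high (inside host blocked outbound but seen by IPS), which is the triage prasmussen's Conficker anecdote is about.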
The opinions expressed above are the personal opinions of the authors, not of Micro Focus.