Security Integration: Splunk and ArcSight. Data Integration for IT security. Wednesday 14th January 2015, IT Analytics'15
Transcript


Agenda

› Welcome – Ray Bruni
› Eric Blavier – Splunk & Nexthink
› Mostafa Soliman – ArcSight & Nexthink

Splunk and Nexthink

Welcome Eric

Introduction

› Eric Blavier
• works for Nexthink since 2005
• IT security specialist
• Security projects using Nexthink: financial institutions, industry, governments, military
• Europe / US / Asia

Nexthink  security  metrics

› Nexthink V5
• generates ~200 datapoints
• ~50% are in real-time

› Security metrics
• Nexthink Security Solution Pack (NSSP)
• Security Cockpit
• Web&Cloud

NSSP V5

› Specific set of out-of-the-box investigations for Endpoint Security
o Dynamic inventory
o Unauthorized applications
o Identity & access management
o Vulnerability management & protection
o Secure network configuration
o Indicators of compromise

NSSP  Web&Cloud

› Specific set of out-of-the-box investigations for Web & Security (through Nexthink Library)

Splunk

› Splunk
• Collects and indexes machine-generated data from many sources or locations in real time
• Correlates events spanning many diverse data sources
• Can be used as a Security Information and Event Management (SIEM) system

Nexthink  DATA

Data  integration

› Nexthink Engine -> Splunk
• Using the NXQL 2.0 direct Web API
• direct access to the Nexthink Engine database
• https://demo.nexthink.com:1671/2/query?query=(select%20(id%20name%20last_seen)%20(from%20device%20(with%20device_activity%20(between%20now-7d%20now))))%20&format=csv
• new Nexthink Query Language Web interface

Data  integration

› Adding Data in Splunk
• curl https://<Engine_IP>:1671/2/query?query=NXT_Investigation
• update data interval
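The pull described on the two Data integration slides, as an added example that is not Nexthink's, Splunk's or the presenters' code: it builds the percent-encoded /2/query URL for the slide's NXQL investigation, fetches the CSV over a verified TLS connection, and turns each row into a key="value" event Splunk can index. HTTP basic authentication, the CA file, and the event layout are assumptions made here.

```python
"""Pull an NXQL 2.0 Web API investigation as CSV and emit Splunk-ready events.

Added example, not Nexthink's, Splunk's or the presenters' code. The URL shape
(https://<engine>:1671/2/query?query=...&format=csv) and the query are from the
slides; credentials, CA pinning and the key="value" event layout are assumptions.
"""
import base64
import csv
import io
import ssl
import urllib.parse
import urllib.request

# Investigation shown on the slide: devices with activity in the last 7 days.
NXQL_RECENT_DEVICES = ("(select (id name last_seen) "
                       "(from device (with device_activity (between now-7d now))))")

# Constructed sample of what the Engine returns for that query with format=csv.
SAMPLE_CSV = ("id,name,last_seen\n"
              "123,WS-ALICE,2015-01-13T09:12:00\n"
              '124,"Lab PC, room 2",2015-01-14T07:45:30\n')

def build_query_url(engine_host, nxql, fmt="csv", port=1671):
    """Percent-encode the NXQL text into the Engine's /2/query URL (spaces as %20, as on the slide)."""
    params = urllib.parse.urlencode({"query": nxql, "format": fmt},
                                    safe="()", quote_via=urllib.parse.quote)
    return f"https://{engine_host}:{port}/2/query?{params}"

def fetch_csv(url, user, password, ca_file):
    """Pull the result over TLS, trusting the Engine's CA file rather than disabling verification."""
    ctx = ssl.create_default_context(cafile=ca_file)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")

def csv_to_events(csv_text, source="nexthink:nxql"):
    """One key="value" line per CSV row; Splunk extracts such pairs at search time."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pairs = [f"source={source}"]
        for key, value in row.items():
            escaped = value.replace("\\", "\\\\").replace('"', '\\"')
            pairs.append(f'{key}="{escaped}"')
        events.append(" ".join(pairs))
    return events

if __name__ == "__main__":
    for line in csv_to_events(SAMPLE_CSV):  # run from a Splunk scripted input at the data interval
        print(line)
```

Scheduling this script as a Splunk scripted input at the chosen data interval gives the periodic pull the slide calls "update data interval".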

SIEM

› Security information and event management system
• collects real-time data from the IT infrastructure
• analyzes, correlates and provides reporting to drive a responsive action
• provides clear insight into the security posture of a company

› Needs notable events and behavior from ENDPOINTS (Nexthink)

Security  dashboard

› Security posture
• high-level insight into «notable events» across many security domains

• Example of notable security events from Nexthink
• Endpoint
  • Host(s) with multiple infections
  • Critical priority Host(s) with malware detected
• Access
  • Insecure or cleartext authentication access detected
  • Default Account activity detected

Nexthink  &  Splunk

Nexthink  NSSP  investigations


Get  details  with  Nexthink  Finder

ArcSight and Nexthink

Welcome Mostafa

www.mannai.com

from Dedication to Excellence ….

The Next Big Thing: A case study in utilizing End-User Real-Time Analytics tools in the SOC

Mostafa Soliman – Mannai Trading Company


✓ Mostafa Soliman ([email protected])
✓ Home: Alexandria, Egypt
✓ Nexthink Consultant since 2011
✓ ArcSight Consultant since 2012
✓ Senior Security Consultant based in Doha, Qatar since 2011
✓ Presented HP-ArcSight & Nexthink integration at HP Protect 2014 (Washington D.C.)

Introduction

Who is Mannai?

Where is Mannai?

What do we do?

Design, Consultancy, Implementation, Testing, and Support Services for Operations, Analytics and Security


Mannai Security Solutions Partners


Endpoint Monitoring with ArcSight

Challenge:

• Endpoints are the entry point for most of the threats to the organization.

• Security & event logs do not always contain meaningful information.

• Some custom monitoring can be done using scripts on endpoints; however, this does not detect all endpoint or end-user activities and requires high maintenance.

Conclusion:

• Endpoints are always a blind spot for ArcSight.
• Leverage ArcSight by integrating it with endpoint monitoring.


Nexthink + ArcSight

Nexthink and ArcSight Integration enhances detecting and investigating endpoint anomalies.


Nexthink Data in ArcSight


Integration Use Cases

✓ Endpoints with malicious behavior.
✓ Endpoints running files from removable drive.
✓ Endpoints bypassing the proxy to connect to the Internet.
✓ Endpoints doing port scans.
✓ Endpoints accessing well known malicious URLs.
✓ Endpoints with disabled and/or out-of-date antivirus.
✓ Endpoints using Internet broadband connections.
✓ Endpoints executing non-compliant software (IM, P2P, …etc.)
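How one of these use cases reaches ArcSight when Nexthink data is pushed over syslog (the "Push" and "Syslog" options named on the closing slide), as an added example that is not Nexthink's, ArcSight's or the presenter's code: a "disabled antivirus" finding is encoded as a CEF line with the escaping CEF requires in header and extension fields. Encoding as CEF, the vendor/product/version values and the extension keys used are assumptions made here.

```python
"""Push a Nexthink NSSP finding to ArcSight as a CEF line over syslog.

Added example, not Nexthink's, ArcSight's or the presenters' code. The deck only
says the integration can push via syslog; CEF encoding and the vendor, product
and field values below are assumptions made here.
"""
import socket
from datetime import datetime, timezone

# Constructed sample finding for the "disabled antivirus" use case; note the '=' in message.
SAMPLE_FINDING = {"use_case": "AV_DISABLED", "title": "Endpoint with disabled antivirus",
                  "severity": 7, "seen_ms": 1421226720000, "device": "WS-ALICE",
                  "user": "alice", "av_product": "ExampleAV", "message": "Real-time protection=off"}

def _escape_header(value):
    """CEF header fields: backslash and the pipe delimiter must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")

def _escape_extension(value):
    """CEF extension values: backslash, '=' and line breaks must be escaped."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def to_cef(signature_id, name, severity, extension):
    """Build 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension'."""
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be 0..10")
    header = "|".join(["CEF:0", "Nexthink", "NSSP", "5",  # vendor/product/version assumed
                       _escape_header(signature_id), _escape_header(name), str(severity)])
    ext = " ".join(f"{k}={_escape_extension(str(v))}" for k, v in extension.items())
    return f"{header}|{ext}"

def finding_to_cef(finding):
    """Map one NSSP finding onto standard CEF extension keys."""
    return to_cef(finding["use_case"], finding["title"], finding["severity"], {
        "rt": finding["seen_ms"],      # receipt time, epoch milliseconds
        "dvchost": finding["device"],  # endpoint observed by the Engine
        "suser": finding["user"],      # logged-on user
        "cs1Label": "avProduct", "cs1": finding["av_product"],
        "msg": finding["message"],
    })

def send_syslog(cef_line, connector_host, port=514):
    """Send the line to an ArcSight syslog connector over UDP (local0.info)."""
    stamp = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    payload = f"<134>{stamp} nexthink {cef_line}".encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (connector_host, port))
```

The ArcSight side then needs only a CEF syslog connector; the signature ID and severity carry through into the connector's event fields, so the use cases above can be filtered and correlated without further parsing.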


Q & A

Remember

› Integration
• Push and/or Pull
• APIs, Email, Syslog

› Extend, Enhance, and Complement
• Data
• Analyze
• Visualize

Thank You!

For more information contact your partner or sales rep
