SBA for Enterprise Organizations -- Borderless Networks ... (PDF, February 2012 Series)


ArcSight SIEM Partner Guide

February 2012 Series


Preface

Who Should Read This Guide

This Cisco® Smart Business Architecture (SBA) guide is for people who fill a variety of roles:

• Systems engineers who need standard procedures for implementing solutions

• Project managers who create statements of work for Cisco SBA implementations

• Sales partners who sell new technology or who create implementation documentation

• Trainers who need material for classroom instruction or on-the-job training

In general, you can also use Cisco SBA guides to improve consistency among engineers and deployments, as well as to improve scoping and costing of deployment jobs.

Release Series

Cisco strives to update and enhance SBA guides on a regular basis. As we develop a new series of SBA guides, we test them together, as a complete system. To ensure the mutual compatibility of designs in Cisco SBA guides, you should use guides that belong to the same series.

All Cisco SBA guides include the series name on the cover and at the bottom left of each page. We name the series for the month and year that we release them, as follows:

month year Series

For example, the series of guides that we released in August 2011 are the "August 2011 Series".

You can find the most recent series of SBA guides at the following sites:

Customer access: http://www.cisco.com/go/sba

Partner access: http://www.cisco.com/go/sbachannel

How to Read Commands

Many Cisco SBA guides provide specific details about how to configure Cisco network devices that run Cisco IOS, Cisco NX-OS, or other operating systems that you configure at a command-line interface (CLI). This section describes the conventions used to specify commands that you must enter.

Commands to enter at a CLI appear as follows:

configure terminal

Commands that specify a value for a variable appear as follows:

ntp server 10.10.48.17

Commands with variables that you must define appear as follows:

class-map [highest class name]

Commands shown in an interactive example, such as a script or when the command prompt is included, appear as follows:

Router# enable

Long commands that line wrap are underlined. Enter them as one command:

wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100

Noteworthy parts of system output or device configuration files appear highlighted, as follows:

interface Vlan64
  ip address 10.5.204.5 255.255.255.0

Comments and Questions

If you would like to comment on a guide or ask questions, please use the forum at the bottom of one of the following sites:

Customer access: http://www.cisco.com/go/sba

Partner access: http://www.cisco.com/go/sbachannel

An RSS feed is available if you would like to be notified when new comments are posted.


ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.

Table of Contents

What's In This SBA Guide

Cisco Smart Business Architecture Borderless Networks for Enterprise

Business Benefits

Technology Partner Solution Overview

Deploying ArcSight Express

Collecting Logs, Events, and Correlated Events

Generating Reports

Maintaining the SIEM Solution

Common Troubleshooting Tips

Example of a Day Zero Attack (Malware-Infected Customer Network)

Products Verified with Cisco Smart Business Architecture

What's In This SBA Guide

About SBA

Cisco SBA helps you design and quickly deploy a full-service business network. A Cisco SBA deployment is prescriptive, out-of-the-box, scalable, and flexible.

Cisco SBA incorporates LAN, WAN, wireless, security, data center, application optimization, and unified communication technologies—tested together as a complete system. This component-level approach simplifies system integration of multiple technologies, allowing you to select solutions that solve your organization's problems—without worrying about the technical complexity.

For more information, see the How to Get Started with Cisco SBA document: http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/SBA_Getting_Started.pdf

About This Guide

This additional deployment guide includes the following sections:

• Business Overview—The challenge that your organization faces. Business decision makers can use this section to understand the relevance of the solution to their organizations' operations.

• Technology Overview—How Cisco solves the challenge. Technical decision makers can use this section to understand how the solution works.

• Deployment Details—Step-by-step instructions for implementing the solution. Systems engineers can use this section to get the solution up and running quickly and reliably.

This guide presumes that you have read the prerequisite guides, as shown on the Route to Success below.

Route to Success

To ensure your success when implementing the designs in this guide, you should read any guides that this guide depends upon—shown to the left of this guide on the route. Any guides that depend upon this guide are shown to the right of this guide.

For customer access to all guides: http://www.cisco.com/go/sba
For partner access: http://www.cisco.com/go/sbachannel

Route to Success (ENT BN): Design Overview -> Internet Edge Deployment Guide -> Cisco SIEM Deployment Guide -> ArcSight SIEM Partner Guide (you are here). The guides to the left of this guide are the prerequisite guides.

Cisco Smart Business Architecture Borderless Networks for Enterprise

The Cisco Smart Business Architecture—Borderless Networks for Enterprise Organizations offers partners and customers valuable network design and deployment best practices, helping organizations deliver a superior end-user experience that includes switching, routing, security and wireless technologies combined with comprehensive management capabilities for the entire system. Customers can use the guidance provided in the architecture and deployment guides to maximize the value of their Cisco network in a simple, fast, affordable, scalable and flexible manner.

The modular design of the architecture means that technologies can be added when the organization is ready to deploy them. The architecture also provides Cisco-tested configurations and topologies that CCNA-level engineers can use for design and installation, and to support organizational needs.

Cisco offers a number of options to provide security management capabilities. This guide is focused on our partnership with ArcSight and integration with their products to provide a comprehensive Security Information and Event Management (SIEM) solution.

ArcSight Connectors (SmartConnectors) collect event data from Cisco network devices. They can normalize, categorize, and aggregate event data, and securely and efficiently deliver events to ArcSight ESM or ArcSight Express (which combines ArcSight Logger and ESM functions for smaller installations). ArcSight Console provides the enterprise dashboard for the security operations center (SOC). ArcSight web-based consoles can be used by IT operations staff for searching through archived log data and generating compliance reports.


Figure 1 - ArcSight Integrated into Smart Business Architecture—Borderless Networks for Enterprise Organizations

Business Benefits

Networks are growing rapidly in size and complexity, linked with suppliers, customers, and business partners. The network perimeter has dissolved and the notion of external versus internal threats has blurred. As a result, organizations have become increasingly focused on correlating network activity with user activity monitoring in the context of business transactions on critical assets.

Customers are looking for a mission-critical IT and security operations solution that provides enterprise-wide threat management, real-time correlation/response, and flexible monitoring and reporting capabilities to meet their rigorous regulatory compliance needs.

ArcSight, a leader in SIEM, provides solutions that serve as the mission control center for real-time enterprise-wide threat management, compliance reporting and automated network response.

The ArcSight EnterpriseView for Cisco application adds powerful pre-defined content (correlation rules, dashboards and reports) that allows customers to monitor activity, configuration changes, availability, and threats across their Cisco infrastructure. In addition, this application correlates alerts from Cisco infrastructure with security events from the rest of the enterprise, and provides a comprehensive enterprise risk and threat management solution to meet regulatory compliance needs.

Next Generation Enterprise Risk and Threat Management Solution

• Helps security operations keep pace in monitoring Cisco networks

• Correlates identity information from multiple sources with reputation data from Cisco SensorBase to improve the accuracy of security alerts

• Enables comprehensive visibility, monitoring and reporting across the Cisco product portfolio

Customized Event Correlation, Response, and Reporting for Cisco Infrastructure

• Provides Cisco-specific content (rules, reports, dashboards) for rapid return on investment (ROI) with ArcSight EnterpriseView for Cisco

• Collects and correlates events from hundreds of non-Cisco products, and allows you to rapidly respond to enterprise threats

• Proactively minimizes or eliminates enterprise vulnerabilities that could impact the business

Faster ROI for Security and IT Operations and Reduced Compliance Risk

• Complements Cisco Security MARS deployments by adding compliance reporting and support for event logging from multiple vendors

• Provides cost-effective long-term storage for log data to investigate faults for IT operations

• Streamlines the compliance process for various corporate regulations, such as Sarbanes-Oxley, PCI, HIPAA, SB 1386, and Basel II

Technology Partner Solution Overview

ArcSight EnterpriseView for Cisco

ArcSight EnterpriseView for Cisco provides powerful pre-defined content (correlation rules, dashboards and reports) that allows customers to monitor activity, configuration changes, availability, and threats across their Cisco infrastructure. This application (content pack) runs on existing ArcSight SIEM platform installations and depends on SmartConnectors for the Cisco devices being installed and configured appropriately.

Figure 2 - The ArcSight SIEM Architecture

ArcSight SIEM Platform

The ArcSight SIEM Platform is an award-winning set of products for monitoring enterprise threat and risk. Most corporate networks are effectively borderless; external systems and users access internal systems and data as part of normal operations. In a borderless environment, a comprehensive monitoring platform brings security and visibility without impacting flexible business operations. All ArcSight SIEM platform products listed below leverage the same monitoring infrastructure (ArcSight SmartConnectors) to capture, normalize, and categorize events and logs from Cisco networking and security devices.

ArcSight ESM

ArcSight ESM protects demanding private and public organizations throughout the world. Using its broad log data collection capability, combined with its powerful event correlation engine, ArcSight ESM can detect sophisticated threats crossing multiple types of security products. ArcSight ESM extends the reach of Cisco threat management and response by performing sophisticated event correlation of Cisco network events and alerts with a broader set of enterprise-wide event sources (systems, databases, and applications). As a result, customers can detect threats in time to take effective action.

ArcSight Logger

ArcSight Logger provides cost-effective long-term log management and storage, as well as automated compliance reporting. Storing up to 42 TB of log data on a single appliance while supporting search speeds of millions of events per second across structured and unstructured data, ArcSight Logger brings a flexible means of storing event data from Cisco networking devices for years. ArcSight Logger supports automated reporting for SOX, PCI DSS, NERC and other regulations, integrating Cisco Security MARS data with other enterprise information.

ArcSight Express

ArcSight Express includes the industry-leading real-time correlation and log management technologies from ESM and Logger, in one pre-packaged, easy-to-use SIEM solution for the mid-market. Express is referred to as the "security expert in a box", and has several built-in correlation rules, dashboards, and compliance reports. ArcSight Express provides a rapidly deployable, low-cost mid-market solution for monitoring Cisco infrastructure.

ArcSight SmartConnectors

ArcSight SmartConnectors collect event data from network devices, and they normalize the data structure into a common schema, adding severity, priority, and time zone. SmartConnectors can optionally filter out data that you know is not needed for analysis, saving network bandwidth and storage space. They can aggregate events to reduce the quantity of events of the same type, thus improving efficiency. They can categorize events using common, human-readable formats, making it easier to use those events to build filters, rules, and reports.

Table 1 - Comparison of ArcSight SIEM Products

                       ArcSight ESM                                 ArcSight Logger                            ArcSight Express
Description            Real-time event correlation and reporting    Long-term event logging and reporting      Event correlation and logging for SMB
No. of users (admin)   Unlimited                                    Unlimited                                  Unlimited
Events per second      15K per instance, linearly scalable          100K per instance, linearly scalable       5K per instance, linearly scalable

Deploying ArcSight Express

Following is a brief overview of the steps to set up a Cisco device to send syslog messages to an ArcSight SmartConnector platform, and to set up the ArcSight SmartConnector to send normalized and categorized Cisco events to any of the following destinations: ArcSight ESM Manager, ArcSight Logger, or ArcSight Express. Refer to the ArcSight SmartConnector Configuration Guide for the specific Cisco device for the detailed setup information.

Setup Cisco Device

1. Configure Log Subscription on the Cisco device—the type of information recorded and the log format

2. Configure the Log Retrieval method—how logs are transferred to the ArcSight Connector
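The two Cisco-side steps above, written out in the CLI conventions this guide uses, as an added example that is not part of the original guide or of ArcSight's SmartConnector Configuration Guide. The SmartConnector address 10.4.48.35, the connector listening on the default syslog port (UDP 514), the Loopback0 source interface and the ASA interface name inside are assumptions for illustration; the NTP server address is the one used in the conventions section. The trap level informational (severity 6) is chosen deliberately: ASA connection build and teardown messages are logged at that severity, and a lower trap level would silently keep them out of the SIEM.

```cisco
! --- Cisco IOS router or switch (constructed example) ---
! 10.4.48.35 is an assumed SmartConnector address.
configure terminal
 ! Step 1: log subscription -- what is recorded and in what format.
 ! Millisecond, time-zone-stamped, sequence-numbered messages let the
 ! SIEM order events correctly and detect gaps.
 service timestamps log datetime msec localtime show-timezone
 service sequence-numbers
 logging buffered 16384 informational
 logging trap informational
 ! Step 2: log retrieval -- syslog over the network to the SmartConnector.
 ! A stable source address keeps the device identity constant in ArcSight.
 logging source-interface Loopback0
 logging host 10.4.48.35
 ! Correlation needs accurate clocks (same NTP server as the conventions section).
 ntp server 10.10.48.17
end
! Verify: trap level and destination should appear in this output.
show logging | include Trap logging|Logging to

! --- Cisco ASA 5500 (8.2) (constructed example) ---
configure terminal
 logging enable
 logging timestamp
 logging device-id hostname
 logging trap informational
 logging host inside 10.4.48.35
 ntp server 10.10.48.17
end
show logging | include Trap logging|Logging to
```

After the change, show logging should list the trap level and the connector as a logging destination, and the "messages logged" counter should increase as traffic flows; if it does not, the connector is not being reached and the SmartConnector side needs checking. If you later move the ASA to TCP syslog (logging host inside 10.4.48.35 tcp/1470, assuming the connector is configured to listen there), also configure logging permit-hostdown; without it the ASA stops admitting new connections whenever the TCP syslog server is unreachable.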

Setup ArcSight SmartConnector

1. Download the SmartConnector for your specific Cisco device from the ArcSight support website

2. Run the SmartConnector Installer

– Choose install folder and Install Set

– Select destination of events: Manager, Logger

– Select destination hostname/port

– Enter ArcSight admin username and password

ArcSight Express Configuration

This section provides a brief overview of the steps to set up ArcSight Express ("SIEM in a box"), a pre-packaged product bundle for small and medium businesses composed of two appliances. It involves setting up the following. Refer to the Configuration Guide: ArcSight Express for more details.

• ArcSight Express: appliance #1 includes:

– ArcSight Manager

– ArcSight Forwarding Connector

– ArcSight Web (UI)

• ArcSight Storage: appliance #2 includes:

– ArcSight Logger

– Long-term data storage

– ArcSight Connector Manager

Figure 3 - ArcSight Express Deployment Overview

Configure ArcSight Storage Appliance #2 First

1. Define storage volume: where the ArcSight Storage Appliance stores event data

2. Create storage groups: apply retention policies for storage volumes

3. Configure Network Time Protocol (NTP) for precise time-stamping of events (highly recommended)

4. Indexing (optional): use the default indexing options for better performance. Reboot.

5. Create SmartMessage receivers: to listen for events

Configure ArcSight Express Appliance #1 Next

1. Configure Oracle Enterprise Linux

2. Configure ArcSight Express software components

3. Select whether you would like to forward events to the ArcSight Storage Appliance for long-term storage

4. Enter the host name or IP address of the ArcSight Storage appliance and the name of the SmartMessage Receiver created on the ArcSight Storage Appliance.

Refer to the ArcSight Express Configuration Guide for more details.

Install the ArcSight Console

ArcSight Console is the primary user interface for performing administrative tasks on ArcSight Express.

1. Install and configure ArcSight Console, and set up connection to ArcSight Manager

2. Create administrative users in ArcSight Express

Configure all Cisco SmartConnectors centrally from Connector Manager

You can use the Cisco SmartConnectors that are local to the ArcSight Express appliance. You can also centrally manage multiple remote Cisco SmartConnectors from the Connector Manager on this appliance. Refer to the ArcSight Express Configuration Guide for more details.

For large enterprises, ArcSight Express appliances can be replaced by the following two separate ArcSight products for highly scalable and sophisticated event correlation for security operations, and logging for IT operations. For more details refer to the installation and configuration documents of the respective products listed below.

• ArcSight ESM: software package includes the following. Refer to the Installation and Configuration Guide: ArcSight ESM.

– ArcSight Manager

– ArcSight Database

– ArcSight Console and/or ArcSight Web

• ArcSight Logger: appliance includes the following. Refer to the ArcSight Logger Getting Started Guide, and the Installation chapter in the ArcSight Logger Administrator's Guide.

– ArcSight Logger

– Long-term data storage—SAN, Storage Volume, Storage Groups

Figure 4 - ArcSight Console Showing a List of Cisco SmartConnectors Registered with ArcSight ESM

Install ArcSight EnterpriseView for Cisco Solution Package

1. Download the EnterpriseView for Cisco package from the ArcSight software download site (https://software.arcsight.com/)

2. Log in to the ArcSight Express Console as Administrator and click on the Packages tab. Click Import, select the package and follow the directions to install the package.

3. To verify that the package is installed successfully, select the Packages tab in the Navigator panel, and expand the ArcSight Solutions group.

Collecting Logs, Events, and Correlated Events

The Cisco Insight Package is a prepackaged set of powerful analysis tools developed by ArcSight that allows you to monitor activity, configuration changes, availability, and threats across Cisco devices in your environment. A comprehensive and easily customizable set of dashboards, active channels, and reports allows you to measure and report on the status of devices and a variety of other activities taking place in your network.

Refer to the ArcSight Solution Guide: Cisco Insight Package v1.0 for more details on how to collect Cisco logs and events and correlate them with information from the rest of the enterprise. It provides information on the following:

• Installation and configuration

• Use cases

• Compare, backup and uninstall package

Use cases are targeted collections of presentation, correlation, and data processing resources designed to address a particular requirement or Cisco device. The Cisco Insight Package supports the following use cases:

Use Case: Description

Cisco Overview: The Cisco Overview use case provides high-level reports describing logins, configuration changes, and other events involving Cisco firewalls and Cisco Intrusion Prevention Systems in your environment.

Cisco Cross-Device: The Cisco Cross-Device use case provides information about logins, configuration changes, and bandwidth consumption across all Cisco devices in your environment.

Cisco Generic Firewall: The Cisco Generic Firewall use case identifies and provides firewall information based on events reported by any Cisco firewall device or module in your network.

Cisco Generic Intrusion Prevention System (IPS): The Cisco Generic IPS use case provides reports and dashboards based on alerts generated by any Cisco IDS/IPS devices or modules.

Cisco Adaptive Security Appliance (ASA): The Cisco ASA use case provides firewall information based on events reported by Cisco ASA 5500 Series Adaptive Security Appliances.

Cisco IPS Sensor: The Cisco IPS Sensor use case provides event statistics and configuration changes reported by Cisco IPS sensors such as the Cisco IPS 4200 Series appliance, Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM), and Cisco ASA Advanced Inspection and Prevention Security Services Module (AIP-SSM).

Cisco IOS IPS: The Cisco IOS IPS use case provides event statistics and configuration change information reported by Cisco IOS IPS devices present in your network.

Cisco IronPort Email Security Appliance (ESA): The Cisco IronPort Email Security Appliance use case identifies and provides information based on events reported by Email Security Appliances present in your network.

Cisco IronPort Web Security Appliance (WSA): The Cisco IronPort Web Security Appliance use case identifies and provides web traffic information based on events reported by Web Security Appliances present in your network.

Cisco Network: The Cisco Network use case identifies and provides information based on events reported by Cisco network equipment.


Following are some sample screen shots for Cisco Generic Firewall use cases.

Figure 5 - ArcSight Dashboard for Cisco Generic Firewall events

Figure 6 - ArcSight Event Viewer displaying all Cisco network events


Generating Reports

The ArcSight Solution Guide: Cisco Insight Package v1.0 describes the pre-packaged reports that can be used to track logins, configuration changes, and other events involving Cisco devices in your environment. The following table lists the information presentation and data processing resources that support the Cisco Overview use case in the ArcSight Solution Guide.

Cisco Resource Overview Report: Description

Overview of Cisco Configuration Changes: Displays summary information on configuration changes to Cisco devices such as the change count per day, per hour, top affected device, and top involved users.

Cisco Firewall Overview - Top Allowed Systems: Displays summary information about top allowed systems reported by Cisco firewall devices in the last 24 hours such as the top inbound (or outbound) sources and destinations.

Cisco Firewall Overview - Top Denied Systems: Displays summary information about top denied systems reported by Cisco firewall devices in the last 24 hours such as the top inbound (or outbound) blocked sources and destinations.

Overview of Logins Reported by Cisco Devices - Systems: Displays summary information on login attempts recorded by Cisco devices such as the top successful and failed login sources and destinations.

Overview of Logins Reported by Cisco Devices - Trend and Users: Displays summary information on login attempts recorded by Cisco devices such as the attempt count per day, per product, and top users with successful and failed logins.

Cisco Intrusion Prevention System Overview: Displays summary information about alerts reported by Cisco IPS devices in the last 24 hours such as alerts per day, the top alerts, and top attackers and targets involved.

Cisco Firewall Overview - Trend and Port: Displays summary information on firewall events from Cisco devices such as the inbound (or outbound) connections per day and top inbound (or outbound) blocked ports.

The following figure shows a sample pre-defined report for Cisco Firewall activity.

Figure 7 - ArcSight trend reports on Cisco Firewall activity

With the ArcSight Compliance Insight Packages for various regulations (e.g. SOX, PCI, IT Governance) on ArcSight ESM or Express, customers can get pre-defined Compliance Reports for those regulations. Here is a sample compliance report for Sarbanes-Oxley (SOX).

Figure 8 - ArcSight Compliance Reports – Sarbanes-Oxley


Maintaining the SIEM Solution

ArcSight publishes product and content updates with the following frequency.

• Content update (categorization, vulnerability mapping): twice a month

• Context update (geolocation of IPs): once a month

• SmartConnector updates: every six weeks

• Periodic correlation content updates

• Periodic software updates


Common Troubleshooting Tips

These troubleshooting steps help to diagnose and correct problems with getting Cisco events consumed and processed by ArcSight. Please refer to the ArcSight Administrator Guides for ArcSight ESM, Logger, and Express for help with ArcSight platform-specific troubleshooting.

My device is not one of the listed SmartConnectors.
ArcSight offers an optional feature called the FlexConnector Development Kit, which may enable you to create a custom SmartConnector for your device. Alternatively, ArcSight can create a custom SmartConnector for you; contact ArcSight Customer Support.

My device is on the list of supported products, but it does not appear in the SmartConnector Configuration Wizard.
Your device is likely served by a syslog sub-connector of either file, pipe, or daemon type.

Device events are not handled as expected.
Check the SmartConnector configuration to make sure that the event filtering and aggregation setup is appropriate for your needs.

SmartConnector is not reporting all events.
Check that the event filtering and aggregation setup is appropriate for your needs.

Some event fields are not showing up in the Console.
Check that the SmartConnector's Turbo Mode and the Turbo Mode of the Manager for the specific SmartConnector resource are compatible. If the Manager is set for a faster Turbo Mode than the SmartConnector, some event details will be lost.

SmartConnector is not reporting any events.
Check the SmartConnector log for errors. If the SmartConnector cannot communicate with the Manager, it will cache events until its cache is full.

Example of a Day Zero Attack (Malware-Infected Customer Network)

Zero-day attacks occur during the vulnerability window that exists in the time between when a vulnerability is first exploited by an attacker, and when the product vendor or security service provider releases a countermeasure (a security patch or an IPS signature) to detect that threat.

The ArcSight SIEM solution has a patent-pending feature called "Pattern Discovery" that can automatically discover zero-day attacks, detect low-and-slow attacks, and profile new suspicious patterns from current or historical event data. It then allows you to automatically create a rule with a single mouse click, and take any one of the following options to further analyze and respond to such attacks: show related events, show event graph, investigate further, or take a mitigation action if the attack is persistent.

The following steps show the process of setting up Pattern Discovery to detect and mitigate zero-day attacks.

1. Create a profile which allows you to select a subset of events from the event stream, on which the Pattern Discovery tool can be used. The criteria for filtering the event stream could be event start time, end time, source and/or destination IP address, application protocol or payload.

2. Take a snapshot of qualifying event activity from current or historical events, and choose Discover Patterns.

3. The resulting pattern tree displays the transactional relationship of the attack patterns. Right-clicking on a specific cell in the tree allows you to further investigate (e.g. show event graph), or automatically create a rule to mitigate the threat if it is persistent.

Both ArcSight Express and ESM have the Pattern Discovery feature available to detect, further investigate and rapidly respond to unknown (zero-day) attacks.

Products Verified with Cisco Smart Business Architecture

ArcSight ESM 4.5.1 has been verified with Cisco Smart Business Architecture using the following software versions:

• Cisco ASA 5500 Series 8.2(1)

• Cisco IOS Software Release 15.0(1)M2

• Cisco IOS XE Release 2.6.1

• Cisco Intrusion Prevention System 7.0(2)E3

• Cisco IronPort AsyncOS Version 7.1 for Email

• Cisco IronPort AsyncOS Version 6.3 for Web

• Cisco Security MARS 6.0.5


Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Americas Headquarters: Cisco Systems, Inc., San Jose, CA

Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore

Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

SMART BUSINESS ARCHITECTURE

C07-608384-0302/12