Tuesday, April 7, 2015

ArcSight Data Collection and Event Processing

A data source on a network node generates event data, which is collected by an ArcSight agent. The agent normalizes the data into the ArcSight schema, then tags it with event categories and looks up zone and customer attributes from the ArcSight network model. Finally, if so configured, the agent filters and aggregates events to reduce the event stream.
The first phase of the ArcSight process is performed by the agent. The agent is usually configured with aggregation and filter criteria, which provide the first level of narrowing of the event stream. The agent also applies event categories, which are the first layer of evaluation criteria that ArcSight applies. The agent performs the following functions, which are described in detail in the pages that follow.

      • Collect event data
      • Normalize event data
      • Apply event categories
      • Look up Customer and Zone in Network Model
      • Aggregate and Filter events

 

SPLAT Installation


• Insert the Check Point R65/R70 CD into the server's DVD drive.
• You will see a Welcome to Check Point SecurePlatform screen. It prompts you to press any key within 90 seconds; press any key to start the installation, otherwise the installation aborts.
• You will then see a message stating that your hardware was scanned and found suitable for installing SecurePlatform, and asking whether you wish to proceed with the installation of Check Point SecurePlatform. Select OK.
• In the System type section (what type of system would you like to install?), choose SecurePlatform Pro.
• Next you are offered the keyboard type. Select your keyboard type (the default is US) and select OK to continue.
• In the Networking Device screen, select eth1 and OK.
• Enter your Security Gateway's external IP address (217.40.157.100), subnet mask and default gateway IP address (217.40.157.98). Select OK.
• Enable Web based configuration and change the port to 4443 (for security purposes, so the management interface is not on the well-known HTTPS port). Select OK.
• You will now see the Confirmation screen, which warns that the next stage of the installation will format your hard drives. Press OK to continue.
• Once the hard drive is formatted and the images are copied, you are prompted to reboot the machine. Importantly, REMOVE THE INSTALLATION CD first. Press Enter to reboot.
• After the system reloads, log in with the default login name and password, which are admin for both.
• You are prompted for a new password. Choose a password of your choice.
• Next, you are prompted for a different user name. Choose a user name of your choice.
• The next step is to launch the configuration wizard. To start it, type "sysconfig".
• You are asked to enter n for next and q for quit. Enter n for next.
• Press 1 to configure the host name, press 1 again to set the host name, and press Enter.
• Press e to leave this section.
• Press 2 to configure the domain name. Press 1 to set the domain name, and press Enter.
• You can press 2 to show the domain name.
• Press e to exit.
• Press 3 to configure Domain Name Servers, and press 1 to add a domain name server.
• Enter your domain name server's IP address. Press e to exit.
• Press 4 to configure the internal and DMZ Ethernet interfaces.
• Press 2 to configure a new connection. Press 2 again to select the eth0 interface.
• Press 1 to change the IP settings, and enter IP address 192.168.1.250 and subnet mask 255.255.255.0.
• At the prompt "Enter broadcast address of the interface eth0 (leave empty for default)", press Enter.
• Similarly configure the eth2 interface, which acts as the DMZ in this case, with IP address 172.20.1.1 and subnet mask 255.255.255.0. Press e to exit.
• Choose the time and date configuration item, then press n to configure the time zone, date and local time.
• The next prompt is Import Check Point Products Configuration. Press n for next to skip this part, as it is not needed for fresh installs.
• Next is the license agreement. Press Y to accept it.
• The next section shows the product selection. Choose the Check Point Power option and press n to continue.
• Select New Installation from the menu, and press n to continue.
• The next menu shows the products to be installed. Choose VPN-1 Power only, as this is a distributed installation (the SmartCenter Server runs on a separate host). Press n to continue.
• After the VPN-1 Power package is installed, press n for both Dynamically Assigned IP Address gateway installation and Clustering Products.
• Do you want to add a license? Press n.
• Enter the SIC authentication key (Check Point documentation calls it the Activation Key). This one-time key is used to establish Secure Internal Communication, a certificate-based trust, between the Security Gateway and the SmartCenter Server. The same key must be entered on the SmartCenter side when trust is established for the gateway object; once the certificate has been issued the key is no longer used.
• Reboot the system.

SPLAT Installation using the Web Interface

• Insert the Check Point R65/R70 CD into the server's DVD drive.
• You will see a Welcome to Check Point SecurePlatform screen. It prompts you to press any key within 90 seconds; press any key to start the installation, otherwise the installation aborts.
• You will then see a message stating that your hardware was scanned and found suitable for installing SecurePlatform, and asking whether you wish to proceed with the installation of Check Point SecurePlatform. Select OK.
• In the System type section (what type of system would you like to install?), choose SecurePlatform Pro.
• Next you are offered the keyboard type. Select your keyboard type (the default is US) and select OK to continue.
• In the Networking Device screen, select eth0 and OK.
• Enter your Security Gateway's internal IP address (192.168.1.250) and subnet mask (255.255.255.0). Select OK.
• Enable Web based configuration and change the port to 4443 (for security purposes). Select OK.
• You will now see the Confirmation screen, which warns that the next stage of the installation will format your hard drives. Press OK to continue.
• Once the hard drive is formatted and the images are copied, you are prompted to reboot the machine. Importantly, REMOVE THE INSTALLATION CD first. Press Enter to reboot.
• To connect to the SecurePlatform Web interface, open a browser connection to the administration address https://192.168.1.250:4443
• Note: pop-ups must always be allowed for https://192.168.1.250:4443
• The SecurePlatform License screen appears. Click I Accept to continue.
• Type admin for Login Name and admin for Password. Click the Login tab.
• In the next screen you must set your permanent password. Enter New Password and Confirm New Password, then click the Save and Login tab.
• Read the message on the First Time Configuration Wizard - Welcome screen and click Next.
• The First Time Configuration Wizard - Network Connections screen appears. Select the eth1 interface by clicking the hyperlink of the interface name.
• In the Edit Ethernet Connection eth1 screen, insert the Security Gateway's external IP address and netmask. Click Apply to continue.
• In the Edit Ethernet Connection eth2 screen, insert the Security Gateway's DMZ IP address and netmask. Click Apply to continue.
• Click Next to continue.
• The First Time Configuration Wizard - Routing Table displays. Click New and select Default Route.
• Insert the internal IP address of the Internet router (217.40.157.98, the default gateway used in the console procedure above). Click Apply.
• Click Next to continue.
• Insert the DNS servers' IP addresses and click Next.
• Complete the Hostname, Domain Name and Management Interface information. Click Next.
• Enter the correct date and time under the Manual device date and time configuration option. Click Apply and confirm the changes. Click Next.
• In the Web and SSH Clients screen, add only those IP addresses that should be allowed to access the Security Gateway. This allowlist, not the non-standard port chosen earlier, is what actually limits who can reach the management interface, so do not leave it open to whole networks.
• Under Installation Options, select Check Point Power (the default) and click Next.
• In the Products section, choose VPN-1 Power and click Next.
• Skip the option in the Gateway Type box. Click Next.
• In the Secure Internal Communication box, type an authentication key of your choice. Confirm the key and click Next.
• Read the Summary and confirm your selection of products. Click Finish.
• Click Yes to start the configuration process.
• After the configuration process has completed, the gateway server reboots automatically. After the reboot, a message informs you that the process is complete. Click OK.
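Both procedures above enter the same address plan by hand, once through sysconfig and once through the web wizard, and a mistyped gateway or an admin allowlist that admits the whole LAN is easy to miss in either. The following Python script is an added example, not Check Point code and not something SecurePlatform ships: it checks the plan as written on this page for the consistency a practitioner verifies before installing. The external netmask (/29), the two admin workstation addresses and the rule that admin clients must be single hosts on the internal LAN are assumptions; the interface addresses, default gateway and Web UI port are the page's own.

```python
import ipaddress

# The gateway's address plan exactly as the two procedures above enter it.
# The page gives no external netmask; /29 is an assumption for this example.
INTERFACES = {
    'eth0': {'role': 'Internal', 'address': '192.168.1.250/24'},
    'eth1': {'role': 'External', 'address': '217.40.157.100/29'},
    'eth2': {'role': 'DMZ', 'address': '172.20.1.1/24'},
}
DEFAULT_GATEWAY = '217.40.157.98'
WEBUI_PORT = 4443
# Hosts allowed to reach the Web UI and SSH (the "Web and SSH Clients" step).
# Both entries are assumed admin workstations on the internal LAN.
ADMIN_CLIENTS = ['192.168.1.10', '192.168.1.11']


def check_plan(interfaces=INTERFACES, gateway=DEFAULT_GATEWAY,
               webui_port=WEBUI_PORT, admin_clients=ADMIN_CLIENTS):
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems = []
    ifaces = {name: ipaddress.ip_interface(cfg['address']) for name, cfg in interfaces.items()}

    # 1. An interface address must be a usable host, not the network or broadcast address.
    for name, ifc in ifaces.items():
        if ifc.ip in (ifc.network.network_address, ifc.network.broadcast_address):
            problems.append('%s: %s is not a usable host address' % (name, ifc.ip))

    # 2. Interface subnets must not overlap, otherwise routing between them is ambiguous.
    names = list(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append('%s and %s overlap (%s, %s)'
                                % (a, b, ifaces[a].network, ifaces[b].network))

    # 3. The default gateway must be a neighbour on the external interface's subnet.
    gw = ipaddress.ip_address(gateway)
    ext = next((ifc for n, ifc in ifaces.items() if interfaces[n]['role'] == 'External'), None)
    if ext is None:
        problems.append('no interface has the External role')
    elif gw not in ext.network or gw == ext.ip:
        problems.append('default gateway %s is not a reachable neighbour on %s' % (gw, ext.network))

    # 4. Management access: every allowed client must be a single host on the
    #    internal subnet (assumed policy), and the list must not be skipped.
    internal = next((ifc for n, ifc in ifaces.items() if interfaces[n]['role'] == 'Internal'), None)
    if not admin_clients:
        problems.append('admin client list is empty; the Web and SSH Clients step was skipped')
    for client in admin_clients:
        net = ipaddress.ip_network(client, strict=False)
        if net.num_addresses != 1:
            problems.append('admin client %s is a range, not a host' % client)
        elif internal is None or net.network_address not in internal.network:
            problems.append('admin client %s is not on the internal LAN' % client)

    # 5. Keep the Web UI off the well-known HTTPS port, as the page does with 4443.
    if webui_port == 443 or not 1024 <= webui_port <= 65535:
        problems.append('Web UI port %d: use a non-default, unprivileged port' % webui_port)
    return problems


if __name__ == '__main__':
    for problem in check_plan() or ['address plan is consistent']:
        print(problem)
```

Run it with the page's values and it reports nothing; change the gateway to an address outside 217.40.157.96/29, or add 192.168.1.0/24 as an admin client, and the corresponding check fires. Moving the Web UI to 4443 only keeps it off the port scanners try first; the client allowlist in check 4 is the control that actually restricts who can log in.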

ArcSight SIEM solution Architecture



SmartAgents

SmartAgents (agents) are the interface to the network nodes that generate ArcSight-relevant data on your network. Agents collect event data from network nodes, then normalize it in two ways: first they normalize values (such as severity, priority, and time zone) into a common format, then they normalize the data structure into a common schema. Agents can then filter and aggregate events to reduce the volume of events sent to the ArcSight Manager, which increases ArcSight's efficiency and accuracy and reduces event processing time.
Agents also support commands that alter the source and/or execute commands on the local host, such as instructing a scanner to run a scan. Agents can also enrich the data they gather, for example by resolving IP addresses to host names (and vice versa) at collection time, so the Manager does not have to perform the lookup later.
Agents perform the following functions:

• Parse individual events and normalize them into a common schema (format) for use by ArcSight.
• Collect all the data you need from a source device, so you do not have to go back to the device during an investigation or audit.
• Filter out data you know will not be needed for analysis, to save network bandwidth and storage space.
• Aggregate events to reduce the quantity of events sent to the Manager.
• Pass events to the Manager after they have been processed.
• Categorize events using a common, human-readable format. This saves you from having to be an expert in reading the output of a myriad of devices from multiple vendors, and makes it easier to use those event categories to build filters, rules, reports, and data monitors.
• Depending on the network node, some agents can also issue commands to the device. These actions can be executed manually or through automated actions from rules and some data monitors.

ArcSight releases new and updated agents regularly.
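The agent stages listed here and in the ArcSight Data Collection and Event Processing section at the top of the page (collect, normalize, categorize, look up zone and customer, filter and aggregate) are easier to see on concrete input. The Python below is an added example and not ArcSight's agent code: it pushes a handful of constructed log lines (a key=value firewall log and two Linux sshd lines, invented for this example) through each stage in order. The field and category names are modeled on ArcSight's schema and taxonomy; the network model (the address plan from the SPLAT section), the severity mapping, the filter policy and the 60-second aggregation window are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample input (not from any real device): a firewall log in a
# key=value style and Linux sshd syslog lines, as an agent would read them.
RAW_EVENTS = [
    'Apr  7 09:15:01 fw1 action=drop src=203.0.113.7 dst=192.168.1.10 proto=tcp dport=445 rule=12',
    'Apr  7 09:15:02 fw1 action=drop src=203.0.113.7 dst=192.168.1.10 proto=tcp dport=445 rule=12',
    'Apr  7 09:15:03 fw1 action=drop src=203.0.113.7 dst=192.168.1.10 proto=tcp dport=445 rule=12',
    'Apr  7 09:15:04 fw1 action=accept src=192.168.1.50 dst=172.20.1.1 proto=tcp dport=443 rule=3',
    'Apr  7 09:15:05 srv1 sshd[2211]: Failed password for root from 203.0.113.7 port 51522 ssh2',
    'Apr  7 09:15:06 srv1 sshd[2211]: Accepted password for alice from 192.168.1.50 port 51523 ssh2',
]

# Network model (assumed): zone and customer per address block, reusing the
# address plan of the SPLAT section. Unmatched addresses are treated as External.
NETWORK_MODEL = [
    (ipaddress.ip_network('192.168.1.0/24'), 'Internal', 'Acme'),
    (ipaddress.ip_network('172.20.1.0/24'), 'DMZ', 'Acme'),
]

MONTHS = {m: i for i, m in enumerate('Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec'.split(), 1)}
SYSLOG_RE = re.compile(r'^(\w{3})\s+(\d+) (\d\d):(\d\d):(\d\d) (\S+) (.*)$')
FW_RE = re.compile(r'action=(\w+) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)')
SSH_RE = re.compile(r'sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)')

# Fields that must match for two events to be aggregated into one.
AGG_KEY = ('deviceHostName', 'deviceAction', 'sourceAddress',
           'destinationAddress', 'destinationPort', 'destinationUserName')


def normalize(line, year=2015):
    """Parse one raw line into a common schema (field names modeled on ArcSight's)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError('not a syslog line: %r' % line)
    mon, day, hh, mi, ss, host, msg = m.groups()
    ev = {'deviceHostName': host, 'destinationUserName': None,
          'receiptTime': datetime(year, MONTHS[mon], int(day), int(hh), int(mi), int(ss), tzinfo=timezone.utc)}
    fw, ssh = FW_RE.search(msg), SSH_RE.search(msg)
    if fw:
        action, src, dst, proto, dport = fw.groups()
        ev.update(deviceProduct='firewall', deviceAction=action, sourceAddress=src,
                  destinationAddress=dst, transportProtocol=proto.upper(), destinationPort=int(dport),
                  severity='Medium' if action == 'drop' else 'Low')
    elif ssh:
        outcome, user, src = ssh.groups()
        failed = outcome == 'Failed'
        ev.update(deviceProduct='sshd', deviceAction=outcome.lower(), sourceAddress=src,
                  destinationAddress=None, transportProtocol='TCP', destinationPort=22,
                  destinationUserName=user,
                  severity='High' if failed and user == 'root' else 'Medium' if failed else 'Low')
    else:
        raise ValueError('unsupported device message: %r' % msg)
    return ev


def categorize(ev):
    """Tag the event with vendor-independent categories (loosely after ArcSight's taxonomy)."""
    if ev['deviceProduct'] == 'firewall':
        ev['categoryDeviceGroup'], ev['categoryBehavior'] = '/Firewall', '/Access/Start'
    else:
        ev['categoryDeviceGroup'], ev['categoryBehavior'] = '/Operating System', '/Authentication/Verify'
    ev['categoryOutcome'] = '/Success' if ev['deviceAction'] in ('accept', 'accepted') else '/Failure'
    return ev


def lookup_zones(ev):
    """Resolve source and destination addresses to zone and customer via the network model."""
    for side in ('source', 'destination'):
        zone = customer = None
        if ev[side + 'Address']:
            ip = ipaddress.ip_address(ev[side + 'Address'])
            zone, customer = next(((z, c) for net, z, c in NETWORK_MODEL if ip in net), ('External', None))
        ev[side + 'Zone'], ev[side + 'Customer'] = zone, customer
    return ev


def keep(ev):
    """Agent filter (assumed policy): drop accepted firewall traffic to HTTPS,
    which is high-volume and rarely needed for analysis."""
    return not (ev['deviceProduct'] == 'firewall' and ev['deviceAction'] == 'accept'
                and ev['destinationPort'] == 443)


def aggregate(events, window_seconds=60):
    """Merge consecutive events with identical AGG_KEY fields inside the window,
    keeping a count (baseEventCount) and the first and last timestamps."""
    out, last_key = [], None
    for ev in events:
        key = tuple(ev[k] for k in AGG_KEY)
        if out and key == last_key and (ev['receiptTime'] - out[-1]['endTime']).total_seconds() <= window_seconds:
            out[-1]['baseEventCount'] += 1
            out[-1]['endTime'] = ev['receiptTime']
        else:
            out.append(dict(ev, baseEventCount=1, startTime=ev['receiptTime'], endTime=ev['receiptTime']))
            last_key = key
    return out


def process(raw_lines):
    """Full agent pass: normalize, categorize, zone lookup, filter, aggregate."""
    events = [lookup_zones(categorize(normalize(line))) for line in raw_lines]
    return aggregate([ev for ev in events if keep(ev)])


if __name__ == '__main__':
    for ev in process(RAW_EVENTS):
        print(ev['baseEventCount'], ev['deviceHostName'], ev['deviceAction'], ev['severity'],
              ev['sourceZone'], '->', ev['destinationZone'], ev['categoryBehavior'], ev['categoryOutcome'])
```

Six raw lines become three events: the three identical drops collapse into one event with baseEventCount 3, the accepted HTTPS connection is filtered out at the agent, and the two sshd lines arrive as separate authentication events, with the external-to-internal root failure already carrying High severity and a zone pair that a Manager rule can match without knowing either device's native format.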


ArcSight Supported Data Sources


ArcSight collects output from data sources on network nodes, such as intrusion detection and prevention systems, vulnerability assessment tools, firewalls, anti-virus and anti-spam tools, encryption tools, application audit logs, and physical security logs.
The graphic on the next page shows the types of data sources that ArcSight supports.


ArcSight Manager


The Manager is the heart of the ArcSight solution. It is a Java-based server that drives ArcSight’s analyses, workflow, and services. The ArcSight Manager is portable across a variety of operating systems and hardware platforms. It also correlates output from a wide variety of security systems.
 

ArcSight Database

As events stream into the Manager from the agents, they are written to the ArcSight database with a normalized schema. This enables ArcSight to collect all the events generated by devices on your network for later analysis and reference.

The ArcSight database is based on Oracle 9i. A typical installation retains active data online for a period ranging from weeks to months.

ArcSight Console


The ArcSight Console is a workstation-based interface intended for use by full-time security staff in a Security Operations Center (SOC) or similar security-monitoring environment. It is the authoring tool for building ArcSight filters, rules, reports, Pattern Discovery, dashboards and data monitors. It is also the interface for administering users and resources.

ArcSight ESM

ArcSight ESM collects, normalizes, aggregates, and filters millions of events from thousands of assets across your network into a manageable stream that is prioritized according to risk, exposed vulnerabilities, and the criticality of the assets involved. These prioritized events can then be correlated, investigated, analyzed, and remediated using ArcSight's tools, which gives you situational awareness and real-time incident response.


 
• Correlation. Many interesting activities are often represented by more than one event. Correlation is a process that discovers the relationships between events, infers the significance of those relationships, prioritizes them, then provides a framework for taking actions.
• Monitoring. Once events have been processed and correlated to pinpoint the most critical or potentially dangerous, ArcSight provides a wide variety of flexible monitoring tools that enable you to investigate and remediate potential threats before they can damage your network.
• Workflow. The workflow framework provides a customizable structure of escalation levels to ensure that events of interest are escalated to the right people in the right timeframe. This enables members of your team to do immediate investigations, make informed decisions, and take appropriate and timely action.
• Analysis. When events occur that require investigation, ArcSight provides an array of investigative tools that enable members of your team to drill down into an event to discover its details and connections, and to perform functions such as NSlookup, Ping, Portinfo, Traceroute, WebSearch, and Whois.
• Reporting. Briefing others on the status of your network security is vital to all who have a stake in the health of your network, including IT and security managers, executive management, and regulatory auditors. ArcSight's reporting tools can be used to create versatile reports that focus on narrow topics or report general system status, either manually or automatically on a regular schedule.
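The correlation, prioritization and workflow points above describe what the Manager does with the normalized stream; the following Python is an added example, not ArcSight's rule engine, that shows one such rule end to end. It takes constructed, already-normalized authentication events (the form an agent hands the Manager, including one aggregated event whose baseEventCount carries three failures), fires when at least three failed logins from one source to one host inside a two-minute window are followed by a success, scores the result from an assumed asset model (criticality and a reported exposed vulnerability, the inputs the ESM section names), and maps the priority to an escalation stage. The asset model, the scoring formula, the thresholds and the escalation levels are all assumptions and not ArcSight's own priority calculation.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def ts(sec):
    """Timestamps for the constructed sample: seconds after 2015-04-07 09:15:00 UTC."""
    return datetime(2015, 4, 7, 9, 15, 0, tzinfo=timezone.utc) + timedelta(seconds=sec)


def auth_event(sec, src, dst, user, ok, count=1):
    """Build a constructed, already-normalized authentication event."""
    return {'endTime': ts(sec), 'sourceAddress': src, 'destinationAddress': dst,
            'destinationUserName': user, 'categoryBehavior': '/Authentication/Verify',
            'categoryOutcome': '/Success' if ok else '/Failure', 'baseEventCount': count}


# Constructed input in the form an agent hands the Manager. The first event is
# an aggregated one carrying three failures in baseEventCount.
EVENTS = [
    auth_event(0, '203.0.113.7', '192.168.1.20', 'root', False, count=3),
    auth_event(5, '203.0.113.7', '192.168.1.20', 'root', False),
    auth_event(9, '203.0.113.7', '192.168.1.20', 'root', True),       # success after 4 failures
    auth_event(20, '192.168.1.50', '172.20.1.1', 'alice', False),
    auth_event(25, '192.168.1.50', '172.20.1.1', 'alice', True),      # one typo, then success: benign
    auth_event(400, '198.51.100.9', '172.20.1.1', 'www', False, count=5),
    auth_event(900, '198.51.100.9', '172.20.1.1', 'www', True),       # failures expired: outside window
]

# Asset model (assumed): criticality 1-10 and whether a scanner has reported an
# unpatched, exposed vulnerability, the inputs the page says drive prioritization.
ASSETS = {
    '192.168.1.20': {'name': 'fileserver', 'criticality': 9, 'exposed_vuln': True},
    '172.20.1.1': {'name': 'dmz-web', 'criticality': 6, 'exposed_vuln': False},
}

WINDOW = timedelta(seconds=120)   # how long failures stay relevant
THRESHOLD = 3                     # failures needed before a success is suspicious


def prioritize(rule_severity, asset):
    """Assumed scoring (not ArcSight's priority formula): rule severity 0-10 scaled
    by asset criticality, plus 2 when the target has an exposed vulnerability."""
    criticality = asset['criticality'] if asset else 3     # unknown asset: assume low
    score = rule_severity * criticality / 10.0
    if asset and asset['exposed_vuln']:
        score += 2
    return min(10, round(score))


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Rule: at least `threshold` failed logins from one source to one host inside
    `window`, followed by a successful login for the same source/host pair."""
    failures = defaultdict(deque)     # (src, dst) -> deque of (time, count)
    alerts = []
    for ev in sorted(events, key=lambda e: e['endTime']):
        if ev['categoryBehavior'] != '/Authentication/Verify':
            continue
        key = (ev['sourceAddress'], ev['destinationAddress'])
        recent = failures[key]
        while recent and ev['endTime'] - recent[0][0] > window:   # expire stale failures
            recent.popleft()
        if ev['categoryOutcome'] == '/Failure':
            recent.append((ev['endTime'], ev['baseEventCount']))
            continue
        total = sum(count for _, count in recent)
        if total >= threshold:
            asset = ASSETS.get(ev['destinationAddress'])
            alerts.append({'name': 'Successful login after brute force',
                           'sourceAddress': key[0], 'destinationAddress': key[1],
                           'destinationUserName': ev['destinationUserName'],
                           'failedAttempts': total, 'endTime': ev['endTime'],
                           'priority': prioritize(7, asset)})
        recent.clear()    # a success ends the sequence for this pair
    return alerts


def escalate(alert):
    """Workflow stage chosen by priority (assumed thresholds)."""
    if alert['priority'] >= 8:
        return 'page on-call analyst'
    if alert['priority'] >= 5:
        return 'open case in SOC queue'
    return 'log only'


if __name__ == '__main__':
    for alert in correlate(EVENTS):
        print(alert['name'], alert['sourceAddress'], '->', alert['destinationAddress'],
              'attempts=%d priority=%d' % (alert['failedAttempts'], alert['priority']), escalate(alert))
```

Only the first sequence fires: four failures against the critical, vulnerable file server followed by a root login scores 8 and is paged out, the single typo before alice's login never reaches the threshold, and the five failures against the DMZ web host have aged out of the window by the time the success arrives. Counting baseEventCount rather than events is what keeps the rule correct after agent-side aggregation has collapsed repeated failures into one event.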