Add Context and Enrich Alert Information for a More Effective Response with DFLabs and ArcSight

Responding to a new security incident in the fastest possible time frame is critical for any security operations center (SOC) or computer security incident response team (CSIRT), but having the necessary information at your fingertips is key in order to help improve response times and appropriately deal with the threat at hand. In this blog post we’ll take a closer look at how security teams can increase the efficiency and effectiveness of their response by adding context and enrichment to the alert information directly from ArcSight, when utilizing DFLabs’ Security Orchestration, Automation and Response (SOAR) platform and its many other bidirectional integrations.

The Problem

Organizations are generating more log data than ever before and are increasingly turning to SIEM tools to help manage, correlate and alert on potential events from this large quantity of data. Once data is correlated and an alert is generated, enriching alert data is often a manual task which consumes a significant amount of analysts’ time. Pivoting from a single alert or from enriched information is often also a manual process, requiring many more custom written queries within the SIEM. Enriched and additional data must then be correlated manually by the analyst before it becomes actionable.

On a daily basis an analyst will face a number of challenges and is likely to be asking themselves the following questions:

  1. How can I use the SIEM logs to add context to a security event?
  2. How can I enrich information from the initial security alert?
  3. How can I pivot from the initial security alert to further my investigation?
The DFLabs and ArcSight Solution

DFLabs and MicroFocus ArcSight bring SOAR and SIEM together to allow rapid, informed responses to security incidents based on enriched, actionable information. DFLabs’ IncMan SOAR platform allows users to automatically query ArcSight to pivot from an initial alert to gather increase insight into the activity within the organization. IncMan also allows users to enrich information retrieved from ArcSight, such as IP addresses, hostnames and domains, using any number of IncMan’s other integrations.

About MicroFocus ArcSight

ArcSight is an industry-leading Security Information and Event Management (SIEM) solution from MicroFocus. ArcSight collects and analyzes events from across systems and security tools. It detects security threats in real time so that analysts respond quickly, and it scales to meet demanding security requirements. ArcSight’s advanced distributed correlation engine, helps security teams detect and respond to internal and external threats, reduces response time from hours or days to just minutes.

Use Case

To get a real understanding of how the two solutions work together, here is a simple use case in action.

A Web Application Firewall (WAF) has observed a potential attack against an application server in the organization’s DMZ. IncMan automatically responds by initiating an appropriate runbook for the alert. The runbook begins by performing basic enrichment on the source IP address of the malicious traffic. This basic enrichment is followed by a query for IP reputation information on the source IP address from the organization’s threat reputation service of choice.  

Following the threat reputation search, ArcSight is queried for any other events which have been recently generated by the source IP address. If ArcSight returns any other recent events generated by the source IP address, or the source IP address has a negative threat reputation, the severity of the incident is automatically upgraded to High. The analyst is then presented with a user choice decision to determine if the source IP address should be blocked at the perimeter firewall. If the analyst chooses to automatically block the source IP address, a ticket will be created in ArcSight Enterprise Security Manager (ESM) to notify the appropriate teams to follow up on the emergency change according to the organization’s policies.

These actions are followed by a second query to ArcSight, this time for any other recent events involving the web application server. If ArcSight returns any other recent events generated from the web application server, the severity of the incident is automatically upgraded to High (unless it has already previously been upgraded).  The runbook concludes by performing a query of the organization’s endpoint detection solution for all recent events from the web application server. This information will be retained for review by the analyst during the investigative process.

ArcSight

 

ArcSight Actions

In summary, here are the actions available to security analysts by using ArcSight.

Enrichment:

  • Get Active List Entries
  • Search Into Events

Containment:

  • Add Active List Entries
  • Clean Active List Entries

Notification:

  • Create Ticket
  • Get Ticket
  • Update Ticket

Integrating ArcSight with DFLabs’ IncMan SOAR allows organizations to efficiently triage the volume of alerts being generated by the SIEM, automatically prioritizing those alerts which may pose the greatest risk to the organization. By automating and orchestrating the SIEM with other security solutions, IncMan SOAR can automatically enrich the alert information, then pivot based on the enriched information as an analyst would do during a manual investigation. This ability to automatically enrich and pivot allows IncMan to more accurately prioritize incidents which may initially seem innocuous.  

How to Prevent Alert Fatigue

Security analysts today are spending the majority of their time dealing with the mundane, repetitive and administrative based tasks associated with incident response, as opposed to using their valued time proactively investigating and hunting threats in order to remain one step ahead of the increasing number of cyber threats they are facing.  On a daily basis, security teams are being bombarded with a plethora of security alerts, most commonly from their security information and event management (SIEM) solution, combined with log and event data from a number of other platforms and sources with their infrastructure.

A SIEM tool pulls event and logs data from a wide range of internal sources, sometimes up to 15 different third-party tools or more, to provide a complete all-around picture of an organization’s current security posture ongoing threats. The SIEM mainly acts as a security monitoring system by correlating relevant data from multiple sources and generating alerts when the events appear to be worthy of further investigation. At a basic level, SIEM implementations can be rule-based or can employ a statistical correlation engine to establish relationships between event log entries, while advanced SIEMs can be used for user and entity behavior analytics (UEBA) and some orchestration and automation processes.

Is there such a thing as too much information?

The main advantage of implementing a formal and automated SIEM process is to increase the overall visibility of the IT network and security infrastructure. However, this process and enhanced visibility often leads to large volumes of alerts being generated which then manually need investigating by security analysts. Quite often a number also turn out to be false positives after further investigation, wasting a considerable amount of time. In other cases, far too many alerts are being generated for the workforce to even begin to consider investigating them all. As a consequence, only the higher levels of alerts are prioritized, increasing the risk to the organization by disregarding some of the lower-level alerts.

A more effective and efficient solution

Rather than leaving the organization vulnerable to the risks of ignored alerts, a better solution is to complement the SIEM with security orchestration, automation, and response (SOAR) technology. Gartner created the term SOAR to describe an approach to security operations and incident response that aims to improve security operations’ efficiency, efficacy, and consistency. SOAR allows organizations to collect security data and alert information from a number of different sources, including a SIEM, and to then perform incident analysis and triage using a combination of human and machine power. This helps to formalize the response handling procedure, determining and deploying effective and repetitive incident response processes and workflows.

Acting as a force multiplier, SOAR allows security teams to do more with less resources. It provides capabilities to automate, orchestrate and measure the full incident response lifecycle, including detection, security incident qualification, triage and escalation, enrichment, containment, and remediation.  The overall goal of an organization utilizing a SOAR solution is to reduce the mean time to detection (MTTD) as well as the mean time to respond (MTTR) to an incident. This, in turn, minimizes the risk resulting from the growing number of cyber threats and security incidents, while also enabling the organization to achieve legal and regulatory compliance, while ultimately increasing the return on investment for existing security infrastructure technologies.

Action alerts immediately automatically

A SIEM solution ingests and processes large volumes of security events from various sources, then collates and analyzes the information to identify the issues, which subsequently triggers the creation of the initial security alert. This functionality is often limited to unidirectional communication with the data collection sources and in most cases, SIEM implementations do not carry out actions beyond the initial alert generation. This is where the power of SOAR can add significant value, taking the SIEM generated alert and orchestrating and automating responses, utilizing multiple security and IT tools from different vendors to remediate the threat.

Once a SIEM alert is generated, an incident is triggered within the connecting SOAR solution. Combined with machine automation and some level of human interaction where needed, a number of enrichment and response actions are carried out following a specific set of playbooks and runbooks for each individual incident type. A set of activities based on previously defined incident workflows and results, combined with machine learning are used to automate and guide the entire response process from start to finish.

Get more from the people you have

Integrating SIEM and SOAR combines the power of each to create a more robust, efficient and responsive security program, ensuring no alerts go untouched. It accelerates incident detection and response actions from minutes to seconds, ultimately enabling security teams to maximize analyst efficiency, minimize incident resolution time and avoid alert fatigue that negatively impacts so many of today’s security teams. It also enables organizations to automate most of the low-level work often performed by security analysts, allowing them to do what they do best, which is challenging and rewarding, while SOAR technology does the rest.