Today's post is a guest blog by Scott Edwards from the HP BSM (Business Service Management) group, oddly enough not a 'security' function, but I promised in a previous post to provide more information on the SOC + NOC integrations. This is some very cool, very useful stuff that crosses domains from security to network and applications, beyond the boundaries of traditional security. I think you'll enjoy the read and, more importantly, find the opportunity to enrich the relationship and efficiency between your IT Operations and Security Operations teams.
This post, in rare form, presents HP products because I firmly believe this is something that has the potential to change the game in many large and medium-sized organizations. If you're in operations (IT or Security) you really need to give this a read.
Have you ever asked yourself this question: “Are my web-facing applications under attack, or are they under-provisioned?”
It is a simple question, and one that you may have asked numerous times. With the way your Operations and Security teams are structured, could you provide a definitive answer?
Security information is rarely integrated with IT operations data. Often, the Security Operations Center (SOC) and the Network Operations Center (NOC) are siloed groups, working independently, without any integration or even communication. Without integration between these two groups, you don’t have the complete visibility you need to troubleshoot a problem and find its root cause.
Here’s a typical example. If operations sees a key application slowing down, they don’t know whether it is a usage spike from an unusual load, a piece of failing hardware, or some sort of bot attack. Customers don’t have the insight or context they need to react quickly and drill down to the root problem so they can protect their business. In this type of scenario, the operator may simply throw more resources at the host to meet the demand spike. But if there is some type of security breach, that approach just wastes money and won’t solve anything.
As you can see, a new approach is needed. And now, it is here with the integration of ArcSight and BSM.
With BSM 9.1, the operations team can now bring security events from the ArcSight Enterprise Security Manager (ESM) and Logger products into one central Operations Bridge, which we call Operations Manager i (OMi). OMi has become the Manager of Managers, bringing events from different parts of the data center into one single console. This includes events from each of the BSM monitoring tools for systems, network, and applications, as well as from third-party tools such as Nagios and SCOM. Additionally, OMi now shows security events coming in from ArcSight.
In our hypothetical example above, the operations team can identify a security issue by searching the web server logs in ArcSight Logger and immediately seeing what could be a Denial of Service (DoS) attack, where hundreds of requests are made for the same document on the web server. As shown below in OMi, we see a 95% capacity utilization rate on the WebLogic server “web1.arcnet.com”.
This suspicion can be corroborated in Logger with a simple “Google-like” search. In the screenshot below, you see the number of attempts to download a single document.
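As an added illustration (not code from this post or from the HP products it describes), the corroboration step above can be expressed against plain web-server access logs: take the host's capacity reading, count requests per document and the distinct clients requesting each, and tell a single document hammered by a handful of sources apart from a genuine load spike spread across many clients. The sample log lines, the 95% reading and the thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed access log lines (Common Log Format), not real data: two clients
# fetch /docs/report.pdf 200 times in total while five other clients each
# request /index.html once.
SAMPLE_LOG = (
    ['203.0.113.10 - - [10/Oct/2011:13:55:%02d +0000] "GET /docs/report.pdf HTTP/1.1" 200 1024' % (i % 60)
     for i in range(120)]
    + ['203.0.113.11 - - [10/Oct/2011:13:56:%02d +0000] "GET /docs/report.pdf HTTP/1.1" 200 1024' % (i % 60)
       for i in range(80)]
    + ['198.51.100.%d - - [10/Oct/2011:13:57:01 +0000] "GET /index.html HTTP/1.1" 200 512' % i
       for i in range(1, 6)]
)

LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (client, path) for one access log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return (m.group("client"), m.group("path")) if m else None

def summarize(lines):
    """Map each requested document to (request count, number of distinct clients)."""
    hits = Counter()
    clients = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            client, path = parsed
            hits[path] += 1
            clients[path].add(client)
    return {path: (hits[path], len(clients[path])) for path in hits}

def classify(cpu_pct, summary, cpu_threshold=90, hit_threshold=100, max_clients=5):
    """Answer 'under attack or under-provisioned?' for one host.

    Returns ('healthy', None) below the capacity threshold. When the host is
    saturated, the busiest document is 'suspected_dos' if it was requested at
    least hit_threshold times by no more than max_clients distinct sources,
    otherwise the load comes from a broad client population: 'load_spike'.
    """
    if cpu_pct < cpu_threshold:
        return ("healthy", None)
    if not summary:
        return ("unexplained", None)   # saturated, but the web logs point at no document
    path, (count, distinct) = max(summary.items(), key=lambda kv: kv[1][0])
    if count >= hit_threshold and distinct <= max_clients:
        return ("suspected_dos", path)
    return ("load_spike", path)
```

In practice the same two signals, host utilization from the operations side and request counts per document from the log side, are what the OMi and Logger views above are placing side by side.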
By integrating ArcSight with BSM, the visibility goes both ways, as the SOC team can get insight into operational events.
(ArcSight ESM showing OM events)
The security team can enrich existing data sources in ESM by pulling in specific operations content (ESM receives the data through the OM SmartConnector) and can then correlate the OM/OMi events with security events from other sources.
Additionally, there is a lack of visibility today into network performance issues related to security problems. The solution is to consolidate network management incidents and SNMP trap incidents and then forward them to ESM. The benefit for the SOC is that network performance incidents can be seen in the context of security events, giving the security operations staff visibility into the network performance impact of security problems.
All in all, by integrating ArcSight and BSM, the SOC and NOC teams can have complete visibility into anomalies and threats across ALL enterprise data. This is the vision of SecureOps.
More on this subject to come…