SecOps - A step closer to bridging the Security Operations and IT Operations organizations

Today's post is a guest blog by Scott Edwards, from the HP BSM (Business Service Management) group, oddly enough not a 'security' function, but in a previous post I promised to provide more information on the SOC + NOC integrations. This is some very cool, very useful stuff that crosses domains from security to network and applications, beyond the boundaries of traditional security. I think you'll enjoy the read, and more importantly find the opportunity to enrich your IT Operations <> Security Operations relationship and efficiency.


This post in rare form presents HP products because I firmly believe this is something that has the potential to change the game in many large and medium-sized organizations.  If you're in operations (IT or Security) you really need to give this a read.

------------------------------------------------------------------------------------------------------

Have you ever asked yourself this question: “Are my web-facing applications under attack … or are they under-provisioned?”

It is a simple question. One that you may have asked numerous times.  With the way your Operations and Security teams are structured, could you provide a definitive answer?

Security information is rarely integrated with IT operations data. Often, the Security Operations Center (SOC) and the Network Operations Center (NOC) are siloed groups, working independently, without any integration or even communication. Without integration between these two groups, you don’t have the complete visibility you need to troubleshoot a problem and find its root cause.

Here’s a typical example. If operations sees a key application slowing down, they don’t know whether it is an unusual load spike, a piece of failing hardware, or some sort of bot attack. Without that insight and context they cannot react quickly and drill down to the root problem in order to protect the business. In this scenario, the operator may simply throw more resources at the host to meet the apparent demand. But if the cause is a security incident, that approach just wastes money and solves nothing: the extra capacity is consumed by the attacker, not by customers.

As you can see, a new approach is needed.  And now, it is here with the integration of ArcSight and BSM.

With BSM 9.1, the operations team can now bring security events from the ArcSight Enterprise Security Manager (ESM) and Logger products into one central Operations Bridge, which we call Operations Manager i (OMi). OMi has become the Manager of Managers, bringing events from different parts of the data center into a single console. This includes events from each of the BSM monitoring tools for systems, network, and applications, but also from third-party tools such as Nagios and Microsoft SCOM. Additionally, OMi now shows security events coming in from ArcSight.

[Figure: SolArch - BSM-ArcSight (solution architecture diagram)]


In our hypothetical example above, the operations team can determine whether a security issue is involved by searching the web server logs in ArcSight Logger and immediately seeing what could be a Denial of Service (DoS) attack: hundreds of requests for the same document from the web server. As shown below in OMi, we see a 95% capacity utilization rate on the WebLogic server “web1.arcnet.com”.


[Figure: Dashboard1 (OMi)]

[Figure: Dashboard2 (OMi)]


This suspicion can be corroborated in Logger with a simple “Google-like” search. In the screenshot below, you see the number of attempts to download a single document.


[Figure: Dashboard3 (Logger search results)]
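To make the triage above concrete, here is an added example, written for this post rather than taken from it or from the HP products, that performs the same correlation in Python over a constructed web server access log: it looks for a burst of requests for one document inside a sliding 60-second window (the Logger search), combines that with the host utilization figure (the OMi view), and answers "under attack", "under-provisioned" or "healthy". The thresholds, sample addresses, paths and timestamps are my assumptions; the log lines are generated in the script and are not a real capture.

```python
"""Attack or under-provisioned?  Constructed triage example (not from the post):
correlate a web server access log with host utilization.  Any path requested
BURST_THRESHOLD or more times inside a 60-second window is treated as a DoS
indicator; high CPU with no such burst points to capacity instead."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-format access log line (Apache style): ip ident user [ts] "req" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BURST_THRESHOLD = 100      # assumed: requests for one path within WINDOW
WINDOW = timedelta(seconds=60)
UTIL_THRESHOLD = 90        # assumed: percent CPU that counts as saturated


def parse_access_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
                       "method": m["method"], "path": m["path"], "status": int(m["status"])})
    return events


def peak_burst(events, window=WINDOW):
    """Per path: the largest request count seen in any sliding window of
    `window`, and the source IPs that produced that peak (two-pointer scan)."""
    by_path = defaultdict(list)
    for e in events:
        by_path[e["path"]].append(e)
    peaks = {}
    for path, evs in by_path.items():
        evs.sort(key=lambda e: e["ts"])
        best, best_ips, left = 0, set(), 0
        for right in range(len(evs)):
            while evs[right]["ts"] - evs[left]["ts"] > window:
                left += 1
            if right - left + 1 > best:
                best = right - left + 1
                best_ips = {e["ip"] for e in evs[left:right + 1]}
        peaks[path] = (best, best_ips)
    return peaks


def triage(log_text, cpu_utilization_pct):
    """Return a verdict dict.  A burst wins over utilization: a saturated host
    that is being flooded needs the flood stopped, not more capacity."""
    peaks = peak_burst(parse_access_log(log_text))
    floods = {p: v for p, v in peaks.items() if v[0] >= BURST_THRESHOLD}
    if floods:
        path, (count, ips) = max(floods.items(), key=lambda kv: kv[1][0])
        return {"verdict": "under attack", "path": path, "requests": count,
                "sources": sorted(ips), "cpu": cpu_utilization_pct,
                "reason": f"{count} requests for {path} within {WINDOW.seconds}s "
                          f"from {len(ips)} source(s); CPU at {cpu_utilization_pct}%"}
    if cpu_utilization_pct >= UTIL_THRESHOLD:
        return {"verdict": "under-provisioned", "cpu": cpu_utilization_pct,
                "reason": f"CPU at {cpu_utilization_pct}% with no request burst"}
    return {"verdict": "healthy", "cpu": cpu_utilization_pct,
            "reason": f"no burst, CPU at {cpu_utilization_pct}%"}


def build_sample_log(include_flood=True):
    """Constructed sample data, not a real capture: ten ordinary requests from
    ten clients over a minute, optionally plus 150 GETs for the same PDF from
    three hosts packed into 40 seconds."""
    t0 = datetime(2012, 3, 8, 10, 0, 0, tzinfo=timezone.utc)
    paths = ["/", "/login", "/about", "/docs/", "/img/logo.png",
             "/", "/search?q=x", "/api/status", "/", "/docs/index.html"]
    lines = []
    for i, path in enumerate(paths):
        ts = (t0 + timedelta(seconds=6 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.{i + 1} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    if include_flood:
        bots = ["203.0.113.7", "203.0.113.8", "203.0.113.9"]
        for i in range(150):
            ts = (t0 + timedelta(seconds=10 + i * 40 / 150)).strftime(TS_FMT)
            lines.append(f'{bots[i % 3]} - - [{ts}] "GET /docs/report.pdf HTTP/1.1" '
                         f'200 10240 "-" "curl/7.21"')
    return "\n".join(lines)


if __name__ == "__main__":
    for log, cpu in ((build_sample_log(), 95), (build_sample_log(False), 95)):
        result = triage(log, cpu)
        print(result["verdict"], "-", result["reason"])
```

The ordering of the checks is the point of the post: at 95% CPU the same host is classified "under attack" when the flood is present and "under-provisioned" when it is not, so the operator who only sees the utilization graph cannot tell the two apart, while the operator who also sees the per-document request burst can. The sliding window keeps the check independent of how the log is chunked, and the source set tells the SOC whether a handful of addresses can simply be blocked.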


By integrating ArcSight with BSM, the visibility goes both ways, as the SOC team can get insight into operational events.


[Figure: Dashboard4 (ArcSight ESM showing OM events)]

The security team can enrich the existing data sources in ESM by pulling in specific operations content (ESM receives the data through the OM SmartConnector) and can then correlate the OM/OMi events with security events from other sources.

Additionally, there is a lack of visibility today into network performance issues caused by security problems. The solution is to consolidate network management incidents and SNMP trap incidents and forward them to ESM. The benefit for the SOC is that network performance incidents can then be seen in the context of security events, giving the security operations staff visibility into the network performance impact of security problems.
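As an added illustration of that forwarding step (this is my example, not the post's and not the SmartConnector's own code), the snippet below turns a constructed SNMP trap record into a Common Event Format (CEF) line, the text format ArcSight ESM and Logger accept from third-party sources. The post itself does not mention CEF; the vendor and product names, the trap record layout and the severity mapping are assumptions made for the example. The linkDown trap OID and the IF-MIB varbind OIDs are the standard ones.

```python
"""Constructed example: forward a consolidated SNMP trap to ArcSight as CEF.
CEF header: CEF:0|Vendor|Product|Version|EventClassID|Name|Severity|extension
Header fields escape '|' and '\\'; extension values escape '=', '\\' and newlines."""
from datetime import datetime, timezone


def cef_escape_header(value):
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value):
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(vendor, product, version, event_id, name, severity, extension):
    """Build one CEF line; `extension` is an ordered mapping of CEF keys to values."""
    header = "|".join(cef_escape_header(v)
                      for v in (vendor, product, version, event_id, name, severity))
    ext = " ".join(f"{k}={cef_escape_ext(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


# Assumed mapping from standard SNMPv2 notification OIDs to a name and CEF severity (0-10).
TRAP_NAMES = {
    "1.3.6.1.6.3.1.1.5.3": ("linkDown", 7),
    "1.3.6.1.6.3.1.1.5.4": ("linkUp", 3),
    "1.3.6.1.6.3.1.1.5.5": ("authenticationFailure", 8),
}

# Constructed trap record as a trap receiver might hand it over (not real data).
SAMPLE_TRAP = {
    "agent": "10.0.0.12",
    "trap_oid": "1.3.6.1.6.3.1.1.5.3",                  # linkDown
    "varbinds": {"1.3.6.1.2.1.2.2.1.1.3": "3",          # ifIndex.3
                 "1.3.6.1.2.1.2.2.1.8.3": "2"},         # ifOperStatus.3 = down(2)
    "received": datetime(2012, 3, 8, 10, 5, 0, tzinfo=timezone.utc),
}


def trap_to_cef(trap, vendor="Example", product="TrapBridge", version="1.0"):
    """Map a trap record to CEF: rt is receive time in ms since epoch, dvc the
    agent address, cs1 the trap OID, msg the raw varbinds (escaped)."""
    name, severity = TRAP_NAMES.get(trap["trap_oid"], ("snmpTrap", 5))
    extension = {
        "rt": int(trap["received"].timestamp() * 1000),
        "dvc": trap["agent"],
        "cs1Label": "trapOID",
        "cs1": trap["trap_oid"],
        "msg": "; ".join(f"{oid}={val}" for oid, val in trap["varbinds"].items()),
    }
    return to_cef(vendor, product, version, trap["trap_oid"], name, severity, extension)


if __name__ == "__main__":
    print(trap_to_cef(SAMPLE_TRAP))
```

The escaping functions are where these bridges usually go wrong: a varbind value containing "=" or "|" that is pasted in raw will shift every later field when ESM parses the line, so the test case deliberately feeds "=" through the message field.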

All in all, by integrating ArcSight and BSM, the SOC and NOC teams can have complete visibility into anomalies and threats across all enterprise data. This is the vision of SecureOps.

More on this subject to come…


Comments
Phil Cox (anon) | 03-08-2012 11:16 PM

I started something similar in a company I was consulting for prior to moving to RightScale. They were a heavy ITIL shop, and were spending boat loads of money (interestingly enough to HP) on service definitions and ability to monitor and measure to meet them. We had a much more limited budget for the SIEM initiative, but the goal from the start was to design security alerts so that they could become an integral part of the overall operations monitoring team, thus leveraging the 1st level support to triage those alerts and be educated enough to pass them on or address them, just like they would other operational issues.


As noted above, you need tools to automate this, and expertise on the tools that you choose. It can be done with all open-source (note I did not say FREE) or stuff you buy, but both will require:

  • diligence to get the security monitoring part as tuned as traditional operational monitoring
  • commitment to training the 1st level folks on proper response