User`s guide

ManualsBrandsVMware ManualsOtherVCLOUD REQUEST MANAGER 1.0.0

Technical white paper

HP CloudSystem Enterprise

Integrating security with HP ArcSight

Table of contents

Executive summary ...................................................................................................................................................................... 3

HP CloudSystem Enterprise overview ...................................................................................................................................... 3

HP CloudSystem Enterprise supply layer ............................................................................................................................ 3

HP CloudSystem Enterprise demand and delivery: HP Cloud Service Automation .................................................... 3

HP CloudSystem Enterprise components ........................................................................................................................... 4

HP ArcSight overview ................................................................................................................................................................... 4

Enterprise Security Manager .................................................................................................................................................. 4

HP ArcSight Logger ................................................................................................................................................................... 5

HP ArcSight Connectors ........................................................................................................................................................... 5

Typical deployment scenarios .................................................................................................................................................... 6

Sending events in RAW and CEF format to HP ArcSight Logger ..................................................................................... 6

Sending events to HP ArcSight Logger using Connectors ............................................................................................... 7

Sending events to HP ArcSight ESM using Connectors ..................................................................................................... 8

Devices ........................................................................................................................................................................................ 9

Grouping devices ....................................................................................................................................................................... 9

Forwarding events to HP ArcSight ESM.............................................................................................................................. 10

Protecting HP CloudSystem Enterprise components with HP ArcSight .......................................................................... 11

Cloud Service Automation 3.1 .............................................................................................................................................. 12

Matrix Operating Environment ............................................................................................................................................. 13

Server Automation .................................................................................................................................................................. 15

VMware ESXi 5 Host ............................................................................................................................................................... 15

Networking ............................................................................................................................................................................... 21

HP TippingPoint Security Management System (SMS) Appliance ................................................................................ 22

Protecting CloudSystem Enterprise Services with HP ArcSight ........................................................................................ 25

HP LAMP solution .................................................................................................................................................................... 25

Working with events ................................................................................................................................................................... 27

Searching the HP ArcSight Logger ...................................................................................................................................... 27

HP ArcSight ESM – Viewing Events with Active Channels ............................................................................................... 29

Zones ......................................................................................................................................................................................... 31

Queries ...................................................................................................................................................................................... 31

Rules .......................................................................................................................................................................................... 34

Cloud Security Alliance ............................................................................................................................................................... 35

Summary ....................................................................................................................................................................................... 36

Summary of content (39 pages)

PAGE 1
Technical white paper HP CloudSystem Enterprise Integrating security with HP ArcSight Table of contents Executive summary ...................................................................................................................................................................... 3 HP CloudSystem Enterprise overview ...................................................................................................................................... 3 HP CloudSystem Enterprise supply layer ........
PAGE 2
Technical white paper Appendix A: ASLinuxAudit.props .............................................................................................................................................. 36 For more information .................................................................................................................................................................
PAGE 3
Technical white paper Executive summary Organizations are faced with threats that could disrupt operations and critical IT services. HP CloudSystem Enterprise provides automation to rapidly deliver compute resources to cloud consumers. Security must be a key component to ensure availability of the components that deliver and provision cloud based services. This document is a reference implementation of an HP ArcSight Security Information and Event Management (SIEM) solution and CloudSystem Enterprise.
PAGE 4
Technical white paper comprehensive service automation solution. Cloud Service Automation (CSA) can leverage CloudSystem Matrix infrastructure services, and adds applications to the supply layer. It also expands the system’s infrastructure capabilities: for example, with CSA, HP CloudSystem Enterprise can support multiple hypervisors—such as those from VMware, Microsoft, KVM, and Xen—within the supply layer.
PAGE 5
Technical white paper Key Benefits • A cost-effective solution for all your regulatory compliance needs • Automated log collection and archiving • Fraud and Real-time threat detection • Forensic analysis capabilities for cyber security • Detect threats early using timely reputation data with HP RepSM HP ArcSight Logger With HP ArcSight Logger you can improve everything from compliance and risk management, security intelligence and IT operations to efforts that prevent insider and advanced persistent threa
PAGE 6
Technical white paper Typical deployment scenarios Security and log event information is captured at the host and application level. Events can be sent directly to an HP ArcSight Logger or HP ArcSight ESM. HP ArcSight Connectors can be used to normalize the log data into the Common Event Format (CEF). The Common Event Format presents log data from various vendors to the HP ArcSight ESM and HP ArcSight Logger in a standardized format for searching and correlation.
PAGE 7
Technical white paper Sending events to HP ArcSight Logger using Connectors HP ArcSight Connectors can be installed on CloudSystem Enterprise host operating systems to collect operating system event information. This information is converted to the standard CEF format at each host by the HP ArcSight Connector. Log events are collected by the HP ArcSight Connectors and sent to a SmartMessage receiver configured on the HP ArcSight Logger.
PAGE 8
Technical white paper Sending events to HP ArcSight ESM using Connectors The HP ArcSight Connectors can also send CEF formatted log data directly to the HP ArcSight ESM as shown in Figure 4 below. This is useful for monitoring high value assets by the HP ArcSight ESM. Connectors can be configured to send log data to multiple locations simultaneously, for example to both the HP ArcSight Logger and HP ArcSight ESM. Figure 4.
PAGE 9
Technical white paper Devices As systems connect to the HP ArcSight Logger, either through the UDP receiver or the SmartMessage receiver, they will automatically be registered and displayed in the Devices section of the HP ArcSight Logger Configuration interface. Figure 6. Devices registered with the ArcSight Logger Grouping devices Device Groups can be created in the HP ArcSight Logger. In Figure 7 below, we have created a device group named CSE.
PAGE 10
Technical white paper Forwarding events to HP ArcSight ESM The HP ArcSight Logger can be used to aggregate events and forward specific events to an HP ArcSight ESM system for further analysis and correlation. To accomplish this, forwarders are created in the HP ArcSight Logger > Configuration > Event Output interface. The forwarders are configured to send log data to an ESM Destination.
PAGE 11
Technical white paper We can also forward events from specific devices or device groups. In our example in Figure 10, we have created a forwarder based on a device group named CSE and a forwarder named CSE Application Events. All events from systems that are part of the device group CSE will be forwarded to the HP ArcSight ESM. Figure 10. Event Forwarding based on a Device Group Below in Figure 11, you can see the two forwarders that were created: CSE Application Events and Windows Logon Failures.
PAGE 12
Technical white paper Cloud Service Automation 3.1 Monitoring of events that occur in the core applications that comprise HP CloudSystem Enterprise: CSA, OO, HPIO, UCMDB, and SiteScope, is thoroughly documented in the Cloud Service Automation 3.1 documentation, HP Cloud Service Automation 3.10 Integration with ArcSight Logger document ID KM00231339 . Access to this document requires an HP Passport account.
PAGE 13
Technical white paper The events captured from the log4j application logs will be sent to the HP ArcSight Logger and then select events can be configured and forwarded to the HP ArcSight ESM manager via the Logger2ESM connector described earlier. The “log4j.appender.cef1.hostName=192.x.x.x” line in the log4j.properties file specifies the HP ArcSight Logger IP Address.
PAGE 14
Technical white paper HP Virtual Connect To enable HP Virtual Connect (VC) to be monitored and viewed in HP ArcSight Logger and HP ArcSight ESM, you need to point the internal system log of the VC to the HP ArcSight Logger.
PAGE 15
Technical white paper Figure 14. Enabling Virtual Connect Remote System Logging • Select “Test”. By doing so, a test message is sent to the Logger. If everything is working, you should see the IP or the host name of the HP Virtual Connect Manager registered in HP ArcSight Logger in the “Configuration -> Devices” page (Figure 6) • Once you have validated that your VCM is communicating properly with HP ArcSight Logger, sign out and close the VCM window.
PAGE 16
Technical white paper Figure 15. Setting the ESXi Syslog.global.logHost variable • Select “OK”. • Select “Security Profile” under the “Software” group box – To the right of “Firewall” select “Properties” Figure 16.
PAGE 17
Technical white paper – In the “Firewall Properties” window, scroll down the list until you see “syslog” and select the check box to enable it (Figure 17). Figure 17.
PAGE 18
Technical white paper – Optionally, you can select the “Firewall…” button, select the “Only allow connections from the following networks” radio button, and specify your HP ArcSight Logger server or external syslog server for added security. (Figure 18) Figure 18. Restricting outbound syslog traffic from the VMware ESXi Host to HP ArcSight Logger – Select “OK” on the “Firewall Settings” and/or “Firewall Properties” windows.
PAGE 19
Technical white paper Figure 19. Selection of “VMware Web Services” • Select the “Details” tab and select “Copy to File…” – Select “Next >” on the Welcome screen – Select “Base-64 encoded X.509 (.CER)” and select “Next >” – Select “Browse” and save the file to a location on your local disk and select “Next >” – Select “Finish” • Now open a command window. If you are not logged in as Administrator you will need to run the command window with “Run as administrator”.
PAGE 20
Technical white paper Figure 20. Selection of “VMware Web Services” Connector • Select “true” for the “ValidateCert” option, then select “Next >” • Select “Add” on the “Enter the device details” window and enter the following: – Host – Host name or IP address of the VMware Web Services device. – User – User name for accessing VMware Web Services. It is strongly recommended for security reasons to use or create a user in vCenter that only has Read-Only permissions to what you want monitored.
PAGE 21
Technical white paper Figure 21. Example of completed Connector VMware Web Services device details – NOTE: If you get an information dialog box stating the Connector table parameters did not pass the verification with error[0:Unable to open a connection to[localhost]], then your certificate was not imported correctly or was the wrong certificate. You need to re-run the keytool and possibly export the certificate again to rectify the issue before continuing.
PAGE 22
Technical white paper HP TippingPoint Security Management System (SMS) Appliance The TippingPoint product has two types of devices, sensors and SMS devices, that act as the management console and central logging point. The SMS provides a separate syslog output format option that works with third-party network security devices and host applications.
PAGE 23
Technical white paper • Select “Add” on the “Enter the device details” window and enter the following: – Host – Host name or IP address of the HP TippingPoint SMS – User – User name for accessing HP TippingPoint SMS. It is strongly recommended for security reasons to use or create a user in HP TippingPoint SMS that only has Read-Only permissions to what you want monitored. You could grant that user permissions to the entire HP TippingPoint SMS or just particular devices, segment groups, profiles, etc.
PAGE 24
Technical white paper • Log into the HP TippingPoint SMS and navigate to “Admin > Server Properties > Syslog” – Select the “New…” button and fill in the information for the system you just installed the HP TippingPoint SMS connector on. You can set up multiple Facilities and Severity levels as needed for your configuration. An example is given in Figure 24. Figure 24.
PAGE 25
Technical white paper Protecting CloudSystem Enterprise Services with HP ArcSight In addition to protecting the HP CloudSystem Enterprise core components that are responsible for supply and delivery of cloud services, the cloud services should also be protected upon provisioning. In this section we will demonstrate how to integrate the HP ArcSight Connector installation and configuration to dynamically connect to the HP ArcSight ESM and HP ArcSight Logger.
PAGE 26
Technical white paper The zip file is then imported into Server Automation. Add a Post-Install script as seen in Figure 27 to run the silent installer and start the service after deployment. Figure 27. Policy Properties The response file ASLinuxAudit.props was created by manually deploying the ArcSight Smart connector for Linux and issuing the command runagentsetup.sh –i recorderui and specifying a response file name. The complete response file is found in Appendix A.
PAGE 27
Technical white paper Figure 28. Policy Items Including the ArcSightSecurityPackages policy into the MariaDB-RHEL6 and ApacheWordPress-RHEL6 policies will automatically deploy the ArcSight Smart Connector for Linux audit logger to the database and web servers and start logging events to ArcSight Logger. The linux_auditd events are visible from the summary page of the ArcSight Logger under Agent Type and the nodes will be displayed in the Configuration > Devices section of the HP ArcSight Logger.
PAGE 28
Technical white paper log4j.appender.cef1=com.hp.esp.arcsight.cef.appender.Log4jAppender log4j.appender.cef1.deviceVendor=HP log4j.appender.cef1.deviceProduct=CSA log4j.appender.cef1.deviceVersion=3.1 log4j.appender.cef1.transportType=SYSLOG log4j.appender.cef1.hostName=192.x.x.x log4j.appender.cef1.port=514 log4j.appender.cef1.layout=org.apache.log4j.PatternLayout log4j.appender.cef1.layout.ConversionPattern=%d [%-18t -%x] %-5p %C.%M - %m%n log4j.appender.cef1.useCefHeader=true log4j.appender.cef1.
PAGE 29
Technical white paper HP ArcSight ESM – Viewing Events with Active Channels Events can be viewed in the ESM using an Active Channel. To view events forwarded to the HP ArcSight ESM from the ArcSight Logger, right click on the logger connector and set as current filter. This will display all current events as shown in Figure 31. Figure 31. ArcSight EMS Manager Logger2ESM Connector To test our failed login forwarder created earlier, we will attempt to login to oo.fog.cloud.internal.
PAGE 30
Technical white paper Figure 33. View of Failed Logons with additional fields Click on the event to view the event details. Looking at the details we can see details of the failed logon attempt. The Figure below (Figure 34) shows some of the possible event information that is collected by the Connector when the Failed Logon event is triggered, any of the fields in the event details can be used as search criteria for queries and rules described later in this document. Figure 34.
PAGE 31
Technical white paper Zones High value assets can be grouped into Zones. A Zone is based on a range of IP Addresses which can be used as a filter to search and view log activity. Figure 35. ArcSight ESM Manager Zones Grouping of machines by zones allows the ArcSight administrator to monitor the high value assets; we have grouped the CloudSystem Enterprise server nodes in the Zone named CloudSystem Enterprise. Figure 36.
PAGE 32
Technical white paper Figure 37. ESM Query Failed Logon – General In the Fields tab we can select which event fields we want to return and display when the Query is executed. Using the failed logon event we’ll display the Category Outcome, Category Behavior, Target Address, Target Host Name and Attacker User Name, as illustrated in Figure 38. Figure 38. ESM Query Failed Logon – Fields Next we’ll select the conditions that must be met to satisfy our Query.
PAGE 33
Technical white paper Next we’ll create a query viewer that will be used to execute our Failed Logon Query. We’ve named this Query Viewer “Failed Logons” and selected our Failed Logon Query in the Query field. Figure 40. ESM Query Viewer Failed Logon – Attributes By default the Query data will be refreshed every 15 minutes. When we execute our Failed Logon Query using the Failed Logon Query Viewer all events that meet our query criteria are displayed.
PAGE 34
Technical white paper Rules Rules are used to trigger an Action when a specific event or event(s) occur. Keeping with our Failed Logon example we are going to create a Rule named Failed Logon Notify that will trigger an email when three failed logons occur on the same host within two minutes. The Rules configuration is similar to the Query configuration. Use the Rule Editor to define the Conditions.
PAGE 35
Technical white paper Cloud Security Alliance The Cloud Security Alliance is a not-for-profit-organization that provides guidance, education, and promotes best practices for security in cloud computing. The Cloud Security Alliance’s mission statement is: “To promote the use of best practices for providing security assurance within cloud computing, and provide education on the uses of cloud computing to help secure all other forms of computing.
PAGE 36
Technical white paper Table 1. Security controls Control Number Description HP ArcSight Information Security – User Access Reviews IS-10 All levels of user access shall be reviewed by management at planned intervals and documented. For access violations identified, remediation must follow documented access control policies and procedures.
PAGE 37
Technical white paper # What would you like to do? # # Please select one of the following options : # # 0 - Add a Connector(addconnector) # 1 - Enable FIPS mode(setfipsmode) # containeroperation=addconnector # ========================================================= # Panel 'connectortype' # ========================================================= # Select the connector to configure # # Type connectortype.
PAGE 38
Technical white paper # ========================================================= # Panel 'connectordetails' # ========================================================= # Enter the connector details # # Name connectordetails.name=LinuxAudit # Location connectordetails.location=Houston # DeviceLocation connectordetails.devicelocation=Houston # Comment connectordetails.
PAGE 39
Technical white paper For more information Learn more at hpenterprisesecurity.com/products To read more about CloudSystem Enterprise go to hp.com/go/cloudsystementerprise Understanding the HP CloudSystem reference architecture http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA3-4548ENW For more information about the Cloud Security Alliance https://cloudsecurityalliance.org/ To help us improve our documents, please provide feedback at hp.com/solutions/feedback. Sign up for updates hp.