Difference: ActivatePhilosophyDFM (r6 vs. r5)

ArcSight Multi-Sensor Data Fusion Model


The Multi-Sensor Data Fusion Model is the core of the ArcSight Activate Framework. The DataFusionModel-walkthrough.pdf document provides a more detailed description of how it works. There is also a video with a simple example of data fusion.

Data Fusion Model Overview Graphic

  • MSDFMcycle.png

Data Fusion Model Overview Table

  • DFMstack.png

Distinctions between the Levels

Level 0 - Data Refinement

This is the Data Refinement level. For ArcSight, this includes the auditing and logging configurations of the devices. We are assuming that you are following best practices for any given device or product with respect to that device's functionality. We also include the log data collection mechanism in this level, i.e., the connectors.

Level 1 - Indicators and Warnings (Object Refinement)

This includes content from both product packages and L1 packages. At L1, we are focused on understanding the fundamental meaning of an event from the device.

Level 2 - Situational Awareness (Situational Refinement)

At L2, we add context that is specific to the network, e.g., the Network Model or the Asset Model, or context that is specific to the Internet through use of threat intelligence data. We can think of some threat intelligence data as network modeling or asset modeling of parts of the Internet. That is, of course, an over-simplification, but it does help with understanding what kind of context we're adding at this level. Any information that is used to enrich events at this level is specific to that network. For example, someone may be an administrator on one network, but isn't likely to exist, much less be an administrator, on your network.

Notes on L1 and L2

There are some aspects of L1 that are often confused with L2, and that confusion is usually based on topics such as privileged accounts, critical services, etc.

To resolve some of this, we have stopped referring to "critical services," using the term "essential services," instead. There is a definite difference between a "critical service" and a "critical host." For example, the network service on any host is critical to that host's capability to participate on the network, but that does not make that host "L2." Therefore, we now say that services such as the network service are "essential."

With privileged accounts, however, things are a bit different. One would normally consider a privileged account to be L2 data. However, this is not true for default privileged accounts, e.g., the Windows Administrator default account, or the *nix root account. In this case, we need to make the distinction between default privileged accounts and custom privileged accounts. A default account, regardless of its privileges, exists on every system (until and if it is removed after deployment), regardless of who owns that system. Every Windows system has a set of default accounts and groups. This information doesn't become L2 until custom accounts are added to the default groups, or custom groups are created.

Level 3 - Impact and Threat Analysis (Impact Refinement or Threat Refinement)

This level is concerned with tracking the activity of entities (systems and accounts, including user accounts, service accounts, etc.), across the ArcSight Attack Life Cycle, as well as tracking the states of the entities, both internal and external.

Level 4 - Process Refinement

This level is concerned with everything from the devices, through the connectors, through the content, to the analysts' workflow and security team's operations, and how it works. This includes tuning the content, if necessary, tracking metrics on the case load of the analysts and related teams, to gap analysis, both for devices protecting your network and content to monitor the output of all your devices and coverage of the use cases with which you and your organization are concerned.


PrenticeHayes - 24 May 2017

View topic | View difference side by side | History: r6 < r5 < r4 < r3 | More topic actions
This site is powered by FoswikiCopyright &© by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback