Difference: ActivatePhilosophyDFM (1 vs. 6)

Revision 6
16 Aug 2018 - Main.OswaldoDimas
Line: 1 to 1
 
META TOPICPARENT name="ActivatePhilosophyALC"
<--WYSIW-->
Line: 8 to 8
 

Introduction

Changed:
<
<
The Multi-Sensor Data Fusion Model is the core of the ArcSight Activate Framework. The DataFusionModel-walkthrough.pdf document provides a more detailed description of how it works. There is also a video with a simple example of data fusion.
>
>
The Multi-Sensor Data Fusion Model is the core of the ArcSight Activate Framework. The DataFusionModel-walkthrough.pdf document provides a more detailed description of how it works. There is also a video with a simple example of data fusion.
 

Data Fusion Model Overview Graphic

  • MSDFMcycle.png

Data Fusion Model Overview Table

Revision 5
13 Aug 2018 - Main.YunPeng
Line: 1 to 1
 
META TOPICPARENT name="ActivatePhilosophyALC"
<--WYSIW-->
Line: 23 to 23
  This includes content from both product packages and L1 packages. At L1, we are focused on understanding the fundamental meaning of an event from the device.

Level 2 - Situational Awareness (Situational Refinement)

Changed:
<
<
At L2, we add context that is specific to the network, e.g., the Network Model or the Asset Model, or context that is specific to the Internet through use of threat intelligence data. We can think of some threat intelligence data as network modeling or asset modeling of parts of the Internet. That is, of course, an over-simplification, but it does help with understanding what kind of context we're adding at this level. Any information that is used to enrich events at this level is specific to that network. For example, prentice.hayes@microfocus.com may be an administrator on one network, but isn't likely to exist, much less be an administrator, on your network.
>
>
At L2, we add context that is specific to the network, e.g., the Network Model or the Asset Model, or context that is specific to the Internet through use of threat intelligence data. We can think of some threat intelligence data as network modeling or asset modeling of parts of the Internet. That is, of course, an over-simplification, but it does help with understanding what kind of context we're adding at this level. Any information that is used to enrich events at this level is specific to that network. For example, someone may be an administrator on one network, but isn't likely to exist, much less be an administrator, on your network.
 

Notes on L1 and L2

There are some aspects of L1 that are often confused with L2, and that confusion is usually based on topics such as privileged accounts, critical services, etc.
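Review bot: replacing the e-mail address with "someone" in the Level 2 paragraph removes the point the example was making, since the sentence "someone may be an administrator on one network, but isn't likely to exist, much less be an administrator, on your network" no longer names a specific identity that is local to one network. Suggest a clearly fictitious placeholder identity instead, e.g. "a user account such as jdoe may be an administrator on one network, but isn't likely to exist, much less be an administrator, on your network", so the example still illustrates why account context is network-specific L2 data.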
Revision 4
03 Nov 2017 - Main.PrenticeHayes
Line: 1 to 1
 
META TOPICPARENT name="ActivatePhilosophyALC"
<--WYSIW-->
Line: 17 to 17
 

Distinctions between the Levels

Level 0 - Data Refinement

Changed:
<
<
This is the Data Refinement level. For ArcSight, this includes the auditing and logging configurations of the devices. We are assuming that you are following best practices for any given device or product with respect to that device's functionality. We also include the log data collection mechanism in this level, i.e., the connectors.
>
>
This is the Data Refinement level. For ArcSight, this includes the auditing and logging configurations of the devices. We are assuming that you are following best practices for any given device or product with respect to that device's functionality. We also include the log data collection mechanism in this level, i.e., the connectors.
 

Level 1 - Indicators and Warnings (Object Refinement)

Changed:
<
<
This includes content from both product packages and L1 packages.
>
>
This includes content from both product packages and L1 packages. At L1, we are focused on understanding the fundamental meaning of an event from the device.

Level 2 - Situational Awareness (Situational Refinement)

At L2, we add context that is specific to the network, e.g., the Network Model or the Asset Model, or context that is specific to the Internet through use of threat intelligence data. We can think of some threat intelligence data as network modeling or asset modeling of parts of the Internet. That is, of course, an over-simplification, but it does help with understanding what kind of context we're adding at this level. Any information that is used to enrich events at this level is specific to that network. For example, prentice.hayes@microfocus.com may be an administrator on one network, but isn't likely to exist, much less be an administrator, on your network.

Notes on L1 and L2

 

There are some aspects of L1 that are often confused with L2, and that confusion is usually based on topics such as privileged accounts, critical services, etc.

To resolve some of this, we have stopped referring to "critical services," using the term "essential services," instead. There is a definite difference between a "critical service" and a "critical host." For example, the network service on any host is critical to that host's capability to participate on the network, but that does not make that host "L2." Therefore, we now say that services such as the network service are "essential."
Changed:
<
<
With privileged accounts, however, things are a bit different. One would normally consider a privileged account to be L2 data. However, this is not true for default privileged accounts, e.g., the Windows Administrator default account, or the *nix root account. In this case, we need to make the distinction between default privileged accounts and custom privileged accounts. A default account, regardless of its privileges, exists on every system (until and if it is removed after deployment), regardless of who owns that system. Every Windows system has a set of default accounts and groups.
>
>
With privileged accounts, however, things are a bit different. One would normally consider a privileged account to be L2 data. However, this is not true for default privileged accounts, e.g., the Windows Administrator default account, or the *nix root account. In this case, we need to make the distinction between default privileged accounts and custom privileged accounts. A default account, regardless of its privileges, exists on every system (until and if it is removed after deployment), regardless of who owns that system. Every Windows system has a set of default accounts and groups. This information doesn't become L2 until custom accounts are added to the default groups, or custom groups are created.

Level 3 - Impact and Threat Analysis (Impact Refinement or Threat Refinement)

This level is concerned with tracking the activity of entities (systems and accounts, including user accounts, service accounts, etc.), across the ArcSight Attack Life Cycle, as well as tracking the states of the entities, both internal and external.

Level 4 - Process Refinement

This level is concerned with everything from the devices, through the connectors, through the content, to the analysts' workflow and security team's operations, and how it works. This includes tuning the content, if necessary, tracking metrics on the case load of the analysts and related teams, to gap analysis, both for devices protecting your network and content to monitor the output of all your devices and coverage of the use cases with which you and your organization are concerned.
 

--
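Review bot: the sentence added at the end of the privileged-accounts paragraph, "This information doesn't become L2 until custom accounts are added to the default groups, or custom groups are created.", settles the L1/L2 boundary but leaves "default groups" undefined, while the paragraph's examples only name default accounts (Windows Administrator, *nix root). Suggest naming the built-in groups meant (e.g. the local Administrators group on Windows) so a reader can tell which group-membership changes push the data from L1 into L2.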
Revision 3
03 Nov 2017 - Main.PrenticeHayes
Line: 1 to 1
 
META TOPICPARENT name="ActivatePhilosophyALC"
<--WYSIW-->
Line: 10 to 10
 

The Multi-Sensor Data Fusion Model is the core of the ArcSight Activate Framework. The DataFusionModel-walkthrough.pdf document provides a more detailed description of how it works. There is also a video with a simple example of data fusion.

Data Fusion Model Overview Graphic

Changed:
<
<

MSDFMcycle.png
>
>
  • MSDFMcycle.png
 

Data Fusion Model Overview Table

Added:
>
>
  • DFMstack.png

Distinctions between the Levels

Level 0 - Data Refinement

This is the Data Refinement level. For ArcSight, this includes the auditing and logging configurations of the devices. We are assuming that you are following best practices for any given device or product with respect to that device's functionality. We also include the log data collection mechanism in this level, i.e., the connectors.

Level 1 - Indicators and Warnings (Object Refinement)

This includes content from both product packages and L1 packages.

There are some aspects of L1 that are often confused with L2, and that confusion is usually based on topics such as privileged accounts, critical services, etc.

To resolve some of this, we have stopped referring to "critical services," using the term "essential services," instead. There is a definite difference between a "critical service" and a "critical host." For example, the network service on any host is critical to that host's capability to participate on the network, but that does not make that host "L2." Therefore, we now say that services such as the network service are "essential."

With privileged accounts, however, things are a bit different. One would normally consider a privileged account to be L2 data. However, this is not true for default privileged accounts, e.g., the Windows Administrator default account, or the *nix root account. In this case, we need to make the distinction between default privileged accounts and custom privileged accounts. A default account, regardless of its privileges, exists on every system (until and if it is removed after deployment), regardless of who owns that system. Every Windows system has a set of default accounts and groups.
 
Changed:
<
<
DFMstack.png
>
>
--
 
Changed:
<
<
-- PrenticeHayes - 24 May 2017
>
>
PrenticeHayes - 24 May 2017
 

META FILEATTACHMENT attachment="DataFusionModel-walkthrough.pdf" attr="" comment="" date="1509663291" name="DataFusionModel-walkthrough.pdf" path="DataFusionModel-walkthrough.pdf" size="258820" user="PrenticeHayes" version="2"
META FILEATTACHMENT attachment="DFMstack.png" attr="" comment="" date="1509663251" name="DFMstack.png" path="DFMstack.png" size="169123" user="PrenticeHayes" version="2"
Revision 2
02 Nov 2017 - Main.PrenticeHayes
Line: 1 to 1
 
META TOPICPARENT name="ActivatePhilosophyALC"
Added:
>
>
<--WYSIW-->

<--YG content - do not remove this comment, and never use this identical text in your topics-->
 

ArcSight Multi-Sensor Data Fusion Model

Added:
>
>

Introduction

  The Multi-Sensor Data Fusion Model is the core of the ArcSight Activate Framework. The DataFusionModel-walkthrough.pdf document provides a more detailed description of how it works. There is also a video with a simple example of data fusion.
Added:
>
>

Data Fusion Model Overview Graphic

 
Changed:
<
<
DFMstack.png
>
>
MSDFMcycle.png

Data Fusion Model Overview Table

 
Changed:
<
<
MSDFMcycle.png
>
>
DFMstack.png
 

-- PrenticeHayes - 24 May 2017
Changed:
<
<
META FILEATTACHMENT attachment="DataFusionModel-walkthrough.pdf" attr="" comment="" date="1495632981" name="DataFusionModel-walkthrough.pdf" path="DataFusionModel-walkthrough.pdf" size="224500" user="PrenticeHayes" version="1"
META FILEATTACHMENT attachment="DFMstack.png" attr="" comment="" date="1495634106" name="DFMstack.png" path="DFMstack.png" size="68628" user="PrenticeHayes" version="1"
META FILEATTACHMENT attachment="MSDFMcycle.png" attr="" comment="" date="1495634129" name="MSDFMcycle.png" path="MSDFMcycle.png" size="100490" user="PrenticeHayes" version="1"
>
>
META FILEATTACHMENT attachment="DataFusionModel-walkthrough.pdf" attr="" comment="" date="1509663291" name="DataFusionModel-walkthrough.pdf" path="DataFusionModel-walkthrough.pdf" size="258820" user="PrenticeHayes" version="2"
META FILEATTACHMENT attachment="DFMstack.png" attr="" comment="" date="1509663251" name="DFMstack.png" path="DFMstack.png" size="169123" user="PrenticeHayes" version="2"
META FILEATTACHMENT attachment="MSDFMcycle.png" attr="" comment="" date="1509663274" name="MSDFMcycle.png" path="MSDFMcycle.png" size="197894" user="PrenticeHayes" version="2"
 