Activate Framework Installation and Configuration

Introduction

The Activate Framework is NOT just content. It is an end-to-end framework for getting the most out of your security tools. The framework is designed with these factors in mind:
  • A (security) device is useless if it is improperly configured. This means it should be configured to operate using the best practices for that device AND its auditing should be configured to log the things necessary to detect the actions that the device is designed to perform.
  • The ArcSight connectors should be configured and tuned to get the relevant information into ArcSight ESM. This includes validation that the device logs are properly normalized (parsed), with the data mapped to the proper ArcSight Security Event Schema fields, and properly categorized.
  • The ArcSight ESM content (the Activate Content) needs to follow content development best practices, but more importantly, identify the events from the devices it needs in order to address the use cases it was written to support.
  • The ESM content also needs to assist security analysts in determining what is immediately important and actionable. For this, we have the Activate Workflow, which is based off the Micro Focus ArcSight SIOC workflow.
  • Part of the Activate Framework's workflow is process refinement. Tuning rules, updating the Network Model, updating the Asset Model, and regularly reviewing the entries in the Suppression Lists are all part of this. Identifying gaps in security coverage, identifying new use cases, and retiring old use cases (i.e., your content should fall under a Software Development Life Cycle) are also important.

Prerequisites

Most people make the mistake of installing all the content, all at once, then wondering why nothing is working. The most common complaint is "I installed L1-X, and all the rules point to filters that are blank, and nothing works!" This is, of course, the way the system is designed. The L1 packages are dependent upon the Product packages. The Product packages have configuration steps that tell you how to update the proper L1 filters so that the content will work.

This, along with the points in the introduction, means that you should not just blindly start installing content! If anyone ever tells you that all you need to do is plug their device into your network and it will automagically start finding bad guys, they're naive, or they're just trying to make a sale. You spent a lot of time designing and implementing your network, then a lot more time designing and implementing your security program. Plug and Play isn't suddenly going to work, in spite of our goal to make it as easy as possible. We're security people; paranoia is an occupational requirement, if not hazard. Trust, but verify!

Please read the steps below. Plan out how you want to proceed, then do so purposefully and precisely. Don't lose sight of your big picture, and you will be successful!

Planning

The first thing you should do is identify the use cases you need and can address the soonest. Maybe your perimeter devices or your network devices are easier for your team to access than your servers or applications. You will want to cover as much as possible as quickly as possible, but rushing in will result in frustration and have an impact on your analysts' confidence. Go to the ArcSight Marketplace and identify the Activate Product Packages that match the devices you have. Review the configuration procedures for those product packages in this documentation (the Activate Wiki), and see which L1 packages they support. Look at the recommended device auditing settings for your selected devices. Look at the connector settings recommendations for your selected devices. Look at the product packages' test and acceptance plans. Review the Activate Packages, looking at the L1 packages that your product packages support. Then, once you've figured out which L1 package and which product packages you want to install, download them, and don't forget to download and install Activate Base first (and even that should be planned!).

Ideally, content is installed after the devices have been configured and the connector has been properly tuned. It is possible that the product packages could have some content that can help with the connector tuning.

Deploying the Activate Framework is a multi-phased, iterative project. If you plan it well, execute it well, and follow the outlined installation steps, you will see incremental improvement and success, and your analysts will begin to appreciate all the work that you have done.

Installation

  1. Select an L1 package (for most installations, Perimeter Monitoring or Network Monitoring is a good first package).
  2. Install Activate Base and your selected L1 package.
  3. Select a Product Package that supports your selected L1 package.
  4. Get the Product Package's device configured.
  5. Get the Product Package's connector tuned and sending the right events.
  6. Install the product package that supports your installed L1 package.
  7. Get the system running coherently (run through the product package test plan, check the Main Channel and System Monitored Channel).
  8. If you have more product packages that support your selected and installed L1 package, install them (repeat steps 3-7 until complete and the system is stable).
  9. You now have a choice. You can install another L1 package, or you can start preparing for L2. If you select another L1 package, repeat steps 1-8. At some point, you will get to the next steps.
  10. Start on your Network Model. The fundamental starting point is identifying what is internal.
  11. Start on the Asset Model. The primary task is to identify the assets; the secondary task is to categorize them. Start asset category assignments with your DNS servers (L2 Perimeter Monitoring needs this)!
  12. Select an L2 package for an L1 package you already have and install it.
  13. Iteratively improve the Network Model. This is an ongoing process, as networks are never static.
  14. Iteratively improve the Asset Model. This is an ongoing process, as networks are never static (assets are added, replaced, etc.).
  15. Get the system running coherently (Check the Main Channel and System Monitored Channel).
  16. Repeat steps 13-15 until the system is stable.
  17. Repeat steps 12-16 until all the L2 packages are installed.

Testing and QA

Every network is different in some way. There are some common elements, but there is always something happening with any network infrastructure. Setting up a test environment is a best practice. Testing the Activate Framework content in a test environment, especially one that has the same events from the devices as your production environment, will give you a really good idea of the impact of the content on your production system. Once you understand the impact of your first L1 and product package combination, and you see how the workflow operates and have run through the product package's test plan, you will be more confidently able to proceed.

If you don't have a test environment, we strongly recommend that you build one. But if you cannot, at least within the time you have for deployment, then we highly recommend that you proceed very carefully, and in much more deliberate stages. Don't risk unnecessary downtime because of a rush to get content up and running. Install an L1 package and a supporting product package, do all the required configuration, then watch and analyze your system for at least a day. See how peak periods affect performance and which rules tend to fire. Get a feeling for how the system is doing overall and make sure you are comfortable with it before installing the next product package or L1 and product package combination.

Next Steps

Once you have your system installed and running the Activate Framework, you are likely to run into new requirements. Perhaps the product package for one or more of your devices does not yet exist. Protect724's Activate Framework group has an Activate Development page where you can see if anyone has requested a product package for a device, and whether anyone is actively working on it. You can add your device to the list. If you feel that you can contribute to a product package, or need to build your own content to address use cases specific to your enterprise, you can start building your content using the Activate Framework best practices, and leverage all the resources we've built for everyone's benefit. If you're not confident enough to build your own product packages or content, our services organization will be happy to help you, and there is training available for content and use case development. Other members of the Activate Community will also help, if you ask the right questions in the right forum on Protect724. The Activate Community is made up of Micro Focus ArcSight employees, partners, and customers.

-- GeorgeBoitano - 21 Jan 2016
Topic revision: r6 - 17 Aug 2018, YunPeng