Wednesday, June 2, 2010

"Good enough" ArcSight/Use Cases

There have been a couple of articles popping up here and there that seem to have their basis in Duncan Hoopes’ FUDsec article on things being “good enough” – well, if not their basis then a similar theme.

Last week I took some time to drill into several Win2k8 failed login events and how ArcSight was parsing them. For event 4625 (which replaced 10 Win2k3 events) I was surprised to find a rather key piece of data – the sub status code – stuck in a field you can’t query on, and not consistent with where the same data was parsed and dumped for the corresponding Win2k3 events. What is key about these codes is that they let the reader know WHAT the condition was surrounding this particular login failure: user account doesn’t exist, account was locked out, account is currently disabled, etc. It would be easy to ask why ArcSight hasn’t “fixed” this issue. The better question to me, though, is why nobody over the two-plus years that the OS has been out has actually brought the issue up to ArcSight in the first place.

Maybe I look at our service contract differently than others do, and honestly you can build an override relatively easily, bypass the issue and move on. Why not bring it up and try to get the thing fixed at a macro level… unless people don’t have content that involves that data and aren’t looking at it anyway? Is this a case of simply getting the ball on the green, where wrapping your arms around just the event is good enough? Don’t get me wrong, I don’t have a ton of content built around each of the sub messages, but I do throw them into the Trend that is tracking failed logins, where they eventually show up in multiple reports. I mean, wouldn’t you want to differentiate between 600 failed login attempts that happened because some idiot used his domain credentials on a service account and didn’t change the password, vs. 600 failed login attempts for an account that didn’t exist?
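To make the distinction in the last paragraph concrete, here is an added example (mine, not the post's own content and not ArcSight parser logic) that decodes the SubStatus field of a 4625 record, counts failures per account and reason, and separates the two cases contrasted above: repeated wrong-password failures for one account from one source (a stale credential on a service or scheduled task) versus a run of failures for account names that do not exist (guessing or enumeration). The SubStatus values are the documented NTSTATUS codes Windows writes into the event; the event records, source addresses and account names are constructed for the example, and the threshold of three is an arbitrary assumption.

```python
"""Decode the SubStatus codes carried by Windows Security event 4625 and split
failed logons by cause. Added illustration, not ArcSight content or the post's
own code; the events below are constructed, not captured from a real DC."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS values Windows writes to the SubStatus field of event 4625.
SUBSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "wrong password",
    0xC000006D: "bad user name or authentication information",
    0xC000006F: "logon outside authorised hours",
    0xC0000070: "logon from unauthorised workstation",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC0000133: "clock skew too large",
    0xC000015B: "logon type not granted",
    0xC0000193: "account expired",
    0xC0000234: "account locked out",
}


def describe_substatus(code: str) -> str:
    """Map the hex string found in EventData (e.g. '0xc0000064') to a reason."""
    try:
        value = int(code, 16)
    except (TypeError, ValueError):
        return f"unparseable sub status {code!r}"
    return SUBSTATUS.get(value, f"unknown sub status {value:#010x}")


def parse_4625(xml_text: str) -> dict:
    """Pull the fields a failed-logon use case needs out of the event XML."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "account": data.get("TargetUserName", ""),
        "workstation": data.get("WorkstationName", ""),
        "source_ip": data.get("IpAddress", ""),
        "status": data.get("Status", ""),
        "substatus": data.get("SubStatus", ""),
        "reason": describe_substatus(data.get("SubStatus", "")),
    }


def make_event(account, substatus, src, workstation="WS01", status="0xc000006d"):
    """Build a constructed 4625 record in the Windows event XML layout (sample data)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="TargetUserName">{account}</Data>
    <Data Name="Status">{status}</Data>
    <Data Name="SubStatus">{substatus}</Data>
    <Data Name="WorkstationName">{workstation}</Data>
    <Data Name="IpAddress">{src}</Data>
  </EventData>
</Event>"""


# Constructed sample: a scheduled task still using a rotated password, a host
# guessing names that do not exist, and one genuine lockout.
SAMPLE_EVENTS = (
    [make_event("svc_backup", "0xc000006a", "10.0.0.5", "BACKUP01")] * 4
    + [make_event(n, "0xc0000064", "10.0.0.99", "-") for n in ("admin", "test", "root")]
    + [make_event("jdoe", "0xc0000234", "10.0.0.23", "WS-JDOE")]
)


def summarize(events):
    """Count failures per (account, reason), the split the post wants in its Trend."""
    return Counter((e["account"].lower(), e["reason"]) for e in events)


def triage(events, threshold=3):
    """Separate stale-credential noise from guessing against nonexistent accounts."""
    wrong_pw = Counter(
        (e["account"].lower(), e["source_ip"]) for e in events if e["reason"] == "wrong password"
    )
    missing = defaultdict(list)  # source ip -> nonexistent names tried from it
    for e in events:
        if e["reason"] == "user name does not exist":
            missing[e["source_ip"]].append(e["account"].lower())
    findings = []
    for (account, src), n in wrong_pw.items():
        if n >= threshold:
            findings.append({"kind": "stale-credential", "account": account, "source": src, "count": n})
    for src, names in missing.items():
        if len(names) >= threshold:
            findings.append({"kind": "enumeration", "source": src, "accounts": sorted(set(names)), "count": len(names)})
    return findings


if __name__ == "__main__":
    parsed = [parse_4625(x) for x in SAMPLE_EVENTS]
    for (account, reason), n in summarize(parsed).items():
        print(f"{n:4d}  {account:<12} {reason}")
    for finding in triage(parsed):
        print(finding)
```

The point of keeping `reason` as its own field rather than folding it into a free-text message is that the per-reason counts can then feed a trend or report directly; 600 wrong-password failures from one backup server and 600 nonexistent-account failures from one workstation produce very different findings here, while an unparsed SubStatus would collapse both into "600 failed logins".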

4 comments:

  1. Mark, just FYI, this issue has been addressed in more recent connector builds (specifically v4.8.2 and beyond). I won't comment on why adoption of Win 2008 may not have happened as soon as Microsoft released it :-)

    Thanks for the feedback,
    Bob (yes, I am an ArcSight employee)

  2. Thanks for stopping by and posting Bob. I should note that my post was done after v5.0.0.5560 was released.

    At any rate, the main purpose of my post wasn't to come down overly hard on ArcSight. Supporting 200-250 COTS titles is a little tough, really, so I get the odd bit of data in the wrong field. This was more of a general musing on why this issue is only coming to the surface now from the user base. I also hadn't accounted for OS adoption rate. I'm sure we aren't the only company only just now rolling DCs to 2008. I do hope the action on the AS user boards allows for quicker and more transparent (not really the right word) interaction between the user base and the bit of ArcSight that is deeper than the break/fix support user interaction.

  3. Hi Mark, I am looking for some use cases myself but struggling a bit. I am specifically interested in DNS/DHCP information. I'm not sure how good ArcSight is at collecting and reporting on this, i.e. who had what IP address at a particular time (DHCP) or who queried what at a particular time (DNS) or even whether people would want this info. Do you think it would be useful? I represent a niche vendor who has produced a DNS/DHCP monitoring tool and we are looking to integrate with SIEM vendors, but I'm struggling with the use cases a bit.

    Cheers,

    Paul

  4. Paul

    I do think those sorts of records are useful. There are a number of ways your question could be read, though. Shoot me an email if you want to discuss this offline. Throw a "J" between my first initial and last name and then send that over to gmail.

    Mark

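Paul's question in the comments, "who had what IP address at a particular time (DHCP)" and "who queried what at a particular time (DNS)", is really one join: a DNS query log only records a source address, and the DHCP lease history is what turns that address back into a host. The following is an added example of that join (my own code, not the commenter's product, not ArcSight content and not Mark's). The lease and query records are constructed; the interesting cases they include are an address that was re-leased to a second laptop the same day, a query that falls in the gap between the two leases, and a query from an address with no lease record at all, which is exactly where a naive "IP equals host" report goes wrong.

```python
"""Attribute DNS queries to hosts via DHCP lease history. Added illustration for
the DNS/DHCP use case raised in the comments; not the vendor's or ArcSight's code.
All lease and query records below are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str
    start: datetime
    end: datetime  # expiry or explicit release, whichever came first


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed DHCP lease history: the same address handed to two laptops in one day.
LEASES = [
    Lease("10.1.2.50", "00:11:22:33:44:55", "LT-ALICE", ts("2010-06-01 08:00:00"), ts("2010-06-01 12:00:00")),
    Lease("10.1.2.50", "66:77:88:99:aa:bb", "LT-BOB", ts("2010-06-01 12:05:00"), ts("2010-06-01 20:00:00")),
    Lease("10.1.2.51", "cc:dd:ee:ff:00:11", "PRINTER-3", ts("2010-06-01 00:00:00"), ts("2010-06-02 00:00:00")),
]

# Constructed DNS query log: (time, client ip, queried name).
DNS_QUERIES = [
    ("2010-06-01 09:30:00", "10.1.2.50", "update.example.com"),
    ("2010-06-01 12:03:00", "10.1.2.50", "badhost.example.net"),  # falls in the gap between leases
    ("2010-06-01 14:00:00", "10.1.2.50", "badhost.example.net"),
    ("2010-06-01 15:00:00", "10.1.2.52", "www.example.org"),  # no lease record at all
]


def lease_at(ip: str, when: datetime, leases=LEASES) -> Optional[Lease]:
    """Return the lease covering ip at time when; newest start wins if records overlap."""
    live = [l for l in leases if l.ip == ip and l.start <= when < l.end]
    return max(live, key=lambda l: l.start) if live else None


def attribute_queries(queries=DNS_QUERIES, leases=LEASES) -> list:
    """Join each query to the host that held its source address at query time."""
    rows = []
    for when, ip, qname in queries:
        lease = lease_at(ip, ts(when), leases)
        rows.append({
            "time": when, "ip": ip, "qname": qname,
            "hostname": lease.hostname if lease else None,
            "mac": lease.mac if lease else None,
        })
    return rows


def who_queried(qname: str, queries=DNS_QUERIES, leases=LEASES) -> dict:
    """Answer 'who queried X': hostnames found, plus (time, ip) pairs with no lease to blame."""
    attributed, unattributed = set(), set()
    for row in attribute_queries(queries, leases):
        if row["qname"] != qname:
            continue
        if row["hostname"]:
            attributed.add(row["hostname"])
        else:
            unattributed.add((row["time"], row["ip"]))
    return {"hosts": sorted(attributed), "unattributed": sorted(unattributed)}


if __name__ == "__main__":
    for row in attribute_queries():
        print(row)
    print(who_queried("badhost.example.net"))
```

Two design choices matter for the use case. The lease window is half-open (`start <= t < end`), so a query stamped exactly at lease expiry is not attributed to the host that just gave the address up. And unattributed queries are reported rather than dropped: an address with no lease history is either statically assigned or missing from the DHCP feed, and either way the analyst needs to know the attribution failed rather than get a silently shorter list.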