Protect Your Assets
Using HP ArcSight to track and monitor Heartbleed vulnerability

‎04-25-2014 05:51 AM - edited ‎07-07-2015 09:43 AM

I sat down with my technical engineer, Johnny Khoury, last week and asked him a bunch of questions regarding the Heartbleed bug. I thought you may have similar questions in your organization. Some of the questions were:


  • What is Heartbleed?
  • How and why is it dangerous?
  • How do we know we are hacked through that vulnerability?
  • Can we validate that we are not hacked?
  • How can we prove that we are monitoring?
  • How can HP ArcSight monitor and track this?
  • Are HP ArcSight customers safe?

His answers were straight to the point, and I blogged about some of my interpretation of this discussion earlier. After he showed me how easy it is to find out if this is a threat with only a few searches, I was convinced that this is a simple and trackable problem. Comprehensive log management and running forensic investigations through simple queries using HP ArcSight can instill confidence in your IT environment. This is the summary of what he said and showed...


Heartbleed is a serious vulnerability in the popular OpenSSL cryptographic software library, and it affects many web servers and applications. It is difficult to patch all web servers immediately, so it is important to at least track and monitor the type of traffic being generated in your organization. The new super-indexed fields in HP ArcSight Logger 5.5 allow ultra-fast search, so users can analyze the security events in real time.


Let's look at a simple use case on "Who is talking to my web server on port: 443?"


Use Logger to determine which servers are running the HTTPS protocol and to understand the traffic generated over a specific time window, say the three weeks since the vulnerability was disclosed. This search gives you an analysis of the traffic generated. You can express it in Logger's English-like query syntax by searching for 'destination port 443 users'.


Since HTTPS most commonly runs on port 443, run a query against port 443 using the following conditions:


  • Top traffic being generated on port: 443

In this example, I want the top 10 groupings by event name, device vendor, source/destination address, and outcome:


destinationPort=443 |where src IS NOT NULL | top 10 name deviceVendor sourceAddress destinationAddress categoryOutcome


If I want more details, I can drill down into the individual events:

  • Drill down to the real events: from the summary, drill further into the actual security events and logs behind each row

  • Analyze rare events associated with the traffic on port 443. This lists the search results in tabular form, showing the least common values for the specified fields. Simply replace the word 'top' with 'rare':


destinationPort=443 |where src IS NOT NULL | rare name deviceVendor sourceAddress destinationAddress categoryOutcome

  • Analyze the least common occurrences of events using 'tail':


destinationPort=443 |where src IS NOT NULL |chart count by name deviceVendor sourceAddress destinationAddress categoryOutcome | tail 5
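To show what the three aggregations above actually return, here is an added example that is not part of the original post and not ArcSight Logger's own code: a small Python script that parses constructed CEF events (ArcSight's Common Event Format), keeps those with dpt=443 and a source address, and groups them the way the 'top', 'rare' and 'chart ... | tail' queries do. It assumes the CEF keys src, dst, dpt and outcome as stand-ins for Logger's sourceAddress, destinationAddress, destinationPort and categoryOutcome fields; the sample events, including the IDS vendor and event name, are made up.

```python
import re
from collections import Counter

# Constructed sample CEF events (not real logs); the IDS vendor and event name are made up.
# CEF header layout: CEF:Version|Vendor|Product|DevVersion|SigID|Name|Severity|Extension
SAMPLE_EVENTS = """\
CEF:0|Apache|httpd|2.2|100|HTTPS Request|3|src=10.0.0.5 dst=192.168.1.10 dpt=443 outcome=Success
CEF:0|Apache|httpd|2.2|100|HTTPS Request|3|src=10.0.0.5 dst=192.168.1.10 dpt=443 outcome=Success
CEF:0|Apache|httpd|2.2|100|HTTPS Request|3|src=10.0.0.7 dst=192.168.1.10 dpt=443 outcome=Success
CEF:0|Apache|httpd|2.2|100|HTTP Request|3|src=10.0.0.5 dst=192.168.1.10 dpt=80 outcome=Success
CEF:0|ExampleIDS|sensor|1.0|42|Heartbeat Anomaly (constructed)|8|src=203.0.113.9 dst=192.168.1.10 dpt=443 outcome=Failure
CEF:0|Apache|httpd|2.2|100|HTTPS Request|3|dst=192.168.1.10 dpt=443 outcome=Success
""".splitlines()

HEADER_KEYS = ("cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
               "signatureId", "name", "severity")
# One extension key=value pair; the value runs until the next " key=" or the end of the line.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_cef(line):
    """Split one CEF line into a flat dict. A '\\|' in the header is an escaped pipe."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    event = dict(zip(HEADER_KEYS, (p.replace("\\|", "|") for p in parts[:7])))
    event.update(EXT_RE.findall(parts[7]))
    return event

GROUP_FIELDS = ("name", "deviceVendor", "src", "dst", "outcome")

def port443_groups(lines):
    """Counterpart of: destinationPort=443 | where src IS NOT NULL, grouped by GROUP_FIELDS."""
    counts = Counter()
    for line in lines:
        ev = parse_cef(line)
        if ev.get("dpt") != "443" or not ev.get("src"):
            continue  # drop non-443 traffic and events with no source address
        counts[tuple(ev.get(f, "") for f in GROUP_FIELDS)] += 1
    return counts

def top(counts, n=10):
    """Like Logger's 'top N': the most common groups, highest count first."""
    return counts.most_common(n)

def rare(counts, n=10):
    """Like Logger's 'rare N' (or '| chart count by ... | tail N'): least common groups first."""
    return sorted(counts.items(), key=lambda kv: kv[1])[:n]
```

On the sample, 'top' surfaces the repeated client 10.0.0.5 while 'rare' surfaces the one-off IDS alert from 203.0.113.9, which is the kind of outlier the 'rare' and 'tail' searches are meant to expose.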

As you can see, you can use simple queries to run forensics that help prove that you are either safe from Heartbleed or have been hacked through that vulnerability.

About the Author

Sri_Karnam
