Micro Focus ArcSight Incident Response – Expensive and Repetitive
For mature Micro Focus ArcSight SOCs, responding to incidents correctly and efficiently is very important. Too often, analysts consume time and resources performing repetitive tasks. Their standard operating procedures require them to sign onto numerous platforms, often cutting, pasting and reformatting event data as they go. Analysts spend too much time sending form emails, opening remedy tickets, making firewall changes, mitigating endpoint virus infections, gathering platform data and researching internal host information.
Another problem ArcSight SOCs face is enforcing consistency among analysts. Despite the best standard operating procedures, different analysts often handle the same events differently, and this is especially noticeable among shifts and locations. Inconsistent event handling can easily lead to improper event handling, defeating the whole purpose of your ArcSight SIEM and your SOC. Improper handling is expensive and potentially misses or mishandles important security events.
Automated Incident Response – Removing Uncertainty
For SEMplicity, incident response automation takes two forms: simple integration commands that analysts invoke manually, and fully automated rule actions. For both these use cases, the Micro Focus ArcSight ESM provides a powerful automation framework: the ActionConnector. At SEMplicity, we are experts in all aspects of event response automation using ArcSight ActionConnectors. Using an ActionConnector in combination with other ArcSight SIEM content, we can take any complex repetitive task (such as ending VPN sessions, disabling suspicious users or creating remedy tickets) and create a simple command for analysts to invoke that often replaces a complex, multi-step, cross-platform procedure. Better yet, if the specific alert is always handled the same way, we can fully automate the response so that no analysts are even involved.
By automating repetitive analyst tasks, we can reduce the hours your security analysts spend on mundane tasks and free up their time to pursue new network threat events. This creates a more efficient and more effective SOC, a core objective for all mature ArcSight SIEM implementations.
|Initial Scoping Meeting||Determine repetitive tasks to be automated. Select a host for ActionConnector.|
|Install ActionConnector||Install the general framework for incident automation.|
|Implement ESM ActionConnector Content||Provide dashboards and reports detailing all ActionConnector activity|
|Implement ActionConnector programs||Identity and automate two common SOC tasks. This process uses the extensive library of SEMplicity automation programs and also includes development services to create new programs designed to automate tasks specific to your site.|
|Implement Integration Commands||Activate and document integration commands allowing analysts to invoke ActionConnector programs and see results interactively.|
|Automate Integration Commands||For appropriate commands and alerts, create or modify rules to automatically execute.|
|Change SOPs||Modify standard operation procedures in accordance with new Integration Commands and automation.|
|Knowledge Transfer||Train client personnel on the creation of new ActionConnector programs, Integration Commands and automation.|
|Comprehensive ActionConnector Report||Provide a full engagement report detailing new infrastructure, programs and commands implemented, new content and automation roadmap.|
ArcSight ActionConnector automation is best implemented as a two-week on-site sprint. If desired, SEMplicity can provide supplementary programming services to automate additional repetitive SOC tasks.
- Admin credentials for the ArcSight Manager
- A Windows or Linux host for the ActionConnector with admin access
- Two hours with SOC manager to determine automation objectives
- Remote access, if follow-on programming services desired