12 – Operations Security
In the Reports Portal, select > > > > Dashboards or Reports > .
Control 12 (Operations security) of the ISO 27002 standard focuses on ensuring that the facilities that store and process information are protected from malware, data loss, and the exploitation of technical vulnerabilities. To assess your enterprise's compliance with this control, use the following dashboards and reports:
- Reports all account activities by type. The table provides results by the event name, the user associated with the event, the target IP address and host name, and the number of events per user.
- Reports the accounts that have performed the most administrative actions. The table provides results by admin account, destination IP address, the name and ID of the detected event, the affected product, the number of events, and when the most recent event occurred.
- Reports the hosts that have had the highest number of logins and logouts by administrative accounts. The table provides results by the name of the event, the admin account, the IP address and name of the affected host, the action taken, the number of events, and when the most recent event occurred.
- Reports the applications that have had the highest number of configuration changes. For example, a user might have updated a license file or a program setting. The table provides results by the product modified, the IP address and zone of the host system, and the date that the modification occurred.
- Reports indications that audit logs have been cleared, over time. The table provides results by when the event occurred, the IP address and host name of the affected system, the affected account, the source account that might have cleared the audit log, and the affected device.
- Reports assets with authenticated logins that used insecure ports. This report is useful for auditors to track and identify assets that are not following the security standard. The table provides results by the insecure port, the name of the source and target systems, the target user (if any), the type of event or user, the number of events, and the date of the most recent event.
- Provides an overview of the authentication failure events in your enterprise. You can view a trend of failed authentication events over time, the different outcomes of the authentication events, and the failed logins by administrative and non-administrative users.
- Reports events generated by devices that have blocked traffic. The table provides results by the target port, the source and target IP address and host name, the type of event, and the number of events.
- Reports the hosts with the most changes to the operating system. Detected modifications might be to the security options or OS accounts. The table provides results by the change made; the IP address, name, and zone of the affected host system; and the device product that was changed.
- Reports events identified as covert channel activity. These events are generated by IDS devices and could indicate the use of different tools designed to establish an undetected channel to and from your enterprise. The table provides results by the type of event, the IP address and host name of the target and source systems, and when the event occurred.
- Provides, in charts and a table, an overview of the database events. You can view the trend of events over time, events by product and by behavior, and the user names and IP addresses involved in the events. The table lists the name of the event; the target user and associated IP address; the source user and associated IP address; the outcome of the event; and the number of events.
- Reports the type and number of modifications made to devices in the network. The table provides results by the date, time, event name, affected product, and the host where the changes occurred.
- Reports the devices with the most logging events, such as a database. The table provides results by the device host name and address, a count of events received, and when the device most recently received an event.
Because this report queries the logging activity from all devices, it will have a performance impact each time that you run it.
- Provides, in charts, an overview of the different security incidents that might indicate that systems or data in your enterprise have been compromised. You can view a trend of events by severity over time, as well as events by geographic location, the techniques used, severity, source IP address, and target IP address. You can also review the relationships between target and source IP addresses.
- Reports the number of detected events where a user might have exploited a well-known vulnerability. For example, an IDS might report an event associated with a Unicode vulnerability. The table provides results by the vulnerability, the affected host, the source system, and the number of detected events.
- Reports the number of failed logins by administrative accounts over time. A high number of failed access attempts can indicate malicious activity. The table provides results by account name, the name and IP address of the host where the login failed, the affected product or operating system, the number of failures detected, and when the most recent event occurred.
- Reports the number of failures in updating anti-virus software over time. The table provides results by the update that failed; the IP address, name, and zone of the target system; the type of event; and when the failure occurred.
- Reports the details of events that indicate failed attempts to access files. The table provides results by the targeted file, the IP address and name of the target system, the type of event, the number of attempts, and when the most recent attempt occurred.
- Reports information about files that failed to be deleted. The table provides results by the targeted file, the IP address and name of the target system, the type of event, the number of attempts, and when the most recent attempt occurred.
- Reports the number of failed logins over time. A high number of failed access attempts can indicate malicious activity. The table provides results by account name, the name and IP address of the host where the login failed, the affected product or operating system, the number of failures detected, and when the most recent event occurred.
- Reports all events indicating that a system fault has occurred over time. The table provides results by the IP address and name of the host where the fault occurred, the name of the event, the number of events, and when the most recent event occurred.
- Reports changes made to files in the production network. The table provides results by the target file, the IP address and name of the host of the file, the number of events, and when the most recent event occurred.
Before using this report, you must add the systems that reside in the production network to the variable . For more information, see the Solutions Guide for ArcSight Compliance Pack for IT Governance.
- Reports events by host that indicate changes to firewall configuration. The table provides results by the IP address and zone of the firewall, the firewall rule and configuration that was changed, the number of changes, and the time that the event occurred.
- Reports the user accounts with the most attempts to log in to databases in your environment. The table provides results by the user account, the affected host, the number of attempts, whether the attempt was successful, and events per hour.
- Reports policy breaches by system, where the event matches the category technique /Policy/Breach. The table provides results by the device group, the affected vendor and product, the IP address and name of the host, and when the breach occurred.
- Reports malicious code events by host system. The table provides results by the event name, the IP address and name of the affected device, the affected product, the category of the malicious code, and the outcome.
- Provides, in charts, an overview of the malware events that might indicate systems or data in your enterprise have been compromised. You can view a trend of malware events over time, as well as events by geographic location, malware category and malicious event, the affected IP addresses and hosts, suspicious IP addresses and host names, and target IP addresses. You can also review the relationships between target and source IP addresses, and the techniques used to exploit systems and launch further attacks.
- Reports events that indicate configuration file changes on network equipment such as routers and switches. The table provides results by the change made, the device affected, the IP address where the change originated, the IP address and name of the host where the change occurred, and when the change occurred.
- Reports all policy breaches by source IP address. A policy breach could be IM use or the downloading of unauthorized content. The table provides results by the affected policy, the IP address and name of the source and target hosts, the number of breaches, and when the most recent breach occurred.
- Reports events that indicate resource exhaustion on particular hosts. A malicious user can cause or exploit resource exhaustion by crashing programs or by starving them of the resources they need to run correctly, which makes the affected systems and programs unavailable. The table provides results by the IP address and name of the host where the event occurred, the type of event, the number of events, and when the most recent event occurred.
- Provides an overview of scan results. You can view the signatures of potential vulnerabilities, the most active scanners, and the most scanned ports and assets.
- Reports events that indicate changes to daemons, access policies, and other software changes in the production environment. The table provides results by the event, the IP address and name of the target asset, and the target user.
Before using this report, you must add the systems that reside in the production network to the variable . For more information, see the Solutions Guide for ArcSight Compliance Pack for IT Governance.
- Reports the number of successful logins by administrative accounts over time. The table provides results by account name, the name and IP address of the host where the logins occurred, the affected product or operating system, the number of successful logins, and the date of the most recent event.
- Reports events that indicate successful attempts to delete files by the target IP address. The table provides results by name of the deleted file, the IP address where the file was deleted, the number of files deleted, and when the deletion occurred.
- Reports the number of successful logins over time. The table provides results by account name, the name and IP address of the host where the logins occurred, the affected product or operating system, the number of successful logins, and when the most recent event occurred.
- Reports suspicious events in your network. The table provides results by the event name, the IP address and name of the host where the event occurred, the number of events, and when the most recent event occurred.
- Reports all the trojan activity detected by IP address in the environment. The table provides results by the type of activity, the IP address that originated the activity, the IP address and name of the target host, and when the event occurred.
- Reports the actions taken by non-administrative accounts. For example, a user might delete an infected file. The report provides results by the source account, the affected account, the name of the event, the IP address where the action occurred, the affected product, the outcome of the user's action, the number of times that the action was detected, and the date of the most recent event.
Run this report with caution, as it can generate enormous amounts of data. This report will not include events in which both source and destination users are null.
- Reports the user accounts that log in and out the most. The table provides results by the name of the login action and category, the user account, the IP address, name, and zone of the affected system, and the date of the event.
- Reports the systems with the most detected viruses by affected product. The table provides results by the virus name, the affected system and product, and the date of the event.
- Provides an overview of the vulnerabilities detected per host. You can view a trend of vulnerabilities reported over time, the most reported vulnerabilities, the assets with the most vulnerabilities, and vulnerabilities by severity.
- Reports vulnerabilities by type as detected by vulnerability scanners. The table provides results by the vulnerability, the IP address and name of the affected host, and the quantity found.
- Provides an overview of the scans, probes, and unauthorized access reported in your environment. You can view results by the systems with the most unauthorized access attempts, severity of events, the most scanned ports, the vulnerabilities scanned, and the signature of the riskiest vulnerabilities.
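The following Python is an added example, not part of the ArcSight Compliance Pack, that replicates the logic of two of the reports above (failed logins by administrative accounts, and audit logs cleared) over raw CEF events, so you can see what the tables are built from and check a connector feed outside the Reports Portal. It assumes the extension carries the connector's categorization fields (categoryBehavior, categoryOutcome) and an rt= timestamp in epoch milliseconds, and that log clearing appears as Windows Security event 1102 or as an event whose name contains "audit log was cleared"; the sample events, host names and the list of administrative accounts are constructed for the demonstration.

```python
"""Two of the Control 12 report queries above, replicated over CEF events.

Added example, not ArcSight's report logic. Assumes CEF lines whose extension
carries the connector's categorization fields (categoryBehavior,
categoryOutcome) and an rt= timestamp in epoch milliseconds. The sample
events, the admin account list and the host names are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

_HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                  "signature_id", "name", "severity")
# An extension key is a run of word characters followed by '=', at the start
# of the extension or after whitespace. An escaped '\=' inside a value has a
# backslash, not a word character, before its '=', so it is not taken as a key.
_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")


def _split_header(body):
    """Split the seven pipe-delimited header fields; '\\|' and '\\\\' are escapes."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    return fields, body[i:]          # remainder after the 7th pipe is the extension


def parse_cef(line):
    """Return the header fields plus every key=value pair of the extension."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    header, ext = _split_header(line[4:])
    if len(header) != 7:
        raise ValueError("malformed CEF header: %r" % line[:40])
    ev = dict(zip(_HEADER_FIELDS, header))
    keys = list(_EXT_KEY.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)]
        ev[m.group(1)] = raw.strip().replace("\\=", "=").replace("\\\\", "\\")
    return ev


def _when(rt_ms):
    """Render an epoch-millisecond rt value as an ISO 8601 UTC timestamp."""
    return datetime.fromtimestamp(int(rt_ms) / 1000, tz=timezone.utc).isoformat()


ADMIN_ACCOUNTS = {"administrator", "root", "svc_backup"}      # constructed list


def failed_admin_logins(events, admin_accounts=ADMIN_ACCOUNTS):
    """Failed logins by administrative accounts: (account, host, product,
    failures, most recent event), most failures first."""
    rows = defaultdict(lambda: [0, 0])                     # [count, latest rt]
    for ev in events:
        if (ev.get("categoryBehavior") != "/Authentication/Verify"
                or ev.get("categoryOutcome") != "/Failure"):
            continue
        account = ev.get("duser") or ev.get("suser") or ""
        if account.lower() not in admin_accounts:
            continue
        host = ev.get("dhost") or ev.get("dst") or "unknown"
        row = rows[(account, host, ev["product"])]
        row[0] += 1
        row[1] = max(row[1], int(ev.get("rt", 0)))
    return sorted(((a, h, p, n, _when(rt)) for (a, h, p), (n, rt) in rows.items()),
                  key=lambda r: (-r[3], r[0], r[1]))


def audit_log_cleared(events):
    """Audit log cleared: (time, affected host, affected account, source account,
    device product). Matching Windows Security event 1102 or the event name is
    an assumption about how the connector labels these events."""
    out = []
    for ev in events:
        event_id = ev["signature_id"].rsplit(":", 1)[-1]
        if event_id == "1102" or "audit log was cleared" in ev["name"].lower():
            out.append((_when(ev.get("rt", 0)), ev.get("dhost"), ev.get("duser"),
                        ev.get("suser"), ev["product"]))
    return sorted(out, key=lambda r: r[0])


# Constructed feed: three Administrator failures on fs01, one root failure on
# db02, one non-admin failure, one admin success, and a log-cleared event.
_WIN = "CEF:0|Microsoft|Microsoft Windows|2016|Microsoft-Windows-Security-Auditing:%s|%s|%s|"
_FAIL = "categoryBehavior=/Authentication/Verify categoryOutcome=/Failure "
SAMPLE_EVENTS = [
    _WIN % ("4625", "An account failed to log on", 5) + _FAIL
    + "duser=Administrator dhost=fs01.corp.example dst=10.1.1.5 rt=1700000000000 "
      "msg=Logon type\\=3 reason\\=bad password",
    _WIN % ("4625", "An account failed to log on", 5) + _FAIL
    + "duser=Administrator dhost=fs01.corp.example dst=10.1.1.5 rt=1700000060000",
    _WIN % ("4625", "An account failed to log on", 5) + _FAIL
    + "duser=Administrator dhost=fs01.corp.example dst=10.1.1.5 rt=1700000120000",
    "CEF:0|Unix|Unix|1.0|sshd:failed|Failed password|5|" + _FAIL
    + "duser=root dhost=db02.corp.example dst=10.1.1.9 rt=1700000030000",
    _WIN % ("4625", "An account failed to log on", 5) + _FAIL
    + "duser=jsmith dhost=fs01.corp.example dst=10.1.1.5 rt=1700000090000",
    _WIN % ("4624", "An account was successfully logged on", 3)
    + "categoryBehavior=/Authentication/Verify categoryOutcome=/Success "
      "duser=Administrator dhost=fs01.corp.example dst=10.1.1.5 rt=1700000150000",
    _WIN % ("1102", "The audit log was cleared", 8)
    + "suser=jdoe dhost=fs01.corp.example dst=10.1.1.5 rt=1700000200000",
]

if __name__ == "__main__":
    events = [parse_cef(line) for line in SAMPLE_EVENTS]
    for row in failed_admin_logins(events):
        print("failed admin login:", row)
    for row in audit_log_cleared(events):
        print("audit log cleared:", row)
```

Run as a script it prints one row per (account, host, product) with the failure count and the most recent event, which is the shape of the failed-admin-logins table described above, followed by the log-cleared rows. The parser honours the CEF escapes for `|` in the header and `=` in extension values, which matters because a Windows logon-failure message routinely contains `=`; a naive split on `=` would corrupt the msg field and any key after it.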