IT Operations Management (ITOM)

Quick Guide to Using SecOps Tools


By Phil Nguyen, HP Software Community Director

If you’re a professional in either IT Security or IT Operations, you know how little those two teams usually work together. Security focuses on sensitive data, Ops focuses on availability, and there’s not a lot of trust between the two to grant access to each other’s systems.

The classic example is that an Ops admin sees a spike in CPU when there’s a SQL injection, or is alerted to some kind of misbehaving web application. He typically won’t instantly recognize it as a security event, but even if and when he does, he usually just throws it over the fence to Security, and that’s the last he has to do with it.

But while each team has its own set of responsibilities, both operate for the purpose of reducing risk to the business, and only through a shared set of best practices and resources can that larger goal be achieved.

This guide will take you through several use-case scenarios for how Security and Ops teams can work together as SecOps with a range of HP Software tools.

A robust set of integrated analytical tools—including HP Software’s Business Service Management (BSM) and ArcSight Logger and Enterprise Security Manager—enables SecOps teams to capture events, and then analyze, compare, and act upon their findings to prevent repeat incidents.

Here are some examples of how a unified team can use HP Software tools to look at the same data, interpret it, and draw the correct conclusions to help defend their company in almost real-time.

Overview of ArcSight-BSM Integration
BSM features an Operations Bridge that combines several software products to act as a kind of Manager of Managers. It provides universal event consolidation, so that all events across operations come into one central location.
Now ArcSight products such as Logger and ESM are able to integrate with the BSM Operations Bridge.


Here is a conceptual diagram of how it works:


1. Logs for Operations
One key use-case is to share log information. ArcSight logs a lot of data from different kinds of applications, firewalls and intrusion detection software. Both raw and correlated event data can be collected and stored from a variety of sources, providing a comprehensive view of all the machine data that’s been captured.



Without Logger, this SNMP trap event would not have been identified, but it leads us to the root cause of the outage.


These logs can be shared between Security and Ops teams so that both have ready access to search in these logs or to create alarms, because they have a single tool to troubleshoot with historical event and log data. ArcSight Logger collects metrics from more sources than OM, OMi, or NNMi, while events in BSM products like OM, OMi, and NNMi are now richer and more comprehensive because, for instance, syslog data from network devices is brought into NNMi.

Let’s look at how ArcSight data is pulled into OMi. If a customer is using OMi for event consolidation, he can take all of the different log files that are captured by the ArcSight Logger product, even with ESM, and then feed them into OMi.

Here is how an ArcSight event shows the CI/Node information in OMi to help identify an issue:


Now an Ops admin can correlate a CPU spike to the security event. The data from typical monitoring products that look at performance, availability and fault (OM, Network Node Manager, and third party products) combine with log information from ArcSight to create a rich set of information that OMi automatically correlates.

2. Event analytics
Another way to use these tools is to take the events that are coming into OM, or OMi, and send them back in to the Logger product to perform “Event Analytics”.


While software like OM and NNM also deals with events, some kinds of analysis functions require a long history. These events, which are often coming in on a daily or hourly basis, can be archived into Logger.

Here is how the analysis of OMi event patterns and the execution of contextual searches can work with Logger:




By using Logger as a single repository of IT events, log files and security events, Ops admins can now perform a kind of enhanced triage. ArcSight Logger offers extensive search capabilities that allow operators to quickly and easily search through terabytes of historical event data for previous incidents and associated resolutions. ArcSight Logger also detects previously unknown patterns, which allows for the creation of a more robust set of correlation rules in OMi. Finally, newly detected patterns also allow for the creation of more automated workflows in OO.

Here is a screen shot of the ArcSight Logger:



The Ops team can now have access to a wealth of information that they can use to go back and review everything associated with a particular event, and create rules to proactively reduce those incidents in the future.

3. Integrating NOC & SOC

What the logs for Ops and event analytics enable is a closer integration of Security and Operations, or what we call “SecOps”. Similar to how Development and Operations teams work together in the DevOps methodology, SecOps improves communication and the sharing of information, data and tools.

More specifically, this approach offers end-to-end visibility across the entire IT infrastructure, including security aspects. ArcSight brings security events into OM, OMi, and NNMi for correlation with infrastructure availability and performance events. Ops admins can analyze and correlate every occurrence across the organization—every login, logoff, file access, database query, etc.—with operational event data.








Here is one use-case for how SecOps could function, in which ESM security events and infrastructure events are correlated:




In this example, imagine that Sam hacks an HR database. Depending on what is occurring, Ops would detect the event as a fault or a bottleneck, not a security event. Without information from ArcSight Logger, an Ops admin might just see a spike in CPU and shift more processing resources to take care of the problem.


But by correlating it with the log information and ESM data, the root cause can be identified as an attack and the issue effectively resolved by delegating it to the Security analyst. For Security, time is the enemy. They need to detect issues as soon as possible, and this empowers Ops to pass it over to them so they can take corrective action quickly.
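As an added illustration of the correlation described above and in the OMi section (this is not HP’s code and uses no ArcSight or OMi API), here is a minimal correlator run over constructed sample events: an Ops fault on a node is handed to Security when a security event hits the same node within a short time window, otherwise it stays with Ops.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real ArcSight/OMi output).
# Ops side: performance and fault events from infrastructure monitoring.
OPS_EVENTS = [
    {"time": "2015-03-10T09:12:05", "node": "hrdb01", "type": "cpu_spike",
     "detail": "CPU 97% for 5 min"},
    {"time": "2015-03-10T11:40:00", "node": "web03", "type": "disk_full",
     "detail": "/var at 99%"},
]
# Security side: alerts as a SIEM such as ESM would raise them.
SEC_EVENTS = [
    {"time": "2015-03-10T09:10:30", "node": "hrdb01", "type": "sql_injection",
     "detail": "SQL injection pattern on HR application"},
    {"time": "2015-03-10T15:00:00", "node": "hrdb01", "type": "failed_login",
     "detail": "5 failed logins in 1 min"},
]


def correlate(ops_events, sec_events, window=timedelta(minutes=10)):
    """Pair each Ops fault with security events on the same node that fall
    within +/- window of it, and assign an owner for triage."""
    incidents = []
    for ops in ops_events:
        t_ops = datetime.fromisoformat(ops["time"])
        related = [
            s for s in sec_events
            if s["node"] == ops["node"]
            and abs(datetime.fromisoformat(s["time"]) - t_ops) <= window
        ]
        incidents.append({
            "node": ops["node"],
            "ops_event": ops["type"],
            "security_events": [s["type"] for s in related],
            # A CPU spike with a matching security alert is routed to Security
            # instead of being "fixed" by adding CPU capacity.
            "owner": "Security" if related else "Ops",
        })
    return incidents


if __name__ == "__main__":
    for incident in correlate(OPS_EVENTS, SEC_EVENTS):
        print(incident)
```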


Here is how you can establish Security KPIs in OMi:




Bringing it all together
As organizations continue to struggle with security, Ops teams can play a bigger role to help reduce the risks that businesses are facing. This is a complete integration of the tools that many organizations already have.

Correlating events and faults with the overall business context enables organizations to adopt what we call the Run-Time Service Model (RTSM). This is a comprehensive, automated, and up-to-date model for dynamic services:



This provides a complete view, from the highest level of the business service, right through applications, middleware, network and systems, so organizations really can detect instantly when a security event occurs, and know under which business context it has occurred.

In the end, this can ensure that Security, Operations and other IT departments are able to work together to correctly analyze issues and quickly address them.
