ShellShock content for ArcSight ESM and Express

File uploaded by pbrettle on Sep 30, 2014

Hi all,


Please find the initial deliverable for ArcSight ESM and Express that provides assistance, support and identification of the recently announced ShellShock vulnerability. Our Professional Services team have done a huge amount of work to help in this process (would love to claim the glory, but it's really not me!) and we are very proud to make this available to the community.


You will see that there is a ZIP file attached and it contains the following files:


  • Shellshock Guide.docx
  • Shellshock.arb


The guide document covers everything that you need and includes a step by step process for the installation of the sysdig tool, the FlexConnector to receive the logs and then the actual content to identify when the vulnerability is used. The issue with ShellShock is that it is usually NOT going to generate log data that will be picked up by any SIEM (contrary to what some are saying). That's OK, but we need to have some indicators that a compromise is being attempted and this is why we need the use of sysdig. From there, we need to process some of the log data to give us a really good view of what is happening.
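As an added illustration (not part of the attached package or the guide), here is a small Python detector for the kind of indicator the post describes: a shell spawned by a network-facing service whose environment carries a Bash function export. The record layout and the sample lines are constructed assumptions for this example; the real sysdig output and its FlexConnector parsing are what the guide covers.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records reduced from process-execution events. The key=value
# layout with a quoted env field is an assumption for this example only.
SAMPLE_LOG = [
    '2014-09-30T10:01:02Z pid=4412 proc=bash parent=httpd env="HTTP_USER_AGENT=() { :;}; echo vulnerable" cmd="/var/www/cgi-bin/status.sh"',
    '2014-09-30T10:01:05Z pid=4413 proc=sh parent=httpd env="HTTP_USER_AGENT=Mozilla/5.0" cmd="/var/www/cgi-bin/status.sh"',
    '2014-09-30T10:02:11Z pid=4520 proc=bash parent=sshd env="SSH_ORIGINAL_COMMAND=() {  :; }; id" cmd="bash -c git-upload-pack"',
    '2014-09-30T10:03:00Z pid=4601 proc=bash parent=sshd env="TERM=xterm" cmd="-bash"',
]

# A Bash function export starts with "() {"; the whitespace between tokens varies.
FUNC_EXPORT = re.compile(r'^\s*\(\)\s*\{')
# Services that can place externally supplied data into a child's environment.
EXPOSED_PARENTS = {"httpd", "apache2", "nginx", "sshd", "dhclient"}
SHELLS = {"bash", "sh"}
# key=value, where value is either a double-quoted string or a bare token.
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one record into a dict; quoted values lose their surrounding quotes."""
    ts, rest = line.split(" ", 1)
    fields = {"ts": ts}
    for key, val in FIELD.findall(rest):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


def classify(rec: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for a record, or None when it shows nothing of interest."""
    if rec.get("proc") not in SHELLS or rec.get("parent") not in EXPOSED_PARENTS:
        return None
    name, _, value = rec.get("env", "").partition("=")
    base = {"ts": rec.get("ts", "?"), "pid": rec.get("pid", "?")}
    if FUNC_EXPORT.match(value):
        return {**base, "severity": "high",
                "reason": f"function export in {name} passed to {rec['proc']} by {rec['parent']}"}
    # A shell under an exposed service without a function export is normal for
    # CGI scripts, so it is only a low-confidence indicator worth correlating.
    return {**base, "severity": "low", "reason": f"{rec['proc']} spawned by {rec['parent']}"}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run every record through classify() and keep the findings."""
    return [f for f in (classify(parse_record(l)) for l in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```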


The content will be refined over the days and weeks coming up and please do provide feedback and comments on this. The idea is that we can work together as a community to drive this to be better value. We have made a judgment call on this and we have worked out a way to resolve this now. But what is clear is that the attackers are morphing and adjusting their attack options and this means we need to modify our ways too.


I will also look to make this more easily accessible and available to the wider ArcSight community too. At the moment Protect 724 is a great resource, but not everyone uses it and we really need to get this out so that more customers can use this. Expect to see more on this in the coming days and weeks.


Thanks all and I hope this is useful for everyone.