ArcSight, Inc. Corporate Headquarters: 408 864 2600, 5 Results Way, Cupertino, CA 95014, USA. EMEA Headquarters: +44 870 351 6510. Asia Pac Headquarters: 852 2166 830. www.arcsight.com, email: info@arcsight.com

Addressing Mobile Threats: Effective Detection and Response

Executive Overview

Mobile threats can take on many forms including malware, distributed denial of service (DDoS) attacks and fraud. While these attacks aren't new, their ability to leverage mobile devices is. The use of mobile devices continues to grow because of their increasing utility, which makes them an indispensable part of personal and professional life. As a result, criminals are discovering a greater number of targets than they had when their sole focus was on traditional computer systems.

"60% of enterprise data will be mobile by 2006." - IDC

Many mobile communication providers are unprepared to address these threats. While there is much discussion as to where security should be implemented (at the mobile device, within individual organizations or within the mobile solution provider's cloud), most experts agree that to be effective, much of the security must be in the cloud, although a layered approach is certainly the best in a perfect world. Thus, the notion of security services provided by mobile communication providers is becoming top-of-mind as customers demand better security solutions for their mobile devices.

Introduction

Mobile malware is rapidly evolving. It is becoming increasingly sophisticated and can propagate faster every day. In fact, experts predict the evolution of mobile malware will outpace the growth of traditional Internet malware. Malicious intent ranges from sabotage to fraud, and because organizations and individuals depend more and more on mobile communications, the stakes are high. A pandemic-level attack could easily and quickly impact millions of users. Smartphones are increasingly powerful and programmable.
They run on operating systems including Symbian, PalmOS and Windows Mobile. Many have open APIs and offer a number of connectivity mechanisms through which malware can spread or carry out malicious acts, including:

- Connectivity to mobile networks, the Internet and organizational LANs
- Symbian installation files (SIS)
- Short message service (SMS)
- Multimedia message service (MMS)
- Bluetooth
- Wireless
- USB
- Infrared (IR)

These devices are typically always on and boast higher mobile network speeds. That means complex malware can propagate more quickly. In just the last year, there has been a 600 percent increase in the number of mobile malware attacks aimed at both sabotage and financial gain. Threats have mushroomed from multivector worms using Bluetooth and MMS, to cross-infection attacks between mobile devices and PCs, to the first instance of mobile spyware in March 2006. Ultimately, these attacks can lead to denial of mobile resources, information theft or destruction, and fraud.

Figure 1. According to Kaspersky Lab, mobile malware increased significantly from June 2004 through August 2006.

Mobile solution providers are now concentrating their efforts on telecommunication-grade solutions that can efficiently and effectively identify and respond to abuse with advanced event correlation, anomaly detection, pattern recognition and incident response solutions like ArcSight Enterprise Security Manager (ESM) and ArcSight Network Response Manager (NRM). Without these solutions, mobile customers are left to fend for themselves. And, as outlined later in this paper, without an effective incident detection and response solution, a few isolated forms of mobile device abuse can quickly explode into a pandemic.
ArcSight ESM and ArcSight NRM Solutions

In order for any ESM solution to work effectively in a mobile solution provider's environment it must meet stringent requirements surrounding flexibility; scalability; correlation and analysis; and incident response. To address these requirements, security organizations are turning to ArcSight ESM for centralized information risk management and, ultimately, to protect their critical assets. With ArcSight ESM, security organizations have the ability to comprehensively manage their security information and respond to the right security threat at the right time.

ArcSight NRM is an intelligent incident response system that drastically reduces the time required to effectively respond to cyber security incidents, from minutes, hours or even days to just seconds. Using ArcSight NRM, a single operator can quickly and easily quarantine and instantly disconnect any desktop, laptop or other host anywhere across the enterprise without endangering the availability of business systems and mission-critical traffic flows.

"The number of malicious software programs created for mobile devices is expected to reach 726 by the end of 2006, up from an estimated 226 at the end of 2005." - McAfee

The following sections address the need for flexibility, scalability, correlation and analysis, and incident response in an ESM solution, and then describe how ArcSight solutions address these requirements.

Flexibility

Flexibility is imperative because the solution must be able to model mobile-related attributes, such as MSISDN, IMEI, IMSI and the like. This modeling is in addition to more traditional events generated by operating systems, applications, network devices, security products and other event-generating systems.
With ArcSight ESM, as long as the events can make their way to the ArcSight Manager for analysis, the source of the event and the content of the event fields are inconsequential. This applies to commercial, open source, legacy and proprietary solutions and is designed to work with proprietary formats often found in log data from the core elements of a mobile solution provider's network. In practice, there is often a desire within ArcSight ESM to map events from the IP world to the mobile world, for example, IP addresses mapped to MSISDN. To do this properly, telecommunication-grade event capture, normalization, categorization, prioritization and transportation must be utilized.

Event Capture

Within ArcSight ESM, events are captured using ArcSight SmartConnectors. ArcSight SmartConnectors reside most commonly on aggregation points such as log servers or multi-device managers, for example firewall and IDS managers. Rarely is there a 1:1 relationship between a connector and an end device. More likely it is 1:100s or even 1:1000s. Regardless of the device output (ODBC, SNMP, SMTP, syslog, flat file, binary or proprietary, for example Cisco RDEP or Check Point OPSEC), connectors are flexible enough to work with virtually anything that creates a log, as long as the log is accessible through some mechanism over an IP network. Some ArcSight customers use ArcSight SmartConnectors to collect events from physical security systems and SCADA systems, which are used primarily for critical infrastructure such as nuclear power plants, oil pipelines and rail systems. Before information is transported from the ArcSight SmartConnector to the ArcSight Manager for processing and analysis, it is normalized.

Event Normalization

Normalization is the process of manipulating the fields of disparate event schemas from various products and vendors and mapping those fields into a common schema.
This is all done with 100 percent data retention, and with the payload when available: no data is lost. This is critically important since mobile solution providers rely heavily on the log data that is generated, and each field is critically important. Thus, by retaining 100 percent of the data for every event and completely normalizing all the fields, the data becomes far more useful in heterogeneous environments. This process benefits from the efficiencies of the ArcSight Manager when processing the data, as well as the analyst conducting an investigation. In addition to making the events more useful for automated processing within the ArcSight Manager, the ArcSight SmartConnectors add another step to make them more human-readable through a process called categorization.

Event Categorization

Following normalization, the ArcSight SmartConnectors categorize the events. Categorization is the process of enriching the event data with vendor-neutral content. For example, three devices may interpret an attack differently and produce events called XYZ, ABC and 123. However, the ArcSight category for all three events may be an attack of type DDoS. The fields added by the categorization process allow for more generic, human-readable output in addition to the original event data. Other information that can also be added includes global positioning system (GPS) data and asset information such as location, operating system, patches, open ports, vulnerabilities, asset criticality, relevance to regulatory compliance and so on. At this stage, the events are ready to be prioritized based on criticality.

Event Prioritization

When processing hundreds of millions of events daily, it is important to prioritize. ArcSight ESM helps reduce analysis time by assigning higher priorities to the most critical events. This triage process helps ensure that the events requiring the most attention are given more weight than those of less importance.
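As an added example (not ArcSight code; the log formats, schema field names, category table and asset criticality values are all constructed here), the following Python models the connector-side steps just described: three vendor-specific lines are normalized into one schema while the complete original line is retained, tagged with a vendor-neutral category, and given a triage priority that combines category, reported severity and the criticality of the destination asset.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Three constructed log lines, each in a different vendor-specific format:
# a syslog-style firewall drop, a pipe-delimited IDS alert and a key=value
# record from a packet-core node keyed by MSISDN/IMEI instead of IP.
RAW_EVENTS = [
    "Mar 12 10:01:07 fw01 kernel: DROP SRC=203.0.113.5 DST=198.51.100.9 PROTO=TCP DPT=554",
    "ids02|2006-03-12T10:01:08|ALERT|SYN flood detected|203.0.113.5|198.51.100.9|high",
    "ggsn3 ts=1142157669 msisdn=+15550001234 imei=356938035643809 ip=10.20.30.40 event=pdp_context_flood",
]

# Constructed asset table: criticality of the destination feeds prioritization.
ASSET_CRITICALITY = {"198.51.100.9": 1}

# Vendor-neutral categories, matched by regex against the vendor's own event name.
CATEGORY_RULES = [
    (r"flood", "Attack/DoS"),
    (r"scan|sweep", "Recon/Scan"),
    (r"^drop$|deny|denied", "Access/Denied"),
]
CATEGORY_BASE_PRIORITY = {"Attack/DoS": 7, "Recon/Scan": 4, "Access/Denied": 2}
SEVERITY_BONUS = {"high": 2, "medium": 1}


@dataclass
class NormalizedEvent:
    """Common schema; the complete original line always survives in `raw`."""
    device_product: str
    name: str
    source_address: Optional[str] = None
    destination_address: Optional[str] = None
    destination_port: Optional[int] = None
    msisdn: Optional[str] = None
    imei: Optional[str] = None
    device_severity: str = "unknown"
    raw: str = ""
    category: str = "Unknown"
    priority: int = 0


def parse_firewall(line: str) -> NormalizedEvent:
    m = re.match(r"^\w{3} +\d+ [\d:]+ (\S+) kernel: (\w+) SRC=(\S+) DST=(\S+) PROTO=\w+ DPT=(\d+)", line)
    host, action, src, dst, dport = m.groups()
    return NormalizedEvent(device_product=host, name=action, source_address=src,
                           destination_address=dst, destination_port=int(dport), raw=line)


def parse_ids(line: str) -> NormalizedEvent:
    sensor, _ts, _level, msg, src, dst, sev = line.split("|")
    return NormalizedEvent(device_product=sensor, name=msg, source_address=src,
                           destination_address=dst, device_severity=sev, raw=line)


def parse_mobile_core(line: str) -> NormalizedEvent:
    node, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return NormalizedEvent(device_product=node, name=kv["event"], source_address=kv.get("ip"),
                           msisdn=kv.get("msisdn"), imei=kv.get("imei"), raw=line)


def normalize(line: str) -> NormalizedEvent:
    """Map a vendor-specific line onto the common schema, keeping the raw line."""
    if " kernel: " in line:
        return parse_firewall(line)
    if line.count("|") == 6:
        return parse_ids(line)
    if "msisdn=" in line:
        return parse_mobile_core(line)
    # Unknown format: retained in full, just not parsed into fields.
    return NormalizedEvent(device_product="unknown", name="unparsed", raw=line)


def categorize(ev: NormalizedEvent) -> NormalizedEvent:
    """Enrich with a vendor-neutral category so XYZ, ABC and 123 all read as one attack type."""
    for pattern, category in CATEGORY_RULES:
        if re.search(pattern, ev.name, re.IGNORECASE):
            ev.category = category
            break
    return ev


def prioritize(ev: NormalizedEvent) -> NormalizedEvent:
    """Triage score on a 0-10 scale from category, reported severity and target criticality."""
    score = CATEGORY_BASE_PRIORITY.get(ev.category, 1)
    score += SEVERITY_BONUS.get(ev.device_severity.lower(), 0)
    score += ASSET_CRITICALITY.get(ev.destination_address, 0)
    ev.priority = min(score, 10)
    return ev


def process(lines):
    """Run normalize -> categorize -> prioritize on every line; highest priority first."""
    events = [prioritize(categorize(normalize(line))) for line in lines]
    return sorted(events, key=lambda e: e.priority, reverse=True)
```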
In some cases, only higher priority events are transported from the connector to the manager in real time, while lower priority events are batched and sent at regular intervals. As an aside, an additional prioritization step takes place on the ArcSight Manager. The manager will consider the initial prioritization score generated by the connector and compare it with additional data that the connector doesn't have access to, such as a stream of events coming from a source unknown to the connector or information regarding a target's vulnerabilities, business relevance and so on.

Event Transport

"Device-side anti-virus (tools) for cell phones will be completely ineffective. The most effective approach to blocking mobile malware will be to block it in the network." - John Pescatore, Vice President and Research Fellow, Gartner Research

Once events have gone through the above process, the final step is compression, encryption and transport to one or many ArcSight Managers for correlation and analysis. This process typically sends all events to the ArcSight Manager, but modifications can be made to aggregate like events and even filter out data that is considered less important. ArcSight ESM uses connection-oriented protocols for communication, network time protocol (NTP) with multiple time stamps, and heartbeat protocols between the connector and the manager to ensure accurate and dependable event transportation. Clearly, with so many events being moved across the network, scalability is another critical concern.

Scalability

Along with flexibility comes the need for telecommunication-grade scalability. This is essential for many government organizations and large enterprises. Telecommunication companies demand the ultimate in scalability. Mobile networks will often generate hundreds of millions of events per day from tens of millions of devices.
Since ArcSight ESM is deployed in the world's largest and mission-critical environments, the ArcSight ESM solution has been forged to offer the ultimate in scalability, reliability and fault tolerance. ArcSight ESM has been operating for years in environments where security is part of the organization's critical path, and without scalability this type of mission-critical operation would be impossible.

The general architecture of ArcSight ESM consists of multiple end devices generating thousands of events per second that feed event connectors. From these connectors, events are streamed to an ArcSight Manager for real-time processing and analysis. Events are also moved from the ArcSight Manager to a database, which allows for forensic analysis and reporting. Finally, there are two user interfaces: a fat client which can be installed on a desktop or laptop computer, and a Web interface designed for those that need access to information but not administration capabilities.

Figure 2. Thousands of events per second from various end devices and applications are streamed to an ArcSight Manager for real-time processing and analysis. Some events are moved from the ArcSight Manager to a database which allows for forensic analysis and reporting.

ArcSight ESM has several features that enable optimal scalability at every level of the product. The ArcSight SmartConnectors are designed to send data to one or multiple ArcSight Managers, or to a primary ArcSight Manager with fail-over to a secondary ArcSight Manager. The connectors themselves can cache data in case communication with a manager is slow because of network congestion, or has failed because of a network outage, for example. The connectors can also filter out information that is deemed less critical and aggregate like events based on user-defined criteria.
This helps to reduce the overall event load placed on the network, processing and storage resources. The ArcSight Managers can be deployed in a high availability (HA) model and in a hierarchy, allowing managers to scale in a horizontal and vertical architecture. A multi-tier architecture is common for large environments where separation of event flows is desirable, as well as a central location: a manager of managers that processes the event flows from lower-level managers.

Figure 3 shows a common example of a three-tier architecture where events are split between operational traffic and customer traffic at the first tier, and then further segregated between geographies at the second tier. Finally, all or a subset of the original data is forwarded to an HA pair of master managers at the top tier.

Figure 3. Events are split between operational traffic and customer traffic and then further segregated between geographies. All or a subset of the original data is forwarded to an HA pair of master managers.

The ArcSight database can also be run in HA mode with each corresponding ArcSight Manager. Thus any HA manager and database pair can survive any one manager and any one database being down without impacting operations. The ArcSight Consoles can connect to one or many ArcSight Managers. ArcSight Managers are capable of supporting multiple consoles and multiple Web connections simultaneously. This is one of the reasons that ArcSight is extremely popular with managed security service providers (MSSPs). The net is that the entire ArcSight ESM architecture is designed with robust scalability built into every level. But at this point the data still needs to be turned into actionable information, and that is done through the correlation and analysis process.
Correlation and Analysis

"We have to acknowledge that today's mobile viruses are very similar to computer viruses in terms of their payload. However, it took computer viruses over twenty years to evolve, and mobile viruses have covered the same ground in a mere two years. Without doubt, mobile malware is the most quickly evolving type of malicious code, and clearly still has great potential for further evolution." - Kaspersky Lab

Correlation and analysis is at the root of what mobile solution providers are demanding in order to effectively and efficiently mitigate risk. For mobile providers, correlation starts with the ability to compare the number of events across various devices and device types from IP and mobile infrastructures alike. This means being able to leverage any and every field within a given schema.

Correlation within ArcSight ESM is expressed as rules. Rules enable an analyst to look for known malicious behavior. Going hand-in-hand with event correlation are the native analysis features in ArcSight ESM:

- Event visualization allows efficient analysis of large volumes of data.
- Anomaly detection identifies deviations from the norm, for example sudden spikes or dips in traffic, or many sources connecting to one destination simultaneously, such as DDoS attacks.
- Discovery techniques allow for the opposite of rules, allowing the analyst to see relationships that they were not specifically looking for.

These ArcSight ESM capabilities, working synergistically, provide a robust and holistic real-time and forensic event analysis solution. And when they are coupled with the network response remediation capabilities of ArcSight NRM (discussed later in this paper), mobile solution providers are armed with an indispensable suite of tools for mitigating mobile threats.

Event Visualization

Figure 4 illustrates just one of a limitless array of possible event graphs.
These graphs enable relationships to be gleaned among a group of events. Because ArcSight ESM maintains 100 percent data capture and schema enrichment in the form of categorization, GPS information and the like, any of these fields can be used to find relationships among any set of events. Examples include source and destination IPs and ports to geographies, identification information and event category, including authentication failures, denial of service activity and scans. The event graphs are interactive and allow an analyst to zoom in, display more detailed information, explore other relationship possibilities and even display the underlying event data for any point. This is an invaluable tool for an analyst that is looking for causal relationships among millions of events.

Figure 4 represents both innocuous and malicious traffic. Notice the gray node with the blue arrow pointing to it. This illustrates one source node connecting to many destination nodes in a very short period of time. While it is possible that this is legitimate traffic, a quick drill-down into the events would reveal that it is in fact an attacker scanning multiple targets for a specific open port, called a horizontal port scan.

Figure 4. Graphical representations of both innocuous and malicious traffic can reveal anomalies in normal event patterns.

Event visualization has many uses, including helping to identify anomalies. However, ArcSight offers a number of purpose-built features specifically geared for anomaly detection.

Anomaly Detection

Since anomaly detection is rooted in identifying deviations from the norm, one of the best ways to explain its operation within ArcSight ESM is through examples. Figure 5 illustrates how anomalies can easily be spotted. The yellow line represents a moving average over time, while the green bars represent spikes and dips in relation to the average.
These charts are a data monitor. This particular data monitor displays the moving average of events by a selected data field.

Figure 5. Data monitors allow for quick detection of any anomalies and deviations from the norm.

Just like event graphs, these data monitors are interactive and allow for detailed event views with drill-down. Also like event graphs, these data monitors have limitless parameters that they can be set to monitor. ArcSight ESM offers several data monitors that can help analyst investigations, including:

- Event-based, which are used to create graphical views based on event summaries;
- Non-event based, which are used to create graphical views based on internal ArcSight system status; and
- Correlation, which is used to evaluate event streams and discover anomalies.

The correlation data monitors are extremely useful for anomaly detection. ArcSight ESM offers various formats for analysts to use, including:

- Event Correlation. This data monitor provides flow-volume correlation between two different event streams. This helps corroborate attacks reported by different systems.
- Event Reconciliation. This data monitor correlates events arriving from one sensor with events arriving from another sensor. Reconciliation matches every event from stream one with one event from stream two. For example, if there is an IDS in front of a firewall, reconciliation will look at all the accepted traffic from the firewall and compare it with attack events from the IDS.
- Moving Average. As pictured in Figure 5, this data monitor displays the moving average of events by a selected data field. A moving average allows short-term fluctuations to be removed and more correctly shows long-term trends. The moving average data monitor can also plot values using various numeric fields in the event.
" Session Reconciliation. This data monitor correlates events on the basis of their occurrence within a relevant time period, such as a user ID assigned for a particular device. " Statistics. This data monitor is similar to the moving average data monitor, except that it enables an analyst to select other statistical methods in addition to moving average. Statistical methods include average, standard deviation, skew and kurtosis. Correlation, visualization and anomaly detection are extremely powerful. However, one more component is required to facilitate a complete solution that meets the needs of mobile solutions providers: discovery techniques. Discovery Techniques ArcSight offers two additional products that can be used with ArcSight ESM. They are ArcSight Pattern Discovery" and ArcSight Interactive Discovery. ArcSight Pattern Discovery is an advanced pattern identification engine. It will automatically discover repeating event patterns, such as the spread of malware. Additionally, it will automatically create correlation rules which fingerprint the threats so that the threats can be expressly monitored for against future events. This discovery solution is particularly well suited for identifying previously unknown and/or repetitive attacks. ArcSight s patent pending technology requires no prior knowledge of the threat and can operate at rates over 20,000 events per second (1,728,000,000 events per day). Some examples of where this technology has shown great utility are: " Zero-day attacks, such as emerging worms and worm variants. " Large-scale attacks, such as those launched from botnets. " Low and slow attacks that may take place across a wide range of systems over a long period of time. Figure 6 depicts various facets of the ArcSight Pattern Discovery mechanism. Addressing Mobile Threats: Effective Detection and Response 12 Untitled Document Figure 6. With ArcSight Pattern Discovery: 1. Repeating event patterns are automatically identified. 2. 
Captured event details help distinguish benign patterns from attacks. 3. Saved attack patterns can become rules to allow greater automation.

ArcSight Pattern Discovery has proven to be one of the most useful tools at an analyst's disposal. And when it is coupled with ArcSight Interactive Discovery, the capabilities surrounding detailed pattern analysis and investigation are amplified even more.

ArcSight Interactive Discovery is a powerful visual analytics application. It accelerates the discovery of subtle, suspicious events. It also generates visual summaries in compelling formats that make the underlying information understandable to those that are technical and non-technical alike. The interactive visualizations and multiple graph types complement ArcSight Pattern Discovery and the visuals and data monitors covered earlier. For incident investigation, perhaps the greatest strength of Interactive Discovery is its ability to switch between various perspectives to discover outliers.

The best way to get a feel for ArcSight Interactive Discovery is to consider a few examples. In Figure 7, a 3D graph is used to illustrate the aggregated event count against the ArcSight categories and ArcSight category outcomes. This is an excellent use of vendor-neutral categorization that allows a complete view of the network's current state, as opposed to simply looking at a few devices and vendor types.

Figure 7. A 3D graph is used to illustrate the aggregated event count against the ArcSight categories and ArcSight category outcomes, which allows a holistic view of the network's current state.

Figure 8 shows potentially malicious traffic in the form of a single source in Germany conducting a TCP SYN port sweep on port 554. This port is most commonly used for Real Server and QuickTime streaming services.

Figure 8. Potentially malicious traffic in the form of a single source in Germany conducting a TCP SYN port sweep on port 554. This port is most commonly used for Real Server and QuickTime streaming services.

As shown in Figure 9, slices of time are evaluated within the traffic flows to identify outliers. On the left, the priority of events determined earlier by ArcSight ESM is color coded. By selecting the section in yellow highlighted by the red square, more detailed information is displayed on the right, including a constant stream of events related to one source in particular.

Figure 9. Slices of time are evaluated within the traffic flows to identify outliers. Detailed and prioritized event information is displayed. This information is shown on the right within the red square.

Additionally, while it is likely not an attack, shown within the red circle are several sources that appear to have traffic patterns at very predictable intervals across the time slice. This type of traffic is commonly found with network monitoring tools, heartbeat protocols and the like. Looking at the data streams together, it is easy to identify patterns that stand out.

In this final ArcSight Interactive Discovery example, the traffic is plotted against a map and a globe. This allows the analyst to determine which sources around the world are generating the most traffic, and based on color, which traffic contains the most critical security priorities.

Figure 10. Traffic plotted against maps allows analysts to determine traffic patterns around the globe, and based on color, which traffic contains the most critical security priorities.
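The horizontal port scan called out in Figure 4, the port-554 SYN sweep in Figure 8 and the many-sources-to-one-destination DDoS pattern listed under anomaly detection share one shape: many distinct values under one key within a short window. As an added example (not ArcSight rule syntax or code; the event tuples, thresholds and window length are constructed), the following Python expresses both detections as one generic windowed rule over normalized events.

```python
from collections import defaultdict


def build_sample_events():
    """Constructed normalized events as (timestamp seconds, source, destination, dst port)."""
    events = [(50, "10.0.0.5", "198.51.100.20", 443), (60, "10.0.0.6", "198.51.100.20", 443),
              (70, "10.0.0.5", "198.51.100.21", 443)]
    # One source sweeping twelve hosts on TCP/554 within twelve seconds: a horizontal scan.
    events += [(100 + i, "203.0.113.7", f"198.51.100.{i + 1}", 554) for i in range(12)]
    # Twenty-five sources converging on one web server within 25 seconds: a DDoS fan-in.
    events += [(500 + i, f"192.0.2.{i + 1}", "198.51.100.50", 80) for i in range(25)]
    return events


EVENTS = build_sample_events()


def fan_alerts(events, key_fn, value_fn, threshold, window):
    """Generic windowed rule: fire once per key when at least `threshold` distinct
    values are seen under that key within `window` seconds.
    Returns (key, distinct_count, window_start) for each key that fired."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[key_fn(ev)].append((ev[0], value_fn(ev)))
    alerts = []
    for key, items in grouped.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            distinct = {v for ts, v in items[i:] if ts - start <= window}
            if len(distinct) >= threshold:
                alerts.append((key, len(distinct), start))
                break
    return alerts


def horizontal_scans(events, min_targets=10, window=60):
    """One source, one port, many destinations: key (src, port), count distinct dst."""
    return fan_alerts(events, key_fn=lambda e: (e[1], e[3]), value_fn=lambda e: e[2],
                      threshold=min_targets, window=window)


def ddos_fan_in(events, min_sources=20, window=60):
    """Many sources, one destination/port: key (dst, port), count distinct src."""
    return fan_alerts(events, key_fn=lambda e: (e[2], e[3]), value_fn=lambda e: e[1],
                      threshold=min_sources, window=window)
```

The same rule with a larger window and lower threshold also catches the low and slow variant; the thresholds here are tuned only for the constructed sample.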
ArcSight Pattern Discovery and ArcSight Interactive Discovery for mobile solution providers address critical points:

- Data mining of recurring patterns of activity
- Identifying behavioral clusters
- Highlighting cluster outliers
- Identifying behavioral anomalies
- Visualizing and exploring inter-relations between CDRs (IP, MMS, SMS, etc.)

Analysis is important. But the end result is leveraging the actionable information to respond. Once malicious activity is identified, ArcSight ESM, working in conjunction with ArcSight NRM, enables the enterprise to take quick action.

Incident Response

Now that flexibility, scalability, correlation and analysis have been covered, the next and final piece that will be addressed is incident response with ArcSight NRM. With ArcSight NRM, mobile providers can respond to threats through a secure, centralized, network response appliance. Instead of relying on various systems and interfaces with fragmented authentication mechanisms and uncertain documentation of changes, analysts and network engineers can leverage a common solution across the entire network architecture, and the changes made can be audited and used to fine-tune the process.

A response to an incident can be completely automated and driven from an ArcSight ESM rule firing. However, except for the most mission-critical assets, most organizations prefer to have a level of human intervention between the discovery of an incident and a response. Thus, upon a rule firing in ArcSight ESM, an analyst can be made aware of an incident. Escalation procedures and change management policies can be built directly into the ArcSight NRM solution, allowing the response to follow an approved incident management program. Also, any alerting mechanisms (such as email, page, SMS, buzzers or flashing lights) can be built into ArcSight ESM and ArcSight NRM triggers following an incident.
All interaction with the ArcSight NRM appliance is encrypted. Sensitive information is encrypted in both transit and storage. Strong authentication is also used to ensure that ArcSight NRM complies with organizational access control requirements, such as two-factor authentication. During an incident, it can be easy to overlook the documentation changes. If changes are launched from multiple locations using disparate solutions, auditing can be nearly impossible. Perhaps most important is that there are many ways to modify ACLs, change firewall rules, filter MAC addresses, disable ports and disable user accounts. However for consistency, ArcSight NRM always makes changes that are aligned with organizational polices and that follow networking and security best practices. If a change is made, but it needs to be rolled back the configuration to a prior version, it can be done with just a few clicks directly from ArcSight NRM. Having a centralized incident response capability is an incredible efficiency gain as most organizations tend to go into panic mode when a malicious incident arises. ArcSight NRM ensures that: " Policies, procedures and best practices are consistently followed " Change management, escalation and alerting mechanisms are integrated " All changes are reversible and documented " Audit trails are maintained and reports can be run against them " The incident response appliance is secure and operates securely using encryption and strong authentication " Changes can be made across any device and vendor type at layer-2, layer-3 and even at a user level through central access control systems such as LDAP " Changes made will stop the attack based on ArcSight NRM knowledge of the network architecture Addressing Mobile Threats: Effective Detection and Response 17 Untitled Document It is worth exploring this last point a bit more. Consider an attacker that has multiple forms of access. This attacker can be blocked at all access points simultaneously. 
This is particularly important for insider threats. Sessions can be terminated and changes can be made on layer-2 switches, layer-3 switches, routers, firewalls, wireless access points, VPN concentrators, access control systems and even access through physical access points can all be de-provisioned at a moment s notice. Leveraging ArcSight Solutions Now with an understanding of some key features of ArcSight ESM and ArcSight NRM, the following section will outline initial threat scenarios and some benefits of using ArcSight solutions for effective incident detection and response that can assist in mitigating risk. Mobile Malware Propagation Problem As malware propagates across the Internet and infects PCs, an infected PC can in turn infect a smartphone by many paths, including IR, Bluetooth and Sync. The infected smartphone can in turn propagate the malware through wireless LANs to other smartphones. The malware can cross-infect different phones using MMS, which in turn infects other phones via general packet radio service (GPRS). This can result in massive malware propagation causing problems similar to malware installed through traditional computer system attacks (e.g., spyware), information theft and interrupted communication. The ArcSight Solution With ArcSight ESM, the mobile provider can detect known and unknown malware behavior among subscribers based on connectivity patterns and content forwarding. This is done with a combination of cluster and outlier identification. Using correlation, anomaly detection and discovery techniques, the malicious points can quickly be identified, verified and addressed. ArcSight NRM may be leveraged to respond to these threats at a network level. DDoS Floods Problem Botnets on infected mobile devices wait for instructions from their owner. If they are instructed to launch DDoS floods, the mobile provider s core infrastructure may be overwhelmed with a high volume of seemingly legitimate requests. 
This can result in service being denied: calls cannot connect and traffic cannot be transmitted. Additionally, subscribers cannot be billed.

The ArcSight Solution

ArcSight ESM can detect an anomalous increase in call detail record (CDR) averages by subscriber, application, content type and more, and render visuals so that mobile providers can explore the interrelations between CDRs. ArcSight ESM can further conduct root-cause analysis to discover the clusters of subscribers making the repetitive request, take action against those infected subscribers and automatically track the incident. The visualization capabilities within ArcSight ESM are extremely helpful here. ArcSight ESM's flexibility in communicating with various device types ensures that the visuals are seeded with the most comprehensive information, and its highly scalable design ensures that these floods can be accurately detected regardless of the size of the network infrastructure. As with the malware propagation case, ArcSight NRM may be leveraged to respond to these threats at a network level.

Fraud

Problem

Multiple international mobile equipment identities (IMEIs) in use for a single international mobile subscriber identity (IMSI) indicate a cloned subscriber identity module (SIM). There may also be discrepancies between MMS header information and the actual content size; for example, a subscriber who transmits 100K of data but is billed for only 1K. These acts result in billing discrepancies and lost revenue for the mobile service provider.

The ArcSight Solution

ArcSight ESM can address this type of fraud by enabling providers to reconcile CDR parameters against content size and to track usage by specific subscriber, application and so forth. ArcSight ESM can also conduct geospatial CDR comparisons and link IMEI-IMSI pairings for comparison with CDRs.
ArcSight ESM's normalization and categorization features, together with event enrichment in the form of GPS data, make these comparisons possible. ArcSight Pattern Discovery and ArcSight Interactive Discovery assist analysts during the investigation.

Summary

The sophistication of mobile threats is increasing rapidly, and so is the world's dependence on secure and reliable mobile communication. Most experts agree that mobile malware will outpace the evolution of existing Internet threats. Mobile operators need defense in depth, with security measures at the handset as well as within the mobile provider's cloud. ArcSight ESM and ArcSight NRM offer unmatched flexibility, scalability, correlation, analysis and response solutions that are in place today with the largest and most mission-critical organizations across the globe, including telecommunication-grade environments. Whether the threat is malware, DDoS or fraud, ArcSight solutions are suited to provide the very best in advanced real-time and forensic event analysis and incident response.

About ArcSight

ArcSight, a leader in network and security information management, delivers mission-critical solutions for security, network and IT operations that enable enterprises to turn operational data into action. ArcSight solutions address today's complex enterprise networks that span multiple organizations and corporate business initiatives. By comprehensively collecting, analyzing, managing and responding to security and network data, ArcSight solutions mitigate information risk for real-time threat management, compliance reporting and automated network response. ArcSight's customer base includes leading global enterprises, government agencies and MSSPs.

© 2007 ArcSight, Inc. All rights reserved. ArcSight, the ArcSight Logo and ArcSight NRM are trademarks of ArcSight, Inc.
All other product and company names may be trademarks or registered trademarks of their respective owners. 01/07
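As an added worked example, not taken from the paper and not ArcSight code, the following Python sketch shows how the detections described in the Leveraging ArcSight Solutions section above look when written as correlation logic over call detail records: a robust fan-out outlier check for MMS-borne malware propagation, a baseline-versus-current request spike with root-cause grouping of the subscribers responsible for a DDoS flood, and the two fraud indicators, more than one IMEI per IMSI and billed volume far below delivered content size. The CDR field names, the thresholds and every sample record are constructed for this illustration and are not ArcSight's schema or any operator's data; the geospatial comparison the paper also mentions is not covered.

```python
"""Constructed CDR correlation examples for the three mobile threat scenarios.

Not ArcSight code. Field names, thresholds and all sample records below are
assumptions made for this illustration only.
"""
from collections import Counter, defaultdict
from statistics import median


def cdr(ts, imsi, imei, kind, dest, content=0, billed=None):
    """Build one call detail record; billed defaults to content (honest billing)."""
    return {"ts": ts, "imsi": imsi, "imei": imei, "type": kind, "dest": dest,
            "content_bytes": content,
            "billed_bytes": content if billed is None else billed}


# --- Constructed sample data: a 10 minute window, ts in seconds ------------
CDRS = []
# Ordinary subscribers send a few MMS each to one or two recipients.
for imsi, imei, recips in [("S1", "E1", ["R1", "R2"]), ("S2", "E2", ["R3"]),
                           ("S3", "E3", ["R4", "R5"]), ("S4", "E4a", ["R6"]),
                           ("S5", "E5", ["R7", "R8"])]:
    CDRS += [cdr(30 * i, imsi, imei, "MMS", r, 20_000) for i, r in enumerate(recips)]
# Malware spreader: S6 fans the same MMS out to 12 distinct handsets.
CDRS += [cdr(100 + i, "S6", "E6", "MMS", f"R{20 + i}", 20_000) for i in range(12)]
# Cloned SIM: S4's IMSI also appears on a second handset (IMEI E4b).
CDRS.append(cdr(400, "S4", "E4b", "MMS", "R9", 20_000))
# Billing fraud: S5 transmits 100K of content but the header is billed as 1K.
CDRS.append(cdr(410, "S5", "E5", "MMS", "R10", content=100_000, billed=1_024))
# Data requests, baseline window (ts < 300): light legitimate use of two hosts.
CDRS += [cdr(60 * i, "S1", "E1", "DATA", "api.example", 500) for i in range(3)]
CDRS += [cdr(60 * i, "S2", "E2", "DATA", "mail.example", 500) for i in range(2)]
# Current window (ts >= 300): a bot cluster S6..S8 hammers api.example.
for bot, imei in [("S6", "E6"), ("S7", "E7"), ("S8", "E8")]:
    CDRS += [cdr(300 + 5 * i, bot, imei, "DATA", "api.example", 500) for i in range(10)]
CDRS.append(cdr(330, "S1", "E1", "DATA", "api.example", 500))  # one legitimate request
CDRS += [cdr(300 + 60 * i, "S2", "E2", "DATA", "mail.example", 500) for i in range(2)]


def mms_fanout_outliers(cdrs, k=3.0, min_recipients=5):
    """Malware propagation: senders whose distinct-recipient fan-out is a robust
    outlier (above median + k * MAD) relative to the whole subscriber population."""
    fanout = defaultdict(set)
    for r in cdrs:
        if r["type"] == "MMS":
            fanout[r["imsi"]].add(r["dest"])
    counts = {imsi: len(d) for imsi, d in fanout.items()}
    if not counts:
        return []
    med = median(counts.values())
    mad = median(abs(c - med) for c in counts.values()) or 1.0  # avoid a zero scale
    return sorted(i for i, c in counts.items()
                  if c >= min_recipients and c > med + k * mad)


def request_spike(cdrs, split_ts, factor=5.0, share=0.10):
    """DDoS flood: per destination, compare request volume in the current window
    (ts >= split_ts) with the equal-length baseline window before it. For each
    spike, return the subscribers that each contributed at least `share` of the
    current requests: the cluster making the repetitive request, without the
    incidental legitimate users caught in the same window."""
    base, cur = Counter(), Counter()
    who = defaultdict(Counter)
    for r in cdrs:
        if r["type"] != "DATA":
            continue
        if r["ts"] < split_ts:
            base[r["dest"]] += 1
        else:
            cur[r["dest"]] += 1
            who[r["dest"]][r["imsi"]] += 1
    spikes = {}
    for dest, n in cur.items():
        if n > factor * max(base[dest], 1):
            cluster = sorted(s for s, c in who[dest].items() if c / n >= share)
            spikes[dest] = {"baseline": base[dest], "current": n, "cluster": cluster}
    return spikes


def cloned_sims(cdrs):
    """Fraud: an IMSI observed on more than one IMEI indicates a cloned SIM."""
    handsets = defaultdict(set)
    for r in cdrs:
        handsets[r["imsi"]].add(r["imei"])
    return {imsi: sorted(s) for imsi, s in handsets.items() if len(s) > 1}


def billing_mismatch(cdrs, ratio=10.0):
    """Fraud: MMS whose delivered content is far larger than the billed volume."""
    return [(r["imsi"], r["content_bytes"], r["billed_bytes"]) for r in cdrs
            if r["type"] == "MMS"
            and r["content_bytes"] > ratio * max(r["billed_bytes"], 1)]


if __name__ == "__main__":
    print("MMS fan-out outliers:", mms_fanout_outliers(CDRS))
    print("Request spikes:", request_spike(CDRS, split_ts=300))
    print("Cloned SIMs:", cloned_sims(CDRS))
    print("Billing mismatches:", billing_mismatch(CDRS))
```

Two design points carry over to a real correlation engine. The fan-out check scales its threshold with the median and median absolute deviation rather than the mean and standard deviation, so a single mass-mailer does not inflate the threshold it is measured against. The spike check compares equal-length windows and then filters the responsible subscribers by their share of the flood, which is what separates the infected cluster from a legitimate user who happened to hit the same host during the attack; the thresholds (factor 5, share 10%, ratio 10) are placeholders to be tuned against the operator's own traffic.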






