Find the intruders using correlation and context
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 2
Agenda
The changing threat landscape
What can you do to find intruders?
Best practices for timely detection and mitigation
HP ArcSight
Find the intruder at each and every step of the process
Diagram: the attack process shown runs Research, Infiltration, Discovery, Capture, spanning their ecosystem and our enterprise.
Riskier Enterprises + Advanced Attackers = More Attacks
Chart (threat landscape, January 2013 to April 2014): advanced attackers (state funded, LulzSec, Anonymous) and new technologies (cloud, SDN, mobile/BYOD) against a rising count of attacks: 24 million, 40 million, 95 million, 101 million, 130 million.
Average time to detect a breach: 243 days
Current solutions are not enough
130%
• No effective way… too many products, vendors, solutions
• Big data… hundreds of apps emitting large volumes of raw machine data
• Silo’d products… apps and devices are in silos that don’t learn or share information
• Limited context… need a domain expert to understand and make sense of raw logs
What can you do to find them?
• Put the clues together
• Detect anomalous patterns
• Profile user behavior
• Monitor your applications
69% of breaches discovered by an external party
56% of malware evades sandboxing
42% of breaches involved social engineering or malicious insiders
84% of breaches occur at the application layer
Best practices for timely detection and mitigation
Transform Big Data into actionable intelligence
Collect/correlate: up to 100,000 events/second from 350+ connectors
Search: 2 million+ events per second
Analyze: a breach in 4 hours with quick forensic investigation
Transformation in Detail
Capability: Benefit
Collect: Collect logs from any device, any source, and in any format at high speed
Enrich: Machine data is unified into a single format through normalization and categorization
Search: Simple text-based search tool for logs and events without the need of domain experts
Store: Archive years’ worth of unified machine data through high compression ratios
Adding context to security intelligence
Diagram layers: log management; data capture; event correlation; controls monitoring, user monitoring, app monitoring and fraud monitoring. Context sources: users and roles, threat intelligence, business asset model, applications.
Shared threat intelligence
Diagram (HP Threat Central): feeds, open source threat DB, privacy-enhanced TC Forum, TC Portal, HP Security Research, InQuest, partners; private community, sector community, global community.
The multiple login example
Adding identity and role context
Event 1: action login; application Windows; user johnd; login time 1/1/14, 10:00pm; place Sunnyvale, CA, USA
Event 2: action login; application Sales Force; user [email protected]; login time 1/1/14, 10:05pm; place London, UK
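The correlation this slide describes, as an added example (not ArcSight content or code): the two login events are resolved to one person through an assumed identity-context table and constructed place coordinates, and a login pair whose implied travel speed is impossible is flagged. The identity map, the coordinates, the single time zone and the 1,000 km/h threshold are assumptions.

```python
"""Added example (not ArcSight code): join login events from two applications
to one identity, then flag a login pair that would require impossible travel."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed identity context: (application, account name) -> person.
IDENTITY_MAP = {
    ("Sales Force", "[email protected]"): "John Doe",   # account as printed on the slide
    ("Windows", "johnd"): "John Doe",
}
# Constructed geo context for the Place field: (latitude, longitude).
PLACES = {"London, UK": (51.51, -0.13), "Sunnyvale, CA, USA": (37.37, -122.04)}

# Constructed events from the slide; both timestamps assumed to be in one time zone.
EVENTS = [
    {"action": "login", "app": "Windows", "user": "johnd",
     "time": "2014-01-01 22:00", "place": "Sunnyvale, CA, USA"},
    {"action": "login", "app": "Sales Force", "user": "[email protected]",
     "time": "2014-01-01 22:05", "place": "London, UK"},
]

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(events, max_kmh=1000.0):
    """Group logins by resolved identity; return (who, from_app, to_app, km, hours)
    for consecutive logins whose implied speed exceeds max_kmh."""
    by_identity = {}
    for e in events:
        who = IDENTITY_MAP.get((e["app"], e["user"]))
        if e["action"] != "login" or who is None:   # no identity context: cannot correlate
            continue
        by_identity.setdefault(who, []).append(e)
    alerts = []
    for who, logins in by_identity.items():
        logins.sort(key=lambda e: e["time"])          # ISO timestamps sort lexically
        for prev, cur in zip(logins, logins[1:]):
            delta = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            hours = delta.total_seconds() / 3600
            km = km_between(PLACES[prev["place"]], PLACES[cur["place"]])
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_kmh:
                alerts.append((who, prev["app"], cur["app"], round(km), round(hours, 2)))
    return alerts
```

Without the identity map the two accounts never meet in one group, which is the point of the slide: the anomaly is only visible once both logins are attributed to the same person.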
Example: add user context to database logging
Diagram (application layer intelligence): events, SQL, user name. Only by logging through the application can database logs include user information.
Security is complex, ArcSight helps you…
Get Control: transform Big Data into actionable security intelligence
Get Efficient: faster resolution with fewer resources
Get Compliant: automate your compliance out-of-the box
HP ArcSight delivers
• Minutes to generate an IT GRC report: ArcSight content generates IT GRC reports that otherwise would take 4 weeks
• 4 hours to respond to a breach: ArcSight enables forensic investigation and a quick response to a data breach that otherwise would take 24 days
• Days to fix a threat vulnerability: seamless integration allows faster
• Days to run an IT audit: search results yield audit-quality logs that otherwise would take 6 weeks
• Minutes to fix an IT incident: full-text searching of any data enables incident resolution that otherwise would take 8 hours
Other headline figures on the slide: 5, 2, 10
ArcSight takes the complexity out of Big Data
Volume
• Cross-device, real-time correlation of data across IT
• Long term archival at 10:1 compression ratio with ArcSight
• Send it to Hadoop at over 100,000 EPS
Velocity
• SmartConnectors collect logs, events, flows at over 100,000 EPS from almost any log generating source
• Search data at over 2,000,000 EPS
Variety
• Collects machine generated data from 350+ distinct sources
• Autonomy collects human generated data from 400+ distinct sources
• Collect from hybrid networks such as physical, virtual, and cloud
• HP ArcSight named A LEADER in the Gartner Magic Quadrant for Security Information and Event Management (SIEM), 10 YEARS IN A ROW.
• The MOST VISIONARY PRODUCT in the Gartner SIEM MQ
BMW
“HP ArcSight ESM has enabled our IT department to be an enabler of the business. We can act very fast on security incidents and can reduce the loss of contracts and financial services due to the improved integrity of our network.”
— Marc Seiffert, Senior IT Specialist
HP ArcSight Information Security Product Family
A comprehensive solution for big data security and compliance
Big Data Security
Next Gen FW
Security Intelligence and Operations Center
• Largest number of SOCs built through HP ArcSight
SOC Appliance for mid-market
• One box solution for security use cases
• Delivers value out-of-the-box
Security Information and Event Management (SIEM)
• Leaders in Gartner MQ for 10 years in a row
Universal Log Management
• Collect, store, analyze machine data from anywhere
• Cost-effective
Join Our Conversation
We are on your side. Visit our blogs.
HP Security Research hp.com/go/HPSRblog
HP Security Products
hp.com/go/SecurityProductsBlog