Redefining SIEM to Real Time Security Intelligence


(1)

Redefining SIEM to Real Time Security Intelligence

September 18, 2012

(2)

It's not paranoia if they really are out to get you

Threats:

• Malware

• Malicious Insiders

• Exploited Vulnerabilities

• Careless Employees

• Mobile Devices

• Social Networking

• Social Engineering

• Zero-Day Exploits

• Cloud Computing Security

(3)

Reality of Compliance

• Audits happen quarterly or annually

(4)

SIEM – The Great Correlator

• Major SIEM Functions

– Collect

– Normalize

– Correlate

• Collect log and event data from systems across the network

– Security devices, applications, OS, databases, end-point protections, etc.

• Normalize similar events across disparate data sources

– Login events from a VPN, OS, or Application are all "authentication events"

• Correlate multiple events into known attack vectors or policy violations
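The collect / normalize / correlate pipeline above, as an added example that is not part of the original deck: three constructed log formats (a VPN appliance, Linux sshd, and a JSON web-application log) are normalized into one "authentication event" schema, and a single correlation rule then flags a known attack pattern (repeated failures from one source IP across any mix of systems followed by a success). The log formats, field names, thresholds and sample records are all assumptions made for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from three unrelated sources (illustrative, not real device output).
RAW_LOGS = [
    ("vpn", "2012-09-18 10:00:01 VPN: user=jdoe src=203.0.113.5 result=FAIL"),
    ("linux", "Sep 18 10:00:09 web01 sshd[4021]: Failed password for jdoe from 203.0.113.5 port 51001 ssh2"),
    ("app", '2012-09-18T10:00:20 {"event":"login","user":"jdoe","ip":"203.0.113.5","ok":false}'),
    ("vpn", "2012-09-18 10:00:33 VPN: user=jdoe src=203.0.113.5 result=OK"),
    ("linux", "Sep 18 10:05:00 web01 sshd[4022]: Accepted publickey for ops from 198.51.100.7 port 51002 ssh2"),
]
VPN_RE = re.compile(r"^(\S+ \S+) VPN: user=(\S+) src=(\S+) result=(\S+)")
SSHD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) \S+ for (\S+) from (\S+)")

def normalize(source, line, year=2012):
    """Collect + normalize: map a source-specific record onto one 'authentication event' schema."""
    if source == "vpn":
        ts, user, ip, result = VPN_RE.match(line).groups()
        time, host, ok = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "vpn", result == "OK"
    elif source == "linux":  # syslog lines carry no year; the collector supplies it
        ts, host, verb, user, ip = SSHD_RE.match(line).groups()
        time, ok = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"), verb == "Accepted"
    elif source == "app":
        ts, body = line.split(" ", 1)
        rec = json.loads(body)
        time, host, user, ip, ok = datetime.fromisoformat(ts), "webapp", rec["user"], rec["ip"], rec["ok"]
    else:
        raise ValueError(f"unknown source {source}")
    return {"time": time, "user": user, "src_ip": ip, "host": host,
            "outcome": "success" if ok else "failure"}

def correlate(events, failures=3, window=timedelta(minutes=5)):
    """Correlate: >= `failures` failed logons from one source IP within `window`, on any mix of
    systems, followed by a success from that IP -> one 'brute force then success' finding."""
    findings, recent = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        ip = ev["src_ip"]
        recent[ip] = [t for t in recent[ip] if ev["time"] - t <= window]  # drop stale failures
        if ev["outcome"] == "failure":
            recent[ip].append(ev["time"])
        elif len(recent[ip]) >= failures:
            findings.append({"rule": "brute_force_then_success", "src_ip": ip, "user": ev["user"],
                             "host": ev["host"], "failures": len(recent[ip])})
            recent[ip].clear()
    return findings

def run(raw_logs=RAW_LOGS):
    return correlate([normalize(src, line) for src, line in raw_logs])
```

Without the normalization step, the three failures would sit in three different formats and no single-source rule would reach the threshold.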

(5)

Redefining SIEM

• Security is a Process, not a Product

– Each stage supports the next

– A "weak link" breaks the process

– Tools need to automate each stage

– Integration provides actionable intelligence

• Legacy SIEMs are Limited

– Risk Assessment — limited to VA scan data

– Threat Detection — limited to event correlation

– Incident Response — limited to log analysis

(6)

SIEM is Still Evolving…To

• SIEM Content Awareness (Next Generation SIEM)

– Content Awareness is Understanding the Payload at the Application Layer

• What is actually being Communicated, Transferred, and Shared over the Network.

• Examples of "Content" Awareness are the understanding of:

– Email contents, including the attachments

– Social, IM and P2P Network Communications

– Document Contents

– Application Relationships with Database Queries and Responses

– Database Monitoring

(7)

Adding Context to Logs

Log record: the questions surrounding context has to answer before a single record can be interpreted

What else happened at this time? Near this time?

What is the time zone?

What is this service? What other messages did it produce?

What other systems does it run on?

What is the host's IP address? Other names? Location on the network/datacenter?

Who is the admin? Is this system vulnerable to exploits?

What does this number mean? Is this documented somewhere?

Who is this user? What is the user's access level? What is the user's real name, department, location?
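The context questions above, worked as an added example that is not from the deck: a normalized event is joined against constructed stand-ins for the asset inventory (host IP, location, admin, time zone, open vulnerabilities from the VA scan), the user directory (real name, department, access level) and a vendor event-code reference, its source-local timestamp is converted to UTC, other events near that time are attached, and a simple risk score is computed. The context tables, the scoring weights and the sample events are assumptions; the two Windows logon event IDs are real.

```python
from datetime import datetime, timedelta, timezone

# Constructed context stores standing in for an asset inventory/CMDB, a user directory,
# VA scan results and a vendor event-code reference (illustrative values only).
ASSETS = {
    "fs01": {"ip": "10.1.2.15", "location": "dc1/rack7", "admin": "ops", "tz_offset_h": -5,
             "services": ["smb", "winlogon"], "open_vulns": ["VULN-ID-PLACEHOLDER"]},
    "vpn": {"ip": "10.1.0.2", "location": "dc1/edge", "admin": "netops", "tz_offset_h": 0,
            "services": ["vpn"], "open_vulns": []},
}
USERS = {
    "jdoe": {"real_name": "J. Doe", "department": "finance", "access_level": "user"},
    "ops": {"real_name": "Ops Team", "department": "it", "access_level": "admin"},
}
EVENT_CODES = {4625: "Windows: an account failed to log on",
               4624: "Windows: an account was successfully logged on"}

# Constructed normalized events; 'time' is the source's local clock exactly as it was logged.
EVENTS = [
    {"host": "fs01", "user": "jdoe", "code": 4625, "time": datetime(2012, 9, 18, 5, 0, 1)},
    {"host": "vpn", "user": "jdoe", "code": None, "time": datetime(2012, 9, 18, 9, 59, 40)},
    {"host": "fs01", "user": "ops", "code": 4624, "time": datetime(2012, 9, 18, 7, 30, 0)},
]

def to_utc(event):
    """'What is the time zone?': reinterpret the source clock using the asset's recorded offset."""
    offset = ASSETS.get(event["host"], {}).get("tz_offset_h", 0)
    return event["time"].replace(tzinfo=timezone(timedelta(hours=offset))).astimezone(timezone.utc)

def enrich(event, events=EVENTS, near=timedelta(seconds=60)):
    """Attach host, service, user, vulnerability and event-code context, nearby events and a risk score."""
    asset, user, utc = ASSETS.get(event["host"], {}), USERS.get(event["user"], {}), to_utc(event)
    nearby = [e for e in events if e is not event and abs(to_utc(e) - utc) <= near]
    score = 1
    score += 3 if asset.get("open_vulns") else 0              # vulnerable host raises priority
    score += 2 if user.get("access_level") == "admin" else 0  # privileged account involved
    score += 2 if event["code"] == 4625 else 0                # logon failure
    score += len(nearby)                                      # activity clustered around this time
    return {
        "time_utc": utc.isoformat(), "host": event["host"], "host_ip": asset.get("ip"),
        "location": asset.get("location"), "admin": asset.get("admin"),
        "services": asset.get("services", []), "open_vulns": asset.get("open_vulns", []),
        "user": event["user"], "user_name": user.get("real_name"),
        "department": user.get("department"), "access_level": user.get("access_level"),
        "code_meaning": EVENT_CODES.get(event["code"], "undocumented"),
        "nearby": [(e["host"], e["user"]) for e in nearby], "risk": score,
    }
```

Note that the file-server failure and the VPN event are only recognised as neighbours once both clocks are normalized to UTC; compared as logged they are five hours apart.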

(8)

Broad Content and Context Correlation

• Events from Security Devices

• Database Transactions

• OS events

• Application Contents

• User Identity

• VA Scan Data

• Device & Application

(9)

SIEM and Situational Awareness

• SIEM DOES NOT SOLVE APT, but Provides Situational Awareness

– THERE IS NO APT "ALL IN ONE SOLUTION"

• SIEM Can Help with Attacks

– Determining the Scope of Attack

• What Systems or Devices were Involved

• What DATA was Compromised

• What Evasion Techniques were Utilized

• Timelines

• Toolsets Utilized

• Work Flows and Processes of Attackers

– Heuristics for Historical Correlation

• Even with SIEM, Security Expertise and Experience are REQUIRED

(10)

Scalability & Performance

• Unmatched Speed

– Industry's Fastest SIEM

– 100x to 1,000x faster than current solutions

– Queries, correlation and analysis in minutes, not hours

• Unmatched Scale

– Collect all relevant data, not selected sub-sets

– Analyze months and years of data, not weeks

– Include higher layer context and content information

(11)

NitroView Overview


"Single Pane-of-Glass"

McAfee ADM

• Application Data Monitor

• Layer 7 Decode

• Full Meta-Data Collection

• Application Visibility: 100s of applications and 500+ document types

McAfee DEM

• Database Activity Monitor

• Database Log Generation

• Session Audit

• Data Visibility: Data traffic from leading databases

McAfee ACE

• Advanced Correlation

• Risk-Based Correlation

• Historical Correlation

• Asset information/context

• Vulnerability Information

• Risk Scoring: Detect potential threats; which assets are most at-risk

McAfee ESM

• Unified Visibility & Analysis

• Compliance & Reporting

• Policy Management

McAfee Receiver

• 3rd Party Log/Event Collection

• Network Flow Data Collection

• VMware Receivers Available

McAfee ELM

• Log Management

• Compliant Log Storage

(12)

Global Threat Intelligence (GTI)


ADM

• Application Data Monitor

• Layer 7 Decode

• Full Meta-Data Collection

• Application Visibility

DEM

• Database Event Monitor

• Database Log Generation

• Session Audit

• Data Visibility

ACE

• Advanced Correlation

• Risk-Based Correlation

• Historical Correlation

• Risk Scoring

ESM

• Unified Visibility & Analysis

• Compliance & Reporting

• Policy Management

Receiver

• 3rd Party Log/Event Collection

• Network Flow Data Collection

• VMware Receivers Available

ELM

• Log Management

• Compliant Log Storage

• SAN/CIFS/NFS/Local Storage

Shared Threat Intelligence

• Reputation-based: WW visibility into all types of cyber threats

• Automatic, push feed

• Today – Bad Actors/Dangerous IPs

• Additional GTI capabilities:

(13)

How can SIEM help with MTTR?

(17)

References
