Security Information & Event Management (SIEM)
September 6, 2012
Enterprise Security
Getting to Optimized: The Maturity Model of Enterprise Security
Technology Architecture for Security
How Connected Is Your Security?
Agents on every host: Host IPS Agent, Systems Management Agent, Audit Agent, Antivirus Agent, Encryption, NAC, DLP Agent
EVERY SOLUTION HAS AN AGENT
EVERY AGENT HAS A CONSOLE
EVERY CONSOLE REQUIRES A SERVER
EVERY SERVER REQUIRES AN OS/DB
EVERY OS/DB REQUIRES PEOPLE, MAINTENANCE, PATCHING
WHERE DOES IT END?
Technology Architecture for Security
How Connected Is Your Security?
SINGLE CONSOLE, SINGLE AGENT
McAfee ePO Server (AV, Host IPS, DLP, NAC, Application Control, Encryption, MOVE-AV, Deep Command, Deep Defender, Policy Auditor, Risk Advisor, SiteAdvisor, AV for NetApp, AV for SAP Netweaver)
McAfee Security Connected Solution Platform
SECURITY MANAGEMENT: Security Operations Mgmt, Policy Auditing & Management, Vulnerability Management, Risk Management, Compliance Management
PARTNER COMMUNITY (McAfee Connected): Global Strategic Alliance Partners, Security Innovation Alliance
NETWORK SECURITY: High Assurance Firewall, Network Intrusion Prevention, Network Access Control, Network Behavior Analysis
INFORMATION SECURITY: Email Security, Web Security, Data Loss Prevention, Encryption, Identity & Access Management, API and Web Services Security
ENDPOINT SECURITY: Server & Database Protection, Smartphone and Tablet Protection, Virtual Machine and VDI Protection, Hardware Assisted Security, Embedded Device Protection, Malware Protection, Device Encryption, Application Whitelisting, Desktop Firewall, Device Control, Email Protection
McAfee’s Open Platform for Security Risk Management
What It Takes to Make an Organization Safe
Global Threat Intelligence: Threat Reputation
Feeds: Network IPS, Firewall, Web Gateway, Mail Gateway, Host AV, Host IPS, 3rd Party Feed
McAfee Threats Report Q2, 2012: Ransomware
McAfee Threats Report Q2, 2012: Network Threats
What is SIEM?
SIEM is the Evolution and Integration of Two Distinct Technologies
• Security Event Management (SEM): primarily focused on collecting and aggregating security events
• Security Information Management (SIM): primarily focused on the enrichment, normalization, and correlation of security events
Security Information & Event Management (SIEM) is a set of technologies for:
• Log Data Collection
• Correlation
• Aggregation
• Normalization
• Retention
• Analysis and Workflow
Three Major Factors Driving the Majority of SIEM Implementations
1. Real-Time Threat Visibility
2. Security
3. Operational Efficiency
Requirements and logging in ISO27002 & DS484
• DS484 - 10.10 Logging and monitoring
• Information processing systems shall be monitored and security-related events shall be recorded. There shall be logging that ensures that undesirable conditions are detected.
• ISO27002 - 10.10 Monitoring
• Systems should be monitored and information security events should be recorded. Operator logs and fault logging should be used to
Log Management
INVESTIGATE LOGS AFTER THE FACT
Investigate: Log Management and Search
• What else happened at this time? Near this time?
• What is the time zone?
• What is this service? What other messages did it produce? What other systems does it run on?
• What is the host's IP address? Other names? Location on the network/datacenter? Who is the admin? Is this system vulnerable to exploits?
• What does this number mean? Is this documented somewhere?
• Who is this user? What is the user's access level? What is the user's real name, department, location? What other events from this user?
• What is this port? Is this a normal port for this service? What else is this service being used for?
• DNS name, Windows name, other names? Whois info? Organization owner? Where does the IP originate from (geolocation info)? What else happened on this host? Which other hosts did this IP communicate with?
The Big Security Data Challenge
Correlate Events, Consolidate Logs, Historical Reporting, Large Volume Analysis
Thousands of Events: Perimeter, APTs, Cloud, Data, Insider, Compliance, Anomalies
The SIEM ‘Catch 22’ – Fundamental Problem
Source: Forrester, Verizon
• 80% of threats come from insiders
• 39% of threats target software, applications, and services
• 66% of those involved
EVENT, LOG AND COMPLIANCE CONTENT + CONTEXT
Broad Context Correlation
Context sources: Device & Application Log Files, Application Content, Authentication & IAM, Events from Security Devices & Endpoints, User Identity, Location, VA Scan Data, Network Flows, Time, OS Events
Situational Aware Risk Management
Today’s SIEM Needs
Log Management
Traditional Context
Content Aware
Dynamic Content
Visualize, Investigate, Respond
GLOBAL THREAT LANDSCAPE / ENTERPRISE RISK LANDSCAPE
ePolicy Orchestrator, Risk Advisor, Advanced Correlation Engine
• See log frequencies
• Search for logs
• Correlate events
• What data is involved?
• Who is doing it?
• Are they a bad actor?
• What is the risk of the system?
• What is the risk of the user?
• Threat intelligence feed
• Immediate alerting
• Historical Analysis
GTI (*) with SIEM delivers even greater value
Sorting Through a Sea of Events…
200M events and logs → 18,000 alerts → Dozens of endpoints → Handful of users → Specific files breached (if any) → Optimized response
RESPOND
• Have I Been Communicating With Bad Actors?
• Which Communication Was Not Blocked?
• What Specific Servers/Endpoints/Devices Were Breached?
• Which User Accounts Were Compromised?
• What Occurred With Those Accounts?
• How Should I Respond?
Example: Repeated failed login attempts
Description: Monitor for repeated failed logins to various systems and during short and long time spans. (One source to many destinations.)
Method: Alert
Receiver: SOC
Action: Investigate and report
Purpose: Proactively stop security incidents
Data Sources: Active Directory (Global & XDS), Identity Manager (Sun), {Server Specific}, {Database specific}, {Application specific}
Data Status: Partly ready, depending on scope.
Sample log lines: Login Failed: sssaaa / Login Failed: sssaab / Login Failed: sssaac / Login Failed: sssaba
→ NitroSecurity Console (Alert)
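The failed-login use case above (one source, many destinations, short and long time spans) and the SIEM building blocks listed earlier (collection, normalization, aggregation, correlation), worked through as one added example. This is not code from the presentation or from McAfee/NitroSecurity: the two log formats, host names, addresses and user names are constructed, and the window sizes and destination thresholds are assumptions chosen for illustration.

```python
"""Added example: a minimal SIEM-style pipeline.

Normalises constructed log lines from two different formats into one event
schema (the normalization step), aggregates them per source/destination, and
correlates repeated failed logins from one source against many destinations
over a short and a long time window, as in the slide's use case.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample input (not from the presentation): an AD-style line format
# and an sshd-style syslog format. Host names, IPs and users are made up.
RAW_LOGS = [
    "2012-09-06T08:00:01Z ad-global Login Failed: sssaaa from 10.1.2.3",
    "2012-09-06T08:00:07Z ad-xds Login Failed: sssaab from 10.1.2.3",
    "2012-09-06T08:00:15Z db-prod01 sshd[4121]: Failed password for sssaac from 10.1.2.3 port 51022 ssh2",
    "2012-09-06T08:01:40Z app-portal Login Failed: sssaba from 10.1.2.3",
    "2012-09-06T09:00:00Z ad-global Login Failed: jdoe from 10.5.5.5",
    "2012-09-06T09:00:20Z ad-global Login Failed: jdoe from 10.5.5.5",
    "2012-09-06T09:00:35Z ad-global Login Succeeded: jdoe from 10.5.5.5",
    "2012-09-06T10:00:00Z ad-global Login Failed: svc01 from 10.9.9.9",
    "2012-09-06T11:00:00Z ad-xds Login Failed: svc02 from 10.9.9.9",
    "2012-09-06T12:00:00Z db-prod01 sshd[4130]: Failed password for svc03 from 10.9.9.9 port 51100 ssh2",
    "2012-09-06T13:00:00Z app-portal Login Failed: svc04 from 10.9.9.9",
    "2012-09-06T14:00:00Z fileserver Login Failed: svc05 from 10.9.9.9",
    "2012-09-06T14:00:01Z fileserver kernel: unrelated message, dropped by the normaliser",
]

# Assumed (constructed) line formats; a real deployment has one parser per data source.
AD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dst>\S+) Login (?P<res>Failed|Succeeded): (?P<user>\S+) from (?P<src>\S+)$"
)
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dst>\S+) sshd\[\d+\]: (?P<res>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str       # where the attempt came from ("one source")
    destination: str  # system the login was attempted on ("many destinations")
    user: str
    outcome: str      # "failed" or "success"


@dataclass(frozen=True)
class Alert:
    source: str
    first_seen: datetime
    destinations: tuple
    users: tuple
    failures: int


def normalize(line: str) -> Optional[Event]:
    """Map a raw line from either format onto the common Event schema."""
    m = AD_RE.match(line) or SSHD_RE.match(line)
    if m is None:
        return None  # unknown format: dropped (a real SIEM would count these)
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    outcome = "failed" if m["res"] == "Failed" else "success"
    return Event(ts, m["src"], m["dst"], m["user"], outcome)


def aggregate(events):
    """Aggregation: collapse repeated failures into counts per (source, destination)."""
    counts = defaultdict(int)
    for e in events:
        if e.outcome == "failed":
            counts[(e.source, e.destination)] += 1
    return dict(counts)


def correlate(events, window: timedelta, min_destinations: int):
    """One-source-to-many-destinations rule: for each source, slide a window over
    its failed logins and alert once if, within any window, the failures span at
    least `min_destinations` distinct systems."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.outcome == "failed":
            by_source[e.source].append(e)
    alerts = []
    for src, fails in by_source.items():
        for i, start in enumerate(fails):
            in_window = [e for e in fails[i:] if e.ts - start.ts <= window]
            dests = sorted({e.destination for e in in_window})
            if len(dests) >= min_destinations:
                users = tuple(sorted({e.user for e in in_window}))
                alerts.append(Alert(src, start.ts, tuple(dests), users, len(in_window)))
                break  # one alert per source; the SOC investigates from there
    return alerts


def run_rules(lines=RAW_LOGS):
    """Normalise, then apply a short-span and a long-span instance of the rule
    (window sizes and thresholds are assumed values)."""
    events = [e for e in map(normalize, lines) if e is not None]
    short = correlate(events, timedelta(minutes=5), min_destinations=3)
    long_ = correlate(events, timedelta(hours=24), min_destinations=5)
    return events, short, long_


if __name__ == "__main__":
    events, short, long_ = run_rules()
    for name, alerts in (("short window 5 min, >=3 hosts", short), ("long window 24 h, >=5 hosts", long_)):
        for a in alerts:
            print(f"[{name}] {a.source}: {a.failures} failures, users={a.users}, hosts={a.destinations}")
```

The two rule instances are deliberately different: the short window catches a burst (10.1.2.3 hits four systems in under two minutes), while the long window catches a low-and-slow sweep that never trips the short rule (10.9.9.9 tries one system per hour). A user who mistypes a password twice against a single host does not fire either rule, because the rule keys on distinct destinations rather than on raw failure counts.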
Industry Recognition
• Placed in the “Leaders” quadrant in Gartner’s latest SIEM Magic Quadrant
• Ranked in the top 3 for Critical Capabilities
• “We have been able to validate Nitro’s high performance with large production deployments”
• Winner of InfoWorld’s prestigious 2011 Technology of the Year Award for NitroView ESM and ELM solutions
• “This honor is the result of NitroSecurity’s #1 ranking, outscoring six other vendors to achieve the highest overall score”
• “The best and fastest database in the security industry”
• “Very advanced technology and the vision to apply it in a threat management environment”
• “An analyst’s power tool that provides strong SIEM capabilities in a highly configurable dashboard approach”
• NitroSecurity offers one of the most useful and seamless incident response-focused ESIM products available today
• The rate at which the NitroEDB can insert and
Sample Customers