Symantec Security Information Manager
Version 4.7
Agenda
What are the challenges?
What is Security Information Manager?
How does Security Information Manager work?
Managing IT Security
PREVENT
• Monitor user access violations
• Prioritize attacks as they occur
• Reduce impact through quicker remediation
INFORM
• Assist forensic investigations
• Establish metrics and trends
• Correlate to global threat activity
COMPLY
• Collect, query and analyze log data
• Meet long term log retention requirements
• Provide on demand
What is Security Information Manager?
Security Information Manager covers four areas: Collection, Storage, Correlation and Reporting.
Collection
• Broad and customizable
• High volume processing
• Meaningful normalization
• Assured reliability
Storage
• Flexible capacity
• Archive segmentations
• Quick queries/searches
• Retention Policy Automation
Correlation
• Pattern based rules
• Global Intelligence Network integration
• Asset groupings
• Over 400 out of box
Reporting
• Customizable consoles
• Web based portals
• Raw event data viewer
• Over 150 out of the box compliance reports
Why Symantec
Symantec Security Information Manager: All Inclusive Solution
• Collectors: Firewall, Intrusion Prevention, Windows Events, Syslog; Universal Collector for other sources…
• Correlation Manager
• Manager Console
• Pre-built Queries
• LiveUpdate Service
• Log Archiving
• Infrastructure Components
• Reports and Dashboards (150+ pre-defined)
• “Optional” Intelligence Feed (GIN)
Only 1 optional component
No excessive “add-on” costs
Single deployment supports evolving needs
Key Advantages
• Lower acquisition and maintenance costs
  – Rapid Deployment = Faster time to value
  – Lower maintenance overhead
• Dynamic correlation with updated external intelligence content (GIN)
  – Expands external attack information for bots, worms and IP addresses
  – Improves posture for proactive protection
• Flat file data structure
  – Faster querying
  – More economical archiving and storage
• Automated updates to remediation and workflow guidance
  – Attack descriptions
  – Optimal safeguard details and mitigation steps
• Single solution for log and event management
  – Does not require two separate infrastructures
What to ask yourself
What is the required deployment timeframe for your SIM?
What staff resources and expertise will be available to maintain database tuning and correlation rule development?
What are your requirements for true “real time” processing of events?
Can your SIM detect malicious IPs coming in or targeting your network?
Can your SIM detect malicious traffic coming from your network to a malicious IP source?
Can your SIM determine when malicious IP traffic is actually coming from an internal address in your own network?
Can your SIM make recommendations for best safeguards and mitigation
Typical SIMs focus ONLY on internal events:
• Firewall breaches
• Infected systems
• Virus outbreaks
• Privileged user activities
• Other internal events…
Corporate Network sources: Mail and Groupware, Antivirus, OS, Databases, IDS/IPS, Firewalls, Syslogs, Vulnerability Scanners, Other sources…
EXTERNAL activities are becoming increasingly important…
Additional Intelligence on:
• Malicious IPs
• Botnet IPs
• Worm IPs
Comprehensive Visibility: the internal events above plus Malicious Traffic
Why Is This Important?
Coming to or targeting your network:
• Incoming Botnet commands and controls from a malicious host
• Port scans against the network
Coming from your network to a malicious source:
• Bot communicating information back to a malicious host
• Proprietary data leaks
• Network used as a proxy by hackers to conduct their business
• Network bandwidth compromised
True Integration
Integrated Global Intelligence console information:
• Latest global threat trends and statistics
• Current vulnerability and attack pattern details
• Up to date threat resolution details and recommended safeguards
Dedicated Global Intelligence rules:
• IP Watchlist Source
• IP Watchlist Destination
• Organization IP in Watchlist
Global Intelligence integration into multi-conditional rules:
• Indicating Source IP Activity
• Indicating Target IP Activity
• Indicating IP Watchlist Activity from Inside the Network
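The three dedicated watchlist rules above (and the traffic directions listed under "Why Is This Important?") reduce to one question per event: is the source address, the destination address, or one of the organization's own addresses on the intelligence feed? The following is an added example written for this page, not Symantec's rule engine or any SSIM code. It assumes a constructed watchlist (addresses from RFC 5737 documentation ranges and private space, none a real indicator), constructed organization ranges, and a normalized event shape with source, destination, port and an accept/deny outcome; the multi-conditional part raises severity when the device let the connection through.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed intelligence feed standing in for the GIN IP watchlist: address -> category.
# All addresses are documentation ranges (RFC 5737) or private space; none is a real indicator.
WATCHLIST = {
    "203.0.113.7": "botnet",      # reported bot controller
    "198.51.100.23": "worm",      # reported worm propagator
    "192.0.2.200": "malicious",   # generic malicious host
    "10.0.0.45": "worm",          # an address inside the organization that appears on the feed
}

# Constructed organization address space (the asset grouping the "Organization IP" rule needs).
ORG_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Event:
    """One normalized event as a collector would hand it to the correlation stage (assumed shape)."""
    ts: str
    product: str
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str  # normalized outcome: "accept" or "deny"


@dataclass(frozen=True)
class Finding:
    rule: str       # which of the three watchlist rules fired
    category: str   # watchlist category of the matched address
    severity: str
    event: Event


def in_org(ip: str) -> bool:
    """True when the address lies inside the organization's own ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in ORG_NETWORKS)


def evaluate(ev: Event) -> list[Finding]:
    """Apply the three watchlist rules to one event, combined with the event outcome."""
    findings: list[Finding] = []
    # Multi-conditional part: a connection the device allowed outranks a blocked attempt.
    base = "high" if ev.action == "accept" else "medium"

    src_hit = WATCHLIST.get(ev.src_ip)
    if src_hit and not in_org(ev.src_ip):
        # External listed host targeting us (inbound C2, scans).
        findings.append(Finding("IP Watchlist Source", src_hit, base, ev))

    dst_hit = WATCHLIST.get(ev.dst_ip)
    if dst_hit and not in_org(ev.dst_ip):
        # One of our hosts talking out to a listed host (bot check-in, data leaving the network).
        findings.append(Finding("IP Watchlist Destination", dst_hit, base, ev))

    # One of our own addresses is itself on the feed: the infected machine is inside.
    for ip in sorted({ev.src_ip, ev.dst_ip}):
        hit = WATCHLIST.get(ip)
        if hit and in_org(ip):
            findings.append(Finding("Organization IP in Watchlist", hit, "critical", ev))
    return findings


def summarize(events: list[Event]) -> dict[str, int]:
    """Count rule hits over a batch of events, the way a dashboard widget would."""
    counts: dict[str, int] = {}
    for ev in events:
        for f in evaluate(ev):
            counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample events (not captured from any real network).
SAMPLE_EVENTS = [
    Event("2009-01-05T10:00:01", "firewall", "203.0.113.7", "192.168.1.10", 445, "accept"),
    Event("2009-01-05T10:00:02", "firewall", "198.51.100.23", "192.168.1.20", 22, "deny"),
    Event("2009-01-05T10:00:03", "proxy", "192.168.1.10", "203.0.113.7", 443, "accept"),
    Event("2009-01-05T10:00:04", "firewall", "10.0.0.45", "192.168.1.30", 445, "accept"),
    Event("2009-01-05T10:00:05", "firewall", "192.168.1.40", "198.51.100.9", 53, "accept"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for f in evaluate(ev):
            print(f"{f.severity:8} {f.rule:28} {f.category:9} {ev.src_ip} -> {ev.dst_ip}:{ev.dst_port}")
    print(summarize(SAMPLE_EVENTS))
```

The fourth sample event is the case the "Organization IP in Watchlist" rule exists for: the listed address is a machine inside the organization, so the event is not inbound hostile traffic but evidence of an infected internal host, which is why it is rated above the other two rules. The organization ranges are the asset grouping that makes the distinction possible; without them a feed hit on an internal address would be indistinguishable from an external one.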
Making a Good Thing Better
Advanced Capabilities: Symantec Security Information Manager vs. every other SIM
Do you know if there’s malicious traffic being sourced from your network? Symantec SSIM: Yes. Every other SIM: ?
Can you identify known Worm IPs communicating with your network? Symantec SSIM: Yes. Every other SIM: ?
Can you identify resources in your network communicating information back to a known malicious host? Symantec SSIM: Yes. Every other SIM: ?
Can you detect when your network is being used as a proxy by hackers to conduct their business? Symantec SSIM: Yes. Every other SIM: ?
Can you preemptively correlate external malicious
Summary
• Unified Log Management and Correlation
• Advanced Intelligence
• Comprehensive Analysis
• Broad and Customizable Data Collection
• Flexible Storage Options and Automated Archiving
Supported collectors
Intrusion Detection/Prevention: Symantec Network Security (SNS), Symantec HIDS, Symantec ITA, Snort, Symantec Sygate, Symantec Critical System Protection, Cisco IDS, Cisco Security Agents, TippingPoint NIPS, Enterasys Network Dragon, eEye Retina, Juniper IDP, ISS SiteProtector, McAfee Intrushield, SourceFire
Enterprise AV Solutions: Symantec AntiVirus 8, 9, 10; Symantec Endpoint Security 11; Symantec Mail Security for Exchange; Symantec Mail Security for Lotus Domino; Symantec Mail Security for SMTP; Symantec Mail Security; Cisco IronPort; McAfee EPO; McAfee GroupShield; McAfee VirusScan; Kaspersky AV; F-Secure AV; Sophos AV; CA AntiVirus; Trend Micro Control Manager (TMCM); Trend Server Protect Information Server; Trend Interscan Messaging Security Suite; Trend Scanmail; Trend Interscan Viruswall; Trend Interscan Web Security Suite
Identity Management: Microsoft Windows DHCP, Microsoft Operations Manager, Microsoft Active Directory
Routers, Switches and VPN: Cisco IOS, Juniper VPN, CyberGuard, Cisco VPN 3000 Concentrator, Air Defense
Vulnerability/Policy/Config Scanners: Symantec ESM, Symantec CCS, Nessus, nCircle, Qualys QualysGuard, StillSecure VAM, Tripwire, Ecora
Operating systems: Microsoft Windows Event Log, Solaris OS Collector, Sun BSM, SUSE Linux, Debian Linux, RedHat Linux, IBM AIX, HP/UX, Tandem, RACF, SMF, SELinux, IPTables, Novell Netware, IBM System i (AS/400), Snare for Windows
Firewalls: Symantec Gateway Security, Cisco PIX, Cisco FWSM, Nokia FW, Juniper NetScreen Firewall, Checkpoint Firewall-1, Nortel Contivity, Fortinet Fortigate, SunScreen, Microsoft Windows Firewall, Microsoft ISA, SideWinder G2, StoneSoft Stonegate
Other: Cisco Netflow, Fox Server Control, Blue Lance LT Auditor, PassGo UPM, Kiwi Syslog, Generic Syslog, Symantec Cyberwolf
Databases
Web servers, Filters and Proxies: Apache Web Server, IBM Websphere, Bluecoat Proxy, Microsoft ISA, Microsoft IIS, Sun One WebServer