Technology Day Oslo 1
Find the needle in the security haystack
Gunnar Kristian Kopperud
Principal Presales Consultant
Find the needle in the security haystack
• Manually deep dive into logs, or manage your risk with confidence?
• As we saw in the two previous sessions your servers and clients are under continuous attack.
• Most companies today have experienced incidents with
malware, and many are even unaware that they have malware infected clients and servers in their network.
• This session will show how, related to the sessions above, one can automate and streamline analysis, correlation, alerting and reporting of incidents and deviations.
Haystacks in the old days...
Modern Haystacks
Haystacking...
Where is the needle...
And more advanced threats
8
IT Analytics for
Symantec Endpoint Protection
What is IT Analytics?
9 Leverages Business Intelligence • Advanced ad-hoc data-mining • Analyze Trends and historical information • Graphical dashboards and easy reporting Expands on Traditional Reporting • User friendly custom reports • Export to multiple formats• Pivot tables and charts
Utilizes Standard Technologies
• SQL 2005/2008 Analysis Services & Reporting Services Leverages OLAP Cubes • Business intelligence via multi-dimensional data exploration
Product Overview
10 Multi-Dimensional Ad-hoc/Pivot Table Reporting 4 Pivot Chart Functionality with Excel Export 5 Traditional Reporting 1 IT Analytics 2 Robust Graphical Dashboard 3 Alerts Cube11
Client Dashboard
11
12
Virus Alert Trend Report
12
13
Scan Cube Pivot Table
13
14
Key Performance Indicators
14
Technology Day Oslo 15
Security Information & Event
Management (SIEM)
Aggregate and Prioritize
16 Antivirus …Other log data
Intrusion Prevention Firewall
Device and Application Control
Network Access Control
Aggregation and Correlation
Multiple Data Sources Prioritization Alerts Reports Remediation
Millions of Unprioritized
Events
Reduced Number of Prioritized Incidents Data Normalized into Common Formats Central Visibility to Critical ThreatsSymantec Security Information Manager
“Optional” Intelligence Feed (GIN) Universal Collector Other sources… Firewall Intrusion Prevention Windows Events Syslog Collectors Correlation Manager Manager Console Pre-built Queries LiveUpdate Service Log Archiving Infrastructure Components Reports and Dashboards 150+ Pre-defined ReportsAll Inclusive Solution
Technology Day Oslo 18
Managed Security Services (MSS)
MSS is Making Security Simple
The Symantec Difference Share the unique perspective of our
Global Intelligence
Provide a World Class
Customer Engagement Service Governance to ensure mature, consistent delivery Increase detection through Edge to Endpoint Visibility Provide actionable information relevant to Business Context
Protect our customers proactively
19
The Keys to Successful Security Monitoring:
Edge to Endpoint VisibilityNetwork IDS Alerts • Limited to activity identified
by IDS vendor signatures • Limited 0-day threat detection
Firewall Logs
• Increased trending capability • Scan detection • Emerging threat and early
warning indicators
Proxy Logs
• Reputation-enabled analysis • Identification of malicious
web based activity
Endpoint Alerts • Confirmation of attack status
• Identification of malicious user activity.
20
Network IDP Alerts Network IDP Alerts
Firewall Analysis: Scan Detection Firewall Analysis: Hot IP Detection Firewall Analysis: IP Reputation Firewall Analysis: Anomalous Traffic Detection
Network IDP Alerts
Firewall Analysis: Scan Detection Firewall Analysis: Hot IP Detection Firewall Analysis: IP Reputation Firewall Analysis: Anomalous Traffic Detection Web Proxy Analysis:
Custom Threat Signatures Web Proxy Analysis:
URL Reputation
Network IDP Alerts
Firewall Analysis: Scan Detection Firewall Analysis: Hot IP Detection Firewall Analysis: IP Reputation Firewall Analysis: Anomalous Traffic Detection Web Proxy Analysis:
Custom Threat Signatures Web Proxy Analysis:
URL Reputation Endpoint Protection:
AV Alerts
Endpoint Protection: Host IDP Alerts
Endpoint Protection: Firewall Analysis
Firewalls Security Analyst Expert Query Engine Data mine Progressive Threat Model Relational Database OS & Apps Endpoints IDS Web Proxy
Successful Monitoring:
People, Process, TechnologyIdentification Validation
Classification
Incidents Escalated
21
Security Operations Centers
22
Reading, Chennai, Sydney, Hemdon
Homepage
Dashboard
Search for Logs – Managed Security Services (MSS)
Technology Day Oslo 25
Logs
Reporting – Managed Security Services (MSS)
Technology Day Oslo 27
SPC Enterprise – Data Collection and Analytics Platform
SPC Mobile – Executive Security Dashboard
Symantec Protection Center
Technology Day Oslo 28
Solution Overview Symantec Connectors Security Metrics Central Data Repository Business Asset System 3rd Party Connectors Security Workflows
Symantec Protection Center Enterprise
• Provide business centric analysis ofsecurity information
• Ensure a complete view by integrating your entire security portfolio
• Quick deployment with prebuilt security metrics and connectors
• Provide a central
solution for roles based information sharing • Automate security
remediation via action plans
Technology Day Oslo 29
From this...
To this...
To this with Symantec Protection Center
Summary
• Be more PROACTIVE against advanced external threats
• Soft Appliance (on premise) Symantec Security Information Manager (SIEM) to manage/prioritize INTERNAL policies/rules • Symantec Managed Security Services (MSS) to help you
manage/prioritize EXTERNAL Threats
• Use HYBRID Solution when you need to do both internal policy/rules reporting and manage external threats
• Present security LEVEL to the business with Symantec Protection Center
QUESTIONS?
Symantec Protection Center
Summary
Technology Day Oslo 35
Boardroom Scrutiny
Consolidates security data and applies advanced correlation and analysis
Integrates DeepSight threat intelligence
Connect security information to business assets Clearly communicate key metrics by business
Broad range of supported solutions Pre-built connectors and metrics for quick integration
Better
Security
Decisions
Tablet based view of security metrics
Facilitates communication with both IT and business peers
Evolving Threats Relevant to Business
Technology Day Oslo 36
DEMO
37
38
39
40
Find the needle in the security haystack
• Manually deep dive into logs, or manage your risk with confidence?
• As we saw in the two previous sessions your servers and clients are under continuous attack.
• Most companies today have experienced incidents with
malware, and many are even unaware that they have malware infected clients and servers in their network.
• This session will show how, related to the sessions above, one can automate and streamline analysis, correlation, alerting and reporting of incidents and deviations.
Kontakt oss på:
• Symantec Brukerforum– http://www.symantec.com/connect • Symantec Norge på Facebook
– http://www.facebook.com/SymantecNorge
• Norton Norge på Facebook
– http://www.facebook.com/nortonnorge
• Symantec Norge på Twitter
– http://twitter.com/SymantecNorge
• Lisenser og Support
– Tips: rapporter på web - ring etterpå – http://my.symantec.com/
43
Thank you!
Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in
the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Technology Day Oslo 44
Gunnar Kristian Kopperud
