4. Rolling the Dice on The “Unlucky Seven”
Bot, Worm, and Virus Attacks
VPN Sneak Attacks
Hacker Detection
System and User Impact
Bandwidth Hogs and Policy Violations
Failed Audits, Fines and Penalties
Unauthorised Application Access
MORE Penalties
LESS Headcount
5. [Network diagram: Corporate HQ, Public Network, Home VPN, Wireless Hot-Spot, Public VPN, Branch Office, Remote Workers]
What malware is infiltrating my environment, and how is it propagating?
Is my AntiVirus system able to mitigate malware threats?
6. [Network diagram as on slide 5]
Who is attacking me and where are they attacking from?
Which of my internal systems are they attacking?
7. [Network diagram: Corporate HQ, Public Network, Mobile Users, Home VPN, Wireless Hot-Spot, Public VPN, Branch Office, Remote Workers]
What internal systems are used most, and from where?
Who is using the most bandwidth and what protocols, services or applications are they accessing?
8. [Network diagram as on slide 7]
Which systems have suspicious access/application activity?
Are terminated accounts still being used?
Which accounts are being used from suspicious locations?
10. [Network diagram as on slide 7]
Where are my remote users coming from, and what are they accessing?
Are the computers connecting remotely secure and up to date?
11. What users and equipment are affected?
What is the level of degradation in my environment?
13. Definition of SIM / SEM / SIEM
Four major functions of SIEM
Log Consolidation
Threat Correlation
Incident Management
Reporting
14. [Event funnel diagram]
Inputs: 26 Firewalls, 10 IDS / IPS, 271 Servers / Other = 510,618,423 events
Information from Rules, Intelligence, Scanning, Trending & Auditing feeds the BO Connector & ESM Platform
BO Connector & ESM Platform: Normalization, Negative Filter, Positive Filter, Anomaly Filter & Aggregation
Negative Filter (discarded): 506,813,197 | Positive Filter: 3,803,598 | Anomaly Filter: 1628
Remaining Events of Interest: 3,805,226
Event Consolidation: 207,499
Rules/Logic/Correlation Engines: 5633
Incident Handling Process (BO People & Process): Aggregate, Correlate, Categorize, Assess Threat, and Respond
Outcomes of the 5633 correlated events:
Security Event, Benign Activity: 5532 Events, no incident
Security Event, Worm - Client Not Vulnerable: 1 Incident (21 Events), Low Threat. Incident is logged for future correlation and reporting, but no further action required.
Security Event, Suspicious System / Application: 3 Incidents (32 Events), Medium Threat. Incident requires near term intervention by incident response team and/or the client to prevent availability or security issue.
Security Event (unlabelled in the diagram): 1 Incident (48 Events), High Threat. Incident requires immediate intervention by incident response team and the client to prevent and/or remediate availability or security issue in progress.
Inform Client
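As an added illustration of the funnel on this slide (this is example code, not the vendor's platform or anything from the deck), a miniature pipeline that normalizes two constructed feeds, applies the negative filter, consolidates events per source, and correlates them into the Low/Medium/High categories described above. The event format, the rule thresholds and the assumption that a worm reaching a vulnerable host maps to the High column are all constructed for the example.

```python
from collections import defaultdict
# Constructed sample feed as (source, raw line); addresses are documentation ranges.
RAW_EVENTS = [
    ("fw", "ALLOW 10.0.1.5 -> 10.0.2.9:443"),
    ("fw", "DENY 198.51.100.7 -> 10.0.2.9:445"),
    ("fw", "DENY 198.51.100.7 -> 10.0.2.10:445"),
    ("fw", "DENY 198.51.100.7 -> 10.0.2.11:445"),
    ("ids", "Worm.SMB.Propagate 203.0.113.4 -> 10.0.2.11"),
    ("fw", "DENY 203.0.113.4 -> 10.0.2.11:445"),
]
PATCHED_HOSTS = {"10.0.2.11"}  # constructed asset data: hosts not vulnerable to the worm
def normalize(source, line):
    """Normalization: map a firewall or IDS line onto one common schema."""
    w = line.split()
    if source == "fw":
        return {"kind": w[0], "src": w[1], "dst": w[3].split(":")[0], "sig": None}
    return {"kind": "ALERT", "src": w[1], "dst": w[3], "sig": w[0]}

def filter_events(events):
    """Negative filter: drop routine ALLOW traffic; denies and alerts pass the positive filter."""
    return [e for e in events if e["kind"] != "ALLOW"]

def aggregate(events):
    """Event consolidation: one record per source address with counts and targets."""
    agg = defaultdict(lambda: {"events": 0, "dsts": set(), "worm_dsts": set()})
    for e in events:
        a = agg[e["src"]]
        a["events"] += 1
        a["dsts"].add(e["dst"])
        if e["sig"] and e["sig"].startswith("Worm."):
            a["worm_dsts"].add(e["dst"])
    return agg

def assess(a):
    """Correlation rules assign the slide's threat levels; the thresholds are constructed."""
    if a["worm_dsts"] - PATCHED_HOSTS:
        return "High"    # worm reached a vulnerable host (assumed to map to the High column)
    if len(a["dsts"]) >= 3:
        return "Medium"  # one source probing many hosts: "Suspicious System / Application"
    if a["worm_dsts"]:
        return "Low"     # "Worm - Client Not Vulnerable": logged for correlation, no action
    return None          # benign activity: no incident raised

def run_funnel(raw=RAW_EVENTS):
    """Run the whole funnel; returns the stage counts and {src: (threat, event count)}."""
    events = filter_events([normalize(s, l) for s, l in raw])
    agg = aggregate(events)
    incidents = {src: (assess(a), a["events"]) for src, a in agg.items() if assess(a)}
    counts = {"raw": len(raw), "of_interest": len(events),
              "consolidated": len(agg), "incidents": len(incidents)}
    return counts, incidents
```

The returned counts mirror the slide's stages (raw events, events of interest, consolidated records, incidents) so the reduction at each step can be reported alongside the incidents themselves.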
15. Bot, Worm and Virus Attack Visibility and Alerting
• What malware is infiltrating my environment, and how is it propagating?
• Is my Anti-Virus infrastructure able to handle malware?
Hacker Detection
• Who is attacking me?
• What are they attacking?
Bandwidth Hogs and Policy Violations
• What users are bandwidth hogs?
• What protocols, services and applications are they accessing?
Application Access Monitoring
• Which Systems have suspicious access/application activity?
• Are terminated accounts still being used?
• Which accounts are being used from suspicious locations?
16. Remote Access
• Where are my remote users coming from and what are they accessing?
• Are the remote computers coming in secure and up to date?
System and User Impact
• What users and equipment are compromised?
• How much degradation is there in my IT environment?
Are my compliance controls working?
• Will I pass my next audit?
• Am I subject to fines and penalties?
17. Better Collection: fits all IT environments
Stronger Correlation: catches all incidents
Automated Expertise: requires fewer resources
18. Boxing Orange SIEM Service
Software as a Service Platform
Industry Leading SIEM Platform
24x7 SOC
8 years of delivering Managed Security Services
24hr Security Operations Centre
Innovative Security Solutions and Service
Highly skilled professional services team & support analysts
Wide experience in multi-vendor environments
PCI SSC ASV accredited