Redefining SIEM to Real Time Security Intelligence
David Osborne
Security Architect
September 18, 2012
It's not paranoia if they really are out to get you
• Malware
• Malicious Insiders
• Exploited Vulnerabilities
• Careless Employees
• Mobile Devices
• Social Networking
• Social Engineering
• Zero-Day Exploits
• Cloud Computing Security Threats
• Cyber Espionage
Reality of Compliance
• Audits happen quarterly or annually
• Effort and budget spent to get compliant
• Little focus or process to stay that way
SIEM – The Great Correlator
• Major SIEM Functions
   – Collect
   – Normalize
   – Correlate
• Collect log and event data from systems across the network
   – Security devices, applications, OS, databases, end-point protections, etc.
• Normalize similar events across disparate data sources
   – Login events from a VPN, OS, or Application are all "authentication events"
• Correlate multiple events into known attack vectors or policy violations
   – "Multiple failed logins followed by a success" indicates brute force access
   – Eliminates the need for an analyst to try to "piece together" the event
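The collect, normalize, correlate pipeline from this slide, as an added example that is not part of the original deck or any SIEM product: three constructed log formats (a VPN appliance, Windows logon events 4624/4625, and a web application) are mapped onto one "authentication" event taxonomy, and the "multiple failed logins followed by a success" rule then runs over them. The log formats, the failure threshold and the five-minute window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in three vendor-specific formats (VPN appliance,
# Windows logon events, web application). Illustrative, not real product output.
RAW_LOGS = [
    "2012-09-18T10:00:01Z vpn01 VPN-LOGIN-FAIL user=alice src=203.0.113.7",
    "2012-09-18T10:00:03Z vpn01 VPN-LOGIN-FAIL user=alice src=203.0.113.7",
    "2012-09-18T10:00:05Z winsrv7 EventID=4625 TargetUserName=alice IpAddress=203.0.113.7",
    "2012-09-18T10:00:08Z winsrv7 EventID=4625 TargetUserName=alice IpAddress=203.0.113.7",
    "2012-09-18T10:00:09Z app01 auth status=FAILED login=alice client=203.0.113.7",
    "2012-09-18T10:00:12Z winsrv7 EventID=4624 TargetUserName=alice IpAddress=203.0.113.7",
    "2012-09-18T10:05:00Z app01 auth status=OK login=bob client=198.51.100.4",
    "2012-09-18T10:05:30Z vpn01 VPN-LOGIN-OK user=bob src=198.51.100.4",
    "2012-09-18T10:06:00Z fw01 DENY proto=tcp src=203.0.113.7 dst=10.0.0.5",  # no parser for this
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

VPN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) VPN-LOGIN-(?P<result>OK|FAIL) "
                    r"user=(?P<user>\S+) src=(?P<ip>\S+)$")
WIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
                    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$")
APP_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth status=(?P<status>OK|FAILED) "
                    r"login=(?P<user>\S+) client=(?P<ip>\S+)$")

# Real Windows logon event IDs: 4624 = successful logon, 4625 = failed logon.
WIN_LOGON_IDS = {"4624": "success", "4625": "failure"}

# Each parser translates its own vocabulary into the common outcome values.
PARSERS = [
    ("vpn", VPN_RE, lambda m: "success" if m.group("result") == "OK" else "failure"),
    ("windows", WIN_RE, lambda m: WIN_LOGON_IDS.get(m.group("eid"))),
    ("application", APP_RE, lambda m: "success" if m.group("status") == "OK" else "failure"),
]


def normalize(line):
    """Map one raw line onto the common 'authentication' taxonomy, or None."""
    for source_type, regex, outcome_of in PARSERS:
        m = regex.match(line)
        if not m:
            continue
        outcome = outcome_of(m)
        if outcome is None:            # recognised source, but not a logon event
            return None
        return {
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "category": "authentication",
            "outcome": outcome,
            "user": m.group("user"),
            "src_ip": m.group("ip"),
            "host": m.group("host"),
            "source_type": source_type,
        }
    return None                        # unknown format: belongs in a parse-failure queue


def normalize_all(lines):
    """Split raw lines into normalized events and lines no parser understood."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def correlate_brute_force(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when >= threshold failures for (user, src_ip) precede a success within window.

    Failures are counted across all sources, so VPN, OS and application
    failures add up even though no single device saw the whole pattern.
    """
    recent = defaultdict(deque)        # (user, src_ip) -> deque of (ts, source_type)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src_ip"])
        q = recent[key]
        while q and ev["ts"] - q[0][0] > window:   # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append((ev["ts"], ev["source_type"]))
        elif ev["outcome"] == "success" and len(q) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "user": ev["user"],
                "src_ip": ev["src_ip"],
                "failure_count": len(q),
                "sources": sorted({src for _, src in q}),
                "success_host": ev["host"],
                "at": ev["ts"].strftime(TS_FMT),
            })
            q.clear()                  # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    evs, bad = normalize_all(RAW_LOGS)
    for alert in correlate_brute_force(evs):
        print(alert)
    print(f"{len(evs)} normalized, {len(bad)} unparsed")
```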
Redefining SIEM
• Security is a Process, not a Product
   – Each stage supports the next
   – A "weak link" breaks the process
   – Tools need to automate each stage
   – Integration provides actionable intelligence
• Legacy SIEMs are Limited
   – Risk Assessment — limited to VA scan data
   – Threat Detection — limited to event correlation
   – Incident Response — limited to log analysis
   – Compliance Reporting — limited to canned reports
SIEM is Still Evolving…To
• SIEM Content Awareness (Next Generation SIEM)
   – Content Awareness is Understanding the Payload at the Application Layer
       • What is actually being Communicated, Transferred, and Shared over the Network.
       • Examples of "Content" Awareness are the understanding of:
           – Email contents, including the attachments
           – Social, IM and P2P Network Communications
           – Document Contents
           – Application Relationships with Database Queries and Responses
           – Database Monitoring
           – Data Leakage – Sensitive Information within chat, email, printed, etc.
Adding Context to Logs
(Diagram: a single log record, with the context questions an analyst asks about each of its fields.)
• IP address: DNS name, Windows name, other names? Whois info? Organization owner? Where does the IP originate from (geo location info)? What else happened on this host? Which other hosts did this IP communicate with?
• Timestamp: What else happened at this time? Near this time? What is the time zone?
• Service: What is this service? What other messages did it produce? What other systems does it run on?
• Host: What is the host's IP address? Other names? Location on the network/datacenter? Who is the admin? Is this system vulnerable to exploits?
• User: Who is this user? What is the user's access-level? What is the user's real name, department, location? What other events from this user?
• Port: What is this port? Is this a normal port for this service? What else is this service being used for?
• Numeric field: What does this number mean? Is this documented somewhere?
Broad Content and Context Correlation
(Diagram: data sources feeding the correlation engine – Application Contents, Authentication & IAM, Events from Security Devices, Device & Application Log Files, Database Transactions, OS events, VA Scan Data – enriched with User Identity and Location context, to detect Malware (Viruses, Trojans), Insider Threats, and Advanced Threats (Exploits).)
SIEM and Situational Awareness
• SIEM DOES NOT SOLVE APT, but Provides Situational Awareness
   – THERE IS NO APT "ALL IN ONE SOLUTION"
• SIEM Can Help with Attacks
   – Determining the Scope of Attack
       • What Systems or Devices were Involved
       • What DATA was Compromised
       • What Evasion Techniques were Utilized
       • Timelines
       • Toolsets Utilized
       • Work Flows and Processes of Attackers
   – Heuristics for Historical Correlation
• Even with SIEM, Security Expertise and Experience is REQUIRED
   – Well Trained Security Analysts, Highly Developed Security Policies and Procedures Combined with SIEM for Situational Awareness is the BEST Strategy for dealing with Exploits, Low and Slow Attacks and APT
Scalability & Performance
• Unmatched Speed
  – Industry's Fastest SIEM
  – 100x to 1,000x faster than current solutions
  – Queries, correlation and analysis in minutes, not hours
• Unmatched Scale
  – Collect all relevant data, not selected sub-sets
  – Analyze months and years of data, not weeks
  – Include higher layer context and content information
  – Scales easily to billions of data records
NitroView Overview
"Single Pane-of-Glass"
(Diagram: the components and the function each provides.)
• McAfee ESM – Unified Visibility & Analysis; Compliance & Reporting; Policy Management
• McAfee ELM – Log Management; Compliant Log Storage; SAN/CIFS/NFS/Local Storage
• McAfee Receiver – 3rd Party Log/Event Collection; Network Flow Data Collection; VMware Receivers Available
• McAfee ADM (Application Data Monitor) – Layer 7 Decode; Full Meta-Data Collection; Application Visibility: 100s of applications and 500+ document types
• McAfee DEM (Database Activity Monitor) – Database Log Generation; Session Audit; Data Visibility: Data traffic from leading databases
• McAfee ACE (Advanced Correlation) – Risk-Based Correlation; Historical Correlation; Risk Scoring: Detect potential threats, Asset information/context, Vulnerability Information, Which assets are most at-risk
Global Threat Intelligence (GTI)
(Diagram: the same component layout as the NitroView overview – ESM, ELM, Receiver, ADM, DEM, ACE – with GTI drawn as a Shared Threat Intelligence feed alongside Application Visibility, Data Visibility and Risk Scoring.)
• Reputation-based WW visibility into all types of cyber threats
• Automatic, push feed
• Today – Bad Actors/Dangerous IPs
• Additional GTI capabilities:
   • file, web, message & network connection reputation
   • web categorization
How can SIEM help with MTTR?
• Advanced Correlation uses activity to determine Risk
• Baselines to determine deviations from normal activity
• Normalization of events into a common taxonomy
• Global Threat Intelligence to determine if I have any communication with external known bad actors
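A risk-based correlation pass over already-normalized events, as an added example that is not part of the original deck and not McAfee ACE or GTI code. It ties together the context questions from the "Adding Context to Logs" slide (asset owner and VA findings, user access level, normal port for a service), a baseline deviation check, and a reputation lookup against a bad-actor feed, then ranks which assets are most at risk as the Risk Scoring and MTTR slides describe. Every inventory, the feed, the weights and the thresholds are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed context stores. Their shapes are assumptions for this example,
# not the data model of any SIEM product.
ASSETS = {   # asset inventory joined with VA scan import
    "db01": {"owner": "dba-team", "location": "dc-east", "criticality": 5,
             "open_vulns": ["VA-FINDING-PLACEHOLDER-1"]},
    "web03": {"owner": "web-team", "location": "dc-east", "criticality": 3,
              "open_vulns": []},
}
USERS = {    # identity directory
    "alice": {"department": "finance", "access_level": "standard"},
    "svc_backup": {"department": "it-ops", "access_level": "admin"},
}
EXPECTED_PORTS = {"mysql": {3306}, "https": {443}}   # normal port(s) per service
REPUTATION = {"203.0.113.7": 95}   # stands in for a GTI-style bad-actor feed: IP -> 0..100
BASELINE = {   # outbound connections per hour, one sample per day for the last 7 days
    "db01": [12, 15, 11, 14, 13, 12, 14],
    "web03": [400, 420, 390, 410, 405, 398, 415],
}

# Constructed, already-normalized events (one per host and hour).
SAMPLE_EVENTS = [
    {"host": "db01", "user": "svc_backup", "dst_ip": "203.0.113.7",
     "dst_port": 3306, "service": "mysql", "connections_this_hour": 60},
    {"host": "web03", "user": "alice", "dst_ip": "198.51.100.4",
     "dst_port": 443, "service": "https", "connections_this_hour": 410},
    {"host": "lap-77", "user": "alice", "dst_ip": "203.0.113.7",
     "dst_port": 8443, "service": "https", "connections_this_hour": 5},
]


def baseline_zscore(host, observed):
    """Standard deviations the observed volume sits above the host's baseline."""
    history = BASELINE.get(host)
    if not history or len(history) < 2:
        return None                    # no baseline yet: deviation cannot be judged
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return 0.0 if observed == mu else float("inf")
    return (observed - mu) / sigma


def score_event(ev):
    """Risk-based correlation: context + reputation + baseline deviation -> 0..100."""
    score, findings = 0.0, []
    asset = ASSETS.get(ev["host"])
    if asset is None:
        score += 10
        findings.append("host not in asset inventory")
    else:
        score += asset["criticality"] * 4
        if asset["open_vulns"]:
            score += 15
            findings.append(f"{len(asset['open_vulns'])} open VA finding(s) on host")
    user = USERS.get(ev["user"], {})
    if user.get("access_level") == "admin":
        score += 5
        findings.append("privileged account in use")
    rep = REPUTATION.get(ev["dst_ip"])
    if rep is not None:
        score += rep * 0.4
        findings.append(f"communication with known bad actor {ev['dst_ip']} (reputation {rep})")
    normal = EXPECTED_PORTS.get(ev["service"])
    if normal and ev["dst_port"] not in normal:
        score += 10
        findings.append(f"{ev['service']} on unexpected port {ev['dst_port']}")
    z = baseline_zscore(ev["host"], ev["connections_this_hour"])
    if z is not None and z > 3:
        score += 20
        findings.append(f"outbound volume {z:.1f} sigma above 7-day baseline")
    return {"host": ev["host"], "user": ev["user"],
            "risk": min(100, int(round(score))), "findings": findings}


def rank_assets(events):
    """Which assets are most at risk: highest score per host, descending."""
    best = {}
    for r in map(score_event, events):
        best[r["host"]] = max(best.get(r["host"], 0), r["risk"])
    return sorted(best.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for host, risk in rank_assets(SAMPLE_EVENTS):
        print(f"{host:8s} risk={risk}")
```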

Weitere ähnliche Inhalte

Was ist angesagt?

IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewCamilo Fandiño Gómez
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution hashnees
 
From SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardFrom SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardEMC
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Raffael Marty
 
SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)Osama Ellahi
 
Whitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security IntelligenceWhitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security IntelligenceCamilo Fandiño Gómez
 
Modern vs. Traditional SIEM
Modern vs. Traditional SIEM Modern vs. Traditional SIEM
Modern vs. Traditional SIEM Alert Logic
 
7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enoughCloudAccess
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewCamilo Fandiño Gómez
 
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...Sirius
 
Security Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapSecurity Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapEric Johansen, CISSP
 
SIEM vs Log Management - Data Security Solutions 2011
SIEM vs Log Management - Data Security Solutions 2011 SIEM vs Log Management - Data Security Solutions 2011
SIEM vs Log Management - Data Security Solutions 2011 Andris Soroka
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Identity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementIdentity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementProlifics
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsOWASP Delhi
 

Was ist angesagt? (20)

SIEM
SIEMSIEM
SIEM
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
 
From SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardFrom SIEM to SA: The Path Forward
From SIEM to SA: The Path Forward
 
IBM Security QFlow & Vflow
IBM Security QFlow & VflowIBM Security QFlow & Vflow
IBM Security QFlow & Vflow
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
 
SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)
 
Whitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security IntelligenceWhitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security Intelligence
 
Modern vs. Traditional SIEM
Modern vs. Traditional SIEM Modern vs. Traditional SIEM
Modern vs. Traditional SIEM
 
7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
 
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
 
Security Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapSecurity Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM Gap
 
SIEM
SIEMSIEM
SIEM
 
SIEM vs Log Management - Data Security Solutions 2011
SIEM vs Log Management - Data Security Solutions 2011 SIEM vs Log Management - Data Security Solutions 2011
SIEM vs Log Management - Data Security Solutions 2011
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Identity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementIdentity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access Management
 
SIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security ArsenalSIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security Arsenal
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
 

Ähnlich wie Redefining siem to real time security intelligence

RSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event AnalysisRSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event AnalysisRaffael Marty
 
Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec
 
The New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandThe New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandTyler Shields
 
OSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal SternOSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal SternOpenStorageSummit
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalMahmoud Yassin
 
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYCYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYjmical
 
Information Security
Information SecurityInformation Security
Information SecurityMohit8780
 
Bright and Gray areas of Clound Computing
Bright and Gray areas of Clound ComputingBright and Gray areas of Clound Computing
Bright and Gray areas of Clound Computingpallavikhandekar212
 
Database development and security certification and accreditation plan pitwg
Database development and security certification and accreditation plan  pitwgDatabase development and security certification and accreditation plan  pitwg
Database development and security certification and accreditation plan pitwgJohn M. Kennedy
 
Trend micro real time threat management press presentation
Trend micro real time threat management press presentationTrend micro real time threat management press presentation
Trend micro real time threat management press presentationAndrew Wong
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemSweta Sharma
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksMicrosoft
 
Enterprise Strategy for Cloud Security
Enterprise Strategy for Cloud SecurityEnterprise Strategy for Cloud Security
Enterprise Strategy for Cloud SecurityBob Rhubart
 
Security in the Cloud
Security in the CloudSecurity in the Cloud
Security in the CloudWSO2
 

Ähnlich wie Redefining siem to real time security intelligence (20)

2012 Data Center Security
2012 Data Center Security2012 Data Center Security
2012 Data Center Security
 
RSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event AnalysisRSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event Analysis
 
Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec Endpoint Protection 12
Symantec Endpoint Protection 12
 
The New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandThe New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP Ireland
 
OSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal SternOSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal Stern
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat Landscapefinal
 
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYCYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
 
Vormetric - Gherkin Event
Vormetric - Gherkin EventVormetric - Gherkin Event
Vormetric - Gherkin Event
 
Enterprise API Security & Data Loss Prevention - Intel
Enterprise API Security & Data Loss Prevention - IntelEnterprise API Security & Data Loss Prevention - Intel
Enterprise API Security & Data Loss Prevention - Intel
 
Information Security
Information SecurityInformation Security
Information Security
 
Nebezpecny Internet Novejsi Verze
Nebezpecny Internet Novejsi VerzeNebezpecny Internet Novejsi Verze
Nebezpecny Internet Novejsi Verze
 
Bright and Gray areas of Clound Computing
Bright and Gray areas of Clound ComputingBright and Gray areas of Clound Computing
Bright and Gray areas of Clound Computing
 
Database development and security certification and accreditation plan pitwg
Database development and security certification and accreditation plan  pitwgDatabase development and security certification and accreditation plan  pitwg
Database development and security certification and accreditation plan pitwg
 
Security Intelligence
Security IntelligenceSecurity Intelligence
Security Intelligence
 
Trend micro real time threat management press presentation
Trend micro real time threat management press presentationTrend micro real time threat management press presentation
Trend micro real time threat management press presentation
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacks
 
Enterprise Strategy for Cloud Security
Enterprise Strategy for Cloud SecurityEnterprise Strategy for Cloud Security
Enterprise Strategy for Cloud Security
 
Security in the Cloud
Security in the CloudSecurity in the Cloud
Security in the Cloud
 
Security in the Cloud
Security in the CloudSecurity in the Cloud
Security in the Cloud
 

Kürzlich hochgeladen

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 

Kürzlich hochgeladen (20)

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Redefining siem to real time security intelligence

  • 1. Redefining SIEM to Real Time Security Intelligence
     David Osborne, Security Architect
     September 18, 2012
  • 2. It's not paranoia if they really are out to get you
     – Malware
     – Malicious Insiders
     – Exploited Vulnerabilities
     – Careless Employees
     – Mobile Devices
     – Social Networking
     – Social Engineering
     – Zero-Day Exploits
     – Cloud Computing Security Threats
     – Cyber Espionage
  • 3. Reality of Compliance
     – Audits happen quarterly or annually
     – Effort and budget spent to get compliant
     – Little focus or process to stay that way
  • 4. SIEM – The Great Correlator
     – Major SIEM Functions: Collect, Normalize, Correlate
     – Collect log and event data from systems across the network: security devices, applications, OS, databases, end-point protections, etc.
     – Normalize similar events across disparate data sources: login events from a VPN, OS, or application are all “authentication events”
     – Correlate multiple events into known attack vectors or policy violations: “multiple failed logins followed by a success” indicates brute-force access, and eliminates the need for an analyst to try to “piece together” the event
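As an added example (not from the deck, and not McAfee or NitroView code), here is the normalize-then-correlate pipeline slide 4 describes, in Python. Three constructed log formats, a VPN syslog line, an application JSON audit record and a Windows Security event (all sample data), are mapped onto one authentication schema, and a sliding-window rule then raises the “multiple failed logins followed by a success” alert across all three sources together. No single source would have triggered it on its own, which is the point of normalizing first. The log formats, field names, threshold and window are assumptions; the Windows event IDs 4624 and 4625 are the real logon success/failure IDs.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): a VPN syslog line, an application
# JSON audit record and a Windows Security event, all describing logins by the
# same user from the same address within a few seconds.
RAW_EVENTS = [
    "2012-09-18T10:00:01Z vpn01 sslvpn: user=alice src=203.0.113.7 result=FAILED",
    '2012-09-18T10:00:05Z app01 {"event": "login", "user": "alice", "ip": "203.0.113.7", "ok": false}',
    "2012-09-18T10:00:09Z dc01 Security-Auditing: EventID=4625 TargetUserName=alice IpAddress=203.0.113.7",
    "2012-09-18T10:00:14Z vpn01 sslvpn: user=alice src=203.0.113.7 result=FAILED",
    "2012-09-18T10:00:20Z dc01 Security-Auditing: EventID=4624 TargetUserName=alice IpAddress=203.0.113.7",
    "2012-09-18T10:05:00Z vpn01 sslvpn: user=bob src=198.51.100.9 result=FAILED",
    "2012-09-18T10:30:00Z vpn01 sslvpn: user=bob src=198.51.100.9 result=OK",
]

# Assumed line layouts for the three constructed sources.
VPN_RE = re.compile(r"^(\S+) (\S+) sslvpn: user=(\S+) src=(\S+) result=(\S+)$")
WIN_RE = re.compile(r"^(\S+) (\S+) Security-Auditing: EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)$")
APP_RE = re.compile(r"^(\S+) (\S+) (\{.*\})$")
WIN_LOGON_IDS = {"4624": "success", "4625": "failure"}  # real Windows logon event IDs


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(line):
    """Map one raw line onto the common 'authentication' schema, or None if unsupported."""
    m = VPN_RE.match(line)
    if m:
        ts, host, user, ip, result = m.groups()
        return {"ts": _ts(ts), "host": host, "user": user, "src_ip": ip,
                "category": "authentication",
                "outcome": "success" if result == "OK" else "failure"}
    m = WIN_RE.match(line)
    if m:
        ts, host, event_id, user, ip = m.groups()
        if event_id not in WIN_LOGON_IDS:
            return None  # not a logon event, so not an authentication record
        return {"ts": _ts(ts), "host": host, "user": user, "src_ip": ip,
                "category": "authentication", "outcome": WIN_LOGON_IDS[event_id]}
    m = APP_RE.match(line)
    if m:
        ts, host, payload = m.groups()
        rec = json.loads(payload)
        if rec.get("event") != "login":
            return None
        return {"ts": _ts(ts), "host": host, "user": rec["user"], "src_ip": rec["ip"],
                "category": "authentication",
                "outcome": "success" if rec.get("ok") else "failure"}
    return None


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when >= threshold failures for (user, src_ip) precede a success inside the window."""
    failures = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src_ip"])
        recent = failures[key]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if ev["outcome"] == "failure":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "user": ev["user"],
                           "src_ip": ev["src_ip"], "failures": len(recent),
                           "first_failure": recent[0], "success_at": ev["ts"]})
            recent.clear()  # one alert per burst
    return alerts


def run(lines=RAW_EVENTS):
    """Normalize every supported line, then run the correlation rule over the result."""
    events = [e for e in map(normalize, lines) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    for alert in run()[1]:
        print(alert)
```

With the sample data the rule fires once, for alice from 203.0.113.7, counting four failures spread over the VPN, the application and the domain controller; bob's single failure has aged out of the window by the time his login succeeds.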
  • 5. Redefining SIEM
     – Security is a Process, not a Product
        • Each stage supports the next
        • A “weak link” breaks the process
        • Tools need to automate each stage
        • Integration provides actionable intelligence
     – Legacy SIEMs are Limited
        • Risk Assessment: limited to VA scan data
        • Threat Detection: limited to event correlation
        • Incident Response: limited to log analysis
        • Compliance Reporting: limited to canned reports
  • 6. SIEM is Still Evolving…To
     – SIEM Content Awareness (Next Generation SIEM)
        • Content Awareness is Understanding the Payload at the Application Layer: what is actually being Communicated, Transferred, and Shared over the Network
        • Examples of “Content” Awareness are the understanding of:
           – Email contents, including the attachments
           – Social, IM and P2P Network Communications
           – Document Contents
           – Application Relationships with Database Queries and Responses
           – Database Monitoring
           – Data Leakage
           – Sensitive Information within chat, email, printed, etc.
  • 7. Adding Context to Logs
     – Slide diagram: questions radiating from a single log record, grouped here by the field they hang off:
        • Host: What is the host's IP address? DNS name, Windows name, other names? Location on the network/datacenter? Who is the admin? Is this system vulnerable to exploits? What else happened on this host?
        • Source IP: Whois info? Organization owner? Where does the IP originate from (geolocation info)? What is the time zone? Which other hosts did this IP communicate with?
        • User: Who is this user? What is the user's access level? What is the user's real name, department, location? Other names? What other events from this user?
        • Service and port: What is this service? What is this port? Is this a normal port for this service? What else is this service being used for? What other messages did it produce? What other systems does it run on?
        • Time: What else happened at this time? Near this time?
        • Message fields: What does this number mean? Is this documented somewhere?
  • 8. Broad Content and Context Correlation
     – Slide diagram: inputs correlated together: Authentication Events from Security Devices, Application Contents, IAM User Identity, Device & Application Log Files, Database Transactions, Location, OS events, VA Scan Data
     – Threats targeted: Malware, Viruses, Trojans, Insider Threats, Advanced Threats, Exploits
  • 9. SIEM and Situational Awareness
     – SIEM DOES NOT SOLVE APT, but Provides Situational Awareness: THERE IS NO APT “ALL IN ONE SOLUTION”
     – SIEM Can Help with Attacks by Determining the Scope of Attack:
        • What Systems or Devices were Involved
        • What DATA was Compromised
        • What Evasion Techniques were Utilized
        • Timelines
        • Toolsets Utilized
        • Work Flows and Processes of Attackers
        • Heuristics for Historical Correlation
     – Even with SIEM, Security Expertise and Experience is REQUIRED: Well Trained Security Analysts and Highly Developed Security Policies and Procedures, Combined with SIEM for Situational Awareness, is the BEST Strategy for dealing with Exploits, Low and Slow Attacks and APT
  • 10. Scalability & Performance
     – Unmatched Speed
        • Industry’s Fastest SIEM
        • 100x to 1,000x faster than current solutions
        • Queries, correlation and analysis in minutes, not hours
     – Unmatched Scale
        • Collect all relevant data, not selected sub-sets
        • Analyze months and years of data, not weeks
        • Include higher layer context and content information
        • Scales easily to billions of data records
  • 11. NitroView Overview: “Single Pane-of-Glass”
     – McAfee ESM: Unified Visibility & Analysis; Compliance & Reporting; Policy Management
     – McAfee ELM: Log Management; Compliant Log Storage; SAN/CIFS/NFS/Local Storage
     – McAfee Receiver: 3rd Party Log/Event Collection; Network Flow Data Collection; VMware Receivers Available
     – McAfee ADM: Application Data Monitor; Layer 7 Decode; Full Meta-Data Collection. Application Visibility: 100s of applications and 500+ document types
     – McAfee DEM: Database Activity Monitor; Database Log Generation; Session Audit. Data Visibility: Data traffic from leading databases
     – McAfee ACE: Advanced Correlation; Risk-Based Correlation; Historical Correlation. Risk Scoring: Detect potential threats; Asset information/context; Vulnerability Information; Which assets are most at-risk
  • 12. Global Threat Intelligence (GTI)
     – Same component layout as slide 11 (ESM, ELM, Receiver, ADM, DEM shown as Database Event Monitor, ACE), with GTI feeding Shared Threat Intelligence into the platform
     – Shared Threat Intelligence:
        • Reputation-based: WW visibility into all types of cyber threats
        • Automatic, push feed
        • Today – Bad Actors/Dangerous IPs
        • Additional GTI capabilities: file, web, message & network connection reputation; web categorization
  • 13. How can SIEM help with MTTR?
     – Advanced Correlation uses activity to determine Risk
  • 14. How can SIEM help with MTTR?
     – Baselines to determine deviations from normal activity
  • 15. How can SIEM help with MTTR?
     – Normalization of events into a common taxonomy
  • 16. How can SIEM help with MTTR?
     – Global Threat Intelligence to determine if I have any communication with external known bad actors
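As an added example, not code from the deck or from the product it describes, here is a small triage routine in Python that ties slides 13 to 16 together and also answers the context questions of slide 7: each normalized record is enriched with asset, identity, geo/whois-style and reputation context, today's activity for the user is compared with a seven-day baseline, the destination is checked against a reputation list standing in for the GTI bad-actor feed, and the findings become an explainable risk score. All reference tables, IP addresses, counts and weights are constructed placeholders; the z-score threshold and the point weights are assumptions a real deployment would tune.

```python
import ipaddress
from statistics import mean, pstdev

# Constructed reference data (placeholders, not real infrastructure or feeds).
ASSETS = {
    "10.0.5.20": {"hostname": "fin-db-01", "owner": "dba-team", "zone": "datacenter-A",
                  "vulnerable": True, "criticality": 5},
    "10.0.9.31": {"hostname": "ws-0931", "owner": "helpdesk", "zone": "office-floor-3",
                  "vulnerable": False, "criticality": 1},
}
USERS = {
    "alice": {"real_name": "Alice Example", "department": "Finance", "access_level": "admin"},
    "bob": {"real_name": "Bob Example", "department": "Sales", "access_level": "user"},
}
GEO = {"203.0.113.0/24": {"country": "XX", "org": "Example Hosting"}}  # geo/whois stand-in
BAD_ACTOR_IPS = {"203.0.113.7"}  # stand-in for a reputation feed such as a bad-actor IP list

# Seven days of outbound connection counts per user, and today's normalized records (constructed).
HISTORY = {"alice": [12, 15, 11, 14, 13, 12, 15], "bob": [30, 28, 33, 31, 29, 30, 32]}
EVENTS = [
    {"ts": "2012-09-18T10:00:20Z", "host_ip": "10.0.5.20", "user": "alice",
     "dst_ip": "203.0.113.7", "conn_count_today": 60},
    {"ts": "2012-09-18T10:05:00Z", "host_ip": "10.0.9.31", "user": "bob",
     "dst_ip": "198.51.100.9", "conn_count_today": 31},
]

# Assumed point weights; asset criticality adds 4 points per level on top.
WEIGHTS = {"bad_actor": 35, "baseline_deviation": 25, "vulnerable_asset": 10, "admin_user": 10}


def geo_lookup(ip):
    """Longest-prefix-free lookup over the small constructed GEO table."""
    addr = ipaddress.ip_address(ip)
    for cidr, info in GEO.items():
        if addr in ipaddress.ip_network(cidr):
            return info
    return {}


def enrich(record):
    """Attach the asset, identity, geo and reputation context a bare log record lacks."""
    out = dict(record)
    out["asset"] = ASSETS.get(record["host_ip"], {})
    out["identity"] = USERS.get(record["user"], {})
    out["geo"] = geo_lookup(record["dst_ip"])
    out["dst_reputation"] = "bad_actor" if record["dst_ip"] in BAD_ACTOR_IPS else "unknown"
    return out


def zscore(value, history):
    """How many standard deviations today's value sits from its historical baseline."""
    if not history:
        return 0.0  # no baseline yet: treat as normal rather than alerting on everything
    sd = pstdev(history)
    if sd == 0:
        return 0.0 if value == history[0] else float("inf")
    return (value - mean(history)) / sd


def risk_score(enriched, z, z_threshold=3.0):
    """Additive score with the list of factors that contributed, for analyst review."""
    reasons = []
    score = 4 * enriched["asset"].get("criticality", 1)
    if enriched["dst_reputation"] == "bad_actor":
        reasons.append("bad_actor")
    if abs(z) >= z_threshold:
        reasons.append("baseline_deviation")
    if enriched["asset"].get("vulnerable"):
        reasons.append("vulnerable_asset")
    if enriched["identity"].get("access_level") == "admin":
        reasons.append("admin_user")
    score += sum(WEIGHTS[r] for r in reasons)
    return min(100, score), reasons


def triage(events=EVENTS, history=HISTORY):
    """Enrich, baseline and score each record; returns the queue with highest risk first."""
    results = []
    for rec in events:
        enriched = enrich(rec)
        z = zscore(rec["conn_count_today"], history.get(rec["user"], []))
        score, reasons = risk_score(enriched, z)
        results.append({"user": rec["user"],
                        "host": enriched["asset"].get("hostname", rec["host_ip"]),
                        "dst_ip": rec["dst_ip"], "geo": enriched["geo"],
                        "z": round(z, 1), "risk": score, "reasons": reasons})
    return sorted(results, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    for row in triage():
        print(row)
```

The reasons list is what makes the score usable for MTTR: an analyst opening the top item sees at once that a critical, unpatched finance host run by an admin talked to a listed bad actor at several times its normal rate, rather than a bare number to re-derive by hand.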
  • 17.