Security Information Event Management (SIEM) solutions


2014 All Rights Reserved ecfirst

An ecfirst Case Study: Security Information Event Management (SIEM) solutions

TABLE OF CONTENTS

Executive Summary ... 4
HP ArcSight SIEM ... 6
    Product Overview ... 6
        Security Analytics ... 6
        Automated Compliance ... 7
        Midsized Business ... 8
    Functionality Review ... 9
    Gartner Review on HP ArcSight SIEM
    References
IBM QRadar SIEM, Q1 Labs
    Product Overview
    Features
    Functionality Review
    Gartner Review on IBM QRadar SIEM
    References
McAfee SIEM
    Product Overview
        McAfee Enterprise Security Manager
        McAfee Global Threat Intelligence for ESM
        McAfee Enterprise Log Manager
        McAfee Advanced Correlation Engine
        McAfee Application Data Monitor
        McAfee Database Event Monitor for SIEM
        McAfee Event Receiver for SIEM
    Functionality Review
    Gartner Review on McAfee SIEM
    References
Splunk SIEM
    Product Overview
    Features
    Functionality Review
    Gartner Review on Splunk SIEM
    References
LogRhythm SIEM
    Product Overview
    Features
    Functionality Review
    Gartner Review on LogRhythm SIEM
    References
Magic Quadrant
    Magic Quadrant Descriptions
        Leaders
        Challengers
        Visionaries
        Niche Players
    References
Comparison Matrix

EXECUTIVE SUMMARY

Security threats are dynamic in nature and exploits are constantly evolving as attackers grow ever more organized, precise and persistent. As threats and security events evolve, SIEM vendors and the information security community must work together to build relevant and actionable business analytics into their systems. By continuously improving recommendations and the controls to support those recommendations, SIEM products can become true information security hubs that not only automate audits, but also provide proactive means to protect the organization.

SIEM technologies for centralization and consolidation of an organization's security data will continue to be important investments for organizations wanting to accurately respond to threats and ultimately improve their risk and compliance postures. When an organization makes a plan to implement the 20 critical controls as a whole, SIEM should be one of the first controls implemented. The first 15 controls (the controls that are most easily automated, and with many of which SIEM products can quickly be made to interact) are:

- Inventory of authorized and unauthorized devices
- Inventory of authorized and unauthorized software
- Secure configurations for hardware and software on laptops, workstations and servers
- Secure configurations for network devices such as firewalls, routers, and switches
- Boundary defense
- Maintenance, monitoring and analysis of audit logs
- Application software security
- Controlled use of administrative privileges
- Controlled access based on need to know
- Continuous vulnerability assessment and remediation
- Account monitoring and control
- Malware defenses
- Limitation and control of network ports, protocols and services
- Wireless device control
- Data loss prevention

This case study comparatively analyzes the following industry leading SIEM solutions:

- HP ArcSight
- IBM (Q1 Labs) QRadar
- McAfee
- Splunk
- LogRhythm

Recommendation

Without respect to the existing computing / networking environment at an organization, ecfirst recommends IBM (Q1 Labs) QRadar for those looking for a scalable and powerful SIEM solution. Ease of deployment and an excellent feature set, as well as IBM's proven track record for success, set this product ahead in its class.

HP ARCSIGHT SIEM

Product Overview

The HP ArcSight Security Intelligence platform helps safeguard customers' business by giving them complete visibility into activity across the IT infrastructure: external threats such as malware and hackers; internal threats such as data breaches and fraud; risks from application flaws and configuration changes; and compliance pressures from failed audits. HP ArcSight is the industry's leading security information and event management (SIEM) solution for collecting, analyzing and assessing security events. The result is rapid identification, prioritization and response to cyber security attacks and insider threats. Only ArcSight correlates users, logs and NetFlow to understand the who, what and where of information security.

Security Analytics: HP ArcSight ESM (Enterprise Security Manager)

HP ArcSight ESM is a universal log management solution that helps enterprises identify and prioritize current and potential security threats. HP ArcSight ESM analyzes and correlates every event that occurs across the organization (every login, logoff, file access, database query, etc.) to deliver accurate prioritization of security risks and compliance violations. HP ArcSight ESM is uniquely able to understand who is on the network, what data they are seeing, which actions they are taking with that data, and how that affects business risk.

Features

- Advanced Security Event Correlation - Identify and prioritize security threats. The correlation engine analyzes logs from multiple devices and links events so customers can detect threats and allocate resources.

- Total Environment Visibility - Resolve issues faster: answer the who, what and when of everything. Automatically collect machine data from 350+ log-generating sources and unify it in a common format.
- Automated Compliance - Collect, store and analyze any log or event data from any system. Add-on compliance packs help prove compliance with PCI, SOX, and IT governance using 500 built-in reports.
- Security Operations Center - Create a Big Data and security solution with a SOC that integrates IT ops and tools, service desk, CMDB, business intelligence tools and Big Data including Hadoop and HAVEn.
- Secure and Efficient Data Storage - Keep all organizations' data secure, encrypting it in transit. Store more data longer and cheaper with 42TB of log stored centrally with a compression ratio of up to 10:1.
- Instant Detection - Collect and categorize up to 100,000 events per second for instant detection of activities affecting everything on customers' network, zero day or insider attacks.

Automated Compliance: HP ArcSight Logger

HP ArcSight Logger is a log management tool for collecting and unifying data. HP ArcSight Logger collects information from any system that generates log data. It can process that information as much or as little as desired, and can produce ultra-fast searching across the data. As a result, organizations of any size can use this high performance log data repository to aid in faster forensic analysis of IT operations, application development, and cyber security issues, and to simultaneously address multiple regulations.

Features

- Comprehensive Log Collection - Collect 100,000 events per second from 350 log sources, and consolidate all customers' machine data into a single common format.
- Single Consolidated View - Control all customers' data through a single, easy interface. Customers can integrate and automate processes for better security, compliance, and log analytics.

- Full text search for easy forensics - Carry out full-text searching and forensics on billions of events: a text-based interface and normalization and categorization of data reduce resources required by 70%.
- Low cost storage - Reduces customers' data storage requirements by up to 90%. Centralizes and stores years' worth of data under multiple storage groups through high compression ratios of up to 10:1.
- Streamlined Compliance - Get over 500 pre-built reports that will help customers to meet compliance requirements, help reduce reporting errors, and reduce the cost of compliance by up to 90%.
- Unlimited Data Scalability - Have no limits on the amount of data that customers can consume and process, or on the number of events that customers can manage in a day. Logger controls billions of events per day.

Midsized Business: HP ArcSight Express

HP ArcSight Express is a SIEM appliance that helps identify and prioritize current and potential threats so teams can optimize their response. HP ArcSight Express correlates seemingly unrelated events and NetFlow data from network devices using the most advanced real-time correlation techniques. By correlating disparate events and NetFlow data, it can detect even the most subtle attacks. As a result, organizations can cut through millions of activities to focus on the most critical incidents affecting the organization. This provides better security and faster response with fewer resources. HP ArcSight Express also includes the first log management solution to fully integrate field-based and raw text search across structured and unstructured log data.

Features

- Advanced Security Event Correlation - Identifies and prioritizes security threats through an advanced correlation engine that collects and stores logs from all customer security devices and links events together.
- Built-in Dashboards and Reporting - Express shows customers how by offering the dashboards and reports that most security groups use for threat monitoring.

- User Monitoring - Identifies suspicious behavior by monitoring for insider threats, compromised credentials, and exfiltration of data to high-risk locations, all within a single appliance.
- Integration: Live Threat Intelligence - Sees connections to and from high-risk locations in real time through Reputation Security Monitor (RepSM), which supplies a direct feed about an IP's threat reputation.
- Ease of Deployment and Management - Can be deployed in as few as 12 minutes, and customers can get clarity into their security posture within a day. Built-in connector management simplifies log collection.
- Data Security - ArcSight Express encrypts all data in transit and offers a 10x compression ratio so organizations can store more data efficiently.

Functionality Review

1. Identification of suspicious activity

ArcSight ESM sifts through millions of log records, correlates them, and provides identity and asset context to find the critical events that matter in real time, via dashboards, notifications, and reports, enabling customers to accurately prioritize security risks and compliance violations. HP ArcSight Express ties together a user's accounts with their roles and aggregates the activity of that user. It detects complex threats to the organization using a heuristic pattern analysis of historical data events, and understands how network bandwidth is being consumed, so that suspicious activities are correctly prioritized and investigated. HP ArcSight Express also includes a free trial of RepSM, which brings reputation-based intelligence to help security analysts detect and block communication between malicious hosts and infected infrastructure.

2. Reporting & Alerting of events

Analyzes and correlates security events from across customers' IT infrastructure. Combine analysis with the preloaded rule sets of HP ArcSight Express to report and alert on the events that matter to customers.

3. Method(s) of log collection supported

Collect, categorize, and normalize log data from more than 350 distinct log-generating sources. Logger supports data collection from the broadest set of sources at high speed. Logger can be managed through a centralized management center (HP ArcMC), enabling customers to manage large deployments through a single console or manage small deployments with limited resources. Logger also comes as an appliance, software, and as a virtual appliance for deployment flexibility.

4. Device/system log types/formats supported

The Common Event Format (CEF) is an open log management standard, created to simplify log management challenges. It uses a standardized format allowing customers to easily collect and aggregate data for analysis by an enterprise log management system. CEF is an extensible, text-based, high-performance format designed to support multiple device types and applications in the simplest manner possible. Specifically, CEF defines syntax for audit log records comprised of a standard header and a variable extension, formatted as key-value pairs. This format contains the most relevant event information, making it easy for event consumers to parse and make use of the data.

5. Licensing module/cost

1. ArcSight ESM Appliance: E Server
   HP ArcSight E Server ArcSight ESM Appliance-2 Core ESM Manager license with Oracle embedded
   Part #: TG229AA
   List Price: $85,000
   24x7 Support: $19,
2. ArcSight Express Appliance: AE-7405 Server
   HP ArcSight AE-7405 Server ArcSight Express peak EPS/50k Flows/min, up to 750 Devices. Incl Log Mgt, 1 console, and View for Express for up to 50 Users.
   Part #: TG322AA
   List Price: $45,000
   24x7 Support: $10,

3. ArcSight Logger Appliance: L3400 Server
   HP ArcSight L3400 Server ArcSight Logger, up to 2k raw EPS, 200 local connector EPS, connector management, and 200 Devices
   Part #: TG238AA
   List Price: $20,000
   24x7 Support: $4,600

Gartner Review on HP ArcSight SIEM

According to the Gartner report on HP ArcSight SIEM, ArcSight Enterprise Security Manager (ESM) software is oriented to large-scale, SEM-focused deployments. ArcSight Express is an appliance-based offering for ESM that is designed for the midmarket with preconfigured monitoring and reporting. ArcSight Logger appliances and software provide log data collection and management functions that can be implemented standalone or in combination with ESM.

During 2013, ArcSight remained among the most visible SIEM competitors on Gartner client shortlists, but the introduction of competitive SIEM technologies within large ArcSight accounts continued, with customers citing ESM complexity and cost as inhibitors to expansion. With ArcSight ESM version 6, HP replaced the ESM Oracle Database with the Correlation Optimized Retention and Retrieval Engine (CORR-Engine) and implemented a simplified events per second (EPS)-based pricing model. HP has validated significant improvements in event-handling capacity on the same hardware with reference customers. In late 2013, HP introduced ArcSight Risk Insight for ESM, which provides risk rating and management dashboards for security event data. HP also introduced ArcSight Application View, which enables application activity monitoring that is not dependent on log data. HP also released enhancements to ArcSight Express to simplify deployment and customization. Development plans include further integrations with HP's Vertica Analytics Platform and additional improvements in ease of deployment.

Hence, as per the Gartner review, ArcSight Express should be considered for midsize SIEM deployments. ESM is appropriate for larger deployments, as long as sufficient in-house support resources are available.

Strengths

- ESM provides a complete set of SEM capabilities that can be used to support a security operations center.
- ArcSight Express provides a simplified option for midsize SIEM deployments.
- ArcSight Logger can provide an inexpensive log management capability for two-tier deployment architectures that require long-term event archiving.
- Optional modules provide advanced support for user activity monitoring, IAM integration and fraud management.
- ArcSight continues to be very visible in competitive evaluations of SIEM technologies.

Cautions

- ArcSight provides real-time statistical correlation, but profiling and anomaly detection operate against historical data only.
- While the CORR-Engine has eliminated a major source of deployment and support complexity, customers will still find ESM to be more complex than other leading solutions.

References

ht_express_product_brief.pdf
f _Unify_Enterprise_IT_Data.pdf

IBM QRADAR SIEM, Q1 LABS

Product Overview

As the most intelligent, integrated and automated SIEM solution in the industry, QRadar SIEM delivers deep visibility into network, user and application activity, providing organizations with intelligence into potential and existing threats across their entire network, and is built on the highly flexible QRadar Security Intelligence Platform. QRadar SIEM provides a next generation solution that can mature with an organization, scale to support a growing infrastructure and deliver a common user experience to many groups across the organization. With log management, advanced threat detection, and policy-aware compliance management all combined in QRadar SIEM, organizations benefit from a tightly integrated solution that quickly and easily delivers corporate-wide security intelligence.

Features

Real-time Visibility for Threat, Compliance & Log Management

Threat Detection & Prioritization

Internet-based threats and fraud continue to proliferate in today's complex networks. Compounding this problem is a steady rise in insider theft of valuable corporate information. QRadar SIEM consolidates siloed information to more effectively detect and manage complex threats. The information is normalized and correlated to quickly deliver intelligence that allows organizations to detect, notify and respond to threats missed by other security solutions with isolated visibility.

QRadar SIEM collects the following:

- Security events - Events from firewalls, VPNs, IDS/IPS, etc.
- Network activity context - Layer 7 application context from network and application traffic
- User/Asset context - Contextual data from IAM products and vulnerability scanners
- Network events - Events from switches, routers, servers, hosts, etc.
- Application logs - ERP, workflow, application databases, management platforms, etc.

The Key to Data Management: Reduce & Prioritize to Actionable Offenses

With some organizations creating millions or billions of events per day, distilling that data down to priority offenses can be a daunting task.

- QRadar SIEM collects, stores and analyzes informational data and provides real-time event correlation for use in threat detection and compliance reporting and auditing.
- QRadar SIEM provides long-term collection, archival, search and reporting of events and application data, making it easier for auditing and for searching for advanced persistent threats or low and slow attacks.

Managing Threats

QRadar SIEM tracks significant incidents and threats and builds a history of supporting and relevant information. Information such as point in time, offending users or targets, attacker profiles, vulnerability state, asset value, active threats and records of previous offenses all help provide security teams with the intelligence they need to act, regardless of where they are.

Application Visibility & Anomaly Detection

QRadar SIEM supports a variety of anomaly detection capabilities to identify changes in behavior against applications, hosts, servers and areas of the network, for example off-hours or excessive usage of an application or cloud-based service, or network activity patterns which are inconsistent with historical profiles. The ability to detect application traffic at Layer 7 enables QRadar SIEM to provide accurate analysis and insight into an organization's network for policy, threat and general network activity monitoring.

Scalability & High Availability

QRadar SIEM was designed from the ground up to work as a complete, integrated solution. QRadar SIEM provides a solution that offers a common platform and user interface for all security intelligence tasks. QRadar SIEM comes as an all-in-one solution for small and medium sized businesses or an enterprise-level solution that is immensely scalable for medium to large deployments.

Compliance Management

QRadar SIEM brings the transparency, accountability and measurability critical to the success of meeting regulatory mandates and reporting on compliance. QRadar SIEM's unique correlation and integration of all surveillance feeds yields:

- More complete metrics reporting around IT risks for auditors
- Thousands of reports and rules templates to address industry compliance requirements

QRadar provides prebuilt dashboards, reports and rules templates for the following regulations and control frameworks: CobiT, SOX, GLBA, NERC/FERC, FISMA, PCI-DSS, HIPAA, UK GSi/GCSx, GPG, and more.

Functionality Review

1. Identification of suspicious activity

QRadar SIEM provides contextual and actionable surveillance across the entire IT infrastructure, helping organizations detect and remediate threats often missed by other security solutions. These threats can include inappropriate use of applications; insider fraud; and advanced, low and slow threats easily lost in the noise of millions of events. QRadar SIEM collects information that includes:

- Security events: Events from firewalls, virtual private networks, intrusion detection systems, intrusion prevention systems and more
- Network events: Events from switches, routers, servers, hosts and more
- Network activity context: Layer 7 application context from network and application traffic
- User or asset context: Contextual data from identity and access-management products and vulnerability scanners
- Operating system information: Vendor name and version number specifics for network assets
- Application logs: Enterprise resource planning (ERP), workflow, application databases, management platforms and more

2. Reporting & Alerting of events

IBM Security QRadar Risk Manager complements QRadar SIEM by identifying a network's most vulnerable assets. It can immediately generate alerts when these systems engage in activity that potentially exposes them.

- Performs immediate event normalization and correlation with other data for threat detection and compliance reporting and auditing.
- Reduces billions of events and flows into a handful of actionable offenses and prioritizes them according to their business impact.
- Performs activity baselining and anomaly detection to identify changes in behavior associated with applications, hosts, users and areas of the network.
- Optionally uses IBM Security X-Force Threat Intelligence to identify activity associated with suspicious IP addresses, such as those suspected of hosting malware.

3. Method(s) of log collection supported

QRadar SIEM automatically discovers many log sources in customers' deployment that are sending syslog messages. Any log sources that are automatically discovered by QRadar SIEM appear in the Log Sources window. Customers can configure automatically discovered log sources on a per Event Collector basis using the Autodetection Enabled parameter in the Event Collector configuration.

4. Device/system log types/formats supported

The Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar. Appliances or applications that generate LEEF events allow QRadar to easily integrate, identify, and process LEEF formatted events provided to QRadar. Events in LEEF format can be provided to QRadar using syslog, written to an event log and imported using the log file protocol, or delivered through an alternate collection method. Depending on the method customers choose for event collection, LEEF events can be automatically discovered in QRadar and have a log source created automatically. Automatically discovered log sources reduce the amount of manual configuration required by customers.

5. Licensing module/cost

- IBM Security QRadar SIEM All-in-One Software 21XX Install License + SW Subscription & Support 12 Months (D0WR5LL): INR 5,278,

- IBM Security QRadar SIEM All-In-One Software 21XX Failover Feature Install License + SW Subscription & Support 12 Months (D0WR8LL): INR 2,642,
- IBM Security QRadar SIEM All-in-One Software 31XX Install License + SW Subscription & Support 12 Months (D0WRBLL): INR 7,192,

For more information on IBM SIEM product cost please refer to this link: https://www-112.ibm.com/software/howtobuy/buyingtools/paexpress/Express?P0=E1&part_number=D0WR5LL,D0WR8LL,D0WRBLL,D0WRELL,D0WRHLL,D0WRKLL,D0WRNLL,D0WRRLL,D0WRULL,D0WSCLL,D0WSFLL,D0WSILL,D0WSLLL,D0WSPLL,D0WSSLL,D0WSVLL,D0WSYLL,D0WRXLL,D10U8LL,D10UDLL,D10UGLL,D10UKLL,D10UVLL,D1140LL,D121DLL,D121FLL,D121ILL,D121KLL,D121MLL,D121PLL,D121RLL,D121TLL,D121CLL,D1227LL,D1229LL,D122BLL,D122DLL,D122ELL,D122HLL,D122ILL,D122KLL,D122MLL,D122PLL,D123GLL,D123ILL,D123KLL,D123LLL,D124KLL&cataloglocale=en_in&locale=en_in&country=ind&pt=jsp&cc=IND&VP=&TACTICS=&S_TACT=&S_CMP=&brand=none

Gartner Review on IBM QRadar SIEM

According to the Gartner review, QRadar can be deployed as an all-in-one solution for smaller environments, or it can be horizontally scaled in larger environments using specialized event collection, processing and console appliances. Enhancements to QRadar included the release of weekly threat intelligence feeds from X-Force. IBM has also introduced QRadar Network Anomaly Detection, which has been designed to complement SiteProtector deployments, adding NetFlow and anomaly detection to the SiteProtector IDS. IBM Security's QRadar SIEM technology provides log management, event management, reporting and behavioral analysis for networks and applications. A distinguishing characteristic of the technology is the collection and processing of NetFlow data, DPI, full packet capture, and behavior analysis for all supported event sources. Enhancements to QRadar during the past 12 months included the introduction of QRadar Incident Forensics, which extends flow analysis, adding DPI and full packet capture capabilities. In addition, IBM Security introduced integrated vulnerability scanning via QRadar Vulnerability Manager (using technology licensed from Critical Watch), as well as new graphing/charting capabilities, improved search performance and API enhancements. IBM also provides additional connectors to Hadoop instances. IBM offers a co-managed service option for QRadar, which combines an on-premises QRadar deployment with remote monitoring from IBM's managed security services operations centers.

Strengths

- QRadar provides an integrated view of the threat environment using NetFlow DPI and full packet capture in combination with log data, configuration data and vulnerability data from monitored sources.
- Customer feedback indicates that the technology is relatively straightforward to deploy and maintain in both modest and large environments.
- QRadar provides behavior analysis capabilities for NetFlow and log events.

Cautions

- QRadar provides less-granular role definitions for workflow assignment compared with competitors' products.
- QRadar's multitenant support requires a master console in combination with distributed QRadar instances.
- The number of third-party service providers that offer QRadar-based monitoring services is limited when compared with vendors that lead in this area.

References

TEU5z16uolUKGzgIkz2EFye%2BLIHETpodcMTcFgPbrYEhcSI4JkxgVAR%2FHEcIFC6Q%3D%3D
ftp://ftp.software.ibm.com/software/security/products/qradar/documents/71mr1/logmgr/logsources-71mr1.pdf
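The CEF format described in the ArcSight functionality review (a pipe-delimited header followed by key=value extension pairs) and the LEEF format described in the QRadar functionality review above are close relatives, and both normally travel as the message part of a syslog line. The Python parser below is an added example written for this case study; it is not code from HP, IBM or ecfirst, and the sample records, the vendor name "Acme" and the field values are constructed for the demonstration. It shows the two details a collector has to get right: the `\|` and `\\` escapes inside header fields, and the fact that CEF extension values may contain spaces while an `=` inside a value is escaped as `\=`. For LEEF 2.0 it assumes the extra header field carries the extension delimiter either as a single character or in a hex form such as `x09`.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records for this example (vendor "Acme" and all values are made up).
SAMPLE_CEF = (
    "CEF:0|Acme|Firewall|1.2|100|Connection blocked|7|"
    "src=10.0.0.5 dst=203.0.113.9 dpt=443 msg=policy\\=deny in rule\\\\7 act=block"
)
SAMPLE_LEEF_10 = "LEEF:1.0|Acme|VPN|3.1|AUTH_FAIL|usrName=alice\tsrc=198.51.100.7\tcat=auth"
SAMPLE_LEEF_20 = "LEEF:2.0|Acme|VPN|3.1|AUTH_FAIL|^|usrName=bob^src=198.51.100.8^cat=auth"

CEF_HEADER = ["vendor", "product", "version", "signature_id", "name", "severity"]
LEEF_HEADER = ["vendor", "product", "version", "event_id"]


def _split_header(body: str, nfields: int) -> Tuple[List[str], str]:
    """Take nfields pipe-delimited header fields off the front of body, honouring the
    '\\|' and '\\\\' escapes both formats use, and return them with the remainder."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body) and len(fields) < nfields:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped character: keep it literally
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":                         # unescaped field separator
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < nfields:
        raise ValueError("truncated header: expected %d fields" % nfields)
    return fields, body[i:]


def _unescape_cef_value(value: str) -> str:
    """Undo CEF extension escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n' / '\\r' -> newline."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> Dict[str, object]:
    """Parse 'CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension'."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, ext = _split_header(line[len("CEF:"):], 7)
    event: Dict[str, object] = {"format": "CEF", "cef_version": fields[0]}
    event.update(zip(CEF_HEADER, fields[1:]))
    # Extension values may contain spaces, so split only on a space that starts a new
    # 'key=' token; an '=' inside a value is escaped as '\=' and therefore never splits.
    extension: Dict[str, str] = {}
    for token in re.split(r" (?=\w+=)", ext.strip()):
        key, sep, val = token.partition("=")
        if sep:
            extension[key] = _unescape_cef_value(val)
    event["extension"] = extension
    return event


def parse_leef(line: str) -> Dict[str, object]:
    """Parse LEEF 1.0 (tab-delimited extension) or LEEF 2.0, whose fifth header field
    names the delimiter; this example assumes that field is either one character or a
    hex form such as 'x09' / '0x09'."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    version, _, rest = line[len("LEEF:"):].partition("|")
    nfields = 5 if version.startswith("2") else 4
    fields, ext = _split_header(rest, nfields)
    event: Dict[str, object] = {"format": "LEEF", "leef_version": version}
    event.update(zip(LEEF_HEADER, fields))
    delim = "\t"
    if nfields == 5 and fields[4]:
        hexform = re.fullmatch(r"0?x([0-9A-Fa-f]{1,2})", fields[4])
        delim = chr(int(hexform.group(1), 16)) if hexform else fields[4]
    extension: Dict[str, str] = {}
    for token in ext.split(delim):
        key, sep, val = token.partition("=")
        if sep:
            extension[key.strip()] = val
    event["extension"] = extension
    return event


def parse_event(line: str) -> Dict[str, object]:
    """Route the message part of a syslog line to the matching parser."""
    if line.startswith("CEF:"):
        return parse_cef(line)
    if line.startswith("LEEF:"):
        return parse_leef(line)
    raise ValueError("unrecognised event format: %r" % line[:16])


if __name__ == "__main__":
    for raw in (SAMPLE_CEF, SAMPLE_LEEF_10, SAMPLE_LEEF_20):
        print(parse_event(raw))
```

The header fields become top-level keys and the extension stays a separate map, which is the shape a normalization step would consume before correlation. The escape handling is not cosmetic: a device name containing `|`, or a value containing `=`, would otherwise shift every later field and silently corrupt the severity and signature that correlation rules key on, so a collector should reject a record with a short header rather than guess.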

MCAFEE SIEM

Product Overview

McAfee's high-performance, powerful security information and event management (SIEM) brings event, threat, and risk data together to provide strong security intelligence, rapid incident response, seamless log management, and extensible compliance reporting. At the core of their SIEM offering, Enterprise Security Manager consolidates, correlates, assesses, and prioritizes security events for both third-party and McAfee solutions. As part of the Security Connected framework, McAfee Enterprise Security Manager tightly integrates with McAfee ePolicy Orchestrator (McAfee ePO) software, McAfee Risk Advisor, and Global Threat Intelligence, delivering the context required for autonomous and adaptive security risk management.

McAfee Enterprise Security Manager

McAfee Enterprise Security Manager provides the speed and rich context required to identify critical threats, respond quickly, and easily address compliance requirements. Continuous global threat and enterprise risk feeds deliver adaptive and autonomous risk management, allowing remediation of threats and compliance reporting in minutes instead of hours.

Features

- Monitor one complete picture of security activity - Use one environment to consolidate, correlate, and report on security information from heterogeneous devices at lightning speed.
- Manage evolving threats with confidence - Integrate McAfee Global Threat Intelligence services and McAfee Risk Advisor with McAfee Enterprise Security Manager for a prioritized view of events, assets, and countermeasures.
- Know how network and security events correlate to real business processes and policies - Provide contextual information (vulnerability scanners, identity, authentication management systems, privacy solutions, or other supported systems) to enrich each event with context, allowing for a better understanding of how network and security events correlate to real business processes and policies.

- Set policies, rules, and thresholds that will generate alerts and launch mitigations - Drive instant corrective action, such as issuing new configurations, implementing new policies, and deploying software updates.
- Reduce audit effort and expense for multiple regulations - Consolidate audit and compliance activities for over 240 regulations within a single pane of glass for continuous governance and rapid reporting.
- Collect the data and context organizations need throughout their enterprise - Leverage McAfee's custom-built database engine and integration with McAfee ePolicy Orchestrator (McAfee ePO) software to extend visibility and control across customers' entire security and compliance management environment.

McAfee Global Threat Intelligence for ESM

Built for big security data, McAfee Global Threat Intelligence for Enterprise Security Manager (ESM) puts the power of McAfee Labs directly into the security monitoring flow using McAfee's high-speed, highly intelligent Security Information and Event Management (SIEM).

Features

- Get enhanced protection for the entire network - Immediately identifies when any node on customers' network is communicating with a suspicious or known bad actor, so the threat's path can be quickly understood.
- Leverage risk-based prioritization - Automatically incorporates IP reputation into the McAfee Enterprise Security Manager rule-less risk scoring algorithm, pinpointing the need to respond.
- Feel safe with 24/7 threat monitoring - Provides an accurate, up-to-date understanding of the global threat landscape even after compromised systems have been cleaned. McAfee Labs is constantly scouring threat information to detect newly infected and malicious systems.

McAfee Enterprise Log Manager

McAfee Enterprise Log Manager automates log management and analysis for all log types, including Windows Event logs, database logs, application logs, and syslogs. Logs are signed and validated, ensuring authenticity and integrity, a necessity for regulatory compliance and forensics. Out-of-the-box compliance rule sets and reports make it simple to prove an organization is in compliance with regulations and internal policies.

Features

- Meet compliance log retention requirements - Collects, signs, and stores any log type in its original format for as long as customers require to support their specific compliance needs.
- Adapt storage and retention to each log source - Uses easily customizable storage pools to ensure that customer logs are stored correctly and for the right amount of time.
- Analyze and search logs conveniently and appropriately - Differentiates logs stored for compliance from logs to be parsed and analyzed for security.
- Store logs locally or via a managed SAN - Choose the best storage option for customer needs, with up to 7.5 TB of usable HDD storage on the appliances and optional Fibre Channel cards for high-speed SAN storage.
- Integrate log management with situational awareness - Get one-click access to original log files and even the specific log record from any point in the event management process.

McAfee Advanced Correlation Engine

McAfee Advanced Correlation Engine monitors real-time data, allowing customers to simultaneously use both rule-based and rule-less correlation engines to detect risks and threats before they occur. They can deploy Advanced Correlation Engine in either real-time or historical modes.

Features

- Get real-time and historical threat detection - Customers can deploy McAfee Advanced Correlation Engine in either real-time or historical modes. In real-time mode, Advanced Correlation Engine analyzes events as they are collected for immediate threat and risk detection. Customers get rule-based correlation of real-time event data for detection of threats as they occur, or rule-less correlation of real-time event data for detection of threats as they develop.
- Model enterprise risk - Provides impeccable modeling of organizations' risks by scoring attributes that matter. Develop a baseline and send notifications when normal thresholds are exceeded.

Leverage proactive risk assessments against critical data - Uses both correlation engines simultaneously to detect risks and threats before they occur, so customers can use risk scores within traditional correlation logic.
Achieve recursive threat assessment - Customers can deploy Advanced Correlation Engine in historical mode and replay any historical data set through the traditional and rule-less correlation engines.

McAfee Application Data Monitor

McAfee Application Data Monitor decodes an entire application session to Layer 7, providing a full analysis of everything from the underlying protocols and session integrity all the way up to the actual contents of the application (such as the text of an email or its attachments). This level of detail supports accurate analysis of real application use, while also enabling customers to enforce application use policies and detect malicious, covert traffic.

Features
Capture full session detail of all violations - Customers can go beyond application flow monitoring to decode the entire application session, all the way to Layer 7.
Leverage pre-built detection rules for regulated and sensitive data - Monitors access to and use of sensitive information such as credit card numbers, social security numbers, and bank routing numbers out of the box, or customers can customize the McAfee Application Data Monitor appliance's detection capabilities by defining their own dictionaries of sensitive and confidential information.
Document a complete audit trail of application events for compliance - Preserves all details of application sessions that violate policies for use in incident response, forensics, and compliance audits.
Avoid interference with application performance and latency - Application Data Monitor is deployed on a SPAN port for passive monitoring, with no risk to an application's operation, performance, or reliability.
Add application insight into McAfee Enterprise Security Manager - Customers can use McAfee Enterprise Security Manager as a central resource and interface for all monitoring and compliance activities, and use application contents in event correlation and other advanced SIEM functions.

McAfee Database Event Monitor for SIEM

McAfee Database Event Monitor for SIEM delivers non-intrusive, detailed security logging of database transactions by monitoring access to database configurations and data. It not only consolidates database activity into a central audit repository, but also integrates with McAfee Enterprise Security Manager to intelligently analyze and detect suspicious activity.

Features
Get compliance reports pre-built and ready to run - Supports compliance with regulations such as PCI DSS, HIPAA, NERC-CIP, FISMA, GLBA, SOX, and others, while strengthening the customer's overall security posture with pre-defined rules and reports and privacy-friendly logging features.
Benefit from integration with other McAfee products - Customers get full integration with McAfee Enterprise Security Manager and McAfee Enterprise Log Manager for unprecedented event analysis and correlation, in addition to compliant storage and encryption of data activity logs.
Find the data that enables the customer's business - Customers can discover all database instances, including unauthorized or rogue databases.
Uncover regulated and confidential data for compliance - Detects when a database contains sensitive information such as personal identity information, so that customers can monitor all access to that information in accordance with PCI DSS, HIPAA, NERC-CIP, and other compliance requirements.
Log database activity for a complete audit trail - Retains details of all database transactions, from login to logoff, to support compliance auditing requirements; masking can protect sensitive personal information in logs.
Reconstruct sessions with one click - Speeds investigations of database events by viewing the entire session from login to logoff with a single mouse click.
Monitor the customer's network without compromising database performance or capture rates - Avoids overhead by monitoring the customer's database over the network, and ensures the audit data customers need is retained.

Integrate database event information into SIEM workflows - Leverages integration with McAfee Enterprise Security Manager as a central resource and interface for all database monitoring and compliance needs, and enables database transactions to be used by event correlation and other advanced SIEM features.

McAfee Event Receiver for SIEM

McAfee Event Receiver collects third-party events and logs and performs native network flow collection faster and more reliably than any other solution.

Features
Get immediate access to data - Preserves and stores all details of parsed and correlated events in a highly indexed database for fast retrieval and analysis.
Leverage flexible deployment options - Makes highly distributed deployment easier and more cost effective with virtual appliances.
Retain and collect large amounts of security data - Collects over 20,000 events per second with a single McAfee Event Receiver. Every Event Receiver caches all collected data locally to preserve data in the event of a network communication error or outage.

Functionality Review

1. Identification of suspicious activity
McAfee Global Threat Intelligence for Enterprise Security Manager puts the power of McAfee Labs directly into the security monitoring flow through the high-speed, highly intelligent McAfee SIEM, which is built for big security data. McAfee Global Threat Intelligence for Enterprise Security Manager immediately detects when any node on the customer's network is communicating with a suspicious or known bad actor and quickly shows the threat's path. McAfee Labs is constantly scouring threat information to detect newly infected and malicious systems, and to detect when those systems have been cleaned, providing organizations with an accurate, up-to-date understanding of the global threat landscape.
With McAfee Global Threat Intelligence for Enterprise Security Manager, organizations have the power to understand the IP reputation for any event, including events from heterogeneous firewalls, intrusion prevention systems, routers, and endpoints. Leveraging McAfee Enterprise Security Manager's dynamic watch list capability, events are automatically associated with the source reputation score, and risk is adjusted. As global threats change, McAfee GTI keeps McAfee Enterprise Security Manager updated, ensuring that servers and systems continually have an accurate reputation score. This not only helps organizations understand risk, but also pinpoints urgent issues in real time, shrinking the incident response time window and providing accurate risk analysis.

2. Reporting & Alerting of events
McAfee GTI integrates seamlessly with McAfee Enterprise Security Manager alarm and alerting mechanisms, ensuring that interactions with known malicious systems gain the attention they deserve. McAfee Enterprise Security Manager calculates baseline activity for all collected information across the enterprise in real time and alerts customers of potential threats before they occur, while at the same time analyzing that data for patterns that could indicate a larger threat.

3. Method(s) of log collection supported
Enterprise Log Manager collects logs intelligently, storing the right logs for compliance, and parsing and analyzing those logs for security. Customers can retain logs in their original format for as long as they require for specific compliance needs. Since McAfee does not alter the original log files, McAfee supports chain of custody and non-repudiation efforts. Log information is immediately available for real-time security investigations and incident response.

4. Device/system log types/formats supported
McAfee Enterprise Log Manager automates log management and analysis for all log types, including Windows Event logs, database logs, application logs, and syslogs.

5. Licensing module/cost
McAfee Enterprise Security Manager - $38,

McAfee Database Event Monitor for SIEM network monitoring device E - $26,

Gartner Review on McAfee SIEM

According to the Gartner review, the McAfee Enterprise Security Manager (formerly NitroView) line of appliances combines SIM and SEM functions with in-line network monitors, which implement DPI to obtain data and application context and content for security events. Capabilities can be extended and enhanced with a range of specialized add-on products, such as Database Event Monitor (DEM), which provides database activity monitoring and analysis, Application Data Monitor (ADM) for application monitoring, and Global Threat Intelligence (GTI). McAfee is further developing integration of ESM with its wider security portfolio to enable context about vulnerabilities, endpoint state and threats, and to enable automated response and blocking.

Among the enhancements released in the past 12 months were a new suite of regulatory compliance reports, the capability to use flow data and statistical anomaly tracking in correlation rules, and big data connectors for Hadoop integration. Data obtained via the Hadoop connectors can be used to populate watchlists for correlation and to enrich SIEM data. Plans for the next 12 months include deeper integrations with McAfee's own portfolio to enable auto-response capabilities such as policy changes on end-user devices and the quarantining and blacklisting of malicious activity, a software development kit (SDK) for external data queries and system management, enhanced threat detection utilizing Data Exchange Layer and Threat Intelligence Exchange, and additional data obfuscation for enhanced compliance with privacy laws.

Hence, McAfee Enterprise Security Manager is a good choice for organizations that require high-performance analytics under high-event-rate conditions, as well as organizations with advanced requirements for monitoring database applications and industrial control systems.

Strengths
Some of the highest event ingest rates and query performance levels that we have been able to validate have been with McAfee Enterprise Security Manager customers.
Database and application monitoring, as well as network-based packet inspection, are provided for via McAfee Enterprise Security Database Event Monitor and Application Data Monitor.
McAfee Enterprise Security Manager has strong industrial control system (ICS) and supervisory control and data acquisition (SCADA) device support.

Cautions
Users have indicated that vendor support is good, but it can be difficult reaching the right point of contact.
McAfee's advanced SIEM features and capabilities in areas such as endpoint intelligence and automated response require integrations with, or further investments in, other McAfee portfolio products.
NetFlow filtering and alerting capabilities are limited. For example, there is no easy way to include all the packet data from an event that caused an alert in an email notification.

References
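The signed, unaltered log storage and chain-of-custody support described for McAfee Enterprise Log Manager above can be illustrated with a small tamper-evident archive. This is an added example written for this case study, not McAfee code: the signing key and the log lines are constructed, and the HMAC chain is one common way to sign and validate logs, not necessarily the vendor's.

```python
"""Tamper-evident log archive: every record is stored verbatim and covered by an
HMAC that also chains to the previous record, so edits, deletions and
re-orderings are all detectable when the archive is validated."""
import hashlib
import hmac

# Constructed signing key for this example only; a real archive would hold the
# key in an HSM or key management service, separate from the log store.
SIGNING_KEY = b"example-archive-key"

# Constructed sample log lines in their original formats (syslog and a
# Windows-style event), exactly as they would arrive from the collectors.
SAMPLE_LOGS = [
    "<34>Jan  5 10:01:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 DPT=22",
    "<38>Jan  5 10:01:07 db01 sshd[4122]: Failed password for admin from 203.0.113.9 port 51022 ssh2",
    "EventID=4625 Computer=WS01 Account=jdoe Status=0xC000006D",
]

GENESIS = "0" * 64  # chain anchor used as the "previous digest" of record 0


def _record_mac(prev_mac: str, raw: str, key: bytes) -> str:
    # The MAC covers the previous record's MAC and the untouched log bytes.
    payload = prev_mac.encode("utf-8") + b"\n" + raw.encode("utf-8")
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_chain(raw_logs, key: bytes = SIGNING_KEY):
    """Sign each log line as it is archived; the raw text is never altered."""
    chain, prev = [], GENESIS
    for raw in raw_logs:
        mac = _record_mac(prev, raw, key)
        chain.append({"raw": raw, "prev": prev, "mac": mac})
        prev = mac
    return chain


def verify_chain(chain, key: bytes = SIGNING_KEY) -> int:
    """Return the index of the first record that fails validation, or -1 if
    the whole archive is intact (authenticity and integrity both hold)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:  # a record was removed or reordered
            return i
        expected = _record_mac(prev, rec["raw"], key)
        if not hmac.compare_digest(expected, rec["mac"]):  # content edited
            return i
        prev = rec["mac"]
    return -1


def demo() -> dict:
    """Archive the sample logs, then validate an intact, an edited and a
    truncated copy; returns the first failing index for each case."""
    chain = build_chain(SAMPLE_LOGS)
    edited = [dict(r) for r in chain]
    edited[1]["raw"] = edited[1]["raw"].replace("Failed", "Accepted")
    deleted = chain[:1] + chain[2:]  # record 1 silently dropped
    return {
        "intact": verify_chain(chain),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
    }


if __name__ == "__main__":
    print(demo())  # {'intact': -1, 'edited': 1, 'deleted': 1}
```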
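The reputation enrichment and risk adjustment described in the McAfee Functionality Review above (dynamic watch list, per-event reputation score, re-scoring when the feed changes) can be sketched in code. This is an added example, not McAfee's or McAfee Labs' implementation: the reputation feed, the events, the 80% reputation weight and both thresholds are constructed assumptions.

```python
"""Reputation-aware risk scoring: a reputation feed populates a dynamic watch
list, every event is tagged with the reputation of the external address it
touches, its risk score is adjusted, and a feed update re-scores the events."""
from typing import Dict, List

# Constructed reputation feed: external IP -> score (0 = clean, 100 = known bad).
REPUTATION_FEED: Dict[str, int] = {
    "203.0.113.45": 95,  # constructed "known bad" address
    "198.51.100.7": 60,  # constructed "suspicious" address
}

# Constructed events as a firewall, IPS or router might report them.
# `base_risk` stands in for the score the event would carry on its own.
SAMPLE_EVENTS: List[dict] = [
    {"id": 1, "src": "10.0.0.5", "dst": "203.0.113.45", "sensor": "fw01", "base_risk": 10},
    {"id": 2, "src": "10.0.0.8", "dst": "198.51.100.7", "sensor": "ips02", "base_risk": 10},
    {"id": 3, "src": "10.0.0.9", "dst": "10.0.0.20", "sensor": "rtr01", "base_risk": 10},
]

WATCHLIST_THRESHOLD = 80  # reputation at or above this lands on the watch list
ALARM_THRESHOLD = 70      # adjusted risk at or above this raises an alarm


def build_watchlist(feed: Dict[str, int], threshold: int = WATCHLIST_THRESHOLD) -> set:
    """Dynamic watch list: derived from the feed, so it changes when the feed does."""
    return {ip for ip, score in feed.items() if score >= threshold}


def external_address(event: dict) -> str:
    """Pick the address to look up; here anything outside 10.0.0.0/8 counts as external."""
    for key in ("dst", "src"):
        if not event[key].startswith("10."):
            return event[key]
    return ""


def score_event(event: dict, feed: Dict[str, int]) -> dict:
    """Attach the reputation score and adjust risk.

    Reputation is weighted at 80% (integer math keeps the result deterministic)
    and the total is capped at 100."""
    ip = external_address(event)
    reputation = feed.get(ip, 0)
    adjusted = min(100, event["base_risk"] + (reputation * 8) // 10)
    return {
        **event,
        "reputation_ip": ip,
        "reputation": reputation,
        "risk": adjusted,
        "watchlist_hit": ip in build_watchlist(feed),
        "alarm": adjusted >= ALARM_THRESHOLD,
    }


def score_events(events: List[dict], feed: Dict[str, int]) -> List[dict]:
    return [score_event(e, feed) for e in events]


def apply_feed_update(feed: Dict[str, int], updates: Dict[str, int]) -> Dict[str, int]:
    """Return a new feed with the latest reputations merged in. When a system
    is cleaned its score drops, so its events stop alarming once re-scored."""
    merged = dict(feed)
    merged.update(updates)
    return merged


if __name__ == "__main__":
    for e in score_events(SAMPLE_EVENTS, REPUTATION_FEED):
        print(e["id"], e["reputation_ip"] or "internal", e["risk"], "ALARM" if e["alarm"] else "")
    cleaned = apply_feed_update(REPUTATION_FEED, {"203.0.113.45": 5})
    print("after feed update:", [e["risk"] for e in score_events(SAMPLE_EVENTS, cleaned)])
```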

Splunk SIEM

Product Overview

Splunk has quickly emerged as a leading SIEM vendor. Over 2,000 customers use Splunk software for security use cases, and Splunk has won numerous industry awards, including placement as a Leader in the 2013 Gartner Security Information and Event Management (SIEM) Magic Quadrant and SC Magazine 2013 global awards for Best SIEM Solution - US and Enterprise Security Product - EMEA.

Splunk offers two products that support SIEM use cases: Splunk Enterprise and the Splunk App for Enterprise Security. Splunk Enterprise is the core Splunk platform. It provides the core collection, indexing, search and reporting capabilities. Many Splunk security customers use the core Splunk Enterprise product to build their own real-time correlation searches and dashboards for a SIEM-like experience. For Splunk customers looking for pre-built, SIEM-like content, there is the Splunk App for Enterprise Security, which runs on Splunk Enterprise and contains pre-built correlation rules, alerts, reports, dashboards, incident review/workflow functionality and third-party threat intelligence feeds.

Features
Automated Correlation Searches - use the Splunk Search Processing Language (SPL) for cross-data-type correlations and give the user an understanding of evolving threat scenarios in real time.
Statistical Analysis - commands native to Splunk Enterprise are employed to support dashboards that highlight anomalies in HTTP communications, a key communications protocol for advanced threats.
Technology Add-ons - map specific data sources and data fields into a common information model.
Flexible Dashboards - let customers create their own security portal based on their role in the organization and their view of what's important.
Threat Analyzer - supports visualizing patterns of host, identity or IP activity across data types and across time that may indicate a compromised host or malicious insider.

Reports and Security Metrics - any search result can be rendered as a graphic, dashboard, table or raw data that can be exported as a PDF or CSV; data models and pivot tables support turning raw unstructured data into analytics.
Incident Review, Classification and Collaboration - supported as part of a comprehensive incident review capability that allows for bulk event reassignment and changes in status and criticality classification; for any change to occur, comments are required for auditing purposes.
User Identity Correlation - answers questions about a specific user's activity across the multiple identities required for access to multiple applications.

Functionality Review

1. Identification of suspicious activity
New features in the Splunk App for Enterprise Security include point-and-click predictive analysis visualizations, an easy-to-use threat intelligence framework and a threat investigator that facilitates viewing threat patterns for hosts or identities. Together, this functionality helps organizations monitor for known and unknown threats.

2. Reporting & Alerting of events
Splunk Enterprise searches (queries) can be saved and monitored in real time. Real-time alerts can be routed to the appropriate security team members for follow-up. Correlation across system data by vendor or data type is supported in Splunk's easy-to-use Search Processing Language (SPL). Splunk SPL supports correlations that can generate alerts based on a combination of specific conditions, patterns in system data, or when a specific threshold is reached.

3. Method(s) of log collection supported
Splunk lets customers gather log data from systems and devices, and run queries on that data to find issues and debug problems. Splunk software automatically indexes all of the data, including structured, unstructured and complex multi-line application log data, enabling customers to search on all of the data without the need for custom connectors and without the scalability limitations inherent in traditional solutions. Once the data is in Splunk, customers can quickly search, report and diagnose operations and security issues in a faster, repeatable and affordable way.

4. Device/system log types/formats supported

5. Licensing module/cost
Splunk App for Enterprise Security, Annual 100GB/day - $19,

Gartner Review on Splunk SIEM

According to the Gartner review, Splunk Enterprise provides log management, search, alerting, real-time correlation and a query language that supports visualization using more than 100 statistical commands. Splunk is widely deployed by IT operations and application support teams for log management analytics, monitoring and advanced search and correlation. Analytics on batch data stored in Hadoop/NoSQL stores and relational databases is provided by a separate product called Hunk, and by the DB Connect App for bidirectional support for relational databases. During 2014, the vendor has remained very visible on SIEM evaluation shortlists.

Over the past 12 months, Splunk has released many new functions directed at a major competitive issue, deployment complexity. Splunk App for Enterprise Security now ships with 68 predefined security indicators that can be used to construct a custom dashboard, and there are now 40 predefined dashboards in the security domain menu. Splunk released a report builder with 200 predefined reports/panels. Splunk now aggregates 18 threat intelligence feeds to enable consolidation into common watchlists. Development plans include improved threat detection through trending, anomaly detection, expanded use of predictive analytics, and discovery of behavioral outliers for assets and users.

Hence, Splunk is a good fit for security organizations that require customizable security monitoring and analytics, and is an especially good fit for use cases that span security and operations, and for deployments with a focus on application monitoring.

Strengths
Splunk's strong presence in IT operations groups can provide the security organization with early hands-on exposure to its general log management and analytics capabilities, "pre-SIEM" deployment by operations for critical resources, and in-house operations support for an expanded security-focused deployment.
Splunk's dashboarding and analytics capabilities provide a flexible framework for customization to meet a variety of event management and log management requirements.
Splunk has built-in support for a large number of external threat intelligence feeds from commercial and open sources.

Cautions
Splunk provides predefined parsing to a more limited set of IAM vendors than some competitors' products. Potential buyers should anticipate customization work to handle the parsing of IAM logs outside Active Directory, LDAP and selected other IAM technologies.
Predefined reporting, while improved in the current release, is still more basic than that of many competitors.
In cases where operations teams are not using Splunk for operations monitoring (to share deployment costs), Splunk is often significantly more expensive than competing SIEM solutions.

References
_Brief.pdf

LogRhythm SIEM

Product Overview

LogRhythm is an enterprise-class platform that seamlessly combines SIEM, Log Management, File Integrity Monitoring and Machine Analytics, with Host and Network Forensics, in a unified Security Intelligence Platform. It is designed to address an ever-changing landscape of threats and challenges, with a full suite of high-performance tools for security, compliance, and operations. LogRhythm delivers comprehensive, useful and actionable insight into what is really going on in and around an enterprise IT environment.

Features
LogRhythm delivers:
Next Generation SIEM and Log Management
Independent Host Forensics and File Integrity Monitoring
Network Forensics with Application ID and Full Packet Capture
State-of-the-art Machine Analytics
Advanced Correlation and Pattern Recognition
Multi-dimensional User / Host / Network Behavior Anomaly Detection
Rapid, Intelligent Search
Large data set analysis via visual analytics, pivot, and drill down
Workflow-enabled automatic response via LogRhythm's SmartResponse
Integrated Case Management

Functionality Review

1. Identification of suspicious activity

Detecting custom malware with Host Behavior Anomaly Detection
LogRhythm baselines normal host behavior and creates a whitelist of acceptable process activity. Host Activity Monitoring independently detects a new process starting. LogRhythm automatically recognizes that the new process is non-whitelisted. LogRhythm's machine analytics corroborates the event against related activity such as abnormal network traffic, accurately identifying the activity as high risk. An alarm is sent to a Security Administrator, who easily accesses forensic details to investigate.

Exposing compromised credentials with User Behavior Anomaly Detection
LogRhythm automatically establishes a profile for specific users, including whitelists of acceptable activity and behavioral baselines of observed user activities. AI Engine detects when a user engages in abnormal activity, such as logging in from a suspicious location, or deviates from a behavioral norm, such as accessing significantly different data or volumes of data and uploading that data to a non-whitelisted cloud sharing application. SmartResponse either automatically disables the account or queues up the response for validation pending a more detailed forensic investigation into the user's activity.

Identifying data exfiltration with Network Behavior Anomaly Detection
Network Monitor provides critical visibility at network ingress/egress points, with generated SmartFlow data providing deep packet visibility into each network session observed and the applications in use. LogRhythm's machine analytics establishes various behavioral baselines across observed network activities, leveraging the extensive packet metadata delivered via SmartFlow. Network-based anomalies are identified and corroborated against other log and machine data to provide accurate visibility into high-risk activity. SmartCapture automatically captures all packets associated with suspicious sessions for full packet forensics.

2. Method(s) of log collection supported
Collect logs from all log sources, whether Windows events, syslog, flat file, NetFlow, databases or applications. Organize logs in a centralized, scalable, and secure manner.

3. Licensing module/cost
LogRhythm SIEM - $25,000

Gartner Review on LogRhythm SIEM

According to the Gartner review, LogRhythm sells its appliance- and software-based SIEM solutions to midsize and large enterprises. The SIEM offering can be deployed in smaller environments with a single appliance or software instance that provides log management and event management, or it can be scaled as a set of specialized appliances or software instances (log management, event management and centralized console). New features and improvements in the latest 6.2 release of the Security Intelligence Platform include Active Directory group-based authentication for LogRhythm users, System Monitor Agent and collector load balancing, and a new capability designed to infer missing user information from event data, called the Identity Inference Engine. Other enhancements in the past 12 months include a new UI release in 1Q14 that provides tablet support. Moreover, predefined correlation rules have increased to more than 500, and predefined modules containing correlation rules, saved searches and reports covering topics such as privileged user monitoring, network anomaly detection and targeted attack detection have been added.

LogRhythm also released Network Monitor in 2013, a network forensic solution that provides flow analysis, deep packet inspection and full packet capture capabilities and that can be seamlessly integrated with LogRhythm SIEM as a network sensor.

Hence, LogRhythm is a good fit for organizations that require a combination of SIEM, file integrity monitoring (FIM), and network monitoring, and for those organizations that value ease of deployment and predefined function over a "build your own" approach to monitoring.

Strengths
LogRhythm provides a balance of log management, reporting, event management, privileged-user and file integrity monitoring, and network forensic capabilities to support security operations and compliance use cases. Its appliance format and configuration wizards allow for fast deployment with minimal resources.
Gartner receives consistent user feedback stating that LogRhythm's predefined correlation rules and reporting templates provide coverage for the most useful and important use cases and ease initial implementation.
LogRhythm continues to be very visible in competitive SIEM technology evaluations of Gartner clients.

Cautions
Users report that alert template content can only be minimally customized.
In order to continue to support older versions of devices, legacy log processing rules are not removed. Feedback has indicated that this can cause confusion among users.

References
https://www.logrhythm.com/resources/in-depth-product-demo.aspx
https://www.logrhythm.com/siem-2.0/one-integrated-solution/security-information-event-management/compliance-automation-assurance.aspx
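The host behavior anomaly detection workflow described in the LogRhythm Functionality Review above (process whitelist baseline, new-process detection, corroboration against abnormal network traffic before the activity is rated high risk) as an added example. This is not LogRhythm code; the training observations, the live events and the 3-sigma egress threshold are constructed assumptions.

```python
"""Host behavior anomaly detection: learn a per-host process whitelist and an
egress-volume baseline from a healthy period, then rate live events by
combining the "new process" signal with the "abnormal network traffic" signal."""
import statistics
from collections import defaultdict
from typing import Dict, List

# Constructed training window: (host, process, egress_bytes) observations
# collected while the host was known to be healthy.
BASELINE_EVENTS: List[tuple] = [
    ("ws01", "explorer.exe", 1200),
    ("ws01", "chrome.exe", 1500),
    ("ws01", "outlook.exe", 1300),
    ("ws01", "chrome.exe", 1400),
    ("ws01", "outlook.exe", 1600),
]

# Constructed live events to assess against the baseline.
LIVE_EVENTS: List[dict] = [
    {"host": "ws01", "process": "svchost32.exe", "egress_bytes": 950_000},  # new process + bulk egress
    {"host": "ws01", "process": "chrome.exe", "egress_bytes": 1500},        # normal activity
    {"host": "ws01", "process": "svchost32.exe", "egress_bytes": 1300},     # new process, quiet
    {"host": "ws01", "process": "Chrome.EXE", "egress_bytes": 50_000},      # known process, bulk egress
    {"host": "srv99", "process": "sshd", "egress_bytes": 100},              # host never baselined
]


def build_baselines(events: List[tuple]) -> Dict[str, dict]:
    """Per host: whitelist of processes seen, plus mean/stdev of egress bytes."""
    procs, volumes = defaultdict(set), defaultdict(list)
    for host, process, egress in events:
        procs[host].add(process.lower())  # process names compared case-insensitively
        volumes[host].append(egress)
    baselines = {}
    for host in procs:
        vols = volumes[host]
        baselines[host] = {
            "whitelist": procs[host],
            "mean": statistics.mean(vols),
            # a single sample has no spread; fall back to zero deviation
            "stdev": statistics.stdev(vols) if len(vols) > 1 else 0.0,
        }
    return baselines


def assess(event: dict, baselines: Dict[str, dict], z: float = 3.0) -> dict:
    """Rate one live event. A host with no baseline cannot be judged and is
    reported as such rather than silently passed as low risk."""
    base = baselines.get(event["host"])
    if base is None:
        return {"host": event["host"], "risk": "unknown_host", "reasons": ["no baseline"]}
    reasons = []
    if event["process"].lower() not in base["whitelist"]:
        reasons.append("non-whitelisted process")
    limit = base["mean"] + z * base["stdev"]  # egress above mean + z sigma is abnormal
    if event["egress_bytes"] > limit:
        reasons.append("egress above baseline")
    # Corroboration: both signals together rate high; one alone rates medium.
    risk = {2: "high", 1: "medium"}.get(len(reasons), "low")
    return {"host": event["host"], "risk": risk, "reasons": reasons}


def run() -> List[dict]:
    """Build baselines from the training window and assess every live event."""
    baselines = build_baselines(BASELINE_EVENTS)
    return [assess(e, baselines) for e in LIVE_EVENTS]


if __name__ == "__main__":
    for result in run():
        print(result["host"], result["risk"], "; ".join(result["reasons"]))
```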

Magic Quadrant

Magic Quadrant Descriptions

Leaders

The SIEM Leaders quadrant is composed of vendors that provide products that are a good functional match to general market requirements, have been the most successful in building an installed base and revenue stream within the SIEM market, and have a relatively high viability rating (due to SIEM revenue or SIEM revenue in combination with revenue from other sources). In addition to providing technology that is a good match to current customer requirements, Leaders also show evidence of superior vision and execution for anticipated requirements. They typically have relatively high market share and/or strong revenue growth, and have demonstrated positive customer feedback for effective SIEM capabilities and related service and support.

HP ArcSight - ArcSight Enterprise Security Manager (ESM) provides a complete set of SEM capabilities that can be used to support a security operations center.
IBM QRadar - IBM Security's QRadar SIEM technology provides log management, event management, reporting and behavioral analysis for networks and applications. IBM Security QRadar also provides anomaly detection, incident forensics, and configuration and vulnerability management capabilities, and it fully integrates with IBM's Big Data and Analytics platform.
McAfee - McAfee Enterprise Security Manager (ESM) combines security information management (SIM) and SEM functions, is available as a stand-alone, all-in-one or virtual appliance, and is delivered as a managed service by partners.
Splunk - The Splunk App for Enterprise Security includes visualizations to identify anomalous behavior, a threat intelligence framework to organize and de-duplicate threat feed data, and data models and a pivot interface to enable the fast creation of analytics.

LogRhythm - LogRhythm provides a balance of log management, reporting, event management, privileged-user and file integrity monitoring, and network forensic capabilities to support security operations and compliance use cases.

Challengers

The Challengers quadrant is composed of vendors that have a large revenue stream (typically because the vendor has multiple product and/or service lines), at least a modest-size SIEM customer base and products that meet a subset of the general market requirements. Vendors in this quadrant typically have strong execution capabilities, as evidenced by financial resources and a significant sales and brand presence garnered from the company as a whole or from other factors. However, Challengers have not demonstrated as rich a capability or track record for their SIEM technologies as vendors in the Leaders quadrant.

NetIQ - NetIQ's SIEM offering is based primarily on the Sentinel platform, in combination with agent technology and content from Security Manager. NetIQ Sentinel is composed of three packages: Sentinel, Sentinel Log Manager and Change Guardian.
EMC (RSA) - RSA, The Security Division of EMC, provides log and full packet data capture, security monitoring, forensic investigation, and analytics. RSA will support the enVision platform until the end of
The Security Analytics reporting system can pull data from both the Security Analytics data structures and the Internet Protocol Database (IPDB) in enVision.

Visionaries

The Visionaries quadrant is composed of vendors that provide products that are a good functional match to general SIEM market requirements, but have a lower Ability to Execute rating than the Leaders. This lower rating is typically due to a smaller presence in the SIEM market than the Leaders, as measured by installed base or revenue size or growth, or by smaller overall company size or general viability.

AlienVault - The foundation of AlienVault's security management solution is Open Source SIEM (OSSIM), which provides SIEM, vulnerability assessment, NetFlow, network and host intrusion detection, and file integrity monitoring. AlienVault offers SIEM in two products, one open source and one commercial.

Niche Players

The Niche Players quadrant is composed primarily of smaller vendors that provide SIEM technology that is a good match to a specific SIEM use case, a subset of SIEM market requirements. Niche Players focus on a particular segment of the client base or a more limited product set. Their ability to outperform or innovate may be affected by this narrow focus. Vendors in this quadrant may have a small installed base or be limited, according to Gartner's criteria, by a number of factors. These factors may include limited investments or capabilities, a geographically limited footprint, or other inhibitors to providing a broader set of capabilities to enterprises now and during the 12-month planning horizon. Inclusion in this quadrant does not reflect negatively on the vendor's value in the more narrowly focused service spectrum.

SolarWinds - SolarWinds packages its Log and Event Manager (LEM) software as a virtual appliance. SolarWinds LEM is a good fit for small or midsize companies that require SIEM technology that is easy to deploy, and for those that use other SolarWinds operations monitoring components.
Tenable Network Security - Tenable Network Security's focus in this market is evolving to emphasize continuous compliance monitoring based on endpoint state (vulnerabilities, configuration), file activity, network activity and log data. Tenable's SIEM solution is a good choice for organizations that want to implement continuous monitoring based on the assessment of vulnerabilities, security configuration and log data.

Tibco Software - Tibco Software's LogLogic Log Management Intelligence line of solutions provides log collection and management capabilities. LogLogic is a good fit for use cases focused primarily on log management, providing organization-wide LaaS, or those that involve log management and event forwarding to an MSSP or a third-party event manager.
Trustwave - Trustwave's primary business is services for compliance, vulnerability assessment, managed security and security consulting. Trustwave is a good fit for midsize organizations that require a combination of compliance-oriented services and SIEM technology.
EventTracker - EventTracker targets its SIEM software and service offering primarily at midsize commercial enterprises and government organizations with security and operations event management and compliance reporting requirements. EventTracker is suited for midsize businesses that require log management.
BlackStratus - BlackStratus has two offerings, Log Storm and SIEM Storm. Log Storm provides log management capabilities aimed at MSSPs and small to midsize enterprises, and is available as virtual and hardware appliances. BlackStratus is a good fit for service providers requiring a customizable SIEM platform, and for end-user organizations looking for well-formed multitenancy support.
AccelOps - AccelOps provides log management, search, alerting, real-time correlation, and a dashboard environment for unified security, availability, and performance monitoring and analytics. It is one of the few vendors with capabilities directed at both IT security and IT operations. It is a good fit for enterprises and MSSPs that require a combination of security monitoring and PAM, and integrated configuration management database (CMDB) capability.

References

Comparison Matrix

| Vendor Products          | Identification of suspicious activity | Reporting of events | Alerting | Method(s) of log collection supported | Device/system log types/formats supported | Licensing module/cost |
|--------------------------|---------------------------------------|---------------------|----------|---------------------------------------|-------------------------------------------|-----------------------|
| HP ArcSight Express SIEM | HIGH                                  | HIGH                | HIGH     | HIGH                                  | HIGH                                      | LOW                   |
| IBM QRadar               | HIGH                                  | HIGH                | HIGH     | HIGH                                  | HIGH                                      | HIGH                  |
| McAfee SIEM              | HIGH                                  | HIGH                | HIGH     | HIGH                                  | HIGH                                      | HIGH                  |
| Splunk SIEM              | HIGH                                  | MEDIUM              | MEDIUM   | LOW                                   | LOW                                       | LOW                   |
| LogRhythm SIEM           | MEDIUM                                | LOW                 | MEDIUM   | LOW                                   | LOW                                       | LOW                   |

Corporate Office
295 NE Venture Drive
Waukee, IA
Toll Free: x17
Phone: x17
Fax:


More information

REV: 0.1.1 (July 2011) McAfee Security: Intrusion Prevention System

REV: 0.1.1 (July 2011) McAfee Security: Intrusion Prevention System McAfee Security: Intrusion Prevention System REV: 0.1.1 (July 2011) 1 Contents 1. McAfee Network Security Platform...3 2. McAfee Host Intrusion Prevention for Server...4 2.1 Network IPS...4 2.2 Workload

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information