Selling Security: Security Information & Event Management Revenue


Contents

- Learn: Increase Income with Advanced SIEM
- SIEM Defined
- Opportunity: Partner Prospects
- Start: Getting Started Selling SIEM
- Platform: The Sensage Advantage
- Interview: Sensage Partner Case Study

Sponsored by Sensage.

Advanced SIEM

Boost Your Service Revenue with Advanced SIEM
By Bob Scheier

Somewhere, a malicious attack is under way on your customers' systems, preparing to steal intellectual property or customer data, or to bring down their business in the next day, next week or next month. These hackers are leaving traces of their activity scattered across business units or geographies in the form of security events. Your customers would be able to detect those attacks if you could help them collect the massive volumes of log data that are the clues to suspicious behaviors, both now and in the past.

Log data is only useful if your customers can visualize the significant events in it. You could be providing them with a service that makes analysis simpler and more effective with role-based dashboards, reports and drill-down capabilities based on real-time and historical data. Understanding what "secure" looks like from a historical perspective makes it easier to:
- detect anomalies
- execute forensic investigations
- refine security policies
- comply with regulations

Learn how you can offer all this, and more, with an advanced Security Information and Event Management (SIEM) solution that picks up where traditional SIEM technologies stop: a platform purpose-built for massive event data collection with agentless collectors, affordable storage in a data warehouse delivering massively parallel processing and correlation capabilities, prebuilt reports and easy-to-create IntelliViews (dashboards and reports). A platform that moves you beyond small-scale, tactical SIEM implementations (which focus on real-time data) to ongoing, sticky and strategic services that make you a key contributor to the chief information security officer's (CISO) strategy for future security engagements.

"He who knows not both knows neither." ~ Robert Frost
No truer words have been spoken, especially when it comes to cybercrime investigations.

If your customer is limited to real-time views of their security events, it's time to show them the other half of the picture. Sensage delivers advanced Security Information and Event Management, providing historical context and analysis across petabytes of raw event data from any source. The Sensage Event Data Warehouse is fully interoperable with HP ArcSight and other traditional real-time tools, so there is no need to consider a rip-and-replace strategy. Find out how you can become a Sensage partner and sell the full security picture.

Copyright 2012 Sensage, Inc. All rights reserved. Sensage is a trademark of Sensage, Inc. in the United States.

SIEM Defined
By Bob Scheier

Security Information and Event Management (SIEM) systems collect, aggregate and analyze log data from sources such as firewalls, intrusion detection systems, databases, operating systems and network equipment. Their aim is to improve security and compliance by making it easier, faster and less expensive to analyze activity within the IT infrastructure.

Modern SIEM systems combine security event management (SEM), which focused on real-time information, with security information management (SIM), which focused on historic information. This evolution has been enabled by new technologies that allow the cost-effective storage of ever-larger quantities of log data, and by open interfaces that allow easy analysis of this data using common business intelligence tools.

The need to collect and analyze historic, as well as real-time, information is driven by the emergence of more complex threats that attack more systems over longer periods of time. These include the well-publicized breaches at Heartland Payment Systems (resulting in more than $140 million in damages) and at Sony (with $171 million in damage). In more than two-thirds of breaches, organizations could have found evidence of the breach in their log files, according to the 2011 Data Breach Investigations Report by the Verizon RISK Team with cooperation from the U.S. Secret Service and the Dutch High Tech Crime Unit.

SIEM Components

SIEM platforms help find such clues by first gathering event data from any of the varied systems that can be targets of an attack. This data is gathered using adapters, or collectors, that link the monitored devices to the SIEM database. The log data collected can describe anything from packet flows to database access requests, actual (and failed) network and server log-ons, and changes in audit policy that might identify a hacker creating a vulnerability that can be exploited later.

In choosing an SIEM platform, both the customer and partner should identify the adapters they will require now and in the future, how many of these are provided out of the box by the vendor, and how difficult it is to create new adapters. While the creation of adapters might seem to be an attractive revenue stream for partners, customers may be surprised by the need for, and the cost of, such work and may not have budgeted for it. Choosing an SIEM platform that contains most of the required adapters, and/or that makes it easy to create them, frees the partner for services that drive a closer and longer-lasting customer relationship.

Next, the current and historic log data must be stored, which can be a major and costly challenge due to the amount of data involved, the pace at which it is generated and the speed with which it must be accessed to identify potential threats. It is important for the partner to understand the performance and scalability of the database platform and how data will be deduplicated and compressed. SIEM data warehouses that require normalization of data from various sources can also introduce delays and possible loss of critical details.

The third, and critical, component is the analysis of and reporting on both current and historic log data. This is where the customer identifies current threats, looks back in time to find their source, and measures the effectiveness of their security organization and tools. While previous generations of SIEM platforms used proprietary analysis and reporting tools, newer solutions provide open interfaces to industry-standard analytic tools already in use for other business needs.

Sidebar: Availability of log evidence for forensics, by percent of breaches (Verizon caseload only): 69% available, 31% unavailable. Source: 2011 Data Breach Investigations Report by the Verizon RISK Team with cooperation from the U.S. Secret Service and the Dutch High Tech Crime Unit.
The New Face of SIEM

The need to counter longer-lasting, more complex threats, combined with new technical capabilities, has created a new class of SIEM solutions that allow partners to drive much greater value for their customers. This advanced generation of SIEM is:
- Proactive, allowing organizations to use their knowledge of past events to set thresholds for acceptable behavior so that they identify suspicious events as they happen, not just react to them after the fact.
- Unified, providing a single view of security events, and of security/compliance across thousands of sources, utilizing knowledge of any event with a time stamp.
- Accurate, providing security and compliance assessments based on measurements of actual events, not just on policies developed without such insight.
- Customizable, providing dashboards and reports tailored to the needs of various security and business stakeholders.
- Complete, combining historical and real-time analysis for detection of long-term threats, and the development of baselines to aid future forensics.
- Standards-based, allowing the use of the open interfaces and third-party business intelligence tools organizations already use for business analytics, and
- User-friendly, allowing ongoing measurement and evaluation of security/compliance from both a business and technical perspective.

Examples of the scale and scope of advanced SIEM include:
- A U.S. government agency consolidated its SIEM and log-management operations to better protect customer data through real-time alerting, forensic investigation, long-term analysis and FISMA compliance reporting. The project required scaling to support 1,000 Microsoft Windows servers, custom dashboards, out-of-the-box compliance reports and flexible query capabilities.
- A large European country's national health service consolidated SIEM and log management services for clinical and nonclinical data for more than 77 million patients. Key criteria included advanced threat detection, correlation and forensic analysis across vast amounts of data, including electronic protected health information (ePHI), and the extensive role-based access and controls required by mandates to separate clinical and nonclinical data.
- A U.S. government defense agency complemented its existing Cisco SIEM solution (MARS) with support for heterogeneous event data from multiple sources, comprehensive security monitoring, and long-term analysis to improve its insider threat detection and investigation capability. More than 100 analysts used an out-of-the-box BI tool to analyze events stored in the data warehouse.
- A European national telecommunications company implemented a corporatewide cybersecurity and log-management solution for law enforcement, internal fraud detection and internal security monitoring. This system collects and correlates log data from more than 180 sources, including 1.5 billion call detail records (CDRs) per day, to enable more immediate and expansive cyberthreat detection and response. Other key requirements included flexible and precise querying and correlation capabilities, and the ability to support a virtualized (private cloud) implementation to reduce operating and capital expenses. In addition to streamlining data retention and disposal, delivering rapid answers to investigators and addressing compliance needs, Sensage reduced storage needs by 314 Tbytes through an eightfold compression of data.

The Partner/SI Opportunity
By Bob Scheier

Sensage delivers strategic value with the next generation of SIEM.

More complex threats, stricter regulations, the proliferation of mobile devices, virtualization and the growing importance of tighter IT processes are all driving the need for smarter security solutions in general, and next-generation SIEM in particular. Market researcher IDC predicts the security and vulnerability market will grow at a compound annual growth rate (CAGR) of 12.4 percent, reaching $5.2 billion worldwide by 2014, and that SIEM will be the fastest-growing segment, increasing at a 24.2 percent CAGR from $600 million in 2008 to $2.2 billion by

Sidebar (Forrester survey): Organizations have implemented data management across a wide array of uses. Asked "Within the context of security management, what data management solution(s) do you use today?", respondents answered:
- Data warehousing, to collect and store event data, and data integration, to create consistency between all of the event data types: 80% and 83%
- Data governance, to ensure that data fidelity is maintained for forensic purposes, used as evidence, etc.: 75%
- Business intelligence, to provide users with self-serve access to the event data: 73%
- Advanced analytics, to dig further for anomalies, variances, trends, etc.: 65%
Base: 60 security decision-makers for large organizations currently using SIEM technologies or services (multiple responses accepted).

Customer Pain Points

Visibility: While all customers have a security infrastructure with at least minimal reporting capabilities, many are finding it harder to prove they are meeting rising business, legal and regulatory requirements to protect applications and data. This raises a pressing, business-critical need, as well as an opportunity for partners with the proper skill sets and the appropriate SIEM solutions.

Complex Dangers: Just a decade ago, security threats were relatively obvious, random and unsophisticated. However, attacks are now much more complex, more likely to be the work of a criminal or governmental organization, and often the product of sophisticated, long-term planning. They also can reach organizations through many more attack routes than ever before, ranging from wired networks to Wi-Fi or even cellular networks via smartphones or tablets.

Correlation: Highly publicized data breaches, consumer fears of identity theft and even national security threats have imposed new legal and regulatory requirements on organizations. For example, a communication services provider may need to disclose to a law enforcement agency which calls were made to which phone numbers or how many visits were made to certain IP addresses. A health care organization caught in a privacy lawsuit may need to provide information about which employees or outsiders accessed which patient records, and for how long they had access to a specific database. Cases like these require rapid, cost-effective and in-depth analysis of the same type of historical log data that is also required to assure security.

Cross-silo analysis: Early log management systems and real-time intrusion-detection platforms gathered data primarily from network and server resources. But over time, these systems, and the data they generate, have become trapped in silos, defined by separate functions (such as log management, real-time monitoring and incident response), or by departments, business functions or geographies. The number and types of systems needing to be monitored have also risen. As a result, it has become much more difficult to identify and fight breaches that span multiple functions and geographies, and to effectively coordinate countermeasures.

Beyond real-time: Many existing alerting systems only support the capture and analysis of real-time data. This makes it impossible to identify attacks that unfold over long periods of time, or to do forensic analysis for security, legal or compliance audit reasons.

Data Fidelity: Some SIEM platforms require data from multiple sources to be normalized before it can be analyzed, which causes loss of fidelity, as this process removes raw data elements needed for proper analysis.

Cost: Finally, customers today must constantly balance security and compliance with the need to reduce costs such as those for software licenses, storage, training and other professional services.

Partner Opportunity

While some solution integrators look to margins on their sales of SIEM software licenses, most partners find the greatest opportunity in the sale of associated professional services, which can average up to 10 times the amount of the software purchase. Experience implementing security solutions, while a plus, is not a requirement for partners looking to provide such services. In fact, some solution integrators that have experience in industry-standard analytics platforms such as Business Objects and Pentaho can become very successful providing professional services supporting SIEM implementations. The same skills partners used to develop reports for other business functions, such as marketing, can be put to work in security analysis, documenting and analyzing historic IT data to create baselines and more quickly detect attacks.

A recent Forrester Consulting survey found nearly two-thirds of customers have some form of advanced analytics for their security measurement and operations. In developing security analytics, partners can use the same process they have used in other analytic projects, relying on subject matter experts (in this case, security administrators) to define the most critical metrics. Partners who have a deep understanding of their customers' key business issues are often in the best position to provide the more flexible analysis of security data, which is desired by six out of 10 customers responding to the Forrester survey. Experience with risk assessment or compliance is also a major plus, as these can help the customer identify and develop the types of reports that will deliver the greatest business benefit. This is, again, an area where broad experience with the customer, and in their vertical market, can be as important as or more important than specific security experience.

A major benefit of SIEM deployments is that they often require close and prolonged interaction between the partner and the customer about major strategic initiatives and business needs. This puts the partner at the decision-making table with an inside look at upcoming customer requirements the partner can help them to meet.

Sidebar (Forrester survey): Organizations are still looking for more analytics from their SIEM tools. Asked "What, if any, advanced analytics capabilities would you like to see more of from your SIEM tool or interoperable technologies?", respondents answered:
- Greater flexibility to analyze data in multiple ways, nonstandard data analysis: 60%
- More sophisticated correlation/analysis across siloed processes and systems: 62%
- Ability to access and analyze specific data not currently captured by our current SIEM tool: 50%
- Deeper analysis of data, such as through statistical functions, deviations from baselines, etc.: 47%
- Ability to store and analyze a greater quantity of data than our current SIEM can store/analyze: 38%
- Mixing security data with business and other data: 35%
- None; we're happy with our current level of SIEM analytics: 5%
Base: 60 security decision-makers for large organizations currently using SIEM technologies or services (multiple responses accepted).

Customer Benefits

In the past, organizations made rough estimates of the likelihood and cost of various risks, and purchased security much as an automobile owner buys car insurance, not really knowing how much is enough. With the right SIEM solution, organizations can see in real time and across the enterprise how many security attacks they are facing, how much they saved by preventing or stopping certain attacks, and even the potential risks involved in a new initiative such as a mobile deployment. This allows them to make informed decisions about future security spending, and to weigh the business benefits vs. the security risks of entering new markets.

The real-time measurement and dashboards provided by modern SIEM platforms also allow business managers to, for the first time, measure and compare the security performance of various geographies or business units. As a result, they can highlight areas of weakness, target remedies, and reward managers for meeting security and compliance goals much as they are rewarded for meeting sales or cost-cutting goals. For customers, deploying a modern SIEM platform such as Sensage is the first step toward managing security and compliance just as they would any other business metric such as sales, inventory or overhead.
Ten Best Practices of Selling Advanced SIEM
By John Hopkins

Delivering strategic value with a next generation of Security Information and Event Management solution.

Security Information and Event Management is a confusing and cluttered category, partly because it grew from two very different sets of technologies and use cases: Security Information Management (SIM) for specific event logging or compliance needs, and Security Event Management (SEM) for real-time security alerts. Most resellers have already built businesses around one or two toolsets based on those definitions. However, today's cybercrime has forced a new set of requirements to be addressed, from the amount and types of data that should be collected, to the length of time it needs to be stored, to the sophistication of analysis and investigation performed.

The emerging opportunity, advanced SIEM, is something customers will be seeking if they have 1) recently been involved in a breach and were not able to research what occurred in a timely manner, if at all; or 2) committed to being a proactive security team and want a broader view of their landscape than their traditional tools can provide. In both cases, here are ten critical practices you can adopt to deliver strategic value as your customers move to a more advanced state of security management:

1. Find the metrics-minded champion who wants to lead the way. In order to achieve the highest level of value from an advanced SIEM solution, your customer has to understand this is a big data challenge: from the way the data is collected to how it is analyzed, accessed, stored and disposed of.

2. Take a consultative approach. Customers who are ready for advanced SIEM will not have out-of-the-box needs. Be comfortable leading whiteboarding sessions about what they already have in the way of security processes, what is working and where they have security gaps; the answers will sometimes be very surprising.

3. Collect everything. Your customer will not always know what they will want from their data until it's too late. Advise them to collect everything; it's easier to do that than to try to piece together answers when the data doesn't exist. Besides, as they achieve more situational awareness, they can cut back on what they collect if they truly won't be using it.

4. Expose the value of historical data. You don't need to wait for a breach to provide customers with evidence that their historical data is of value. Take data you have helped them collect and do basic analysis: average download volumes by employee, average number of failed log-ins by privileged users, etc. Seeing that information in dashboards and reports will give your customers a very solid foundation for changes they want to make in policies, real-time alerts and metrics refinement.

5. Layer defenses. As you build out your customer's advanced SIEM, you don't have to break their real-time mechanism. If they are happy with their SEM tool, keep it in place collecting and normalizing the subset of data it can handle for alerts. Use the advanced SIEM solution to store the superset of data that can be drilled into for context during a real-time alert investigation and to support long-range historical forensics.

6. Test your theories. After you have collected a few months of data and have established baselines your customer wants to monitor, demonstrate that anomalies will get spotted. Recruit a few trusted employees to behave oddly: assign them tasks of logging in at unusual times, accessing systems with unauthorized devices, etc. This will validate whether your event management process is working or whether basic suspicious events would still go unnoticed.

7. Automate where possible. As more security intelligence is gathered, feed acceptable thresholds, as well as unacceptable variances, into your customers' real-time rules engine, user and data access controls, and application and system policies. Now you are helping customers build smarter processes around known patterns and behaviors, as opposed to guesswork.

8. Don't be afraid to modify. This may seem contradictory to automation, but the reality is that advanced SIEM must be as dynamic as the threat landscape. No solution can be one-size-fits-all, and here's why: no attack is completely the same. If you walk away after your initial implementation, or you leave customers thinking this is a set-it-and-forget-it solution, you will be doing everyone a disservice. The iterative approach identifies new attack methods or vectors as they are attempted, uses the advanced SIEM platform to further analyze and validate them, then incorporates them into the relevant security process, if required.

9. Build a clock. Your customer will face a serious challenge if you don't build in a loop for continuous improvement, which should prevail whether you are still involved or not. With any process, this is what separates a short-term fix from one that a customer will come to rely on at a strategic level. This commitment to a sustainable solution demonstrates to your customer that partnering with you was a worthy investment long after the deal was done.

10. Learn and multiply. Every customer is unique, but each advanced SIEM solution you deploy gives you foundational skills and practices that others can benefit from. Take what you have gathered from each and apply it to your next opportunity, whether that is in the form of customer education, pre-built dashboards and reports, or sophisticated consulting services.

Sensage delivers an advanced SIEM solution powered by the only purpose-built event data warehouse on the market. Sensage can collect petabytes of data and store it in a raw format indefinitely, with flexible access and analysis of that data through an open ODBC/JDBC interface and ad-hoc SQL querying. To learn more about the Sensage solution or our partner programs, please visit the Sensage website.

Getting Started
By Bob Scheier

Likely vertical customers for SIEM solutions include government, communications service providers/critical infrastructure and health care. That is because these organizations typically have the most sensitive data and applications, the strictest legal and regulatory oversight, and the largest IT infrastructures and volumes of log data. However, any organization deploying major enterprisewide IT initiatives such as cloud, mobility, virtualization or new data centers can be an attractive candidate for an SIEM solution. That is because these projects involve such significant changes to the IT infrastructure, and to the business, that they, in turn, trigger reassessments of security needs and regulatory compliance strategies.

For that reason, partners who help their customers with large infrastructure and business projects, such as data center consolidation or mobile device deployments, are in an ideal position to also sell SIEM solutions and services. A partner helping a customer choose a mobile infrastructure and develop the processes for provisioning those devices is also in an ideal position to ask how the customer is addressing the related security and compliance issues, and to describe how an SIEM solution can address them. The higher in an organization a partner sells, the better a position it is in to sell SIEM solutions and services. The more a partner knows about its customer and all the business and IT challenges it faces, the more opportunities it will find where SIEM can reduce risk and improve regulatory compliance.

Another approach is to look for customers who are facing specific security/compliance challenges, such as:
- Using a lightweight SIEM tool that cannot handle the number of data sources, the amount of data and/or the depth and variety of security data the customer needs to analyze.
- Suffering a significant security or regulatory breach and needing to quickly find the cause and resolve it.
- Running into unacceptable delays or costs due to the need to normalize stored data before analyzing it.
- Implementing mobile strategies that require the collection and analysis of large amounts of security-related information, such as the physical locations of devices over time.
- Deploying new data centers or security operations centers (often the trigger for a reassessment of security data needs).
- Struggling with the challenges of providing security for a newly virtualized infrastructure or consolidated data centers.
- Struggling to meet compliance and/or legal requirements, or
- Deploying a large initiative (such as a cloud-based service, mobile enterprise or new data center) that requires an SIEM to monitor events at the heart of the infrastructure.

Some complaints, when heard from customers, can signal that an SIEM solution might be a good fit. These include:
- "Last week we had a security breach. Now we're doing a review of what happened, and I don't have all the information I need to answer some key questions."
- "If we were able to do more sophisticated queries on all the information we have, we could identify trends and maybe even do some predictive analysis."
- "Last week, we were reviewing a top-tier security incident, and we found that there were a whole bunch of entries in the syslogs that pointed to the source of the attack. If only we'd known about them at the time, we might have prevented the attack."
- "I feel we're well covered when it comes to real-time security alerts. ArcSight takes care of that. But we don't have an ability to investigate an ArcSight alert, which would require drilling down into relevant information that we may have sitting in our data stores."
- "Our budget cannot support one more set of regulations requiring customer data archiving."
- "We run out of storage capacity on a regular basis. But we just got an audit that said we aren't collecting all the data we're supposed to."
- "We went with the industry leader because they promised they could meet all our needs, but we're finding the system just fails under heavy loads."
- "We thought we could develop our own SIEM system in-house, but it's really a kludge. We just keep struggling with consolidating data from multiple implementations and databases."

If you need to educate prospects on SIEM, here are some scenarios to use in your presentations, white papers or sales calls:
- You've probably already deployed real-time monitoring or event management tools. But you can't make the move to historical analysis of that data because it costs too much to store it, takes too long to normalize it, or it's too hard to use the proprietary analytics. Here's a list of the vulnerabilities you're facing without the historical analysis, and here's how quickly and easily we can start delivering it using Sensage. Those vulnerabilities include the theft of data by an insider, which often can't be spotted easily since it happens over long periods of time and is carried out by an employee who does not appear to be behaving oddly. Another is an advanced persistent threat that takes a year or longer to evolve.
- You may think SIEM is too complex and expensive to even think about. But we and Sensage can jump-start your efforts by setting alerts around some quick and easy baselines. One example is a simple script that triggers an alert if server or network logs are much longer or shorter than usual, signaling a possible attack. Another script could trigger an alert if, for example, an employee suddenly begins downloading five times more data per day than usual.
- You may be doing only daily log reviews because that's all you have the time, staff or data for. Here are some of the common attacks we're seeing that unfold over time, and that you might find if you also did weekly log reviews. And here, by the way, is how inexpensively, quickly and easily you can do those weekly reviews using Sensage.

One final point: given today's economy, customers may want more from their existing real-time alerting system and believe that a rip-and-replace strategy, while expensive, is the only way to go. A better approach is to suggest keeping the existing real-time analysis solution and adding a more modern SIEM platform that also supports the storage and analysis of large quantities of historical data. That allows the customer to keep getting value from their existing solution, and avoids embarrassing questions from senior management about its shortcomings.
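The baseline alerts described above (the per-employee download averages of best practice 4, and the "five times more data per day" and log-volume scripts in the scenarios) as an added Python example; this is not Sensage code, the daily aggregates are constructed, and it generalizes both scripts into one trailing-baseline check with an upper and a lower ratio bound so the same logic covers a download spike and a server whose logs suddenly go quiet.

```python
"""Baseline-driven alerting over historical event data (added example).

Builds a trailing per-entity baseline from constructed daily aggregates and
flags the days that deviate by the ratios the text describes: an employee
downloading 5x their usual volume, or a server whose daily log volume is much
larger or much smaller than usual.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

# Constructed sample data. Each record is (day, entity, value). In a real
# deployment these aggregates would come from a query against the event store.
# Daily bytes downloaded per employee; alice's volume jumps on March 11.
DOWNLOADS = [
    (date(2012, 3, d), "alice", 40_000_000 + (d % 3) * 1_000_000)
    for d in range(1, 11)
] + [(date(2012, 3, 11), "alice", 260_000_000)]   # about 6.3x her baseline
DOWNLOADS += [(date(2012, 3, d), "bob", 90_000_000) for d in range(1, 12)]

# Daily log line counts per server. web01 goes almost silent on March 9
# (logging disabled? host down?) and db01 spikes on March 11.
LOG_LINES = (
    [(date(2012, 3, d), "web01", 12_000 + (d % 2) * 500) for d in range(1, 12)]
    + [(date(2012, 3, d), "db01", 3_000) for d in range(1, 12)]
)
LOG_LINES[8] = (date(2012, 3, 9), "web01", 900)      # far below baseline
LOG_LINES[21] = (date(2012, 3, 11), "db01", 9_500)   # far above baseline


def series_by_entity(records):
    """Group (day, entity, value) records into {entity: [(day, value), ...]}, sorted by day."""
    grouped = defaultdict(list)
    for day, entity, value in records:
        grouped[entity].append((day, value))
    return {entity: sorted(series) for entity, series in grouped.items()}


def trailing_baseline_alerts(records, upper=None, lower=None, min_history=7, window=30):
    """Score each day against the mean of that entity's previous `window` days.

    An alert is raised when value > upper * baseline or value < lower * baseline
    (either bound may be None to disable it). Days with fewer than `min_history`
    prior observations are skipped, so a brand-new source cannot fire alerts
    before a baseline exists. Returns alert dicts sorted by day and entity.
    """
    alerts = []
    for entity, series in series_by_entity(records).items():
        history = []
        for day, value in series:
            recent = [v for d, v in history if day - d <= timedelta(days=window)]
            if len(recent) >= min_history:
                baseline = mean(recent)
                too_high = upper is not None and value > upper * baseline
                too_low = lower is not None and value < lower * baseline
                if too_high or too_low:
                    alerts.append({
                        "entity": entity,
                        "day": day,
                        "value": value,
                        "baseline": round(baseline, 1),
                        "ratio": round(value / baseline, 2) if baseline else None,
                        "direction": "high" if too_high else "low",
                    })
            history.append((day, value))   # today becomes part of tomorrow's baseline
    return sorted(alerts, key=lambda a: (a["day"], a["entity"]))


def download_alerts(records=DOWNLOADS, factor=5.0):
    """Employees whose daily download volume exceeds `factor` times their baseline."""
    return trailing_baseline_alerts(records, upper=factor)


def log_volume_alerts(records=LOG_LINES, high=2.0, low=0.5):
    """Servers whose daily log volume is much larger or much smaller than usual."""
    return trailing_baseline_alerts(records, upper=high, lower=low)


if __name__ == "__main__":
    for alert in download_alerts() + log_volume_alerts():
        print(alert)
```

The low bound matters as much as the high one: a source that stops logging is itself a finding worth a ticket, and the min_history guard keeps a newly onboarded source from paging anyone on day one.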

The Sensage Advantage
By Bob Scheier

The Sensage SIEM platform uses historical log analysis, an open architecture, and easily created reports and dashboards that let partners provide ongoing, sticky and strategic professional services to their customers. Sensage frees partners from commodity technical services, such as coding queries, enabling them to provide more valuable analytics that drive more immediate business value for their customers. The Sensage advanced SIEM solution integrates siloed processes through a sophisticated event data warehouse. Among the ongoing service opportunities Sensage makes possible for partners are:
- Providing new, and previously unavailable, metrics that measure the effectiveness of the customer's security team, based on current data.
- Reducing the cost, and speeding the provision, of security through automation.
- Providing continued improvements in security and compliance by refining policies, or expanding them to cover important new use cases such as an employee's use of social media, and
- Using their knowledge of the customer's business, applications and culture to help drive the process changes required to improve security.

Customers with particularly critical or complex requirements sometimes even request an on-site technical account manager to proactively identify and fight complex new threats.

Sensage reduces the work and cost of analytics through its support for standard data access interfaces such as ODBC and JDBC. This allows any analyst to use familiar BI tools such as Business Objects rather than having to learn proprietary tools. Creating and tailoring reports does not require any knowledge of SQL, again reducing the need for specialized staff. Ease of use is also driven by Sensage's analytics console, which supports a SQL-driven query wizard; threshold, violation and investigation alerts; long-term trend analysis; and monitoring of access to sensitive files.

Sensage partners can speed auditing and compliance with predefined templates that meet regulatory formats such as SOX, PCI, FISMA and ISO. Partners can also help their customers manage security more easily because Sensage integrates easily with systems that manage trouble tickets or measure compliance.

Sensage provides superior real-time visibility into security and compliance with a new user interface that allows partners or customers to create multiple levels of intuitive dashboards for everyone from network administrators to the CEO. These dashboards can be shared among what have historically been siloed organizations, such as compliance reporting and threat management, or data centers in different geographies, to improve efficiency and speed response.

Sensage also reduces the cost of storing massive SIEM datasets, and eliminates the delays and inaccuracies associated with normalizing data from multiple sources, with its patented columnar Event Data Warehouse. This leverages massively parallel processing and the frequent repetition of common elements in log data to provide high compression ratios and superior performance. Because the native log data is captured and stored in its source-specific schema, there is no need to normalize it. This eliminates delays and assures the fidelity of the data, allowing the most detailed analysis. Sensage's agentless log data collectors are easy and low-cost to build, reducing the complexity of deployments and customer sticker shock for added collectors. Sensage itself can be delivered as software or as a virtual appliance for maximum flexibility in meeting customers' needs.

For more information about how Sensage can drive value for you and your customers, visit the Sensage website. We will schedule a demo and discussion to get things started.

Sometimes a historical viewpoint gives clarity to the road ahead

Threats don't happen in real time anymore, so why should that be the focus of a security strategy? The largest, most sophisticated organizations in the world are taking a new, more effective approach to security management by analyzing historical data. With that context, they can:
- Understand (and articulate) what secure looks like
- Establish acceptable behaviors and baselines
- Develop informed alerts when deviations occur or thresholds are exceeded
- Reduce reactive security investigations
- Create policies that drive appropriate behaviors
- Continuously improve security management based on logical metrics/measurements

Learn more. Visit the Sensage site and get a copy of the whitepaper, A Practical Guide to Next-Generation SIEM.

Copyright 2012 Sensage, Inc. All rights reserved. Sensage is a trademark of Sensage, Inc. in the United States.
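The list above describes the workflow in the abstract: build a baseline from historical log data, then alert only on deviations from it. The following is an added example, written for this page and not code from the brochure or from the Sensage product, showing that workflow in plain Python. It assumes sshd-style authentication log lines (the lines are constructed here, not real captures), a per-user daily baseline of failed logins over 28 days of history, and an assumed alert rule of mean plus three standard deviations with a minimum margin of five failures so that a user whose history is perfectly regular (standard deviation zero) does not alert on a single extra failure. It also flags a source IP never seen for that user in the baseline, which is the kind of "deviation" a historical view makes possible and a real-time-only rule cannot express.

```python
"""Baseline-then-alert over constructed sshd-style log lines (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import date, timedelta

# Assumed line shape (constructed for this example):
# "<YYYY-MM-DD> <host> sshd[<pid>]: Failed password for <user> from <ip> port <n> ssh2"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

MIN_MARGIN = 5  # assumption: never alert below mean + 5 failures, even when std is 0


def parse_line(line):
    """Return a dict with day/outcome/user/ip, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["day"] = date.fromisoformat(rec["day"])
    return rec


def build_baseline(events):
    """Per-user mean/std of daily failed logins plus the set of source IPs seen in history."""
    failed_per_user_day = defaultdict(lambda: defaultdict(int))
    known_ips = defaultdict(set)
    days = set()
    for e in events:
        days.add(e["day"])
        known_ips[e["user"]].add(e["ip"])
        if e["outcome"] == "Failed":
            failed_per_user_day[e["user"]][e["day"]] += 1
    baseline = {}
    for user, ips in known_ips.items():
        # Zero-fill quiet days so the baseline reflects the whole window, not only noisy days.
        counts = [failed_per_user_day[user].get(d, 0) for d in sorted(days)]
        baseline[user] = {
            "mean": statistics.mean(counts),
            "std": statistics.pstdev(counts),
            "ips": ips,
        }
    return baseline


def evaluate(baseline, events):
    """Compare one day's events against the baseline and return a list of alert tuples."""
    alerts = []
    failed_today = defaultdict(int)
    ips_today = defaultdict(set)
    for e in events:
        ips_today[e["user"]].add(e["ip"])
        if e["outcome"] == "Failed":
            failed_today[e["user"]] += 1
    for user, ips in ips_today.items():
        b = baseline.get(user)
        if b is None:
            alerts.append((user, "unknown_user", sorted(ips)))
            continue
        threshold = max(b["mean"] + 3 * b["std"], b["mean"] + MIN_MARGIN)
        if failed_today[user] > threshold:
            alerts.append((user, "failed_login_spike", failed_today[user], round(threshold, 1)))
        for ip in sorted(ips - b["ips"]):
            alerts.append((user, "new_source_ip", ip))
    return alerts


def constructed_history(start=date(2012, 8, 1), ndays=28):
    """Constructed 28-day history: alice fails twice a day from one IP, bob once a week."""
    lines = []
    for i in range(ndays):
        d = (start + timedelta(days=i)).isoformat()
        lines.append(f"{d} bastion sshd[4100]: Accepted password for alice from 10.0.0.5 port 51000 ssh2")
        lines += [f"{d} bastion sshd[4101]: Failed password for alice from 10.0.0.5 port 51001 ssh2"] * 2
        lines.append(f"{d} bastion sshd[4102]: Accepted password for bob from 10.0.0.9 port 52000 ssh2")
        if i % 7 == 0:
            lines.append(f"{d} bastion sshd[4103]: Failed password for bob from 10.0.0.9 port 52001 ssh2")
    return lines


# Constructed "current day": alice gets 15 failures from an IP never seen before; bob is normal.
CURRENT_DAY = [
    "2012-08-29 bastion sshd[4200]: Accepted password for alice from 10.0.0.5 port 51000 ssh2",
    *["2012-08-29 bastion sshd[4201]: Failed password for alice from 203.0.113.7 port 40001 ssh2"] * 15,
    "2012-08-29 bastion sshd[4202]: Accepted password for bob from 10.0.0.9 port 52000 ssh2",
    "2012-08-29 bastion sshd[4203]: Failed password for bob from 10.0.0.9 port 52001 ssh2",
]


def run_demo():
    history = [e for e in map(parse_line, constructed_history()) if e]
    today = [e for e in map(parse_line, CURRENT_DAY) if e]
    return evaluate(build_baseline(history), today)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running it yields two alerts for alice (a failed-login spike of 15 against a threshold of 7, and the new source 203.0.113.7) and none for bob, whose single failure sits inside his weekly pattern. The point a practitioner should take from the design is that the threshold is derived per user from history rather than set globally; a global "more than 10 failures" rule would either miss alice on a quieter day or drown the analyst in alerts from service accounts that fail constantly.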

Partners
A brief interview with AIRNET CEO Rukhsar Khan on their partnership with Sensage
Sensage and AIRNET Partnership Delivers Advanced SIEM to Mainstream Market
By Sensage

1. What is your business coverage/practice?
AIRNET specializes in Security Monitoring and Log Management. We deliver sales, consulting and integration services to security teams in the leading law enforcement, financial services and telecommunication industries. We also provide information security and networking technology training classes and publish books and reports on information security and networking technology, including The Efficiency of Security Monitoring and Log Management; IT Systems and Services Under Attack; and What IT Security and Kidnapping of Minors have in Common: True Incidents and Experiences from the Life of the Author Rukhsar Khan. These publications will be released on Sept. 30th in German and on Dec. 31st in English.

2. What drove your interest in selling/implementing Sensage?
Our customers have to comply with many regulations for ISMS and ISO 27001/. We were being asked to address their very sophisticated requirements for event monitoring and logging, which were not available in real-time solutions. We found Sensage to have capabilities for capturing and storing large data sets, as well as highly sophisticated analytic capabilities. We reached out to their corporate team, who immediately put together a package for a law enforcement agency opportunity we had, which we won and deployed within a month.

3. How does it give you a competitive advantage?
First, the technology is truly different than the real-time engines most customers have deployed. In fact, we can implement Sensage alongside those tools, giving a customer two ways to measure their security effectiveness. Next, Sensage is very competitive and motivated to make me successful. With every deal, they support my pricing negotiations and ensure that, if we want the business, we win it. Finally, Sensage is not a one-size-fits-all, and this is critical when I am dealing with complex security frameworks. There are many value-added services I am able to offer that make Sensage a logical choice for my customers.

4. What are the benefits your customers have derived from their Sensage solution?
We believe customers get two advantages: They can quickly respond to an investigation to understand what truly happened in their environment months or years ago; that includes drilling down from a real-time alert into the full data to get better context. They can use historical analysis to establish very realistic baselines that make their real-time alerts more useful. In both cases, customers look to AIRNET as a valuable partner because we give them a new level of security intelligence they could not achieve before.

5. How easy is Sensage to do business with?
From our early meetings, to the level of enablement they offered my team, to the engagements we have on planning our business together, Sensage has demonstrated that they want to be an exceptional partner.


More information

AccelOps Cloud Security Survey 2013

AccelOps Cloud Security Survey 2013 Survey AccelOps Cloud Security Survey 2013 Introduction and Methodology AccelOps, the leader in integrated Security Information and Event Management (SIEM), performance and availability monitoring software

More information

Ecom Infotech. Page 1 of 6

Ecom Infotech. Page 1 of 6 Ecom Infotech Page 1 of 6 Page 2 of 6 IBM Q Radar SIEM Intelligence 1. Security Intelligence and Compliance Analytics Organizations are exposed to a greater volume and variety of threats and compliance

More information

State of SIEM Challenges, Myths & technology Landscape 4/21/2013 1

State of SIEM Challenges, Myths & technology Landscape 4/21/2013 1 State of SIEM Challenges, Myths & technology Landscape 4/21/2013 1 Introduction What s in a name? SIEM? SEM? SIM? Technology Drivers Challenges & Technology Overview Deciding what s right for you Worst

More information

How To Make Data Streaming A Real Time Intelligence

How To Make Data Streaming A Real Time Intelligence REAL-TIME OPERATIONAL INTELLIGENCE Competitive advantage from unstructured, high-velocity log and machine Big Data 2 SQLstream: Our s-streaming products unlock the value of high-velocity unstructured log

More information

ESG Brief. Overview. 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved.

ESG Brief. Overview. 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved. ESG Brief Webroot Delivers Enterprise-Class Threat Intelligence to Security Technology Providers and Large Organizations Date: September 2014 Author: Jon Oltsik, Senior Principal Analyst; Kyle Prigmore,

More information

DEMONSTRATING THE ROI FOR SIEM

DEMONSTRATING THE ROI FOR SIEM DEMONSTRATING THE ROI FOR SIEM Tales from the Trenches HP Enterprise Security Business Whitepaper Introduction Security professionals sometimes struggle to demonstrate the return on investment for new

More information

Enterprise Security Solutions

Enterprise Security Solutions Enterprise Security Solutions World-class technical solutions, professional services and training from experts you can trust ISOCORP is a Value-Added Reseller (VAR) and services provider for best in class

More information

Security Operations Metrics Definitions for Management and Operations Teams

Security Operations Metrics Definitions for Management and Operations Teams Whitepaper Security Operations Metrics Definitions for Management and Operations Teams Measuring Performance across Business Imperatives, Operational Goals, Analytical Processes and SIEM Technologies Research

More information

CyberArk Privileged Threat Analytics. Solution Brief

CyberArk Privileged Threat Analytics. Solution Brief CyberArk Privileged Threat Analytics Solution Brief Table of Contents The New Security Battleground: Inside Your Network...3 Privileged Account Security...3 CyberArk Privileged Threat Analytics : Detect

More information

The Cyber Threat Profiler

The Cyber Threat Profiler Whitepaper The Cyber Threat Profiler Good Intelligence is essential to efficient system protection INTRODUCTION As the world becomes more dependent on cyber connectivity, the volume of cyber attacks are

More information

GETTING MORE FOR LESS AS LOG MANAGEMENT AND SIEM CONVERGE

GETTING MORE FOR LESS AS LOG MANAGEMENT AND SIEM CONVERGE GETTING MORE FOR LESS AS LOG MANAGEMENT AND SIEM CONVERGE AN IANS INTERACTIVE PHONE CONFERENCE FEBRUARY 11, 2009 CHRIS PETERSON, CTO, FOUNDER, LOGRHYTHM NICK SELBY, IANS FACULTY SUMMARY OF FINDINGS Underwritten

More information

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com Kaseya White Paper Endpoint Security Fighting Cyber Crime with Automated, Centralized Management www.kaseya.com To win the ongoing war against hackers and cyber criminals, IT professionals must do two

More information

The Business Benefits of Logging

The Business Benefits of Logging WHITEPAPER The Business Benefits of Logging Copyright 2000-2011 BalaBit IT Security All rights reserved. www.balabit.com 1 Table of Content Introduction 3 The Business Benefits of Logging 4 Security as

More information

INTRODUCING isheriff CLOUD SECURITY

INTRODUCING isheriff CLOUD SECURITY INTRODUCING isheriff CLOUD SECURITY isheriff s cloud-based, multi-layered, threat protection service is the simplest and most cost effective way to protect your organization s data and devices from cyber-threats.

More information

WHITE PAPER OCTOBER 2014. Unified Monitoring. A Business Perspective

WHITE PAPER OCTOBER 2014. Unified Monitoring. A Business Perspective WHITE PAPER OCTOBER 2014 Unified Monitoring A Business Perspective 2 WHITE PAPER: UNIFIED MONITORING ca.com Table of Contents Introduction 3 Section 1: Today s Emerging Computing Environments 4 Section

More information

SIEM 2.0: AN IANS INTERACTIVE PHONE CONFERENCE INTEGRATING FIVE KEY REQUIREMENTS MISSING IN 1ST GEN SOLUTIONS SUMMARY OF FINDINGS

SIEM 2.0: AN IANS INTERACTIVE PHONE CONFERENCE INTEGRATING FIVE KEY REQUIREMENTS MISSING IN 1ST GEN SOLUTIONS SUMMARY OF FINDINGS SIEM 2.0: INTEGRATING FIVE KEY REQUIREMENTS MISSING IN 1ST GEN SOLUTIONS AN IANS INTERACTIVE PHONE CONFERENCE SUMMARY OF FINDINGS OCTOBER 2009 Chris Peterson, LogRhythm CTO, Founder Chris brings a unique

More information

Extreme Networks Security Analytics G2 Vulnerability Manager

Extreme Networks Security Analytics G2 Vulnerability Manager DATA SHEET Extreme Networks Security Analytics G2 Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution HIGHLIGHTS Help prevent security breaches by discovering

More information

Log Management Solution for IT Big Data

Log Management Solution for IT Big Data Log Management Solution for IT Big Data 1 IT Big Data Solution A SCALABLE LOG INTELLIGENCE PLATFORM FOR SECURITY, COMPLIANCE, AND IT OPERATIONS More than 1,300 customers across a variety of industries

More information

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Protect the data that drives our customers business. Data Security. Imperva s mission is simple: The Imperva Story Who We Are Imperva is the global leader in data security. Thousands of the world s leading businesses, government organizations, and service providers rely on Imperva solutions to prevent

More information

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave

More information