Security Integration Splunk and ArcSight

Transcription

1 Security Integration Splunk and ArcSight Data Integration for IT security Wednesday 14 th January 2015 IT Analytics 15

2 Agenda Welcome Ray Bruni Eric Blavier Splunk & Nexthink Mostafa Soliman ArcSight & Nexthink

3 Splunk and Nexthink Welcome Eric

4 Introduction Eric Blavier work for Nexthink since IT security specialist Security projects using Nexthink financial institutions industry governements military Europe / US / Asia

5 Nexthink security metrics Nexthink V5 generates ~200 datapoints ~50% are in real- time Security metrics Nexthink Security Solution Pack (NSSP) Security Cockpit Web&Cloud

6 NSSP V5 Specific set of out- of- the- box investigations for Endpoint Security o Dynamic inventory o Unauthorized applications o Identity & access management o Vulnerability management & protection o Secure network configuration o Indicators of compromise

7 NSSP Web&Cloud Specific set of out- of- the- box investigations for Web & Security (through Nexthink Library)

8 Splunk Splunk Collect and index many machine- generated data from many source or location in real time Correlate events spanning many diverse data sources Can be used as a Security Information and Event Management (SIEM) Nexthink DATA

9 Data integration Nexthink Engine - > Splunk Using NXQL 2.0 direct Web API direct access to Nexthink Engine Database %20last_seen)%20(from%20device%20(with%20device_activity%20(between %20now- 7d%20now))))%20&format=csv new Nexthink Query Language Web interface

10 Data integration Adding Data in Splunk curl update Data interval

11 SIEM Security information and event management system collects real- time data from IT infrastructure analyzes, correlates and provides reporting to further a responsive action provides a clear insight into the security posture of a company Need notable events and behavior from ENDPOINTS (Nexthink)

12 Security dashboard Security posture high level insight of «notable events» across many security domains Example of notable security events from Nexthink Endpoint Host(s) with multiple infections Critical priority Host(s) with malware detected Access Insecure or cleartext authentication access detected Default Account activity detected

13 Nexthink & Splunk Nexthink NSSP investigations

14 Nexthink & Splunk Nexthink NSSP investigations Get details with Nexthink Finder

15 ArcSight and Nexthink Welcome Mostafa

16 from Dedication to Excellence. The Next Big Thing: A case study in utilizing End- User Real- Time Analytics tools in the SOC Mostafa Soliman Mannai Trading Company

17 Introduction Mostafa Soliman Home: Alexandria, Egypt Nexthink Consultant since 2011 ArcSight Consultant since 2012 Senior Security Consultant based in Doha, Qatar since 2011 Presented HP-ArcSight & Nexthink integration in HP Protect 2014 (Washington D.C.)

18 Who is Mannai?

19 Who is Mannai?

20 Where is Mannai?

21 Where is Mannai?

22 Where is Mannai?

23 What do we do? Design, Consultancy, Implementation, Testing, and Support Services for Security Operations Analytics

24 Mannai Security Solutions Partners

25 Endpoint Monitoring with ArcSight Challenge: Endpoints are the entry point for most of the threats to the organization. Security & event logs do not always contain meaningful information. Some custom monitoring can be done using scripts on endpoints however this doesn t detect all endpoint or enduser activities and requires high maintenance. Conclusion: Endpoints are always a blind spot for ArcSight. Leverage ArcSight by integrating it with endpoint monitoring.

26 Nexthink + ArcSight Nexthink and ArcSight Integration enhances detecting and investigating endpoint anomalies.

27 Nexthink Data in ArcSight

28 Integration Use Cases Endpoints with malicious behavior. Endpoints running files from removable drive. Endpoints bypassing the proxy to connect to the Internet. Endpoints doing port scans. Endpoints accessing well known malicious URLs. Endpoints with disabled and/or out-of-date antivirus. Endpoints using Internet broadband connections. Endpoints executing non-compliant software (IM, P2P, etc.)

29 Q & A

30 Remember Integration Push and/or Pull APIs, , Syslog Extend, Enhance, and Compliment Data Analyze Visualize

31 Thank You! For more information Contact your partner or sales rep