VISIBLY BETTER RISK AND SECURITY MANAGEMENT

Transcription

1 VISIBLY BETTER RISK AND SECURITY MANAGEMENT Mason Hooper Practice Manager, SIEM Solutions, McAfee APAC December 13, 2012

2 Oct 17 10:00:27, Application=smtp, Oct 17 10:00:27, Application=smtp, Event=' Status', Event=' Status', size=25140, size=25140, source=( ), reputation=49, source=( ), reputation=49, tls=1tls=1 10/17/ :00:27, TRAFFIC, end, , , Monitor 10/17/ :00:27, TRAFFIC, end, , , Monitor SPAN Port, Tap Zone, ethernet1/12, SPAN Port, Tap Zone, ethernet1/12, 83752, 83752, 1, 59404, 25,25,tcp, allow, 1, 59404, tcp, allow, anyany 10/17/ :02:52 10:02:52 PM,PM, Deleted 10/17/2011 Deleted (detection isn't cleanable), (detection isn't cleanable), W7MANG\host35 C:\Program W7MANG\host35 C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.1\vmwareFiles\VMware\Infrastructure\Virtua vmrc.exe, Infrastructure Client\4.1\vmwareC:\Users\brogers\Desktop\455_23_setu vmrc.exe, p.exe Generic.dx!bbfq C:\Users\brogers\Desktop\455_23_se up.exe Generic.dx!bbfq Oct Oct :00:26, Src , , 10:00:26, Src s_port 4523, dst , s_port 4523, dst , service smtp, proto tcp, xlatesrc service smtp, proto tcp, xlatesrc RESPOND

3 The State of SIEM SIEM Promise: Turns Security Data Into Actionable Information Provides an Intelligent Investigation Platform Supports Management and Demonstration of Compliance Legacy SIEM REALITY: VS Antiquated Architectures Force Choices Between Speed and Intelligence Events Alone Do Not Provide Enough Context to Combat Today s Threats Complex Usability and Implementation Have Caused Costs To Skyrocket 3 December 13, 2012

4 History of SIEM Originally designed to correlate events from IDS and Firewalls Authentication and IAM VA Scan Data Events from Security Devices and Endpoints Network Flows Time User Identity + Device and Application Log Files OS Events Location SEM Traditionally RDBMS SIM Traditionally Flat File Based 5 December 13, 2012

5 Legacy Intelligent and Slow SIEM (COTS DB Based) What are we filtering? Database Queries? Firewall Allows? Infection Indicators User Events? Information access? Filtering 95,000 EPS Billion per Day! ESM Appliance Max 5000 EPS Logging Appliance Max 100,000 EPS 6 December 13, 2012

6 Legacy Fast and Unintelligent SIEM Hybrid Flat File Relational Database Model Traditional Log Manager with Database to provide correlation. Fast at log management and collection Slow reporting over expanded periods Inflexible correlation Basic analysis capability 7 December 13, 2012

7 The Big Security Data Challenge APTs Cloud Data Insider Anomalies Billions of Events Multi-dimensional Active Trending; Analysis Large Volume Analysis Compliance Historical Reporting Perimeter Thousands of Events Correlate Events Consolidate Logs 8

8 ESM: Delivering on the Promise Meaningful Intelligence Rapid Response Big Security Data DB Continuous Compliance Exceptional Value 9 December 13, 2012

9 Gartner 2012 McAfee Enterprise Security Manager is a good choice for organizations that require highperformance analytics under high-event-rate conditions. Customer references have validated very high scalability and query performance levels for the McAfee Enterprise Security Manager event data store. The McAfee Enterprise Security Manager ADM component provides application and data access monitoring from network-based packet inspection, which augments log-based monitoring. 10 December 13, 2012

10 ESM Fulfills Today s SIEM Needs See log frequencies Search for logs Correlate events What data is involved? Who is doing it? Are they a bad actor? What is the risk of the system? What is the risk of the user? GLOBAL THREAT LANDSCAPE Threat intelligence feed Immediate alerting Historical Analysis Visualize, Investigate, Respond Advanced Correlation Engine ENTERPRISE RISK LANDSCAPE Vulnerabilities Countermeasures Individuals Risk Advisor epolicy Orchestrator Dynamic Content Content Aware Traditional Context Log Management 11 December 13, 2012

11 ESM Fulfills Today s SIEM Needs See log frequencies Search for logs Correlate events What data is involved? Who is doing it? Are they a bad actor? What is the risk of the system? What is the risk of the user? GLOBAL THREAT LANDSCAPE Threat intelligence feed Immediate alerting Historical Analysis Visualize, Investigate, Respond Advanced Correlation Engine ENTERPRISE RISK LANDSCAPE Vulnerabilities Countermeasures Individuals Risk Advisor epolicy Orchestrator OPTIMIZED Dynamic Content 1.Shut down bad actor 2.Analyze last years events 3.Compliance issue identified 4.Investigate high risk system Content Aware Big Security Data DB Applications Traditional Context Log Management Database High Speed Intelligent Correlation 12 Scalable Architecture

12 Compliance Based Reporting and Analysis Sorting Through a Sea of Events Have I Been Communicating With Bad Actors? 200M events Which Communication Was Not Blocked? 18,000 alerts and logs What Specific Servers/Endpoints/ Devices Were Breached? Dozens of endpoints Which User Accounts Were Compromised? Handful of users RESPOND What Occurred With Those Accounts? How Should I Respond? Specific files breached (if any) Optimized response 13 December 13, 2012

13 Compliance Based Reporting and Analysis Integration of NitroView normalization with UCF Provides quick access to compliance based data Allows for filtering based on both UCF normalization and specific compliance frameworks Events NitroView Normalization UCF Normalization Compliance Frameworks 14 December 13, 2012

14 Single Pane-of-Glass Device and Application Log Files Application Contents Authentication and IAM Events from Security Devices User Identity Database Transactions OS Events VA Scan Data Location

15 Demo 1 - Identify Slow and Low Data Exfiltration Content-Aware SIEM Feature: Utilize the capability of a Content-Aware SIEM to easily compare current events with weeks, months and even years of data to detect anomalous behavior 19 December 13, 2012

16 Identify Slow and Low Data Exfiltration Weak Investigate Passwords Policy Top Top Offender Violations Normalized 20 December 13, 2012

17 Identify Slow and Low Data Exfiltration Associated Interesting Investigate Events Filtered Large File by IP Normalized Transfer 21 December 13, 2012

18 Identify Slow and Low Data Exfiltration Geo-IP Large File Transfer to China 22 December 13, 2012

19 Identify Slow and Low Data Exfiltration HTTP POST Pivoting Events and Flows Filter Still Applied Bytes Transferred Advanced Details Large File Session Details Transfer to China Large File Session Details Transfer to China Session Details Misspelled User Agent 23

20 Identify Slow and Low Data Exfiltration Flows Summary by Total Bytes Pattern: Every Night At 1:00 AM Flows Summary by Total Bytes Bytes Transferred to China 24 December 13, 2012

21 Situational Awareness and Response Threat Intelligence Real-Time Command & Control High Performance Database SIEM Correlation Engine EVENT LOG AUDIT/COMP. CONTEXT CONTENT COUNTER MEASURES 58 December 13, 2012

22 Summary Put us to the test - Talk to your McAfee Account Manager or Reseller Organise a demonstration Read about McAfee ESM in the 2012 Gartner Magic Quadrant Visit the McAfee SIEM webpage [email protected] 59 December 13, 2012

23