Sorting Through the Noise
SANS Eighth Annual 2012 Log and Event Management Survey Results
May 2012
A SANS Whitepaper, sponsored by LogLogic
Written by: Jerry Shenk
Advisors: Dave Shackleford & Barbara Filkins

Contents
Why Collect Logs?
Changes in Log Collection and Analysis
Top Challenges: Sorting through the Noise
Learning from Logs
Survey Demographics
Executive Summary

The key finding that stands out in SANS Eighth Annual Log and Event Management Survey is the inability of organizations to separate normal log data from actionable events. More than 600 respondents report that detecting and tracking suspicious behavior, supporting forensic analysis, and meeting and proving regulatory compliance are the most important and most problematic issues they deal with in using their logs. As attacks become more sophisticated, IT and security practitioners are identifying what they must do not just to keep up, but to get proactive about their security practices. At the heart of this issue is log management.

The survey respondents are also looking at more data, according to year-over-year survey results. As the log management industry continues to mature, organizations expect to get more meaningful and actionable results from log data. Nearly every product that manages logs now ships with one or more built-in processes for extracting, analyzing and alerting on data. In the survey, 58 percent of organizations report that they use a log manager to collect and analyze logs. Also, 37 percent said they are using a Security Information and Event Management (SIEM) system in some capacity, while 22 percent are collecting the logs and processing them entirely with their SIEM systems.

A large percentage of organizations (22 percent of respondents) say they have little or no automation and no plans to change. The most common reasons given for not automating are lack of time and lack of money, resources that are closely intertwined. Respondents cited two additional reasons: the lack of management buy-in and insufficient time to evaluate the options available in different SIEM and log management products.
As in the past two years, this year's survey responses indicate that organizations are trying to squeeze as much actionable data as they can out of their log management systems, so the convergence with SIEM/event management systems makes good sense. However, they are still struggling with advanced threats and with screening actionable data out of the background noise on their networks. Even when we look at the 22 percent of respondents who are using SIEM for collecting and processing logs, nearly the same percentage say it is difficult to prevent incidents and detect advanced threats. This similarity indicates that log and event management systems, or the way they are being used, have a long way to go in finding the critical needle in a haystack that organizations need during a network crisis.

SANS Analyst Program 1 SANS Eighth Annual 2012 Log and Event Management Survey
Why Collect Logs?

One of the biggest challenges for law enforcement and other agents responding to a breach is the inability to identify the attacker, according to the 2012 Verizon Data Breach Investigations Report. The report shows that, in many cases, organizations cannot identify the attackers because of insufficient log data. This shortcoming directly corresponds to the top challenges our survey respondents reported.

When asked what importance was placed on each of 12 reasons for collecting log data (Figure 1), the most critical were related to internal and external security issues. Respondents' top reasons included detecting and tracking suspicious behavior (82 percent), supporting forensic analysis and correlation (65 percent) and preventing incidents (58 percent).

Figure 1. Why Collect Logs?

Detecting advanced threats was also important (54 percent), as was using logs to meet regulatory compliance requirements (55 percent). These reasons have stayed consistent since we started asking these questions, although the individual questions and options have changed enough to prevent year-by-year comparisons.
Many respondents are also collecting logs for operational and business improvements, including IT operations and support, application and system performance, and monitoring service levels and other lines of business. These issues were identified as critical by 24 percent to 30 percent of respondents.

One reason for log collection we have asked about ever since the first log management survey in 2005 pertains to compliance with various regulations, requirements and policies. This year, in a question about what reasons people have for collecting logs, 55 percent stated that compliance issues were a critical reason, 36 percent said compliance was important and the remaining nine percent said that compliance was not important.

The final responses were related to costs, chargebacks and understanding customer behavior. These received positive responses of 17 percent to 11 percent, although 30 percent to 40 percent said they were not important. Almost all respondents (except for 0.3 percent) said that detecting and tracking suspicious behavior was important. This has been the top reason for collecting logs since we started asking this question in
Changes in Log Collection and Analysis

The same year SANS conducted its first Log Management Survey (2005), the term SIEM (Security Information and Event Management) was coined. SIEM includes the collection of log data as well as correlation of log events from various sources, together with suspicious event information. This data is correlated and presented through other features such as dashboards, real-time alerting, and reports and charts, depending on a particular vendor's implementation.

In 2005, respondents were running manual or automated scripts to constantly glean information from log data. Over the years, we have hypothesized that log management systems would eventually migrate to include more fully automated correlation, analysis and reporting functions. This year's survey shows that organizations are integrating their log systems into security and other event management systems for better analysis and reporting.

This year we tried to determine the percentage of organizations primarily performing traditional log analysis versus the percentage using what they would call a SIEM. Of course, this is a hard line to define because of overlapping functions between the tools. For example, if an organization collects logs using syslog and uses scripts to count the number of inbound or outbound blocked ports, could that combination of processes be considered a SIEM? Probably not, but as the automation and intelligence get deeper, at some point the combination might cross that line.
To learn how respondents are analyzing and correlating log and security information, we asked them to identify their log collecting activities under one of the following categories:

- Collect data directly from hosts into a log manager
- Collect logs from syslog (UDP/TCP) into a log manager
- Use agents to collect data from sources into a log manager
- Use Security Information Event Management (SIEM) to correlate and analyze log data that is collected by other means (e.g., log servers)
- Use SIEM to collect, correlate and analyze log data
- None of the above
The responses included a mix of sending logs directly to a log manager, or through syslog or agents. A good number, 22 percent, indicate that they are collecting and analyzing log data with their SIEM. Log management systems are still in high use, however, with 58 percent using one of the three log management options, as shown in Figure 2.

Figure 2. Methods of Collecting and Analyzing Log Data

In a separate question about what type of log and event management software organizations are using, we found that many of them are using internally developed and commercial packages, so there is some overlap among the options chosen by respondents. The first three options (depicted in shades of blue) relate to log management, the fourth option is a hybrid with 15 percent, and the fifth option (dark red) is solidly in the SIEM category. It will be interesting to see how these numbers change in the coming years.
Top Challenges: Sorting through the Noise

Collecting and accessing logs are no longer the problem for most organizations that they were in the beginning years of this survey. For the past three years, about 90 percent of respondents have consistently indicated they are collecting logs. Because organizations are more aware of their logs and the value they can gain from them, we tried to learn more about how organizations want to use their logs.

In the first question, we asked them to rank the top three challenges they face when integrating their logs with other tools in their organization's overall information infrastructure. First represents the most challenging and third the least challenging aspect. The issue that ranked most challenging, and also had the highest total number of votes overall, was "Identification of key events from normal background activity," as shown in Figure 3.

Figure 3. First, Second and Third Most Challenging Aspects of Log Management and Integration

The second most cited challenge was "Correlating events from multiple sources." The third most problematic issue was "Lack of analytics capabilities." One of the least challenging issues was "Lack of native visualization capabilities," which indicates that dashboards are helpful and that graphics can help identify trends and explain issues; however, the lack of concern about native visualization capabilities may also be a trending indicator signaling greatly improved visualization capabilities in current log monitoring and SIEM products, compared to similar products reviewed in previous years. What organizations really want is assistance with good, solid analysis.
Whether Advanced Persistent Threat (APT) or some other type of event, the identification of key events was clearly the largest pain point this year. One example of a key event would be a dramatic change in the size of logs or the size of specific types of logs. For example, if your firewall typically blocks 200 packets a day in your egress filtering and suddenly blocks 5,000 in one day, it would be worthwhile to look through those 5,000 events and see which internal computer is generating the traffic and what port it is trying to connect to. If your organization has multiple sites and tens of thousands of computers, you could split up your outbound block report by subnet so that you have a quick online summary of blocked traffic for each subnet. A report like that could be reviewed during a normal daily review in about 10 seconds.

This same process can be applied to most common events. Each organization will need to determine what common events are for them and customize the analytics to match the specifics of their network.

Detecting APT-style malware, detecting and tracking suspicious behavior and preventing incidents ranked highest among respondents' problems with using their logs. Detecting and tracking suspicious behavior was also reported as the issue with the highest increase since last year (up from 65 percent last year to 83 percent this year). See Figure 4.

Figure 4. Difficulties in Using Logs
Advanced Persistent Threat attacks have recently been in the news a lot, and some have argued that this style of attack is getting blamed for attacks that are neither advanced nor persistent; however, there are also reports of organized attackers that have deeply infiltrated organizations for many years. One capability generally agreed upon is that log data should be giving organizations the information they need to help identify APT-style threats and other data-exfiltration attacks. In this year's survey, 90 percent of respondents indicated that APT-style threats were at least on their radar, with detecting suspicious behavior on the radar for virtually all respondents (98 percent). According to the newly released Verizon Data Breach Investigations Report (DBIR), 85 percent of breaches took at least weeks to discover, 54 percent took months and two percent took years to discover.

In a March 28, 2011, Open Source Security blog post, Martin (no last name given) discusses using logs to detect APT, stressing the need to first collect all logs. Some suggestions for detecting APT include searching firewall logs for large outgoing sessions and for a high number of outgoing sessions to a single IP address. This requires researching network traffic to determine which IP addresses belong to valid business partners. Searching Domain Name System (DNS) server logs for lookups related to suspect domains can also be helpful. In some cases, logs can be cross-referenced with known Real-time Blacklists (RBLs) or internally identified lists of suspect IP addresses and domain names. Some of the SIEM players have already started integrating reputation data into SIEM systems to inform organizations in case there is any communication with known bad IP addresses or domains.
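The firewall checks described in the two passages above (the daily egress-block count split by subnet and compared with its baseline, large outgoing sessions, and many outgoing sessions to one address once known business partners are set aside), plus the DNS cross-reference against a suspect-domain list, written out as an added Python example. This is not code from the SANS report or from the blog post it cites. The key=value log layout, the sample lines, the baseline counts, the partner list and the blocklist are all constructed for the example, and the thresholds are parameters meant to be tuned to each network's own normal.

```python
import ipaddress
from collections import Counter

# Constructed sample data. The key=value layout is an assumption made for
# this example, not any vendor's real log format.
FIREWALL_LOG = """\
2012-05-01T09:00:01 action=block src=10.1.1.5 dst=203.0.113.7 dport=6667 bytes=0
2012-05-01T09:00:02 action=block src=10.1.1.5 dst=203.0.113.7 dport=6667 bytes=0
2012-05-01T09:00:03 action=block src=10.1.1.5 dst=203.0.113.7 dport=6667 bytes=0
2012-05-01T09:00:04 action=block src=10.1.2.9 dst=198.51.100.9 dport=25 bytes=0
2012-05-01T09:10:00 action=allow src=10.1.1.5 dst=203.0.113.8 dport=443 bytes=734003200
2012-05-01T09:11:00 action=allow src=10.1.2.9 dst=192.0.2.10 dport=443 bytes=4096
2012-05-01T09:12:00 action=allow src=10.1.1.5 dst=192.0.2.10 dport=443 bytes=2048
2012-05-01T09:13:00 action=allow src=10.1.3.3 dst=192.0.2.10 dport=443 bytes=1024
2012-05-01T09:14:00 action=allow src=10.1.3.4 dst=198.51.100.20 dport=443 bytes=1024
2012-05-01T09:15:00 action=allow src=10.1.3.5 dst=198.51.100.20 dport=443 bytes=1024
2012-05-01T09:16:00 action=allow src=10.1.3.6 dst=198.51.100.20 dport=443 bytes=1024
"""
DNS_LOG = """\
2012-05-01T09:09:59 client=10.1.1.5 query=cdn.example.net
2012-05-01T09:10:30 client=10.1.1.5 query=update.blocked-example.org
2012-05-01T09:12:00 client=10.1.2.9 query=mail.example.com
"""
# Yesterday's blocked-egress counts per /24 (constructed baseline).
YESTERDAY_BLOCKS = {"10.1.1.0/24": 1, "10.1.2.0/24": 2}
# Destinations already researched and confirmed as business partners.
KNOWN_PARTNERS = {"192.0.2.10"}
# Constructed stand-in for an RBL or an internal list of suspect domains.
BLOCKLIST_DOMAINS = {"blocked-example.org"}


def parse_kv_lines(text):
    """Parse 'timestamp k=v k=v ...' lines into dicts, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        rec = {"ts": parts[0]}
        rec.update(f.split("=", 1) for f in parts[1:] if "=" in f)
        rec["bytes"] = int(rec.get("bytes", 0))
        records.append(rec)
    return records


def blocked_by_subnet(records, prefixlen=24):
    """Count blocked outbound connections per source subnet."""
    counts = Counter()
    for r in records:
        if r.get("action") == "block":
            net = ipaddress.ip_network(f"{r['src']}/{prefixlen}", strict=False)
            counts[str(net)] += 1
    return counts


def block_spikes(today, baseline, factor=2.0, min_events=3):
    """Subnets whose block count clears a floor and is `factor` times the
    baseline; a subnet with no baseline is compared against 1 so it surfaces."""
    return sorted((net, n, baseline.get(net, 0)) for net, n in today.items()
                  if n >= min_events and n >= factor * max(baseline.get(net, 0), 1))


def large_outbound_sessions(records, min_bytes=100_000_000):
    """Allowed sessions moving an unusually large volume out of the network."""
    return [(r["src"], r["dst"], r["bytes"]) for r in records
            if r.get("action") == "allow" and r["bytes"] >= min_bytes]


def busy_destinations(records, known_partners, min_sessions=3):
    """External addresses receiving many outbound sessions, with vetted
    partner addresses set aside."""
    by_dst = Counter(r["dst"] for r in records if r.get("action") == "allow")
    return sorted((dst, n) for dst, n in by_dst.items()
                  if n >= min_sessions and dst not in known_partners)


def suspect_dns_lookups(records, blocklist):
    """Queries whose name, or any parent domain of it, is on the blocklist."""
    hits = []
    for r in records:
        labels = r.get("query", "").lower().rstrip(".").split(".")
        if any(".".join(labels[i:]) in blocklist for i in range(len(labels))):
            hits.append((r["client"], ".".join(labels)))
    return hits


def run_report():
    """Run all four checks over the sample data and return the findings."""
    fw = parse_kv_lines(FIREWALL_LOG)
    return {
        "block_spikes": block_spikes(blocked_by_subnet(fw), YESTERDAY_BLOCKS),
        "large_sessions": large_outbound_sessions(fw),
        "busy_destinations": busy_destinations(fw, KNOWN_PARTNERS),
        "suspect_dns": suspect_dns_lookups(parse_kv_lines(DNS_LOG), BLOCKLIST_DOMAINS),
    }


if __name__ == "__main__":
    for name, findings in run_report().items():
        print(f"{name}: {findings}")
```

Run as a script it prints the four findings. The point of splitting by /24 is that each subnet carries its own baseline, so one subnet's jump from a handful of blocks to thousands stands out even when the whole estate's daily total would bury it; the partner allowlist is what keeps the fan-in check from flagging the organization's own SaaS and partner endpoints every day.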
In another article about targeted attacks, by Dark Reading's senior editor Kelly Jackson Higgins, Mandiant was quoted as saying that advanced attacks are only the tip of the iceberg. Higgins likens the security field to a weapons race: even as detection gets better, the attackers keep perfecting their trade. Automated analysis is critical and needed as a primary method for dealing with logs. However, with all that is at stake, log data needs to be monitored using a combination of analysis methods, including automated and manual analysis, with assistance from SIEM-type tools and other available resources. Organizations that continuously collect, evaluate and interpret log data will be in the best position to avoid hosting the next headline-grabbing attack.
Learning from Logs

Logs from each device produce different records that, when put together properly, can tell a story for auditors and responders. Respondents are collecting data from multiple devices, the most popular of which is Windows servers at 85 percent. Security and networking devices and systems are also among the top sources, as shown in Figure 5.

Figure 5. What Logs They Collect

This year we expanded the choices for the types of sources respondents use to collect log data. This expansion was based on write-in comments from last year. Some of the new items included "Control systems for physical plant/operations" with eight percent, "Access controls for physical plant" with 17 percent and "Cloud-based or outsourced services/applications" with eight percent.
Every year, organizations collect more logs from increasingly different types of devices, but they also want to derive more actionable information from what they already have. One respondent noted, "We could collect more but we need to make the ones we have useful and really finish baselining..." This comment went on to specifically mention computer security specialist Dr. Anton Chuvakin's definition of baselining, where organizations need to learn what normal (their baseline) is, and then act on any deviations from that norm.

An example of this related to a website would be to track the number of individual error codes logged by the web server. Some web attacks require trying lots of different requests. If an organization sees an abnormally high number of successful hits, that is a red flag. Another indicator may be a dramatically higher instance of 400- or 500-range error codes, as they indicate failed authentication, invalid pages and server errors. A dramatic increase in any of these events could indicate that an attacker is performing some type of reconnaissance, harvesting data from your site, or trying to guess at authentication and page layout. The next step in cases like these would be to examine the logs to determine if there is a pattern of IP addresses making the requests and if there is anything interesting about the timing of the requests.

Organizations say they want to be able to detect suspicious behavior. Yet, when asked how much time they normally spend on log data analysis, the largest group (35 percent) spent "None to a few hours a week" with their logs, as shown in Figure 6.

Figure 6. Time Spent on Logs
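The web-server baselining described above, carried through to the next step the passage names (which addresses are making the requests and whether their timing looks scripted), as an added Python example that is not code from the SANS report. The Common Log Format lines, the baseline counts per status class and the thresholds are all constructed for the example; the status-class comparison flags a surge of 2xx hits the same way it flags an error flood, since the passage treats both as red flags.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Common Log Format lines: two ordinary visitors and one client
# requesting a run of missing pages exactly one second apart.
ACCESS_LOG = """\
192.0.2.1 - - [01/May/2012:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.1 - - [01/May/2012:10:00:37 +0000] "GET /about.html HTTP/1.1" 200 1024
198.51.100.7 - - [01/May/2012:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [01/May/2012:10:02:44 +0000] "POST /search HTTP/1.1" 500 -
203.0.113.50 - - [01/May/2012:10:05:00 +0000] "GET /old/page1.html HTTP/1.1" 404 210
203.0.113.50 - - [01/May/2012:10:05:01 +0000] "GET /old/page2.html HTTP/1.1" 404 210
203.0.113.50 - - [01/May/2012:10:05:02 +0000] "GET /old/page3.html HTTP/1.1" 404 210
203.0.113.50 - - [01/May/2012:10:05:03 +0000] "GET /old/page4.html HTTP/1.1" 404 210
203.0.113.50 - - [01/May/2012:10:05:04 +0000] "GET /old/page5.html HTTP/1.1" 404 210
203.0.113.50 - - [01/May/2012:10:05:05 +0000] "GET /old/page6.html HTTP/1.1" 404 210
203.0.113.50 - - [01/May/2012:10:05:06 +0000] "GET /old/page7.html HTTP/1.1" 404 210
203.0.113.50 - - [01/May/2012:10:05:07 +0000] "GET /old/page8.html HTTP/1.1" 404 210
"""
# Constructed baseline: yesterday's response counts per status class.
YESTERDAY_STATUS = {"2xx": 20, "3xx": 2, "4xx": 2, "5xx": 0}

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')


def parse_clf(text):
    """Parse CLF lines; timestamps become aware datetimes, unmatched lines are skipped."""
    records = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
        r["status"] = int(r["status"])
        r["size"] = 0 if r["size"] == "-" else int(r["size"])
        records.append(r)
    return records


def status_class_counts(records):
    """Count responses per class ('2xx', '4xx', ...)."""
    return Counter(f"{r['status'] // 100}xx" for r in records)


def deviations(today, baseline, factor=3.0, min_count=5):
    """Classes whose count clears a floor and is `factor` times the baseline
    (a baseline of 0 is treated as 1)."""
    return [(cls, today[cls], baseline.get(cls, 0)) for cls in sorted(today)
            if today[cls] >= min_count
            and today[cls] >= factor * max(baseline.get(cls, 0), 1)]


def top_error_sources(records, limit=3):
    """Client addresses generating the most 4xx/5xx responses."""
    return Counter(r["ip"] for r in records if r["status"] >= 400).most_common(limit)


def request_gaps(records, ip):
    """Seconds between consecutive requests from one client."""
    times = sorted(r["ts"] for r in records if r["ip"] == ip)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def machine_like(gaps, tolerance=0.5, min_requests=5):
    """True when a client sent at least `min_requests` requests at a nearly
    constant interval, a cadence that human browsing rarely produces."""
    return len(gaps) >= min_requests - 1 and max(gaps) - min(gaps) <= tolerance


def review(text, baseline):
    """Anomalies against the baseline first, then who sent them and how fast."""
    recs = parse_clf(text)
    scripted = [ip for ip, _ in top_error_sources(recs)
                if machine_like(request_gaps(recs, ip))]
    return {"deviations": deviations(status_class_counts(recs), baseline),
            "error_sources": top_error_sources(recs),
            "scripted_clients": scripted}


if __name__ == "__main__":
    print(review(ACCESS_LOG, YESTERDAY_STATUS))
```

On the sample, the 4xx count is the only class that clears both the floor and the multiple of yesterday's count; the per-address breakdown then attributes almost all of it to one client, and the metronomic one-second spacing of that client's requests is the timing detail the passage suggests looking for.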
Last year, 29 percent of respondents chose "None to a few hours a week" managing their logs. This six percent variation may indicate an improvement in log management systems and other management systems designed to automate the task of event management. It may also be that one of the two options added this year, "Integrated into normal workflow," took 24 percent of the answers. Even when broken down by organizational size, more than 20 percent of respondents from enterprise organizations (defined as having more than 2,000 employees) selected this option. About 50 percent of the smaller organizations spent zero to just a few hours per week analyzing logs.

That is really not very much time spent getting familiar with logs. Given the advanced threats they are struggling with, we would have expected the time organizations spend on log analysis to increase, not decrease. We cannot stress enough that the best way for organizations to quickly detect abnormalities is to gain an understanding of their baseline, or normal activity, by reviewing and analyzing log data on a regular basis. SIEM-type tools, including log management tools with analysis and reporting options, will help organize and identify patterns and activities that are generally recognized as indicators of problems. Yet, 58 percent of organizations are not anywhere close to that level of automation. At a minimum, these organizations need to keep to a consistent schedule for viewing and analyzing log data. For help analyzing logs, organizations like SANS also teach courses on log analysis for IT security professionals.

Even organizations with more automated log collection and analysis capabilities need to establish a baseline by analyzing logs regularly. Automated tools, although very useful, cannot substitute for the "sixth sense" log analysts develop when they spend some time each day getting familiar with their log data.
As they become increasingly familiar with their log data, organizations will be able to differentiate anomalies from baseline traffic much more efficiently. On the data collection front, the trend line is good: more organizations are collecting log data from increasingly diverse sources, which improves the prospects for creating accurate baselines and also provides the hard data necessary to identify areas in which improvements are needed.
Survey Demographics

This year, more than 600 professionals took the survey, representing a large number of organizations across a broad spectrum of industries including government, financial, technology, medical and pharmaceutical, as shown in Figure 7.

Figure 7. Survey Demographics by Industry/Sector

Organizations represented in the survey ranged in size from enterprise to small business, with 57 percent representing enterprises of more than 2,000 employees, 30 percent with between 100 and 2,000 employees, and 13 percent with fewer than 100 employees.
Conclusion

As this year's survey indicates, although organizations are collecting log data from most data sources, the issue has been getting usable and actionable information out of the data when they need it for detection and response. Organizations are connecting their log managers to SIEM and other management systems, or simply bypassing their log managers and collecting directly into their SIEM or third-party management systems. Log management and SIEM systems are now capable of storing the data and allowing it to be recalled quickly.

This year organizations are realizing new problems with detecting, tracking and preventing suspicious behavior. Part of the reason for this realization may be related to the increased media coverage of extended network intrusions. Respondents indicate that their organizations need better integration and correlation among their systems to catch attacks that often try to hide in normal traffic. Log and SIEM systems that help analysts become familiar with and baseline normal log activity, and that can support whitelisting, will help filter normal events from suspicious events. As log management continues to become more automated via enhanced log management systems and/or SIEM (or a hybrid solution), organizations will always need to know and understand their logs.
About the Author

Jerry Shenk currently serves as a senior analyst for the SANS Institute and is senior security analyst for Windstream Communications, working out of the company's Ephrata, Penn., location. Since 1984, he has consulted with companies and financial and educational institutions on issues of network design, security, forensic analysis and penetration testing. His experience spans networks of all sizes, from small home-office systems to global networks. Along with some vendor-specific certifications, Jerry holds six Global Information Assurance Certifications (GIACs), all completed with honors: GIAC-Certified Intrusion Analyst (GCIA), GIAC-Certified Incident Handler (GCIH), GIAC-Certified Firewall Analyst (GCFW), GIAC Systems and Network Auditor (GSNA), GIAC Penetration Tester (GPEN) and GIAC-Certified Forensic Analyst (GCFA). Five of his certifications are Gold certifications.

SANS would like to thank its sponsors:
More informationDiscover & Investigate Advanced Threats. OVERVIEW
Discover & Investigate Advanced Threats. OVERVIEW HIGHLIGHTS Introducing RSA Security Analytics, Providing: Security monitoring Incident investigation Compliance reporting Providing Big Data Security Analytics
More informationAdvanced Threats: The New World Order
Advanced Threats: The New World Order Gary Lau Technology Consulting Manager Greater China gary.lau@rsa.com 1 Agenda Change of Threat Landscape and Business Impact Case Sharing Korean Incidents EMC CIRC
More informationEnterprise-Grade Security from the Cloud
Datasheet Website Security Enterprise-Grade Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-of-breed security
More informationHow to Define SIEM Strategy, Management and Success in the Enterprise
How to Define SIEM Strategy, Management and Success in the Enterprise Security information and event management (SIEM) projects continue to challenge enterprises. The editors at SearchSecurity.com have
More informationConcierge SIEM Reporting Overview
Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts
More informationUsing LYNXeon with NetFlow to Complete Your Cyber Security Picture
Using LYNXeon with NetFlow to Complete Your Cyber Security Picture 21CT.COM Combine NetFlow traffic with other data sources and see more of your network, over a longer period of time. Introduction Many
More informationSoftware that provides secure access to technology, everywhere.
Software that provides secure access to technology, everywhere. Joseph Patrick Schorr @JoeSchorr October, 2015 2015 BOMGAR CORPORATION ALL RIGHTS RESERVED WORLDWIDE 1 Agenda What are we dealing with? How
More informationEight Essential Elements for Effective Threat Intelligence Management May 2015
INTRODUCTION The most disruptive change to the IT security industry was ignited February 18, 2013 when a breach response company published the first research that pinned responsibility for Advanced Persistent
More informationDYNAMIC DNS: DATA EXFILTRATION
DYNAMIC DNS: DATA EXFILTRATION RSA Visibility Reconnaissance Weaponization Delivery Exploitation Installation C2 Action WHAT IS DATA EXFILTRATION? One of the most common goals of malicious actors is to
More informationEnd-to-End Application Security from the Cloud
Datasheet Website Security End-to-End Application Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-of-breed
More informationAccenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges
Accenture Intelligent Security for the Digital Enterprise Archer s important role in solving today's pressing security challenges The opportunity to improve cyber security has never been greater 229 2,287
More informationRSA Security Analytics
RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Compliance yes, but security? Analyze & prioritize alerts across various sources
More informationEXPERT STRATEGIES FOR LOG COLLECTION, ROOT CAUSE ANALYSIS, AND COMPLIANCE
EXPERT STRATEGIES FOR LOG COLLECTION, ROOT CAUSE ANALYSIS, AND COMPLIANCE A reliable, high-performance network is critical to your IT infrastructure and organization. Equally important to network performance
More informationACL WHITEPAPER. Automating Fraud Detection: The Essential Guide. John Verver, CA, CISA, CMC, Vice President, Product Strategy & Alliances
ACL WHITEPAPER Automating Fraud Detection: The Essential Guide John Verver, CA, CISA, CMC, Vice President, Product Strategy & Alliances Contents EXECUTIVE SUMMARY..................................................................3
More information24/7 Visibility into Advanced Malware on Networks and Endpoints
WHITEPAPER DATA SHEET 24/7 Visibility into Advanced Malware on Networks and Endpoints Leveraging threat intelligence to detect malware and exploitable vulnerabilities Oct. 24, 2014 Table of Contents Introduction
More informationBREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT
BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT Rashmi Knowles RSA, The Security Division of EMC Session ID: Session Classification: SPO-W07 Intermediate APT1 maintained access to
More informationGIAC Certification. Enterprise Solution
E- Business & Web Solutions IT Solutions (Hardware, Software, Services) Business Process & Technology Outsourcing Enterprise Solution Professionals on Information and Network Global Information Assurance
More informationCyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.
Cyber Security Automation of energy systems provides attack surfaces that previously did not exist Cyber attacks have matured from teenage hackers to organized crime to nation states Centralized control
More informationNiara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning
Niara Security Analytics Automatically detect attacks on the inside using machine learning Automatically detect attacks on the inside Supercharge analysts capabilities Enhance existing security investments
More informationIT Security Strategy and Priorities. Stefan Lager CTO Services stefan.lager@addpro.se
IT Security Strategy and Priorities Stefan Lager CTO Services stefan.lager@addpro.se Cyberthreat update Why would anyone want to hack me? I am not a bank! Security Incidents with Confirmed Data Loss Source:
More informationA Case for Managed Security
A Case for Managed Security By Christopher Harper Managing Director, Security Superior Managed IT & Security Services 1. INTRODUCTION Most firms believe security breaches happen because of one key malfunction
More informationTHE 2014 THREAT DETECTION CHECKLIST. Six ways to tell a criminal from a customer.
THE 2014 THREAT DETECTION CHECKLIST Six ways to tell a criminal from a customer. Telling criminals from customers online isn t getting any easier. Attackers target the entire online user lifecycle from
More informationUnified Security, ATP and more
SYMANTEC Unified Security, ATP and more TAKE THE NEXT STEP Martin Werner PreSales Consultant, Symantec Switzerland AG MEET SWISS INFOSEC! 27.01.2016 Unified Security 2 Symantec Enterprise Security Users
More informationWHAT S NEW IN WEBSENSE TRITON RELEASE 7.8
WHAT S NEW IN WEBSENSE TRITON RELEASE 7.8 Overview Global organizations are constantly battling with advanced persistent threats (APTs) and targeted attacks focused on extracting intellectual property
More informationHow Lastline Has Better Breach Detection Capabilities. By David Strom December 2014 david@strom.com
How Lastline Has Better Breach Detection Capabilities By David Strom December 2014 david@strom.com The Internet is a nasty place, and getting nastier. Current breach detection products using traditional
More informationLOG INTELLIGENCE FOR SECURITY AND COMPLIANCE
PRODUCT BRIEF uugiven today s environment of sophisticated security threats, big data security intelligence solutions and regulatory compliance demands, the need for a log intelligence solution has become
More informationStop the Maelstrom: Using Endpoint Sensor Data in a SIEM to Isolate Threats
Stop the Maelstrom: Using Endpoint Sensor Data in a SIEM to Isolate Threats Jody C. Patilla The Johns Hopkins University Session ID: TECH-107 Session Classification: Intermediate Objectives Get more out
More informationMaking the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION
Making the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION MOST OF THE IMPORTANT DATA LOSS VECTORS DEPEND ON COPYING files in order to compromise
More informationSPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Job Profiles
PNNL-24138 SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Job Profiles March 2015 LR O Neil TJ Conway DH Tobey FL Greitzer AC Dalton PK Pusey Prepared for the
More informationThe Comprehensive Guide to PCI Security Standards Compliance
The Comprehensive Guide to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment
More informationRSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief
RSA Solution Brief RSA envision Platform Real-time Actionable Information, Streamlined Incident Handling, Effective Measures RSA Solution Brief The job of Operations, whether a large organization with
More informationFIVE PRACTICAL STEPS
WHITEPAPER FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business CEOs, CIOs, CTOs, AND
More informationRSA Security Anatomy of an Attack Lessons learned
RSA Security Anatomy of an Attack Lessons learned Malcolm Dundas Account Executive John Hurley Senior Technology Consultant 1 Agenda Advanced Enterprise/ Threats The RSA Breach A chronology of the attack
More informationFind the needle in the security haystack
Find the needle in the security haystack Gunnar Kristian Kopperud Principal Presales Consultant Security & Endpoint Management Technology Day Oslo 1 Find the needle in the security haystack Manually deep
More informationEnCase Analytics Product Overview
GUIDANCE SOFTWARE EnCase Analytics EnCase Analytics Product Overview Security Intelligence through Endpoint Analytics GUIDANCE SOFTWARE EnCase Analytics EnCase Analytics Key Benefits Find unknown and undiscovered
More informationDEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER
DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target
More informationBreach Found. Did It Hurt?
ANALYST BRIEF Breach Found. Did It Hurt? INCIDENT RESPONSE PART 2: A PROCESS FOR ASSESSING LOSS Authors Christopher Morales, Jason Pappalexis Overview Malware infections impact every organization. Many
More informationIBM Advanced Threat Protection Solution
IBM Advanced Threat Protection Solution Fabio Panada IBM Security Tech Sales Leader 1 Advanced Threats is one of today s key mega-trends Advanced Threats Sophisticated, targeted attacks designed to gain
More informationEffective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention
Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention Your Security Challenges Defending the Dynamic Network! Dynamic threats 䕬 䕬 䕬 䕬 Many threats
More informationEnterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: Large organizations have spent millions of dollars on security
More informationLog Management: 5 Steps to Success
Log Management: 5 Steps to Success LogLogic, Inc Worldwide Headquarters 110 Rose Orchard Way, Ste. 200 San Jose, CA 95134 United States US Toll Free: 888 347 3883 Tel: +1 408 215 5900 Fax: +1 408 321 8717
More informationServer Monitoring: Centralize and Win
Server Monitoring: Centralize and Win Table of Contents Introduction 2 Event & Performance Management 2 Troubleshooting 3 Health Reporting & Notification 3 Security Posture & Compliance Fulfillment 4 TNT
More informationSession 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness
Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness Wayne A. Wheeler The Aerospace Corporation GSAW 2015, Los Angeles, CA, March 2015 Agenda Emerging cyber
More informationI D C A N A L Y S T C O N N E C T I O N
I D C A N A L Y S T C O N N E C T I O N Robert Westervelt Research Manager, Security Products T h e R o l e a nd Value of Continuous Security M o nitoring August 2015 Continuous security monitoring (CSM)
More informationEffective Methods to Detect Current Security Threats
terreactive AG. Swiss Cyber Storm 2015. Effective Methods to Detect Current Security Threats Enrico Petrov Director Managed Security Services terreactive October 21 st, 2015 terreactive Background. About
More informationREVOLUTIONIZING ADVANCED THREAT PROTECTION
REVOLUTIONIZING ADVANCED THREAT PROTECTION A NEW, MODERN APPROACH Blue Coat Advanced Threat Protection Group GRANT ASPLUND Senior Technology Evangelist 1 WHY DO I STAND ON MY DESK? "...I stand upon my
More informationCybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix
Cybercrime myths, challenges and how to protect our business Vladimir Kantchev Managing Partner Service Centrix Agenda Cybercrime today Sources and destinations of the attacks Breach techniques How to
More informationHigh End Information Security Services
High End Information Security Services Welcome Trion Logics Security Solutions was established after understanding the market's need for a high end - End to end security integration and consulting company.
More informationDetect, Contain and Control Cyberthreats
A SANS Whitepaper Written by Eric Cole, PhD June 2015 Sponsored by Raytheon Websense 2015 SANS Institute Introduction Dwell Time Relates to damage because the longer a system is compromised, the bigger
More informationThe Hillstone and Trend Micro Joint Solution
The Hillstone and Trend Micro Joint Solution Advanced Threat Defense Platform Overview Hillstone and Trend Micro offer a joint solution the Advanced Threat Defense Platform by integrating the industry
More informationAdvanced Threat Protection with Dell SecureWorks Security Services
Advanced Threat Protection with Dell SecureWorks Security Services Table of Contents Summary... 2 What are Advanced Threats?... 3 How do advanced threat actors operate?... 3 Addressing the Threat... 5
More informationCorreLog Alignment to PCI Security Standards Compliance
CorreLog Alignment to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationLOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE
PRODUCT BRIEF LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE As part of the Tripwire VIA platform, Tripwire Log Center offers out-of-the-box integration with Tripwire Enterprise to offer visibility
More informationCLOSING THE GAP ON BREACH READINESS INSIGHTS FROM THE SECURITY FOR BUSINESS INNOVATION COUNCIL
CLOSING THE GAP ON BREACH READINESS INSIGHTS FROM THE SECURITY FOR BUSINESS INNOVATION COUNCIL OVERVIEW This e-book contains insights on breach readiness, response and resiliency based on in-depth interviews
More informationTHREAT VISIBILITY & VULNERABILITY ASSESSMENT
THREAT VISIBILITY & VULNERABILITY ASSESSMENT Date: April 15, 2015 IKANOW Analysts: Casey Pence IKANOW Platform Build: 1.34 11921 Freedom Drive, Reston, VA 20190 IKANOW.com TABLE OF CONTENTS 1 Key Findings
More informationdefending against advanced persistent threats: strategies for a new era of attacks agility made possible
defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been
More informationNiara Security Intelligence. Overview. Threat Discovery and Incident Investigation Reimagined
Niara Security Intelligence Threat Discovery and Incident Investigation Reimagined Niara enables Compromised user discovery Malicious insider discovery Threat hunting Incident investigation Overview In
More informationComprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)
Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware
More informationIntel Security Certified Product Specialist Security Information Event Management (SIEM)
Intel Security Certified Product Specialist Security Information Event Management (SIEM) Why Get Intel Security Certified? As technology and security threats continue to evolve, organizations are looking
More information