Find the needle in the security haystack

Transcription

1 Find the needle in the security haystack Gunnar Kristian Kopperud Principal Presales Consultant Security & Endpoint Management Technology Day Oslo 1

2 Find the needle in the security haystack Manually deep dive into logs, or manage your risk with confidence? As we saw in the two previous sessions your servers and clients are under continuous attack. Most companies today have experienced incidents with malware, and many are even unaware that they have malware infected clients and servers in their network. This session will show how, related to the sessions above, one can automate and streamline analysis, correlation, alerting and reporting of incidents and deviations. Technology Day Oslo 2

3 Haystacks in the old days... Technology Day Oslo 3

4 Modern Haystacks Technology Day Oslo 4

5 Haystacking... Technology Day Oslo 5

6 Where is the needle... Technology Day Oslo 6

7 And more advanced threats Technology Day Oslo 7

8 IT Analytics for Symantec Endpoint Protection Technology Day Oslo 8

9 What is IT Analytics? Leverages Business Intelligence Expands on Traditional Reporting Leverages OLAP Cubes Utilizes Standard Technologies Advanced ad-hoc data-mining Analyze Trends and historical information Graphical dashboards and easy reporting User friendly custom reports Export to multiple formats Pivot tables and charts Business intelligence via multi-dimensional data exploration SQL 2005/2008 Analysis Services & Reporting Services Technology Day Oslo 9

10 Product Overview Alerts Cube 1 Traditional Reporting 2 IT Analytics 3 Robust Graphical Dashboard 4 Multi-Dimensional Ad-hoc/Pivot Table Reporting 5 Pivot Chart Functionality with Excel Export Technology Day Oslo 10

11 Client Dashboard Technology Day Oslo 11

12 Virus Alert Trend Report Technology Day Oslo 12

13 Scan Cube Pivot Table Technology Day Oslo 13

14 Key Performance Indicators Technology Day Oslo 14

15 Security Information & Event Management (SIEM) with Symantec Security Information Manager (SSIM) Technology Day Oslo 15

16 Aggregate and Prioritize Central Visibility to Critical Threats Reduced Prioritization Number of Prioritized Alerts Reports Remediation Incidents Data Normalized into Common Formats Aggregation and Correlation Multiple Data Sources Technology Day Oslo Network Access Control Device and Application Control Firewall Intrusion Prevention Millions of Unprioritized Antivirus Events Other log data 16

17 Symantec Security Information Manager All Inclusive Solution Collectors Syslog Windows Events Intrusion Prevention Firewall Other sources Universal Collector Infrastructure Components Correlation Manager Manager Console Pre-built Queries LiveUpdate Service Log Archiving Reports and Dashboards 150+ Pre-defined Reports Optional Intelligence Feed (GIN) Technology Day Oslo 17

18 Managed Security Services (MSS) with Symantec Technology Day Oslo 18

19 MSS is Making Security Simple The Symantec Difference Protect our customers proactively Provide actionable information relevant to Business Context Increase detection through Edge to Endpoint Visibility Service Governance to ensure mature, consistent delivery Provide a World Class Customer Engagement Share the unique perspective of our Global Intelligence Technology Day Oslo 19

20 The Keys to Successful Security Monitoring: Edge to Endpoint Visibility Network IDS Alerts Limited to activity identified by IDS vendor signatures Limited 0-day threat detection Endpoint Protection: Firewall Analysis Endpoint Protection: Host IDP Alerts Endpoint Protection: AV Alerts Network IDP Alerts Firewall Logs Increased trending capability Scan detection Emerging threat and early warning indicators Web Proxy Analysis: URL Reputation Proxy Logs Reputation-enabled analysis Identification of malicious web based activity Web Proxy Analysis: Custom Threat Signatures Firewall Analysis: Scan Detection Endpoint Alerts Confirmation of attack status Identification of malicious user activity. Firewall Analysis: Anomalous Traffic Detection Firewall Analysis: IP Reputation Firewall Analysis: Hot IP Detection Technology Day Oslo 20 20

21 Successful Monitoring: People, Process, Technology Web Proxy Endpoints OS & Apps Progressive Threat Model Expert Query Engine IDS Relational Database Data mine Security Analyst Firewalls Identification Validation Classification Incidents Escalated Technology Day Oslo 21

22 Security Operations Centers Reading, Chennai, Sydney, Hemdon Technology Day Oslo 22

23 Homepage Technology Day Oslo 23

24 Dashboard Technology Day Oslo 24

25 Search for Logs Managed Security Services (MSS) Logs Query Technology Day Oslo 25

26 Reporting Managed Security Services (MSS) Technology Day Oslo 26

27 Symantec Protection Center (SPC) Technology Day Oslo 27

28 Symantec Protection Center Solution Overview SPC Mobile Executive Security Dashboard Roles-Based Dashboards & Reports Security Metrics Symantec Connectors Business Asset System Central Data Repository Security Workflows 3 rd Party Connectors SPC Enterprise Data Collection and Analytics Platform Technology Day Oslo 28

29 Symantec Protection Center Enterprise Key Benefits Provide business centric analysis of security information Ensure a complete view by integrating your entire security portfolio Quick deployment with prebuilt security metrics and connectors Provide a central solution for roles based information sharing Automate security remediation via action plans Technology Day Oslo 29

30 From this... Technology Day Oslo 30

31 To this... Technology Day Oslo 31

32 To this with Symantec Protection Center Technology Day Oslo 32

33 Summary Be more PROACTIVE against advanced external threats Soft Appliance (on premise) Symantec Security Information Manager (SIEM) to manage/prioritize INTERNAL policies/rules Symantec Managed Security Services (MSS) to help you manage/prioritize EXTERNAL Threats Use HYBRID Solution when you need to do both internal policy/rules reporting and manage external threats Present security LEVEL to the business with Symantec Protection Center Technology Day Oslo 33

34 QUESTIONS? Technology Day Oslo 34

35 Symantec Protection Center Summary Executive Security Dashboard Evolving Threats Tablet based view of security metrics Facilitates communication with both IT and business peers Consolidates security data and applies advanced correlation and analysis Integrates DeepSight threat intelligence Better Intelligence Better Security Decisions Relevant to Business Boardroom Scrutiny Connect security information to business assets Clearly communicate key metrics by business Broad range of supported solutions Pre-built connectors and metrics for quick integration Fast, Flexible Integration Technology Day Oslo 35

36 DEMO Symantec Protection Center Mobile Technology Day Oslo 36

37 Technology Day Oslo 37

38 Technology Day Oslo 38

39 Technology Day Oslo 39

40 Technology Day Oslo 40

41 Find the needle in the security haystack Manually deep dive into logs, or manage your risk with confidence? As we saw in the two previous sessions your servers and clients are under continuous attack. Most companies today have experienced incidents with malware, and many are even unaware that they have malware infected clients and servers in their network. This session will show how, related to the sessions above, one can automate and streamline analysis, correlation, alerting and reporting of incidents and deviations. Technology Day Oslo 41

42 Kontakt oss på: Symantec Brukerforum Symantec Norge på Facebook Norton Norge på Facebook Symantec Norge på Twitter Lisenser og Support Tips: rapporter på web - ring etterpå Technology Day Oslo 42

43 Technology Day Oslo 43

44 Thank you! Gunnar Kristian Kopperud Copyright 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Technology Day Oslo 44