Version 4.7
Agenda
- What are the challenges?
- What is Security Information Manager?
- How does Security Information Manager work?
- Why?
Security Management Challenges
Managing IT Security

PREVENT
- Monitor user access violations
- Prioritize attacks as they occur
- Reduce impact through quicker remediation

INFORM
- Assist forensic investigations
- Establish metrics and trends
- Correlate to global threat activity

COMPLY
- Collect, query and analyze log data
- Meet long term log retention requirements
- Provide on demand audit information
What is Security Information Manager?

Security Information Manager is built around four functions:

Collection
- Broad and customizable
- High volume processing
- Meaningful normalization
- Assured reliability

Storage
- Flexible capacity
- Archive segmentation
- Quick queries/searches
- Retention policy automation

Correlation
- Pattern based rules
- Global Intelligence Network integration
- Asset groupings
- Over 400 out-of-the-box queries

Reporting
- Customizable consoles
- Web based portals
- Raw event data viewer
- Over 150 out-of-the-box compliance reports
Why Symantec Security Information Manager?
All Inclusive Solution (architecture diagram)

Collectors: Syslog, Windows Events, Intrusion Prevention, Firewall, Other sources, Universal Collector
Infrastructure components: Correlation Manager, Manager, LiveUpdate Service, Console, Log Archiving, Optional Intelligence Feed (GIN)
Reports and dashboards: 150+ pre-defined reports, pre-built queries

- Only 1 optional component (the Global Intelligence feed)
- No excessive add-on costs
- Single deployment supports evolving needs
Key Advantages

- Lower acquisition and maintenance costs
  - Rapid deployment = faster time to value
  - Lower maintenance overhead
- Dynamic correlation with updated external intelligence content (GIN)
  - Expands external attack information for bots, worms and IP addresses
  - Improves posture for proactive protection
- Flat file data structure
  - Faster querying
  - More economical archiving and storage
- Automated updates to remediation and workflow guidance
  - Attack descriptions
  - Optimal safeguard details and mitigation steps
- Single solution for log and event management
  - Does not require two separate infrastructures
  - Same infrastructure can expand with requirements
What to ask yourself

- What is the required deployment timeframe for your SIM?
- What staff resources and expertise will be available to maintain database tuning and correlation rule development?
- What are your requirements for true real time processing of events?
- Can your SIM detect malicious IPs coming in or targeting your network?
- Can your SIM detect malicious traffic going from your network to a malicious IP?
- Can your SIM determine when malicious IP traffic is actually coming from an internal address in your own network?
- Can your SIM make recommendations for best safeguards and mitigation steps, and provide current attack descriptions?
Typical SIMs focus ONLY on INTERNAL activities (diagram)

Internal sources feeding the corporate network view: OS, Antivirus, Mail and Groupware, Syslogs, Databases, Firewalls, IDS/IPS, Vulnerability Scanners, Other sources
Internal events detected: Firewall breaches, Infected systems, Virus outbreaks, Privileged user activities, Other internal events
EXTERNAL activities are becoming increasingly important. (diagram)

Internal sources: OS, Antivirus, Mail and Groupware, Syslogs, Databases, Firewalls, IDS/IPS, Vulnerability Scanners, Other sources
Internal events: Firewall breaches, Infected systems, Virus outbreaks, Privileged user activities, Other internal events
Additional external intelligence on: Malicious IPs, Botnet IPs, Worm IPs
Result: comprehensive visibility
Malicious Traffic: Why Is This Important?

- Coming to or targeting your network
  - Incoming botnet command and control from a malicious host
  - Port scans against the network
- Coming from your network to a malicious source
  - Bot communicating information back to a malicious host
  - Proprietary data leaks
- Originating malicious IP is an internal address
  - Network used as a proxy by hackers to conduct their business
  - Network bandwidth compromised
How Does It Work?
True Integration

Integrated Global Intelligence console information:
- Latest global threat trends and statistics
- Current vulnerability and attack pattern details
- Up to date threat resolution details and recommended safeguards

Dedicated Global Intelligence rules:
- IP Watchlist Source
- IP Watchlist Destination
- Organization IP in Watchlist

Global Intelligence integration into multi-conditional rules:
- Combines internal activities with external intelligence to conclude incidents
Intelligence Console (screenshot)

IP Watchlist Source Rule (screenshot, indicating source IP activity; red indicates a malicious IP)

IP Watchlist Destination Rule (screenshot, indicating target IP activity; red indicates a malicious IP)

Organization IP in Watchlist Activity (screenshot, indicating IP watchlist activity from inside the network; red indicates a malicious IP)
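The three watchlist rules and the multi-conditional correlation described on the preceding slides can be reduced to a small, checkable piece of logic. The following is an added example written for this page, not Symantec code and not a description of how the product implements its rules: the key=value firewall log format, the watchlist contents, the internal address ranges (10.0.0.0/8 and 192.168.0.0/16) and the escalation threshold are all assumptions, and the sample log lines are constructed. It classifies each event as an "IP Watchlist Source" hit (watchlisted external host targeting the network), an "IP Watchlist Destination" hit (internal host talking to a watchlisted address), or an "Organization IP in Watchlist" hit (an internal address that is itself on the list, the proxy/compromised-host case), then escalates a watchlisted source that touches several internal hosts, combining external intelligence with the internal scan pattern.

```python
"""Watchlist correlation, added here as an illustration of the three
Global Intelligence rule types the slides describe (IP Watchlist Source,
IP Watchlist Destination, Organization IP in Watchlist) and of a
multi-conditional rule that combines an internal firewall pattern with
external intelligence. This is not Symantec code: the log format, the
watchlist contents, the internal address ranges and the rule names are
assumptions made for the example, and all sample data is constructed."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed watchlist standing in for an intelligence feed. 10.0.0.77 is
# deliberately an INTERNAL address on the list: that is the situation the
# "Organization IP in Watchlist" rule is meant to surface.
WATCHLIST = {
    "198.51.100.23": "botnet command and control",
    "203.0.113.9": "worm propagation source",
    "10.0.0.77": "known bot (internal host)",
}

# Assumed address space of the monitored organization.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed firewall log lines in a simplified key=value syslog format.
SAMPLE_LOGS = """\
2009-04-01T10:00:01 fw1 action=deny src=198.51.100.23 dst=10.0.0.5 dport=445 proto=tcp
2009-04-01T10:00:02 fw1 action=deny src=198.51.100.23 dst=10.0.0.6 dport=445 proto=tcp
2009-04-01T10:00:05 fw1 action=allow src=10.0.0.12 dst=198.51.100.23 dport=6667 proto=tcp
2009-04-01T10:00:09 fw1 action=allow src=10.0.0.77 dst=192.0.2.40 dport=80 proto=tcp
2009-04-01T10:00:11 fw1 action=allow src=10.0.0.12 dst=192.0.2.41 dport=443 proto=tcp
2009-04-01T10:00:15 fw1 action=deny src=203.0.113.9 dst=10.0.0.5 dport=139 proto=tcp
this line is malformed and must be skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse(text):
    """Normalize raw lines into event dicts; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def apply_rules(events):
    """Return (rule_name, event, watchlist_reason) triples.

    The order of the checks matters: an internal address that is itself on the
    watchlist is reported under the organization rule, not as plain inbound or
    outbound watchlist traffic."""
    hits = []
    for ev in events:
        src, dst = ev["src"], ev["dst"]
        if src in WATCHLIST and is_internal(src):
            hits.append(("Organization IP in Watchlist", ev, WATCHLIST[src]))
        elif src in WATCHLIST and is_internal(dst):
            hits.append(("IP Watchlist Source", ev, WATCHLIST[src]))
        elif dst in WATCHLIST and is_internal(src):
            hits.append(("IP Watchlist Destination", ev, WATCHLIST[dst]))
    return hits


def summarize(hits):
    """Hit count per rule, the kind of roll-up a console would display."""
    return Counter(rule for rule, _, _ in hits)


def correlate_scans(hits, min_targets=2):
    """Multi-conditional rule: a watchlisted external source that touches at
    least min_targets distinct internal hosts is escalated to an incident
    (external intelligence plus the internal scan pattern), returned as
    {source_ip: sorted list of internal targets}."""
    targets = defaultdict(set)
    for rule, ev, _ in hits:
        if rule == "IP Watchlist Source":
            targets[ev["src"]].add(ev["dst"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    hits = apply_rules(parse(SAMPLE_LOGS))
    for rule, ev, why in hits:
        print(f"{rule:30} {ev['src']} -> {ev['dst']}:{ev['dport']} ({why})")
    print(dict(summarize(hits)))
    print("escalated:", correlate_scans(hits))
```

Two points worth noticing. The organization-IP check runs first, so a compromised internal host on the watchlist is never mis-filed as ordinary outbound traffic, which is the case the third slide exists for. And the single 203.0.113.9 deny stays a plain watchlist hit while 198.51.100.23, which probes two hosts, is escalated: the watchlist alone says "known bad", the internal firewall pattern says "actively scanning", and only the combination concludes an incident.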
Making a Good Thing Better: Advanced Capabilities

Comparison table; for every row the slide answers "Yes" for Symantec Security Information Manager and leaves "Every Other SIM" as "?":
- Do you know if there's malicious traffic being sourced from your network?
- Can you identify known worm IPs communicating with your network?
- Can you identify resources in your network communicating information back to a known malicious host?
- Can you detect when your network is being used as a proxy by hackers to conduct their business?
- Can you preemptively correlate external malicious activities to internal incidents?
- Can you integrate global intelligence into rules for combining internal events with external data?
Summary
- Unified log management and correlation
- Advanced intelligence
- Comprehensive analysis
- Broad and customizable data collection
- Flexible storage options and automated archiving
- Easy and scalable implementation
Appendix
Event Collectors - Over 220 Supported Products

Intrusion Detection/Prevention: Symantec Network Security (SNS), Symantec HIDS, Symantec ITA, Snort, Symantec Sygate, Symantec Critical System Protection, Cisco IDS, Cisco Security Agents, TippingPoint NIPS, Enterasys Network Dragon, eEye Retina, Juniper IDP, ISS SiteProtector, McAfee IntruShield, Sourcefire

Web servers, filters and proxies: Apache Web Server, IBM WebSphere, Blue Coat Proxy, Microsoft ISA, Microsoft IIS, Sun ONE Web Server

Vulnerability/policy/config scanners: Symantec ESM, Symantec CCS, Nessus, nCircle, Qualys QualysGuard, StillSecure VAM, Tripwire, Ecora

Databases: Oracle Security Logs (9i & 10g), MS SQL Server Logs

Firewalls: Symantec Gateway Security, Cisco PIX, Cisco FWSM, Nokia FW, Juniper NetScreen Firewall, Check Point Firewall-1, Nortel Contivity, Fortinet FortiGate, SunScreen, Microsoft Windows Firewall, Microsoft ISA, SideWinder G2, StoneSoft StoneGate

Operating systems: Microsoft Windows Event Log, Solaris OS Collector, Sun BSM, SUSE Linux, Debian Linux, RedHat Linux, IBM AIX, HP/UX, Tandem, RACF, SMF, SELinux, IPTables, Novell Netware, IBM System i (AS/400), Snare for Windows

Identity management: Microsoft Windows DHCP, Microsoft Operations Manager, Microsoft Active Directory, RSA SecurID, Cisco ACS

Routers, switches and VPN: Cisco IOS, Juniper VPN, CyberGuard, Cisco VPN 3000 Concentrator, AirDefense Enterprise

AV solutions: Symantec AntiVirus 8, 9, 10; Symantec Endpoint Security 11; Symantec Mail Security for Exchange; Symantec Mail Security for Lotus Domino; Symantec Mail Security for SMTP; Symantec Mail Security; Cisco IronPort; McAfee ePO; McAfee GroupShield; McAfee VirusScan; Kaspersky AV; F-Secure AV; Sophos AV; CA AntiVirus; Trend Micro Control Manager (TMCM); Trend ServerProtect Information Server; Trend InterScan Messaging Security Suite; Trend ScanMail; Trend InterScan VirusWall; Trend InterScan Web Security Suite

Other: Cisco NetFlow, Fox Server Control, Blue Lance LT Auditor, PassGo UPM, Kiwi Syslog, Generic Syslog, Symantec Cyberwolf, Mazu Profiler
Data Collection Key Benefits
- Access valuable data from both existing and new security investments
- Minimize overhead in the data collection process
- Create meaningful associations to enrich data value
- Maintain ongoing process reliability

Data Storage Key Benefits
- Maintain efficient and adaptable capacity for changing volume requirements
- Optimize data organization for quick and easy access
- Reduce overhead associated with managing varying retention period requirements
- Assure integrity of stored data

Data Correlation Key Benefits
- Maintain consistent data analysis standards without compromising staff resources and productivity
- Leverage intelligence from distributed sources and investments
- Utilize data for proactive prevention instead of just reactive response
- Draw immediate conclusions based on business impact
- Conduct real time inquiries and research

Data Presentation Key Benefits
- Provide self service to key stakeholders, reducing IT staff disruptions
- Easily fulfill forensic reporting requirements
- Automate report distribution
- Validate security investments
NEW! Built in Compliance Reports