Software EMEA Performance Tour 2013 Berlin, Germany 17-19 June
360 Security Monitoring - Detect, Analyze, Act
Thorsten Mandau, ESP Solution Architect, Enterprise Security Products, ArcSight
Today's agenda
- The security market has changed
- A risk-based, adversary-centric approach is needed
- HP ESP security solutions
The security market has changed
HP's perspective on the evolution of the security and risk landscape
Customers struggle to manage the security challenge
Today, security is a board-level agenda item.
Primary Challenges:
1. Nature & Motivation of Attacks (fame, fortune, market adversary): a new market adversary proceeds through Research, Infiltration, Discovery, Capture and Exfiltration
2. Transformation of Enterprise IT (delivery and consumption changes): delivery spans Traditional DC, Private Cloud, Managed Cloud and Public Cloud (network, storage, servers); consumption spans virtual desktops, notebooks, tablets and smart phones
3. Regulatory Pressures (increasing cost and complexity): policies and regulations such as Basel III and DoD 8500.1
A new approach is needed
A risk-based, adversary-centric approach
A new approach: risk-based, adversary-centric
Each stage of the attack and the matching security policies and capabilities:
- Research: improved security awareness and counter intelligence
- Infiltration: systems to proactively monitor, improve, and protect
- Discovery: ability to track and remediate
- Capture: controls to protect target assets internally and externally
- Exfiltration: damage remediation and counter intelligence
ESP Security Solutions
How does HP deliver security?
HP ArcSight solution architecture
A comprehensive platform for monitoring modern threats and risks, augmented by services expertise and the most advanced security user community, Protect724.
Platform components: User Monitoring, Fraud Monitoring, Event Correlation, Data Capture, Log Management, Controls Monitoring, App Monitoring
- Establish complete visibility
- Analyze events in real time to deliver insight
- Respond quickly to prevent loss
- Measure security effectiveness across people, process, and technology to improve over time
HP ArcSight enables complete visibility
Collect, store and analyze:
- Any log from any system
- User and application activity
- Business, compliance and security context
HP ArcSight Does Four Things Better Than Anyone: Collection, Consolidation, Correlation, Collaboration
Enterprise Data Collection
- Collect events from any device on the network
- Raw, or categorized for better analysis
- Extend to new data types whenever needed, without ArcSight involvement
Today's choices will not limit tomorrow's strategy
Quantity and Quality Collection
Supported source types: Access and Identity, Anti-Virus, Applications, Content Security, Database, Data Security, Firewalls, Honeypot, Host IDS/IPS, Network IDS/IPS, Integrated Security, Log Consolidation, Mail Filtering, Mail Server, Mainframe, NBAD, Network Management, Policy Management, Router, Vulnerability Mgmt, Web Cache, Network Monitoring, Security Management, Web Filtering, Net Traffic Analysis, Switch, Web Server, Operating System, VPN, Wireless
Normalization
Examples of events normalized from different sources:
- OS/390 Failed Login Event
- UNIX Failed Login Event
- Oracle Failed Login Event
- Windows Failed Login Event
- Badge Reader Entry Denied
Categorization
Without categorization, the raw events from each vendor:
Jun 17 2010 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside
Jun 17 2010 14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 src xxx.xxx.146.12 s_port 2523 dst xxx.xxx.10.2 service ms-sql-m proto udp rule 49
With categorization, the same two events in the normalized schema:
Time (Event Time) | Name | Device Vendor | Device Product | Category Behavior | Category Device Group | Category Outcome | Category Significance
6/17/2010 12:16:03 | Deny | Cisco | PIX | /Access | /Firewall | /Failure | /Informational/Warning
6/17/2010 14:53:16 | Drop | Checkpoint | Firewall-1/VPN-1 | /Access/Start | /Firewall | /Failure | /Informational/Warning
Benefit: future proofing, fast and efficient forensic analysis
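As an added example (not ArcSight code), the two raw lines above parsed into the categorized schema from the table, so that one vendor-neutral query finds denied firewall traffic from both devices. The regexes and the category mapping are constructed for these two formats only.

```python
import re
from datetime import datetime

# Constructed input: the two raw firewall lines shown on the slide, unchanged.
RAW_EVENTS = [
    "Jun 17 2010 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 "
    "to 204.110.227.16/443 flags FIN ACK on interface outside",
    "Jun 17 2010 14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 src xxx.xxx.146.12 "
    "s_port 2523 dst xxx.xxx.10.2 service ms-sql-m proto udp rule 49",
]

TS = r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
PIX_RE = re.compile(TS + r": %PIX-\d-\d+: (?P<name>\w+) ")
CKP_RE = re.compile(TS + r" (?P<name>\w+) \S+ >\S+ product (?P<product>.+?) src ")

# Vendor-specific verbs mapped onto one shared category vocabulary
# (behavior, device group, outcome, significance), as in the slide's table.
CATEGORY = {
    ("Cisco", "Deny"): ("/Access", "/Firewall", "/Failure", "/Informational/Warning"),
    ("Checkpoint", "Drop"): ("/Access/Start", "/Firewall", "/Failure", "/Informational/Warning"),
}

def normalize(raw):
    """Parse one raw line into the normalized, categorized event; None if unknown."""
    if m := PIX_RE.match(raw):
        vendor, product = "Cisco", "PIX"
    elif m := CKP_RE.match(raw):
        vendor, product = "Checkpoint", "Firewall-1/VPN-1"   # canonical product name
    else:
        return None
    name = m.group("name").capitalize()
    behavior, group, outcome, significance = CATEGORY[(vendor, name)]
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return {
        "event_time": f"{ts.month}/{ts.day}/{ts.year} {ts:%H:%M:%S}",
        "name": name, "device_vendor": vendor, "device_product": product,
        "category_behavior": behavior, "category_device_group": group,
        "category_outcome": outcome, "category_significance": significance,
    }

def firewall_failures(raw_lines):
    """Cross-vendor query: denied access on any firewall, without vendor-specific words."""
    events = [e for e in map(normalize, raw_lines) if e]
    return [e for e in events
            if e["category_device_group"] == "/Firewall" and e["category_outcome"] == "/Failure"]

if __name__ == "__main__":
    for e in firewall_failures(RAW_EVENTS):
        print(e["event_time"], e["device_vendor"], e["name"], e["category_behavior"])
```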
Robust Collection
Connector capabilities: Centralized, Encrypted & Compressed Event Stream, Updates/Upgrades, Bandwidth, Heartbeat, Connection Management
Deployment: ArcSight Connector Appliances / All-In-One (physical or virtual), ArcSight Express
Follows NIST 800-92 log aggregation guidelines
General Architecture (diagram): Connectors, Logger and ESM/Express combined in several deployment topologies
HP ArcSight Does Four Things Better Than Anyone: Collection, Consolidation, Correlation, Collaboration
Universal Log Management
- Complete management of any data to support security, compliance and IT operations
- Search and report on years of data to investigate outages and incidents quickly and easily
- Cut SAN/storage cost with cheap, simple management of petabytes of log data
Deploy one solution to manage enterprise-wide log data
Universal Log Management that Scales (diagram): multiple Logger instances serving security, compliance and IT ops applications
HP ArcSight Logger Deployment Options
- Sources: syslog, file-based logs, 3rd party logs; supports many logs and log formats
- Log collection (Connector or Logger): centralized, distributed or agentless
Analyze Anything
- Google-like search interface for all enterprise logs
- Pre-packaged regulatory content (PCI, SOX, ISO/NIST)
- Forensics on the fly (dashboards, reports, searches, alerts)
ArcSight Cybersecurity survey: more than 75% said they very rarely or hardly ever knew what exactly to look for when researching a cyber attack
Benefit: business intelligence at your fingertips
Use Everywhere
- Fast collection (100K EPS collection rate)
- Storage efficiency and flexibility (42 TB/instance, NAS/DAS/SAN)
- Quick analysis (millions of EPS)
ArcSight Logger form factors: Data Center Appliance, SAN-based Appliance, SMB/Regional Appliance, multiple software deployment options
Benefit: optimal price/performance for deployments of any size
HP ArcSight Does Four Things Better Than Anyone: Collection, Consolidation, Correlation, Collaboration
Cutting-edge Threat Analysis (ThreatDetector)
- Pattern recognition and anomaly detection to identify new threats
- Analyze roles, identities, histories and trends to detect business risk violations
- The more you collect, the smarter it gets
Detect and then prevent attacks you can't predict
Not All Correlation is Created Equal
Traditional correlation: Event Correlation, Threshold Correlation, Statistical Correlation
Not All Correlation is Created Equal
HP ArcSight correlation:
- Event Correlation
- Threshold Correlation
- Statistical Correlation
- Product Agnostic Correlation
- Threat Agnostic Correlation
- Vulnerability Correlation
- Asset Correlation
- Session Correlation
- Active List Correlation
- Dynamic & Static Identity Correlation (roles, attributes, accounts)
- IP Address Attribution
- Location Correlation (physical & logical)
- Anomaly Correlation
- Historical Correlation
- Multistage Correlation
- Transaction Correlation
Out of the Box Content for Common Use Cases
- Understand Network Usage: Top Bandwidth Users, Top Protocols, Top Domains and Zones, Top External Destinations, Top External Sources
- Monitor Privileged Users: Privileged User Administration, Successful and Failed Logins, User Session Monitoring
- Protect Your Data: Database Errors and Warnings, Database Successful and Failed Logins, Database Configuration Changes
- Prevent Intrusions: Top Attackers and Internal Targets, IPS/IDS Alert Metrics, Intrusion Alert Counts, Top Alert Sources and Destinations
- Control User Access: User Authentication Across Hosts, Authentication Success and Failures, User Administration Configuration Changes
- Control Network Devices: Network Device Errors and Critical Events, Network Device Status and Down Notifications, Configuration Changes by User and Change Type, Successful and Failed Logins
- Monitor VPN / Remote Access: VPN Authentication Errors, Connection Counts, Connection Durations, Connections Accepted and Denied, VPN Configuration Changes
- Prevent Viruses: Top Infected Systems, All AV Errors, AV Signature Update Stats, Consolidated Virus Activity, AV Configuration Changes
- Guard the Perimeter: Firewall Monitoring, Denied Inbound Connections, Denied Outbound Connections, Successful / Failed Login Activity, Top Connections, Top Bandwidth Users
Correlation with Context
- Asset context: vulnerabilities, attack history, criticality
- User context: roles, attributes, accounts
- Location context: physical, logical
Activity correlated against that context: badge swipes, database queries, USB files saved, VPN logins, files accessed, emails sent, screen prints, web surfing, hosted apps
Role Violation Monitoring
- A Sales user accessing the CRM application via the portal: OKAY
- A Sales user logging on directly to the Finance Department server (Financial Server): VIOLATION
Are the controls I have in place working?
Shared Account Usage
Several people all log in with the same shared credentials (ID: Root, PWD: Pa$$wd).
Who entered the fraudulent transaction?
Identity Correlation
- Correlate identity attributes such as roles, email address, badge ID and phone with any device or application
- Associate IP addresses and network activity to an identity, even if no username is present in the event
Identifiers rjackson, 348924323, jackson@arc.com, robertj, rjackson_dba and 510-555-1212 all resolve to the identity Robert Jackson
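As an added example (not ArcSight code) covering the role violation, shared account and identity correlation slides above: identifiers resolve to one person, an IP address is attributed to that person from an authenticated event, events with no username or with a shared account such as root inherit that attribution, and each event is then checked against the person's role. The identity store, role policy and event stream are constructed.

```python
# Constructed identity store: every identifier from the slide resolves to one person,
# and that person's role decides which access is OKAY and which is a VIOLATION.
IDENTITIES = {
    "Robert Jackson": {
        "role": "Sales",
        "identifiers": {"rjackson", "348924323", "jackson@arc.com",
                        "robertj", "rjackson_dba", "510-555-1212"},
    },
}
IDENTIFIER_TO_PERSON = {ident: person for person, rec in IDENTITIES.items()
                        for ident in rec["identifiers"]}

# Constructed role policy: (resource, action) pairs each role may perform.
ROLE_POLICY = {
    "Sales": {("vpn", "login"), ("crm_portal", "app_login")},
}

# Constructed event stream: only the VPN login and the root logon carry a username.
EVENTS = [
    {"t": 1, "src_ip": "10.1.2.3", "user": "rjackson", "resource": "vpn", "action": "login"},
    {"t": 2, "src_ip": "10.1.2.3", "user": "", "resource": "crm_portal", "action": "app_login"},
    {"t": 3, "src_ip": "10.1.2.3", "user": "", "resource": "finance_server", "action": "direct_logon"},
    {"t": 4, "src_ip": "10.1.2.3", "user": "root", "resource": "finance_server", "action": "direct_logon"},
    {"t": 5, "src_ip": "10.9.9.9", "user": "", "resource": "finance_server", "action": "direct_logon"},
]

def correlate(events):
    """Return (t, person or None, OKAY / VIOLATION / UNATTRIBUTED) for each event."""
    ip_session = {}   # active list: src_ip -> person, learned from authenticated events
    results = []
    for ev in events:
        person = IDENTIFIER_TO_PERSON.get(ev["user"])
        if person:
            ip_session[ev["src_ip"]] = person      # username maps to a known identity
        else:
            # No username, or a shared account such as "root": fall back to the
            # identity most recently seen authenticating from this source IP.
            person = ip_session.get(ev["src_ip"])
        if person is None:
            results.append((ev["t"], None, "UNATTRIBUTED"))
            continue
        allowed = (ev["resource"], ev["action"]) in ROLE_POLICY[IDENTITIES[person]["role"]]
        results.append((ev["t"], person, "OKAY" if allowed else "VIOLATION"))
    return results

if __name__ == "__main__":
    for t, person, verdict in correlate(EVENTS):
        print(t, person, verdict)
```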
Powerful and Flexible Reporting
- Out-of-box compliance reporting
- Long-term trend analysis: events, policy violations, risk, or any other data
- Robust ad hoc report development: build custom graphical reports, GUI-based, no programming needed
- Multiple distribution formats: PDF, HTML, RTF, XLS, CSV, email
Activity Profiling with ThreatDetector
- Sophisticated data mining techniques create baselines of good and bad activity
- A vital tool for preventative maintenance and early detection
- Scheduled and ad hoc discovery stays ahead of evolving exploit behavior
- Take action on newly discovered patterns
Analyze and Investigate
Simplified and Automated Compliance
Frameworks: NIST, ISO, FISMA, PCI DSS, NERC, SOX / JSOX
Delivered through alerts, dashboards, reports, workflow and retention
HP ArcSight Product Family (customer needs against real-time detection capabilities)
- HP ArcSight Logger (Universal Log Management): Log Management, Log Collection
- HP ArcSight Express (All-in-One Security and Compliance): Real Time Correlation, Flow Monitoring, User Monitoring, Log Management, Log Collection
- HP ArcSight Enterprise (Enterprise-Wide Threat and Risk Management): User Monitoring, Fraud Detection, Real Time Correlation, Pattern Detection, Flow Monitoring, Log Management, Log Collection
HP ArcSight Does Four Things Better Than Anyone: Collection, Consolidation, Correlation, Collaboration
Better together: first-class integration
- Incorporates application security from HP Fortify
- Integrates reputation data from HP DVLabs
- Cloud Connections Program to get visibility into cloud data in addition to physical and virtual layers
- Bi-directional integration with HP BSM products
Adaptive Web Application Firewall (WAF) Technology
Adaptive technology to protect web applications
What it is:
- Advanced web application scanning to uncover vulnerabilities, combined with adaptive IPS response
- WebInspect information passed to WebAppDV to auto-generate IPS filters for a virtual vulnerability patch
Benefits:
- Protection for custom and commercial web applications
- Inspection of encrypted and non-encrypted traffic (ideal for web commerce apps)
- Elimination of tuning required by legacy WAFs
(Diagram: HP WebInspect scan produces a vulnerability report listing the vulnerability, page and parameter; the IPS sits between the Internet and the SSL-protected web application)
HP ArcSight Application Security Monitor (AppSM)
- AppSM Runtime: default RTA rules pre-configured in the connector to detect standard security threats and forward them to ArcSight ESM
- AppSM Content: simple default ArcSight ESM dashboard and reports for viewing standard threats in applications
(Diagram: Web-App #1 and Web-App #2 each run the AppSM Runtime on the Fortify Runtime with the AppSM Rule-Pack and target API; events flow through the HP ArcSight Syslog Connector to HP ArcSight ESM, where the AppSM Content is installed)
ArcSight AppSM Dashboard panels: Moving Avg. of Application Attacks, Top Applications Attacked, Attacks from Internal Systems, Attacks from External Systems, Top Application Attack Types, Attacks detected from other sources, Top 20 Attacks ordered by Priority
HP ArcSight and Operations Management: 360º view of security and IT events
What it is: bi-directional integration between OM/NNM/NNMi and HP ArcSight ESM/Logger
Benefits:
- Complete visibility into anomalies and threats
- Single pane of glass view of security, compliance and IT ops
- Reduced gap between NOC and SOC
- Security and compliance related KPIs to IT operations service health dashboards
- Automate business process and workflows to enable effective business risk management
(Diagram: ESM and Logger SmartConnectors collect from FW, VPN, IPS, AV, OS, db, App, etc.; OM/OMi/NNMi collect CPU, memory, I/O, storage, latency, fan speed, temp, HA, etc.)
Summary
- Riskier enterprises, smarter attackers and a siloed approach to security result in undetected threats
- Enterprises need a different approach to detect advanced threats and meet compliance needs
- HP ArcSight provides complete visibility with comprehensive collection, unmatched consolidation, world-class correlation and exclusive collaboration
Thank you
Thorsten Mandau, Enterprise Solution Architect, HP Enterprise Security
thorsten.mandau@hp.com