Security Integration Splunk and ArcSight




Security Integration: Splunk and ArcSight
Data Integration for IT security
Wednesday 14th January 2015
IT Analytics 15

Agenda
- Welcome: Ray Bruni
- Splunk & Nexthink: Eric Blavier
- ArcSight & Nexthink: Mostafa Soliman

Splunk and Nexthink (presented by Eric Blavier)

Introduction: Eric Blavier
- Working for Nexthink since 2005; IT security specialist
- Security projects using Nexthink: financial institutions, industry, governments, military
- Europe / US / Asia

Nexthink security metrics
- Nexthink V5 generates ~200 datapoints; ~50% are in real time
- Security metrics: Nexthink Security Solution Pack (NSSP), Security Cockpit, Web&Cloud

NSSP V5: specific set of out-of-the-box investigations for Endpoint Security
- Dynamic inventory
- Unauthorized applications
- Identity & access management
- Vulnerability management & protection
- Secure network configuration
- Indicators of compromise

NSSP Web&Cloud: specific set of out-of-the-box investigations for Web & Security (through the Nexthink Library)

Splunk
- Collects and indexes machine-generated data from many sources and locations in real time
- Correlates events spanning many diverse data sources
- Can be used as a Security Information and Event Management (SIEM) system
- (Figure label: Nexthink DATA)

Data integration: Nexthink Engine -> Splunk
- Using NXQL 2.0 (the new Nexthink Query Language) direct Web API: direct access to the Nexthink Engine database
- Example query URL:
  https://demo.nexthink.com:1671/2/query?query=(select%20(id%20name%20last_seen)%20(from%20device%20(with%20device_activity%20(between%20now-7d%20now))))%20&format=csv
- Web interface

Data integration: adding data in Splunk
- curl https://<engine_ip>:1671/2/query?query=nxt_investigation
- Update data interval
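The two slides above describe the pull path: a query URL against the Engine's /2/query web API, a curl call, and a refresh interval. As an added example (not code from the slides, Nexthink or Splunk), the script below builds that URL from an NXQL string, parses the CSV the Engine returns, and rewrites each row as a key="value" line that a Splunk scripted input could print for indexing. Host name, port 1671, the /2/query path and format=csv come from the slide; the HTTP basic-auth credentials, the CA file, the `fetch_nxql` helper and the sample CSV are assumptions about a deployment and are labelled as such in the code.

```python
"""Added example: pull an NXQL investigation from a Nexthink Engine over the
/2/query web API and reshape the CSV rows into key="value" lines for Splunk.
Authentication details and the sample CSV are assumptions, not Nexthink's own."""
import base64
import csv
import io
import ssl
import urllib.request
from typing import Dict, List, Optional
from urllib.parse import quote, urlencode

# NXQL query shown on the slide: devices with activity in the last 7 days.
NXQL_DEVICE_ACTIVITY = (
    "(select (id name last_seen) "
    "(from device (with device_activity (between now-7d now))))"
)


def build_nxql_url(engine_host: str, query: str, port: int = 1671,
                   fmt: str = "csv") -> str:
    """Build the /2/query URL; quote_via=quote encodes spaces as %20 as on the slide."""
    params = urlencode({"query": query, "format": fmt}, quote_via=quote)
    return f"https://{engine_host}:{port}/2/query?{params}"


def fetch_nxql(engine_host: str, query: str, user: str, password: str,
               cafile: Optional[str] = None) -> str:
    """Run the query against a live Engine (needs network; not exercised offline).
    Basic-auth credentials and the CA file are assumptions about the deployment."""
    url = build_nxql_url(engine_host, query)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    # Trust the Engine's CA explicitly instead of disabling verification (curl -k).
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


def parse_nxql_csv(body: str) -> List[Dict[str, str]]:
    """Turn the CSV body (first row = column names) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(body)))


def to_splunk_kv(record: Dict[str, str], source: str = "nexthink") -> str:
    """One event per row as key="value" pairs, which Splunk extracts at search time."""
    parts = [f'source="{source}"']
    for key, value in record.items():
        escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
        parts.append(f'{key}="{escaped}"')
    return " ".join(parts)


# Constructed sample response; real column names follow the NXQL select list.
SAMPLE_CSV = """id,name,last_seen
1,WS-FIN-0042,2015-01-13T09:12:44
2,WS-HR-0007,2015-01-14T08:03:10
"""


def sample_events() -> List[str]:
    """What a scripted input would print to stdout for Splunk to index."""
    return [to_splunk_kv(row) for row in parse_nxql_csv(SAMPLE_CSV)]


if __name__ == "__main__":
    print(build_nxql_url("demo.nexthink.com", NXQL_DEVICE_ACTIVITY))
    for line in sample_events():
        print(line)
```

Running the script offline prints the encoded query URL and the two constructed events; wiring `fetch_nxql` into `sample_events` in place of `SAMPLE_CSV` turns it into the periodic pull the slide's "update data interval" refers to.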

SIEM
A Security Information and Event Management system:
- collects real-time data from the IT infrastructure
- analyzes, correlates and provides reporting to drive a responsive action
- provides a clear insight into the security posture of a company
- needs notable events and behaviour from ENDPOINTS (Nexthink)

Security dashboard
- Security posture: high-level insight into «notable events» across many security domains
- Examples of notable security events from Nexthink:
  - Endpoint: Host(s) with multiple infections (critical priority); Host(s) with malware detected
  - Access: Insecure or cleartext authentication access detected; Default account activity detected

Nexthink & Splunk: Nexthink NSSP investigations

Nexthink & Splunk: Nexthink NSSP investigations; get details with Nexthink Finder

ArcSight and Nexthink (presented by Mostafa Soliman)

Mannai Trading Company: From Dedication to Excellence
The Next Big Thing: A case study in utilizing End-User Real-Time Analytics tools in the SOC
Mostafa Soliman, Mannai Trading Company, www.mannai.com

Introduction: Mostafa Soliman (mostafa.soliman@mannai.com.qa)
- Home: Alexandria, Egypt
- Nexthink Consultant since 2011; ArcSight Consultant since 2012
- Senior Security Consultant based in Doha, Qatar since 2011
- Presented the HP-ArcSight & Nexthink integration at HP Protect 2014 (Washington D.C.)

Who is Mannai?

Where is Mannai?

What do we do? Design, consultancy, implementation, testing, and support services for Security Operations Analytics

Mannai Security Solutions Partners

Endpoint Monitoring with ArcSight
Challenge:
- Endpoints are the entry point for most of the threats to the organization.
- Security & event logs do not always contain meaningful information.
- Some custom monitoring can be done using scripts on endpoints; however, this doesn't detect all endpoint or end-user activities and requires high maintenance.
Conclusion:
- Endpoints are always a blind spot for ArcSight.
- Leverage ArcSight by integrating it with endpoint monitoring.

Nexthink + ArcSight: the Nexthink and ArcSight integration enhances detecting and investigating endpoint anomalies.

Nexthink Data in ArcSight

Integration Use Cases
- Endpoints with malicious behavior
- Endpoints running files from removable drives
- Endpoints bypassing the proxy to connect to the Internet
- Endpoints doing port scans
- Endpoints accessing well-known malicious URLs
- Endpoints with disabled and/or out-of-date antivirus
- Endpoints using Internet broadband connections
- Endpoints executing non-compliant software (IM, P2P, etc.)
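The use cases above only become ArcSight content once each endpoint finding arrives in a format a connector can parse; the closing slide names syslog as one of the push channels. As an added example (not code from the slides, Nexthink or Mannai), the script below renders findings of the kinds listed into CEF lines, the event format ArcSight SmartConnectors read over syslog, with the escaping CEF requires in header and extension fields. The vendor/product strings, the signature IDs, names and severities in `USE_CASES`, and the two sample findings are constructed assumptions, not Nexthink's real event catalogue.

```python
"""Added example: turn constructed endpoint findings (matching the slide's use
cases) into CEF lines for ArcSight.  Signature ids, names, severities and the
vendor/product header fields are assumed, not Nexthink's own."""
from typing import Dict, List, Tuple

CEF_VERSION = 0

# Use case (from the slide) -> (signature id, event name, CEF severity 0-10).
# Ids, names and severities are assumptions chosen for this example.
USE_CASES: Dict[str, Tuple[str, str, int]] = {
    "malicious_behavior": ("NX-MALICIOUS", "Endpoint with malicious behavior", 9),
    "removable_drive_execution": ("NX-REMOVABLE-EXEC", "Endpoint ran file from removable drive", 6),
    "proxy_bypass": ("NX-PROXY-BYPASS", "Endpoint bypassed proxy to reach the Internet", 7),
    "port_scan": ("NX-PORTSCAN", "Endpoint performing port scan", 8),
    "malicious_url": ("NX-MAL-URL", "Endpoint accessed known malicious URL", 8),
    "antivirus_off": ("NX-AV-DISABLED", "Endpoint with disabled or out-of-date antivirus", 5),
    "broadband": ("NX-BROADBAND", "Endpoint using Internet broadband connection", 4),
    "noncompliant_software": ("NX-NONCOMPLIANT-SW", "Endpoint executing non-compliant software", 3),
}


def escape_header(value) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value) -> str:
    """CEF extension values: backslash, equals sign and newlines must be escaped."""
    text = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return text.replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\n")


def to_cef(vendor: str, product: str, version: str, signature_id: str,
           name: str, severity: int, extension: Dict[str, object]) -> str:
    """Assemble CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    header = "|".join(escape_header(v) for v in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{key}={escape_extension(val)}" for key, val in extension.items())
    return f"CEF:{CEF_VERSION}|{header}|{ext}"


def finding_to_cef(finding: Dict[str, str]) -> str:
    """Map a constructed finding dict onto standard CEF extension keys."""
    sig_id, name, severity = USE_CASES[finding["use_case"]]
    extension = {
        "rt": finding["time"],            # receipt time of the finding
        "shost": finding["host"],         # the endpoint that raised it
        "suser": finding["user"],         # logged-on user
        "fname": finding.get("file", ""),
        "filePath": finding.get("path", ""),
        "msg": finding.get("detail", ""),
    }
    # Vendor/product/version header values are assumptions for this example.
    return to_cef("Nexthink", "NSSP", "5", sig_id, name, severity, extension)


# Constructed sample findings; a real feed would come from Nexthink, not literals.
SAMPLE_FINDINGS: List[Dict[str, str]] = [
    {"use_case": "removable_drive_execution", "time": "Jan 14 2015 10:05:00",
     "host": "WS-FIN-0042", "user": "jdoe", "file": "setup.exe",
     "path": "E:\\tools", "detail": "reason=unsigned binary"},
    {"use_case": "antivirus_off", "time": "Jan 14 2015 10:07:30",
     "host": "WS-HR-0007", "user": "asmith", "detail": "definitions 21 days old"},
]


def sample_cef_lines() -> List[str]:
    """CEF lines ready to be sent to a syslog connector, one per finding."""
    return [finding_to_cef(f) for f in SAMPLE_FINDINGS]


if __name__ == "__main__":
    for line in sample_cef_lines():
        print(line)
```

The escaping matters in practice: a Windows path or a `key=value` detail string sent unescaped will shift or truncate fields when the connector parses the line, so the finding lands in ArcSight with the wrong host or no message.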

Q & A

Remember
- Integration: push and/or pull (APIs, email, syslog)
- Extend, enhance, and complement data
- Analyze
- Visualize

Thank You! For more information, contact your partner or sales rep.