Security Information Management (SIM)

Transcription:

1. A few general security slides
2. What is a SIM and why is it needed
3. What are the features and functions of a SIM
4. SIM evaluation criteria
5. First Q&A
6. SIM Case Studies
7. Final Q&A

Brian T. Contos, CISSP, Chief Security Officer, ArcSight Inc. 02.15.2005

Over-confidence in existing security measures: GAMMA GUPPY, the NSA eavesdropping program in the Soviet Union during the Cold War.

Complexity of security beyond the bits and bytes: a multi-billion dollar, international company based in California + a corporate e-mail server for European employees in France + a German citizen who was an executive in Germany + a breach of the e-mail server from a Dutch facility = global jurisdiction.

History of threats: The 80s through 90s brought us viruses, worms and DoS attacks that impacted organizations and individuals. The late 90s through 2004 have brought us more of the same, plus blended threats, limited Warhol threats, worm-driven DDoS, and infrastructure hacking that has spread to a regional and sector level. Predictions for the near future are flash threats, massive worm-driven DDoS and critical infrastructure attacks that will have a global impact with little to no warning. Source: The Executive Guide to Information Security

Blended Threats: capable of utilizing multiple paths (e-mail, network shares, web, wireless, cell phones, Bluetooth, etc.) to spread and exploit. To date, most attacks take days or even months to spread, and the time between discovering a vulnerability and an exploit being available is months. Blended threats like Nimda and Code Red changed all that, with attacks propagating in just hours; this pushed the upper limits of human response, even though these threats had a vulnerability window of many months.

Warhol Threats: In 2002 Nicholas Weaver at UC Berkeley published a theoretical paper called Warhol Worms, describing how the entire Internet could be brought down in 15 minutes. The Slammer Worm incorporated these theories and spread quickly, doubling its infection rate every 8.5 seconds; within 10 minutes 90% of all vulnerable hosts were compromised (75,000 hosts, causing massive outages especially in the financial and airline industries). Patches protecting against Slammer were available months before the attack, but if you weren't secure, human response was very difficult.

Flash Threats: This has not happened yet. Human response is impossible; only automated response is possible. They will spread very quickly, within seconds to minutes, and the vulnerability window will be less than a day. Currently the smallest vulnerability window has been the Witty Worm, with a 2-day vulnerability window. These attacks may also be targeted rather than general, unlike Nimda and Klez, which were general worms that still did a significant amount of damage.

The vulnerability window will decrease:
- Savvy programmer: weeks to months
- Organized crime and terrorist organizations: days
- Nation/state threats: hours

Source: The Executive Guide to Information Security

Source: http://www.kkipc.com NGC Security Cisco Systems

SIM in a Nutshell:
- Risk discovery
- Vulnerability assessment
- Correlation of relevant information
- Allowing for comprehensive, real-time, expert security information analysis
- A vehicle to communicate compliance
- A mechanism for remediation

Why is SIM needed? That depends on where you want to go with it.

"Would you tell me, please, which way I ought to go from here?" "That depends a good deal on where you want to get." "I don't much care where." "Then it doesn't matter which way you go." - Lewis Carroll, Through the Looking Glass

Some Common Business Drivers

"My job has expanded from keeping our business safe to convincing people that our business is trustworthy." - Fortune 500 Chief Security Officer

- Protect critical business assets
- Revenue generation
- Employee retention
- Too much information
- Reduce risk and measure
- Security is required by partners and customers
- Competitive differentiator
- Regulatory compliance
- Security is now 24/7 mission-critical
- Reduced operational cost and increased ROI
- Not having a SIM costs too much time and money
- Comprehensive executive reporting on overall security posture
- Cross-departmental security incident workflow management and tracking

Some Common Technical Drivers

- Logs
- Asset and vulnerability management
- Watch for and remediate malicious traffic
- Less console face time
- Alerting and notification
- Event visualization
- Detailed reporting
- Policy monitoring and enforcement
- More and more complex attacks at an increasing rate
- Reproducible incident response
- Forensics and real-time investigation

SIM Features & Functions: 25,000-foot view of a SIM architecture

- SIM Manager
- Discovery
- Reporting
- Correlation
- Backups

SIM Features & Functions: Event Collection and Storage Features

- Support a full range of device types, protocols and vendors, and add additional support in days to weeks
- Intelligently manage bandwidth to minimize network traffic
- Monolithic, geographically distributed and HA deployment options
- Deploy without modifying the existing infrastructure
- Normalize every alarm and alert into a common security schema for holistic cross-vendor correlation
- Set severity according to a common taxonomy
- Aggregation and filtering to reduce unwanted traffic

SIM Features & Functions: Event Processing - Three Dimensional Correlation

Inputs:
- Events: real-time events from heterogeneous devices
- Vulnerabilities: results of vulnerability scans and threat data
- Assets: device value, role, application, data, organization

Cross-device intelligence (Events): the IDS indicated a buffer overflow, and the firewall indicated an FTP response
AND Event validation (Vulnerabilities): there is 100% confidence that the target is vulnerable
AND Risk management (Assets): the target is a financial application server, is subject to Sarbanes-Oxley and is mission critical
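As an added example (not ArcSight's code and not part of the original slides), here is a small Python correlation pass over constructed IDS and firewall records that walks the three dimensions just described: normalize into a common schema and severity taxonomy, corroborate the IDS alert with the firewall's FTP response, validate against scanner confidence, and weight by asset context. All hosts, signature names, asset attributes and score weights are constructed for illustration.

```python
SEVERITY = {"low": 1, "medium": 2, "high": 3}  # common severity taxonomy

# Constructed asset inventory (the Assets dimension): role, compliance scope, criticality.
ASSETS = {
    "10.0.5.20": {"role": "financial app server", "sox": True, "critical": True},
    "10.0.9.7": {"role": "lab web server", "sox": False, "critical": False},
}
# Constructed scan results (the Vulnerabilities dimension): (host, vuln tag) -> confidence 0..1.
VULNS = {("10.0.5.20", "ftpd-overflow"): 1.0, ("10.0.9.7", "ftpd-overflow"): 0.3}
# Constructed raw records from two device types, as a collector would receive them.
RAW_EVENTS = [
    {"src_type": "ids", "dst": "10.0.5.20", "sig": "ftpd-overflow", "priority": "high"},
    {"src_type": "firewall", "dst_ip": "10.0.5.20", "service": "ftp", "action": "response-allowed"},
    {"src_type": "ids", "dst": "10.0.9.7", "sig": "ftpd-overflow", "priority": "high"},
]

def normalize(raw):
    """Map vendor-specific fields into one schema so cross-vendor correlation works."""
    if raw["src_type"] == "ids":
        return {"target": raw["dst"], "kind": "exploit", "vuln": raw["sig"],
                "severity": SEVERITY[raw["priority"]]}
    if raw["src_type"] == "firewall":
        kind = "ftp-response" if raw["service"] == "ftp" and "response" in raw["action"] else "traffic"
        return {"target": raw["dst_ip"], "kind": kind, "vuln": None, "severity": SEVERITY["low"]}
    raise ValueError("unsupported device type: " + raw["src_type"])

def correlate(raw_events, assets=ASSETS, vulns=VULNS):
    """Three-dimensional correlation: events x vulnerabilities x assets -> priority per target."""
    by_target = {}
    for ev in map(normalize, raw_events):
        by_target.setdefault(ev["target"], []).append(ev)
    priorities = {}
    for target, evs in by_target.items():
        attack = next((e for e in evs if e["vuln"]), None)
        if attack is None:
            continue  # plain traffic with no exploit signature is not an incident
        # Events: the IDS overflow alert is corroborated when the firewall saw the FTP response.
        corroborated = any(e["kind"] == "ftp-response" for e in evs)
        # Vulnerabilities: validate the alert against scan data for this target.
        confidence = vulns.get((target, attack["vuln"]), 0.0)
        # Assets: weight by the business context of the target.
        asset = assets.get(target, {})
        score = attack["severity"] * (1 + confidence)
        score += 2 if corroborated else 0
        score += 2 if asset.get("critical") else 0
        score += 1 if asset.get("sox") else 0
        priorities[target] = {"score": round(score, 1), "corroborated": corroborated,
                              "confidence": confidence, "role": asset.get("role", "unknown")}
    return priorities
```

Running `correlate(RAW_EVENTS)` ranks the SOX-scoped financial server well above the lab host even though both received the same IDS signature, which is the point of the third dimension.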

SIM Evaluation Criteria

Buzz words and marketing material make it hard to differentiate, so make the SIM prove it:
- Talk to customer references
- Read independent reviews (Network Computing, Network World, InfoWorld, etc.)
- Ask for a product demonstration
- Evaluate not just the product, but the vendor's reputation, financial status, and support

SIM deployment should be in phases; there may also be a desire not to use every SIM feature on day 1. Based on your organizational goals, decide what features, functions and benefits you need. Here are some common examples:
- Scalability, scalability, scalability
- Support of current and future point devices (security products, network gear, servers, physical security devices, access control systems, proprietary or legacy equipment, wireless, telephony)
- Runs on platforms that the IT staff is comfortable managing (Solaris, Windows, Linux, AIX, Mac)
- Correlation of assets, vulnerabilities and disparate events, with prioritization and categorization
- Linkage between technical and business drivers and integration into an overall security posture, including incident workflow, case management, policies, procedures, remediation and audits
- Executive reporting and ad-hoc reporting
- Integration with preexisting network management, ticketing and notification systems
- Real-time and forensic analysis going back x months