Security Information & Event Management (SIEM)
Peter Helms, Senior Sales Engineer, CISA, CISSP
September 6, 2012

McAfee Security Connected

Enterprise Security: How?
Getting to Optimized: The Maturity Model of Enterprise Security
[Figure: TCO (CapEx + OpEx) plotted against security posture, with three maturity stages]
- Reactive (~3% of IT budget on security)
- Compliant/Proactive (~8% of IT budget on security)
- Optimized (~4% of IT budget on security): security optimization
Technology Architecture for Security: How Connected Is Your Security?
Typical point-product sprawl: Host IPS agent, DLP agent, encryption, antivirus agent, NAC, audit agent, systems management agent.
- Every solution has an agent
- Every agent has a console
- Every console requires a server
- Every server requires an OS/DB
- Every OS/DB requires people, maintenance, patching
Where does it end?

Technology Architecture for Security: How Connected Is Your Security?
McAfee ePO server: single agent, single console for AV, Host IPS, DLP, NAC, Application Control, Encryption, MOVE-AV, Deep Command, Deep Defender, Policy Auditor, Risk Advisor, SiteAdvisor, AV for NetApp, AV for SAP NetWeaver.
McAfee Security Connected Solution Platform
Network Security:
- High Assurance Firewall
- Network Intrusion Prevention
- Network Access Control
- Network Behavior Analysis
Information Security:
- Email Security
- Web Security
- Data Loss Prevention
- Encryption
- Identity & Access Management
- API and Web Services Security
Security Management:
- Security Operations Management
- Policy Auditing & Management
- Vulnerability Management
- Risk Management
- Compliance Management
Endpoint Security:
- Malware Protection
- Device Encryption
- Application Whitelisting
- Desktop Firewall
- Device Control
- Email Protection
- Network Access Control
- Endpoint Web Protection
- Host Intrusion Protection
- Mobile Device Management
- Server & Database Protection
- Hardware Assisted Security
- Smartphone and Tablet Protection
- Virtual Machine and VDI Protection
- Embedded Device Protection
Partner Community:
- Security Innovation Alliance
- McAfee Connected
- Global Strategic Alliance Partners

McAfee's Open Platform for Security Risk Management: Industry Leadership to Drive Better Protection, Greater Compliance and Lower TCO
What It Takes to Make an Organization Safe: Global Threat Intelligence (Threat Reputation)
Sensors feeding GTI and the volumes shown on the slide:
- Network IPS: 300M IPS attacks/mo.
- Firewall: 300M IPS attacks/mo.
- Web Gateway: 2B botnet C&C IP reputation queries/mo.
- Mail Gateway: 20B message reputation queries/mo.
- Host AV: 2.5B malware reputation queries/mo.
- Host IPS: 300M IPS attacks/mo.
- 3rd-party feeds: geolocation feeds
McAfee Threats Report Q2, 2012: Ransomware
http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q2-2012.pdf

McAfee Threats Report Q2, 2012: Network Threats
http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q2-2012.pdf
What is SIEM?
SIEM is the evolution and integration of two distinct technologies:
- Security Event Management (SEM): primarily focused on collecting and aggregating security events as they happen (real-time monitoring and alerting)
- Security Information Management (SIM): primarily focused on the enrichment, normalization, and correlation of security events, together with their long-term storage and reporting
Security Information & Event Management (SIEM) is a set of technologies for:
- Log data collection
- Correlation
- Aggregation
- Normalization
- Retention
- Analysis and workflow
Three major factors drive the majority of SIEM implementations:
1. Real-time threat visibility (security)
2. Operational efficiency
3. Compliance and/or log management requirements
Logging requirements in ISO 27002 & DS 484
DS 484-10.10 Logging and monitoring: Information processing systems shall be monitored and security-related events shall be recorded. Logging shall be in place to ensure that undesired conditions are detected.
ISO 27002-10.10 Monitoring: Systems should be monitored and information security events should be recorded. Operator logs and fault logging should be used to ensure information system problems are identified.
Log Management and Search
- See log frequencies
- Search for logs
- Investigate
Log management: investigate logs after the fact.

SIEM is Still Evolving Beyond Logs
Questions an analyst needs answered about an event, which raw logs alone do not answer:
- What else happened at this time? Near this time? What is the time zone?
- DNS name, Windows name, other names? Whois info? Organization owner? Where does the IP originate from (geolocation info)?
- What else happened on this host? Which other hosts did this IP communicate with?
- What is this service? What other messages did it produce? What other systems does it run on?
- What is the host's IP address? Other names? Location on the network/datacenter? Who is the admin? Is this system vulnerable to exploits?
- Who is this user? What is the user's access level? What is the user's real name, department, location? What other events are there from this user?
- What is this port? Is this a normal port for this service? What else is this service being used for?
- What does this number mean? Is this documented somewhere?
The Big Security Data Challenge
[Figure: event volume versus analysis scope]
- Perimeter, thousands of events: correlate events, consolidate logs
- APTs, cloud, data, insider, billions of events: multi-dimensional analysis, active trending, long-term analysis, anomalies, large-volume analysis, compliance, historical reporting

The SIEM Catch 22: Fundamental Problem
- 80% of threats come from insiders
- 39% of threats target software, applications, and services
- 66% of those involved did not know the data was on the system
Source: Forrester, Verizon
Broad Context Correlation
[Figure: layered model, bottom to top: event, log and compliance; content; context]
Context sources correlated with the event and log layer:
- Device & application log files
- Application content
- Authentication & IAM
- Events from security devices & endpoints
- User identity
- Location
- VA scan data
- Network flows
- Time
- OS events
- Database transactions

Content Aware
Content types recognized on top of the event and log layer:
- P2P file sharing
- Web access (HTTP)
- Protocol anomalies
- Webmail
- Email
- IM, chat

Situational Aware Risk Management
Risk awareness layered on top of context, content, and event/log/compliance data.
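The enrichment questions under "SIEM is Still Evolving Beyond Logs" and the context sources listed above amount to one operation: normalize heterogeneous log lines into a single event schema, then join each event with asset, identity and geolocation context. The following is an added example of that pipeline, not code from the original deck or from any McAfee product; the three log lines, the lookup tables, the field names and the assumed year/time zone for the syslog line are all constructed for illustration.

```python
"""Normalize mixed log lines into one schema and enrich them with context.
Added example; sample lines, lookup tables and field names are constructed."""
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample input: a firewall deny, a Windows logon failure (4625) and an sshd failure.
RAW_LOGS = [
    "2012-09-06T08:15:02Z fw01 DENY src=203.0.113.7 dst=10.0.5.20 dport=3389 proto=tcp",
    "2012-09-06T08:15:05Z dc01 EventID=4625 Account=jsmith SourceIP=203.0.113.7 Status=0xC000006D",
    "Sep  6 08:15:09 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2",
]

# Constructed context tables standing in for a CMDB, an identity store and a geo/reputation feed.
ASSETS = {
    "10.0.5.20": {"hostname": "ts01.corp.example", "owner": "it-ops", "location": "DC1", "critical": True},
    "dc01": {"hostname": "dc01.corp.example", "owner": "it-ops", "location": "DC1", "critical": True},
    "web01": {"hostname": "web01.corp.example", "owner": "web-team", "location": "DMZ", "critical": True},
}
USERS = {"jsmith": {"name": "Jane Smith", "dept": "Finance", "access": "user"}}
GEO_FEED = {ip_network("203.0.113.0/24"): "external, RFC 5737 documentation range (constructed)"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DENY|ALLOW) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
WIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) Account=(?P<user>\S+) SourceIP=(?P<src>\S+)")
SSH_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# Classic syslog timestamps carry neither year nor zone ("What is the time zone?"); these are assumptions.
ASSUMED_YEAR, ASSUMED_TZ = 2012, timezone.utc


def parse_iso(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize(line: str) -> Optional[dict]:
    """Map one raw line onto the common schema; None for lines no parser claims."""
    m = FW_RE.match(line)
    if m:
        kind = "connection_denied" if m["action"] == "DENY" else "connection_allowed"
        return {"ts": parse_iso(m["ts"]), "device": m["host"], "event_type": kind,
                "src_ip": m["src"], "dst": m["dst"], "dst_port": int(m["dport"]), "user": None}
    m = WIN_RE.match(line)
    if m:
        kind = "auth_failure" if m["eid"] == "4625" else "auth_other"
        return {"ts": parse_iso(m["ts"]), "device": m["host"], "event_type": kind,
                "src_ip": m["src"], "dst": m["host"], "dst_port": None, "user": m["user"]}
    m = SSH_RE.match(line)
    if m:
        h, mi, s = (int(x) for x in m["time"].split(":"))
        ts = datetime(ASSUMED_YEAR, MONTHS[m["mon"]], int(m["day"]), h, mi, s, tzinfo=ASSUMED_TZ)
        return {"ts": ts, "device": m["host"], "event_type": "auth_failure",
                "src_ip": m["src"], "dst": m["host"], "dst_port": 22, "user": m["user"]}
    return None


def enrich(ev: dict) -> dict:
    """Answer the who/where/what questions by joining the event with context tables."""
    src = ip_address(ev["src_ip"])
    ev["src_scope"] = "internal" if any(src in n for n in INTERNAL_NETS) else "external"
    ev["src_geo"] = next((label for net, label in GEO_FEED.items() if src in net), "unknown")
    asset = ASSETS.get(ev["dst"], {})
    ev["dst_hostname"] = asset.get("hostname", ev["dst"])
    ev["dst_owner"] = asset.get("owner", "unknown")
    ev["dst_location"] = asset.get("location", "unknown")
    ev["dst_critical"] = asset.get("critical", False)
    user = USERS.get(ev["user"] or "", {})
    ev["user_name"] = user.get("name")
    ev["user_dept"] = user.get("dept")
    ev["user_access"] = user.get("access")
    return ev


def process(lines: List[str]) -> List[dict]:
    out = []
    for line in lines:
        ev = normalize(line)
        if ev is not None:
            out.append(enrich(ev))
    return out


if __name__ == "__main__":
    for ev in process(RAW_LOGS):
        print(ev["ts"].isoformat(), ev["event_type"], ev["src_ip"], ev["src_scope"],
              "->", ev["dst_hostname"], ev["dst_owner"], ev["user"], ev["user_name"])
```

Once all three lines share one schema, the fact that a single external address was denied at the firewall, failed a domain logon, and failed an SSH root login within seven seconds becomes a trivial group-by on src_ip; in the raw formats it is three unrelated strings. The unparsed-line path (None) matters in practice: a parser that silently drops or mis-parses a new log format creates a blind spot, so production collectors count and surface unparsed lines.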
Today's SIEM Needs
Traditional log management: see log frequencies, search for logs, correlate events.
Content-aware context: what data is involved? Who is doing it? Are they a bad actor? What is the risk of the system? What is the risk of the user?
Visualize, investigate, respond.
- Advanced Correlation Engine
- Global threat landscape: threat intelligence feed, immediate alerting, historical analysis
- Enterprise risk landscape: vulnerabilities, countermeasures, individuals (Risk Advisor, ePolicy Orchestrator)
- Dynamic content

GTI with SIEM delivers even greater value: Sorting Through a Sea of Events
(GTI = McAfee Global Threat Intelligence)
- Have I been communicating with bad actors? 200M events
- Which communication was not blocked? 18,000 alerts and logs
- What specific servers/endpoints/devices were breached? Dozens of endpoints
- Which user accounts were compromised? Handful of users
- What occurred with those accounts? Specific files breached (if any)
- How should I respond? Optimized response
Example: Repeated failed login attempts
Sample events shown on the slide (sequential usernames, one source):
  Login Failed: sssaaa
  Login Failed: sssaab
  Login Failed: sssaac
  Login Failed: sssaba
Data flow: Active Directory -> NitroSecurity -> Console (Alert)
- Description: Monitor for repeated failed logins to various systems during short and long time spans (one source to many destinations).
- Method: Alert
- Receiver: SOC
- Action: Investigate and report
- Purpose: Proactively stop security incidents
- Data sources: Active Directory (Global & XDS), Identity Manager (Sun), {server specific}, {database specific}, {application specific}
- Data status: Partly ready, depending on scope.
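The rule on the slide has two halves that a single threshold cannot cover: a fast burst of failures from one source, and a low-and-slow attempt that spreads a few failures per hour across many destinations. The following is an added example of how such a correlation rule can be evaluated over a stream of already-normalized authentication failures; it is not code from the original deck or from the NitroSecurity/McAfee product. The sample events, the thresholds (5 failures in 60 seconds; 3 distinct destinations in 24 hours) and the alert field names are constructed for illustration.

```python
"""Correlation rule for repeated failed logins: short-window burst and
long-window spray across destinations. Added example; events and thresholds
are constructed, not taken from any product or real log."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class AuthFailure:
    ts: datetime
    src_ip: str
    dst: str
    user: str


# Thresholds are assumptions for the example; a real deployment tunes them per environment.
SHORT_WINDOW, SHORT_MAX = timedelta(seconds=60), 5       # burst: N failures within the window
LONG_WINDOW, LONG_MIN_DSTS = timedelta(hours=24), 3      # spray: failures against >= M hosts

T0 = datetime(2012, 9, 6, 9, 0, tzinfo=timezone.utc)
# Constructed sample stream (intentionally out of time order to show sorting is required).
SAMPLE_EVENTS: List[AuthFailure] = (
    # low and slow: one failure every two hours, each against a different server
    [AuthFailure(T0 + timedelta(hours=2 * i), "192.0.2.77", f"srv{i:02d}", "admin") for i in range(4)]
    # burst against one DC with incrementing usernames, like the slide's sssaaa, sssaab, ...
    + [AuthFailure(T0 + timedelta(seconds=10 * i), "198.51.100.23", "dc01", "sssaa" + chr(ord("a") + i))
       for i in range(6)]
    # benign: an employee mistyping a password twice
    + [AuthFailure(T0 + timedelta(minutes=5), "10.0.1.5", "dc01", "jsmith"),
       AuthFailure(T0 + timedelta(minutes=5, seconds=8), "10.0.1.5", "dc01", "jsmith")]
)


def correlate(events: List[AuthFailure]) -> List[Dict]:
    """Replay events in time order keeping one sliding window per source and per rule.
    Returns one alert per (source, rule); a real engine would also re-arm after a quiet period."""
    short: Dict[str, deque] = defaultdict(deque)   # src -> timestamps inside SHORT_WINDOW
    long_: Dict[str, deque] = defaultdict(deque)   # src -> events inside LONG_WINDOW
    fired = set()
    alerts: List[Dict] = []

    for e in sorted(events, key=lambda x: x.ts):
        sq, lq = short[e.src_ip], long_[e.src_ip]
        sq.append(e.ts)
        lq.append(e)
        while sq and e.ts - sq[0] > SHORT_WINDOW:    # expire old entries from each window
            sq.popleft()
        while lq and e.ts - lq[0].ts > LONG_WINDOW:
            lq.popleft()
        users = {x.user for x in lq}
        dsts = {x.dst for x in lq}

        if len(sq) >= SHORT_MAX and (e.src_ip, "burst") not in fired:
            fired.add((e.src_ip, "burst"))
            alerts.append({"rule": "burst", "src": e.src_ip, "count": len(sq),
                           "window_s": int(SHORT_WINDOW.total_seconds()),
                           "distinct_users": len(users), "first_seen": sq[0], "last_seen": e.ts,
                           "receiver": "SOC", "action": "Investigate and report"})
        if len(dsts) >= LONG_MIN_DSTS and (e.src_ip, "spray") not in fired:
            fired.add((e.src_ip, "spray"))
            alerts.append({"rule": "spray", "src": e.src_ip, "destinations": sorted(dsts),
                           "count": len(lq), "window_h": int(LONG_WINDOW.total_seconds() // 3600),
                           "distinct_users": len(users), "first_seen": lq[0].ts, "last_seen": e.ts,
                           "receiver": "SOC", "action": "Investigate and report"})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["rule"], a["src"], a.get("count"), a.get("destinations"), a["distinct_users"])
```

The burst rule fires on the fifth failure from 198.51.100.23 (five distinct usernames in 40 seconds, which is the enumeration pattern the slide's sssaaa/sssaab/sssaac sample hints at), the spray rule fires on 192.0.2.77 only once it has touched three hosts, and the employee who mistyped twice never reaches either threshold. Distinct user count is carried in the alert because the same failure count means different things for one account (a locked-out user) and for fifty (an enumeration or password-spray attempt).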
Industry Recognition
- Placed in the Leaders quadrant in Gartner's latest SIEM Magic Quadrant; ranked in the top 3 for Critical Capabilities: "We have been able to validate Nitro's high performance with large production deployments"
- Winner of InfoWorld's 2011 Technology of the Year Award for the NitroView ESM and ELM solutions; this honor is the result of NitroSecurity's #1 ranking, outscoring six other vendors to achieve the highest overall score
- "The best and fastest database in the security industry"
- "Very advanced technology and the vision to apply it in a threat management environment"
- "An analyst's power tool that provides strong SIEM capabilities in a highly configurable dashboard approach"
- "NitroSecurity offers one of the most useful and seamless incident response-focused ESIM products available today"
- "The rate at which the NitroEDB can insert and recall data is without a doubt one of the key differentiators offered by NitroSecurity"
SIEM Magic Quadrant May 2012
Sample Customers: Government, Financial, Enterprise, Healthcare, Education, Energy