VISIBLY BETTER RISK AND SECURITY MANAGEMENT
Mason Hooper, Practice Manager, SIEM Solutions, McAfee APAC
December 13, 2012

Sample raw events from four different sources (mail gateway, firewall traffic log, endpoint anti-malware, perimeter firewall):

Oct 17 10:00:27, Application=smtp, Event='Email Status', From=billf1223@gmail.com, size=25140, source=(66.55.23.4), reputation=49, tls=1
10/17/2011 10:00:27, TRAFFIC, end, 66.55.23.4, 192.168.46.15, Monitor SPAN Port, Tap Zone, ethernet1/12, 83752, 1, 59404, 25, tcp, allow, any
10/17/2011 10:02:52 PM, Deleted (detection isn't cleanable), W7MANG\host35 C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.1\vmware-vmrc.exe, C:\Users\brogers\Desktop\455_23_setup.exe Generic.dx!bbfq
Oct 17 10:00:26, Src 66.55.23.4, s_port 4523, dst 192.168.46.15, service smtp, proto tcp, xlatesrc
The State of SIEM
SIEM Promise: Turns Security Data Into Actionable Information; Provides an Intelligent Investigation Platform; Supports Management and Demonstration of Compliance
Legacy SIEM Reality: Antiquated Architectures Force Choices Between Speed and Intelligence; Events Alone Do Not Provide Enough Context to Combat Today's Threats; Complex Usability and Implementation Have Caused Costs To Skyrocket
History of SIEM
Originally designed to correlate events from IDS and Firewalls
Data sources added over time: Events from Security Devices and Endpoints; Device and Application Log Files; OS Events; Network Flows; Authentication and IAM; VA Scan Data; User Identity; Location
SEM: Traditionally RDBMS. SIM: Traditionally Flat File Based.
Legacy Intelligent and Slow SIEM (COTS DB Based)
What are we filtering? Database Queries? Firewall Allows? Infection Indicators? User Events? Information access?
Filtering: 95,000 EPS (8.208 Billion per Day!)
ESM Appliance Max 5000 EPS; Logging Appliance Max 100,000 EPS
Legacy Fast and Unintelligent SIEM
Hybrid Flat File / Relational Database Model: Traditional Log Manager with Database to provide correlation.
Fast at log management and collection; Slow reporting over expanded periods; Inflexible correlation; Basic analysis capability
The Big Security Data Challenge
Perimeter era: Thousands of Events; Consolidate Logs; Correlate Events
APTs, Cloud, Data, Insider, Anomalies: Billions of Events; Compliance; Historical Reporting; Large Volume Analysis; Multi-dimensional Analysis; Active Trending
ESM: Delivering on the Promise
Meaningful Intelligence; Rapid Response; Continuous Compliance; Exceptional Value; Big Security Data DB
Gartner 2012
"McAfee Enterprise Security Manager is a good choice for organizations that require high-performance analytics under high-event-rate conditions. Customer references have validated very high scalability and query performance levels for the McAfee Enterprise Security Manager event data store. The McAfee Enterprise Security Manager ADM component provides application and data access monitoring from network-based packet inspection, which augments log-based monitoring."
ESM Fulfills Today's SIEM Needs
Traditional Context (Log Management): See log frequencies; Search for logs; Correlate events
Content Aware (Dynamic Content): What data is involved? Who is doing it? Are they a bad actor? What is the risk of the system? What is the risk of the user?
Global Threat Landscape: Threat intelligence feed; Immediate alerting; Historical Analysis; Visualize, Investigate, Respond; Advanced Correlation Engine
Enterprise Risk Landscape: Vulnerabilities; Countermeasures; Individuals; Risk Advisor; ePolicy Orchestrator
Optimized response: 1. Shut down bad actor 2. Analyze last year's events 3. Compliance issue identified 4. Investigate high risk system
Big Security Data DB: Applications; Database; High Speed Intelligent Correlation; Scalable Architecture
Compliance Based Reporting and Analysis: Sorting Through a Sea of Events
Have I Been Communicating With Bad Actors? 200M events
Which Communication Was Not Blocked? 18,000 alerts and logs
What Specific Servers/Endpoints/Devices Were Breached? Dozens of endpoints
Which User Accounts Were Compromised? Handful of users
What Occurred With Those Accounts? Specific files breached (if any)
RESPOND: How Should I Respond? Optimized response
Compliance Based Reporting and Analysis
Integration of NitroView normalization with UCF: Provides quick access to compliance based data; Allows for filtering based on both UCF normalization and specific compliance frameworks
Events -> NitroView Normalization -> UCF Normalization -> Compliance Frameworks
Single Pane-of-Glass
Device and Application Log Files; Application Contents; Authentication and IAM; Events from Security Devices; User Identity; Database Transactions; OS Events; VA Scan Data; Location
Demo 1 - Identify Slow and Low Data Exfiltration
Content-Aware SIEM Feature: Utilize the capability of a Content-Aware SIEM to easily compare current events with weeks, months and even years of data to detect anomalous behavior
Identify Slow and Low Data Exfiltration (demo walkthrough, screenshot callouts)
Step 1: Weak Passwords; Policy Violations; Top Offender; Top Normalized; Investigate
Step 2: Associated / Interesting Events; Filtered by IP; Large File Transfer; Normalized; Investigate
Step 3: Geo-IP: Large File Transfer to China
Step 4: HTTP POST; Pivoting Events and Flows, Filter Still Applied; Bytes Transferred; Advanced Details; Session Details: Large File Transfer to China; Session Details: Misspelled User Agent
Step 5: Flows Summary by Total Bytes; Bytes Transferred to China; Pattern: Every Night At 1:00 AM
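The demo's detection logic, written out as an added example (not code from the deck or from McAfee ESM): flow records are compared against weeks of history, and a destination is flagged when a fixed nightly hour, outsized byte counts, an HTTP POST, an unexpected user agent and a foreign geo corroborate each other. All flow records, IPs, the user-agent allow-list and the home country are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed flow records: (timestamp, dst_ip, dst_country, bytes_out, method, user_agent)
def make_flows(days=28):
    flows, start = [], datetime(2011, 9, 19)
    for d in range(days):
        day = start + timedelta(days=d)
        for h in (9, 13, 17):  # ordinary daytime traffic to a domestic CDN (constructed)
            flows.append((day.replace(hour=h), "198.51.100.7", "US", 40_000, "GET", "Mozilla/5.0"))
        # the demo's pattern: a ~2 MB HTTP POST to a foreign host every night at 01:00
        flows.append((day.replace(hour=1), "203.0.113.9", "CN", 2_100_000, "POST", "Mozila/4.0"))
    return flows

KNOWN_AGENTS = {"Mozilla/5.0", "Mozilla/4.0"}  # assumed allow-list of expected user agents
HOME_COUNTRY = "US"  # assumed home geo for the monitored network

def suspicious_destinations(flows, min_days=14, byte_ratio=10.0):
    """One finding per destination whose transfers recur off-hours, dwarf the
    weeks-long byte baseline, and carry corroborating HTTP/geo indicators."""
    by_dst = defaultdict(list)
    for rec in flows:
        by_dst[rec[1]].append(rec)
    baseline = median(r[3] for r in flows)  # per-flow byte baseline over the whole history
    findings = []
    for dst, recs in by_dst.items():
        days = {r[0].date() for r in recs}
        hour, count = Counter(r[0].hour for r in recs).most_common(1)[0]
        med_bytes = int(median(r[3] for r in recs))
        reasons = []
        if len(days) >= min_days and count / len(recs) >= 0.9 and hour < 6:
            reasons.append(f"recurring transfer at {hour:02d}:00 on {len(days)} days")
        if med_bytes >= byte_ratio * baseline:
            reasons.append(f"median {med_bytes} bytes vs baseline {int(baseline)}")
        if any(r[4] == "POST" for r in recs):
            reasons.append("HTTP POST (outbound upload)")
        if any(r[5] not in KNOWN_AGENTS for r in recs):
            reasons.append("unknown or misspelled user agent")
        if recs[0][2] != HOME_COUNTRY:
            reasons.append(f"destination geo {recs[0][2]}")
        if len(reasons) >= 3:  # demand corroboration rather than one weak signal
            findings.append({"dst": dst, "hour": hour, "days": len(days), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in suspicious_destinations(make_flows()):
        print(finding)
```

The domestic CDN traffic is spread over three daytime hours and sits at the baseline, so it never accumulates the three corroborating reasons; only the 01:00 POST destination is reported.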
Situational Awareness and Response
Threat Intelligence; Real-Time Command & Control; High Performance Database; SIEM Correlation Engine
Inputs: Event; Log; Audit/Comp.; Context; Content; Countermeasures
Summary
Put us to the test - Talk to your McAfee Account Manager or Reseller; Organise a demonstration
Read about McAfee ESM in the 2012 Gartner Magic Quadrant: http://www.mcafee.com/siemmagicquadrant
Visit the McAfee SIEM webpage: http://www.mcafee.com/us/products/siem
Email: mason_hooper@mcafee.com