SOLUTION BRIEF. An ArcSight Management Solution



Similar documents
SOLUTION BRIEF. TIBCO LogLogic A Splunk Management Solution

SOLUTION BRIEF. How to Centralize Your Logs with Logging as a Service: Solving Logging Challenges in the Face of Big Data

TIBCO Cyber Security Platform. Atif Chaughtai

End-to-end Processing with TIBCO Managed File Transfer (MFT) Improving Performance and Security during Internet File Transfer

Log Management Solution for IT Big Data

Integration Maturity Model Capability #1: Connectivity How improving integration supplies greater agility, cost savings, and revenue opportunity

Integration Maturity Model Capability #5: Infrastructure and Operations

TIBCO StreamBase High Availability Deploy Mission-Critical TIBCO StreamBase Applications in a Fault Tolerant Configuration

Extending the Benefits of SOA beyond the Enterprise

whitepaper Ten Essential Steps for Achieving Continuous Compliance: A Complete Strategy for Compliance

Predictive Straight- Through Processing

TIBCO ActiveSpaces Use Cases How in-memory computing supercharges your infrastructure

Streaming Analytics and the Internet of Things: Transportation and Logistics

TIBCO Live Datamart: Push-Based Real-Time Analytics

TIBCO Managed File Transfer Suite

whitepaper The Evolutionary Steps to Master Data Management

Scalability in Log Management

WHITEPAPER. Beyond Infrastructure Virtualization Platform Virtualization, PaaS and DevOps

SOLUTION BRIEF. TIBCO StreamBase for Algorithmic Trading

Service Mediation. The Role of an Enterprise Service Bus in an SOA

Predictive Customer Interaction Management

whitepaper Five Principles for Integrating Software as a Service Applications

A Guide Through the BPM Maze

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Implementing TIBCO Nimbus with Microsoft SharePoint

Combating Fraud, Waste, and Abuse in Healthcare

Dynamic Claims Processing

Service-Oriented Integration: Managed File Transfer within an SOA (Service- Oriented Architecture)

Partner Collaboration Blueprint for ICD-10 Transition

Automating the Back Office. How BPM can help improve productivity in the back office

TIBCO Foresight Transaction Insight

Introduction to TIBCO MDM

How To Protect Your Virtual Infrastructure From Attack From A Cyber Threat

Integration: Why Good Enough Doesn t Cut It 13 ways to mess with success

SOLUTION BRIEF. TIBCO StreamBase for Foreign Exchange

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Moving Beyond Proxies

Guideline on Firewall

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis

Security Operations Metrics Definitions for Management and Operations Teams

McAfee Global Threat Intelligence File Reputation Service. Best Practices Guide for McAfee VirusScan Enterprise Software

Second-generation (GenII) honeypots

Predictive Customer Interaction Management for Insurance Companies

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

Resource Sizing: Spotfire for AWS

TIBCO Nimbus Cloud Service

VMware Integrated Partner Solutions for Networking and Security

Whitepaper. Controlling the Network Edge to Accommodate Increasing Demand

Why Choose Integrated VPN/Firewall Solutions over Stand-alone VPNs

International Journal of Enterprise Computing and Business Systems ISSN (Online) :

SOFTNIX LOGGER Centralized Logs Management

MIGRATING IPS SECURITY POLICY TO JUNIPER NETWORKS SRX SERIES SERVICES GATEWAYS

Demonstrating the ROI for SIEM: Tales from the Trenches

Transaction Modernization Solutions for Healthcare

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

BTIP BCO ipro M cess Suite

SANS Top 20 Critical Controls for Effective Cyber Defense

Secure VoIP for optimal business communication

Airline Disruption Management

Detecting Anomalous Behavior with the Business Data Lake. Reference Architecture and Enterprise Approaches.

A Technical Review of TIBCO Patterns Search

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

Detect & Investigate Threats. OVERVIEW

The Global Attacker Security Intelligence Service Explained

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

Transition Networks White Paper. Network Security. Why Authentication Matters YOUR NETWORK. OUR CONNECTION.

White Paper. What Auditors Want Database Auditing. 5 Key Questions Auditors Ask During a Database Compliance Audit

The Application Front End Understanding Next-Generation Load Balancing Appliances

The Power of Predictive Analytics

TIBCO Industry Analytics: Consumer Packaged Goods and Retail Solutions

Leveraging Symantec CIC and A10 Thunder ADC to Simplify Certificate Management

Security Event and Log Management Service:

SECURE WEB GATEWAY DEPLOYMENT METHODOLOGIES

ADVANCED SECURITY MECHANISMS TO PROTECT ASSETS AND NETWORKS: SOFTWARE-DEFINED SECURITY

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Network Security Forensics

J-Flow on J Series Services Routers and Branch SRX Series Services Gateways

Securing your IT infrastructure with SOC/NOC collaboration

On-Premises DDoS Mitigation for the Enterprise

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

Cyber Security Services: Data Loss Prevention Monitoring Overview

Network Services in the SDN Data Center

Transcription:

SOLUTION BRIEF TIBCO LogLogic An Management Solution

Table of Contents 3 State of Affairs 3 The Challenges 5 The Solution 6 How it Works 7 Solution Benefits

TIBCO LogLogic An Management Solution State of Affairs Every successful enterprise requires a myriad of information technologies to function. Whether these are applications, networks, or security devices, every platform is generating a continuous stream of log data. This log data contains vital information about your business, but most of it will go unnoticed. The sheer amount of data makes it difficult to use. This problem, machine big data, can lead to unnecessary spending, complexity, and risk. As with every form of vital information, machine big data needs to be collected, stored, and distributed to the systems and people who need it. These systems or people have a variety of uses for this data such as security, operational intelligence, compliance, development, and business needs. One such consumer is the Security Event Manager () platform. As with most security event manager products, consumes machine data and uses complex rules to correlate multiple pieces of realtime data into a security event. For example, if you visit a company s corporate web page, at a minimum, a firewall, IDS/IPS, and a web server will log your access attempt. A security event manager has the ability to consume the logs from those three devices and by means of a rule, correlate it into a single event. That event is then analyzed and categorized as either normal behavior or something potentially malicious. Anything potentially malicious would in turn be alerted on so the event could be verified or dismissed by a security professional. The Challenges One of the main challenges with using, and most security event manager platforms, is scalability. The problem of scalability arises from the complexity and processing requirements that are inherent to security event correlation. At a high level, first the data must be consumed, then parsed and normalized, matched against a list of complex rules stored in-memory, categorized as an event, and alerted on, if applicable. Time becomes a variable in this process as well, because not all data being consumed that may help classify an event will be generated simultaneously or even in rapid succession. Additionally, statistical correlation may be used, which establishes baselines and looks for anomalies and deviations from the baselines. Because of the processing and storage load generated, has created other solutions to offload some of the processing. The first is, which can be deployed as software or an appliance, and acts as an initial consumer of machine data. This product performs some parsing and normalization of the data to a proprietary format known as Common Event Format (CEF). then forward the normalized data to for correlation. Because cannot retain the data for historical analysis or compliance requirements, the data is usually also forwarded to a third platform known as Logger. Logger can act as an intermediary between and. Finally, Threat Response Manager is needed to manage the events generated by multiple platforms. A typical enterprise deployment is depicted below. 3

TRM Security Logger Compliance Logger Operations Logger Development Finance As pictured, the deployment can become quite complex and difficult to manage. Even more management overhead is generated by the full-time employees (FTEs) needed to manage the complex correlation rules. Such complex correlation rules need constant fine-tuning to lessen the amount of false positive alerts that are sure to be generated in any environment. Storage will also be a major factor to consider. As mentioned, normalize machine data into CEF, greatly increasing the size of messages. Some messages are increased 10 times in size, which means that even if an excellent storage compression ratio of 10:1 is achieved, it is of negligible benefit. Also, if there are compliance requirements in the enterprise, most likely a copy of the raw or native message must be kept as well. This means that each message will be stored twice, once in native format and once in CEF. An additional challenge arises because the solution is licensed based on how much data it ingests. The challenge of volume-based licensing is that a fixed cost can rarely be established. As the deployment expands and the enterprise grows with the Internet of Things continuing to generate more machine data, the licensing cost grows as well. Many times unforeseen events, such as a denial of service (DOS) attack, can cause these costs to increase rapidly. These unknown costs and unforeseen events can pose a real challenge to managing an deployment in the enterprise. Also, as pictured above, is mainly a security tool with some limited compliance applications. Yet the information contained in an enterprise s machine big data can have benefit for a variety of use cases across all departments. These concerns can add to the budgetary challenge of managing an deployment because in most instances other departments will have their own solution for analyzing the machine data that they need. 4

To summarize the challenges being faced by enterprises trying to deploy, it mainly comes down to cost. In addition to the cost of a volume-based license and its unpredictable growth are factors like procurement, maintenance, and storage. There s also the cost of FTEs that deploy the platforms and continuously fine-tune the correlation rules. On top of these costs is the chance for unforeseen events that create huge spikes in the amount of machine data being generated. With this in mind, the need for volume management solution becomes clear. The Solution Just as normal Internet traffic needs to be routed, filtered, and secured, the same is true for machine big data. Similar to a proxy server, load balancer, or any other network device, a true machine big data solution needs to not only collect this data, but also filter and securely forward it to its destination. The TIBCO LogLogic solution is unique in its filtering and forwarding functionality as well as its enterprise scalability. These features are some of the reasons why many companies choose LogLogic for enterprise logging as a service (LaaS). How can TIBCO LogLogic s LaaS solution manage an deployment? By using LogLogic as the collection and storage layer for machine big data, you can securely and transparently filter and forward the machine data that consumers, such as, receive. This approach will help reduce the costs of an deployment. By filtering and limiting the required data that needs to meet your enterprise s security use cases, you no longer need to use Logger as a machine data management solution, creating a fixed cost surrounding your license and TCO. As depicted in the following graphic, this tactic means less maintenance and a much smaller footprint. Connections Security Connections Operations TIBCO LogLogic Compliance Development Finance 5

How it Works The TIBCO LogLogic platform can securely collect machine big data via a variety of methods as required by the log source. For example, data may be transmitted through a secure shell (SSH) connection or retrieved via a secure copy (SCP) file transfer. Once the machine big data is collected, the LogLogic system performs a secure hash algorithm (SHA-256) of the data to prove integrity. Additionally, granular data retention policies allow for custom retention periods for different sets of log data so that only the data your enterprise needs is retained. This data can be retained on the LogLogic system for up to 10 years, as well as searched, reported, and alerted on. Most enterprises will also need this data filtered and forwarded in real time to a variety of destinations or consumers, including. Some other examples of machine data consumers include: Security operations centers (SOC) Managed security service providers (MSSPs) Governance, risk, and compliance (GRC) applications Data analytics software such as Splunk Network monitoring solutions Software development tools The TIBCO LogLogic filtering and forwarding functionality allows for the creation of rules to securelyroute the machine big data to any destination in real time. Now anyone within the enterprise has the capability to access the data they need when they need it, and without a large deployment that only benefits security and compliance. Mar 7 04:20:00 avas CROND[11372]: (cronjob) CMD (/usr/bin Mar 7 04:15:00 avas CROND[11352]: (mailman) CMD (/usr/local/bi Mar 7 04:15:00 avas CROND[11351]: (cronjob) CMD (/usr/bin/mrtg /et Mar 7 04:10:00 avas CROND[11255]: (mailman) CMD (/usr/local/bin/pytho Mar 7 04:10:00 avas CROND[11257]: (cronjob) CMD (/sbin/dcccollect.sh) Mar 7 04:10:00 avas CROND[11254]: (cronjob) CMD (/usr/lib/sa/sa1 1 1) Mar 7 04:10:00 avas CROND[11253]: (cronjob) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg) Mar 7 04:05:00 avas CROND[11234]: (mailma Mar 7 04:05:00 avas CROND[11234]: (mailman) CMD (/usr/local/b Mar 7 04:05:00 avas CROND[11233]: (cronjob) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg) n) CMD 18.4.5.14 - - [21/Feb/2012 23:45:59] "GET /search_by_subject?search_learn_e0 66.12.71.25 - - [21/Feb/2012 23:45:21] "GET /course/19/detail HTTP/1.1" 200 68 66.12.71.21 - - [21/Feb/2012 23:44:39] "GET /search_by_author?search_le 66.12.71.25 - - [21/Feb/2012 23:44:11] "GET /course/1894/detail HTTP/1.1 Mar 7 04:20:00 avas CROND[11372]: (cronjob) CMD (/usr/bin/c Mar 7 04:15:00 avas CROND[11352]: (mailman) CMD (/usr/local/bin/p Mar 7 04:15:00 avas CROND[11351]: (cronjob) CMD (/usr/bin/mrtg /et) Mar 7 04:10:00 avas CROND[11255]: (mailman) CMD (/usr/local/bin/python -S Mar 7 04:10:00 avas CROND[11257]: (cronjob) CMD (/sbin/dcccollect.sh) Mar 7 04:10:00 avas CROND[11254]: (cronjob) CMD (/usr/lib/sa/sa1 1 1) Mar 7 04:05:00 avas CROND[11234]: (mailman) CMD (/usr/local/bin/python -S /usr/local/mailman/cro Mar 7 04:05:00 avas CROND[11234]: (mailma Mar 7 04:10:00 avas CROND[11253]: (cronjob) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg) Mar 7 04:05:00 avas CROND[11233]: (cronjob) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg) n) CMD 18.4.5.14 - - [21/Feb/2012 23:45:59] "GET /search_by_subject?search_learn_exp=al 66.12.71.25 - - [21/Feb/2012 23:45:21] "GET /course/19/detail HTTP/1.1" 200 685 66.12.71.21 - - [21/Feb/2012 23:44:39] "GET /search_by_author?search_lear 66.12.71.25 - - [21/Feb/2012 23:44:11] "GET /course/1894/detail HTTP/ Mar 29 2004 09:54:39: %PIX-6-302005: Built UDP connection for Mar 29 2004 09:54:33: %PIX-6-106015: Deny TCP (no connectio Mar 7 04:10:00 avas CROND[11255]: (mailman) CMD (/usr/local/bi8.2 Mar 7 04:10:00 avas CROND[11257]: (cronjob) CMD (/sbin/dcccollect.sh) Compliance Mar 7 04:10:00 avas CROND[11254]: (cronjob) CMD (/usr/lib/sa/sa1 1 1) Mar 7 04:10:00 avas CROND[11253]: (cronjob) CMD (/usr/bin/mrtg /etc/mrtg/mr Mar 7 04:05:00 avas CROND[11234]: (mailman) CMD (/usr/local/bin/python -S /usr/loca 18.4.5.14 - - [21/Feb/2012 23:45:59] "GET /search_by_subject?search_learn_exp=algebra-ii-examples HT Mar 7 04:05:00 avas CROND[11234]: (mailma Mar 7 04:05:00 avas CROND[11233]: (cronjob) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg) 66.12.71.25 - - [21/Feb/2012 23:45:21] "GET /course/19/detail HTTP/1.1" 200 6851 0.1213 n) CMD 66.12.71.21 - - [21/Feb/2012 23:44:39] "GET /search_by_author?search_learn_exp=my 66.12.71.25 - - [21/Feb/2012 23:44:11] "GET /course/1894/detail HTTP/1.1" 200 70 Mar 29 2004 09:54:39: %PIX-6-302005: Built UDP connection for faddr 194. Mar 29 2004 09:54:39: %PIX-6-106015: Deny TCP (no connection) fro SEM Mar 29 2004 09:54:38: %PIX-6-302005: Built UDP connection f Additionally, each destination will only receive the data it needs, helping to avoid overloading the consumer or over-extending its licensing. The end result is a streamlined LaaS architecture that reduces enterprise costs in many ways including by affecting management overhead, network congestion, storage requirements, data security, and licensing needs. 6

Solution Benefits TIBCO LogLogic s LaaS platform does not have any volume-based licensing so you never have to worry about unpredictable costs. The LogLogic LaaS solution has a fixed cost that in most cases provides proven savings and ROI in under two years, especially when used to manage your deployment. In many scenarios, a single LogLogic appliance can ingest machine data at a rate that requires three to six loggers. The following value model shows this scenario. TIBCO LogLogic & Cost Cost ($) Lower Higher Low GBs of Indexed Data per Day High Only with LogLogic Since LogLogic is now managing your machine big data, you no longer have to worry about massive storage requirements driven by the explosive size of the CEF and the need to store every message twice. Your data retention policies are now quickly and easily managed using LogLogic granular retention rules. Additionally, indexed machine data retention policies can be separated from raw machine data retention policies. This separation means improved use of storage resources and the ability to search through compressed raw machine data during time periods outside of your index retention period. The TIBCO LogLogic LaaS platform offers an effortless lifecycle and is truly plug and play. Setup of the solution is quick and easy, and it does not require an FTE to manage it. With this ease and flexibility, it is never too late to put the brakes on an deployment that is growing too rapidly or becoming too costly to scale. A TIBCO LogLogic appliance can be inserted into your environment in front of machine data sources to immediately stem the flow of too much data being sent to. Additionally, while the TIBCO LogLogic solution can parse and normalize machine data, it always stores 100 percent of the raw machine data, so it can act as your machine big data system of record. Furthermore, any data modification can occur at the machine data consumer, in this case. LogLogic also contains many enterprise features such as high availability so you never have to worry about losing machine data. Look to TIBCO LogLogic as a true LaaS platform that will provide an management solution while managing all of your machine big data, making sure it is delivered to your machine data consumers in real time. TIBCO Software Inc. (NASDAQ: TIBX) is a global leader in infrastructure and business intelligence software. Whether it s optimizing inventory, cross-selling products, or averting crisis before it happens, TIBCO uniquely delivers the Two-Second Advantage the ability to capture the right information at the right time and act on it preemptively for a competitive advantage. With a broad mix of innovative products and services, customers around the world trust TIBCO as their strategic technology partner. Learn more about TIBCO at www.tibco.com. Global Headquarters 3307 Hillview Avenue Palo Alto, CA 94304 Tel: +1 650-846-1000 +1 800-420-8450 Fax: +1 650-846-1005 www.tibco.com 2014, TIBCO Software Inc. All rights reserved. TIBCO, the TIBCO logo, TIBCO Software, and TIBCO LogLogic are trademarks or registered trademarks of TIBCO Software Inc. or its subsidiaries in the United States and/or other countries. All other product and company names and marks in this document are the property of their respective owners and mentioned for identification purposes only. 7 exported29apr2014

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information