ClearSkies SIEM Security-as-a-Service (SecaaS) Infocom Security Athens April 2014


About the Presenters
Ms. Irene Selia, Product Manager, ClearSkies SecaaS SIEM. Contact: iselia@odysseyconsultants.com, w: +357 22463600
Mr. Angelos Printezis, ITHACA Labs Team Leader, Researcher/Analyst. Contact: aprintezis@odysseyconsultants.com, w: +30 2106565200

Agenda
1. The Service in a Nutshell
2. Challenges Faced by Organizations Today
3. Addressing Challenges with ClearSkies SecaaS SIEM
4. ClearSkies SecaaS SIEM Overview
5. ClearSkies SIEM Architecture
6. Service Offerings
7. Building Blocks
8. Threat Intelligence powered by ITHACA Labs
9. Supported Vendors
10. Q&A

The Service in a Nutshell
Efficient and effective Security Information and Event Management (SIEM) is no longer an expensive information security tool that can be afforded only by large and resource-rich organizations. The ClearSkies Security-as-a-Service (SecaaS) SIEM platform addresses the need of organizations of any size or industry to manage the wealth of information generated by their networks, systems and applications. It does so in a holistic manner and over the cloud, enabling you to effectively and cost-efficiently enhance your information security and regulatory compliance operations across the board, with virtually zero upfront investment.

Challenges Faced by Organizations Today
- Increase in the frequency, complexity and sophistication of threats and attacks against your networks, systems and applications
- The complexity of Internet and intranet applications
- Complying with legal and regulatory frameworks and reporting requirements
- Maintaining in-house information security expertise
As a result: minimize the risk of information security loss.

Addressing Challenges with ClearSkies SecaaS SIEM
- Secure access, over the private cloud, to a feature-rich SIEM platform which addresses the needs of organizations irrespective of their size, industry, the extent and complexity of their existing information security infrastructure, or their in-house level of expertise
- Fast and intuitive deployment, allowing organizations to reap the benefits of the ClearSkies SecaaS SIEM services in no time
- Access to, and utilization of, our Analysis and Correlation engines, which are constantly updated and enriched with the threat intelligence and knowledge gathered and developed within ITHACA Labs, our very own world-class Information Security Research and Threat Intelligence Center
- Zero up-front investment

What ClearSkies SecaaS SIEM will help you achieve
- Functional log and event management, with a clear view of your overall information security posture at any time
- Instant transformation of raw data into information security intelligence, useful in making informed decisions
- Early identification of suspected or actual incidents, and the ability to address and follow up on them through a structured process
- Effortless preparation of both specialized and ad-hoc reports in no time
- Enhancement of your compliance and business decision support processes
- Maximized knowledge of the latest information security threats and trends, by tapping into a unique Information Security and Threat Intelligence knowledge pool

ClearSkies SecaaS SIEM Overview
Provides organizations which otherwise would not have the necessary resources to maintain an adequate SIEM infrastructure in-house the opportunity to gain access to such capability in the cloud. Enables organizations to:
- Collect, archive, normalize, analyze and correlate the logs generated by a number of diverse systems and applications
- Effectively and efficiently monitor, and raise/assign incidents for, abnormal behavior and suspected threats
- Generate the reports required to demonstrate compliance with legal and regulatory obligations

ClearSkies Architecture (Single Site)
Diagram labels. Customer premises: Workstation, Server, Switch/Router, Firewall, Log Collector(s). Odyssey's Private Cloud Environment: Log Storage, Threat Intelligence Database, ClearSkies Secure Web Portal, Event Management & Incident Escalation, Analysis & Correlation Database.

Service Offerings
A holistic approach to Security Information and Event Management, offered in three tiers (ClearSkies SIEM Standard, ClearSkies SIEM Plus and ClearSkies SIEM Premium):
- Security as a Service (SecaaS): the customer performs log review, analysis and event management
- SecaaS with daily log review, analysis and event management
- SecaaS with 24/7/365 log analysis and event management (Managed Security Services in a hybrid model)

Building Blocks

Building Blocks - Collect
Collect raw logs generated by diverse systems, applications and/or security devices:
- Syslog
- SNMP messages
- Database
- Windows Security
- NetFlow
- Other
Development/updating of our collection mechanism to support in-house/custom applications or other log sources/formats.

Building Blocks - Archive
Archive of the raw logs collected. During this process the archive mechanism compresses and digitally signs the raw logs:
- The raw logs are compressed (compression ratio up to 5 to 1, i.e. 80%).
- The checksum of the compressed file is calculated using a hashing algorithm (SHA-1, MD5).
- The checksum is encrypted with the Collector's private key.
- The encrypted checksum is saved to a database for future use.
At any given time it can be verified, using the public key, that the raw logs collected are intact (not tampered with).
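The archive step above, as an added Go example that is not ClearSkies' own code: the compressed file is hashed, the hash is signed with the collector's private key, and the archive is later verified with the public key. It uses SHA-256 with RSA PKCS#1 v1.5 rather than the SHA-1/MD5 the slide names, since those hashes are no longer recommended for signatures; the key, record layout and sample log line are constructed assumptions.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)
// ArchiveRecord is what the archive step keeps: the compressed raw logs and the
// signed checksum (the slide's "encrypted checksum") that goes to the database.
type ArchiveRecord struct {
	Compressed []byte
	Signature  []byte
}
// Archive compresses the raw log batch, hashes the compressed file and signs
// the hash with the collector's private key.
func Archive(rawLogs []byte, collectorKey *rsa.PrivateKey) (*ArchiveRecord, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(rawLogs); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil { // Close flushes the gzip trailer
		return nil, err
	}
	sum := sha256.Sum256(buf.Bytes())
	sig, err := rsa.SignPKCS1v15(rand.Reader, collectorKey, crypto.SHA256, sum[:])
	if err != nil {
		return nil, err
	}
	return &ArchiveRecord{Compressed: buf.Bytes(), Signature: sig}, nil
}
// Verify recomputes the checksum over the stored file and checks the signature
// with the collector's public key; any change to the bytes or signature fails.
func Verify(rec *ArchiveRecord, collectorPub *rsa.PublicKey) bool {
	sum := sha256.Sum256(rec.Compressed)
	return rsa.VerifyPKCS1v15(collectorPub, crypto.SHA256, sum[:], rec.Signature) == nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	raw := bytes.Repeat([]byte("Apr 10 12:00:01 fw1 kernel: DROP SRC=203.0.113.5 DST=10.0.0.2\n"), 200) // constructed
	rec, _ := Archive(raw, key)
	fmt.Println("intact:", Verify(rec, &key.PublicKey))
	rec.Compressed[20] ^= 0xff // simulate tampering with the stored archive
	fmt.Println("after tampering:", Verify(rec, &key.PublicKey))
}
```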

Building Blocks - Normalize
Logs from different networks, systems, applications and vendors are formatted in different ways, even when the events are semantically equivalent. Logs collected are normalized and stored in a common schema at the time of collection, for further processing and for ad hoc search and reporting. Analysis and correlation are designed to present these logs in a unified view across heterogeneous vendor data formats.

Building Blocks - Analyze
Actuate the process of Threat Intelligence for analysis. What is Threat Intelligence (TI)? Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets, that can be used to inform decisions regarding the subject's response to that menace or hazard. Threat Intelligence is all about collecting, refining, analyzing and prioritizing vast quantities of data in order to enable a tactical decision to be made about your defenses.

Building Blocks - Threat Analysis through Intelligence
Perform an evidence-based evaluation of the security events for detecting and responding to threats effectively. Key benefits:
- Focus on the most severe security events based on their actual technical and business impact.
- Evaluate the risks based on evidence and decide what precautions need to be taken.
- Continuously evaluate the effectiveness of the current security controls against emerging threats.

Building Blocks - Threat Intelligence Methodology
Obtain evidence-based intelligence on events and activities for estimating the business risk. Diagram labels: Risk calculation; Threat mitigation; Global Reputation; Suspicious characteristics; Vulnerability Exposure (NVD, VA Scans); Asset Value; Reporting module (FW, IPS, Endpoint); Automated actions (Block, Detect, Quarantine); Affected products; CVE References; Exploitability; Duration.

Building Blocks - Analyze (Pre-Correlation) 1/2
During the analysis, the following data activities are performed:
- Link: delivers insights above and beyond those of individual feeds stored independently.
- Enrich: enables us to do linking and relating better, and also provides a way to validate weak TI signals.
- Relate: discover new threat activities and expand the scope of the organization's response process.

Building Blocks - Analyze (Pre-Correlation) 2/2
Data activities, continued:
- Validate: TI is matched against known industry blacklists, which enables us to either promote or demote some pieces of intelligence.
- Contextualize: make TI data more relevant to the organization.
- Tag: collected events (logs) are tagged with this information, such as Relevant/Not Relevant to the target host.
- Risk Calculation: a Risk Index is calculated based on the outcome of the above process.

Building Blocks - Correlate
Correlate normalized logs to identify malicious and/or misuse activity based on:
- Threat Intelligence (Analysis phase)
- CVSS 2.0 (Common Vulnerability Scoring System) (Analysis phase)
- Vulnerabilities that may exist on the target host: vulnerability information from Nessus and Acunetix, with support for other vulnerability assessment tools
- Statistical and behavioral analysis
The output of the Analysis phase is used during the Correlation phase.

Building Blocks - Correlation Methodology
Threat Intelligence inputs: IP reputation, malware sites, anonymous proxies.
1st step: number of events detected within a time interval
2nd step: pattern/behavior identification (DoS, web-specific, service probing)
3rd step: asset vulnerabilities vs. attacks
4th step: continuous monitoring of suspicious activity, including IP, type, etc.
5th step: use the existing correlation rules provided, or develop your own (edit, add correlation rules)
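Steps 1 to 3 of this methodology, together with the Relevant/Not Relevant tagging from the Analyze (Pre-Correlation) slide, as an added Go example that is not ClearSkies' code: events per source are counted inside a time interval, a service-probing pattern is flagged from the number of distinct target ports, and an attack is marked relevant when the target host's vulnerability scan lists the CVE the attack references. The event schema, the asset map, the thresholds and the CVE-EXAMPLE-1 identifier are constructed assumptions.

```go
package main

import "time"
// Event is a normalized log record (constructed schema, not ClearSkies' own).
type Event struct {
	Time    time.Time
	Src     string // source IP
	Dst     string // target host
	DstPort int
	CVE     string // CVE referenced by the triggering signature, "" if none
}
// Incident is the result for one source: the step 1 count, the step 2 probing
// pattern, and step 3 relevance (an attack matched a CVE present on the target).
type Incident struct {
	Events            int
	Probing, Relevant bool
}
// Correlate applies steps 1-3 to the events inside the interval that starts at
// the first event. assets maps a target host to the CVEs its vulnerability scan
// reported. A source is reported at minEvents, or at once when Relevant.
func Correlate(events []Event, assets map[string]map[string]bool, window time.Duration, minEvents, minPorts int) map[string]Incident {
	found := map[string]Incident{}
	if len(events) == 0 {
		return found
	}
	cutoff := events[0].Time.Add(window)
	ports := map[string]map[int]bool{} // distinct target ports per source
	for _, e := range events {
		if e.Time.After(cutoff) {
			continue // outside the interval (step 1)
		}
		inc := found[e.Src]
		inc.Events++
		if ports[e.Src] == nil {
			ports[e.Src] = map[int]bool{}
		}
		ports[e.Src][e.DstPort] = true
		inc.Probing = len(ports[e.Src]) >= minPorts // service probing pattern (step 2)
		if e.CVE != "" && assets[e.Dst][e.CVE] {
			inc.Relevant = true // attack matches a vulnerability on the target (step 3)
		}
		found[e.Src] = inc
	}
	for src, inc := range found {
		if inc.Events < minEvents && !inc.Relevant {
			delete(found, src) // below threshold and not relevant: keep monitoring (step 4)
		}
	}
	return found
}
```

A relevant attack is escalated even as a single event, which is the point of step 3: the same signature against a host without the vulnerability stays a low-count observation.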

Building Blocks - Incident Escalation
Incidents raised must be assigned to specific user(s) or a group of users. By default, when an incident is assigned to specific user(s) or a group, an email message providing detailed information is sent to these users. User(s) or groups of users can be configured to receive push notifications on their iOS and Android smartphones and/or tablets using Odyssey's app.*
*The iOS and Android app can be downloaded from the iTunes and Google Play stores or by visiting our web site http://www.odysseyconsultants.com/whoweare/companyoverview/tools/

Building Blocks - Summary
- Collect raw logs generated by diverse systems, applications and/or security devices.
- Archive the raw logs collected: during this process the Collector digitally signs and compresses the raw logs, using a high-ratio compression of up to 80%.
- Normalize the raw logs collected (prepare the logs for analysis).
- Analyze the normalized logs against the Threat Intelligence provided by ITHACA Labs: IP reputation, anonymous proxies, malware, bots/zombies (command and control), dynamic DNS assignment (No-IP).
- Correlate the normalized logs to identify malicious and/or misuse activities based on: threat intelligence (the outcome of the analysis phase); CVSS 2.0 (Common Vulnerability Scoring System); relativity of the attack based on the asset information/characteristics (operating system, application vendor and version, vulnerabilities present); statistical and behavioral analysis.
- Incident escalation.


Supported Vendors/Devices for Log Collection

Do You Have Any Questions?

THANK YOU!