CAS8489 Delivering Security as a Service (SIEMaaS)
November 2014
Usman Choudhary, Senior Director, usman@netiq.com
Rajeev Khanolkar, CEO, SecurView
Agenda
- What is Security Monitoring? Definition & concepts
- SIEM as a Service (SIEMaaS): definition, market size & opportunity
- SIEM as-a-service with Sentinel 7: NetIQ Sentinel product overview, customer use cases, technology preview
- Q&A
2014 NetIQ Corporation and its affiliates. All Rights Reserved.
Information is the Lifeblood of the Organization
Must presume you're under attack.
2012 NetIQ Corporation. All rights reserved.
Protecting Information Assets is a Challenge
- New, persistent threats
- Expanding computing environment
- Staff stretched thin
- Business / mission keeps moving
Constant change & complexity result in lack of control and visibility.
Security as a Service
- Perimeter defense & vulnerability scanning: IDS/IPS, DDoS protection, messaging gateways, etc.; vulnerability and/or threat notification services, etc.
Powered by NetIQ:
- Log Management and Analysis: log collection and compliance reporting; forensic analysis
- Security Monitoring and Analysis: security information and event monitoring; threat analysis & incident management; assess compliance with, and change from, best-practice configuration
- Blended solutions: IAM + security monitoring, perimeter defense, vulnerability scanning, etc.
SIEM as-a-service
SIEM as-a-service Enterprise Business Drivers
- Attacks expose gaps in security, process and policy
- Gaining actionable information requires expertise most organizations don't have
- Low-cost alternative to capital security investment
SIEM as-a-service Market Numbers
- By 2015, over 30% of SIEM deployments will include service-based event monitoring or SIEM management components, up from less than 5% today (Gartner 2012: Predicts 2013: Cloud and Services Security)
- The global cloud-based security service market is estimated to grow from $2.5 billion in 2013 to $4.2 billion by 2016; SIEM as a service, IAM in the cloud, and remote vulnerability assessments show the highest growth (Gartner 2013: Security Services Market Trends)
2013 NetIQ Corporation. Confidential and Proprietary Information; release subject to NDA. Note: Dates shown are subject to change.
SIEM as-a-service Definition
Service providers that continuously:
- Monitor in near real-time (24x7x365) the state of customers' perimeter devices and enterprise services, and correlate/analyze the information stream to identify threats and their impact on assets
- Manage incidents using remote Security Operations Center teams
- Report on compliance with security and regulatory controls
- Operate a pay-as-you-grow business model
SIEM as-a-service Adoption Stages / Service Levels
- Stage 1: Compliance Monitoring as-a-service: log management; reporting & analysis
- Stage 2: IT Security Monitoring as-a-service: complete SIEM capabilities; real-time monitoring of perimeter devices and servers
- Stage 3: Business Operations Security Monitoring as-a-service: configuration scanning; change monitoring; identity tracking; privileged user activity
- Stage 4: Monitor internal infrastructure and as-a-service offerings
SIEM as-a-service Methodology (a cycle driven by business requirements)
- Analyze: baseline normal behavior; define critical systems and users; evaluate risks; define controls
- Implement: architecture; security controls; monitoring controls
- Deploy
- Monitor: real-time risk management; security intelligence; incident management
- Measure: configuration & vulnerability scans; audits
SIEM as-a-service: Delivery Model
Sentinel 7 - Product Capabilities
Identity-Powered Security
- Minimize rights
- Monitor user activity
- Enforce access controls
NetIQ Sentinel
Classify, enrich and correlate real-time event data across disparate information sources to detect internal and external threats, in order to prevent breaches and reduce business disruption.
NetIQ Sentinel: "Tell me where I need to look"
Sentinel 7 Threat Event Lifecycle
- Devices: log sources; native protocols; configuration; confidentiality; throughput; custom?
- Collect
- Processing: parsing; normalization; classification
- Log Storage: compression; speed; data retention; data disposal; raw data; exports
- Analytics: correlation rules; anomaly rules; context and priority; asset and identity; vulnerability and exploit; custom?
- Feedback into collection: noise reduction; system tuning; knowledgebase; new integration
- Alerting: criticality; next steps; decisions; knowledge share; export; automation
- Forensics: search; reporting; context; asset and CMDB; identity; vulnerability and exploit
- Incident: SIEM workflow; handoff; permissions; external teams; external case management
Types of Monitoring with Sentinel 7
Identify Bad Sources & Targets with Correlation + Anomaly Rules
Eliminate False Positives with Context
- Identity Enrichment: enhanced identity-based user activity monitoring
- Mobile Device Identity Enrichment: context from Cisco ISE/pxGrid
- Threat + Vulnerability: positively differentiate between an attack and an attempt
- Change Alerts: deep insight from configuration change auditing
Cisco ISE pxGrid context sharing
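As an added example (not NetIQ's or Sentinel's code), the following Python sketch walks the lifecycle stages above: it parses two constructed log formats into a common schema, correlates failed and successful logins per source, and uses constructed asset vulnerability and owner context to separate an exploit attack from a mere attempt, as the context slide describes. Every log line, address, signature name and context table is constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample logs in two native formats (not real data).
RAW = [
    "2014-11-03T10:00:01 sshd[201]: Failed password for root from 10.0.0.7",
    "2014-11-03T10:00:04 sshd[201]: Failed password for root from 10.0.0.7",
    "2014-11-03T10:00:09 sshd[201]: Failed password for root from 10.0.0.7",
    "2014-11-03T10:00:12 sshd[201]: Accepted password for root from 10.0.0.7",
    "2014-11-03T10:05:00 IDS alert sig=SIG-EXAMPLE-1 src=203.0.113.9 dst=10.0.0.20",
    "2014-11-03T10:05:30 IDS alert sig=SIG-EXAMPLE-1 src=203.0.113.9 dst=10.0.0.21",
]
SSH = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")
IDS = re.compile(r"^(\S+) IDS alert sig=(\S+) src=(\S+) dst=(\S+)$")
# Constructed asset context: known vulnerable signatures and owning identity per host.
ASSET_VULNS = {"10.0.0.20": {"SIG-EXAMPLE-1"}, "10.0.0.21": set()}
ASSET_OWNER = {"10.0.0.20": "web-team", "10.0.0.21": "lab"}

def normalize(line):
    """Processing stage: parse a native line into a common schema, or None."""
    m = SSH.match(line)
    if m:
        ts, outcome, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "cls": "auth",
                "outcome": outcome.lower(), "user": user, "src": src}
    m = IDS.match(line)
    if m:
        ts, sig, src, dst = m.groups()
        return {"ts": datetime.fromisoformat(ts), "cls": "ids", "sig": sig, "src": src, "dst": dst}
    return None

def correlate(events, window=timedelta(minutes=1), threshold=3):
    """Analytics stage. Rule 1: >= threshold failures from one source/user in the window,
    then a success. Rule 2: an IDS hit is an 'attack' only if the asset is vulnerable."""
    alerts, fails = [], defaultdict(list)
    for e in events:
        if e["cls"] == "auth":
            key = (e["src"], e["user"])
            if e["outcome"] == "failed":
                fails[key].append(e["ts"])
            elif sum(e["ts"] - t <= window for t in fails[key]) >= threshold:
                alerts.append({"rule": "brute_force_success", "src": e["src"],
                               "user": e["user"], "priority": "critical"})
        else:
            hit = e["sig"] in ASSET_VULNS.get(e["dst"], set())   # vulnerability context
            alerts.append({"rule": "exploit_attack" if hit else "exploit_attempt",
                           "src": e["src"], "dst": e["dst"], "owner": ASSET_OWNER.get(e["dst"]),
                           "priority": "critical" if hit else "low"})
    return alerts

def run(lines=RAW):
    return correlate([e for e in map(normalize, lines) if e])  # collect -> normalize -> correlate
```

Running `run()` yields one critical brute-force alert and two IDS alerts of which only the one against the vulnerable host is rated critical; the other is kept as a low-priority attempt rather than dropped.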
Analyze Advanced Targeted Attacks: real-time views of trends, alert dashboards
Sentinel (SIEMaaS) Architecture
Sentinel Architecture: Deployment Flexibility
The provider can collect from each tenant's endpoints, network and servers through:
- Low-touch collection
- Agent-based collection
- Local collection
- Federated data
Sentinel Architecture: Multi-tenancy
Tenant endpoints, network and servers can be served from:
- A shared instance
- A shared instance migrated to a dedicated instance
- A dedicated instance per tenant
SIEMaaS with NetIQ Sentinel
Why Sentinel for SIEM as-a-service?
Business:
- Ready to support providers' business development and sales
- Will not compete with our own offering
- Flexible pricing: the model can be adjusted to fit how the provider charges customers
- Pay as you grow, no immediate upfront investment
Technology:
- Identity-based monitoring
- Flexible architecture & multi-tenancy
- Extensible solution: SDK / APIs
- Easy-to-use analysis, search and reporting
- Efficient integration of threat, identity and other context
- Early Adopter program
Success Story: Atos High Performance Security powered by NetIQ Sentinel TM
2008 Beijing Olympic Games: AHPS takes millions of raw events and, via intelligent processing and correlation, reduces them to a few critical events. This reduces manpower requirements, improves operational efficiency, and results in zero downtime and zero business effect.
Event funnel:
- 201m filtered events
- 443k correlated events
- 1,500 alarms
- 90 critical events
ATOS HIGH PERFORMANCE SECURITY www.atosorigin.com/security
2012 London Olympic Games: four billion people watching, zero security breaches
Atos SIEM platform (powered by NetIQ Sentinel):
- 255 million messages received during the Olympics
- 4.5 million correlated events, 5,324 incidents, 686 tickets
- Zero security incidents impacted live competition
Customer Examples
NetIQ SIEMaaS Customer Examples
- ATOS High Performance Security (AHPS)
- Thales (France)
- Level 3
- Verizon Terremark
- Rackspace
- SecureView
- Alcatel-Lucent
- Huawei
- CWT (Taiwan)
- Scitum (Mexico)
Don't miss the Identity-Powered Experience in IT Central. Thank you.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time. Copyright 2014 NetIQ Corporation and its affiliates. All Rights Reserved. ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States.