2012-12-12 seminar mcafee esm
DESCRIPTION
In practice it often proves difficult to determine which risks an organisation faces and what security level is appropriate for them. Yet this knowledge is necessary in order to take the right measures and invest effectively in information security. On 12 December 2012 Pinewood, in cooperation with McAfee, organised a seminar that addressed this. Useful tools such as Risk Management and McAfee Nitro (McAfee's SIEM product), together with Pinewood's pragmatic approach, offer concrete guidance and insight for arriving at an effective information security policy.
TRANSCRIPT
McAfee Confidential—Internal Use Only
McAfee ESM Fulfilling the Promise of SIEM
December 13, 2012
Jan Hereijgers
Enterprise Account Manager, SIEM
The State of SIEM
Legacy SIEM reality:
• Antiquated architectures force choices between time-to-data and intelligence
• Events alone do not provide enough context to combat today's threats
• Complex usability and implementation have caused costs to skyrocket
vs.
SIEM promise:
• Turns security data into actionable information
• Provides an intelligent investigation platform
• Supports management and demonstration of compliance
NitroSecurity Next Generation SIEM
The Big Security Data Challenge
(chart: event volume grows from thousands of events to billions of events; capability moves from consolidating logs and correlating events towards anomalies, large-volume analysis, multi-dimensional active trending and long-term (LT) analysis; drivers shown: perimeter, APTs, cloud, data, insider, compliance, historical reporting)
ESM: Delivering on the Promise
• Meaningful intelligence
• Rapid response
• Exceptional value
• Big Security Data DB
• Continuous compliance
Different From the Ground Up … The McAfee SIEM Event Database
• High-speed database used extensively throughout the US DOD and DOE
• Award-winning Sage/AdaSage technology
• 15 years and over $30M invested in development at the Idaho National Laboratory (INL)
• Purpose-built for rapid streaming of security events
• Up to 100,000 database insertions per second
• Custom fields and data definitions specific to security events
• Rich event taxonomy with 16 indexes
• Provides event-data warehousing with a minimal HW footprint
• Facilitates real-time business intelligence for security and compliance
• Perfected during ~300 man-years of joint development
Log Management
INVESTIGATE LOGS AFTER THE FACT
Log Management and Search → Investigate
• See log frequencies
• Search for logs
Legacy SIEM
DETECTION OF KNOWN SUSPICIOUS PATTERNS
Sources: device and application log files; authentication and IAM; events from security devices and endpoints; user, identity, location; VA scan data, network flows, time, OS events
Layers: Log Management, Traditional Context → Visualize, Investigate
• See log frequencies
• Search for logs
• Correlate events
Content Awareness
Sources: VA scan data, network flows, time, OS events, plus applications and database
Layers: Log Management, Traditional Context, Content Aware → Visualize, Investigate, Respond
• Flows indicate frequency but miss the what, who and how
• Application and database complete the picture
• Application logging inhibited by performance
• Database logging inhibited by politics
• See log frequencies
• Search for logs
• Correlate events
• What data is involved?
• Who is doing it?
ESM Fulfills Today's SIEM Needs
Layers: Log Management, Traditional Context, Content Aware, Dynamic Content → Visualize, Investigate, Respond
Global threat landscape and enterprise risk landscape: ePolicy Orchestrator, Risk Advisor, Advanced Correlation Engine
• See log frequencies
• Search for logs
• Correlate events
• What data is involved?
• Who is doing it?
• Are they a bad actor?
• What is the risk of the system?
• What is the risk of the user?
• Threat intelligence feed
• Immediate alerting
• Historical analysis
• Vulnerabilities
• Countermeasures
• Individuals
ESM Fulfills Today's SIEM Needs (scalable architecture build-up; same layers, sources and questions as the previous slide)
Added: Big Security Data DB; high-speed intelligent correlation; applications and database OPTIMIZED
Example workflows:
1. Shut down bad actor
2. Analyze last year's events
3. Compliance issue identified
4. Investigate high-risk system
GTI with SIEM Delivers Even Greater Value
Sorting Through a Sea of Events…
200M events and logs → 18,000 alerts → dozens of endpoints → handful of users → specific files breached (if any) → optimized response (RESPOND)
• Have I been communicating with bad actors?
• Which communication was not blocked?
• What specific servers/endpoints/devices were breached?
• Which user accounts were compromised?
• What occurred with those accounts?
• How should I respond?
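The funnel on this slide is a sequence of joins: a threat-intelligence list narrows the flow records, the firewall verdict narrows those to unblocked contacts, the endpoints involved narrow the logons, and the logons narrow the file-access records. The following Python is an added example written for this page, not McAfee or NitroSecurity code; the threat-intelligence list, the log records and the field names (dst_ip, action, host, user, path) are all constructed here and stand in for a GTI feed and for normalised SIEM events.

```python
"""Event-funnel triage: narrow a flood of events to the few that matter.

Added example (not McAfee/NitroSecurity code). Each stage answers one of the
questions on the slide, using constructed sample logs and a constructed
threat-intelligence list (RFC 5737 documentation addresses only).
"""
from datetime import datetime

# Constructed threat-intelligence feed; stands in for a GTI-style reputation list.
BAD_ACTORS = {"203.0.113.7", "198.51.100.23"}

# Constructed sample events already normalised into a common shape:
#   flow  = firewall/proxy record with verdict
#   auth  = successful or failed logon on a host
#   file  = file-server access by an account
EVENTS = [
    {"ts": "2012-12-12T09:01:00", "type": "flow", "src_host": "ws-017", "dst_ip": "203.0.113.7", "action": "blocked"},
    {"ts": "2012-12-12T09:02:10", "type": "flow", "src_host": "ws-042", "dst_ip": "203.0.113.7", "action": "allowed"},
    {"ts": "2012-12-12T09:02:30", "type": "flow", "src_host": "ws-042", "dst_ip": "192.0.2.50", "action": "allowed"},
    {"ts": "2012-12-12T09:05:00", "type": "flow", "src_host": "srv-db1", "dst_ip": "198.51.100.23", "action": "allowed"},
    {"ts": "2012-12-12T09:03:00", "type": "auth", "host": "ws-042", "user": "jsmith", "result": "success"},
    {"ts": "2012-12-12T09:06:00", "type": "auth", "host": "srv-db1", "user": "svc-backup", "result": "success"},
    {"ts": "2012-12-12T08:00:00", "type": "auth", "host": "srv-db1", "user": "dba1", "result": "success"},  # before contact
    {"ts": "2012-12-12T09:10:00", "type": "file", "user": "jsmith", "path": "/finance/q4-forecast.xlsx", "op": "read"},
    {"ts": "2012-12-12T09:12:00", "type": "file", "user": "svc-backup", "path": "/hr/payroll.csv", "op": "read"},
    {"ts": "2012-12-12T09:15:00", "type": "file", "user": "amiller", "path": "/public/handbook.pdf", "op": "read"},
]


def triage(events, bad_actors):
    """Run the funnel and return the counts and entities left at each stage."""
    # 1. Have I been communicating with bad actors?
    contact = [e for e in events if e["type"] == "flow" and e["dst_ip"] in bad_actors]
    # 2. Which communication was not blocked?
    unblocked = [e for e in contact if e["action"] != "blocked"]
    # 3. Which endpoints were breached? Record the earliest unblocked contact per host,
    #    so later stages only consider activity after the host was exposed.
    first_contact = {}
    for e in unblocked:
        t = datetime.fromisoformat(e["ts"])
        h = e["src_host"]
        if h not in first_contact or t < first_contact[h]:
            first_contact[h] = t
    # Hosts that only ever had blocked contact are not breached but still worth a look.
    blocked_only = sorted({e["src_host"] for e in contact} - set(first_contact))
    # 4. Which user accounts were compromised? Successful logons on an exposed host
    #    at or after its first unblocked contact.
    accounts = set()
    for e in events:
        if e["type"] == "auth" and e["result"] == "success" and e["host"] in first_contact:
            if datetime.fromisoformat(e["ts"]) >= first_contact[e["host"]]:
                accounts.add(e["user"])
    # 5. What occurred with those accounts? Files touched by the suspect accounts.
    files = sorted({e["path"] for e in events if e["type"] == "file" and e["user"] in accounts})
    return {
        "events": len(events),
        "bad_actor_contacts": len(contact),
        "unblocked": len(unblocked),
        "endpoints": sorted(first_contact),
        "blocked_only_hosts": blocked_only,
        "accounts": sorted(accounts),
        "files": files,
    }


def response_plan(summary):
    """6. How should I respond? Turn the narrowed result into a containment checklist."""
    actions = [f"isolate endpoint {h} from the network" for h in summary["endpoints"]]
    actions += [f"disable account {u} and force a credential reset" for u in summary["accounts"]]
    actions += [f"review access to {p} and notify the data owner" for p in summary["files"]]
    actions += [f"check {h} for the reason it attempted the blocked contact" for h in summary["blocked_only_hosts"]]
    return actions


if __name__ == "__main__":
    result = triage(EVENTS, BAD_ACTORS)
    for key, value in result.items():
        print(f"{key}: {value}")
    for step in response_plan(result):
        print("-", step)
```

On the ten constructed events the funnel ends at two endpoints, two accounts and two files; the time check is what keeps the earlier, unrelated dba1 logon on srv-db1 out of the result. On real data the same joins run over the normalised event fields the SIEM already indexes, which is why the slide's 200M-to-handful reduction is a query, not a manual hunt.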
Scalable and Intelligent Architecture
Components: McAfee Enterprise Security Manager, McAfee Enterprise Log Manager, McAfee Application Data Monitor, McAfee Database Event Monitor, McAfee Advanced Correlation Engine, McAfee Receivers, Big Security Data DB
Capabilities: adaptive risk analysis and historical correlation; integrated SIEM and log management; rich application and DB context; scalable collection and distributed correlation; intelligence and operational efficiency (MRA, SIA, ePO, GTI)
Summary Overview: McAfee ESM (NitroSecurity)
Founded: 1999
Description: Nitro develops the industry's fastest analytical tools to identify, correlate and remediate information security threats in minutes instead of hours
Employees: 120 employees
Headquarters: Portsmouth, NH. R&D facilities in Idaho Falls.
Customers: 700+ active customers. 30 in Fortune 500. 60% of business through channel. 50% of business in US Federal
Acquisitions: Acquired Rippletech (log collection and reporting technology) and LogMatrix (analytics technology)
Financials: 2010 Bookings = $25MM; 50% growth YoY for trailing 3 years
Notable Customers
Gartner SIEM MQ
Customer Case Study: McAfee (pre-acquisition)
OPPORTUNITY
• Internal security / compliance (Plano, TX)
• Major SIEM installed for two years
• “Never completed the initial deployment plan even with multiple $000,000’s of pro services”
• “Can get the log data in, but CANNOT get useful information out”
DECISION
• “Nitro” and Q1 shortlisted
• POC consisted of replicating original deployment plan
• Q1Labs exhibited same performance issues as existing solution
• Nitro is selected
RESULTS
• Deployed and delivering value in 30 days
• 2 appliances outperformed 32 core SIEM deployment
• Eliminated consulting and instrumentation spend on making SIEM work
ESM: True Situational Awareness
• Greatest accuracy in pinpointing threats
• Fastest time-to-respond
• Continuous compliance monitoring
• Cost effective through low TCO and rapid time-to-value