Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based …

World's #1 SIEM technology in GRC (Governance, Risk, Compliance). QRadar Risk Manager provides organizations with a pre-exploit solution that allows network security professionals to assess what risks exist during and after an attack, while also answering many "What if?" questions ahead of time, which can greatly improve operational efficiency and reduce network security risks.
  • 1. Together with
  • 2. “Data Security Solutions” brief intro
      Specialization – IT Security
      IT Security consulting (vulnerability assessment tests, security audit, new systems integration, HR training, technical support)
      Innovative & selected software / hardware & hybrid solutions from leading technology vendors from over 10 different countries
  • 3. It doesn’t matter what framework and standard You are working with as an auditor
      It doesn’t matter if You are an internal or external auditor, CSO, CIO, technical or business person
      Automated and real time «Security Intelligence» is what You need as mandatory for GRC –
      Risk Assessment & Management
      IT Security Governance & Management
      Control of activities and environment
      Performance measurement and improvement
      Benefits from better alignment with business (cost saving, efficiency etc.)
  • 4. Agenda
      Introduction
      Security Information and Events Management (SIEM)
      Use cases of SIEM
      SIEM based Risk Management
      Q&A
  • 5. Around 1500 IT Security vendors for
      Endpoint Security: platforms and point solutions
      Data Security & Encryption: DLP suites and point solutions
      Network Security: gateway solutions; NAC, visibility, NBA
      Authentication, authorization etc.: traditional and next generation’s identity protection
      Virtualization and cloud security
      IT Security governance
      Operational management & Security
      Mobile Security
  • 6. Network and security professionals’ focus tends to be on preventing bad things from happening on the network
      There is already a significant amount of spending on tools designed to prevent bad things from getting into the network
      When things go bad, it is because the network and security practitioner doesn’t know what they don’t know
  • 7. User and System Activity
      Runaway Application
      Customer Transaction
      Email BCC
      Failed Logon
      Security Breach
      File Up/Download
      Credit Card Data Access
      Information Leak
      Privileges Assigned/Changed
      50%?
  • 8. What logs –
      Audit logs
      Transaction logs
      Intrusion logs
      Connection logs
      System performance records
      User activity logs
      Business systems alerts and different other systems messages
      From where –
      Firewalls / Intrusion prevention
      Routers / Switches
      Intrusion detection
      Servers, desktops, mainframes
      Business applications
      Databases
      Antivirus software
      VPNs
      There is no standard format or transportation method for logs; there are more than 800 log file formats in use.
  • 9. Security Intelligence provides actionable and comprehensive insight for managing risks and threats from protection and detection through remediation. It could even be called a Security Mega-System.
      Security Intelligence -- noun
      1. the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise
  • 10. Monitor / Analyze / Act
      Auto-discovery of log sources, applications and assets
      Asset auto-grouping
      Centralized log mgmt.
      Automated configuration audits
      Auto-tuning
      Auto-detect threats
      Thousands of pre-defined rules and role based reports
      Easy-to-use event filtering
      Advanced security analytics
      Asset-based prioritization
      Auto-update of threats
      Auto-response
      Directed remediation
  • 11. Log Management
      • Turnkey log management
      • SME to Enterprise
      • Upgradeable to enterprise SIEM
      SIEM
      • Integrated log, threat, risk & compliance mgmt.
      • Sophisticated event analytics
      • Asset profiling and flow analytics
      • Offense management and workflow
      Risk Management
      • Predictive threat modeling & simulation
      • Scalable configuration monitoring and audit
      • Advanced threat visualization and impact analysis
      Network Activity & Anomaly Detection
      • Network analytics
      • Behavior and anomaly detection
      • Fully integrated with SIEM
      Network and Application Visibility
      • Layer 7 application monitoring
      • Content capture
      • Physical and virtual environments
      One Console Security – Built on a Single Data Architecture
  • 12. What was the attack?
      Who was responsible?
      How many targets involved?
      Was it successful?
      Where do I find them?
      Are any of them vulnerable?
      How valuable are they to the business?
      Where is all the evidence?
      Clear & concise delivery of the most relevant information …
  • 13. IRC on port 80? QFlow enables detection of a covert channel.
      Irrefutable Botnet Communication: Layer 7 data contains botnet command and control instructions.
      Potential Botnet Detected? This is as far as traditional SIEM can go.
  • 14. Authentication Failures: Perhaps a user who forgot their password?
      Brute Force Password Attack: Numerous failed login attempts against different user accounts.
      Host Compromised: All this followed by a successful login.
      Automatically detected, no custom tuning required.
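The three-stage correlation on slide 14 (a few failures against one account are probably a forgotten password; many failures across different accounts from one source are a brute force attack; a successful login from that same source afterwards is a likely compromise) as an added worked example, written for this page and not taken from the slides or from QRadar. It replays constructed sshd-style auth log lines through a small Python correlator; the five-minute window, the thresholds, the rule names and the field layout are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style syslog lines for the walkthrough (not taken from the slides).
# 10.0.0.5 mistypes a password twice and then gets in; 203.0.113.9 sprays five
# accounts and then logs in as "backup".
SAMPLE_LOG = """\
May 15 10:00:01 host1 sshd[2001]: Failed password for alice from 10.0.0.5 port 51000 ssh2
May 15 10:00:03 host1 sshd[2002]: Failed password for alice from 10.0.0.5 port 51001 ssh2
May 15 10:00:07 host1 sshd[2003]: Accepted password for alice from 10.0.0.5 port 51002 ssh2
May 15 10:05:00 host1 sshd[2101]: Failed password for root from 203.0.113.9 port 40000 ssh2
May 15 10:05:01 host1 sshd[2102]: Failed password for admin from 203.0.113.9 port 40001 ssh2
May 15 10:05:02 host1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.9 port 40002 ssh2
May 15 10:05:03 host1 sshd[2104]: Failed password for invalid user test from 203.0.113.9 port 40003 ssh2
May 15 10:05:04 host1 sshd[2105]: Failed password for backup from 203.0.113.9 port 40004 ssh2
May 15 10:05:09 host1 sshd[2106]: Accepted password for backup from 203.0.113.9 port 40005 ssh2
"""

# Field layout is an assumption about OpenSSH's log wording; unrelated lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port"
)


def parse_auth_log(text, year=2013):
    """Normalise raw lines into (timestamp, host, outcome, user, src) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth event we understand: ignore rather than fail
        # syslog timestamps carry no year; the caller supplies one
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["host"], m["outcome"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def correlate(text, window=timedelta(minutes=5), min_failures=5, min_accounts=3):
    """Replay the log through the rule chain and return findings in the order they fire.

    Rules (assumed thresholds):
      brute_force              >= min_failures failures from one source hitting
                               >= min_accounts distinct accounts inside the window
      host_compromised         an Accepted login from a source already flagged as brute_force
      possible_forgotten_password  failures then success, all against the same single account
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures still inside the window
    flagged = set()              # sources already raised as brute_force (raised once per episode)
    findings = []
    for ts, host, outcome, user, src in parse_auth_log(text):
        q = recent[src]
        while q and ts - q[0][0] > window:  # age out failures older than the window
            q.popleft()
        accounts = {u for _, u in q}
        if outcome == "Failed":
            q.append((ts, user))
            accounts.add(user)
            if src not in flagged and len(q) >= min_failures and len(accounts) >= min_accounts:
                flagged.add(src)
                findings.append({"rule": "brute_force", "src": src, "host": host,
                                 "failures": len(q), "accounts": len(accounts)})
        else:  # Accepted
            if src in flagged and q:
                findings.append({"rule": "host_compromised", "src": src, "host": host, "user": user})
            elif q and accounts == {user}:
                findings.append({"rule": "possible_forgotten_password",
                                 "src": src, "host": host, "user": user})
            # a success closes the episode for this source either way
            q.clear()
            flagged.discard(src)
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f)
```

The benign case and the attack case share the same first stage (failed logins), which is why the rule only escalates on the number of distinct accounts and on the success that follows; lowering `min_accounts` to 1 would turn every forgotten password into an offense, which is the tuning trade-off a SIEM rule author actually faces.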
  • 15. Sounds Nasty… But how do we know this? The evidence is a single click away.
      Buffer Overflow: Exploit attempt seen by Snort
      Network Scan: Detected by QFlow
      Targeted Host Vulnerable: Detected by Nessus
      Total Visibility: Convergence of Network, Event and Vulnerability data.
  • 16. Potential Data Loss? Who? What? Where?
      Who? An internal user
      What? Oracle data
      Where? Gmail
  • 17. Assessing the risks = Log management + Event management + Network activity monitoring + Configuration + Vulnerability Assessment
      Configuration:
      Most successful attacks are the result of poor configuration
      Configuration audits are expensive, labor intensive and time consuming
      Config files are inconsistent across vendors and product / technology types
      Compliance is mandatory in many industries
      Vulnerability Assessment:
      VA scanners don’t prioritize based on network context
      Vulnerability prioritization is historically complex
  • 18. SIEM is a foundation of security management in the 21st Century and provides mostly post-exploit value
      Risk Manager based on SIEM gives a detailed assessment of network security risk using broad risk indicators such as:
      WHAT HAS HAPPENED? (from network activity data and behaviour analysis)
      WHAT CAN HAPPEN? (from topology and configuration)
      WHAT HAS BEEN ATTEMPTED? (from events and context data)
      WHAT IS VULNERABLE AND AT RISK? (from scanners)
  • 19. Prediction & Prevention | Reaction & Remediation
      IBM Security Intelligence
      Simulation of incidents
      Error & anomaly detection
      Attack path visualization
      Compliance automation
      Risk Assessment
      Continuous real time audit
      Single console
      Integrated Intelligence
      Visualization
      Highest level of protection
  • 20. Predict Risk
      Detect Insider Fraud
      Consolidate Data Silos
      Exceed Regulation Mandates
      Detect Threats Others Miss