MID_SIEM_Boubker_EN
Presentation of a talk by McAfee lead developer Boubker Elmouttahid.
The talk was given at the McAfee & Intel DAY conference on October 15 in Kyiv.

    Presentation Transcript

    • McAfee Security Connected: Actionable Situational Awareness. Boubker Elmouttahid, CISSP, CISM, CRISC, Solution Architect, Management Platform. October 17, 2013. Confidential, McAfee Internal Use Only.
    • Security Connected Platform
      – NETWORK SECURITY: Access Control, Identity & Authentication, Intrusion Prevention, Network User Behavior Analysis, Next Generation Firewall
      – INFORMATION SECURITY: Data Loss Prevention, Email Security, Encryption, Web Security
      – SECURITY MANAGEMENT: Compliance, Policy Auditing & Management, Risk Management, Security Operations Console, SIEM, Vulnerability Management
      – ENDPOINT SECURITY: Application Whitelisting, Desktop Firewall, Device Control, Device Encryption, Email Protection, Embedded Device Protection, Endpoint Web Protection, Host Intrusion Protection, Malware Protection, Network Access Control, On Chip (Silicon-Based) Security, Server & Database Protection, Smartphone & Tablet Protection, Virtual Machine & VDI Protection
      – PARTNER COMMUNITY: Global Strategic Alliance Partners, McAfee Connected Security Innovation Alliance (SIA)
    • An Open, Full-Featured Platform: Partners and Integrated Solutions Deliver Management
    • McAfee Labs
      – Multi-discipline security research: malware (viruses, spyware, rootkits, etc.), spam and phishing, web security, network and host intrusion prevention, vulnerabilities and compliance checks
      – 24 x 7 emergency response team; 400+ researchers in 26 cities around the world
      – Holds 118+ patents and 148+ pending patents
    • What It Takes to Make An Organization Safe: Global Threat Intelligence (threat reputation), connected to Network IPS, Firewall, Web Gateway, Mail Gateway, Host AV, Host IPS and 3rd Party Feed
    • 112 Reputation Servers in 7 Data Centers (DataStore): London, Chicago, San Jose, Atlanta, Amsterdam, Tokyo, Hong Kong
    • McAfee Threat Landscape: The Core Problem
    • Key Motivations: Ego, Financial, Espionage, Weaponry, Purpose
    • Key Threats: Manufacturing, Medical Device, Energy, Data Base, SCADA, Mobile, Embedded, RSA, Conficker, Silicon, Night Dragon, Smart Cars, Stuxnet, Aurora, Social Media, Zeus, ATM/Kiosk, Apps, Entertainment, RF/IR, Bluetooth, Web, Virtual
    • Total Malware Samples: the McAfee “zoo” now contains more than 140 million unique malware samples. [Chart: Total Malware Samples by month, Jul-12 through Jun-13; y-axis 0 to 160,000,000]
    • Enterprise IT BIG Bets 2013: enable “Situational Security Awareness” through Big Security Data
      – Processing demands: less “matching”, more trending; long-term analysis for “low and slow” attacks; continuous compliance monitoring; immediate information access
      – Use cases and instrumentation, 2000 to 2013: Perimeter Security, Compliance, Insider Threat, Data Security, …
    • Big Data vs. Big Security Data
      – Big Data: datasets whose size and variety are beyond the ability of typical database software to capture, store, manage and analyse.
      – Big Security Data: understanding security data as big data. The size of security data is doubling annually; advanced threats demand collecting more data; legacy data management approaches are failing; SIEM use is shifting from compliance to security.
      – The questions: How do I gather security context? How do I manage big security information? How do I make security information management work?
    • “The Importance” of Big Security Data
      – Old attacks: amateurs; noisy; curious/mischievous; script driven; untargeted
      – New attacks: professionals; stealthy; for profit/intentional damage; professionally developed; targeted
      – Automated situational awareness; global threat intelligence
    • The Big Security Data Challenge (from thousands of events to billions)
      – Perimeter: thousands of events; consolidate logs, correlate events
      – Compliance: historical reporting
      – Insider: large volume analysis, anomalies
      – APTs and cloud data: billions of events; multi-dimensional analysis, active trending
    • THINK FAST…ACT FAST: Actionable Situational Awareness through Enhanced Data Management and Integration
      – Move Fast: a purpose-built data management engine that makes SIEM work and is security “big data” ready
      – Learn Quickly: turns billions of “so what” events into actionable information via context, content and advanced analytics
      – Act Decisively: leverages the value of Security Connected for faster response while lowering cost of ownership
    • MOVE FAST. eDB: a purpose-built data management engine that makes SIEM work. The McAfee ESM Extended Schema in 9.2 enables:
      – Improved tracking of assets via GUID, which keeps attribution accurate as IPs change
      – More custom fields, increasing the data collected, correlated and reported about an event
      – The ability to accumulate events (throughput, packets, URLs, etc.)
      …without compromising performance.
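The GUID point is easy to state and easy to get wrong: if events are keyed on the source IP, an asset that changes address loses its history and a reused address merges two assets. The example below is an added illustration, not McAfee ESM code: it resolves each event's IP to a stable asset GUID through a point-in-time lookup over a DHCP-style lease history and shows how the per-IP and per-asset counts differ. The lease records, the two hostnames used to derive GUIDs, and the events are constructed.

```python
"""Key security events on a stable asset GUID instead of the source IP, using
a DHCP-style lease history, so an asset keeps its history when its IP changes
and a reused IP is not misattributed.
Added example: not McAfee ESM code. Lease records and events are constructed."""
from bisect import bisect_right
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
import uuid

# Deterministic GUIDs for two hypothetical assets (uuid5 of an assumed hostname).
ASSET_A = str(uuid.uuid5(uuid.NAMESPACE_DNS, "ws-a.example.internal"))
ASSET_B = str(uuid.uuid5(uuid.NAMESPACE_DNS, "ws-b.example.internal"))


@dataclass(frozen=True)
class Lease:
    ip: str
    asset_guid: str
    start: datetime   # inclusive
    end: datetime     # exclusive


# Constructed lease history: 10.0.0.5 moves from asset A to asset B at noon.
LEASES = [
    Lease("10.0.0.5", ASSET_A, datetime(2013, 10, 17, 8), datetime(2013, 10, 17, 12)),
    Lease("10.0.0.5", ASSET_B, datetime(2013, 10, 17, 12), datetime(2013, 10, 17, 18)),
]

# Constructed events: (timestamp, source ip, signature).
EVENTS = [
    (datetime(2013, 10, 17, 9, 5), "10.0.0.5", "failed-login"),
    (datetime(2013, 10, 17, 10, 40), "10.0.0.5", "failed-login"),
    (datetime(2013, 10, 17, 11, 59), "10.0.0.5", "failed-login"),
    (datetime(2013, 10, 17, 13, 10), "10.0.0.5", "outbound-c2-beacon"),
    (datetime(2013, 10, 17, 14, 30), "10.0.0.5", "outbound-c2-beacon"),
    (datetime(2013, 10, 17, 15, 0), "10.0.0.99", "port-scan"),   # no lease on record
]


class AssetResolver:
    """Point-in-time IP -> asset GUID lookup over lease intervals sorted by start."""

    def __init__(self, leases):
        by_ip = defaultdict(list)
        for lease in leases:
            by_ip[lease.ip].append(lease)
        self._leases = {ip: sorted(ls, key=lambda l: l.start) for ip, ls in by_ip.items()}
        self._starts = {ip: [l.start for l in ls] for ip, ls in self._leases.items()}

    def resolve(self, ip, at):
        ls = self._leases.get(ip)
        if not ls:
            return None
        i = bisect_right(self._starts[ip], at) - 1   # last lease starting at or before `at`
        if i >= 0 and ls[i].start <= at < ls[i].end:
            return ls[i].asset_guid
        return None                                   # IP known, but no lease covers `at`


def build_resolver():
    return AssetResolver(LEASES)


def count_events(events, resolver):
    """Return (per-IP counts, per-asset counts); the per-IP view merges two assets."""
    by_ip, by_asset = Counter(), Counter()
    for ts, ip, _signature in events:
        by_ip[ip] += 1
        by_asset[resolver.resolve(ip, ts) or "unresolved"] += 1
    return by_ip, by_asset


if __name__ == "__main__":
    by_ip, by_asset = count_events(EVENTS, build_resolver())
    print(dict(by_ip))      # {'10.0.0.5': 5, '10.0.0.99': 1}
    print(dict(by_asset))   # {ASSET_A: 3, ASSET_B: 2, 'unresolved': 1}
```

Per IP, 10.0.0.5 looks like one noisy host with five events; per asset, it is three failed logins on one workstation and two beacon events on another, which is the split an analyst actually needs. Events that no lease covers are counted under an explicit "unresolved" bucket rather than silently dropped, since gaps in the lease feed are themselves worth watching.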
    • Learn Quickly: establishing baselines to identify deviations
      – Define abnormal patterns of activity using rolling averages
      – Sum events and track averages
      – Alert based on deviations from the norm
      – Identify anomalies and eliminate the guesswork
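The two slides above describe the mechanism only in outline. The following added example (not McAfee ESM code) implements it directly: a rolling per-key baseline of interval counts, with an alert when the current interval exceeds the mean by more than k standard deviations. It adds the two checks a practitioner wants in practice, an absolute floor so a flat baseline with zero variance does not alert on every one-count increase, and exclusion of flagged intervals from the baseline so an ongoing attack does not become the new normal. The window, k and floor values and the hourly counts are constructed assumptions.

```python
"""Per-key rolling baseline with deviation alerting.
Added example to illustrate "sum events, track averages, alert on deviation";
it is not McAfee ESM code. The hourly counts below are constructed."""
from collections import defaultdict, deque
from math import sqrt


class RollingBaseline:
    """Keeps the last `window` interval counts per key and flags an interval whose
    count exceeds mean + max(k * stddev, min_rise). The absolute floor stops a
    flat baseline (stddev 0) from alerting on every small increase."""

    def __init__(self, window=24, k=3.0, min_rise=10, warmup=3):
        self.window, self.k, self.min_rise, self.warmup = window, k, min_rise, warmup
        self.history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, key, count):
        """Score `count` against the key's current baseline, then update it.
        Returns (is_anomaly, baseline_mean, threshold)."""
        hist = self.history[key]
        if len(hist) < self.warmup:          # not enough history to judge yet
            hist.append(count)
            return False, None, None
        mean = sum(hist) / len(hist)
        std = sqrt(sum((x - mean) ** 2 for x in hist) / len(hist))
        threshold = mean + max(self.k * std, self.min_rise)
        anomaly = count > threshold
        if not anomaly:
            # Flagged intervals are kept out of the baseline so a sustained
            # attack does not train itself into "normal" (trade-off: a genuine
            # level shift keeps alerting until the baseline is re-seeded).
            hist.append(count)
        return anomaly, mean, threshold


def flagged_intervals(series, key="k", **kwargs):
    """Feed one series through a fresh baseline; return the indices that alert."""
    baseline = RollingBaseline(**kwargs)
    return [i for i, count in enumerate(series)
            if baseline.observe(key, count)[0]]


# Constructed hourly counts: a steady failed-login rate with one burst, and a
# bursty web-gateway request rate whose ordinary swings must not alert.
FAILED_LOGINS = [12, 9, 14, 11, 10, 13, 12, 11, 10, 12, 95, 13]
WEB_REQUESTS = [800, 1200, 950, 1350, 700, 1300, 1100, 2600]

if __name__ == "__main__":
    print(flagged_intervals(FAILED_LOGINS))   # [10]
    print(flagged_intervals(WEB_REQUESTS))    # [7]
```

The same threshold rule gives very different absolute thresholds for the two series because it is driven by each key's own variance: roughly mean + 10 for the near-constant login series, and mean + several hundred for the naturally bursty web series. Only upward deviations alert here; a sudden drop (a log source going quiet) is a separate and equally useful check.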
    • Learn Quickly: Global Threat Intelligence and IP Reputation
      – Event → IP reputation check (McAfee Labs IP reputation updates) → GOOD / SUSPECT / BAD
      – Automatic risk analysis via the Advanced Correlation Engine: SUSPECT → Medium Risk, BAD → High Risk → automatic identification
      – Reputation categories: Botnet/DDoS, Mail/Spam Sending, Web Access, Malware Hosting, Network Probing, Presence of Malware, DNS Hosting Activity, Intrusion Attacks
    • Learn Quickly: correlating both flows and events
      – Correlate events and flows in the Advanced Correlation engine, with events enhanced with GTI
      – Identify spikes in activity
      – Analyze the behavior of an individual host
      – Monitor compliance via analysis of application data, protocol and user
      – Detect zero-day threats through traffic profiling
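The reputation slide and the flow-correlation slide above describe two halves of one pipeline: an event is enriched with a reputation verdict, and flow records say whether the connection the event describes actually carried traffic. The added example below (not McAfee ESM or GTI code) joins the two. The reputation table is a constructed stand-in for a live feed and uses the slide's category names; the 5-minute corroboration window, the 1,000,000-byte outbound threshold, the downgrade of a BAD verdict with no observed flow to Medium, and all events and flows are assumptions made for the illustration.

```python
"""Reputation-enriched correlation of IDS events with flow records.
Added example for the IP-reputation and event/flow-correlation slides; it is
not McAfee ESM or GTI code. The reputation table stands in for a live feed and
every event and flow is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for a reputation feed, using the slide's category names.
REPUTATION = {
    "203.0.113.10": ("BAD", {"Malware Hosting", "Botnet/DDoS"}),
    "198.51.100.7": ("SUSPECT", {"Network Probing"}),
    "192.0.2.25": ("GOOD", set()),
}

# Assumed thresholds for the correlation rules below.
FLOW_WINDOW = timedelta(minutes=5)   # how close a flow must be to an event to corroborate it
EXFIL_BYTES = 1_000_000              # outbound volume that lifts a SUSPECT destination to High


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    signature: str


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    bytes_out: int
    bytes_in: int


T = datetime(2013, 10, 17, 10, 0)
EVENTS = [
    Event(T, "10.0.0.5", "203.0.113.10", "trojan-beacon"),
    Event(T + timedelta(minutes=5), "10.0.0.7", "198.51.100.7", "policy-violation"),
    Event(T + timedelta(minutes=10), "10.0.0.8", "198.51.100.7", "policy-violation"),
    Event(T + timedelta(minutes=20), "10.0.0.9", "203.0.113.10", "trojan-beacon"),
    Event(T + timedelta(minutes=30), "10.0.0.5", "192.0.2.25", "http-get"),
    Event(T + timedelta(minutes=40), "10.0.0.6", "203.0.113.10", "trojan-beacon"),
]
FLOWS = [
    Flow(T + timedelta(minutes=1), "10.0.0.5", "203.0.113.10", 2_048, 512),
    Flow(T + timedelta(minutes=6), "10.0.0.7", "198.51.100.7", 5_000_000, 1_024),
    Flow(T + timedelta(minutes=11), "10.0.0.8", "198.51.100.7", 900, 300),
    Flow(T + timedelta(minutes=31), "10.0.0.5", "192.0.2.25", 700, 40_000),
    Flow(T + timedelta(minutes=50), "10.0.0.6", "203.0.113.10", 4_096, 0),  # outside window
]


def reputation(ip):
    return REPUTATION.get(ip, ("UNKNOWN", set()))


def corroborating_flows(event, flows, window=FLOW_WINDOW):
    """Flows between the same endpoints within +/- window of the event."""
    return [f for f in flows
            if f.src == event.src and f.dst == event.dst
            and abs(f.ts - event.ts) <= window]


def assess(event, flows):
    """Map the reputation verdict to risk as on the slide (SUSPECT -> Medium,
    BAD -> High), then adjust with flow evidence (assumed policy):
      - BAD with no corroborating flow: no traffic was seen (likely blocked), so Medium;
      - SUSPECT with more than EXFIL_BYTES sent outbound: High."""
    verdict, categories = reputation(event.dst)
    confirmed = corroborating_flows(event, flows)
    bytes_out = sum(f.bytes_out for f in confirmed)
    if verdict == "BAD":
        risk = "High" if confirmed else "Medium"
    elif verdict == "SUSPECT":
        risk = "High" if bytes_out > EXFIL_BYTES else "Medium"
    else:
        risk = "Low"
    return {"ts": event.ts, "src": event.src, "dst": event.dst, "signature": event.signature,
            "verdict": verdict, "categories": sorted(categories),
            "flows": len(confirmed), "bytes_out": bytes_out, "risk": risk}


def triage(events=EVENTS, flows=FLOWS):
    """Enrich every event and return them High first, then Medium, then Low."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted((assess(e, flows) for e in events),
                  key=lambda r: (order[r["risk"]], r["ts"]))


if __name__ == "__main__":
    for r in triage():
        print(r["risk"], r["src"], "->", r["dst"], r["verdict"], r["categories"], r["bytes_out"])
```

Two of the six constructed events come out High: the beacon to a BAD address that a flow confirms actually connected, and the SUSPECT destination that received 5 MB outbound. The beacon at 10:40 stays Medium because its only flow is ten minutes later, outside the window; when tuning this in a real deployment, the window has to match the clock skew and export delay of the flow source, or real connections will fail to corroborate.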
    • ACT DECISIVELY: leverage the power of the platform. An integrated security platform (industry-leading Security Information and Event Management) brings together Global Threat Intelligence, Vulnerability Manager, ePolicy Orchestrator, Network Security Platform, event collection, policy management, log management, advanced correlation, compliance reporting and streamlined investigations.
    • Organized Chaos: security operating in silos (data interconnection left and right); SIEM
    • LEARN QUICKLY & ACT DECISIVELY. Security Connected: intelligent orchestration and integration
      – ESM integrated with DLP, GTI, MAM, MVM, MEG, ADM, FW, MWG, ePO, NTBA, DAM and NSP
      – Asset inventory and on-demand scan; dynamic enrichment
      – Endpoint & SIA alerts and policy enforcement (ePO); network alerts and quarantine (NTBA, DAM, NSP)
    • ACT DECISIVELY: intelligent orchestration and integration. Scenario: a social-media post with a link (“My Pal RT@aguyweknow Very Inspiring article Bit.ly/p0wn3d !”) flows through NSM, ESM and ePO: detect connection attempt → correlation → quarantine endpoint → trigger alarm → launch AV scan → quarantine IP → increase security
    • McAfee ESM
      – Unmatched speed: industry’s fastest SIEM; 100x to 1,000x faster than current solutions; queries, correlation and analysis in minutes, not hours
      – Unmatched scale: collect all relevant data, not selected sub-sets; analyze months and years of data, not weeks; include higher-layer context and content information; scales easily to billions of data records
      – Improves operational efficiencies and optimizes security
      – Enhances visibility and control of risk and helps you stay compliant with regulations
      – Demonstrates measurable ROI and reduced TCO by delivering an easy-to-use, scalable next-generation SIEM solution
    • McAfee ESM 2013 market leadership and recognition
      – SIEM MQ “Visionary Leader”: Gartner 2012 & 2013 SIEM Magic Quadrant
      – “Fastest database in the business, truly creative front end”: SC Magazine, Excellent value for the money, February 2012
      – “Best log management solution”: InfoWorld 2011 Technology of the Year, January 2011
      – “ESM has attained tier-one status alongside larger organizations”: Ovum, Technology Audit, July 2011
      – “One of the most useful and seamless incident response-focused SIEM products available today”: The 451 Group, Impact Report, June 2010
      – “Top performance, 2nd lowest price”: Info-Tech Research Group Vendor Landscape, June 2011
    • Summary: Actionable Situational Awareness from McAfee ESM. ESM allows you to move fast, learn quickly, act decisively.
    • Demo