Real-time Detection and Reaction to User Behavior ActiveInsight for SIEM ACTIVE INSIGHT

Background Successful SIEM deployments have been collecting data and events from infrastructure and security devices

Successful SIEM deployments have been collecting data and events from infrastructure and security devices

Background Various regulations and business needs require application-level event collection , audit trail and correlation (FISMA, HIPPA, PCI, 357/257, etc.)

Various regulations and business needs require application-level event collection , audit trail and correlation (FISMA, HIPPA, PCI, 357/257, etc.)

Background The business application tier is where actual business events occur and where damage can be done “ Application layer monitoring for fraud detection or internal threat management is emerging as a new use case for SIEM technology ” Gartner Magic Quadrant for Security Information and Event Management, 2008.

The business application tier is where actual business events occur and where damage can be done

“ Application layer monitoring for fraud detection or internal threat management is emerging as a new use case for SIEM technology ”

Gartner Magic Quadrant for Security Information and Event Management, 2008.

The Business Need Application level audit trail Detailed user-session-application level data Real-time visibility of user behavior and application events Real-time, value-based, event detection and reaction “ Zero-touch” application event detection (no code modifications or complex log configuration and management) “ Zero-impact” on application performance and user experience Quick deployment

Application level audit trail

Detailed user-session-application level data

Real-time visibility of user behavior and application events

Real-time, value-based, event detection and reaction

“ Zero-touch” application event detection (no code modifications or complex log configuration and management)

“ Zero-impact” on application performance and user experience

Quick deployment

ACTIVE INSIGHT External Users System Mgmt Risk Mgmt SIEM Fraud Detection Internal Users Device API ACTIVE INSIGHT Detect React

ActiveInsight Unique Value Proposition Deeper, richer user-application level data Non-intrusive, event driven architecture Zero-touch, zero-impact deployment Real-time visibility and reactions Minimized integration efforts Multiple feeders for various risk mgmt applications Computational, I/O and log management off-loading

Deeper, richer user-application level data

Non-intrusive, event driven architecture

Zero-touch, zero-impact deployment

Real-time visibility and reactions

Minimized integration efforts

Multiple feeders for various risk mgmt applications

Computational, I/O and log management off-loading

Main Technological Challenges Detecting relevant user-application events, in real-time , without harming application performance and availability Reacting to relevant events by feeding SIEM or other security/risk management applications or initiating defensive actions Offloading application servers and provide a central log source bus Providing a simple , flexible and non-intrusive solution that can be deployed without requiring application code changes

Detecting relevant user-application events, in real-time , without harming application performance and availability

Reacting to relevant events by feeding SIEM or other security/risk management applications or initiating defensive actions

Offloading application servers and provide a central log source bus

Providing a simple , flexible and non-intrusive solution that can be deployed without requiring application code changes

Technology Distributed, high-performance, extreme transaction processing technology Integrated in-memory distributed data caching Unlimited server scale-out (scalable by design) A-sync or sync (w/o time-out) processing Low latency computational de-coupling Unique and simple, xml based, “behavioral processing language” Asynchronous, multi target feeders Real-time, pattern based, 2-way user interaction

Distributed, high-performance, extreme transaction processing technology

Integrated in-memory distributed data caching

Unlimited server scale-out (scalable by design)

A-sync or sync (w/o time-out) processing

Low latency computational de-coupling

Unique and simple, xml based, “behavioral processing language”

Asynchronous, multi target feeders

Real-time, pattern based, 2-way user interaction

Summary

Q&A Thank you! http://www. activeinsight .net