2012-12-12 Seminar McAfee ESM

In practice it often proves difficult to determine which risks an organisation faces and what level of security is appropriate for them. This knowledge is nevertheless necessary in order to take the right measures and to invest effectively in information security. On 12 December 2012 Pinewood, in cooperation with McAfee, organised a seminar that addressed exactly this. Useful tools such as Risk Management and McAfee Nitro (McAfee's SIEM product), together with Pinewood's pragmatic approach, offer concrete guidance and insight for arriving at an effective information security policy.


  1. McAfee ESM: Fulfilling the Promise of SIEM. Jan Hereijgers, Enterprise Account Manager, SIEM. December 13, 2012. McAfee Confidential—Internal Use Only.
  2. The State of SIEM
     The SIEM promise:
     • Turns security data into actionable information
     • Provides an intelligent investigation platform
     • Supports management and demonstration of compliance
     The legacy SIEM reality:
     • Antiquated architectures force choices between time-to-data and intelligence
     • Events alone do not provide enough context to combat today's threats
     • Complex usability and implementation have caused costs to skyrocket
     (Footer on this and the following slides: NitroSecurity Next Generation SIEM)
  3. The Big Security Data Challenge. The slide plots event volume against the analysis required: at thousands of events the tasks are to consolidate logs, correlate events and watch the perimeter; at billions of events they become APTs, multi-dimensional analysis, active cloud, trending and LT analysis, data and insider anomalies, large-volume analysis, compliance and historical reporting.
  4. ESM: Delivering on the Promise. On top of the Big Security Data DB: meaningful intelligence, rapid response, continuous compliance, exceptional value.
  5. Different From the Ground Up… The McAfee SIEM Event Database
     • High-speed database used extensively throughout the US DOD and DOE
     • Award-winning Sage/AdaSage technology
     • 15 years and over $30M invested in development at the Idaho National Laboratory (INL)
     • Purpose-built for rapid streaming of security events
     • Up to 100,000 database insertions per second
     • Custom fields and data definitions specific to security events
     • Rich event taxonomy with 16 indexes
     • Provides event-data warehousing with a minimal HW footprint
     • Facilitates real-time business intelligence for security and compliance
     • Perfected during ~300 man-years of joint development
  6. Log Management and Search. Investigate: see log frequencies; search for logs. Layer: log management. Outcome: investigate logs after the fact.
  7. Legacy SIEM. Visualize, investigate: see log frequencies; search for logs; correlate events. A traditional-context layer is added on top of log management: device and events from security devices, authentication and IAM, user identity, application log files, location, endpoints, VA scan data, network flows, time, OS events. Outcome: detection of known suspicious patterns.
  8. Content Awareness. Visualize, investigate, respond: see log frequencies; search for logs; correlate events; what data is involved?; who is doing it? A content-aware layer (applications, database) sits on top of traditional context and log management:
     • Flows indicate frequency but miss the what, who and how
     • Application and database complete the picture
     • Application logging inhibited by performance
     • Database logging inhibited by politics
  9. ESM Fulfills Today's SIEM Needs. Visualize, investigate, respond: see log frequencies; search for logs; correlate events; what data is involved?; who is doing it?; are they a bad actor?; what is the risk of the system?; what is the risk of the user? The Advanced Correlation Engine draws on two landscapes and adds a dynamic-content layer above content awareness, traditional context and log management:
     • Global threat landscape: threat intelligence feed, immediate alerting, historical analysis
     • Enterprise risk landscape (Risk Advisor, ePolicy Orchestrator): vulnerabilities, countermeasures, individuals
  10. ESM Fulfills Today's SIEM Needs (optimized). The same stack as slide 9, with the foundation spelled out: a Big Security Data DB with high speed, a scalable architecture and intelligent correlation. Example actions: 1. Shut down bad actor; 2. Analyze last year's events; 3. Compliance issue identified; 4. Investigate high-risk system.
  11. GTI with SIEM Delivers Even Greater Value: Sorting Through a Sea of Events… The funnel narrows at each question:
     • 200M events and logs: Have I been communicating with bad actors?
     • 18,000 alerts: Which communication was not blocked?
     • Dozens of endpoints: What specific servers/endpoints/devices were breached?
     • Handful of users: Which user accounts were compromised?
     • Specific files breached (if any): What occurred with those accounts?
     • Optimized response: How should I respond? RESPOND
  12. Scalable and Intelligent Architecture, layered from the top down:
     • Intelligence and operational efficiency: GTI, ePO, MRA, SIA
     • Adaptive risk analysis and historical correlation: McAfee Advanced Correlation Engine
     • Integrated SIEM and log management: McAfee Enterprise Security Manager, McAfee Enterprise Log Manager
     • Rich application and DB context: McAfee Application Data Monitor, McAfee Database Event Monitor
     • Scalable collection and distributed correlation: McAfee Receivers
     • Big Security Data DB
  13. McAfee ESM (NitroSecurity) Summary
     • Overview: Gartner SIEM MQ
     • Founded: 1999
     • Description: Nitro develops the industry's fastest analytical tools to identify, correlate and remediate information security threats in minutes instead of hours
     • Employees: 120
     • Headquarters: Portsmouth, NH; R&D facilities in Idaho Falls
     • Customers: 700+ active customers; 30 in Fortune 500; 60% of business through channel; 50% of business in US Federal
     • Acquisitions: Rippletech (log collection and reporting technology) and LogMatrix (analytics technology)
     • Financials: 2010 bookings = $25MM; 50% growth YoY for trailing 3 years
     • Notable customers: shown as logos on the slide
  14. Customer Case Study: McAfee
     Opportunity:
     • Internal security / compliance (Plano, TX)
     • Major SIEM installed for two years
     • "Never completed the initial deployment plan even with multiple $000,000's of pro services"
     • "Can get the log data in, but CANNOT get useful information out"
     Decision:
     • "Nitro" and Q1 shortlisted (pre-acquisition)
     • POC consisted of replicating the original deployment plan
     • Q1Labs exhibited the same performance issues as the existing solution
     • Nitro is selected
     Results:
     • Deployed and delivering value in 30 days
     • 2 appliances outperformed a 32 core SIEM deployment
     • Eliminated consulting and instrumentation spend on making SIEM work
  15. ESM: True Situational Awareness
     • Greatest accuracy in pinpointing threats
     • Fastest time-to-respond
     • Continuous compliance monitoring
     • Cost effective through low TCO and rapid time-to-value
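The funnel on slide 11 and the "risk of the system" question on slide 9, worked through as an added example that is not part of the deck or of any McAfee product: constructed proxy events are matched against a constructed reputation list (a stand-in for a GTI-style feed), unblocked contacts are reduced to endpoints and accounts, and the endpoints are ordered by an assumed asset-criticality score. All hosts, users, addresses and scores are made up for the illustration.

```python
"""Triage funnel in the spirit of slide 11: events -> bad-actor alerts -> unblocked
-> endpoints -> users -> prioritised response.  Every value below is constructed."""
from collections import namedtuple

Event = namedtuple("Event", "ts host user dst action")

# Constructed proxy/firewall events; destinations use RFC 5737 documentation ranges.
EVENTS = [
    Event("2012-12-12T09:00:01", "ws-042", "alice", "192.0.2.10", "allowed"),
    Event("2012-12-12T09:00:05", "ws-042", "alice", "203.0.113.7", "blocked"),
    Event("2012-12-12T09:01:10", "ws-017", "bob", "203.0.113.7", "allowed"),
    Event("2012-12-12T09:01:12", "ws-017", "bob", "203.0.113.7", "allowed"),
    Event("2012-12-12T09:02:00", "xfer-01", "svc_backup", "198.51.100.9", "allowed"),
    Event("2012-12-12T09:03:30", "ws-099", "carol", "192.0.2.44", "allowed"),
]
# Constructed reputation list standing in for a threat-intelligence feed.
BAD_ACTORS = {"203.0.113.7": "known C2", "198.51.100.9": "malware host"}
# Constructed asset criticality (0-100), the "risk of the system" context of slide 9.
ASSET_RISK = {"xfer-01": 90, "ws-017": 40, "ws-042": 40, "ws-099": 30}


def triage(events, bad_actors, asset_risk):
    """Walk the funnel and return every stage so each narrowing step is auditable."""
    # Stage 1: which events touch a bad actor?  These are the alerts.
    alerts = [e for e in events if e.dst in bad_actors]
    # Stage 2: which of those communications were NOT blocked at the perimeter?
    unblocked = [e for e in alerts if e.action != "blocked"]
    # Stages 3 and 4: which endpoints and which user accounts are implicated?
    endpoints = sorted({e.host for e in unblocked})
    users = sorted({e.user for e in unblocked})
    # Stage 5: rank endpoints by asset criticality so response starts with the
    # highest-risk system; assets missing from the map get a medium score of 50.
    response_order = sorted(endpoints, key=lambda h: -asset_risk.get(h, 50))
    return {
        "events": len(events),
        "alerts": len(alerts),
        "unblocked": len(unblocked),
        "endpoints": endpoints,
        "users": users,
        "response_order": response_order,
    }


if __name__ == "__main__":
    for stage, value in triage(EVENTS, BAD_ACTORS, ASSET_RISK).items():
        print(f"{stage:>15}: {value}")
```

The blocked contact from ws-042 still counts as an alert but drops out at stage 2, which is the distinction slide 11 draws between "communicating with bad actors" and "communication that was not blocked".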
