This document discusses RuSIEM Analytics, a product that provides log management, security information and event management, and real-time analytics capabilities. It aims to automate business processes, detect security incidents, analyze business metrics, and provide a single interface for employees. The product is already in use by many enterprise customers. It collects data from various sources, normalizes it, stores it for analysis, and ensures continuous data collection. It also provides security incident detection and prevention, reporting, and compliance functions. Real-time analytics are performed to detect incidents, establish baselines, and analyze multiple algorithms. The solution has various applications for IT, security, business units, and other teams.

1. RuSIEM Analytics
From SIEM to business processes
CEO, Co-founder RuSIEM
Olesya Shelestova
oshelestova@rusiem.com

2. Imagine: You bring a robot into the company
What are the first steps you take?
2

3. Step-by-step. T-PDCA.
• Teach him to "basic functions“
• Teach it to the “compound functions”
• Try it in a real process
• Define its tasks
• Continue to "teach him" for a real process
• Periodically, the necessary improvements
Try on  Plan  Do  Check  Act
3

4. What the customer wants
• Big red auto-button
• Automation and cost reduction for processes and employees
• Know everything that happens in real time
• Timely prevention of incidents affecting the business
• Staff wants to feel their importance in business and their careers
• All important and required information should be available from a
single location
• Have process evaluation indicators
God mode ON
4

5. Our team
• Development since from 2014
• All team members have extensive experience in developing
• Product architects have experience in development other SIEM
• The product technology based on practical experience and the use of SIEM/LM
• The product has already been successfully used in many enterprise companies
5

6. #Team
6
7 members of the current team:
• 2 – php, JS, backbone
• 2 – c+ STL linux
• 1 – agent for windows, c#/.net
• 1 – Analytics: java/scala/apps for Apache Storm
• 1 – Analytic for KB (correlation rule, integrations, symptomatic,
normalizations rule)

7. #Why_need_investments
• The product is already ready
• We have successful implementation and sales
• There is already an RuSIEM Analytics working on the customer side,
without cloud
• In a short period of time, we were able to realize much more than
large companies with large resources
7
And it really works already stably!

8. Past year Last 2 year With labor costs
over < 1 month
With labor costs
1-3 month
All tasks 308 734 490 244
Original features > 26 > 60 16 44
Customers cases 163 207 84 123
Bugs 54 137 116 21
Bugs from
customers
11 24 14 10
Successful
implementation
> 23 > 50
RvSIEM free version
installed at
customers
693 online unique installations around the world
(by statistics of requested updates on 02 june 2017)
8

9. • All companies want automation: processes, employees, detect of the
incidents
• Existing solutions AI / ML can not work at low hardware power
• As the business is tied heavily on IT - necessary processing and
analysis in real time
9

10. What tasks are solved by our product
• Ensuring continuity of IT infrastructure
• Detection of incidents of information security
• Detection of incidents affecting on business processes
• Analysis of business process metrics
• Interfacing units and employees through the built-in workflow
• Identifying incidents without the need for correlation rules
• All detection processes in real time
• Increase the chance of detecting an incident through multiple sources of
events
• Real-time big data without a scalability limit
• No cloud solution is required, limited hardware resources are used
10

11. 5+ stage of product development
LM SIEM Analytics Business AnalyticsEmployee Profiling
11

12. Why need LM
LM SIEM
12
Employee Profiling Business AnalyticsAnalytics
LM:
• Collection of states from various sources (events, surveys)
• Connectors to many different systems
• Event normalization (single taxonomy, key: value)
• Saving to big data for further analysis and queries
• Ensuring continuity of the collection and the absence of loss events

13. Why need SIEM
LM SIEM
13
Employee Profiling Business AnalyticsAnalytics
SIEM:
• Managed Correlation for real-time Incident Detection and Prevention
• Incident recording and timely notification
• Proactive actions - running the script, blocking ip ...
• Reports on processes, incident management, unloading of events,
compliance with standards
• Correlation rules help to reduce the number of false positives from
Analytics

14. Analytics
Analytics:
Complex calculations and reports
Baseline indicators
Real-time analysis of multiple user-controlled algorithms
Managed and user-configurable analytics
Elimination of "heavy" and historical analyzes from correlation for real-time
Detection of threats without the need to create many of correlation rules (by
case)
Provide data sets for quick access
14
LM SIEM Employee Profiling Business AnalyticsAnalytics

15. Auxiliary objectives of SIEM Analytics
• Provide a quick demo to the customer
• Ensure rapid implementation and successful installation
• A wide range of detected incidents without correlation rules
• Providing complex calculations and algorithms (back-end for
correlations and reports)
15

16. Personal profiling
• What is the employee's: pass, logins, access rights, email addresses,
where he enters the system
• Interests, queries, social pages, social circle, etc.
• What systems did I enter into, what did I do
• Change of activities and current activities that can affect the company
and its business
Pre-enrichment of the selected entities in real time
from a data set that already exists in the system.
16

17. Business analytics, part 1
• Description and formalization of business processes
• Assessing the impact of IT and IS components on the business process
(vulnerabilities, personnel, staff actions, infrastructure errors, unauthorized
actions, etc.) in real time:
• Formalization and understanding of what is affected by a separate server, windows
service, account
• Incidents are not about IT components, but with an assessment of the impact on the
business process
• Continuity, process availability and information integrity
• Prioritization of tasks and incidents for effective work of the units
• Valuation of works, measures
• Risks, their financial assessment depending on the processes
17

18. Business analytics, part 2
• Description and formalization of business processes in information systems in real
time
• Evaluation of business performance in real time:
• Movement of financial flows, trends
• Account balances
• Targeting (targeted services and offers)
• Customer refusals from orders on portals and their interests
• The success of PR actions and news about the company / products
• Assessment of trends (baseline) with the registration of bursts and deviations, violations of
processes, inaccessibility of services.
• If the IT component fails, notify the unavailability of the process in which it is involved.
• Analysis for the purpose of stopping the service on a historical and current trend -
when it is possible to carry out technical work with minimal financial and
reputation losses
18

19. Needs and consumers
LM SIEM Analytics Profiling BA
IT IS Business units PR & Marketing Security
19

20. Sales model
20
• Sales through partners (integrators, software distributors)
• Rare sales directly to key customers and partners (example: partner located in
other country)
• Clients: any sphere of activity of the companies in which the business depends
on IT infrastructure
• A solution out of the box, or an adaptation for solving customer cases (if it is
not yet supported and can be scaled for other customers)
• Technical support is provided by our company, or partners as the first line of
support
• Integration is carried out by the partners, or RuSIEM (if the partner does not
have its own qualified specialists)

21. Market
• Not only SIEM. SIEM is an outdated term.
• Currently 15 companies have been implementing
• Over 25 customers in 2017 already awaiting implementation
• For 2018-2019 already planned more than 190 implementations for
customers (we do not have marketing)
• Our partners and customers are located: Russia, Spain, Italy, Norway,
Brazil.
• Over the past month, we have more than 10 customers wishing to
switch from free RvSIEM to a commercial version
21

22. Thank you for attention
CEO, Co-founder RuSIEM
Olesya Shelestova
oshelestova@rusiem.com
22

23. Why did we do LM / SIEM
• Each component is a separate product
• Sets of the modules - can be used as separate products for solving
various tasks
• Real-time analytics just require what LM / SIEM does:
• Data collection from a variety of sources for comprehensive analysis
• The reduction to the same type of format (key: value and taxonomy)
• Interpretation to various levels of representations (machine, operator,
analyst, logical connections)
• Removing unnecessary data from an event
• A stream of normalized events to analytics in real time
23