Road Show - Arcsight ETRM
The ArcSight ETRM platform captures data, manages and retains all events, analyzes events in real time, identifies anomalous behavior and responds quickly to prevent losses.

  • We believe that monitoring for threats and risks is harder than ever. To do it successfully, you need to see a lot of things, including which systems are on your network, new malware that hits and spreads, what happens in confidential databases, what users are doing, connections coming in from third parties, and so on. The info is not easy to process and so you have little visibility into what’s going on.
  • And the result of this challenging task is continued growth in cybercrime. Some of the splashier breaches we’ve read about recently all came about when management didn’t have visibility into threats on the network. Taken together, just these four resulted in hundreds of millions of breached accounts and hundreds of millions of dollars lost. And these are just a small handful, just the tip of the iceberg. If Google, one of the most technically sophisticated organizations on the planet, could get hacked, what is the impact on the thousands of other firms that aren’t as secure as Google? But the most interesting thing about these breaches is not just the impact, but also how they happened…
  • In fact, they all shared the same pattern, one that has become very common among modern threats. First, the attacker used malware against a specific company to penetrate the outer defenses and hop from system to system; perimeter security didn’t really help. Next, they moved around until they found a machine with privileged account access to the systems and data they wanted, so the impact took some time; this isn’t a smash-and-grab of whatever you can take quickly. Finally, once the breach started, it went on for a while, slowly siphoning off valuable information. The point is that early detection mattered in these cases: if you detected the breach early, you could prevent most of the loss.
  • The point of all this is that today’s cybercrime is very different from what we have seen before. The attacks are different; they are driven by smart humans guiding sophisticated technology against specific high-value targets. This is not an indiscriminate malware attack against anyone who downloads a bot through a greeting card. The defenses are different; AV signatures are not very effective. The attacks either change too quickly, so signatures can’t be generated, or else unfold too slowly and can’t be detected. And even if the signatures were working well, the rise of borderless networks means you have few choke points at which to apply them. And so the vulnerabilities are also different; systems that were formerly considered “internal” and protected are left unmonitored and exposed. And privileged users with privileged access to those systems are left unwatched, so takeover of that access goes undetected. To sum it up in three points: you face more risk than ever, what you used to do won’t work, and so you need a fundamentally different approach.
  • And this visibility is important because you can’t fight what you can’t see. And it’s harder to see what you need to defend against.
  • With ArcSight, you get instant detection of activities affecting everything on your network, new zero day outbreaks as they spread, your confidential databases, your key users, everything. You see the patterns and the connections and get the context you need to take action.
  • ArcSight is that fundamentally different solution. The ArcSight platform is the only solution for monitoring threats and risks in an environment of borderless networks, persistent threats, and enterprise risks. It enables you to capture data from anything and everything on your network: devices, applications, transactions, users, config changes, everything. You can manage and store all that data for years, supporting any reporting, audit, or investigation. As the data is generated, you can analyze it in real time to find threats quickly, since, as we mentioned, threats take time to have impact. You can use pattern detection and historical trending to monitor unusual behavior of people or applications. And if a problem is detected, the platform supports automatic response to shut down the threat, important because, as we discussed, early detection matters in modern cybercrime. So this platform gives you a level of visibility and understanding of modern enterprise threats and risks that you can’t get anywhere else.
  • And we do that better than anyone in three ways. First, universal data collection. We enable you to collect information from anything and everything, safely and securely. We maintain hundreds of prebuilt connectors off the shelf. You can keep it raw or parse it for better analysis, your choice. Most importantly, you can extend this collection to any new type of device whenever you need to, even without our involvement, using our toolkit. This means that the choices you make today for monitoring won’t limit your information strategy tomorrow.
  • Remember when I said earlier that to get the big picture, you have to collect from everything? I mean everything. Firewalls, routers, servers, desktops, app servers, and so on. There are two key points that set us apart in data collection. The first is that we make it happen faster and easier. We have 300 off the shelf connectors, and a connector toolkit that has been used to create over a thousand other custom connectors. This is important because what happens when you want to collect from a system that we’ve never seen before? Well, the biggest complaint we hear from prospects that have competitors’ products is that it takes 4-6 weeks to get a connector built, and it requires the vendor’s engineering team. For ArcSight, you can build it yourself with our toolkit, in as little as a day, with no involvement or cost from us. The second point is that our architecture future-proofs you. We collect from hundreds of sources and we normalize it all to a common and categorized format, which you then build your analysis and rules against. The key thing is that this insulates your analysis from your technology choices. If you want to swap out your Cisco and put in Juniper, your reports still work. So, we lessen your dependency on the device vendors. This future-proofs your risk analysis. This is unique and very critical. You don’t get this level of insulation from other vendors. [next slide]
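The normalization point above (rules written against a common schema so that swapping the firewall vendor does not break them) is easier to see in code. The following is an added example, not ArcSight code: two constructed, simplified log formats stand in for two firewall vendors (they are not real syslog formats), each gets its own small parser, and a detection rule is written only against the normalized fields. The `to_cef` renderer follows the public CEF header layout (`CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension`) with the standard extension keys `src`, `spt`, `dst`, `dpt`, `proto`, `act` and `cat`; the signature IDs and severities it assigns are assumptions for this example.

```python
# Added example (not ArcSight code): normalize two different firewall log
# formats into one common schema and write a rule against the normalized
# fields only, so replacing the firewall vendor does not change the rule.
# Both raw formats are constructed stand-ins, not real vendor syslog.
import re
from collections import defaultdict

# Constructed sample log lines (not real vendor output).
RAW_LOGS = [
    "fwA: deny tcp 198.51.100.7:44123 -> 10.0.0.5:22",
    "fwA: deny tcp 198.51.100.7:44124 -> 10.0.0.5:22",
    "fwB: DROP src=198.51.100.7 dst=10.0.0.6 dport=22 proto=tcp",
    "fwB: ALLOW src=10.0.0.9 dst=203.0.113.4 dport=443 proto=tcp",
    "fwA: deny tcp 198.51.100.7:44125 -> 10.0.0.7:22",
    "garbage line that no connector understands",
]

FW_A = re.compile(r"^fwA: (allow|deny) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")
FW_B = re.compile(r"^fwB: (ALLOW|DROP) src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)$")


def parse_fw_a(line):
    """Connector for the constructed 'vendor A' format."""
    m = FW_A.match(line)
    if not m:
        return None
    act, proto, src, spt, dst, dpt = m.groups()
    return {"vendor": "VendorA", "product": "fwA", "category": "/Firewall/Access",
            "action": "blocked" if act == "deny" else "allowed",
            "proto": proto, "src": src, "spt": int(spt), "dst": dst, "dpt": int(dpt)}


def parse_fw_b(line):
    """Connector for the constructed 'vendor B' format (no source port logged)."""
    m = FW_B.match(line)
    if not m:
        return None
    act, src, dst, dpt, proto = m.groups()
    return {"vendor": "VendorB", "product": "fwB", "category": "/Firewall/Access",
            "action": "blocked" if act == "DROP" else "allowed",
            "proto": proto, "src": src, "spt": None, "dst": dst, "dpt": int(dpt)}


# One connector per source format; a new source means a new parser here,
# the rules below stay as they are.
PARSERS = (parse_fw_a, parse_fw_b)


def normalize(line):
    """Return the common-schema event for a raw line, or None if no parser matches."""
    for parser in PARSERS:
        event = parser(line)
        if event is not None:
            return event
    return None


def to_cef(event):
    """Render a normalized event as a CEF line. Signature IDs 100/101 and the
    severities are assumptions for this example, not a published mapping."""
    blocked = event["action"] == "blocked"
    sig, sev = ("100", "5") if blocked else ("101", "1")
    ext = [f"src={event['src']}", f"dst={event['dst']}", f"dpt={event['dpt']}",
           f"proto={event['proto']}", f"act={event['action']}", f"cat={event['category']}"]
    if event["spt"] is not None:
        ext.append(f"spt={event['spt']}")
    header = f"CEF:0|{event['vendor']}|{event['product']}|1.0|{sig}|Firewall {event['action']}|{sev}|"
    return header + " ".join(ext)


def blocked_ssh_sweep(events, min_targets=2):
    """Rule written only against normalized fields: sources blocked while
    reaching port 22 on at least min_targets distinct hosts, whatever the vendor."""
    targets = defaultdict(set)
    for ev in events:
        if ev["action"] == "blocked" and ev["dpt"] == 22:
            targets[ev["src"]].add(ev["dst"])
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_targets)


def run(lines=RAW_LOGS):
    """Normalize every line that a connector understands and apply the rule."""
    events = [e for e in map(normalize, lines) if e is not None]
    return events, blocked_ssh_sweep(events)


if __name__ == "__main__":
    events, hits = run()
    for ev in events:
        print(to_cef(ev))
    print("sweep sources:", hits)
```

The rule never looks at vendor-specific text, so feeding it only the `fwA` lines or only the `fwB` lines (or a third format with its own parser) leaves the rule untouched; the unparsed line is dropped here, whereas a real pipeline would keep it raw for search, as the notes say.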
  • Next, enterprise-wide log management to handle all that data that you collect. The platform supports management of raw and structured data for any type of usage in any department. You can store, search and report on years’ worth of data very quickly, and you can dramatically cut the cost of storing years of data using our leading compression and storage mechanisms. This allows you to deploy a single solution to manage all log data across your enterprise. This matters because the kinds of questions managers now want to ask require information that cuts across departments. For example, investigating a breach, you may find that a user visited a site, inadvertently downloaded malware, which then stole credentials, accessed a database, queried credit card records, phoned home and sent out the numbers. To see this, you need logs from your web team, IT, security, identity management, etc. You need universal log management.
  • Finally, cutting edge threat analysis via advanced correlation, packaged in a simple and automated form. We use modern techniques to detect modern cybercrime. These include our patented ThreatDetector engine, a pattern matching and anomaly detection system which can find very subtle and sophisticated threats including zero-day outbreaks and fraud. It includes correlating user roles and trends to determine who is violating policies and putting the business at risk. We are the only company that can correlate across WHO-WHAT-WHERE, that is, roles, logs and flows, to understand not only what’s happening but if it’s really a problem. And the best part is that the more info you collect and store, the smarter the system gets. The net result is that with ArcSight you can detect and therefore prevent not only the basic stuff, but especially the attacks that you can’t predict.
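The breach chain in the previous bullet (download, malware, stolen credentials used against a database, bulk egress) and the WHO-WHAT-WHERE correlation described here can be shown with a small rule engine. This is an added example, not ArcSight code and not its ThreatDetector engine: every event, host, user, role and threshold below is constructed, the events are assumed to already be in a common schema, and the time-window and row-count limits are illustrative choices.

```python
# Added example (not ArcSight code): correlate normalized events from a web
# proxy, endpoint AV, database audit and network flows ("WHAT" and "WHERE")
# with an identity source mapping users to roles ("WHO"). One rule follows the
# breach chain per host inside a time window; a second is role-aware, so a
# DBA administering the database is fine but bulk reads of card data are not.
from collections import defaultdict

# Constructed identity data: user -> business role.
ROLES = {"jdoe": "sales", "svc_dba": "dba", "asmith": "finance"}
SENSITIVE_TABLES = {"cardholder_data"}

# Constructed normalized events; "t" is seconds since the start of the window.
EVENTS = [
    {"t": 0,    "source": "proxy",    "host": "ws-17",      "user": "jdoe",    "cat": "web/download",     "url": "http://example.invalid/invoice.exe"},
    {"t": 120,  "source": "endpoint", "host": "ws-17",      "user": "jdoe",    "cat": "malware/detected", "name": "Trojan.Generic"},
    {"t": 200,  "source": "db",       "host": "db-admin-1", "user": "svc_dba", "cat": "db/query",         "table": "cardholder_data", "rows": 5},
    {"t": 900,  "source": "db",       "host": "ws-17",      "user": "svc_dba", "cat": "db/query",         "table": "cardholder_data", "rows": 50000},
    {"t": 1500, "source": "flow",     "host": "ws-17",      "user": None,      "cat": "net/egress",       "dst": "203.0.113.9",  "bytes": 48_000_000},
    {"t": 1600, "source": "flow",     "host": "ws-02",      "user": None,      "cat": "net/egress",       "dst": "203.0.113.10", "bytes": 60_000_000},
    {"t": 1700, "source": "db",       "host": "ws-02",      "user": "asmith",  "cat": "db/query",         "table": "orders",          "rows": 80000},
]

# Ordered stages of the chain; each predicate runs on one normalized event.
CHAIN = [
    ("malware",         lambda e: e["cat"] == "malware/detected"),
    ("sensitive_query", lambda e: e["cat"] == "db/query" and e["table"] in SENSITIVE_TABLES),
    ("bulk_egress",     lambda e: e["cat"] == "net/egress" and e["bytes"] >= 10_000_000),
]


def detect_exfil_chain(events, window=3600):
    """Per host, match the CHAIN stages in order, all within `window` seconds of
    the first matched stage. Returns {host: {stage: event}} for completed chains.
    Only the first run of the chain per host is tracked, which is enough here."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_host[e["host"]].append(e)
    incidents = {}
    for host, evs in by_host.items():
        matched, start = {}, None
        for e in evs:
            if len(matched) == len(CHAIN):
                break
            if start is not None and e["t"] - start > window:
                break
            stage, pred = CHAIN[len(matched)]
            if pred(e):
                matched[stage] = e
                if start is None:
                    start = e["t"]
        if len(matched) == len(CHAIN):
            incidents[host] = matched
    return incidents


def flag_privileged_data_access(events, roles, max_rows=1000):
    """Role-aware rule: a dba account may touch the database, but a bulk read of a
    sensitive table is flagged; any other role touching it is flagged at any size.
    Returns (user, role, host, rows) tuples."""
    alerts = []
    for e in events:
        if e["cat"] != "db/query" or e["table"] not in SENSITIVE_TABLES:
            continue
        role = roles.get(e["user"], "unknown")
        if role != "dba" or e["rows"] > max_rows:
            alerts.append((e["user"], role, e["host"], e["rows"]))
    return alerts


if __name__ == "__main__":
    for host, stages in detect_exfil_chain(EVENTS).items():
        print(host, {s: ev["t"] for s, ev in stages.items()})
    print(flag_privileged_data_access(EVENTS, ROLES))
```

Two things the single-source view misses stand out: the database audit log alone shows a legitimate DBA account reading a table it is entitled to, and the flow log alone shows one of two large uploads; only joining them by host and ordering them in time turns the `svc_dba` query from `ws-17` into the middle of an incident, while `ws-02` (big upload, no malware, no sensitive table) stays quiet.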
  • The competition just cannot stack up. In terms of collection, we give you a toolkit and you can build your own connectors if you want. Competitors require their R&D to get involved, and we are hearing quotes of 4-6 weeks of R&D time per connector from competitors. This means that the other vendor controls your ability to roll out new monitoring. In terms of consolidation, others are either too expensive, charging you over $3 million to collect 100,000 EPS, or else they can’t scale up and therefore you have limited data retained, which means your investigations will fail. And finally, in terms of correlation, we parse out 200+ fields in the log data we collect. That means you can execute rules against any and all of those fields. Others parse out maybe a dozen fields, which means you can only write basic rules, which means basic threat detection only. But as we’ve already seen, the basic stuff isn’t the problem anymore. So with others, you are at huge risk of breach and loss. This is why ArcSight leads the market in every measure you can think of.
  • And while we deliver this as an integrated platform, we also package the pieces into different products that you can buy separately and lock together as needed.
  • For data capture and correlation, there is ArcSight ESM. For capture and log management/search, there is ArcSight Logger. For all of it packaged into an all-in-one option, there is ArcSight Express. You can extend these with IdentityView for privileged user and process monitoring or FraudView for online financial fraud monitoring. You can also extend these with our auditor apps for regulatory controls such as SOX, HIPAA, PCI, etc. We have applications to monitor ERP apps such as SAP. And across all of this, you can add automatic response when threats are detected, via ArcSight TRM. Buy separately or together as a platform.
  • And that platform connects to the other key initiatives you have completed or are thinking about, such as DLP, cloud, virtualization, storage management, and so forth. ArcSight extends each of these, connecting them to better understand the risk in any of these areas at any time. So, we have talked about using ArcSight to better monitor security, to find threat and risk on the security side. But there is another benefit to this platform. We find that customers use it not only to protect the business, but also to improve the business…
  • For example, a utility applied the ArcSight platform to automate SOX reporting. It saved over $4.5 million in three years by cutting thousands of contractor hours. The system improved audit reporting and paid for itself in a month. Or a credit union applied the ArcSight platform as compensating controls that enabled it to push off an $8 million application rewrite to address shared account controls. The system paid for itself in a few weeks. Or a regional bank that applied the ArcSight platform to detect wire fraud in its online banking systems. It detected a million dollars in the first week and the system paid for itself by Wednesday. So this is how you can use the platform to protect your business against modern threats, but also to improve your business’ ability to operate in a modern environment.
  • And we see this in practice today. For a large retail broker, it looks like monitoring transactions and traders to prevent fraud. They track millions of stock trades per day and use correlation to sift out fraud. For a large intelligence agency, it looks like tracking employees to prevent data theft. Here they correlate actions and data access to determine if confidential data is slipping out. [next slide]
  • And other customers are doing traditional network security. For example, at the FAA they monitor their networks to catch intrusions. They use ArcSight to find problems early and get incident response down from 8 hours to 8 minutes. More recently, they now operate a managed service to monitor the Dept of Energy, Dept of Transportation, and the Dept of Education. The Dept of Ed moves more money, via student loans, than Fort Knox, so this is a big solution. At a national electronics chain, it looks like PCI and SOX controls. ArcSight is used to monitor access to customer credit card data and to monitor privileged users. For example, the DBA might have access to the customer database; let’s make sure he’s not looking at credit card numbers while he’s there. So, monitoring networks and the people on those networks is happening already, at leading companies today. They all bought ArcSight to help protect their businesses. [next slide]
  • And proof of these three abilities is our customer base. ArcSight is currently deployed at: most of the F500; all of the US Intelligence community; more than 20 government agencies; more than 150 banks globally; 25 US Federal agencies; more than 25% of states in the U.S.
  • So let me summarize. I hope I have shown that due to modern cybercrime, business faces more risk than ever, what used to work won’t work going forward, and something very different is required. ArcSight provides the only platform that can detect, manage and minimize modern threats. With ArcSight you get complete visibility into who’s affecting your business, your systems are safer and therefore have better uptime, and you have better compliance with less effort. I look forward to talking through the products in more detail and to showing exactly how each product can meet your needs.
  • ArcSight is a ten-year-old leader in the security information management market. We have grown rapidly and now have a global presence, including offices worldwide. That has resulted in nearly 2000 customers, serviced both directly and via our 35 MSSP partners. Our 2008 IPO, based on the strength of our business, combined with our ongoing profitability and cash generation, allows us to continue to evolve the company and product set. Those products have won many awards, most recently the reader’s choice gold award for SIM in Information Security Magazine. On the analyst side, IDC has us as the market share leader for the third year in a row, with our business growing twice as fast as the SIM market. The InfoPro, a quantitative analysis firm, has us as the #1 in-use vendor for both log and event management. Finally, Gartner has us in the Leaders quadrant of its Magic Quadrant for the sixth year in a row. [next slide]
  • And the Gartner point is especially relevant, in three ways. First, we are the only vendor to have been in the Leaders quadrant for the entire time the MQ has been produced. Second, we are surrounded by much larger competitors: EMC, IBM, Cisco, etc. We are able to win there because of the strength of our solutions. Third, we are the most visionary vendor on the quadrant. The main component of “vision” is the ability to listen to customers and give them what they need. This is important because our customers’ business continues to change… [next slide]

    1. ArcSight Threat and Risk Management Platform - ETRM. Luiz Zanardo, CISSP, CISA, CFE, Senior Sales Engineer, Latin America and Caribbean
    2. Monitoring is more challenging than ever. © 2010 ArcSight Confidential. You need to understand… systems on the network… “0-day” threats… critical data… compliance violations… privileged users… network connections… fraud techniques… application risk
    3. Cybercrime keeps growing. 100 million credit cards, $130 million in losses; 45 million credit cards, $250 million in losses; 1.5 million debit cards, card revocation process; accounts affected: unknown, $12.5 billion in capital losses
    4. Modern attacks share a pattern. Identify the target, model the attack, bypass (perimeter controls do not help); escalate to privileged access on critical assets (long-lasting impact); carry out the crime over a long period of time (importance of fast detection)
    5. Today’s cybercrime is different: attack, defenses, vulnerabilities. Companies face more risk than ever. Traditional controls are not enough. A different approach is needed. Focused people; high-value targets; signatures not effective; borderless networks; key systems unattended; key users unmonitored
    6. We cannot fight what we do not know. Unknown… systems on the network… “0-day” threats… critical data… compliance violations… privileged users… network connections… fraud techniques… application risk
    7. ArcSight enables complete visibility. Detecting… systems on the network… “0-day” threats… critical data… compliance violations… privileged users… network connections… fraud techniques… application risk
    8. ArcSight is the only solution. ArcSight ETRM Platform:
       • One platform for monitoring modern threats and risks
       • Captures any type of data from any system
       • Manages and retains all events
       • Analyzes events in real time
       • Identifies anomalous behavior
       • Responds quickly to prevent losses
    9. ArcSight does 3 things better than anyone. Universal data collection (today’s choices do not limit tomorrow’s strategy). Collect, Consolidate, Correlate:
       • Collects events from any asset on the network
       • Raw or categorized for better analysis
       • Analyzes events from new data types without needing ArcSight services
    10. Collection: Gather Any Data, Anytime. © 2009 ArcSight Confidential. Future Proof: Swap out products without breaking your alerts, reports and dashboards. Common Event Format
    11. ArcSight does 3 things better than anyone. Log management (one solution to manage large log volumes). Collect, Consolidate, Correlate:
       • Complete management of any type of data, for security, compliance and IT operations
       • Search and reporting over years of information for forensic analysis
       • Reduces SAN/storage cost with simple management of petabytes of logs
    12. ArcSight does 3 things better than anyone. Cutting-edge threat analysis (detects and prevents unpredictable attacks). Collect, Consolidate, Correlate:
       • ThreatDetector: pattern recognition
       • Analyzes profiles, identities, history and trends to detect business risk
       • The more information collected, the smarter it becomes
    13. Only ArcSight can identify modern threats. The competition:
       • No toolkit for building new collectors
       • 4-6 weeks of development
       • The vendor controls your ability to monitor
       • High investment ($3 million for 100,000 EPS)
       • Limited scalability
       • Investigations produce poor results
       • Few fields to correlate
       • Basic correlation means basic threat detection
       • You remain at high risk of losses and new threats
    14. Products for companies of all sizes
    15. Products for companies of all sizes. Event correlation, log management, data capture: ArcSight ESM, ArcSight Logger, ArcSight Express. Controls Monitoring, User Monitoring, Fraud Monitoring, App Monitoring: IdentityView, FraudView, Auditor Apps, SAP Auditor. ArcSight TRM/NCM
    16. ArcSight and the IT ecosystem. ArcSight connects, improves and protects critical infrastructure:
       • Data Leak Protection
       • Mobility/asset management
       • Storage and backup
       • Uptime/availability
       • Identity lifecycle
       • Cloud/virtualization
       • Configuration/systems management
       • Endpoint/patch management
       • Resulting in compliance with: PCI, SOX, Basel I, Basel II, BaCen 3380, IT Governance, COBIT, 27000 family, HIPAA, CVM, NERC & FISMA
    17. More than security: improving business operations. Legacy application monitoring, Western Union; benefit: $8 million in development savings; payback: 3 weeks. SOX reporting automation, GE; benefit: $4.6 million over 3 years by cutting more than 7,600 hours of work; payback: 39 days. International wire transfer fraud prevention, Bank of America; benefit: $900K in fraud eliminated in one week; payback: 3 days
    18. ArcSight in action. Intelligence agency, insider threat: monitor agents’ access against their clearances; unknown scale; benefit: control access to classified information. Wire fraud & trader behavior, CME: monitor 50,000 wire transfers for fraud; pump-and-dump; analysis of 3 million stock trades per day; benefit: fraud reduction
    19. ArcSight in action. Network security and in-flight anomalies, FAA: protect the network and the flights; 2.4 million packets/second, 95,000 alerts/day; benefit: incident response reduced from 8 hours to 8 minutes. PCI and SOX compliance, Best Buy ($1.7M, $.88M): monitor privileged users; 800+ stores in the US, China and Canada; benefit: avoid fines
    20. Serving the world’s leading companies: Healthcare, Finance, Education, Government, Energy, Telecom, Manufacturing, Retail
    21. ArcSight ETRM Platform. A different approach is needed. Companies face more risk than ever. Traditional controls are not enough. The only solution to detect, manage and minimize modern threats and risks:
       • Complete visibility
       • Improved response time
       • Real-time compliance
    22. Market leader. About the company:
       • Founded May 2000
       • 2000+ customers
       • 500+ employees
       • NASDAQ: ARST (now HP)
       • IN-Q-TEL (CIA)
       Analyst recognition: #1 in-use for SIEM and log management; #1 in market share, last 3 reports; SIEM Leaders Quadrant, seven years as a leader. Market recognition
    23. IDC 2009 (SIEM Market Share)
    24. Gartner MQ: SEVEN years in the Leaders quadrant (HP)
    25. Questions?