McAfee ESM
Fulfilling the Promise of SIEM
Jan Hereijgers
Enterprise Account Manager, SIEM
December 13, 2012
1                                      McAfee Confidential—Internal Use Only
The State of SIEM

SIEM Promise:
• Turns Security Data Into Actionable Information
• Provides an Intelligent Investigation Platform
• Supports Management and Demonstration of Compliance

Legacy SIEM REALITY:
• Antiquated Architectures Force Choices Between Time-to-Data and Intelligence
• Events Alone Do Not Provide Enough Context to Combat Today’s Threats
• Complex Usability and Implementation Have Caused Costs To Skyrocket
2                        NitroSecurity Next Generation SIEM                       McAfee Confidential—Internal Use Only
The Big Security Data Challenge

[Figure: event-volume pyramid, from thousands of events at the perimeter to billions of events, with the analysis each tier demands]
• Billions of Events (APTs, Cloud Data, Insider Anomalies): Multi-dimensional Active Trending; LT Analysis; Large Volume Analysis
• Compliance: Historical Reporting
• Thousands of Events (Perimeter): Correlate Events; Consolidate Logs
ESM: Delivering on the Promise

[Figure: Big Security Data DB at the centre, surrounded by Meaningful Intelligence, Rapid Response, Continuous Compliance and Exceptional Value]
Different From the Ground Up …
The McAfee SIEM Event Database
• High-speed database used extensively throughout the US DOD and DOE
• Award-winning Sage/AdaSage technology
• 15 years and over $30M invested in development at the Idaho National Laboratory (INL)
• Purpose-built for rapid streaming of security events
• Up to 100,000 database insertions per second
• Custom fields & data definitions specific to security events
• Rich event taxonomy with 16 indexes
• Provides event-data warehousing with a minimal HW footprint
• Facilitates real-time Business Intelligence for Security & Compliance
• Perfected during ~300 man-years of joint development
Log Management and Search

Investigate
• See log frequencies
• Search for logs

[Figure: architecture stack with one layer: Log Management]

INVESTIGATE LOGS AFTER THE FACT
Legacy SIEM

Visualize, Investigate
• See log frequencies
• Search for logs
• Correlate events

Context sources: Device and Application Log Files; Authentication and IAM; Events from Security Devices and Endpoints; User Identity; Location; VA Scan Data; Network Flows; Time; OS Events

[Figure: architecture stack with two layers: Traditional Context over Log Management]

DETECTION OF KNOWN SUSPICIOUS PATTERNS
Content Awareness

Visualize, Investigate, Respond
• See log frequencies
• Search for logs
• Correlate events
• What data is involved?
• Who is doing it?

• Flows indicate frequency but miss the what, who and how
• Application and Database complete the picture
• Application logging inhibited by performance
• Database logging inhibited by politics

[Figure: architecture stack with three layers: Content Aware (Applications, Database) over Traditional Context over Log Management]
ESM Fulfills Today’s SIEM Needs

Visualize, Investigate, Respond (OPTIMIZED)
• See log frequencies
• Search for logs
• Correlate events
• What data is involved?
• Who is doing it?
• Are they a bad actor?
• What is the risk of the system?
• What is the risk of the user?

Advanced Correlation Engine
• GLOBAL THREAT LANDSCAPE: Threat intelligence feed; Immediate alerting; Historical Analysis
• ENTERPRISE RISK LANDSCAPE (Risk Advisor, ePolicy Orchestrator): Vulnerabilities; Countermeasures; Individuals

Optimized workflow:
1. Shut down bad actor
2. Analyze last year’s events
3. Compliance issue identified
4. Investigate high risk system

[Figure: architecture stack with four layers: Dynamic Content over Content Aware (Applications, Database) over Traditional Context over Log Management, on a Scalable Architecture backed by the Big Security Data DB and High Speed Intelligent Correlation]
GTI with SIEM Delivers Even Greater Value

Sorting Through a Sea of Events…
• Have I Been Communicating With Bad Actors?
• Which Communication Was Not Blocked?
• What Specific Servers/Endpoints/Devices Were Breached?
• Which User Accounts Were Compromised?
• What Occurred With Those Accounts?
• RESPOND: How Should I Respond?

Volume at each step: 200M events → 18,000 alerts and logs → Dozens of endpoints → Handful of users → Specific files breached (if any) → Optimized response
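The funnel on this slide, narrowing a sea of events to a specific response, as an added Python example that is not part of the original deck or of McAfee's product: it runs the six stages over a constructed key=value event sample and a constructed reputation list standing in for a GTI feed. The event format, the field names and the one-hour logon window are assumptions.

```python
"""Event-to-response triage funnel over constructed SIEM events.

Constructed example, not McAfee/NitroSecurity code. Stages follow the slide:
events -> bad-actor communications -> not blocked -> breached hosts ->
compromised users -> files touched -> response.
"""
from datetime import datetime, timedelta

# Constructed reputation list (stand-in for a GTI threat-intelligence feed).
BAD_ACTORS = {"203.0.113.7", "198.51.100.23"}

# Constructed events, one per line, ISO-8601 timestamp then key=value fields.
SAMPLE_EVENTS = """\
2012-12-13T08:55:00 type=auth host=ws-05 user=jdoe result=success
2012-12-13T08:57:00 type=auth host=ws-09 user=asmith result=success
2012-12-13T08:58:00 type=auth host=srv-fin user=svc-backup result=success
2012-12-13T09:01:02 type=conn host=ws-05 dst=203.0.113.7 action=ALLOW
2012-12-13T09:01:40 type=conn host=ws-09 dst=203.0.113.7 action=BLOCK
2012-12-13T09:02:10 type=conn host=ws-05 dst=192.0.2.44 action=ALLOW
2012-12-13T09:03:00 type=conn host=srv-fin dst=198.51.100.23 action=ALLOW
2012-12-13T09:05:00 type=file host=ws-05 user=jdoe path=/finance/q4.xlsx op=read
2012-12-13T09:06:00 type=file host=ws-09 user=asmith path=/hr/list.csv op=read
2012-12-13T08:50:00 type=file host=ws-05 user=jdoe path=/tmp/old.txt op=read
"""


def parse_events(text):
    """Parse one key=value event per line into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def bad_actor_comms(events, intel):
    """Stage 1: connections whose destination is on the reputation list."""
    return [e for e in events if e.get("type") == "conn" and e.get("dst") in intel]


def not_blocked(comms):
    """Stage 2: the bad-actor communications the perimeter did not stop."""
    return [e for e in comms if e.get("action") == "ALLOW"]


def breached_hosts(allowed):
    """Stage 3: hosts that completed a session, with their first contact time."""
    first = {}
    for e in allowed:
        first[e["host"]] = min(first.get(e["host"], e["ts"]), e["ts"])
    return first


def compromised_users(events, hosts, window=timedelta(hours=1)):
    """Stage 4: accounts logged on to a breached host within `window` before contact."""
    users = {}
    for e in events:
        if e.get("type") != "auth" or e.get("result") != "success":
            continue
        t0 = hosts.get(e["host"])
        if t0 is not None and t0 - window <= e["ts"] <= t0:
            users.setdefault(e["user"], set()).add(e["host"])
    return users


def files_touched(events, hosts, users):
    """Stage 5: file access by a compromised account on its breached host after contact."""
    hits = []
    for e in events:
        if e.get("type") != "file" or e.get("user") not in users:
            continue
        t0 = hosts.get(e["host"])
        if t0 is not None and e["ts"] >= t0 and e["host"] in users[e["user"]]:
            hits.append((e["user"], e["host"], e["path"]))
    return hits


def triage(text, intel=BAD_ACTORS):
    """Run the whole funnel; return per-stage results and a response list (stage 6)."""
    events = parse_events(text)
    comms = bad_actor_comms(events, intel)
    allowed = not_blocked(comms)
    hosts = breached_hosts(allowed)
    users = compromised_users(events, hosts)
    files = files_touched(events, hosts, users)
    response = [f"isolate host {h}" for h in sorted(hosts)]
    response += [f"reset credentials for {u}" for u in sorted(users)]
    response += [f"review access to {p} by {u}" for u, h, p in files]
    return {
        "events": len(events), "bad_actor_comms": len(comms),
        "not_blocked": len(allowed), "hosts": sorted(hosts),
        "users": sorted(users), "files": files, "response": response,
    }


if __name__ == "__main__":
    for stage, result in triage(SAMPLE_EVENTS).items():
        print(f"{stage}: {result}")
```

On the constructed sample the blocked connection from ws-09 drops out at stage 2, so asmith and the HR file never reach the response list.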
Scalable and Intelligent Architecture

[Figure: layered architecture, top to bottom]
• Intelligence and Operational Efficiency: GTI, ePO, MRA, SIA
• Adaptive Risk Analysis & Historical Correlation: McAfee Advanced Correlation Engine
• Integrated SIEM & Log Management: McAfee Enterprise Security Manager; McAfee Enterprise Log Manager
• Rich App & DB Context: McAfee Application Data Monitor; McAfee Database Event Monitor
• Scalable Collection & Distributed Correlation: McAfee Receivers (Big Security Data DB)
McAfee ESM (NitroSecurity)
Summary Overview
• Founded: 1999
• Description: Nitro develops the industry's fastest analytical tools to identify, correlate and remediate information security threats in minutes instead of hours
• Employees: 120 employees
• Headquarters: Portsmouth, NH. R&D facilities in Idaho Falls.
• Customers: 700+ Active Customers. 30 in Fortune 500. 60% of business through channel. 50% of business in US Federal
• Acquisitions: Acquired Rippletech (log collection and reporting technology) and LogMatrix (analytics technology)
• Financials: 2010 Bookings = $25MM; 50% Growth YoY for trailing 3 years

[Figure: Gartner SIEM MQ]

Notable Customers
[Figure: customer logos]
Customer Case Study: McAfee

OPPORTUNITY
• McAfee (pre-acquisition)
• Internal security / compliance (Plano, TX)
• Major SIEM installed for two years
• “Never completed the initial deployment plan even with multiple $000,000’s of pro services”
• “Can get the log data in, but CANNOT get useful information out”

DECISION
• “Nitro” and Q1 shortlisted
• POC consisted of replicating original deployment plan
• Q1Labs exhibited same performance issues as existing solution
• Nitro is selected

RESULTS
• Deployed and delivering value in 30 days
• 2 appliances outperformed 32 core SIEM deployment
• Eliminated consulting and instrumentation spend on making SIEM work
ESM: True Situational Awareness
• GREATEST ACCURACY IN PINPOINTING THREATS
• FASTEST TIME-TO-RESPOND
• CONTINUOUS COMPLIANCE MONITORING
• COST EFFECTIVE THROUGH LOW TCO AND RAPID TIME-TO-VALUE

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

2012-12-12 Seminar McAfee ESM

  • 1. McAfee ESM: Fulfilling the Promise of SIEM
    Jan Hereijgers, Enterprise Account Manager, SIEM
    December 13, 2012
    McAfee Confidential—Internal Use Only
  • 2. The State of SIEM
    SIEM Promise:
    - Turns Security Data Into Actionable Information
    - Provides an Intelligent Investigation Platform
    - Supports Management and Demonstration of Compliance
    Legacy SIEM REALITY:
    - Antiquated Architectures Force Choices Between Time-to-Data and Intelligence
    - Events Alone Do Not Provide Enough Context to Combat Today’s Threats
    - Complex Usability and Implementation Have Caused Costs To Skyrocket
    NitroSecurity Next Generation SIEM
  • 3. The Big Security Data Challenge
    Billions of Events (APTs, Cloud Data, Insider Anomalies):
    - Multi-dimensional Active Trending; LT Analysis
    - Large Volume Analysis
    Compliance:
    - Historical Reporting
    Thousands of Events (Perimeter):
    - Correlate Events
    - Consolidate Logs
  • 4. ESM: Delivering on the Promise
    - Meaningful Intelligence
    - Rapid Response
    - Big Security Data DB
    - Continuous Compliance
    - Exceptional Value
  • 5. Different From the Ground Up … The McAfee SIEM Event Database
    - High-speed database used extensively throughout the US DOD and DOE
    - Award-winning Sage/AdaSage technology
    - 15 years and over $30M invested in development at the Idaho National Laboratory (INL)
    - Purpose-built for rapid streaming of security events
    - Up to 100,000 database insertions per second
    - Custom fields & data definitions specific to security events
    - Rich event taxonomy with 16 indexes
    - Provides event-data warehousing with a minimal HW footprint
    - Facilitates real-time Business Intelligence for Security & Compliance
    - Perfected during ~300 man-years of joint development
  • 6. Log Management and Search
    Investigate:
    - See log frequencies
    - Search for logs
    Layer: Log Management
    INVESTIGATE LOGS AFTER THE FACT
  • 7. Legacy SIEM
    Visualize, Investigate:
    - See log frequencies
    - Search for logs
    - Correlate events
    Traditional Context sources: Device and Events from Security Devices; Authentication and IAM; User Identity; Application Log Files; Location; Endpoints; VA Scan Data; Network Flows; Time; OS Events
    Layers: Traditional Context, Log Management
    DETECTION OF KNOWN SUSPICIOUS PATTERNS
  • 8. Content Awareness
    Visualize, Investigate, Respond:
    - See log frequencies
    - Search for logs
    - Correlate events
    - What data is involved?
    - Who is doing it?
    Why content matters:
    - Flows indicate frequency but miss the what, who and how
    - Application and Database complete the picture
    - Application logging inhibited by performance
    - Database logging inhibited by politics
    Layers: Content Aware (Applications, Database), Traditional Context, Log Management
  • 9. ESM Fulfills Today’s SIEM Needs
    Visualize, Investigate, Respond:
    - See log frequencies
    - Search for logs
    - Correlate events
    - What data is involved?
    - Who is doing it?
    - Are they a bad actor?
    - What is the risk of the system?
    - What is the risk of the user?
    Advanced Correlation Engine
    Global Threat Landscape:
    - Threat intelligence feed
    - Immediate alerting
    - Historical Analysis
    Enterprise Risk Landscape:
    - Vulnerabilities
    - Countermeasures
    - Individuals
    - Risk Advisor, ePolicy Orchestrator
    Layers: Dynamic Content, Content Aware, Traditional Context, Log Management
  • 10. ESM Fulfills Today’s SIEM Needs (OPTIMIZED)
    Visualize, Investigate, Respond:
    - See log frequencies
    - Search for logs
    - Correlate events
    - What data is involved?
    - Who is doing it?
    - Are they a bad actor?
    - What is the risk of the system?
    - What is the risk of the user?
    Advanced Correlation Engine
    Global Threat Landscape: Threat intelligence feed; Immediate alerting; Historical Analysis
    Enterprise Risk Landscape: Vulnerabilities; Countermeasures; Individuals; Risk Advisor, ePolicy Orchestrator
    Optimized response:
    1. Shut down bad actor
    2. Analyze last year’s events
    3. Compliance issue identified
    4. Investigate high-risk system
    Layers: Dynamic Content, Content Aware (Applications, Database), Traditional Context, Log Management
    Foundation: Big Security Data DB; High Speed Scalable Architecture; Intelligent Correlation
  • 11. GTI with SIEM Delivers Even Greater Value
    Sorting Through a Sea of Events…
    - 200M events and logs → Have I Been Communicating With Bad Actors?
    - 18,000 alerts → Which Communication Was Not Blocked?
    - Dozens of endpoints → What Specific Servers/Endpoints/Devices Were Breached?
    - Handful of users → Which User Accounts Were Compromised?
    - Specific files breached (if any) → What Occurred With Those Accounts?
    - Optimized response → How Should I Respond? RESPOND
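The funnel on slide 11, and the "are they a bad actor / what is the risk of the system" questions on slides 9 and 10, describe one triage workflow: match outbound connections against a threat-intelligence list, keep the ones the perimeter let through, pivot to the endpoints and accounts involved, then rank by asset risk. The block below is an added example of that workflow in plain Python; it is not code from the deck, from McAfee ESM or from GTI. The bad-actor list, the vulnerability-scan severities, the field names and the five sample events are all constructed for the example (TEST-NET addresses, invented host and user names).

```python
"""Threat-intel triage funnel over constructed SIEM events (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-in for a threat-intelligence feed; TEST-NET addresses, not real indicators.
BAD_ACTORS = {"198.51.100.23", "203.0.113.9"}

# Constructed vulnerability-scan context: host -> severity of its worst open finding.
VA_SCAN = {"ws-042": 9.1, "ws-107": 2.0, "db-01": 7.5}


@dataclass(frozen=True)
class Event:
    ts: str
    host: str       # source endpoint
    user: str       # account logged on at that host (authentication/IAM context)
    dst: str        # destination address from the firewall/proxy record
    action: str     # "allow" or "deny" as decided by the perimeter device
    path: str = ""  # file accessed on the host (endpoint/application record), if any


# Constructed sample events standing in for the normalized event store.
EVENTS = [
    Event("2012-12-13T09:00:01", "ws-042", "jdoe", "198.51.100.23", "deny"),
    Event("2012-12-13T09:00:05", "ws-042", "jdoe", "198.51.100.23", "allow", "/finance/q4.xlsx"),
    Event("2012-12-13T09:02:11", "ws-107", "asmith", "203.0.113.9", "allow"),
    Event("2012-12-13T09:03:40", "db-01", "svc-etl", "192.0.2.50", "allow", "/var/lib/db/orders.db"),
    Event("2012-12-13T09:05:00", "ws-042", "jdoe", "192.0.2.77", "allow"),
]


def triage(events):
    """Run the funnel and return each stage's result, from widest to narrowest."""
    # Have I been communicating with bad actors?  -> alerts
    alerts = [e for e in events if e.dst in BAD_ACTORS]
    # Which communication was not blocked?        -> successful connections
    succeeded = [e for e in alerts if e.action == "allow"]
    # Which endpoints were breached? Which accounts were compromised?
    hosts = {e.host for e in succeeded}
    users = sorted({e.user for e in succeeded})
    # What occurred with those accounts? Pivot back into the full store for file activity.
    files = defaultdict(set)
    for e in events:
        if e.host in hosts and e.user in users and e.path:
            files[e.user].add(e.path)
    # Rank breached hosts by scan severity so the response starts with the riskiest system.
    ranked = sorted(hosts, key=lambda h: VA_SCAN.get(h, 0.0), reverse=True)
    return {
        "events": len(events),
        "alerts": len(alerts),
        "not_blocked": len(succeeded),
        "hosts": ranked,
        "users": users,
        "files": {u: sorted(p) for u, p in files.items()},
    }


def response_plan(events):
    """Turn the funnel output into an ordered action list: cut the bad actor off first."""
    result = triage(events)
    seen = sorted({e.dst for e in events if e.dst in BAD_ACTORS})
    plan = [f"block {ip} at the perimeter" for ip in seen]
    plan += [f"isolate {h} (scan severity {VA_SCAN.get(h, 0.0)})" for h in result["hosts"]]
    plan += [f"reset credentials for {u}" for u in result["users"]]
    return plan


if __name__ == "__main__":
    for stage, value in triage(EVENTS).items():
        print(f"{stage:>12}: {value}")
    print("\n".join(response_plan(EVENTS)))
```

Two practitioner caveats the slide's funnel glosses over. First, the "not blocked" stage narrows the response queue, but a denied connection to a known bad actor is still an indicator that the source host is running something it should not; ws-042's denied attempt here would have warranted a look even without the later allowed one. Second, the file pivot only works if endpoint or application records carry the same host and user keys as the perimeter records, which is exactly the normalization and context-joining work the deck attributes to the SIEM.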
  • 12. Scalable and Intelligent Architecture
    - Intelligence and Operational efficiency: GTI, ePO, MRA, SIA
    - Adaptive Risk Analysis & Historical Correlation: McAfee Advanced Correlation Engine
    - Integrated SIEM & Log Management: McAfee Enterprise Security Manager, McAfee Enterprise Log Manager
    - Rich App & Data Context: McAfee Application Data Monitor, McAfee Database Event Monitor
    - Scalable Collection & Distributed Correlation: McAfee Receivers
    - Big Security Data DB
  • 13. McAfee ESM (NitroSecurity) Summary
    Overview (Gartner SIEM MQ):
    - Founded: 1999
    - Description: Nitro develops the industry's fastest analytical tools to identify, correlate and remediate information security threats in minutes instead of hours
    - Employees: 120
    - Headquarters: Portsmouth, NH. R&D facilities in Idaho Falls.
    - Customers: 700+ active customers. 30 in Fortune 500. 60% of business through channel. 50% of business in US Federal.
    - Acquisitions: Acquired Rippletech (log collection and reporting technology) and LogMatrix (analytics technology)
    - Financials: 2010 Bookings = $25MM; 50% growth YoY for trailing 3 years
    Notable Customers
  • 14. Customer Case Study: McAfee
    OPPORTUNITY:
    - Internal security / compliance (Plano, TX)
    - Major SIEM installed for two years
    - “Never completed the initial deployment plan even with multiple $000,000’s of pro services”
    - “Can get the log data in, but CANNOT get useful information out”
    DECISION:
    - “Nitro” and Q1 shortlisted (pre-acquisition)
    - POC consisted of replicating original deployment plan
    - Q1Labs exhibited same performance issues as existing solution
    - Nitro is selected
    RESULTS:
    - Deployed and delivering value in 30 days
    - 2 appliances outperformed 32-core SIEM deployment
    - Eliminated consulting and instrumentation spend on making SIEM work
  • 15. ESM: True Situational Awareness
    - GREATEST ACCURACY IN PINPOINTING THREATS
    - FASTEST TIME-TO-RESPOND
    - CONTINUOUS COMPLIANCE MONITORING
    - COST EFFECTIVE THROUGH LOW TCO AND RAPID TIME-TO-VALUE