Webinar: Vulnerability Management leicht gemacht – mit Splunk und Qualys
•Transferir como PPTX, PDF•
1 gostou•1,922 visualizações
Webinar: Vulnerability Management leicht gemacht mit Splunk und Qualys
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Destaque
Destaque (17)
Semelhante a Webinar: Vulnerability Management leicht gemacht – mit Splunk und Qualys
Semelhante a Webinar: Vulnerability Management leicht gemacht – mit Splunk und Qualys (20)
Mais de Georg Knon
Mais de Georg Knon (20)
Último
Último (20)
Webinar: Vulnerability Management leicht gemacht – mit Splunk und Qualys
- 1. Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk, Inc. Vulnerability Management leicht gemacht mit Splunk und Qualys
- 2. Copyright © 2014 Splunk, Inc. Ihr Webcast Team 2 Kai-Ping Seidenschnur Senior Sales Engineer kseidenschnur@splunk.com Thomas Wendt Technical Account Manager twendt@qualys.com
- 3. Copyright © 2014 Splunk, Inc. Agenda 3 • Splunk kurzer Überblick • Qualys Vulnerability Management • Demo Qualys VM • Demo Auswertung mit Splunk • Q&A
- 4. Copyright © 2014 Splunk, Inc. GPS, RFID, Hypervisor, Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases Splunk: Platform For Machine Data Report and analyze Custom dashboards Monitor and alert Ad hoc search Splunk storage Real-time Machine Data Sensors, Telematics, Storage, Servers, Security devices, Desktops, CDRs Developer Platform Other Big Data stores 4
- 5. Copyright © 2014 Splunk, Inc. Splunk is Used Across IT and the Business IT Ops Security Compliance App Mgmt Web Intelligence Business Analytics 5
- 6. Copyright © 2014 Splunk, Inc. Splunk Security Use Cases More than a SIEM; a Security Intelligence Platform 6 IT Operations Applicatio n Delivery Business Analytics Industrial Data and Internet of Things Business Analytics Industrial Data and Internet of Things Security, Compliance, and Fraud SECURITY & COMPLIANCE REPORTING MONITORING OF KNOWN THREATS ADVANCED THREAT DETECTION INCIDENT INVESTIGATIO NS & FORENSICS FRAUD DETECTION INSIDER THREAT AV CLEAN UP VERIFICATIO N USER ACTIVITY MONITORING ALERT & MALWARE VALIDATIO N MALWARE & MALICIOUS CALLBACKS EMAIL ATTACK DETECTION
- 7. Copyright © 2014 Splunk, Inc. 120+ security appsSplunk App for Enterprise Security Products: Splunk Enterprise + Apps Palo Alto Networks Qualys App FireEye Blue Coat Proxy SGTHOR Cisco Security Suite Active Directory F5 Security Juniper Sourcefire Snort Asset Discovery 7
- 8. Copyright © 2014 Splunk, Inc. Warum zeitnahes Patchen? 8
- 9. Copyright © 2014 Splunk, Inc. Qualys Introduction
- 10. Corporate Presentation Thomas Wendt Continuous Security for a Global World
- 11. Qualys at a Glance 11 6,700+ Customers 100+ Countries $108M 2013 Revenues QualysGuard Cloud Platform & Suite of Integrated Solutions
- 12. Continuous and Unified View of Security and Compliance Application Engines ASSET DISCOVERY NETWORK SECURITY WEB APP SECURITY THREAT PROTECTION COMPLIANC E MONITORIN G Passive Physical Virtual Cloud Mobile Agent Sensors
- 13. Delivering Continuous Security Physical Data Centers Virtual Data Centers Remote Offices Mobile Users Cloud Data Centers
- 14. Qualys Cloud Platform On Premise Same Codebase Qualys Managed Disconnected (2015) On EC2 and AZURE (2015) VMware ESX and ESXi 24x7x365 Monitoring and Support Daily Vulnerability Feeds Bi-quarterly Platform Updates SOC
- 15. Platform Evolution Vulnerability Management Policy Compliance PCI Compliance Web Application Scanning Web Application Firewall 16
- 16. Qualys Extensible Cloud Back-End 1+ Billion scans 50+ Billion detections 400+ Billion security data points
- 17. 2015 New Services Delivery 18 CONTINUOUS ASSET DISCOVERY NETWORK SECURITY WEB APP SECURITY THREAT PROTECTION COMPLIANCE MONITORING Gartner (June) - Continuous Asset Discovery and Categorization Module with integration with CMDB (ServiceNow) February - Continuous Monitoring of Critical Assets (Internal) March – Splunk Integration RSA (April) – Cloud Agent for VM (Windows servers and clients) February – Progressive Scanning for large Web Applications RSA (April) – Web Application Firewall 2.0 with virtual patching and dedicated hardware appliance Gartner (June) - Log Management and Data Analytics Module BlackHat (July) – Advanced Malware Protection Service with sandboxing, automated malware analysis and asset correlation RSA (April) – Cloud Agent for Policy Compliance
- 18. New Products 19 Cloud Agent Provides a new platform for continuous assessment of your security posture on laptops, workstations and servers, leveraging existing Qualys Cloud Suite applications such as VM, PC, and CM. Log Management Our security-focused SIEM which aligns with our threat protection initiative, allowing for a single-pane of glass view of events captured by our various sensors. Malware Protection Service Opens a new chapter for the detection of malware and the many advantages Qualys provides by correlating results with other data sources from the rich suite of products Passive Scanning A new paradigm on asset discovery ensuring an accurate method for network discovery and automated asset classification dynamically re-building your logical platform while multiplying the feature set of options available in the Qualys platform Updates run on a new cycle every weeks ensuring at the very minimum new version iterations every calendar year. 8 6
- 19. Continuous Perimeter Monitoring New paradigm for VM Data/Event Alerts 20
- 20. Qualys Cloud Agent Platform Visibility Across Globally Distributed Networks 2 1 • Light-weight agent (1MB) for on premise systems dynamic cloud environments mobile endpoints built to scale to millions of devices • Centrally managed, self updating 2 1
- 21. Unique Advantages of a Cloud Based Delivery Model GLOBAL DELIVERYUNIFIED BEST OF BREED SOLUTIONS CONTEXTUAL CORRELATION SPEED & ACCURACY LOWER TCO FASTER TIME TO MARKET 2 2
- 22. Thank You
- 23. Copyright © 2014 Splunk, Inc. Qualys Demo
- 24. Copyright © 2014 Splunk, Inc. Challenges Vulnerabillity Management is often a manuel proccess in Organizations Vulnerability Management is most of the time seen as responsability of one departement Often priorities of other topics are on top The risk is not always seen or properly scored No correlation of vulnerable systems to other security solutions 25
- 25. Copyright © 2014 Splunk, Inc. Splunk, The Platform For Machine Data Report and analyze Custom dashboards Monitor and alert Ad hoc search Real-time Machine Data 26 Developer Platform Lookups & Context Threat feeds Asset Info Employee Info Data stores Network Segments / Honeypots
- 26. Copyright © 2014 Splunk, Inc. Qualys App for Splunk Enterprise 27 • Single pane of glass visual of Qualys scans & data • Built-in sample Reports/Dashboards • Search VM scan data and corresponding meta-data • Leverage Splunk search to find trends and correlate with other data sources
- 27. Copyright © 2014 Splunk, Inc. Splunk Demo
- 28. Copyright © 2014 Splunk, Inc. Qualys & Splunk 29 Real-time monitoring of Vulnerability scans data in Splunk Enterprise Correlation of Qualys scan data with other data sources in Splunk – Improve Security Posture: Risk scores, KSI – Mitigate against threat vectors
- 29. Copyright © 2014 Splunk, Inc. Qualys & Splunk Benefits Splunk Enterprise Security can be used as consistent, repeatable and measurable proccess. Vulnerability Management and awareness can be distributed to system owners for reaction and management with Security KPI‘s for monitoring Attacks from IDS/IPS Solutions against vulnerable systems can be correlated and risk can be made visible (you‘ll see a visualization from NASDAQ in a minute) 30
- 30. Copyright © 2014 Splunk, Inc. Sample Nasdaq - Heartbleed
- 31. Copyright © 2014 Splunk, Inc. Contact Us 32 Kai-Ping Seidenschnur Senior Sales Engineer kseidenschnur@splunk.com Thomas Wendt Technical Account Manager twendt@qualys.com Free Qualys Trial: www.qualys.com Free Qualys Splunk App: Apps.splunk.com
- 32. Copyright © 2014 Splunk, Inc. Thank you!
Notas do Editor
- Splunk can ingest any type of machine data, from any source in real time. These are listed here on the left and are flowing into Splunk for indexing. Once indexed, users can perform the use cases on the top right on the data. They can search through the data, monitor the data and be alerted in real-time if scheduled search parameters are met. The raw data can be aggregated in seconds for custom reports and dashboards. Also Splunk is a platform that developers can build on. It uses a well documented Rest API and several SDKs so developers and external; applications can directly access and act on the data within Splunk. Lastly, besides indexing raw data into its flat file data store, Splunk can also retrieve and index data that resides in other data stores such as a SQL database or Hadoop.
- Splunk enables many use cases. We are drilling into the red box, or security. Key is you put data into Splunk *once* and then use it for many use cases. This enables a strong ROI.
- Make sure to stress we are a Security Intelligence Platform and we can meet their needs these use cases plus more. We are more than a SIEM in that we are much more flexible and also can be used for use cases outside of security. Highlight that many customers already have a SIEM and are generally happy with it. But they do have some pain with current SIEM….maybe it struggles getting in non-security data, maybe it has limited search/reporting capabilities, etc. In these cases, Splunk can happily complement their SIEM. They perhaps use their existing SIEM for alerting, and they then log into Splunk to do the investigation, etc. But key point is that we can easily complement or replace a SIEM.
- 1 solution for Splunk for Security, but 3 offerings. At bottom is Splunk Enterprise, our core product. Every Splunk deployment includes this as this is where the core indexing and searching resides. Many customers build their own searches/reports/dashboards on top of it. On top of it, optional Apps can be installed. Apps are basically a collection of reports, dashboards, and searches purpose-built for a specific use case or product. Can be built by Splunk, customer, partners and all but a few are free on Splunkbase. Apps are great for customers who want out-of-the-box content and do want to have to build it themselves, and want to extend point solutions. One key App is the Splunk-built Enterprise Security app. It is basically an out-of-the-box SIEM with reports, dashboards, correlation rules, and workflow for security use cases. (It does have a cost though) Besides this app there are over 80 security-centric free Apps on Splunkbase. These are offering 3 and includes the Splunk App for PAN which is in the red box.
- Information from the Verizon Data Breach Report 2015 99,9% of the exploited vulnerabilities seen did focus on vulnerabilities that have been known 1 year or longer. In the line diagram you can see how long it takes once a CVE is published until the first exploitations can be seen. In generel to be on the safe side you need to patch as soon as possible – but best is within the first 1-2 weeks as the properbility of a exploit goes up each week.
- Qualys is focused on providing security and compliance solutions to Enterprises around the world Qualys reported $91 million in revenues for 2012 and now has over 6,000 enterprise customers in over 100 countries What distinguishes Qualys? Cloud platform and SaaS business model
- Talk about sensors
- This year, Qualys will be bringing several new product initiatives into production: Qualys also has an internal process for improving existing products enhancing synergies among applications.
- What is it?
- Splunk can ingest any type of machine data, from any source in real time. These are listed here on the left and are flowing into Splunk for indexing. Once indexed, users can perform the use cases on the top right on the data. They can search through the data, monitor the data and be alerted in real-time if scheduled search parameters are met. The raw data can be aggregated in seconds for custom reports and dashboards. Also Splunk is a platform that developers can build on. It uses a well documented Rest API and several SDKs so developers and external; applications can directly access and act on the data within Splunk. Also, besides indexing raw data into its flat file data store, Splunk can also retrieve and index data that resides in other data stores such as a SQL database or Hadoop. Splunk can easily ingest external data to enrich existing data Splunk has indexed to increase accuracy and reduce false positives. This external could come from a wide range of sources outlined on this slide. It includes employee information from AD, asset information from a CMDB, blacklists of bad external IPs from 3rd-party threat intelligence feeds, IP ranges of critical internal networks (like a PCI-related credit cardholder environment) or a decoy honeypot, NetFlow data in Hadoop, and more. Correlation searches can include this external content. So for example Splunk can alert you if a low-level employee accesses a file share with critical data, but not if the file share has harmless data. Or Splunk can alert you if a user name is used specifically for an employee who no longer works for your organization. These are especially high-risk events. The Splunk for security offerings start with our big data core platform called Splunk Enterprise. On top of this platform, Apps can be installed. Apps contain pre-built searches, reports, and visualizations for third-party security products or specific use cases. Over 600 Apps are available for free via Splunk.com, with more than 200 specifically for security.
- Real-time monitoring of Vulnerability scans data in Splunk Enterprise eliminate vulnerabilities patch cycles Correlation of Qualys scan data with other data sources in Splunk Improve Security Posture: Risk scores, KSI track performance of patches against attacks