McAfee ESM
Fulfilling the Promise of SIEM

Jan Hereijgers
Enterprise Account Manager, SIEM

December 13, 2012

McAfee Confidential—Internal Use Only
The State of SIEM

SIEM Promise:
• Turns Security Data Into Actionable Information
• Provides an Intelligent Investigation Platform
• Supports Management and Demonstration of Compliance

Legacy SIEM REALITY:
• Antiquated Architectures Force Choices Between Time-to-Data and Intelligence
• Events Alone Do Not Provide Enough Context to Combat Today’s Threats
• Complex Usability and Implementation Have Caused Costs To Skyrocket

NitroSecurity Next Generation SIEM   McAfee Confidential—Internal Use Only
The Big Security Data Challenge

[Figure: event-volume scale, from thousands of events at the bottom to billions at the top]

Billions of Events
• APTs, Cloud Data, Insider Anomalies: Multi-dimensional Active Trending; LT Analysis; Large Volume Analysis
• Compliance: Historical Reporting

Thousands of Events
• Perimeter: Correlate Events; Consolidate Logs
ESM: Delivering on the Promise

[Figure: Big Security Data DB at the centre, surrounded by four outcomes]
• Meaningful Intelligence
• Rapid Response
• Continuous Compliance
• Exceptional Value
Different From Ground Up …
The McAfee SIEM Event Database

• High-speed database used extensively throughout the US DOD and DOE
• Award-winning Sage/AdaSage technology
• 15 years and over $30M invested in development at the Idaho National Laboratory (INL)
• Purpose-built for rapid streaming of security events
• Up to 100,000 database insertions per second
• Custom fields & data definitions specific to security events
• Rich event taxonomy with 16 indexes
• Provides event-data warehousing with a minimal HW footprint
• Facilitates real-time Business Intelligence for Security & Compliance
• Perfected during ~300 man-years of joint development
Log Management and Search

Investigate
• See log frequencies
• Search for logs

[Layer: Log Management]

INVESTIGATE LOGS AFTER THE FACT
Legacy SIEM

Visualize, Investigate
• See log frequencies
• Search for logs
• Correlate events

Context sources: Device and Application Log Files; Authentication and IAM; Events from Security Devices and Endpoints; User Identity; Location; VA Scan Data; Network Flows; Time; OS Events

[Layers: Traditional Context over Log Management]

DETECTION OF KNOWN SUSPICIOUS PATTERNS
Content Awareness

Visualize, Investigate, Respond
• See log frequencies
• Search for logs
• Correlate events
• What data is involved?
• Who is doing it?

• Flows indicate frequency but miss the what, who and how
• Application and Database complete the picture
• Application logging inhibited by performance
• Database logging inhibited by politics

[Layers: Content Aware (Applications, Database) over Traditional Context over Log Management]
ESM Fulfills Today’s SIEM Needs

Visualize, Investigate, Respond
• See log frequencies
• Search for logs
• Correlate events
• What data is involved?
• Who is doing it?
• Are they a bad actor?
• What is the risk of the system?
• What is the risk of the user?

Advanced Correlation Engine
  GLOBAL THREAT LANDSCAPE
  • Threat intelligence feed
  • Immediate alerting
  • Historical Analysis
  ENTERPRISE RISK LANDSCAPE
  • Vulnerabilities
  • Countermeasures
  • Individuals
  (fed by Risk Advisor and ePolicy Orchestrator)

[Layers: Dynamic Content over Content Aware over Traditional Context over Log Management]

ESM Fulfills Today’s SIEM Needs (OPTIMIZED)

Same layered model as the previous slide, with the full stack labelled: Big Security Data DB, Scalable Architecture, High Speed Intelligent Correlation; the Content Aware layer spans Applications and Database.

Example workflow:
1. Shut down bad actor
2. Analyze last year’s events
3. Compliance issue identified
4. Investigate high-risk system
GTI with SIEM Delivers Even Greater Value

Sorting Through a Sea of Events…
• Have I Been Communicating With Bad Actors?               200M events
• Which Communication Was Not Blocked?                     18,000 alerts and logs
• What Specific Servers/Endpoints/Devices Were Breached?   Dozens of endpoints
• Which User Accounts Were Compromised?                    Handful of users
• What Occurred With Those Accounts?                       Specific files breached (if any)
• RESPOND: How Should I Respond?                           Optimized response
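The funnel on this slide, as an added example that is not code from the deck or from McAfee ESM: a small Python model that narrows constructed sample events stage by stage, with BAD_ACTORS standing in for a GTI-style reputation feed. The record schema, hosts, accounts, file paths and addresses are all constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One normalised SIEM record (constructed schema, not the McAfee ESM taxonomy)."""
    kind: str          # "net" (flow/proxy), "auth" (logon), or "file" (content access)
    host: str          # endpoint that generated the event
    user: str          # account involved
    dst_ip: str = ""   # destination address, "net" events only
    action: str = ""   # "allowed" or "blocked", "net" events only
    path: str = ""     # file touched, "file" events only


# Constructed stand-in for a GTI-style reputation feed; RFC 5737 documentation
# addresses, not real indicators.
BAD_ACTORS = {"203.0.113.45", "198.51.100.77"}

# Constructed sample events: a few normal records, some contacts with listed
# bad actors (some blocked by the perimeter, some not), logons on the affected
# endpoints, and file access by the accounts seen there.
SAMPLE_EVENTS = [
    Event("net", "ws-001", "bob", dst_ip="192.0.2.10", action="allowed"),
    Event("net", "ws-002", "carol", dst_ip="192.0.2.11", action="allowed"),
    Event("net", "ws-017", "alice", dst_ip="203.0.113.45", action="blocked"),
    Event("net", "ws-017", "alice", dst_ip="203.0.113.45", action="allowed"),
    Event("net", "ws-042", "dave", dst_ip="198.51.100.77", action="allowed"),
    Event("net", "ws-099", "erin", dst_ip="198.51.100.77", action="blocked"),
    Event("auth", "ws-017", "alice"),
    Event("auth", "ws-017", "svc-backup"),
    Event("auth", "ws-042", "dave"),
    Event("auth", "ws-001", "bob"),
    Event("file", "ws-017", "alice", path="/finance/q4-forecast.xlsx"),
    Event("file", "ws-017", "svc-backup", path="/etc/shadow"),
    Event("file", "ws-042", "dave", path="/hr/salaries.csv"),
    Event("file", "ws-001", "bob", path="/home/bob/notes.txt"),
    Event("file", "ws-002", "alice", path="/shared/readme.txt"),
]


def bad_actor_communications(events, bad_actors):
    """Step 1: have I been communicating with bad actors? Keep flows to listed IPs."""
    return [e for e in events if e.kind == "net" and e.dst_ip in bad_actors]


def not_blocked(net_events):
    """Step 2: which of those communications was not blocked?"""
    return [e for e in net_events if e.action != "blocked"]


def breached_endpoints(net_events):
    """Step 3: which endpoints were breached? The sources of the unblocked contacts."""
    return {e.host for e in net_events}


def compromised_accounts(events, endpoints):
    """Step 4: which accounts were compromised? Any account that logged on to a
    breached endpoint, not only the one seen on the flow."""
    return {e.user for e in events if e.kind == "auth" and e.host in endpoints}


def account_activity(events, accounts):
    """Step 5: what occurred with those accounts? Follow the account, not the host,
    so use of a compromised credential on another endpoint is kept."""
    return [e for e in events if e.kind == "file" and e.user in accounts]


def response_plan(reached_ips, endpoints, accounts):
    """Step 6: how should I respond? Containment actions derived from the funnel."""
    plan = [f"block {ip} at the perimeter" for ip in sorted(reached_ips)]
    plan += [f"isolate endpoint {h}" for h in sorted(endpoints)]
    plan += [f"disable and re-credential account {u}" for u in sorted(accounts)]
    return plan


def triage(events, bad_actors):
    """Run the whole funnel and return the narrowed result at each stage."""
    contacts = bad_actor_communications(events, bad_actors)
    unblocked = not_blocked(contacts)
    endpoints = breached_endpoints(unblocked)
    accounts = compromised_accounts(events, endpoints)
    files = account_activity(events, accounts)
    # Only the bad actors actually reached, not the whole feed, go into the plan.
    reached = {e.dst_ip for e in unblocked}
    return {
        "events": len(events),
        "bad_actor_contacts": len(contacts),
        "not_blocked": len(unblocked),
        "endpoints": sorted(endpoints),
        "accounts": sorted(accounts),
        "files": sorted(e.path for e in files),
        "response": response_plan(reached, endpoints, accounts),
    }


if __name__ == "__main__":
    for stage, value in triage(SAMPLE_EVENTS, BAD_ACTORS).items():
        print(f"{stage:>20}: {value}")
```

Note that the fourth and fifth stages deliberately widen again before narrowing: every account that touched a breached endpoint is suspect, and its activity is followed across hosts, which is the "what occurred with those accounts" question the slide asks.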
Scalable and Intelligent Architecture

[Figure: layered architecture, top to bottom]
• Intelligence and Operational efficiency: GTI, ePO, MRA, SIA
• Adaptive Risk Analysis & Historical Correlation: McAfee Advanced Correlation Engine
• Integrated SIEM & Log Management: McAfee Enterprise Security Manager; McAfee Enterprise Log Manager
• Rich App & DB Context: McAfee Application Data Monitor; McAfee Database Event Monitor
• Scalable Collection & Distributed Correlation: McAfee Receivers; Big Security Data DB
McAfee ESM (NitroSecurity)

Summary Overview
• Founded: 1999
• Description: Nitro develops the industry's fastest analytical tools to identify, correlate and remediate information security threats in minutes instead of hours
• Employees: 120 employees
• Headquarters: Portsmouth, NH. R&D facilities in Idaho Falls.
• Customers: 700+ Active Customers. 30 in Fortune 500. 60% of business through channel. 50% of business in US Federal
• Acquisitions: Acquired Rippletech (log collection and reporting technology) and LogMatrix (analytics technology)
• Financials: 2010 Bookings = $25MM; 50% Growth YoY for trailing 3 years

[Figure: Gartner SIEM MQ]

Notable Customers
[Figure: customer logos]
Customer Case Study: McAfee

OPPORTUNITY
• McAfee (pre-acquisition)
• Internal security / compliance (Plano, TX)
• Major SIEM installed for two years
• “Never completed the initial deployment plan even with multiple $000,000’s of pro services”
• “Can get the log data in, but CANNOT get useful information out”

DECISION
• “Nitro” and Q1 shortlisted
• POC consisted of replicating original deployment plan
• Q1Labs exhibited same performance issues as existing solution
• Nitro is selected

RESULTS
• Deployed and delivering value in 30 days
• 2 appliances outperformed 32 core SIEM deployment
• Eliminated consulting and instrumentation spend on making SIEM work
ESM: True Situational Awareness

• GREATEST ACCURACY IN PINPOINTING THREATS
• FASTEST TIME-TO-RESPOND
• CONTINUOUS COMPLIANCE MONITORING
• COST EFFECTIVE THROUGH LOW TCO AND RAPID TIME-TO-VALUE

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

2012-12-12 Seminar McAfee ESM

  • 1. McAfee ESM: Fulfilling the Promise of SIEM. Jan Hereijgers, Enterprise Account Manager, SIEM. December 13, 2012. McAfee Confidential—Internal Use Only
  • 2. The State of SIEM
      SIEM Promise:
      • Turns Security Data Into Actionable Information
      • Provides an Intelligent Investigation Platform
      • Supports Management and Demonstration of Compliance
      Legacy SIEM REALITY:
      • Antiquated Architectures Force Choices Between Time-to-Data and Intelligence
      • Events Alone Do Not Provide Enough Context to Combat Today’s Threats
      • Complex Usability and Implementation Have Caused Costs To Skyrocket
      (Slide footer: NitroSecurity Next Generation SIEM, McAfee Confidential—Internal Use Only)
  • 3. The Big Security Data Challenge
      Billions of Events:
      • APTs, Cloud Data, Insider Anomalies: Multi-dimensional Active Trending; LT Analysis; Large Volume Analysis
      • Compliance: Historical Reporting
      Thousands of Events:
      • Perimeter: Correlate Events; Consolidate Logs
  • 4. ESM: Delivering on the Promise
      • Meaningful Intelligence
      • Rapid Response
      • Continuous Compliance
      • Exceptional Value
      (all built on the Big Security Data DB)
  • 5. Different From the Ground Up … The McAfee SIEM Event Database
      • High-speed database used extensively throughout the US DOD and DOE
      • Award-winning Sage/AdaSage technology
      • 15 years and over $30M invested in development at the Idaho National Laboratory (INL)
      • Purpose-built for rapid streaming of security events
      • Up to 100,000 database insertions per second
      • Custom fields and data definitions specific to security events
      • Rich event taxonomy with 16 indexes
      • Provides event-data warehousing with a minimal HW footprint
      • Facilitates real-time Business Intelligence for Security & Compliance
      • Perfected during ~300 man-years of joint development
  • 6. Log Management and Search
      Investigate:
      • See log frequencies
      • Search for logs
      Layer: Log Management
      INVESTIGATE LOGS AFTER THE FACT
  • 7. Legacy SIEM
      Visualize, Investigate:
      • See log frequencies
      • Search for logs
      • Correlate events
      Traditional Context sources: Device and Events from Security Devices and Endpoints; Authentication and IAM; User Identity; Application Log Files; Location; VA Scan Data; Network Flows; Time; OS Events
      Layers: Traditional Context; Log Management
      DETECTION OF KNOWN SUSPICIOUS PATTERNS
  • 8. Content Awareness
      Visualize, Investigate, Respond:
      • See log frequencies
      • Search for logs
      • Correlate events
      • What data is involved?
      • Who is doing it?
      Why content matters:
      • Flows indicate frequency but miss the what, who and how
      • Application and Database complete the picture
      • Application logging inhibited by performance
      • Database logging inhibited by politics
      Layers: Content Aware (Applications, Database); Traditional Context; Log Management
  • 9. ESM Fulfills Today’s SIEM Needs
      Visualize, Investigate, Respond:
      • See log frequencies
      • Search for logs
      • Correlate events
      • What data is involved?
      • Who is doing it?
      • Are they a bad actor?
      • What is the risk of the system?
      • What is the risk of the user?
      Advanced Correlation Engine fed by:
      • GLOBAL THREAT LANDSCAPE: Threat intelligence feed; Immediate alerting; Historical Analysis
      • ENTERPRISE RISK LANDSCAPE: Vulnerabilities; Countermeasures; Individuals (via Risk Advisor and ePolicy Orchestrator)
      Layers: Dynamic Content; Content Aware; Traditional Context; Log Management
  • 10. ESM Fulfills Today’s SIEM Needs (OPTIMIZED)
      Visualize, Investigate, Respond:
      • See log frequencies
      • Search for logs
      • Correlate events
      • What data is involved?
      • Who is doing it?
      • Are they a bad actor?
      • What is the risk of the system?
      • What is the risk of the user?
      Advanced Correlation Engine fed by:
      • GLOBAL THREAT LANDSCAPE: Threat intelligence feed; Immediate alerting; Historical Analysis
      • ENTERPRISE RISK LANDSCAPE: Vulnerabilities; Countermeasures; Individuals (via Risk Advisor and ePolicy Orchestrator)
      Example outcomes:
      1. Shut down bad actor
      2. Analyze last year’s events
      3. Compliance issue identified
      4. Investigate high-risk system
      Layers: Dynamic Content; Content Aware (Applications, Database); Traditional Context; Log Management
      Foundation: Big Security Data DB; High-Speed Scalable Architecture; Intelligent Correlation
      (Slide footer: NitroSecurity Next-generation SIEM)
  • 11. GTI with SIEM Delivers Even Greater Value
      Sorting Through a Sea of Events… (each question narrows the scope)
      • Have I Been Communicating With Bad Actors? — 200M events and logs
      • Which Communication Was Not Blocked? — 18,000 alerts
      • What Specific Servers/Endpoints/Devices Were Breached? — Dozens of endpoints
      • Which User Accounts Were Compromised? — Handful of users
      • What Occurred With Those Accounts? — Specific files breached (if any)
      • RESPOND: How Should I Respond? — Optimized response
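The funnel on slide 11 is a staged narrowing: match raw events against a threat-intelligence list, keep only the contacts the egress control did not block, then pivot to the endpoints, accounts and files behind those contacts. The following is an added example by the editor, not McAfee or NitroSecurity code, showing that narrowing over a constructed event sample. The event schema, the field names, the documentation-range IP addresses used as indicators and the sample events are all assumptions made for the example.

```python
"""Staged triage of a constructed event sample against a threat-intel list.

Example code added by the editor, not McAfee/NitroSecurity code. The event
schema, field names, indicator list and sample events are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: str          # ISO-8601 timestamp (constructed)
    host: str        # internal endpoint that generated the event
    user: str        # account active on that endpoint
    dst_ip: str      # remote peer contacted
    action: str      # "allowed" or "blocked", as decided by the egress control
    file: str = ""   # file touched in the same session, if the source logs it


# Constructed indicator list: RFC 5737 documentation addresses, not real IoCs.
BAD_ACTORS = frozenset({"203.0.113.7", "198.51.100.23"})

# Constructed sample events; the mix is chosen so every funnel stage narrows.
SAMPLE_EVENTS: List[Event] = [
    Event("2012-12-13T08:00:01Z", "ws-014", "alice", "192.0.2.10", "allowed"),
    Event("2012-12-13T08:00:05Z", "ws-014", "alice", "203.0.113.7", "blocked"),
    Event("2012-12-13T08:01:12Z", "ws-022", "bob", "203.0.113.7", "allowed",
          "/srv/finance/q4.xlsx"),
    Event("2012-12-13T08:02:40Z", "db-01", "svc_backup", "198.51.100.23", "allowed",
          "/var/lib/db/customers.db"),
    Event("2012-12-13T08:03:03Z", "ws-022", "bob", "203.0.113.7", "allowed"),
    Event("2012-12-13T08:04:19Z", "ws-031", "carol", "192.0.2.44", "allowed",
          "/home/carol/notes.txt"),
    Event("2012-12-13T08:05:50Z", "ws-040", "dave", "198.51.100.23", "blocked"),
]


def triage(events: Iterable[Event], bad_actors: frozenset) -> Dict[str, object]:
    """Run the six questions of the funnel and return every intermediate stage.

    Keeping each stage (rather than only the final answer) lets an analyst
    verify why an endpoint or account ended up in scope.
    """
    events = list(events)
    # Q1: have I been communicating with bad actors?  -> threat-intel matches
    alerts = [e for e in events if e.dst_ip in bad_actors]
    # Q2: which communication was not blocked?        -> contacts that got through
    unblocked = [e for e in alerts if e.action != "blocked"]
    # Q3: which servers/endpoints/devices were breached?
    endpoints = sorted({e.host for e in unblocked})
    # Q4: which user accounts were compromised?
    users = sorted({e.user for e in unblocked})
    # Q5: what occurred with those accounts?          -> files touched, if any
    files = sorted({e.file for e in unblocked if e.file})
    # Q6: how should I respond?  Rank accounts by number of unblocked contacts,
    # so containment starts where the attacker has the most established foothold.
    contacts: Dict[str, int] = {}
    for e in unblocked:
        contacts[e.user] = contacts.get(e.user, 0) + 1
    respond_first = sorted(contacts, key=lambda u: (-contacts[u], u))
    return {
        "events": events,
        "alerts": alerts,
        "unblocked": unblocked,
        "endpoints": endpoints,
        "users": users,
        "files": files,
        "respond_first": respond_first,
    }


def funnel_counts(result: Dict[str, object]) -> List[Tuple[str, int]]:
    """Size of each stage, in funnel order, for a quick sanity check."""
    return [(stage, len(result[stage]))  # type: ignore[arg-type]
            for stage in ("events", "alerts", "unblocked", "endpoints", "users", "files")]


if __name__ == "__main__":
    res = triage(SAMPLE_EVENTS, BAD_ACTORS)
    for stage, n in funnel_counts(res):
        print(f"{stage:>10}: {n}")
    print("respond first:", res["respond_first"])
```

On the constructed sample the seven events shrink to five indicator matches, three unblocked contacts, two endpoints, two accounts and two files; a real deployment applies the same stages to the 200M-event volume on the slide, with the threat-intelligence match (Q1) doing most of the reduction.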
  • 12. Scalable and Intelligent Architecture (layers, top to bottom)
      • Intelligence and Operational Efficiency: GTI, ePO, MRA, SIA
      • Adaptive Risk Analysis & Historical Correlation: McAfee Advanced Correlation Engine
      • Integrated SIEM & Log Management: McAfee Enterprise Security Manager; McAfee Enterprise Log Manager
      • Rich App & DB Context: McAfee Application Data Monitor; McAfee Database Event Monitor
      • Scalable Collection & Distributed Correlation: McAfee Receivers
      • Foundation: Big Security Data DB
  • 13. McAfee ESM (NitroSecurity) Summary Overview
      • Founded: 1999
      • Description: Nitro develops the industry's fastest analytical tools to identify, correlate and remediate information security threats in minutes instead of hours
      • Employees: 120 employees
      • Headquarters: Portsmouth, NH. R&D facilities in Idaho Falls.
      • Customers: 700+ Active Customers. 30 in Fortune 500. 60% of business through channel. 50% of business in US Federal
      • Acquisitions: Acquired Rippletech (log collection and reporting technology) and LogMatrix (analytics technology)
      • Financials: 2010 Bookings = $25MM; 50% Growth YoY for trailing 3 years
      (Figures: Gartner SIEM MQ; Notable Customers)
  • 14. Customer Case Study: McAfee (Internal security / compliance, Plano, TX)
      OPPORTUNITY:
      • Major SIEM installed for two years
      • “Never completed the initial deployment plan even with multiple $000,000’s of pro services”
      • “Can get the log data in, but CANNOT get useful information out”
      DECISION:
      • “Nitro” and Q1 shortlisted (pre-acquisition)
      • POC consisted of replicating original deployment plan
      • Q1Labs exhibited same performance issues as existing solution
      • Nitro is selected
      RESULTS:
      • Deployed and delivering value in 30 days
      • 2 appliances outperformed 32-core SIEM deployment
      • Eliminated consulting and instrumentation spend on making SIEM work
  • 15. ESM: True Situational Awareness
      • GREATEST ACCURACY IN PINPOINTING THREATS
      • FASTEST TIME-TO-RESPOND
      • CONTINUOUS COMPLIANCE MONITORING
      • COST EFFECTIVE THROUGH LOW TCO AND RAPID TIME-TO-VALUE