1. Proprietary and CONFIDENTIAL. Do Not Distribute. © 2020 Optiv Security Inc. All Rights Reserved.
BUILDING ELASTIC INTO SECURITY OPERATIONS
Todd Weber – CTO @ Optiv
2.
Todd Weber
Chief Technology Officer
4.
Engagement models: Co-Source, Managed Service, and As-a-Service. Each follows the same lifecycle: ASSESS, IMPLEMENT, MANAGE, CONSUME.

Co-Source (Consulting)
A value-driven consulting engagement aimed to improve development efficiency, security and quality of a client’s organization.
Engagement Scope: Program, Project Based, and Fusion Center
Elastic Tech: Any component of Elastic Ecosystem against any use case.
XPACK: All XPACK Features and All Subscription Levels
Value Prop:
• SIEM / Security Analytics Replacement
• SIEM / Security Analytics Augmentation
• Data Lifecycle Management
• Infrastructure Analytics
• Business Analytics
• Data Value Extraction
• Application Development
• Big Data Ecosystem (Exploratory, Expository Analysis)

Managed Service (OEM)
An innovative engagement model that maximizes outputs from outsourcing management of technology and outcomes.
Engagement Scope: Remote off-premise services to manage, monitor and use on or off premise technology
Elastic Tech: Elastic Stack – Data Fabric and Managed Elastic for Security, ECE, Elastic Cloud
XPACK: Platinum Subscription Level
Value Prop:
• SIEM / Security Analytics
• SIEM / Security Analytics Augmentation
• Business Analytics
• Data Value Extraction

As-a-Service (Tiered Support)
Solutions delivered to users over a network, hosted in the cloud. Focused on outcomes and ease of use. Typically a model driven through subscription, consumption, or outcome.
Engagement Scope: Solutions delivered to users over a network, hosted in the cloud, with underlying technology obfuscated from end client. Focused on outcomes and ease of use. Typically a model driven through subscription, consumption, or outcome.
Elastic Tech: Elastic Cloud – Data Fabric, Elastic Stack in Cloud
XPACK: Platinum Subscription Level
Value Prop:
• SIEM / Security Analytics
• Business Analytics
• Data Value Extraction
5. WHAT ARE THE COMMON PROBLEMS WE ALL FACE?

COST EFFECTIVENESS
New operational frameworks can help lower cost by operating more efficiently and reducing platform maintenance costs. Tiered, predictable data storage costs are not provided.

LACK OF FLEXIBILITY
Data management solutions need to be able to easily export raw data into new platforms or formats and to add new log sources.

LACK OF EFFICIENCY & EFFICACY
It is inherently inefficient to review alerts and gather data from several systems for every new alert.

DATA VISIBILITY
Missing data, uncurated data, lack of visibility and observability, lack of democratization, failure to drive value, data silos.

LACK OF EXTENSIBILITY
New sources or changes to existing sources are gated by the vendor and its support.

PERFORMANCE
Limited EPS (events per second) into the ingest and correlation engine inhibits performance, as does search performance.
6. HOW THE INDUSTRY FEELS
(Figure: three panels, Security Tools, Executives, Analysts)
7. THE DATA FABRIC FRAMEWORK PROCESS
Set a Foundation + Organize into Outcomes and Integrate + Assemble and Run = Approach
8. DATA FABRIC
(Diagram labels: Data Sources: SIEM Data, Cloud Monitoring, Network, Endpoint, Vulnerabilities, Threat, TPRM, Business Data (ex. Click-stream); Data Lifecycle Management; SIEM/Search/Hunt; OandA; Notebooks; Data Science Engine; Control Hub; External Security Tools or Technologies; roles: Data Engineer, Security Analyst, Data Scientist.)

Data sources are identified for both security and business use cases. Data pipelines come pre-built with many different connectors; others are quickly developed and reusable. Data collection agent(s) are shipped with the solution. Data is aggregated in the Data Flow Management (DFM) component. Pipelines are built, along with data management alerts, to handle data drift, data SLA components, normalization, data enrichment, and conversion into the appropriate data model for organizational consumption in any relevant app.

Control Hub provides a management plane for data engineers to create a low-code or no-code data lifecycle management workflow, so that organizational analysts can consume changes to upstream sources as organizations evolve their consumption needs for security and business.

Search/Hunt provides a centralized data repository to enable low-latency search and exploratory and expository data analysis. Alerts, anomaly detection, graph relationships, monitoring, logging, geo-location, APM, and the Optiv 200 security use cases are included for SIEM augmentation or replacement.

SIEM/Hunt comes with powerful visualizations. Optiv provides out-of-the-box visualizations to support many security use cases and the ability to extend how users consume data to solve for the business needs of the CIO, CDO, and other executive leadership initiatives.

SOAR is the orchestration engine that powers the DFSB solution. Create playbooks to take action on data either through security remediation or business-specific logic. Case management and end-to-end visibility of the security program are provided through this capability.

A DSE (Data Science Engine) enables security analytics for the DFSB solution. Apply many out-of-the-box machine learning algorithms to security use cases. Manage, test and refine business-related streaming analytics. Capable of supporting large data volumes at extremely high speeds.

The analyst workbench combines the power of machine learning and analytics with shareable visualizations and workspaces to further refine extracting value out of security and business data. Friendly and easy to use for both developers and analysts.

Whether you are a security analyst, business analyst, data scientist, data engineer, ops SME, or executive, the Optiv DFSB has the power to provide you the capability and answers needed to successfully solve for both security and business data value extraction…and action.
9. ThreatDNA™ REFERENCE ARCHITECTURE
(Diagram labels: Client On Premise Log Sources and Client Cloud Log Sources (Cloud Suite, Email, IaaS/PaaS/SaaS, CASB, SIEM, Network, Endpoint); ThreatDNA™ Edge; Optiv ThreatDNA™ Platform and Data Lake; Optiv SOC and Intelligence Operations Teams; Optiv SOC Detection and Response Team: Event Triage and Investigation, Tuning Recommendations, Reputation Management, Incident Handling, Escalation, Threat Blocking and Containment, Remediation Recommendations, Proactive Threat Hunting, Data Trending and Analysis; Optiv ThreatBeatSM; Optiv Client Portal / API: Reporting, SOC Dashboard, Alternative Escalation and Notification Channels.)