Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Rapid7 & LogRhythm Webcast: Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Presenters
Dana Wolf, Director of Products, Rapid7
Seth Goldhammer, Director of Product Management, LogRhythm
Speed With Control
Dana Wolf, Director of Products
Meaningful progress in security?
Challenges to Forward Progress
• Lack of relevant, right-time information
• Lack of decision-making framework
• Hard to get others to take action or change
IT Guy: "You mean patch ADOBE? Fix CVE 456?"
• Under-resourced and overstretched
Visibility through the chaos
The Rapid7 Solution: Speed with Control for You
• Brain-dead Simple Remediation
• Time-Saving Automation
Rapid7’s Solution: Security Programs
Decision Making Frameworks (Real Risk, Policy & Compliance)
Offensive Security
Infrastructure
Fingerprinting
Applications
Configuration,
Vulnerability
Content
Remediation
Guidance
Security Program Trending
Security Testing
Business Context
Security Programs
Threat & Exploit Information
Rapid7 & LogRhythm Joint Solutions
Efficiency & Right-Time Information in Monitoring
Rapid7 focuses on assessing the risk in your organization based on the state of the environment
LogRhythm focuses on monitoring activities in real time
Content from Rapid7’s portfolio adds context to LogRhythm’s monitoring analytics
• OS, Vulnerability, Services, Applications, etc.
• Exploits, Malware kits, etc.
Assessment & Monitoring
Let Us Get You Started
Get Real-Time Cyber Threat Protection with Risk Management and SIEM (LogRhythm / Rapid7)
2012 Verizon Breach Report – Key Stats
• The number of compromised records across these incidents skyrocketed
• “We will likely continue to see the perpetrators utilize such vulnerabilities as the path of least resistance to gain unauthorized entry”
• “92% of incidents were discovered by a third party” (up 6% from previous year)
• “Monitor and mine event logs” critical for large organizations
• “Anomaly detection is active in the conversation and growing in importance.”
5/25/2011 9:07 AM TYPE=SuccessAudit USER=SANDBOX\trent.heisler COMP=VENUS SORC=Security CATG=Logon/Logoff EVID=540
MESG=Successful Network Logon: User Name: trent.heisler Domain: SANDBOX Logon ID: (0x0,0x9BDC1AFD) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {0e9506c5-1c90-769c-d69f-933db4f52454} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: - Source Port:
5/25/2011 9:07 AM TYPE=SuccessAudit USER=SANDBOX\bryce.griswold COMP=VENUS SORC=Security CATG=Logon/Logoff EVID=540
MESG=Successful Network Logon: User Name: bryce.griswold Domain: SANDBOX Logon ID: (0x0,0x9BDC1B32) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {b3316e08-8233-678a-c81f-6bbf37db136c} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: - Source Port: -
5/25/2011 9:08 AM TYPE=SuccessAudit USER=SANDBOX\anthony.mack COMP=VENUS SORC=Security CATG=Logon/Logoff EVID=540
MESG=Successful Network Logon: User Name: anthony.mack Domain: SANDBOX Logon ID: (0x0,0x9BDC8651) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {4899467d-7bea-9b95-1da5-ff948b893b4e} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: - Source Port:
5/25/2011 9:08 AM TYPE=SuccessAudit USER=SANDBOX\anthony.mack COMP=VENUS SORC=Security CATG=Logon/Logoff EVID=540
MESG=Successful Network Logon: User Name: anthony.mack Domain: SANDBOX Logon ID: (0x0,0x9BDC8651) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {4899467d-7bea-9b95-1da5-ff948b893b4e} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: - Source Port:
Compromised Credentials
Suspicious Privileged User Activity
Reconnaissance Followed by Attack
Critical Service Failed
Brute Force Attack
Malicious Content Observed
Unauthorized Network Connection Opened
Zero Day Exploit Detected
Host Compromised
Medical Records Breached
Credit Card Data Transferred
Unauthorized Access of ePHI
Understanding ‘Normal’
User: Identity, Access, Privilege
External Context: Threat Intelligence, IP Reputation, GeoLocation
Application: Access, Transactions, Error, Behavior
Host: Process, Access, File Activity, Resources
Internal Context: Business Value, Asset Classification, Risk Rating, Vulnerability
Network: Connection, Direction, Content, Volume
Manual discovery of what’s normal network activity is impractical due to the sheer volume of data across multiple types of dimensions.
• An unmanageable volume of false positives based on benign anomalies
• Significant blind spots / false negatives
Need an automated technology to learn behavioral attributes across multiple dimensions
Multi-Dimensional Behavioral Analytics (MDBA)
What is multi-dimensional?
• Multiple dimensions of behavior can be observed
• Multiple techniques through which behavior can be modeled
• Multiple behaviors can be modeled in a single rule
Why is this important?
• We can align the behavior we want to model with the ideal analysis technique.
• We can reduce false positives by identifying multiple behavioral changes indicating a highly corroborated event.
• We enable customers to see behavioral changes they’ve been blind to, enabling the detection of a new class of events.
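Added illustration (not LogRhythm's code): a small multi-dimensional check over events in the same header layout as the EVID=540 excerpt above. The per-user baseline, the extra user/host/time values and the "alert only when two or more dimensions change" threshold are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed events in the layout of the EVID=540 excerpt above (header line,
# collapsed message body). Users and hosts are hypothetical; PLUTO is not on the page.
SAMPLE_EVENTS = [
    (r"5/25/2011 9:07 AM TYPE=SuccessAudit USER=SANDBOX\trent.heisler COMP=VENUS SORC=Security CATG=Logon/Logoff EVID=540",
     "Successful Network Logon: User Name: trent.heisler Domain: SANDBOX Logon Type: 3"),
    (r"5/25/2011 9:08 AM TYPE=SuccessAudit USER=SANDBOX\anthony.mack COMP=VENUS SORC=Security CATG=Logon/Logoff EVID=540",
     "Successful Network Logon: User Name: anthony.mack Domain: SANDBOX Logon Type: 3"),
    (r"5/26/2011 2:41 AM TYPE=SuccessAudit USER=SANDBOX\anthony.mack COMP=PLUTO SORC=Security CATG=Logon/Logoff EVID=540",
     "Successful Network Logon: User Name: anthony.mack Domain: SANDBOX Logon Type: 10"),
]
HEADER_RE = re.compile(r"^(?P<ts>\S+ \S+ [AP]M) (?P<kv>.*)$")

def parse_event(header, body):
    """Split the KEY=value header into a dict; pull Logon Type out of the message body."""
    m = HEADER_RE.match(header)
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M %p")
    lt = re.search(r"Logon Type: (\d+)", body)
    fields["LOGON_TYPE"] = int(lt.group(1)) if lt else None
    return fields

# Constructed per-user baseline of 'normal' across three dimensions
# (a SIEM learns this from history rather than having it hand-written).
BASELINE = {
    r"SANDBOX\trent.heisler": {"hosts": {"VENUS"}, "logon_types": {3}, "hours": range(7, 19)},
    r"SANDBOX\anthony.mack": {"hosts": {"VENUS"}, "logon_types": {3}, "hours": range(7, 19)},
}

def deviations(ev, baseline=BASELINE):
    """Name each dimension on which the event departs from the user's baseline."""
    b = baseline.get(ev["USER"])
    if b is None:
        return ["unknown user"]
    checks = [("new host", ev["COMP"] not in b["hosts"]),
              ("new logon type", ev["LOGON_TYPE"] not in b["logon_types"]),
              ("off-hours", ev["ts"].hour not in b["hours"])]
    return [name for name, hit in checks if hit]

def corroborated_alerts(events, min_dims=2):
    """Alert only when several dimensions change at once, so a lone benign anomaly stays quiet."""
    alerts = []
    for header, body in events:
        ev = parse_event(header, body)
        devs = deviations(ev)
        if len(devs) >= min_dims:
            alerts.append((ev["USER"], ev["COMP"], devs))
    return alerts
```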
LogRhythm Components
Data sources feeding the Log Managers:
• Network and Security Devices: Routers, Switches, Next Gen Firewalls, IDS/IPS, VPN, Flow
• Hosts and Applications: Operating System, Applications, Databases
• Others: Vulnerability Data, Physical Card Access, Point of Sale, Etc.
• LogRhythm System Monitor: File Integrity Monitoring, File Activity Monitoring, Database Activity Monitoring, Process Monitoring, Network Connection Monitoring
Log Managers forward Events to the Event Manager; all Log, Flow and Event Data feed the Advanced Intelligence Engine, which produces Events, Intelligence, Alerts, SmartResponse™ actions and Reports.
• In memory processing of all log and flow data
• Correlation, pattern recognition, and behavioral analysis
• No blind spots – accurate recognition of compromised accounts and hosts, fraud, misuse, data exfiltration, etc.
Real-Time Big Data Security Analysis
Integration
1. Vulnerability data collected from Rapid7 Nexpose and Metasploit products
2. For every message, LogRhythm:
• Collects
• Classifies
• GeoTags
• Recognizes Events
• Assigns Risk Prioritization
• Stores log and event data for long term retention
• Applies behavioral analysis techniques
• Performs correlation across data sources
3. Triggers SmartResponse actions when applicable
Use Cases:
• Security Risk Assessment
• Sophisticated Intrusions
• Zero Day Confirmation
• Compliance Violations
Quick Investigations and Forensics
• Invaluable insight into internal behavior, potential risks and imminent threats
• Quick root cause analysis; Identify sources of attacks
• Recognize breach scope
• Appropriate presentation for key stakeholders
Knowledge Experts in:
Advanced threat detection & response
Industry and governmental regulations
Compliance automation and assurance
Log and event taxonomies and normalization
Advanced correlation and rules development
Incident response
Providing Out-of-the-Box & Continuously Updated Embedded Expertise
Layouts designed to present the right information to the right people at the right time
Executive Views
Compliance-specific Dashboards
Role-based Analyst Screens
Pre-defined forensic investigations accelerate root cause analysis and impact discovery
Comprehensive library of ready-to-use analytic rule sets & alarms enables immediate use for the detection of threats, breaches and compliance violations
SmartResponse™ plug-ins accelerate response and reduce the impact of actionable events
Example Use Cases
Prioritizing Attack Data:
• Identifies vulnerability state of host
• Correlates IDS and Malware to detected vulnerabilities
• Alert on attacks to known vulnerabilities
Identify Zero Day Attacks:
• Recognizes susceptible attacks
• Scans for attack behavior pattern
• Alert on matches for attempted attacks
Quick Remediation:
• Maintains library of custom, accurate remediation steps
• Identifies highly suspicious series of anomalies
• Triggers immediate scan with associated, specific remediation steps
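Added example (not Rapid7's or LogRhythm's code) of the "Prioritizing Attack Data" and "Quick Remediation" use cases above: an IDS alert is ranked by whether the target host is actually vulnerable to the referenced CVE, and a host with no scan data gets a scan triggered. The host inventory, alert records, CVSS threshold and CVE identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class IdsAlert:
    host: str
    signature: str
    cve: Optional[str]  # None when the IDS signature carries no CVE reference

# Constructed vulnerability inventory keyed by host, in the shape a scanner export
# (e.g. from Nexpose) could be reduced to. CVE ids are placeholders, not real ones.
VULNS = {
    "10.0.0.5": {"CVE-0000-0001": 9.8, "CVE-0000-0002": 5.3},
    "10.0.0.7": {},  # scanned, nothing found
}

def prioritize(alert, vulns=VULNS):
    """Return (priority, reason, action) for one IDS alert given the host's vulnerability state."""
    host_vulns = vulns.get(alert.host)
    if host_vulns is None:
        return ("unknown", "no vulnerability data for host", "trigger scan")
    if alert.cve is None:
        return ("medium", "signature without CVE mapping", "review behavior pattern")
    cvss = host_vulns.get(alert.cve)
    if cvss is None:
        return ("low", "host not vulnerable to referenced CVE", "log only")
    priority = "critical" if cvss >= 7.0 else "high"  # assumed threshold
    return (priority, f"attack on known vulnerability (CVSS {cvss})", "alarm with remediation steps")

PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "unknown": 3, "low": 4}

def triage(alerts, vulns=VULNS):
    """Score every alert and return rows (alert, priority, reason, action), highest priority first."""
    scored = [(a, *prioritize(a, vulns)) for a in alerts]
    return sorted(scored, key=lambda row: PRIORITY_ORDER[row[1]])

# Constructed IDS alerts; 10.0.0.9 has never been scanned.
SAMPLE_ALERTS = [
    IdsAlert("10.0.0.7", "exploit attempt A", "CVE-0000-0001"),
    IdsAlert("10.0.0.5", "exploit attempt A", "CVE-0000-0001"),
    IdsAlert("10.0.0.9", "exploit attempt B", "CVE-0000-0002"),
    IdsAlert("10.0.0.5", "anomalous payload", None),
]
```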