MID_SIEM_Boubker_EN
Transcript of MID_SIEM_Boubker_EN
![Page 1: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/1.jpg)
Confidential McAfee Internal Use Only
October 17, 2013
McAfee Security Connected: Actionable Situational Awareness
Boubker Elmouttahid, CISSP, CISM, CRISC
Solution Architect, Management Platform
![Page 2: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/2.jpg)
Security Connected Platform

INFORMATION SECURITY
• Data Loss Prevention
• Email Security
• Encryption
• Web Security

SECURITY MANAGEMENT
• Compliance
• Policy Auditing & Management
• Risk Management
• Security Operations Console
• SIEM
• Vulnerability Management

PARTNER COMMUNITY
• McAfee Connected
• Security Innovation Alliance (SIA)
• Global Strategic Alliance Partners

NETWORK SECURITY
• Access Control
• Identity & Authentication
• Intrusion Prevention
• Network User Behavior Analysis
• Next Generation Firewall
• Network Access Control

ENDPOINT SECURITY
• Application Whitelisting
• Desktop Firewall
• Device Control
• Device Encryption
• Email Protection
• Embedded Device Protection
• Endpoint Web Protection
• Host Intrusion Protection
• Malware Protection
• On Chip (Silicon-Based) Security
• Server & Database Protection
• Smartphone & Tablet Protection
• Virtual Machine & VDI Protection
![Page 3: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/3.jpg)
An Open, Full-Featured Platform
Partners and Integrated Solutions Deliver Management
![Page 4: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/4.jpg)
McAfee Labs
• Multi-discipline security research
– Malware (viruses, spyware, rootkits, etc.)
– Spam and Phishing
– Web Security
– Network and Host Intrusion Prevention
– Vulnerabilities and Compliance Checks
• 24 x 7 emergency response team
• Holds 118+ patents and 148+ pending patents
26 cities around the world
400+ researchers
![Page 5: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/5.jpg)
What It Takes to Make An Organization Safe: Global Threat Intelligence
Threat Reputation
Network IPS, Firewall, Web Gateway, Host AV, Mail Gateway, Host IPS, 3rd Party Feed
![Page 6: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/6.jpg)
112 Reputation Servers in 7 Data Centers
Data centers: Atlanta, Tokyo, London, Hong Kong, San Jose, Amsterdam, Chicago
DataStore
![Page 7: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/7.jpg)
McAfee Threat Landscape: The Core Problem
![Page 8: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/8.jpg)
Key Motivations
Purpose: Espionage, Financial, Weaponry, Ego
![Page 9: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/9.jpg)
Key Threats
Manufacturing, RF/IR, Bluetooth, SCADA, Web, Virtual, Zeus, Apps, Social Media, Embedded, Night Dragon, Medical Device, Aurora, Stuxnet, Entertainment, ATM/Kiosk, Energy, Mobile, Silicon, Database, Smart Cars, Conficker, RSA
![Page 10: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/10.jpg)
Total Malware Samples
The McAfee “zoo” now contains more than 140 million unique malware samples.
[Chart: Total Malware Samples, Jul-12 to Jun-13; y-axis 0 to 160,000,000]
![Page 11: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/11.jpg)
Enterprise IT BIG Bets 2013 …. Enable “Situational Security Awareness” through Big Security Data
[Timeline 2000 to 2013 ……: Processing Demands, Data, Use Cases, Instrumentation]
• Situational Security Awareness through Big Security Data
• Less “Matching”, more Trending
• Long term analysis for “low and slow”
• Continuous compliance monitoring
• Immediate information access
Perimeter Security, Compliance, Insider Threat, Data Security
![Page 12: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/12.jpg)
Big Data vs. Big Security Data
Big Data
Datasets whose size and variety is beyond the ability of typical database software to capture, store, manage & analyse.
Big SECURITY Data
Understanding security data as big data.
• How do I gather security context?
• How do I manage big security information?
• How do I make security information management work?
• Size of security data doubling annually
• Advanced threats demand collecting more data
• Legacy data management approaches failing
• SIEM use shifting from compliance to security
![Page 13: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/13.jpg)
“The Importance” of Big Security Data
Old Attacks
• Amateurs
• Noisy
• Curious/Mischievous
• Script driven
• Untargeted
New Attacks
• Professionals
• Stealthy
• For profit/intentional damage
• Professionally developed
• Targeted
• Automated situational awareness
• Global threat intelligence
![Page 14: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/14.jpg)
The Big Security Data Challenge
[Diagram: from Thousands of Events (Consolidate Logs, Correlate Events, Perimeter, Compliance, Historical Reporting) to Billions of Events (APTs, Cloud, Data, Insider, Anomalies, Large Volume Analysis, Multi-dimensional Analysis, Active Trending; LT)]
![Page 15: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/15.jpg)
The Big Security Data Challenge
October 17, 2013
![Page 16: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/16.jpg)
THINK FAST…ACT FAST: Actionable Situational Awareness through Enhanced Data Management and Integration
Learn Quickly: Turns billions of “so what” events into Actionable Information via context, content and advanced analytics
Move Fast: Purpose built data management engine that makes SIEM work, and is Security ‘Big Data’ ready
Act Decisively: Leveraging the value of Security Connected for faster response whilst lowering cost of ownership
![Page 17: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/17.jpg)
McAfee ESM
MOVE FAST – eDB: Purpose built data management engine that makes SIEM work
eDB
Extended Schema in 9.2, enabling…
• Improved tracking of assets via GUID; increases accuracy as IP’s change
• More custom fields; increasing data collected, correlated and reported about an event
• Ability to accumulate events (throughput, packets, URL’s, etc…)
…without compromising performance!
![Page 18: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/18.jpg)
Learn Quickly: Establishing baselines to identify deviations
Rolling Averages: Defining abnormal patterns of activity
![Page 19: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/19.jpg)
Learn Quickly: Establishing baselines to identify deviations
Eliminate the Guesswork
Alert based on deviations from norm
Sum events and track averages
ID Anomalies
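An added example, not code from the McAfee deck, of the rolling-average baseline these two slides describe: event counts are summed per source and hour bucket, the previous six buckets form the baseline, and a bucket is flagged when it exceeds the rolling mean by more than three standard deviations and by a minimum absolute margin. The window, threshold and floor values and the sample counts are assumptions.

```python
# Added example (not from the McAfee deck): a rolling-average baseline for
# per-source event counts, alerting on deviations from the norm
# ("sum events and track averages", "ID anomalies").
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 6       # past buckets that form the baseline (assumed value)
K_SIGMA = 3.0    # deviation threshold in standard deviations (assumed value)
MIN_FLOOR = 20   # ignore bumps on tiny baselines (assumed value)

def bucket_counts(events):
    """Sum events per (source, hour bucket); events are (source, hour, count)."""
    counts = defaultdict(lambda: defaultdict(int))
    for src, hour, n in events:
        counts[src][hour] += n
    return counts

def find_anomalies(events, window=WINDOW, k=K_SIGMA, floor=MIN_FLOOR):
    """Return [(source, hour, count, baseline_mean, sigmas)] for buckets whose
    count exceeds the rolling mean of the previous `window` buckets by more
    than k standard deviations and by at least `floor` events in absolute terms."""
    alerts = []
    for src, per_hour in bucket_counts(events).items():
        hours = sorted(per_hour)
        for i, h in enumerate(hours):
            history = [per_hour[x] for x in hours[max(0, i - window):i]]
            if len(history) < window:
                continue  # baseline not learned yet; do not alert
            base, sd = mean(history), pstdev(history)
            excess = per_hour[h] - base
            if excess < floor:
                continue  # small absolute change, even if statistically large
            # A flat baseline (sd == 0) makes any real excess infinitely deviant.
            sigmas = excess / sd if sd > 0 else float("inf")
            if sigmas > k:
                alerts.append((src, h, per_hour[h], round(base, 1), round(sigmas, 1)))
    return alerts

# Constructed sample: one host steady at ~100 events/hour that jumps at hour 8,
# and one low-volume host whose small bump stays below the floor.
SAMPLE = [("10.0.0.5", h, c) for h, c in enumerate([98, 103, 99, 101, 97, 102, 100, 100, 240])]
SAMPLE += [("10.0.0.9", h, c) for h, c in enumerate([2, 1, 3, 2, 2, 1, 2, 9])]

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE):
        print("ANOMALY", alert)
```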
![Page 20: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/20.jpg)
Learn Quickly: Global Threat Intelligence and IP Reputation
McAfee Labs IP Reputation Updates
IP REPUTATION CHECK: GOOD / SUSPECT / BAD (Medium Risk, High Risk)
Reputation categories: Botnet/DDoS, Mail/Spam Sending, Web Access, Malware Hosting, Network Probing, Presence of Malware, DNS Hosting Activity, Intrusion Attacks
EVENT
AUTOMATIC IDENTIFICATION
AUTOMATIC RISK ANALYSIS VIA ADVANCED CORRELATION ENGINE
![Page 21: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/21.jpg)
Learn Quickly: Correlating Both Flows and Events
Flow
Event
Correlate Event and Flow
Advanced Correlation
Enhanced with GTI
• Identify spikes in activity
• Analyze Behavior of an Individual Host
• Detect zero-day threats through traffic profiling
• Monitor compliance via analysis of application data, protocol and user
![Page 22: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/22.jpg)
ACT DECISIVELY: Leverage the power of the platform
Industry Leading Security Information and Event Management
• Event Collection
• Compliance Reporting
• Streamlined Investigations
• Policy Management
• Advanced Correlation
• Log Management
Integrated Security Platform: ePolicy Orchestrator, Network Security Platform, Global Threat Intelligence, Vulnerability Manager
![Page 23: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/23.jpg)
Organized Chaos: Security Operating in Silos (Data interconnection Left & Right)
SIEM
![Page 24: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/24.jpg)
LEARN QUICKLY & ACT DECISIVELY: Security Connected - Intelligent Orchestration & Integration
Dynamic Enrichment
GTI
ePO: Endpoint & SIA Alerts & Policy Enforcement
NSP: Network Alerts & Quarantine
MVM: Asset Inventory & On-demand scan
ADM, FW, DLP, MWG, MEG, MAM, NTBA, DAM
ESM
![Page 25: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/25.jpg)
ACT DECISIVELY: Intelligent Orchestration and Integration
My Pal
RT@aguyweknow Very Inspiring article Bit.ly/p0wn3d
Detect Connection Attempt
ESM: Correlation
Actions: Trigger Alarm, Quarantine IP, Quarantine Endpoint, Launch AV Scan, Increase Security
ePO
NSM
![Page 26: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/26.jpg)
McAfee ESM
• Unmatched Speed – Industry’s Fastest SIEM
– 100x to 1,000x faster than current solutions
– Queries, correlation and analysis in minutes, not hours
• Unmatched Scale – Collect all relevant data, not selected sub-sets
– Analyze months and years of data, not weeks
– Include higher layer context and content information
– Scales easily to billions of data records
• Improves – Operational efficiencies and optimizes security
• Enhances – Visibility & control on risk and helps you to stay compliant with regulations
• Demonstrates – Measurable ROI and reduced TCO by delivering an easy-to-use & scalable NG SIEM solution
![Page 27: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/27.jpg)
McAfee ESM: 2013 Market Leadership and Recognition
SIEM MQ “Visionary Leader”
– Gartner 2012 & 2013 SIEM Magic Quadrant
“Fastest database in the business, truly creative front end”
– SC Magazine, Excellent value for the money, February, 2012
“Best log management solution”
– InfoWorld 2011 Technology of the Year, January, 2011
“ESM has attained tier-one status alongside larger organizations”
– Ovum, Technology Audit, July, 2011
“One of the most useful and seamless incident response-focused SIEM products available today”
– The 451 Group, Impact Report, June, 2010
“Top performance, 2nd lowest price”
– Info-Tech Research Group Vendor Landscape, June, 2011
![Page 28: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/28.jpg)
Summary: Actionable Situational Awareness from McAfee ESM
ESM ALLOWS YOU TO….
MOVE FAST, LEARN QUICKLY, ACT DECISIVELY
![Page 29: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/29.jpg)
Demo
October 17, 2013
![Page 30: MID_SIEM_Boubker_EN](https://reader038.fdocuments.net/reader038/viewer/2022110118/554d3180b4c905ca208b57c7/html5/thumbnails/30.jpg)