Redefining SIEM to Real-Time Security Intelligence
Presenters: Terry Seymour, Field Sales Account Manager; Dinesh Mistry, SIEM Solution Expert
About McAfee SIEM
• Real-time security & compliance
• Integrated SIEM & log management
• Unmatched speed and scale
• Unique database & application monitors
• Only content-aware SIEM
• Certified for defense and critical infrastructure
• Rapid growth: doubled SIEM sales in 2011; over 700 enterprise and government customers
• Industry recognized: NIST/FIPS and Common Criteria certified
Industry Recognition
• April 2011: ranked #1
• January 2011: Best Log Management, "Tech of the Year"
Review quotes
• April 2011: "The fastest database in the business, a truly creative front end. What more could you ask for in a SIEM?"
• January 2011: "An analyst's power tool, strong SIEM capabilities in a highly configurable dashboard"
Key Market Segments & Customers Primary Industry Verticals and Representative Customers Government Financial Enterprise Education Energy Healthcare
NitroSecurity History
Leading supplier of unified information security solutions that protect corporate IT networks and data with the industry's highest-performing, most cost-effective integrated product suite for SIEM, log management, database activity monitoring, network analysis and intrusion prevention.
• Founded in 1999 by engineers from Idaho National Laboratory
• Headquarters: Portsmouth, NH; R&D: Idaho Falls, ID and Conshohocken, PA
• Worldwide sales, service & support; global partner presence
• Developed the NitroEDB data engine first: no DBA required (self-healing closed system); 10-100 times faster than any competitor's back-end database; bursts to 128,000 inserts/retrievals per second, the industry's fastest rate; deployed on all NitroView system components
McAfee ESM & Event Reporter: product components
• McAfee ESM (Enterprise Security Manager): unified visibility, correlation & analysis, compliance & reporting, policy management
• McAfee ELM (Enterprise Log Manager): log management, compliant log storage
• McAfee Receiver: third-party log collection (WMI, syslog, etc.)
• McAfee ADM (Application Data Monitor): Layer 7 decode, full metadata collection; application visibility across hundreds of applications and 500+ document types
• McAfee DB solutions: database session monitor, database log generation, session audit; database visibility into data traffic from leading databases
• McAfee ACE (Advanced Correlation Engine): advanced correlation, risk-based correlation, historical correlation; risk scoring to detect potential threats
• McAfee Network solutions: intrusion detection/prevention, flow collection; network visibility from analysis of network traffic, events & flows
Context sources feeding the SIEM: asset information/context and vulnerability information (which assets are most at risk) from ePO, Global Threat Intelligence and McAfee Risk Advisor; malware, Trojans, viruses, exploits, vulnerabilities and network flows.
Global Threat Intelligence (GTI) reputation feeds: file reputation, IP reputation, web reputation, message reputation.
Diagram: layers of event, log and compliance data; content; context; and risk awareness, with GTI informing each layer.
Situational-Aware Risk Management (diagram): ePO security data, the GTI feed and SIEM event data feed McAfee Risk Advisor countermeasure analysis, which produces actionable security policies.
Integrated Database & Application Security
• McAfee Receivers collect events from the DBM agent, McAfee DBM and McAfee ADM.
• McAfee ESM: event correlation, incident response, VA integration, user activity profiling, central policy & management, analysis & forensics, reporting and notification for SOC/NOC, compliance, DBAs and management.
• McAfee ELM: secure segregation of logged events for compliance and reporting.
• McAfee IPS: block exploits and SQL injection attacks before they reach the network core.
• McAfee DBM and DBM agent: log local DBA console activity; full-session capture of SQL activity, database content use and database server discovery; monitor all OS security events on the database host (users logging in/out, access to or changes of the database, config files & backups).
• McAfee ADM: monitor potential leakage of sensitive content via email, chat, web and P2P.
Sample Use Cases Content-Aware Forensics & Breach Discovery Discovering an HTTP Command and Control Spambot
Content-Aware Forensics & Breach Discovery: exfiltration chain
1. User extracts sensitive data from a SQL Server. Data access policy violation is detected: 1000 row threshold exceeded.
2. User copies the SQL results to a document and sends the sensitive data via webmail to an external address.
3. User discusses the sensitive data over IM with an external user.
Content-Aware Forensics & Breach Discovery: compromise chain
1. User receives an email with an attachment from an IP address on the GTI blacklist (finding: Potential Malware Infection).
2. HIPS agent identifies an unknown application but fails to quarantine the threat (finding: Potential Compromised Endpoint).
3. The compromised system is seen making multiple failed authentication attempts against enterprise systems; historical analysis reveals multiple compromised hosts (finding: Attack Proliferation).
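The two chains above are the kind of multi-stage correlation a SIEM rule engine performs: each stage only fires for the same user or host as the previous one, within a time window, and each completed stage escalates the finding. The following is an added example, not McAfee code or any ESM rule syntax: the event field names (ts, type, user, host, rows, external, gti_blacklisted, action) are an assumed normalized schema, the window and the "three failures count as multiple" threshold are assumptions, and SAMPLE_EVENTS is constructed.

```python
"""Multi-stage correlation over normalized events, modelled on the SQL-to-webmail
exfiltration chain and the blacklisted-email-to-lateral-movement compromise chain.
Added example with an assumed event schema; the sample events are constructed."""

WINDOW = 3600  # seconds a partially matched chain stays open (assumption)

# A stage is (finding label, predicate over one event, matching events required).
EXFIL_STAGES = [
    ("Data access policy violation (1000 row threshold exceeded)",
     lambda e: e["type"] == "db_query" and e.get("rows", 0) > 1000, 1),
    ("Sensitive data sent via webmail to external address",
     lambda e: e["type"] == "webmail_send" and e.get("external", False), 1),
    ("Sensitive data discussed over IM with external user",
     lambda e: e["type"] == "im_message" and e.get("external", False), 1),
]
COMPROMISE_STAGES = [
    ("Potential Malware Infection",
     lambda e: e["type"] == "email_received" and e.get("gti_blacklisted", False), 1),
    ("Potential Compromised Endpoint",
     lambda e: e["type"] == "hips_alert" and e.get("action") != "quarantine", 1),
    ("Attack Proliferation",
     lambda e: e["type"] == "auth_failure", 3),  # three failures = "multiple" (assumption)
]
# (rule name, event field that identifies the tracked entity, ordered stages)
RULES = [("exfil", "user", EXFIL_STAGES), ("compromise", "host", COMPROMISE_STAGES)]


class Correlator:
    """Feed events in time order; one chain is tracked per (rule, entity)."""

    def __init__(self, rules=RULES, window=WINDOW):
        self.rules, self.window = rules, window
        self.state = {}      # (rule, entity) -> {"stage", "hits", "start", "events"}
        self.findings = []   # one finding per completed stage; later stages escalate

    def feed(self, event):
        for name, key_field, stages in self.rules:
            entity = event.get(key_field)
            if entity is None:
                continue
            key = (name, entity)
            st = self.state.get(key)
            if st and event["ts"] - st["start"] > self.window:
                del self.state[key]          # chain expired: start over
                st = None
            idx = st["stage"] if st else 0
            label, pred, need = stages[idx]
            if not pred(event):
                continue
            if st is None:
                st = self.state[key] = {"stage": 0, "hits": 0, "start": event["ts"], "events": []}
            st["hits"] += 1
            st["events"].append(event)   # evidence carried forward across stages
            if st["hits"] < need:
                continue
            self.findings.append({"rule": name, key_field: entity, "stage": idx + 1,
                                  "label": label, "events": list(st["events"])})
            st["stage"], st["hits"] = idx + 1, 0
            if st["stage"] == len(stages):
                del self.state[key]          # chain complete
        return self.findings


# Constructed sample events (not real logs), already normalized and time-ordered.
SAMPLE_EVENTS = [
    {"ts": 0, "type": "db_query", "user": "jsmith", "host": "ws-101", "rows": 4200, "db": "CUSTOMERS"},
    {"ts": 600, "type": "webmail_send", "user": "jsmith", "host": "ws-101", "external": True},
    {"ts": 900, "type": "im_message", "user": "jsmith", "host": "ws-101", "external": True},
    {"ts": 1000, "type": "email_received", "host": "ws-202", "src_ip": "203.0.113.7", "gti_blacklisted": True},
    {"ts": 1300, "type": "hips_alert", "host": "ws-202", "action": "detect_only", "process": "unknown.exe"},
    {"ts": 1400, "type": "auth_failure", "host": "ws-202", "target": "fileserver"},
    {"ts": 1410, "type": "auth_failure", "host": "ws-202", "target": "fileserver"},
    {"ts": 1420, "type": "auth_failure", "host": "ws-202", "target": "dc01"},
    # large scheduled report with no follow-on activity: stays at stage 1 only
    {"ts": 2000, "type": "db_query", "user": "reportsvc", "host": "srv-9", "rows": 50000},
]


def run(events=SAMPLE_EVENTS):
    """Correlate a batch of events and return the escalating findings."""
    c = Correlator()
    for e in sorted(events, key=lambda e: e["ts"]):
        c.feed(e)
    return c.findings


def compromised_hosts(findings, min_stage=2):
    """The 'historical analysis' step: hosts whose compromise chain reached min_stage."""
    return sorted({f["host"] for f in findings if f["rule"] == "compromise" and f["stage"] >= min_stage})


if __name__ == "__main__":
    for f in run():
        print(f["stage"], f["rule"], f.get("user") or f.get("host"), f["label"])
    print("compromised hosts:", compromised_hosts(run()))
```

The first stage alone (a large result set, or one blacklisted sender) is noisy on its own; the value is that a finding is raised for the same entity at each stage, so a stage 1 hit with no follow-on, like the reportsvc query, stays low priority while the chain that completes escalates to Attack Proliferation with all the supporting events attached.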
Discovering an HTTP Command and Control Spambot
Content-aware SIEM feature: use the broad correlation, normalization and content-awareness capability of a content-aware SIEM to detect advanced security threats.
Discovering an HTTP Command and Control Spambot: Correlated Source Events
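The slide's list of correlated source events is not reproduced on this page. As an added example, not McAfee code, the following assumes the usual two-part pattern of an HTTP-controlled spambot: machine-regular HTTP "beacons" to a single external host, followed by a burst of outbound SMTP connections to many distinct external hosts, both visible in the flow collection the deck describes. The internal address range, the thresholds and constructed_flows() are assumptions made for the example.

```python
"""Flow-based detection of an HTTP command-and-control spambot: regular HTTP
beaconing to one external host plus outbound SMTP fan-out from the same source.
Added example; flow schema (ts, src, dst, dport), ranges and thresholds are assumed."""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
MIN_BEACONS = 6      # HTTP flows to the same external host before we judge regularity
MAX_JITTER = 0.2     # stdev/mean of inter-arrival gaps; low means timer-driven
MIN_SMTP_PEERS = 20  # distinct external SMTP destinations within WINDOW
WINDOW = 3600        # seconds


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def beacon_candidates(flows):
    """Return {src: (dst, mean period)} for hosts with regular HTTP flows to one external host."""
    by_pair = defaultdict(list)
    for f in flows:
        if f["dport"] == 80 and is_internal(f["src"]) and not is_internal(f["dst"]):
            by_pair[(f["src"], f["dst"])].append(f["ts"])
    out = {}
    for (src, dst), ts in by_pair.items():
        if len(ts) < MIN_BEACONS:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= MAX_JITTER:  # human browsing is far more irregular
            out[src] = (dst, m)
    return out


def smtp_fanout(flows):
    """Return {src: peers} for internal hosts reaching >= MIN_SMTP_PEERS distinct
    external SMTP destinations inside any WINDOW-second span (sliding window)."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] == 25 and is_internal(f["src"]) and not is_internal(f["dst"]):
            by_src[f["src"]].append((f["ts"], f["dst"]))
    out = {}
    for src, recs in by_src.items():
        recs.sort()
        best, lo = 0, 0
        for hi in range(len(recs)):
            while recs[hi][0] - recs[lo][0] > WINDOW:
                lo += 1
            best = max(best, len({d for _, d in recs[lo:hi + 1]}))
        if best >= MIN_SMTP_PEERS:
            out[src] = best
    return out


def find_spambots(flows):
    """Correlate both indicators on the same source host."""
    beacons, fanout = beacon_candidates(flows), smtp_fanout(flows)
    return {src: {"c2": beacons[src][0], "beacon_period_s": round(beacons[src][1]),
                  "smtp_peers": fanout[src]}
            for src in beacons if src in fanout}


def constructed_flows():
    """Constructed sample flows (not captured traffic)."""
    flows = []
    for i in range(8):    # bot: beacon every ~300 s with a few seconds of jitter
        flows.append({"ts": 300 * i + (i % 3) * 5, "src": "10.1.2.3", "dst": "198.51.100.9", "dport": 80})
    for i in range(30):   # bot: spam burst to 30 distinct external mail servers
        flows.append({"ts": 2500 + i * 10, "src": "10.1.2.3", "dst": f"192.0.2.{i + 1}", "dport": 25})
    for ts in (10, 45, 400, 1900, 1950, 3100):  # ordinary browsing: irregular gaps
        flows.append({"ts": ts, "src": "10.1.2.4", "dst": "198.51.100.20", "dport": 80})
    for i in range(25):   # legitimate mail relay: SMTP fan-out but no beacon
        flows.append({"ts": i * 60, "src": "10.1.1.25", "dst": f"203.0.113.{i + 1}", "dport": 25})
    return flows


if __name__ == "__main__":
    print(find_spambots(constructed_flows()))
```

Neither indicator is conclusive alone: the mail relay 10.1.1.25 shows the same SMTP fan-out as the bot, and a software updater can beacon as regularly as malware, so requiring both on one host is what keeps the rule quiet; in production the relay's address would also be whitelisted and the C2 destination checked against GTI IP reputation.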