McAfee ESM
Fulfilling the Promise of SIEM
Jan Hereijgers
Enterprise Account Manager, SIEM
December 13, 2012

McAfee Confidential—Internal Use Only
The State of SIEM

SIEM Promise:
• Turns Security Data Into Actionable Information
• Provides an Intelligent Investigation Platform
• Supports Management and Demonstration of Compliance

Legacy SIEM REALITY:
• Antiquated Architectures Force Choices Between Time-to-Data and Intelligence
• Events Alone Do Not Provide Enough Context to Combat Today’s Threats
• Complex Usability and Implementation Have Caused Costs To Skyrocket

NitroSecurity Next Generation SIEM
The Big Security Data Challenge

Billions of Events (top of the pyramid):
• APTs, Cloud Data, Insider Anomalies: Multi-dimensional Active Trending; LT Analysis; Large Volume Analysis
• Compliance: Historical Reporting

Thousands of Events (base of the pyramid):
• Perimeter: Correlate Events; Consolidate Logs
ESM: Delivering on the Promise

Built around the Big Security Data DB:
• Meaningful Intelligence
• Rapid Response
• Continuous Compliance
• Exceptional Value
Different From Ground Up …
The McAfee SIEM Event Database
• High-speed database used extensively throughout the US DOD and DOE
• Award winning Sage/AdaSage technology
• 15 years and over $30M invested in development at the Idaho National Laboratory (INL)
• Purpose-built for rapid streaming of security events
• Up to 100,000 database insertions per second
• Custom fields & data definition specific to security events
• Rich event taxonomy with 16 indexes
• Provides event-data warehousing with minimal HW footprint
• Facilitates real-time Business Intelligence for Security & Compliance
• Perfected during ~300 man-years of joint development
Log Management and Search

Investigate:
• See log frequencies
• Search for logs

Layer: Log Management

INVESTIGATE LOGS AFTER THE FACT
Legacy SIEM

Visualize, Investigate:
• See log frequencies
• Search for logs
• Correlate events

Traditional Context sources: Device and Application Log Files; Authentication and IAM; Events from Security Devices and Endpoints; User Identity; Location; VA Scan Data; Network Flows; Time; OS Events

Layers: Traditional Context over Log Management

DETECTION OF KNOWN SUSPICIOUS PATTERNS
Content Awareness

Visualize, Investigate, Respond:
• See log frequencies
• Search for logs
• Correlate events
• What data is involved?
• Who is doing it?

Why content matters:
• Flows indicate frequency but miss the what, who and how
• Application and Database complete the picture
• Application logging inhibited by performance
• Database logging inhibited by politics

Layers: Content Aware (Applications, Database) over Traditional Context over Log Management
ESM Fulfills Today’s SIEM Needs

Visualize, Investigate, Respond:
• See log frequencies
• Search for logs
• Correlate events
• What data is involved?
• Who is doing it?
• Are they a bad actor?
• What is the risk of the system?
• What is the risk of the user?

Advanced Correlation Engine:
• GLOBAL THREAT LANDSCAPE: Threat intelligence feed; Immediate alerting; Historical Analysis
• ENTERPRISE RISK LANDSCAPE: Vulnerabilities; Countermeasures; Individuals (Risk Advisor, ePolicy Orchestrator)

Layers: Dynamic Content over Content Aware over Traditional Context over Log Management
ESM Fulfills Today’s SIEM Needs (continued)

Same analyst questions, Advanced Correlation Engine and Global Threat / Enterprise Risk landscapes as the previous slide, now OPTIMIZED into concrete outcomes:
1. Shut down bad actor
2. Analyze last year’s events
3. Compliance issue identified
4. Investigate high risk system

Layers: Dynamic Content over Content Aware (Applications, Database) over Traditional Context over Log Management, on a Scalable Architecture backed by the Big Security Data DB and High Speed Intelligent Correlation
GTI with SIEM Delivers Even Greater Value

Sorting Through a Sea of Events…
• Have I Been Communicating With Bad Actors? (200M events)
• Which Communication Was Not Blocked? (18,000 alerts and logs)
• What Specific Servers/Endpoints/Devices Were Breached? (Dozens of endpoints)
• Which User Accounts Were Compromised? (Handful of users)
• What Occurred With Those Accounts? (Specific files breached, if any)
• RESPOND: How Should I Respond? (Optimized response)
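The funnel on this slide, worked through as a small triage pipeline over constructed sample logs. This is an added example, not code from the deck or from McAfee ESM: the threat-intel set stands in for GTI, and every host, IP, account and file path is made up.

```python
"""Event-to-response triage funnel over constructed sample logs.
Each stage answers one question from the slide and narrows the previous
stage's result (events -> alerts -> endpoints -> users -> files -> response).
"""
from datetime import datetime, timedelta

# Constructed threat-intelligence feed (stand-in for GTI): known-bad IPs.
BAD_ACTORS = {"203.0.113.5", "198.51.100.77"}

# Constructed network flow records: which host talked to which destination.
FLOWS = [
    {"ts": "2012-12-10T09:00:00", "host": "ws-017", "dst": "203.0.113.5", "port": 443},
    {"ts": "2012-12-10T09:05:00", "host": "ws-017", "dst": "192.0.2.10", "port": 80},
    {"ts": "2012-12-10T09:20:00", "host": "srv-db01", "dst": "198.51.100.77", "port": 4444},
    {"ts": "2012-12-10T10:00:00", "host": "ws-042", "dst": "203.0.113.5", "port": 443},
]

# Constructed firewall decisions; a flow sensor still records a denied attempt.
FIREWALL = [
    {"ts": "2012-12-10T09:00:00", "host": "ws-017", "dst": "203.0.113.5", "action": "allow"},
    {"ts": "2012-12-10T09:20:00", "host": "srv-db01", "dst": "198.51.100.77", "action": "allow"},
    {"ts": "2012-12-10T10:00:00", "host": "ws-042", "dst": "203.0.113.5", "action": "deny"},
]

# Constructed authentication events: who was logged on to which host.
LOGINS = [
    {"ts": "2012-12-10T08:30:00", "host": "ws-017", "user": "jdoe"},
    {"ts": "2012-12-10T07:55:00", "host": "srv-db01", "user": "svc-backup"},
    {"ts": "2012-12-09T18:00:00", "host": "srv-db01", "user": "admin"},  # outside the window
    {"ts": "2012-12-10T09:50:00", "host": "ws-042", "user": "asmith"},
]

# Constructed file-access events: what those accounts touched.
FILE_EVENTS = [
    {"ts": "2012-12-10T09:02:00", "host": "ws-017", "user": "jdoe", "file": "/share/hr/payroll.xlsx"},
    {"ts": "2012-12-10T09:25:00", "host": "srv-db01", "user": "svc-backup", "file": "/var/lib/db/customers.dump"},
    {"ts": "2012-12-10T10:05:00", "host": "ws-042", "user": "asmith", "file": "/home/asmith/notes.txt"},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def bad_actor_flows(flows, intel):
    """Stage 1 (events -> alerts): flows whose destination is on the intel feed."""
    return [f for f in flows if f["dst"] in intel]


def unblocked(flows, firewall):
    """Stage 2: drop alerts the firewall already denied (matched on host, dst, time)."""
    denied = {(r["host"], r["dst"], r["ts"]) for r in firewall if r["action"] == "deny"}
    return [f for f in flows if (f["host"], f["dst"], f["ts"]) not in denied]


def users_on_hosts(flows, logins, window=timedelta(hours=2)):
    """Stage 4: accounts logged on to an affected host within `window` before the flow."""
    users = {}
    for f in flows:
        for login in logins:
            age = _t(f["ts"]) - _t(login["ts"])
            if login["host"] == f["host"] and timedelta(0) <= age <= window:
                users.setdefault(f["host"], set()).add(login["user"])
    return users


def files_touched(users_by_host, file_events):
    """Stage 5: files those accounts accessed on those hosts."""
    return sorted({e["file"] for e in file_events
                   if e["user"] in users_by_host.get(e["host"], set())})


def triage(flows=FLOWS, firewall=FIREWALL, logins=LOGINS,
           file_events=FILE_EVENTS, intel=BAD_ACTORS):
    """Run the funnel; each entry in the result is narrower than the one before."""
    hits = bad_actor_flows(flows, intel)          # Have I been talking to bad actors?
    live = unblocked(hits, firewall)              # Which communication was not blocked?
    hosts = sorted({f["host"] for f in live})     # Which endpoints were breached?
    users = users_on_hosts(live, logins)          # Which accounts were compromised?
    files = files_touched(users, file_events)     # What occurred with those accounts?
    # Stage 6: respond only to what the funnel confirmed, not to every raw event.
    response = [f"isolate {h}; reset {', '.join(sorted(users.get(h, ())))}" for h in hosts]
    return {
        "events": len(flows),
        "alerts": len(hits),
        "unblocked": len(live),
        "endpoints": hosts,
        "users": sorted({u for s in users.values() for u in s}),
        "files": files,
        "response": response,
    }


if __name__ == "__main__":
    for stage, value in triage().items():
        print(f"{stage:>9}: {value}")
```

Each stage keys on a different log source (intel feed, firewall, authentication, file access), which is the point of the slide: flows alone flag the 200M events, but only the joined context narrows them to a handful of accounts and files.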
Scalable and Intelligent Architecture
• Intelligence and Operational efficiency: GTI, ePO, MRA, SIA
• Adaptive Risk Analysis & Historical Correlation: McAfee Advanced Correlation Engine
• Integrated SIEM & Log Management: McAfee Enterprise Security Manager; McAfee Enterprise Log Manager
• Rich App & DB Context: McAfee Application Data Monitor; McAfee Database Event Monitor
• Scalable Collection & Distributed Correlation: McAfee Receivers (Big Security Data DB)
McAfee ESM (NitroSecurity)
Summary Overview
• Founded: 1999
• Description: Nitro develops the industry's fastest analytical tools to identify, correlate and remediate information security threats in minutes instead of hours
• Employees: 120 employees
• Headquarters: Portsmouth, NH. R&D facilities in Idaho Falls.
• Customers: 700+ Active Customers. 30 in Fortune 500. 60% of business through channel. 50% of business in US Federal
• Acquisitions: Acquired Rippletech (log collection and reporting technology) and LogMatrix (analytics technology)
• Financials: 2010 Bookings = $25MM; 50% Growth YoY for trailing 3 years

Figure: Gartner SIEM MQ
Figure: Notable Customers
Customer Case Study: McAfee

OPPORTUNITY
• McAfee (pre-acquisition)
• Internal security / compliance (Plano, TX)
• Major SIEM installed for two years
• “Never completed the initial deployment plan even with multiple $000,000’s of pro services”
• “Can get the log data in, but CANNOT get useful information out”

DECISION
• “Nitro” and Q1 shortlisted
• POC consisted of replicating original deployment plan
• Q1Labs exhibited same performance issues as existing solution
• Nitro is selected

RESULTS
• Deployed and delivering value in 30 days
• 2 appliances outperformed 32 core SIEM deployment
• Eliminated consulting and instrumentation spend on making SIEM work
ESM: True Situational Awareness
• GREATEST ACCURACY IN PINPOINTING THREATS
• FASTEST TIME-TO-RESPOND
• CONTINUOUS COMPLIANCE MONITORING
• COST EFFECTIVE THROUGH LOW TCO AND RAPID TIME-TO-VALUE

2012-12-12 Seminar McAfee ESM

  • 1. McAfee ESM Fulfilling the Promise of SIEM Jan Hereijgers Enterprise Account Manager, SIEM December 13, 2012 1 McAfee Confidential—Internal Use Only
  • 2. The State of SIEM SIEM Promise: Turns Security Data Into Provides an Intelligent Supports Management Actionable Information Investigation Platform and Demonstration of Compliance Legacy SIEM REALITY: 00001001001111 11010101110101 10001010010100 VS 00101011101101 Antiquated Architectures Events Alone Do Not Complex Usability and Force Choices Between Provide Enough Context Implementation Have Time-to-Data and Intelligence to Combat Today’s Threats Caused Costs To Skyrocket 2 NitroSecurity Next Generation SIEM McAfee Confidential—Internal Use Only
  • 3. The Big Security Data Challenge Billions of Events APTs Multi-dimensional Active Cloud Trending; LT Analysis Data Insider Anomalies Large Volume Analysis Compliance Historical Reporting Thousands of Events Correlate Events Perimeter Consolidate Logs 3 NitroSecurity Next Generation SIEM McAfee Confidential—Internal Use Only
  • 4. ESM: Delivering on the Promise Meaningful Rapid Intelligence Response Big Security Data DB Continuous Exceptional Compliance Value 4 NitroSecurity Next Generation SIEM McAfee Confidential—Internal Use Only
  • 5. Different From Ground Up … The McAfee SIEM Event Database  High-speed database ssed extensively throughout the US DOD and DOE  Award winning Sage/AdaSage technology  15 years and over $30M invested in development at the Idaho National Laboratory (INL)  Purpose-built ( for rapid streaming of security events  Up to 100,000 database insertion per second  Custom fields & data definition specific to security events 010011 100 1001 100110 11 100 1 110  Rich event taxonomy with 16 indexes 10 010011 001 100 1101  Provides event-data warehousing with minimal HW foot print 10101 110 1  Facilitates real-time Business Intelligence for Security & Compliance  Perfected during ~300 man-years of joint development McAfee Confidential—Internal Use Only
  • 6. Log Management and Search • See log frequencies Investigate • Search for logs Log Management INVESTIGATE LOGS AFTER THE FACT 6 NitroSecurity Next Generation SIEM McAfee Confidential—Internal Use Only
  • 7. Legacy SIEM Visualize, Investigate • See log frequencies • Search for logs • Correlate events Device and Events from Authentication User Application Log Security Devices Location and IAM Identity Files and Endpoints VA Scan Data Network Flows Time OS Events Traditional Context Log Management DETECTION OF KNOWN SUSPICIOUS PATTERNS 7 NitroSecurity Next Generation SIEM McAfee Confidential—Internal Use Only
  • 8. Content Awareness Visualize, Investigate, Respond • See log frequencies • Search for logs • Flows indicate frequency but miss the • Correlate events what, who and how • What data is involved? • Application and Database complete the picture • Who is doing it? • Application logging inhibited by performance • Database logging inhibited by politics Content Aware Applications Traditional Context Database Log Management 8 NitroSecurity Next Generation SIEM McAfee Confidential—Internal Use Only
  • 9. ESM Fulfills Today’s SIEM Needs Visualize, Investigate, Respond • See log frequencies • Search for logs Advanced Correlation Engine • Correlate events GLOBAL THREAT ENTERPRISE RISK • What data is involved? LANDSCAPE LANDSCAPE • Who is doing it? • Threat intelligence feed • Vulnerabilities • Are they • Immediate alerting • Countermeasures a bad actor? • Historical Analysis • Individuals • What is the risk Risk ePolicy of the system? Advisor Orchestrator • What is the risk of the user? Dynamic Content Content Aware Traditional Context Log Management 9 NitroSecurity Next Generation SIEM McAfee Confidential—Internal Use Only
• 10. ESM Fulfills Today’s SIEM Needs — Visualize, Investigate, Respond (OPTIMIZED)
  Log Management layer:
  • See log frequencies
  • Search for logs
  Traditional Context layer:
  • Correlate events
  Content Aware layer (Applications, Database):
  • What data is involved?
  • Who is doing it?
  Dynamic Content layer (Advanced Correlation Engine):
  • Are they a bad actor?
  • What is the risk of the system?
  • What is the risk of the user?
  GLOBAL THREAT LANDSCAPE:
  • Threat intelligence feed
  • Immediate alerting
  • Historical Analysis
  ENTERPRISE RISK LANDSCAPE (Risk Advisor, ePolicy Orchestrator):
  • Vulnerabilities
  • Countermeasures
  • Individuals
  Use cases:
  1. Shut down bad actor
  2. Analyze last year’s events
  3. Compliance issue identified
  4. Investigate high-risk system
  Foundation: Big Security Data DB; High-Speed Scalable Architecture; Intelligent Correlation
• 11. GTI with SIEM Delivers Even Greater Value — Sorting Through a Sea of Events…
  • 200M events and logs → Have I been communicating with bad actors?
  • 18,000 alerts → Which communication was not blocked?
  • Dozens of endpoints → What specific servers/endpoints/devices were breached?
  • Handful of users → Which user accounts were compromised?
  • Specific files breached (if any) → What occurred with those accounts?
  • Optimized response → RESPOND: How should I respond?
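The funnel on slide 11 (and the "are they a bad actor?" correlation of slide 9) can be shown as a small, runnable triage step. The block below is an added example written for this page, not McAfee or NitroSecurity code: a constructed reputation set stands in for the GTI feed, the log lines are constructed, and the field layout, the `Event` record and the `triage_funnel` function are assumptions made for illustration. It narrows constructed events stage by stage: all events, contacts with listed addresses, contacts that were not blocked, then the endpoints, accounts and files those contacts touched.

```python
"""
Added example (not McAfee/NitroSecurity code): a minimal triage funnel in
the shape slide 11 describes. A reputation set stands in for a GTI feed;
the log lines are constructed. Fields are assumed to be
ts|host|user|dst_ip|action|file (file may be empty).
"""
from collections import namedtuple
import ipaddress

Event = namedtuple("Event", "ts host user dst_ip action file")

# Constructed reputation set standing in for a threat-intelligence feed.
# Documentation-range addresses only; these are not real indicators.
BAD_ACTORS = {"203.0.113.7", "198.51.100.23"}

# Constructed sample log lines: a mix of proxy/firewall and file-access records.
SAMPLE_LOG = [
    "2012-12-13T09:00:01|ws-017|alice|192.0.2.10|allowed|",
    "2012-12-13T09:00:05|ws-017|alice|203.0.113.7|blocked|",
    "2012-12-13T09:01:10|ws-042|bob|203.0.113.7|allowed|",
    "2012-12-13T09:01:12|ws-042|bob|203.0.113.7|allowed|/srv/hr/payroll.xlsx",
    "2012-12-13T09:02:00|srv-db1|svc_backup|198.51.100.23|allowed|/var/lib/db/customers.db",
    "2012-12-13T09:02:30|ws-042|bob|192.0.2.55|allowed|",
    "2012-12-13T09:03:00|ws-099|carol|198.51.100.23|blocked|",
]


def parse_line(line):
    """Parse one pipe-delimited log line into an Event.

    Raises ValueError on a malformed line or destination address so that
    bad input is surfaced rather than silently dropped from the funnel.
    """
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 6:
        raise ValueError("expected 6 fields, got %d: %r" % (len(fields), line))
    ts, host, user, dst_ip, action, file = fields
    ipaddress.ip_address(dst_ip)  # validates the address format
    return Event(ts, host, user, dst_ip, action, file or None)


def triage_funnel(events, bad_actors):
    """Narrow events stage by stage and return what survives each stage.

    Stages mirror the slide: all events -> contacts with bad actors
    (alerts) -> contacts not blocked -> affected endpoints -> affected
    accounts -> files touched during those contacts.
    """
    contacts = [e for e in events if e.dst_ip in bad_actors]
    not_blocked = [e for e in contacts if e.action != "blocked"]
    return {
        "events": len(events),
        "alerts": len(contacts),
        "not_blocked": len(not_blocked),
        "endpoints": sorted({e.host for e in not_blocked}),
        "users": sorted({e.user for e in not_blocked}),
        "files": sorted({e.file for e in not_blocked if e.file}),
    }


SAMPLE_EVENTS = [parse_line(line) for line in SAMPLE_LOG]

if __name__ == "__main__":
    for stage, value in triage_funnel(SAMPLE_EVENTS, BAD_ACTORS).items():
        print("%-12s %s" % (stage, value))
```

On the constructed input the seven events reduce to five alerts, three unblocked contacts, two endpoints, two accounts and two files; the response decision at the bottom of the funnel is left to the analyst, as on the slide. A real receiver would read the feed and the event stream from its collectors rather than from inline lists.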
• 12. Scalable and Intelligent Architecture
  • Intelligence and operational efficiency: GTI, ePO, MRA, SIA
  • Adaptive risk analysis & historical correlation: McAfee Advanced Correlation Engine
  • Integrated SIEM & log management: McAfee Enterprise Security Manager, McAfee Enterprise Log Manager
  • Rich application & database context: McAfee Application Data Monitor, McAfee Database Event Monitor
  • Scalable collection & distributed correlation: McAfee Receivers
  • Foundation: Big Security Data DB
• 13. McAfee ESM (NitroSecurity) Summary — Overview, Gartner SIEM MQ, Notable Customers
  • Founded: 1999
  • Description: Nitro develops the industry’s fastest analytical tools to identify, correlate and remediate information security threats in minutes instead of hours
  • Employees: 120 employees
  • Headquarters: Portsmouth, NH. R&D facilities in Idaho Falls.
  • Customers: 700+ active customers. 30 in Fortune 500. 60% of business through channel. 50% of business in US Federal.
  • Acquisitions: Acquired Rippletech (log collection and reporting technology) and LogMatrix (analytics technology)
  • Financials: 2010 bookings = $25MM; 50% growth YoY for trailing 3 years
• 14. Customer Case Study — McAfee
  OPPORTUNITY:
  • Internal security / compliance (Plano, TX)
  • Major SIEM installed for two years
  • “Never completed the initial deployment plan even with multiple $000,000’s of pro services”
  • “Can get the log data in, but CANNOT get useful information out”
  DECISION:
  • “Nitro” and Q1 shortlisted (pre-acquisition)
  • POC consisted of replicating original deployment plan
  • Q1Labs exhibited same performance issues as existing solution
  • Nitro is selected
  RESULTS:
  • Deployed and delivering value in 30 days
  • 2 appliances outperformed 32-core SIEM deployment
  • Eliminated consulting and instrumentation spend on making SIEM work
• 15. ESM: True Situational Awareness
  • GREATEST ACCURACY IN PINPOINTING THREATS
  • FASTEST TIME-TO-RESPOND
  • CONTINUOUS COMPLIANCE MONITORING
  • COST EFFECTIVE THROUGH LOW TCO AND RAPID TIME-TO-VALUE