ActiveInsight for SIEM (Security Information and Event Management)
DESCRIPTION
ActiveInsight provides real-time, value-based detection and reaction to event patterns and behavior. In this presentation we discuss how ActiveInsight helps SIEM deployments detect and react to critical application-level data and events. For more information see http://www.activeinsight.net
TRANSCRIPT
www.activeinsight.net
Real-time Detection and Reaction to User Behavior
ActiveInsight for SIEM
ACTIVE INSIGHT
Background
Successful SIEM deployments have been collecting data and events from infrastructure and security devices.
Various regulations and business needs require application-level event collection, audit trail and correlation (FISMA, HIPAA, PCI, 357/257, etc.).
The business application tier is where actual business events occur and where damage can be done.
“Application layer monitoring for fraud detection or internal threat management is emerging as a new use case for SIEM technology.” (Gartner Magic Quadrant for Security Information and Event Management, 2008)
The Business Need
Application-level audit trail
Detailed user-session-application level data
Real-time visibility of user behavior and application events
Real-time, value-based event detection and reaction
“Zero-touch” application event detection (no code modifications or complex log configuration and management)
“Zero-impact” on application performance and user experience
Quick deployment
[Architecture diagram: External Users and Internal Users on one side; ActiveInsight in the middle (Detect / React); feeds on the other side: System Mgmt, Risk Mgmt, SIEM, Fraud Detection; integration via Device API]
ActiveInsight Unique Value Proposition
Deeper, richer user-application level data
Non-intrusive, event driven architecture
Zero-touch, zero-impact deployment
Real-time visibility and reactions
Minimized integration efforts
Multiple feeders for various risk mgmt applications
Computational, I/O and log management off-loading
Main Technological Challenges
Detecting relevant user-application events, in real-time, without
harming application performance and availability
Reacting to relevant events by feeding SIEM or other security/risk
management applications or initiating defensive actions
Offloading application servers and providing a central log source bus
Providing a simple, flexible and non-intrusive solution that can be
deployed without requiring application code changes
Technology
Distributed, high-performance, extreme transaction processing technology
Integrated in-memory distributed data caching
Unlimited server scale-out (scalable by design)
Async or sync (w/o time-out) processing
Low latency computational de-coupling
Unique and simple, XML-based “behavioral processing language”
Asynchronous, multi target feeders
Real-time, pattern based, 2-way user interaction
Summary
Q&A
Thank you!
http://www.activeinsight.net