siem - your complete it security arsenal

Post on 18-Nov-2014


DESCRIPTION

Security information and event management (SIEM) solutions have entered the market to provide security intelligence and automate managing terabytes of log data for IT security. SIEM solutions monitor network systems, devices, and applications in real time, providing security intelligence for IT professionals to mitigate threats, correlate events, identify the root cause of security incidents, and meet compliance requirements. Most organizations think that SIEM solutions have a steep learning curve and are expensive, complex, and hard to deploy. This claim may be true about many SIEM vendors. However, the right SIEM solution is one that can be easily deployed, is cost-effective, and meets all your IT security needs with a single tool. ManageEngine's SIEM expert, Joel Fernandes, will discuss 8 things every IT manager should know about choosing an SIEM solution. You'll learn how to:

• Choose an SIEM solution
• Monitor user activity to curb insider threats
• Proactively mitigate sophisticated cyber-attacks
• Meet IT compliance requirements

TRANSCRIPT

SIEM: Your Complete IT Security Arsenal
8 Things You Should Know About Choosing an SIEM Solution

Joel Fernandes, Sr. Product Marketing Analyst, SIEM Solutions, ManageEngine

joeljohn.f@manageengine.com

Speaker

Webinar “Housekeeping” Tips

• Use the “question” box in the lower right corner to submit your questions

• Questions will be answered during the Q&A session at the end of the webinar

• We will do our best to answer as many questions as possible in the allotted time

• This webinar is getting recorded and will be shared to you via email

Agenda

• About ManageEngine
• Log management challenges
• What is SIEM?
• Why is SIEM necessary?
• 2012 Data Breach Analysis
• Typical working of an SIEM solution
• 8 critical things you should know about choosing an SIEM solution
• Business benefits of SIEM solutions
• ManageEngine SIEM product offering – Overview
• Quick Demo – ManageEngine SIEM product offering
• Conclusion
• Q&A

About ManageEngine

– IT Management Software division of Zoho Corporation
– Established in 2002
– ManageEngine covers the complete gamut of IT solutions
  • 21 Products | 20 Free tools | 2 SAAS offerings
– Trusted by over 72,000 customers across 200+ countries
– 3 out of every 5 Fortune 500 companies are ManageEngine customers

Log Management Challenges

• Analyzing Logs for Relevant Security Intelligence

• Centralizing Log Collection
• Meeting IT Compliance Requirements
• Conducting Effective Root Cause Analysis
• Making Log Data More Meaningful
• Tracking Suspicious User Behavior

What is SIEM?

• The term ‘SIEM’ was coined by Mark Nicolett and Amrit Williams (Gartner Analysts) in 2005

• In simple words, SIEM is a combination of two different types of technologies:

– SIM (Security Information Management) that focuses on log collection and report generation

– SEM (Security Event Manager) that analyzes events in real-time using event correlation and alerting mechanism

• SIEM technology provides network security intelligence and real-time monitoring for network devices, systems, and applications

Typical Working of an SIEM Solution

Why is SIEM necessary?

• Rise in data breaches due to internal and external threats
• Attackers are smart and traditional security tools just don’t suffice
• Mitigate sophisticated cyber-attacks
• Manage increasing volumes of logs from multiple sources
• Meet stringent compliance requirements

Biggest Data Breaches in 2013

Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

2012 Data Breach Analysis

Source: Verizon 2013 Data Breach Investigations Report

[Figure: threat categories over time; victims]

8 Things You Should Know About Choosing an SIEM Solution

#1. Log Collection

• Universal Log Collection to collect logs from heterogeneous sources (Windows systems, Unix/Linux systems, applications, databases, routers, switches, and other devices)

• Log collection method - agent-based or agentless

– Both Recommended

• Centralized log collection

• Events Per Second (EPS) – the rate at which your IT infrastructure sends events.

– If not calculated properly, the SIEM solution will start dropping events before they are stored in the database, leading to incorrect reports, search results, alerts, and correlation.
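The EPS point above is easy to get wrong because sizing is usually done on the daily average while collectors drop events on the peak second. The following is an added example (not ManageEngine's code and not part of the webinar) that buckets constructed event timestamps per second, reports average and peak EPS, counts how many events a collector with a given per-second cap would discard, and checks a licensed EPS figure against the peak with an assumed 1.5x planning headroom.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: one ISO-8601 timestamp per collected event (not data from the
# webinar). In practice these would be taken from a representative day of logs.
SAMPLE_TIMESTAMPS = [
    "2014-11-18T09:00:00", "2014-11-18T09:00:00", "2014-11-18T09:00:00",
    "2014-11-18T09:00:01", "2014-11-18T09:00:01",
    "2014-11-18T09:00:02",
    "2014-11-18T09:00:05", "2014-11-18T09:00:05", "2014-11-18T09:00:05",
    "2014-11-18T09:00:05", "2014-11-18T09:00:05", "2014-11-18T09:00:05",
]


def per_second_counts(timestamps):
    """Bucket events by wall-clock second, including quiet seconds as zeros."""
    stamps = sorted(datetime.fromisoformat(t).replace(microsecond=0) for t in timestamps)
    if not stamps:
        return []
    counts = Counter(stamps)
    current, last = stamps[0], stamps[-1]
    series = []
    while current <= last:
        series.append(counts.get(current, 0))
        current += timedelta(seconds=1)
    return series


def eps_profile(timestamps):
    """Average and peak EPS over the observed span; the peak is what sizing must cover."""
    series = per_second_counts(timestamps)
    if not series:
        return {"average": 0.0, "peak": 0}
    return {"average": sum(series) / len(series), "peak": max(series)}


def dropped_events(timestamps, capacity_eps):
    """Events lost if the collector ingests at most capacity_eps per second with no
    buffer: everything above the cap in a busy second is discarded."""
    return sum(max(0, n - capacity_eps) for n in per_second_counts(timestamps))


def sizing_check(timestamps, licensed_eps, headroom=1.5):
    """Return (fits, required_eps). The licence should cover the peak plus headroom for
    growth and bursts; the 1.5 factor is an assumed planning margin, not a vendor figure."""
    required = math.ceil(eps_profile(timestamps)["peak"] * headroom)
    return licensed_eps >= required, required


if __name__ == "__main__":
    print(eps_profile(SAMPLE_TIMESTAMPS))        # average 2.0, peak 6
    print(dropped_events(SAMPLE_TIMESTAMPS, 4))  # 2 events lost in the burst second
    print(sizing_check(SAMPLE_TIMESTAMPS, 8))    # (False, 9)
```

The sample averages 2 EPS but peaks at 6, so a collector sized for the average silently loses two events in the burst second; that is exactly the situation the slide warns about, and the lost events never reach reports, searches or correlation rules.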

#2. User Activity Monitoring

• SIEM solutions should have out-of-the-box user activity monitoring and privileged user monitoring and audit (PUMA) reporting features

• Ensure that the SIEM solution gives the ‘Complete audit trail’

– Know which user performed the action, what was the result of the action, on what server it happened, and user workstation/device from where the action was triggered.

#3. Real Time Event Correlation

• Real-time event correlation is all about proactively dealing with threats

• Correlation boosts network security by processing millions of events simultaneously to detect anomalous events on the network

• Correlation can be based on log search, rules and alerts

– Predefined rules and alerts are not sufficient. Custom rule and alert builder is a must for every SIEM solution.

– Ensure that the process of correlating events is easy.
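To make the "custom rule" point concrete, here is an added example (not ManageEngine's code and not from the webinar) of a single correlation rule implemented over constructed authentication log lines in an assumed key=value layout: it raises an alert when one source address produces at least three failed logins within 60 seconds and then a successful login, which is the classic brute-force-then-success pattern a predefined rule set may not express with the thresholds an organisation needs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log lines in a simple key=value layout (not real data,
# and not a format the webinar describes).
SAMPLE_LOG = """\
2014-11-18T10:00:01 host=srv1 user=alice src=10.0.0.5 result=FAIL
2014-11-18T10:00:05 host=srv1 user=alice src=10.0.0.5 result=FAIL
2014-11-18T10:00:09 host=srv1 user=alice src=10.0.0.5 result=FAIL
2014-11-18T10:00:12 host=srv2 user=bob src=10.0.0.9 result=FAIL
2014-11-18T10:00:15 host=srv2 user=bob src=10.0.0.9 result=FAIL
2014-11-18T10:00:18 host=srv2 user=bob src=10.0.0.9 result=SUCCESS
2014-11-18T10:00:20 host=srv1 user=alice src=10.0.0.5 result=SUCCESS
2014-11-18T10:01:00 host=srv3 user=carol src=10.0.0.7 result=FAIL
2014-11-18T10:01:30 host=srv3 user=carol src=10.0.0.7 result=FAIL
2014-11-18T10:03:00 host=srv3 user=carol src=10.0.0.7 result=FAIL
2014-11-18T10:03:10 host=srv3 user=carol src=10.0.0.7 result=SUCCESS
this line is not an auth event and is skipped
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_event(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate_failed_then_success(lines, threshold=3, window=timedelta(seconds=60)):
    """Alert when one source produces at least `threshold` failed logins inside
    `window` and then a successful login from the same source."""
    recent_failures = defaultdict(deque)  # src -> failure timestamps still inside the window
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
        elif ev["result"] == "SUCCESS" and len(q) >= threshold:
            alerts.append({
                "ts": ev["ts"].isoformat(),
                "src": ev["src"],
                "user": ev["user"],
                "host": ev["host"],
                "failures": len(q),
            })
            q.clear()  # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    for alert in correlate_failed_then_success(SAMPLE_LOG):
        print(alert)  # only the 10.0.0.5 / alice sequence matches
```

Only the first source trips the rule: the second has too few failures, and the third spreads its failures over more than the window, so the sliding window has expired them by the time the success arrives. The threshold and window are parameters precisely so that an analyst can tune them per environment, which is what the slide means by a custom rule builder being a must.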

#4. Log Retention

• SIEM solutions should automatically archive all log data from systems, devices & applications to a ‘centralized’ repository

• Ensure that the SIEM solution has a ‘Tamper Proof’ feature which ‘encrypts’ and ‘time stamps’ the archived logs for compliance and forensics purposes

• Ease of retrieving and analyzing archived log data
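The time-stamping and tamper-proofing requirement in #4 has a simple core that is worth seeing in code. This added example (not ManageEngine's implementation and not from the webinar) archives constructed log messages as a hash chain: each record carries an archive timestamp, the previous record's authenticator and an HMAC-SHA256 over all of its fields, so editing or deleting a record later breaks verification. The key is a placeholder; the example covers integrity and time-stamping only, not the encryption at rest the slide also mentions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Placeholder key for the demonstration; a real deployment keeps this in a secrets
# store or HSM, never in source.
DEMO_KEY = b"constructed-demo-key-not-for-production"

GENESIS = "0" * 64  # "previous MAC" value for the first record


def _record_mac(key, seq, ts, message, prev):
    """HMAC-SHA256 over a canonical JSON encoding of the record fields."""
    payload = json.dumps([seq, ts, message, prev], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(chain, key, message, ts=None):
    """Append a log message with an archive timestamp, a link to the previous
    record's MAC and its own MAC over all four fields."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    seq = len(chain)
    prev = chain[-1]["mac"] if chain else GENESIS
    record = {"seq": seq, "ts": ts, "message": message, "prev": prev}
    record["mac"] = _record_mac(key, seq, ts, message, prev)
    chain.append(record)
    return record


def verify_chain(chain, key):
    """Return (ok, index): ok is False at the first record whose sequence number,
    back-link or MAC does not check out; index == len(chain) when everything passes."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        expected = _record_mac(key, rec["seq"], rec["ts"], rec["message"], rec["prev"])
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, i
        prev = rec["mac"]
    return True, len(chain)


def build_sample_archive(key=DEMO_KEY):
    """Three constructed log lines archived with fixed timestamps."""
    chain = []
    append_record(chain, key, "sshd: Accepted password for alice from 10.0.0.5", "2014-11-18T09:00:00+00:00")
    append_record(chain, key, "sudo: alice : COMMAND=/bin/cat /etc/shadow", "2014-11-18T09:00:04+00:00")
    append_record(chain, key, "sshd: Disconnected from 10.0.0.5", "2014-11-18T09:00:09+00:00")
    return chain


def tampered_copy(chain, index, new_message):
    """Simulate an after-the-fact edit of one archived message (stored MAC left as is)."""
    copy = [dict(rec) for rec in chain]
    copy[index]["message"] = new_message
    return copy


if __name__ == "__main__":
    archive = build_sample_archive()
    print(verify_chain(archive, DEMO_KEY))                                            # (True, 3)
    print(verify_chain(tampered_copy(archive, 1, "sudo: nothing to see"), DEMO_KEY))  # (False, 1)
    print(verify_chain(archive[:1] + archive[2:], DEMO_KEY))                          # (False, 1): a record was removed
```

One caveat the verifier makes visible: dropping records from the end of the chain still verifies, because nothing inside the chain states how long it should be. A real archive therefore also anchors the latest MAC and record count somewhere the archive writer cannot alter (a separately signed manifest, a trusted time-stamping service, or write-once storage), which is what the compliance-grade "tamper proof" feature on the slide has to provide beyond the per-record checks shown here.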

#5. IT Compliance Reports

• IT compliance is the core of every SIEM solution

• Ensure that the SIEM solution has out-of-the-box regulatory compliance reports such as PCI DSS, FISMA, GLBA, SOX, HIPAA, etc.

• SIEM solutions should also have the capability to customize and build new compliance reports to comply with future regulatory acts

#6. File Integrity Monitoring

• File integrity monitoring helps security professionals in monitoring business critical files and folders.

• Ensure that the SIEM solution tracks and reports on all changes happening such as when files and folders are created, accessed, viewed, deleted, modified, renamed and much more.

• The SIEM solution should also send real-time alerts when unauthorized users access critical files and folders
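As an added illustration of the file integrity monitoring described in #6 (not ManageEngine's implementation and not from the webinar), the example below takes a SHA-256 baseline of a directory tree, lets a constructed scenario create, modify and delete files, and classifies the differences. It is a polling approach: it detects created, modified and deleted files by content, but not reads or views, which require operating-system audit logging rather than hashing.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 digest of its content."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Classify changes between two snapshots as created, modified or deleted paths."""
    before, after = set(baseline), set(current)
    return {
        "created": sorted(after - before),
        "deleted": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline three files, then create, modify and delete one each.
    Runs in a temporary directory so it touches nothing on the real system."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "config.ini": b"debug=false\n",
            "old.log": b"boot ok\n",
            os.path.join("app", "readme.txt"): b"hello\n",  # unchanged, must not be reported
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)

        with open(os.path.join(root, "config.ini"), "wb") as fh:
            fh.write(b"debug=true\n")                # modification
        os.remove(os.path.join(root, "old.log"))     # deletion
        with open(os.path.join(root, "new.txt"), "wb") as fh:
            fh.write(b"dropped here\n")              # creation
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())  # created new.txt, modified config.ini, deleted old.log
```

A SIEM's FIM module layers on top of this the part the slide stresses: attributing each change to a user and raising a real-time alert when the user is not on the authorised list for that path, which needs the file-access audit events to be collected alongside the hash comparison.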

#7. Log Forensics

• SIEM solutions should allow users to track down an intruder or the event activity using log search capability

• The log search capability should be very intuitive and user-friendly, allowing IT administrators to search through the raw log data quickly

#8. Dashboards

• Dashboards drive SIEM solutions and help IT administrators take timely action and make the right decisions during network anomalies.

• Security data must be presented in a very intuitive and user-friendly manner.

• The dashboard must be fully customizable so that IT administrators can configure the security information they wish to see.

8 Critical Things – At a glance

Business Benefits of SIEM Solutions

• Real-time Monitoring – for operational efficiency and IT security purposes

• Cost Saving
• Compliance
• Reporting
• Rapid ROI

ManageEngine’s SIEM Offering

– Easy to deploy
– Cost-effective
– Customizable dashboard with drag and drop widgets

– Uses both Agent and Agentless log collection mechanism

Universal Log Collection

– Supports heterogeneous log sources

– Universal log collection capability helps index any type of log regardless of the format and source

– Allows you to index log data and generate reports for custom in-house/proprietary applications

Real Time Event Correlation and Log Forensics

– Correlation using Search: Correlate events using log search with Wild-cards, Phrases and Boolean operators

– Correlation using Alerts: Correlate events using custom and predefined alerts to mitigate threats in real-time

– Notifications are sent in real-time via Email and SMS

– Conduct root cause analysis by diving into raw logs and generate forensic reports in minutes!

5,000+ customers across 110+ countries

Get your 30 Day Free Trial Now! www.eventloganalyzer.com

Quick Glance

Conclusion

• A SIEM solution can provide enormous security benefits to the company by protecting the network with real-time log analysis.

• Most organizations think that SIEM solutions have a steep learning curve and are expensive, complex, and hard to deploy.

• This claim may be true about many SIEM vendors. However, the right SIEM solution is one that can be easily deployed, is cost-effective, and meets all your IT security needs with a single tool.

Q&A
