TRANSCRIPT
Join the SIEM Revolution
Vasant Kumar Regional Customer Success Manager - APJ HPE Security
Agenda
–The Current Threat Landscape
–HPE ArcSight Solution Portfolio
–Q&A
Volatile, Uncertain, Complex, Ambiguous
Managing risk in today's digital enterprise
• Rapid transformation of enterprise IT: shift to hybrid, mobile connectivity, big data explosion
• Cost and complexity of regulatory pressures: compliance, privacy, data protection
• Increasingly sophisticated cyber attacks: more sophisticated, more frequent, more damaging
Cyber Timeline (2004-2015)
Eras marked on the slide: Loss/Stolen Data -> Rise of Cybercrime -> Professional / Hacktivism -> Advanced Persistent Threat -> Nation State
• 2004: AOL
• 2006: UK Revenue & Customs; NASA shuttle plans (Dec 2006)
• 2007: Estonia taken offline (May 2007); TJ Maxx / TJX (disclosed 2007)
• 2008: Buckshot Yankee (Nov 2008)
• 2009: Heartland; GhostNet (Mar 2009)
• 2010: Stuxnet
• 2011: Sony PSN (Apr 2011); Apple (Aug 2011); Kernel.org (Aug 2011); DigiNotar (Sept 2011)
• 2012: Tamper Data (June 2012); video conferencing systems (Aug 2012); Shamoon (Aug 2012)
• 2013: Red October (disclosed Jan 2013); Yahoo; Evernote; LivingSocial; WSJ - SEA (Aug 2013); .CN registry (Aug 2013); Target (Dec 2013)
• 2014: Benesse; Code Spaces; Sony Pictures; Dairy Queen; Michaels; UPS; Kmart; Goodwill
• 2015: Ashley Madison; Anthem / Premera; Hacking Team; mSpy; Experian; U.S. Government (OPM)
Slide notes:
• Buckshot Yankee (2008): the most significant breach of U.S. military networks to that date, seeded by an infected flash drive; it led to the creation of US Cyber Command.
• Heartland (2009): roughly 100 million payment cards stolen; cost about $140M.
• Stuxnet (2010): designed to seek out specific industrial control systems made by Siemens; exploited four zero-day vulnerabilities and appears to have targeted a uranium enrichment program in Iran.
• Sony PSN (2011): personal information of at least 77 million PlayStation Network users stolen or misused; Sony estimated the fallout cost at least $170 million.
• Shamoon (2012): noted for behaving unlike other cyber-espionage malware (it is destructive, overwriting disks rather than stealing data); spreads to other computers on the network through shared drives.
• Red October (2013): the Russian firm Kaspersky uncovered a worldwide espionage campaign operating since at least 2007; the attackers gathered information through vulnerabilities in Microsoft Word and Excel.
• Sony Pictures (2014): attribution disputed (insider, hacktivist group, or state-sponsored); about 100TB of confidential data exfiltrated.
• U.S. Government / OPM (2015): records of 22 million current and former federal employees, including the fingerprints of about 5 million.
• Anthem / Premera (2015): flagged on the slide as the largest breach of medical records (11M).
Things we have seen in 2015
• In most of the attacks, the attackers had been inside the network for a long time, sometimes about a year.
• The U.S. Government was breached, with over 22M personnel files taken.
• Several companies regarded as among the more secure have been breached.
• Attackers focus on obtaining complete customer details.
By the numbers
• 229 days: average time attackers are inside a network before detection
• 45 days: average time to resolve a cyber attack
• 67% of breaches are reported by a third party
• 80% of breaches occur at the application layer
• 10%: percentage of malware alerts deemed to be reliable
• 56% of organizations have been the target of a cyber attack
• 60% of organizations spend more time and money on reactive measures
Source: HP internal data, Forrester Research, Ponemon Institute, Gartner
Security trends & implications
Key Points
• Cybersecurity has catapulted to the top of boards' lists of concerns
• Security leadership is under pressure
• Cybercrime is booming
• The Internet of Things will only make things worse
• Need for greater visibility of business risks
• Need to make deliberate security investment choices
Global Spend on Security
• 8% of total IT budget is spent on security
• Global security spend in 2015 was $77B; the market will reach $120B by 2017 and an estimated $170B by 2020
• 77% of budget is spent on blocking (perimeter technologies such as firewall, IDS/IPS, proxy, sandboxes)
• 80% of attacks take place at the application layer
• 40% of security jobs are unfilled
Source: HP internal data, Forrester Research, Ponemon Institute, Coleman Parkes Research, Markets & Markets, Gartner
Resolving an incident takes significant time, and the longer the resolution takes, the more it costs per day.
[Chart: Average days to resolve an incident, by attack type(1)]
(1) 2015 Cost of Cyber Crime Study, Ponemon Institute
[Chart: The value of security intelligence to the organization(1)]
(1) 2015 Cost of Cyber Crime Study, Ponemon Institute
Intelligent Security Operations
Key Points
• Security Operations Centers face an increasing amount of information to process
• Effectiveness depends on narrowing the funnel and accelerating throughput
• Fewer false positives and less noise let analysts focus on the critical events and IOCs
The funnel on the slide: logs & events from servers, users, firewalls, network devices and endpoints (a volume that grows exponentially) are reduced to identified alerts, which feed investigation and hunt and end in IOCs. The goals are to increase speed to detection, speed up investigation, and proactively detect and manage breaches.
IOC: Indicator of Compromise
2017 State of Security Operations 4th annual report
82% of organizations are not meeting their business goals
27% of SOCs are failing to achieve minimum security monitoring capabilities
183 assessments
Read the full report at hpe.com/software/StateOfSecOps
ArcSight Portfolio Elements Overview
What is HPE Security ArcSight?
1: Collect machine data from almost any source
2: Normalize data from various vendors into an industry-accepted common event format
3: Enrich collected data with taxonomy, network and asset-specific details
4: Store years' worth of data through a high compression ratio of up to 10:1
5: Search with a simple and easy-to-use user interface
6: Detect anomalies and cyber threats with use cases
7: Analyze: identify and trace the patterns of threats, breaches or even suspicious behaviors
ArcSight monitors, analyzes and detects threats and risks across organizations and enterprises
HPE Security - ArcSight Portfolio Today
Data sources: Users, Endpoints, Network, Servers & Workloads, Apps, Cloud, IoT, Threat Intel
• ArcSight Data Platform: collection and storage
• Analytics: ArcSight ESM (SIEM), ArcSight User Behavior Analytics, ArcSight DMA, ArcSight App Analytics
• ArcSight Marketplace: framework for security operations providing essential use cases and processes
ArcSight Data Platform (ADP) Next-generation data collection and storage engine
• Comprised of Logger, ArcMC and SmartConnectors
• Captures data at rates of up to 400,000 events per second
• Compresses and stores up to 4.8PB of data
• Executes searches at millions of events per second
• Connector Appliance ingests raw data at up to 25,000 EPS
• Leverages off-the-shelf connectors and the Common Event Format (CEF)
• Universal, resilient and secure collection
• Data normalization and enrichment
• High-volume, low-cost, long-term retention
• Simple web-based analytics and out-of-the-box compliance
• Central management
• Appliance and software form factors
Collect machine data from any source: network, servers, mobile devices, data centers, applications, network traffic streams, Web 2.0, security devices, rich media, storage, social networks.
Scalable, high-performance data engine feeding: enterprise security management, user behavior analytics, Hadoop, third-party applications, hunt tools, visualization.
The Intelligent Event Broker architecture allows the connector intellectual property (parsing, normalization and categorization logic) to be built into the bus, making ingestion deployment much easier in the future.
Architecture on the slide:
• Event producers: ArcSight Connectors (GDPR), other event sources
• EB Streaming Platform: Kafka topics with a schema registry; events carried as CEF or AVRO
• EB Stream Processing ("virtual connectors"): Kafka-based event transform and event routing stream processes
• EB Web Service endpoints; FIPS, IPv6 and TLS supported
• Event consumers: ArcSight Logger/ESM, the Hercules search application, other applications and consumers; long-term storage
• Management: ArcMC (manage, monitor, admin) and the Hercules portal (install, deploy, elastic scale)
Intelligent Event Broker, an enterprise message bus:
‒ Destination routing
‒ Format conversion
‒ Scale-out cluster
Intellectual property built in:
‒ Normalization, categorization & enrichment
‒ Vastly simplified implementation
‒ Multi-vendor connector support
‒ Managed with ArcMC
HPE Enterprise Security Manager (ESM)
SIEM is the foundation for intelligent security operations
• Flexible hierarchical deployment for unlimited expansion
• Workflow and notification engine
• Event-level access control and multi-tenancy support
• Rich context model for networks, assets, users and vulnerabilities
• Flexible APIs to integrate with your operational, IT and security systems
• High-performance real-time correlation
• Contextual investigation for faster resolution
• Incident management and workflow for faster remediation
• Pattern discovery and visualization facilitating hunt
The Power of SIEM and Analytics: high-performance real-time correlation engine
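As an added illustration of what "real-time correlation with context" means in practice (this is example code written for this page, not ESM's rule language or engine): a streaming rule keeps a sliding window of authentication failures per (source, user) and raises an alert when a success follows at least five failures within five minutes, then ranks the alert using a hypothetical asset-criticality table that stands in for the SIEM's asset model. The event dictionaries use CEF-style field names (rt, src, duser, dst, outcome) and are constructed; the scoring weights are illustrative.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

# Hypothetical asset context: destination host -> business criticality (0-10).
# This stands in for the SIEM's asset model and is an assumption of this example.
ASSET_CRITICALITY: Dict[str, int] = {"10.1.0.10": 9, "10.1.0.50": 3}


@dataclass
class Alert:
    rule: str
    src: str
    duser: str
    dst: str
    failures: int
    first_ts: int
    last_ts: int
    priority: int


class FailedThenSuccessRule:
    """Flag a successful login preceded by >= threshold failures for the same
    (source, user) inside a sliding window: a basic credential-guessing pattern."""

    NAME = "auth-failures-then-success"

    def __init__(self, threshold: int = 5, window_s: int = 300):
        self.threshold = threshold
        self.window_s = window_s
        self._fails: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)

    def feed(self, ev: Dict) -> Optional[Alert]:
        """Consume one normalized event (CEF-style keys); return an Alert or None."""
        if ev.get("cat") != "authentication":
            return None
        key = (ev["src"], ev["duser"])
        q = self._fails[key]
        ts = ev["rt"]
        while q and ts - q[0] > self.window_s:   # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ts)
            return None
        if ev["outcome"] != "success":
            return None
        alert = None
        if len(q) >= self.threshold:
            crit = ASSET_CRITICALITY.get(ev["dst"], 5)
            # Illustrative scoring: base 4, +1 per failure beyond the threshold (max +3),
            # +2 when the target asset is highly critical.
            priority = min(10, 4 + min(len(q) - self.threshold, 3) + (2 if crit >= 8 else 0))
            alert = Alert(self.NAME, ev["src"], ev["duser"], ev["dst"],
                          len(q), q[0], ts, priority)
        q.clear()   # a success ends the burst either way
        return alert


def run_rule(events: List[Dict], rule: Optional[FailedThenSuccessRule] = None) -> List[Alert]:
    """Stream events (assumed to be in time order) through the rule and collect alerts."""
    rule = rule or FailedThenSuccessRule()
    return [a for a in (rule.feed(e) for e in events) if a is not None]


def _auth(ts, src, duser, dst, outcome):
    return {"rt": ts, "cat": "authentication", "src": src,
            "duser": duser, "dst": dst, "outcome": outcome}


# Constructed sample stream (not real telemetry).
SAMPLE_EVENTS: List[Dict] = (
    # six failures then a success against a critical host within 5 minutes -> alert
    [_auth(1000 + 10 * i, "198.51.100.7", "svc_backup", "10.1.0.10", "failure") for i in range(6)]
    + [_auth(1060, "198.51.100.7", "svc_backup", "10.1.0.10", "success")]
    # two typos then a success -> below threshold, no alert
    + [_auth(1100, "10.0.0.8", "alice", "10.1.0.50", "failure"),
       _auth(1105, "10.0.0.8", "alice", "10.1.0.50", "failure"),
       _auth(1110, "10.0.0.8", "alice", "10.1.0.50", "success")]
    # five old failures, success long after the window -> no alert
    + [_auth(1200 + i, "203.0.113.4", "bob", "10.1.0.50", "failure") for i in range(5)]
    + [_auth(2000, "203.0.113.4", "bob", "10.1.0.50", "success")]
    + [{"rt": 2001, "cat": "network", "src": "10.0.0.9", "dst": "10.1.0.10"}]  # ignored
)

if __name__ == "__main__":
    for a in run_rule(SAMPLE_EVENTS):
        print(a)
```

The design point is that the rule state is keyed and bounded (one deque per source/user pair, trimmed on every event), which is what lets this kind of logic run on a live stream rather than as a batch query; the context lookup at alert time is what turns "a pattern fired" into a priority an analyst can sort by.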
ArcSight - User Behavior Analytics (UBA): detecting abnormal behavior fast
The Power of Advanced Analytics: detects malicious users and processes with user behavior analytics
• Streamlined investigation through risk-ranked threats
• Enables more efficient threat hunting and faster remediation
• Fast event resolution with user activity reports
• Identify high-risk data exfiltration
• Prioritization of high-risk users
• 5:1 ROI impact
Application Defender: providing app insights and analytics, with real-time visibility into application activity and vulnerability exploits
Architecture on the slide: an App Defender agent runs inside the target application's JVM/CLR and emits logging and protection events; app data is provided to ArcSight in Common Event Format and consumed by ESM with App Defender content.
• Application activity logs and real-time exploit event data are analyzed
• Identify critical app events
• Analysts can investigate with visualization that greatly improves efficiency and speed to remediation
• Visual exploration of large sets of data to discover unknown patterns in the event base
ArcSight DMA (DNS Malware Analytics): analyze DNS traffic to identify unknown infected hosts invisible to perimeter or security products; operationally proven via HP Labs.
ArcSight - Marketplace: out-of-the-box use cases and best practices
Accelerate time to business value for SIEM and analytics investments
• Out-of-the-box use cases, best practices, tools and utilities all accelerate SIEM benefits so analysts can be more efficient
• Enhances ArcSight capabilities through new use cases
• Dedicated learning center to understand best practices
An app store for the latest security and compliance use cases, freeing teams from custom programming:
• Centralized location for trusted security packages
• Partner integrations that speed deployment
• Utilities and tools saving time for security operations
Introducing ArcSight Investigate
ArcSight: 3000 customers around the world; 15 years a Leader in Gartner; 5 out of 10 biggest banks; 5 out of 10 biggest defense and aerospace companies; 5 out of 10 biggest utilities
SOC today…
Personas: Sophia Rodriguez, SOC Manager; Matt Smith, Lv2 Security Analyst; Cindy Lee, Lv1 Security Analyst
Facing many challenges…
• "How can I manage my workforce efficiently?"
• "Too many alerts! Don't know where to start."
• "Do I need to learn a query language?"
• "Search result is too long. How can I find insight here?"
• "So many manual tasks to get context."
• "Hard to find skilled talent."
• "Search is slow!"
ArcSight Investigate: 4 Major Capabilities
Search | Data Analysis | Live | Open
Integration with Hadoop: move data to Hadoop and perform search and analytics in an open data format
• Hot data (Vertica): most frequent queries, fast ad-hoc analysis, best performance
• Cold data (Hadoop): for data accessed less frequently; cheap storage; holds long-range data
Retention axis on the slide: hot data covers the most recent days (45, 90, 180, 270 days marked)
Single screen for all your investigations
ArcSight product portfolio overview
• ARCSIGHT INVESTIGATE: Investigation | Entity Profiling | Hunt
• ARCSIGHT ESM: 24x7 real-time monitoring & correlation
• ARCSIGHT UBA: user & entity behavior analytics
• ARCSIGHT DMA: advanced analytics for malware detection
• ARCSIGHT DATA PLATFORM: Connectors | Event Broker | Management Console | Compliance (Logger)
• Sources: User, Cloud, App, Servers & Workloads, Network, Endpoints, IoT
• ARCSIGHT MARKETPLACE: HPE and expert-community-developed use cases and connectors
Next-generation security search and investigation
• Industry-leading search speed at scale
• 10x faster search using HPE Vertica as an embedded high-performance database
• Predefined data analysis for security investigation
• Create powerful charts and dashboards with a few clicks
• Seamless integration with Hadoop
• A single UI provides easy access to the full range of historical data
ESP Technology Partners
Partner categories: DDoS, GRC, SIEM, Application Security, Threat Intelligence
ArcSight Differentiators and Benefits
1. Real-time correlation with context
• ArcSight maintains contextual information, allowing for real-time correlation and prioritization.
• Reduces time to detection with efficient processing.
• Implement use cases for the threats that matter.
2. Out-of-the-box tailoring for your environment
• Highly configurable, with hundreds of connectors, built-in filters and templates to quickly tailor to your environment and workflow.
• Tailoring identifies the specific IOCs an analyst needs to look at, reducing false positives.
• Integrates with your operational, IT and security systems.
3. Proven technology for any size of organization
• ArcSight is used in real SOCs.
• The HPE SIOC practice helped many of those get started.
• Fits any organizational structure and size.
Thank You