Using Securonix Cloud SIEM to Monitor Your Hybrid Infrastructure www.securonix.com

Security Analytics. Delivered. www.securonix.com

The Changing Perception of Cloud

When cloud computing was introduced, the question was asked: “Will companies adopt cloud?” These days, the question has changed to: “How will companies move to the cloud?” In its 2018 Cloud Computing Survey, published in October 2018, IDG reported that over 77% of organizations have at least some part of their computing infrastructure in the cloud. This change is a direct result of organizations recognizing the value they can realize from the array of cloud-supported applications available, along with the increased scalability and enhanced security that have emerged to build and sustain cloud ecosystems.

The Benefits of Cloud-to-Cloud Integration and Monitoring

Securonix Cloud SIEM extends security monitoring to cloud infrastructure, data, access, and applications. Securonix provides built-in APIs for all major cloud infrastructure and application technologies. A wide range of cloud connector frameworks allows the Securonix Cloud SIEM to integrate directly with other cloud infrastructure, applications, and services.

• Extend seamless security monitoring across your cloud environment without needing to rely on on-premise solutions that were not designed for the cloud.

• Eliminate blind spots when you can correlate between on-premises data and cloud data in order to analyze end-to-end activities and detect actionable threat patterns.

Figure 1: Cloud Connectors and Sample Use Cases


Highlights of Securonix Next-Gen SIEM

Securonix Next-Gen SIEM transforms big data into actionable security intelligence. It integrates log management, security information and event management (SIEM), user and entity behavior analytics (UEBA), threat hunting, and automated incident response in a single solution.

Open Hadoop Platform

Securonix Next-Gen SIEM is built on a Hadoop platform that is optimized for unlimited scalability and real-time analytics, and for processing and storing a large volume and variety of data. Data types range from structured transaction data to semi-structured and unstructured forms of information such as internet clickstream records, network device logs, endpoint logs, application events, non-technical data feeds, email logs, and more.

Data Lake

A data lake is a central location that can be used to store all data, regardless of its source or format. Data lakes are typically built using Hadoop to store data and perform the analytics required for organizational decisions. The security data lake in the Securonix cloud platform is a massively scalable and fault-tolerant open-data platform that ingests hundreds of terabytes per day and supports long-term data retention.

Behavior Analytics

Behavior analytics originated in the early 2000s as a tool to help marketing teams analyze and predict customer buying patterns. Securonix Next-Gen SIEM applies machine learning and behavior analytics to analyze and correlate interactions between users, systems, applications, IP addresses, and data: each entity is profiled against its own history and its peers, and deviations from that baseline are scored rather than matched against static signatures. UEBA is used to detect advanced insider threats, cyber threats, fraud, and cloud data compromise.
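To make the baseline-and-deviation idea concrete, here is an added illustrative example of UEBA-style scoring over constructed login and data-access events. It is not Securonix's own analytics or packaged content; the event records, the "working hours" window, the z-score threshold, and the per-deviation weights are all assumptions chosen for the illustration.

```python
"""Illustrative UEBA-style baselining over constructed login/data-access events.

Added example of the technique the section describes; it is not Securonix's
analytics, and every event, weight and threshold below is a constructed
assumption.
"""
from statistics import mean, pstdev

# Constructed baseline window: (user, source_ip, target_host, hour_of_day, bytes_out)
BASELINE_EVENTS = [
    ("alice", "10.1.1.5", "fileserver01", 9, 1_200_000),
    ("alice", "10.1.1.5", "fileserver01", 10, 900_000),
    ("alice", "10.1.1.5", "fileserver01", 11, 1_500_000),
    ("alice", "10.1.1.5", "fileserver01", 14, 1_100_000),
    ("alice", "10.1.1.5", "fileserver01", 16, 1_300_000),
    ("bob", "10.1.2.7", "devbox03", 8, 200_000),
    ("bob", "10.1.2.7", "devbox03", 12, 250_000),
    ("bob", "10.1.2.7", "devbox03", 17, 180_000),
    ("bob", "10.1.2.9", "devbox03", 18, 220_000),
]

# Constructed detection window scored against the baseline above
DETECTION_EVENTS = [
    ("alice", "10.1.1.5", "fileserver01", 10, 1_400_000),   # routine
    ("alice", "203.0.113.9", "hr-db01", 2, 45_000_000),     # new IP, new host, 02:00, huge volume
    ("bob", "10.1.2.9", "devbox03", 12, 230_000),            # routine
    ("carol", "10.1.3.2", "devbox03", 9, 50_000),            # never seen in the baseline
]

# Assumed weights per deviation; an event's risk is the sum of its deviations
WEIGHTS = {"new_source_ip": 20, "new_host": 25, "off_hours": 15,
           "volume_spike": 40, "unknown_user": 50}


def build_profiles(events):
    """Per-user profile: entities seen, hours seen, and the byte-volume distribution."""
    profiles = {}
    for user, ip, host, hour, nbytes in events:
        p = profiles.setdefault(user, {"ips": set(), "hosts": set(), "hours": [], "bytes": []})
        p["ips"].add(ip)
        p["hosts"].add(host)
        p["hours"].append(hour)
        p["bytes"].append(nbytes)
    return profiles


def score_event(profiles, event, z_threshold=3.0):
    """Return (risk, reasons): how far the event departs from the user's own baseline."""
    user, ip, host, hour, nbytes = event
    p = profiles.get(user)
    if p is None:
        return WEIGHTS["unknown_user"], ["unknown_user"]
    reasons = []
    if ip not in p["ips"]:
        reasons.append("new_source_ip")
    if host not in p["hosts"]:
        reasons.append("new_host")
    # Working window = the hours observed for this user, widened by one hour each side
    if not (min(p["hours"]) - 1 <= hour <= max(p["hours"]) + 1):
        reasons.append("off_hours")
    # Volume anomaly: z-score against the user's own byte-volume distribution
    mu, sigma = mean(p["bytes"]), pstdev(p["bytes"])
    if sigma > 0 and (nbytes - mu) / sigma > z_threshold:
        reasons.append("volume_spike")
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect(profiles, events, min_risk=40):
    """Rank the events in a detection window whose risk score reaches min_risk."""
    alerts = []
    for ev in events:
        risk, reasons = score_event(profiles, ev)
        if risk >= min_risk:
            alerts.append((risk, ev[0], reasons))
    return sorted(alerts, key=lambda a: a[0], reverse=True)


if __name__ == "__main__":
    for risk, user, reasons in detect(build_profiles(BASELINE_EVENTS), DETECTION_EVENTS):
        print(f"risk={risk:3d} user={user:6s} reasons={','.join(reasons)}")
```

The point the example makes is that none of the four reasons is a signature: the same 02:00 login from a new address would be unremarkable for a user whose baseline already contains it, which is why a baseline per entity (and, in a real deployment, per peer group) is what separates UEBA from threshold rules.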

Figure 2: Securonix Next-Gen SIEM. Components shown: Open Hadoop Platform; Data Lake (unlimited scale, own your data); Behavior Analytics (machine learning, packaged content); Threat Hunting (text-based search, visual link analysis); Automated Response (incident playbooks, case management); Reporting (data insights, reporting, compliance); Securonix Cloud SIEM; Securonix Response Bot; Securonix Threat Research Advisory.


Threat Hunting

Threat hunting is the human-driven, proactive, and iterative search through network endpoints or datasets in order to detect malicious, suspicious, or risky activities. Securonix Next-Gen SIEM uses Spotter, a fast natural-language search engine built on Apache Lucene, to hunt for indicators of compromise and build a comprehensive threat context. Results can be displayed on a dashboard or exported in a standard data format.

Automated Response

With Securonix Next-Gen SIEM, you can apply incident response orchestration actions through built-in playbooks. These playbooks can be used to automate incident response workflows. You can launch playbooks in response to different types of threats, taking actions such as launching vulnerability scans.

Reporting

Securonix Next-Gen SIEM can automate reporting and dashboards, which minimizes the manual effort required of the security team. Relevant metrics and insights can be produced routinely in an automated fashion.

Response Bot

Response Bot uses machine learning to recommend actions to Tier 1 and Tier 2 analysts for responding to threats, based on the actions previously taken by Tier 3 analysts. This reduces the mean time to respond and frees Tier 3 analysts to focus on remediating new, unknown threats.

Securonix Threat Research Advisory

With expert advice available when you need it, Securonix helps your team develop advanced threat hunting capabilities. You receive the latest threat content based on lessons learned from recent cyberattacks, and you can access the latest threat models and use cases through your Securonix solution to keep your environment up to date.


Advantages of the Securonix Cloud Platform

Once the analytics described above run during real-time ingestion (proxy logs are the example here), the output is a set of enriched, high-fidelity threats. Using Securonix tiered analytics, the proxy analyzer maximizes the number of true positives and raises the yield-to-hit ratio. In most engagements, from billions of events across thousands of endpoints, the analyzer picks out a small number of endpoints and a few hundred associated events, all of which are high-fidelity threats.

Accessibility
• By hosting Securonix Next-Gen SIEM on the public cloud, it is accessible from anywhere on any device, securely, without requiring a VPN.
• Supports cloud-based single sign-on (SSO) through standards such as Security Assertion Markup Language (SAML) and OAuth.

Architecture
• A multi-tenant architecture facilitates the logical segregation of data.
• Every customer receives a dedicated application.
• You have access to a dedicated graphical user interface (GUI) across the entire application.

Security
• SOC 2 Type 2 attestation covers the controls that protect your data.
• Data is transferred over an encrypted channel.
• On-premises to cloud data transfers are restricted to a single IP address.

Operations
• SnyprEye enables the configuration and monitoring of infrastructure and application components.
• Provides continuous alerts on the health of the system, jobs, and other information.

Cloud and On-Premises Feeds
• Cloud-to-cloud integrations are facilitated using API integrations.
• On-premises data feeds are imported using remote ingestion nodes located in your data center.
• Allows identity, human resources, threat intelligence, and other contextual data to be included in data correlation.


Managed by Securonix
• Access to the latest software version and patches.
• Access to the latest threat models and use cases.
• Best-in-class subject matter expert (SME) support with 24x7 operations and management.

SNYPR Cloud Platform Architecture Overview

The SNYPR Cloud Platform infrastructure provides a multi-tenant environment with high availability for each component of the infrastructure. This includes the optimization of all shared services, as well as the optimization of the dedicated components for each customer.

All access to the environment is secured, both in transit and at rest. A dedicated user interface is provided for each customer. Security event data is ingested into the cloud environment through the Kafka messaging service from an on-premises remote ingestion node in your data center; in the figure below the ingestion listener is on port 9093 and the user interface on port 443.
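A check a practitioner would want before the remote ingestion node goes live is that its Kafka producer can only reach the cloud endpoint over the encrypted listener. The following is an added example, not Securonix tooling, of a small validator over Java-properties-style Kafka client configuration. It assumes the ingestion endpoint is the TLS listener on port 9093 from the architecture figure, uses a placeholder hostname (ingest.example.securonix.test), and treats a client keystore for mutual TLS as a hardening requirement the page itself does not state; the two configuration strings are constructed to show the weak and the corrected setting side by side.

```python
"""Validate a remote ingestion node's Kafka producer properties before it
ships events to the cloud ingestion endpoint.

Added example, not Securonix's own tooling. Assumptions: the cloud ingestion
endpoint is the TLS listener on port 9093 shown in the architecture figure,
the only permitted bootstrap host is a placeholder name, and mutual TLS
(client keystore) is required; the page does not specify the last point.
"""

ALLOWED_BOOTSTRAP_HOST = "ingest.example.securonix.test"  # placeholder hostname (assumption)
TLS_PORT = 9093  # ingestion listener from the architecture figure

# Constructed weak configuration: plaintext, wrong port, hostname verification disabled
WEAK_CONFIG = """\
bootstrap.servers=ingest.example.securonix.test:9092
security.protocol=PLAINTEXT
# an explicitly empty value turns off TLS hostname verification in Kafka clients
ssl.endpoint.identification.algorithm=
"""

# Constructed corrected configuration: TLS on 9093, pinned trust store, client certificate
HARDENED_CONFIG = """\
bootstrap.servers=ingest.example.securonix.test:9093
security.protocol=SSL
ssl.endpoint.identification.algorithm=https
ssl.truststore.location=/etc/snypr/ingest-ca.p12
ssl.truststore.password=changeit
ssl.keystore.location=/etc/snypr/node.p12
ssl.keystore.password=changeit
"""


def parse_properties(text):
    """Minimal Java .properties parser: '=' or ':' separates key and value, '#'/'!' comment."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def check_producer_config(text):
    """Return a list of findings; an empty list means the config passes every check."""
    p = parse_properties(text)
    findings = []
    proto = p.get("security.protocol", "PLAINTEXT")  # Kafka client default is PLAINTEXT
    if proto not in ("SSL", "SASL_SSL"):
        findings.append(f"security.protocol={proto}: events would leave the data center unencrypted")
    servers = [s.strip() for s in p.get("bootstrap.servers", "").split(",") if s.strip()]
    if not servers:
        findings.append("bootstrap.servers missing")
    for server in servers:
        host, _, port = server.rpartition(":")
        if host != ALLOWED_BOOTSTRAP_HOST:
            findings.append(f"bootstrap host {host!r} is not the allowlisted ingestion endpoint")
        if port != str(TLS_PORT):
            findings.append(f"bootstrap port {port!r} is not the TLS ingestion listener {TLS_PORT}")
    # Kafka defaults this to "https"; setting it empty disables hostname verification
    if "ssl.endpoint.identification.algorithm" in p and p["ssl.endpoint.identification.algorithm"] != "https":
        findings.append("ssl.endpoint.identification.algorithm disabled: TLS without hostname verification")
    if proto in ("SSL", "SASL_SSL") and not p.get("ssl.truststore.location"):
        findings.append("no ssl.truststore.location: trust falls back to the JVM default store")
    # Assumed hardening: the node presents a client certificate so the broker can identify it
    if proto == "SSL" and not p.get("ssl.keystore.location"):
        findings.append("no ssl.keystore.location: node cannot authenticate to the broker with mutual TLS")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_producer_config(cfg) or "OK")
```

The hostname-verification check is the one most often missed: Kafka clients verify the broker certificate's hostname by default, but an operator who hits a certificate mismatch can silence it with an empty ssl.endpoint.identification.algorithm, which leaves the channel encrypted yet open to any server holding a certificate the trust store accepts. Pairing this validator with the single-IP egress restriction the page describes gives two independent controls on the path out of the data center.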

Figure 3: Logical Architecture of the SNYPR Cloud Platform Infrastructure. Components shown: Kafka messaging (ingestion on port 9093); compute; storage; a Redis instance per tenant; Hadoop cluster; search cells with shared indexers; user interface on port 443; infrastructure services (SnyprEye, VPN, LDAP).


A Multi-Tenant Deployment

A multi-tenant architecture is an architecture in which a single instance of a software application serves multiple customers. Each customer is called a tenant. In a multi-tenant deployment each tenant (customer) will receive a user interface (UI) specifically designed for them, whereas the backend components are shared across the entire customer base. This significantly reduces the cost per tenant, resulting in a quicker time to value for our customers.

The SNYPR Cloud Platform provides disaster recovery across geographic regions.

Figure 4: Event Collection and Ingestion. Remote ingestion connectors and syslog publishers in each customer data center publish to Kafka messaging in the Securonix Cloud (ingestion on port 9093); each tenant has its own Redis; users reach the interface on port 443.

Figure 5: Diagram of SNYPR Cloud Platform Deployment


Deploy & Configure: Cloudera Hadoop (Cloudera Manager, YARN/HDFS/ZooKeeper/NameNodes/HBase/Kafka); other packages (Solr 6.6, Redis); SNYPR tenant (console and Spark apps, Kafka topics, HBase namespace, Redis database).

Centralized Operations & Management: node monitoring (CPU, disk utilization, memory, disk IO, services); cluster monitoring (roles, YARN resources, configuration); SNYPR monitoring (data ingestion, analytics).

Monitor, Alert & Notify: node and service issues (CPU, disk utilization, memory, disk IO, services); deployment issues (roles, YARN resources); ingestion and analytics (setup, data ingestion, analytics).

SnyprEye: Simplify Your Operations

SnyprEye is a monitoring utility that ensures all system components, data ingestion, and analytical jobs in the SNYPR ecosystem are continuously running and meeting their desired SLAs. This lets the security team spend more time on security instead of maintenance.

The SnyprEye dashboard provides the security analyst with a user-friendly view of the alerts and notifications for node and service issues, deployment issues, data ingestion, and analytics. It also alleviates the burden on the security team by alerting the security operations center (SOC) team to any required platform changes in real time.

Why Use Securonix Cloud SIEM?

Alignment with Cloud-First Initiatives

As you migrate assets and services to the cloud, Securonix Cloud SIEM provides a fully managed and hosted solution that aligns with your cloud strategy.

Improved Resource Efficiency

Streamlined resource allocation, focused on using the tool rather than configuring and managing it, increases the value created per resource allocated.

Figure 6: SnyprEye Capabilities


Decreased Capital Expenditure

Eliminating the need to maintain large databases on premises lets you move away from large up-front capital expenditures in favor of flexible operational expenditures.

Enhanced Flexibility

Increased ease of adoption, deployment, and scalability, with minimal operational overhead.

Lower Time to Value

The ability to deploy rapidly, move directly from proof of concept to production, and receive the latest content to keep your solution up to date ensures an immediate return on your investment.

Instant Access to Latest Threat Content

Automated updates provided by Securonix keep your environment current with the latest content for combating advanced cyber threats.

Cloud-to-Cloud Monitoring

Monitor your cloud services through direct API integration and out-of-the-box content for all major cloud services and applications.

ABOUT SECURONIX

Securonix is redefining the next generation of security monitoring using machine learning and big data. Built on Hadoop, the Securonix solution provides unlimited scalability and log management, behavior analytics-based advanced threat detection, and intelligent incident response on a single platform. Globally, customers use Securonix to address their insider threat, cyber threat, cloud security, fraud, and application security monitoring requirements.

CONTACT [email protected] | (310) 641-1000

0219
