Improving the Effectiveness of Log Analysis with HP ArcSight Logger 6
|
|
- June Jones
- 5 years ago
- Views:
Transcription
1 Improving the Effectiveness of Log Analysis with HP ArcSight Logger 6 A SANS Product Review Written by Dave Shackleford April 2015 Sponsored by HP 2015 SANS Institute
2 Introduction Most organizations today collect logs and actively use them for monitoring, forensics, troubleshooting, and detecting and tracking suspicious behavior, according to the ninth SANS Log Management Survey, in which 97 percent of organizations reported they are currently collecting and leveraging logs for all of these reasons and more. 1 How well they use logs is another matter entirely. In the same survey, 50 percent of respondents for whom detection and tracking of suspicious behavior was a stated need confirmed that such detection and tracking is moderately difficult to accomplish, with another 30 percent stating that log collection and analysis is difficult for this purpose. Many organizations are also struggling with large amounts of log data from a vast variety of distributed sources and are spending significant amounts of time analyzing logs each week 22 percent of respondents spend more than one full day per week analyzing logs. It s clear that log collection and analysis is a critical aspect for most IT security teams. However, even with the advances in log management techniques seen in recent years, many teams are still struggling to get control of their logs and properly manage them, both effectively and efficiently. We recently reviewed HP ArcSight Logger 6, which includes significant updates over earlier releases. The new Logger s standout features include improved incident analysis and response flexibility, overhauled reporting and monitoring, and general enhancements for ease of use. Our evaluation focused on three areas that HP notably updated and enhanced in Logger 6: We can summarize our review process using this question: How can this tool help Logger 6 performed admirably for all the major use cases, and we found numerous capabilities that would help many organizations improve the effectiveness of their log management. 1 Ninth Log Management Survey Report, October 2014; 1
3 Ease of Use We reviewed ArcSight Logger 6 in a test environment that HP installed and configured, simulating many events across 20 logging devices to represent a typical enterprise. The first use case that we explored flexibility, customization and ease of use directly relates to the user friendliness of the dashboards and interfaces available to analysts. Our Figure 1. ArcSight Logger 6 Main Dashboard Although Logger 6 includes a number of stock dashboards (packaged for various roles and job functions), we used a dashboard prebuilt by the ArcSight team to demonstrate what current product users report to be the most popular graphs and charts. The Logger upper left to lower right: Contains the aggregate number of failed login events across all users and platforms. Displays administrative SSH sessions to UNIX platforms; this information can assist in monitoring privileged activities. This panel shows patterns of network traffic throughout the environment, emphasizing services in active use. within the environment. 2
4 Ease of Use (CONTINUED) Beyond these examples, we noted the flexibility to quickly change between saved dashboards in a variety of different categories. Custom dashboards are usually where security analysts spend their time, looking at aggregate events and trends that allow for available to rapidly switch between saved dashboard views, making it simpler than ever to navigate to the desired dashboards. We quickly switched from this original custom dashboard to another one, labeled Intrusion and Configuration Events, that was configured for us. Much like the main dashboard, the Intrusion and Configuration Events dashboard shows popular and useful Figure 2. Intrusion and Configuration Events Dashboard While reviewing the malicious code activity, we noticed a number of events labeled denial of service (DoS) attack or hostile network discovery activity. 3
5 Ease of Use (CONTINUED) To get a sense for how simple it is to drill down on events, we simply clicked into the HSBQI BSFB PO UIF FOUSZ GPS *$.1 1BDLFU 'MPPE %PJOH TP QSPWJEFE NPSF HSBOVMBS SFTVMUT BOE BVUPNBUJDBMMZ SFEJSFDUFE VT UP UIF "OBMZ[F DBUFHPSZ BT TIPXO JO 'JHVSF Figure 3. Drilldown Malicious Events for ICMP Packet Flood 5IF TDSFFO JO 'JHVSF QSPWJEFE B XFBMUI of data related to the captured events, including the time of the events, what devices observed the events and which logging engine captured and recorded the events for analysis. We could also easily use this data to build a custom dashboard on the fly, using the top malicious IP addresses or another data type from within the events. To create quick dashboard charts and graphs, all we had to do was click the save button (in the toolbar on the query response page) and choose to save to an existing dashboard or create a new one, as shown Figure 4. Creating a Custom Dashboard on the Fly JO 'JHVSF 4"/4 "/"-:45 130(3". 4
6 Ease of Use (CONTINUED) The Logger interface also allowed us to easily view the overall status of the monitored systems and events. By selecting the Summary menu item at the top of the dashboard window, we were able to quickly review the number of different event types across devices and endpoint agents that forward events to log collector servers in the test network. Clicking any of the various categories yielded more data, and simple metrics Figure 5. Global Summary of Events Having immediate access to a central view of event count, types, systems and logging platforms (known as receivers in Logger jargon) is invaluable to security operations immediately determine whether a particular system is seeing a higher count of events than normal, which receivers are getting the most logs and events sent to them, and what types and categories of events are being seen most frequently. This visibility allows large, distributed teams to focus on particular types of events or one or more receivers that are seeing higher event counts; teams can then scrutinize those platforms to see the cause of the changes. 5
7 Ease of Use (CONTINUED) emphasis and details on receivers, events, utilization and processing stats from the ArcSight host and, finally, storage. Figure 6. Logger Monitoring Summary of the Environment This view presents a wide range of data, including CPU usage for the Logger platform over specified time periods, total event flow, receiver status and a list of storage repositories defined for use within the event management infrastructure. This data is valuable for security professionals who need to keep up with changes in performance and events over time, as well as operations teams that need to track how much space is in use for event storage. the direct navigation query field (shown at the top of the screen throughout the UI). This intelligent search query box autopopulates suggestions based on keywords or even just letter combinations and strings that a user types, making it exceedingly simple to locate various dashboard pages, analysis pages, specific data types starts with the term Data and the suggested search options that Logger 6 automatically creates. Figure 7. Dynamic Search Query Field 6
8 Ease of Use (CONTINUED) The Logger interface was incredibly simple to use. Within seconds, enormous amounts of data were readily visible and available, and finding specific events, dashboards, metrics and other important elements of the monitoring environment was easy. on how Logger works, where to find data of interest, and how to create and monitor custom dashboards. This element is critically important for most enterprises that are struggling with the increasing volume of log data in their environments. The respondents to the latest SANS Log Management Survey were in many cases spending hours or even days each and every week simply analyzing logs and trying to bring log management under control. Security analysts will be as efficient and effective as their log management products are easy to learn and use. Logger 6 should enable any organization to cut the time needed to perform maintenance, keep the systems up and running properly, and track events for security monitoring and response. 7
9 product its usability and effectiveness for security operations team members who would need to: investigation security issues We began evaluating Logger s capabilities by reviewing some of its monitoring dashboards. The first dashboard we looked at was Login and Connection Activity, shown Figure 8. Login and Connection Activity Dashboard This dashboard displays the total failed logins, both by product (system type) and user name. In our test network, the majority of failed logins occurred within the UNIX environment, which would immediately cause an experienced analyst to wonder:
10 (CONTINUED) We can also pinpoint the user accounts experiencing the most login failures and determine whether these failures correlate with the failed logins for UNIX servers. Figure 9. Account Login Failure Detail We compared users and the failed logins to their accounts with ease. We then had the option to click on individual users to get more detail on when and where each failed login occurred, as well. Such details are useful for any security analyst who is investigating a potential breach or suspected account compromise, because correlation with specific times and dates of other activities will likely be useful. 9
11 (CONTINUED) One of the most practical and useful features that can aid in monitoring and investigation activities is the free text search function within the Analyze category. As we found, entering a keyword into the search field triggers Logger to provide options for filter and event selection, as well as a search history, examples and suggestions for additional search operators that fit with the entered keyword. An example of this feature, Figure 10. Free Text Search A more advanced and specific query for netflow and top destination ports was simple to create using Logger s flexible and reasonably intuitive syntax. (An analyst might use such a query when looking for network scanning in the environment or for actively seeking out top data flow destinations.) The syntax for this query was Figure 11. A More Targeted Logger Query 10
12 (CONTINUED) Although this query is a simple example, Logger has an enormous number of syntax options, so analysts will definitely need to take some time to get comfortable with many of them. destination port, which may indicate (in normal situations) traffic headed to the Network Time Protocol (NTP) service or, alternatively, a new channel for malware distribution or some other attack. (This column appears in light blue.) We easily expanded the query to determine what the top source addresses (senders) are for these data flows, using the syntax Figure 12. Filtering Netflow Source Addresses to Port 123 (Note that Logger retrieved our search operator history, based on the string we entered.) Another example we explored was searching for all information and events related to Logger returned a distillation of all events and IDS platforms producing log and alert Figure 13. Querying All IDS Events 11
13 (CONTINUED) The results showed us what the IDSes were reporting, which is usually a valuable start to network intrusion analysis. We could query with ease across all such devices by using advanced syntax ( ) to evaluate their responses against a list detected by the test environment s IDS platforms. Figure 14. Searching for Top IDS Attack Categories (This query took just over five seconds to process and report on more than 514,000 aggregate events, doing so in real time.) We kept exploring our use case, entering even more detailed queries and examining known exploits and vulnerabilities in the environment. In particular, we explored a common scenario in enterprise security monitoring environments. The premise in this case was based on a new attack profile identified either by a IDS update. After the IDS sensors were updated with the signatures for this attack, how would an analyst go about seeing whether the signature tripped all the sensors in the environment? 12
14 (CONTINUED) Enter ArcSight Logger. Because we were concerned with one event type only, we could easily build on the last IDS sensor query we created to find out whether any of our IDS Execute Command, we could add this event name to our existing query, to end up with the following: dynamically updated with the new query. Figure 15. A Targeted Query for a Specific Exploit The results provided us with useful tactical data on which to focus. We could see how many events came in and when those events took place. We could also see which sensors detected the events; such information can help analysts pinpoint what services are targeted and where the attacks are happening. We also noticed that Logger assists analysts in constructing queries by providing operator history). 13
15 (CONTINUED) We finished this example by finding the top sources of this attack which we could then use for firewall rules, IP blacklists or other monitoring efforts simply by adding the filter Figure 16. Top Malicious Source Addresses With a list in hand of IP addresses that were sending malicious exploits and attacks to systems in our environment, we could add these addresses to firewall filtering and block rules, watch lists for monitoring additional activity, or threat intelligence cases in case they represent part of a larger attack campaign. 14
16 (CONTINUED) We explored several additional scenarios where information security and IT operations teams may need to monitor user activity in the environment for troubleshooting corporate VPN services to determine who was connecting and how often, using a simple query of Figure 17. Top VPN Access by Source IP Address As before, we could drill down into any areas of the graph, providing further visibility into who was connecting and from where. (Incidentally, this data could also help us in areas such as license or network management.) IP address which took us to a detailed view of exactly when this address connected to the VPN. We also loaded the same query with a saved search that the labeled VPN Connections. 15
17 (CONTINUED) Figure 18. A Saved Search for VPN Connections collecting and aggregating data, Logger allows the receiver platforms to be peered together, facilitating searches across them all. In addition, analysts can search against the local log repository they re accessing or across them all very simply. features within the Dashboards and Analyze menus that analysts would find tactically useful in their jobs. To summarize our experiences: categories that can quickly get security teams up to speed, whether they are highly intuitive and rapid query creation that returned results in seconds. within multiple areas of the product that users can save for later use. Logger also remembers the most recent history of queries and filters. number of options is available, which may take time for analysts to learn and understand fully. The suggestions provided in the Logger UI go a long way to mitigate this wide span of options. 16
18 In our final area of review, we looked at the newly enhanced reporting facility in Logger 6. (The previous versions of Logger s reporting engine were highly capable but also complex and potentially challenging to use, by HP s own admission; the new version of graphs used; the reporting dashboard within our test environment included reports for bandwidth usage by source IP address, top IDS alerts and several others the ArcSight product team added to the testbed as examples. Our reporting dashboard appears in Figure 19. Reporting Dashboard 17
19 (CONTINUED) errors and warnings. Figure 20. Database Reports in Report Explorer
20 (CONTINUED) Customizing reports in case analysts need to modify parameters such as the period to examine, the device groups from which events should be selected or the storage database report to 30 days worth of events. Figure 21. Report Customization operations teams could easily use such a report to discover database issues. 19
21 (CONTINUED) canned report that HP includes with the product, based on a SANS reference document. 2 We ran the first log report listed, which showed attempts to gain access to the environment Figure 22. Running the SANS Top 5 Log Reports 2 Top 5 Essential Log Reports, Version 1.0; 20
22 (CONTINUED) Reporting is a critical part of security monitoring and event analysis, and the easier it is, the better. Figure 23. The Final SANS Top Failed Logins Report Customizing any report was easy. Selecting the Customize Report link when running a report enables analysts to add new graphs or data, include custom headers and graphics, or add or remove detail to tailor the report for different audiences. The reporting engine was so simple to use that we had a solid grasp on features and navigation within a brief time. Security teams will appreciate how easy it is to create new reports, customize existing reports, and schedule reports to run regularly and deliver security monitoring and event analysis, and the easier it is, the better. 21
23 Conclusion Security analysts who need to collect and monitor logs look for certain key features in a product: The ability to collect, analyze, and search across logs quickly is paramount. Customization in queries and dashboards will be essential to handle any number of unforeseen cases and scenarios that come up over time. Any log management product should come with a variety of prebuilt reports and offer analysts the ability to create new and customized reports easily. Security teams want the tools they use daily to have features that enable powerful searches across logs and provide the ability to drill down into data for granular viewing. A log management platform should be able to consume many different log data types and formats. HP ArcSight Logger 6 offers analysts all these capabilities and more. We found the product to be intuitive and easy to use, with powerful features that can save analysts time in analyzing and reporting on events within their environments. 22
24 About the Author is the founder and principal consultant with Voodoo Security, a SANS analyst, of organizations in the areas of security, regulatory compliance, and network architecture and engineering. He is a VMware vexpert and has extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as chief security officer for Configuresoft and CTO for the Center for Internet Security. Dave is the author of the book Virtualization Security (Sybex). Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance. Sponsor SANS would like to thank its sponsor: 23
Improving the Effectiveness of Log Analysis with HP ArcSight Logger 6
Improving the Effectiveness of Log Analysis with HP ArcSight Logger 6 A SANS Product Review Written by Dave Shackleford April 2015 Sponsored by Hewlett Packard Enterprise 2015 SANS Institute Introduction
More informationInsider-Focused Investigation Made Easier
A SANS Product Review Written by Dave Shackleford August 2015 Sponsored by Raytheon Websense 2015 SANS Institute Introduction For years, organizations have struggled with insider threats. Insider threats
More informationHow to Conquer Targeted Threats: SANS Review of Agari Enterprise Protect
How to Conquer Targeted Email Threats: SANS Review of Agari Enterprise Protect A SANS Product Review Written by Dave Shackleford May 2017 Sponsored by Agari 2017 SANS Institute Introduction: Email Is a
More informationRSA NetWitness Suite Respond in Minutes, Not Months
RSA NetWitness Suite Respond in Minutes, Not Months Overview One can hardly pick up a newspaper or turn on the news without hearing about the latest security breaches. The Verizon 2015 Data Breach Investigations
More informationNovetta Cyber Analytics
Know your network. Arm your analysts. Introduction Novetta Cyber Analytics is an advanced network traffic analytics solution that empowers analysts with comprehensive, near real time cyber security visibility
More informationRSA INCIDENT RESPONSE SERVICES
RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access
More informationACTIONABLE SECURITY INTELLIGENCE
ACTIONABLE SECURITY INTELLIGENCE Palo Alto Networks ACC, Logging and Reporting Data is widely available. What is scarce is the ability to extract actionable intelligence from it. Palo Alto Networks next-generation
More informationRSA INCIDENT RESPONSE SERVICES
RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access
More informationNational Cyber Security Operations Center (N-CSOC) Stakeholders' Conference
National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference Benefits to the Stakeholders A Collaborative and Win-Win Strategy Lal Dias Chief Executive Officer Sri Lanka CERT CC Cyber attacks
More informationSecurity Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:
Position: Reports to: Location: Security Monitoring Engineer / (NY or NC) Director, Information Security New York, NY or Winston-Salem, NC Position Summary: The Clearing House (TCH) Information Security
More informationSIEM: Five Requirements that Solve the Bigger Business Issues
SIEM: Five Requirements that Solve the Bigger Business Issues After more than a decade functioning in production environments, security information and event management (SIEM) solutions are now considered
More informationARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin
ARC VIEW FEBRUARY 1, 2018 Critical Industries Need Continuous ICS Security Monitoring By Sid Snitkin Keywords Anomaly and Breach Detection, Continuous ICS Security Monitoring, Nozomi Networks Summary Most
More informationForeScout Extended Module for Splunk
Enterprise Strategy Group Getting to the bigger truth. ESG Lab Review ForeScout Extended Module for Splunk Date: May 2017 Author: Tony Palmer, Senior Lab Analyst Abstract This report provides a first look
More informationGDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ
GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool Contact Ashley House, Ashley Road London N17 9LZ 0333 234 4288 info@networkiq.co.uk The General Data Privacy Regulation
More informationSIEM Solutions from McAfee
SIEM Solutions from McAfee Monitor. Prioritize. Investigate. Respond. Today s security information and event management (SIEM) solutions need to be able to identify and defend against attacks within an
More informationTHE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson
THE RSA NETWITNESS SUITE REINVENT YOUR SIEM Presented by: Walter Abeson 1 Reality Goals GOALS VERSUS REALITY OF SIEM 1.0 Single compliance & security interface Analyze & prioritize alerts across various
More informationTHE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM
THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM Modern threats demand analytics-driven security and continuous monitoring Legacy SIEMs are Stuck in the Past Finding a mechanism to collect, store
More informationSOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM
SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM OVERVIEW The Verizon 2016 Data Breach Investigations Report highlights that attackers are regularly outpacing the defenders.
More informationNEXT GENERATION SECURITY OPERATIONS CENTER
DTS SOLUTION NEXT GENERATION SECURITY OPERATIONS CENTER SOC 2.0 - ENHANCED SECURITY O&M SOC 2.0 - SUCCESS FACTORS SOC 2.0 - FUNCTIONAL COMPONENTS DTS SOLUTION SOC 2.0 - ENHANCED SECURITY O&M SOC 2.0 Protecting
More informationEliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat
WHITE PAPER Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat Executive Summary Unfortunately, it s a foregone conclusion that no organisation is 100 percent safe
More informationCisco Security Manager 4.1: Integrated Security Management for Cisco Firewalls, IPS, and VPN Solutions
Data Sheet Cisco Security Manager 4.1: Integrated Security Management for Cisco Firewalls, IPS, and VPN Solutions Security Operations Challenges Businesses are facing daunting new challenges in security
More informationCyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS
Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Continual disclosed and reported
More informationEnhancing the Cybersecurity of Federal Information and Assets through CSIP
TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3
More informationTargeted Attack Protection: A Review of Endgame s Endpoint Security Platform
Targeted Attack Protection: A Review of Endgame s Endpoint Security Platform A SANS Product Review Written by Dave Shackleford October 2017 Sponsored by Endgame 2017 SANS Institute Introduction Signature-based
More informationTotal Security Management PCI DSS Compliance Guide
Total Security Management PCI DSS Guide The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations to help protect the security of credit card holders. These regulations apply to
More informationSOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT
RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion
More informationsecuring your network perimeter with SIEM
The basics of auditing and securing your network perimeter with SIEM Introduction To thwart network attacks, you first need to be on top of critical security events occurring in your network. While monitoring
More informationSOLUTION BRIEF RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE
RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE KEY CUSTOMER BENEFITS: Gain complete visibility across enterprise networks Continuously monitor all traffic Faster analysis reduces risk exposure
More informationTechnical Review Managing Risk, Complexity, and Cost with SanerNow Endpoint Security and Management Platform
Technical Review Managing Risk, Complexity, and Cost with SanerNow Endpoint Security and Management Platform Date: October, 2018 Author: Jack Poller, Sr. Analyst The Challenges Enterprise Strategy Group
More informationAutomating the Top 20 CIS Critical Security Controls
20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises
More informationSOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM
RSA NETWITNESS EVOLVED SIEM OVERVIEW A SIEM is technology originally intended for compliance and log management. Later, as SIEMs became the aggregation points for security alerts, they began to be more
More informationSecuring Your Microsoft Azure Virtual Networks
Securing Your Microsoft Azure Virtual Networks IPS security for public cloud deployments It s no surprise that public cloud infrastructure has experienced fast adoption. It is quick and easy to spin up
More informationProtecting Against Modern Attacks. Protection Against Modern Attack Vectors
Protecting Against Modern Attacks Protection Against Modern Attack Vectors CYBER SECURITY IS A CEO ISSUE. - M C K I N S E Y $4.0M 81% >300K 87% is the average cost of a data breach per incident. of breaches
More informationTrisul Network Analytics - Traffic Analyzer
Trisul Network Analytics - Traffic Analyzer Using this information the Trisul Network Analytics Netfllow for ISP solution provides information to assist the following operation groups: Network Operations
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationCYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta
CYBER ANALYTICS Architecture Overview Technical Brief May 2016 novetta.com 2016, Novetta Novetta Cyber Analytics: Technical Architecture Overview 1 INTRODUCTION 2 CAPTURE AND PROCESS ALL NETWORK TRAFFIC
More informationNot your Father s SIEM
Not your Father s SIEM Getting Better Insights & Results Bill Thorn Director, Security Operations Apollo Education Group Agenda Why use a SIEM? What is a SIEM? Benefits of Using a SIEM Considerations Before
More informationSecuring Your Amazon Web Services Virtual Networks
Securing Your Amazon Web Services s IPS security for public cloud deployments It s no surprise that public cloud infrastructure has experienced fast adoption. It is quick and easy to spin up a workload,
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationRSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1
RSA Advanced Security Operations Richard Nichols, Director EMEA 1 What is the problem we need to solve? 2 Attackers Are Outpacing Defenders..and the Gap is Widening Attacker Capabilities The defender-detection
More informationImperva Incapsula Website Security
Imperva Incapsula Website Security DA T A SH E E T Application Security from the Cloud Imperva Incapsula cloud-based website security solution features the industry s leading WAF technology, as well as
More informationTHE ACCENTURE CYBER DEFENSE SOLUTION
THE ACCENTURE CYBER DEFENSE SOLUTION A MANAGED SERVICE FOR CYBER DEFENSE FROM ACCENTURE AND SPLUNK. YOUR CURRENT APPROACHES TO CYBER DEFENSE COULD BE PUTTING YOU AT RISK Cyber-attacks are increasingly
More informationUEBA User Entity Behavior Analytics Aristotle Insight Sergeant Laboratories
UEBA User Entity Behavior Analytics Aristotle Insight Sergeant Laboratories 20+ Year Old organically grown company from the Silicon Technology Belt right here in the Midwest Lacrosse Wisconsin. Presented
More informationEvolving Micro-Segmentation for Preventive Security: Adaptive Protection in a DevOps World
A SANS Whitepaper Evolving Micro-Segmentation for Preventive Security: Adaptive Protection in a DevOps World Written by Dave Shackleford January 2019 Sponsored by: VMware Intro to Micro-Segmentation Network
More informationShavlik Protect: Simplifying Patch, Threat, and Power Management Date: October 2013 Author: Mike Leone, ESG Lab Analyst
ESG Lab Review Shavlik Protect: Simplifying Patch, Threat, and Power Management Date: October 2013 Author: Mike Leone, ESG Lab Analyst Abstract: This ESG Lab Review documents hands-on testing of Shavlik
More informationTRIPWIRE VIA PLATFORM PROTECTING YOUR DATA WITH INTEGRATED SECURITY CONTROLS
SOLUTION BRIEF TRIPWIRE VIA PLATFORM PROTECTING YOUR DATA WITH INTEGRATED CONTROLS..: Tripwire security controls capture activity data from monitored assets no matter if you rely on physical, virtual,
More informationEnhanced Threat Detection, Investigation, and Response
Enhanced Threat Detection, Investigation, and Response What s new in Cisco Stealthwatch Enterprise Release 6.10.2 Cisco Stealthwatch Enterprise is a comprehensive visibility and security analytics solution
More informationBehavioral Analytics A Closer Look
SESSION ID: GPS2-F03 Behavioral Analytics A Closer Look Mike Huckaby VP, Global Systems Engineering RSA The world is full of obvious things which nobody by any chance ever observes. Sherlock Holmes 2 Patterns
More informationStandard Content Guide
Standard Content Guide Express Express 4.0 with CORR-Engine March 12, 2013 Copyright 2013 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession,
More informationAbstract. The Challenges. ESG Lab Review Lumeta Spectre: Cyber Situational Awareness
ESG Lab Review Lumeta Spectre: Cyber Situational Awareness Date: September 2017 Author: Tony Palmer, Senior IT Validation Analyst Enterprise Strategy Group Getting to the bigger truth. Abstract ESG Lab
More informationNIST Framework for Improving Critical Infrastructure Cybersecurity Technical Control Automation
NIST Framework for Improving Critical Infrastructure Cybersecurity Technical Control Automation Automating Cybersecurity Framework Technical Controls with Tenable SecurityCenter Continuous View February
More informationCTI in Security Operations:
A SANS Survey CTI in Security Operations: SANS 2018 Cyber Threat Intelligence Survey Written by Dave Shackleford February 2018 Sponsored by: DomainTools SANS Analyst Program 2018 SANS Institute Executive
More informationPackets Don t Lie: What s Really Happening on Your Network?
Packets Don t Lie: What s Really Happening on Your Network? Sponsored by LogRhythm Today s Speakers Dave Shackleford SANS Analyst and Instructor Rob McGovern LogRhythm Senior Technical Product Manager
More informationHOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL
HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL CONTENTS EXECUTIVE SUMMARY 1 WEB APPLICATION SECURITY CHALLENGES 2 INSIST ON BEST-IN-CLASS CORE CAPABILITIES 3 HARNESSING ARTIFICIAL INTELLIGENCE
More informationTHE RISE OF GLOBAL THREAT INTELLIGENCE
THE RISE OF GLOBAL THREAT INTELLIGENCE 1 THE RISE OF GLOBAL THREAT INTELLIGENCE IN THE DIGITAL BUSINESS WORLD In developing the Global Threat Intelligence Report (GTIR), the NTT Group security team used
More informationRSA IT Security Risk Management
RSA IT Security Risk Adding Insight to Security March 18, 2014 Wael Jaroudi GRC Sales Specialist 1 Where is Security Today? Companies have built layer upon layer of security, but is it helping? Complexity
More informationWHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter
WHITEPAPER Enterprise Cyber Risk Management Protecting IT Assets that Matter Contents Protecting IT Assets That Matter... 3 Today s Cyber Security and Risk Management: Isolated, Fragmented and Broken...4
More informationesendpoint Next-gen endpoint threat detection and response
DATA SHEET esendpoint Next-gen endpoint threat detection and response esendpoint powered by Carbon Black eliminates endpoint blind-spots that traditional technologies miss. Operating on a philosophy that
More informationRSA Security Analytics
RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Analyze & prioritize alerts across various sources The cornerstone of security
More informationA BETTER PATH: Security Enlightened. Security s Shift to the Cloud
A BETTER PATH: Security Enlightened Security s Shift to the Cloud Defense in Doubt Enterprises may be growing increasingly conscious of cybersecurity risks and investing millions of dollars in IT security,
More informationThe Future of Threat Prevention
The Future of Threat Prevention Bricata is the leading developer of Next Generation Intrusion Prevention Systems (NGIPS) technology, providing innovative, disruptive, high-speed, high-performance network
More informationINTRODUCTION: DDOS ATTACKS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC
INTRODUCTION: DDOS ATTACKS 1 DDOS ATTACKS Though Denial of Service (DoS) and Distributed Denial of Service (DDoS) have been common attack techniques used by malicious actors for some time now, organizations
More informationCisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics
Solution Overview Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics BENEFITS Gain visibility across all network conversations, including east-west and north-south
More informationAutomated Context and Incident Response
Technical Brief Automated Context and Incident Response www.proofpoint.com Incident response requires situational awareness of the target, his or her environment, and the attacker. However, security alerts
More informationReducing the Cost of Incident Response
Reducing the Cost of Incident Response Introduction Cb Response is the most complete endpoint detection and response solution available to security teams who want a single platform for hunting threats,
More informationTop 10 use cases of HP ArcSight Logger
Top 10 use cases of HP ArcSight Logger Sridhar Karnam @Sri747 Karnam@hp.com #HPSecure Big data is driving innovation The Big Data will continue to expand Collect Big Data for analytics Store Big Data for
More informationWHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief
WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION A Novetta Cyber Analytics Brief Why SIEMs with advanced network-traffic analytics is a powerful combination. INTRODUCTION Novetta
More informationISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002
ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION
More informationTransforming Security from Defense in Depth to Comprehensive Security Assurance
Transforming Security from Defense in Depth to Comprehensive Security Assurance February 28, 2016 Revision #3 Table of Contents Introduction... 3 The problem: defense in depth is not working... 3 The new
More informationSecurity Operations & Analytics Services
Security Operations & Analytics Services www.ecominfotech.biz info@ecominfotech.biz Page 1 Key Challenges Average time to detect an attack (Dwell time) hovers around 175 to 210 days as reported by some
More informationSecurity
Security +617 3222 2555 info@citec.com.au Security With enhanced intruder technologies, increasingly sophisticated attacks and advancing threats, your data has never been more susceptible to breaches from
More informationATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS
PARTNER BRIEF ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS INTRODUCTION Attivo Networks has partnered with McAfee to detect real-time in-network threats and to automate incident response
More informationNetWitness Overview. Copyright 2011 EMC Corporation. All rights reserved.
NetWitness Overview 1 The Current Scenario APT Network Security Today Network-layer / perimeter-based Dependent on signatures, statistical methods, foreknowledge of adversary attacks High failure rate
More informationSymantec Security Monitoring Services
24x7 real-time security monitoring and protection Protect corporate assets from malicious global threat activity before it impacts your network. Partnering with Symantec skilled and experienced analysts
More informationArcSight Activate Framework
ArcSight Activate Framework Petropoulos #HPProtect 44% Have trouble managing their SIEM eiqnetworks 2013 SIEM Survey #1 challenge Identification of key events SANS 2012 Log Management and Event Management
More informationSnort: The World s Most Widely Deployed IPS Technology
Technology Brief Snort: The World s Most Widely Deployed IPS Technology Overview Martin Roesch, the founder of Sourcefire and chief security architect at Cisco, created Snort in 1998. Snort is an open-source,
More informationCyberArk Privileged Threat Analytics
CyberArk Privileged Threat Analytics Table of Contents The New Security Battleground: Inside Your Network 3 Privileged account security 3 Collect the right data 4 Detect critical threats 5 Alert on critical
More informationEXABEAM HELPS PROTECT INFORMATION SYSTEMS
WHITE PAPER EXABEAM HELPS PROTECT INFORMATION SYSTEMS Meeting the Latest NIST SP 800-53 Revision 4 Guidelines SECURITY GUIDELINE COMPLIANCE There has been a rapid increase in malicious insider threats,
More informationSECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation
SECURITY AUTOMATION BEST PRACTICES A Guide to Making Your Security Team Successful with Automation TABLE OF CONTENTS Introduction 3 What Is Security Automation? 3 Security Automation: A Tough Nut to Crack
More informationOUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER
OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER HOW TO ADDRESS GARTNER S FIVE CHARACTERISTICS OF AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER 1 POWERING ACTIONABLE
More informationEmpower stakeholders with single-pane visibility and insights Enrich firewall security data
SonicWall Analytics Transforming data into information, information into knowledge, knowledge into decisions and decisions into actions SonicWall Analytics provides an eagle-eye view into everything that
More informationKen Hines, Ph.D GraniteEdge Networks
Ken Hines earned his Ph.D. in computer science at the University of Washington in 2000, by successfully defending his dissertation, which applied causal analysis to debugging heterogeneous distributed
More informationHelp Your Security Team Sleep at Night
White Paper Help Your Security Team Sleep at Night Chief Information Security Officers (CSOs) and their information security teams are paid to be suspicious of everything and everyone who might just might
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationProCurve Network Immunity
ProCurve Network Immunity Hans-Jörg Elias Key Account Manager hans-joerg.elias@hp.com 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
More informationQuestion No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:
Volume: 75 Questions Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output: Which of the following is occurring? A. A ping sweep B. A port scan
More informationCYBERBIT P r o t e c t i n g a n e w D i m e n s i o n
CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n CYBETBIT in a Nutshell A leader in the development and integration of Cyber Security Solutions A main provider of Cyber Security solutions for the
More informationISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045
Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that
More informationForeScout App for Splunk
How-to Guide Version 2.0.0 Table of Contents About Splunk Integration... 3 Use Cases... 3 Data Mining and Trend Analysis of CounterACT Data... 4 Continuous Posture Tracking Based on a Broad Range of CounterACT
More informationCompare Security Analytics Solutions
Compare Security Analytics Solutions Learn how Cisco Stealthwatch compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch
More informationDetecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0
Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0 April 9, 2012 Introduction One of the earliest indicators of an impending network attack is the presence of network reconnaissance.
More informationSIEM (Security Information Event Management)
SIEM (Security Information Event Management) Topic: SECURITY and RISK Presenter: Ron Hruby Topics Threat landscape Breaches and hacks Leadership and accountability Evolution of security technology What
More informationSecurity. Made Smarter.
Security. Made Smarter. Your job is to keep your organization safe from cyberattacks. To do so, your team has to review a monumental amount of data that is growing exponentially by the minute. Your team
More informationSTATE OF THE NETWORK STUDY
10TH ANNUAL STUDY 2017 1 EXECUTIVE SUMMARY The Tenth Annual State of the Network Global Study focuses a lens on the network team s role in security investigations. Results indicate that 88 percent of network
More informationWITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:
SOLUTION OVERVIEW: ALERT LOGIC THREAT MANAGER WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE Protecting your business assets and sensitive data requires regular vulnerability assessment,
More informationPrivileged Account Security: A Balanced Approach to Securing Unix Environments
Privileged Account Security: A Balanced Approach to Securing Unix Environments Table of Contents Introduction 3 Every User is a Privileged User 3 Privileged Account Security: A Balanced Approach 3 Privileged
More informationProactive Approach to Cyber Security
Proactive roach to Cyber Security Jeffrey Neo Sales Director HP Enterprise Security Products Customers struggle to manage the security challenge Today, security is a board-level agenda item 2 Trends driving
More informationReinvent Your 2013 Security Management Strategy
Reinvent Your 2013 Security Management Strategy Laurent Boutet 18 septembre 2013 Phone:+33 6 25 34 12 01 Email:laurent.boutet@skyboxsecurity.com www.skyboxsecurity.com What are Your Key Objectives for
More informationDesigning an Adaptive Defense Security Architecture. George Chiorescu FireEye
Designing an Adaptive Defense Security Architecture George Chiorescu FireEye Designing an Adaptive Security Architecture Key Challanges Existing blocking and prevention capabilities are insufficient to
More informationMastering The Endpoint
Organizations Find Value In Integrated Suites GET STARTED Overview In the face of constantly evolving threat vectors, IT security decision makers struggle to manage endpoint security effectively. More
More information