The Gartner Security Information and Event Management Magic Quadrant 2010: Dealing with Targeted Attacks
Mark Nicolett

Notes accompany this presentation. Please select Notes Page view. These materials can be reproduced only with written approval from Gartner. Such approvals must be requested via e-mail: vendor.relations@gartner.com. Gartner is a registered trademark of Gartner, Inc. or its affiliates.
Welcome! Thank you for joining this Gartner webinar. Today's topic is "The Gartner Security Information and Event Management Magic Quadrant 2010: Dealing with Targeted Attacks."

About Gartner: 60,000 clients; 10,800 client enterprises; 5,500 benchmarks; 100,000 IT end-user inquiries; 65% of the Fortune 1000; 80% of the Global 500; 2.7 million IT end-user searches; 55 conferences; 730 analysts serving clients in 80 countries; 3,800 CIOs; 10,000 media inquiries.
Here's how to participate in today's webinar
You can listen to the presentation using your computer's speaker system as the default (VoIP), or dial the conference line by selecting Use Telephone in the webinar audio pane.
Have a question for the presenter(s)? Type it into the Questions pane; we will answer as many as time permits.
A recording of this presentation will be sent to you within 48 hours.
If you would like a copy of today's presentation, contact your Gartner Account Executive or visit gartner.com/webinars.
Please note you may be polled during the webinar; only aggregate answers will appear.
Drivers for SIEM and Emerging Use Cases
Security drivers: security event management, incident response. Emerging security use cases: targeted attacks, emerging threats, fraud, outsourcing, application monitoring, user activity monitoring, data access monitoring.
Compliance drivers: log management, monitoring and reporting. Emerging compliance use cases: breach disclosure laws, privacy regulations, critical infrastructure, outsourcing.
Defending Against Targeted Attacks
Diagram of the attack chain set against the corresponding defenses.
Attack steps: target user; install malware; steal user's credentials; surveillance; compromise accounts; compromise servers; compromise applications; steal data.
Defenses: network defenses; shield vulnerable systems; find and fix system vulnerabilities; shield vulnerable applications; find and fix application vulnerabilities.
Better Monitoring and Detection Is Essential
Attack source: external or internal. After a breach, an external attack may look like internal activity.
Monitor: user activity, application activity, data access.
Early detection is essential. Signatures are less effective; pattern recognition is more important.
Security Information and Event Management: Broad-Scope Security Event and User Access Monitoring
Business capability: broad-scope user activity and resource access monitoring for compliance reporting and security management.
How it works: collects, normalizes, aggregates, correlates and analyzes the event data that is produced by devices, systems and applications.
Event sources feeding SIM/SEM: firewalls, IDS/IPS, network devices, security devices, applications, databases, servers, directories, IAM.
SIEM functions: log management, reporting and historical analysis; real-time monitoring, correlation and alerts; incident management.
Emerging Monitoring Capabilities for SIEM
Requirement: user activity monitoring. Capability: IAM integration, user context. Sources: IAM.
Requirement: application monitoring. Capability: packaged applications, unsupported sources. Sources: logs.
Requirement: network data monitoring. Capability: DLP integration, data context.
Requirement: early attack detection. Capability: pattern recognition, anomaly detection. Sources: internal and external intelligence.
Requirement: cloud-sourced application monitoring. Capability: event stream integration. Sources: internal and cloud.
SIEM and IAM: Access Management Policies and Consolidated Monitoring
Diagram stages: acquire; monitor identity; monitor access model; mitigate.
Acquire: import from IAM the user definitions, access policies and role definitions held in enterprise directories and user provisioning/role management tools.
Monitor identity and access model across database management systems and applications (in-house, packaged, cloud).
Mitigate: workflow for identity, policy, access model and mitigation.
Using SIEM to Monitor Privileged User Activity
Privileged users and the logs that record their activity: network engineer, network infrastructure (device log); system administrator, server (operating system or security log); database administrator, database instance (database audit log).
SIEM change detection: correlate observed activity with defined restrictions and change management records; report exceptions.
Using SIEM for Application Monitoring: Monitoring Application User Activity
Application user activity flows through the web server (web server activity log), the applications (application activity or transaction logs) and the database server(s) (database transaction-level audit data), all feeding the SIEM.
Collect user activity from all application tiers and across applications. Correlate observed activity with role restrictions and known patterns of fraud. Report exceptions.
Consolidated Monitoring: Tracking User Activity Across the Infrastructure and Applications
Activity tracked: network login, domain login, application login, file data access, database access.
Primary use case: breach or fraud detection, investigation and forensics.
SIEM steps:
- Collect RADIUS server log data.
- Collect directory server log data.
- Collect application login data.
- Collect activity logs from file, application and database servers.
- Correlate network, domain and application identities.
- Alert or report on cross-platform user activity.
- Alert or report on resource access policy violations.
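An added example (not from the presentation) of the consolidated monitoring steps: constructed log lines from RADIUS, directory, application and database sources are normalized, identities are mapped to one person using an assumed IAM-style map, and a cross-platform policy check reports application or database activity with no preceding network or domain login. All hostnames, usernames and log fields are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the presentation), one source per list.
# jdoe appears under a different identity on every platform; msmith only in the app tier.
LOGS = {
    "radius":      ["2010-05-13T08:02:11 vpn1 Access-Accept user=jdoe src=203.0.113.7"],
    "directory":   ["2010-05-13T08:03:40 dc01 logon 4624 account=CORP\\jdoe ws=WS-117"],
    "application": ["2010-05-13T08:10:05 payroll login ok user=john.doe@example.com",
                    "2010-05-13T08:12:30 payroll view emp=4412 user=john.doe@example.com",
                    "2010-05-13T21:45:02 payroll export all user=m.smith@example.com"],
    "database":    ["2010-05-13T21:46:10 oradb SELECT payroll.salaries by=APP_MSMITH rows=18000"],
}

# Identity map, in practice imported from IAM: every platform identity -> one person.
IDENTITY_MAP = {"jdoe": "jdoe", "CORP\\jdoe": "jdoe", "john.doe@example.com": "jdoe",
                "m.smith@example.com": "msmith", "APP_MSMITH": "msmith"}

def parse(source, line):
    """Normalize one raw line into an event keyed by the canonical (IAM) identity."""
    ts, rest = line.split(" ", 1)
    ident = re.search(r"(?:user|account|by)=(\S+)", rest).group(1)
    return {"ts": ts, "source": source, "user": IDENTITY_MAP.get(ident, ident), "detail": rest}

def build_timeline(logs):
    """Correlate network, domain and application identities into one per-person timeline."""
    timeline = defaultdict(list)
    for source, lines in logs.items():
        for line in lines:
            ev = parse(source, line)
            timeline[ev["user"]].append(ev)
    for events in timeline.values():
        events.sort(key=lambda e: e["ts"])
    return timeline

def find_unauthenticated_access(timeline):
    """Policy check: application or database activity must be preceded by a network (RADIUS)
    or domain login by the same person. Activity without one can indicate a stolen or shared
    account, the case where an external attack looks like internal activity."""
    flagged = []
    for user, events in sorted(timeline.items()):
        logged_in = False
        for ev in events:
            if ev["source"] in ("radius", "directory"):
                logged_in = True
            elif not logged_in:
                flagged.append(user)
                break
    return flagged

if __name__ == "__main__":
    tl = build_timeline(LOGS)
    for user, events in tl.items():
        print(user, [(e["ts"], e["source"]) for e in events])
    print("policy violations:", find_unauthenticated_access(tl))  # ['msmith']
```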
Targeted Attacks: Collective Intelligence
External threat intelligence feeding SIEM, IPS, endpoint protection and fraud management:
- Security research and intelligence services (intrusion detection sensors, malware detection, vulnerability disclosures, security research) supply attack signatures, threatening IP addresses, and malicious code and network patterns.
- Cyber-intelligence services supply "bad actor" IP addresses and identities, industry-specific fraud patterns, phishing attacks and IP blacklists.
Enterprise context (user, application, data): user and resource access patterns; content and data access patterns; account, user, group, device and transaction activity patterns; fraud transaction patterns; compromised account lists.
Rule-Based Correlation Versus Anomaly Detection
Rule-based correlation:
- Good to identify known attack methods and known bad conditions.
- Can be used to implement specific monitoring methods and policies.
- Customization is typically needed to orient predefined rules to a specific environment.
- Not as useful for "bad" conditions that have not been seen before.
Anomaly detection:
- Good to identify new deviations from normal.
- Can be used to discover new attack methods.
- Extensive tuning is typically needed to "turn down" false positives.
- May not be useful in "unstructured" environments.
Organizations will need to employ both methods.
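The two methods side by side, as an added example (not from the presentation) that serves both the privileged user monitoring slide above and this one: the rule encodes a known bad condition, a privileged configuration change with no matching change management record, while the anomaly score flags a deviation from a user's own baseline that no rule described in advance. Users, devices, timestamps and counts are constructed.

```python
import statistics

# Constructed events (not from the presentation): privileged configuration changes on
# network devices, as a SIEM would see them after collecting device logs.
CHANGES = [
    {"ts": "2010-05-13T10:15", "user": "netadmin1", "device": "core-sw1", "action": "config write"},
    {"ts": "2010-05-13T23:40", "user": "netadmin2", "device": "edge-fw1", "action": "config write"},
]
# Constructed change management records: (user, device, window start, window end).
CHANGE_RECORDS = [("netadmin1", "core-sw1", "2010-05-13T10:00", "2010-05-13T11:00")]

def rule_unapproved_changes(changes, records):
    """Rule-based correlation: a known bad condition, defined up front. A privileged change
    is an exception unless a change record covers the same user, device and time window."""
    exceptions = []
    for c in changes:
        approved = any(u == c["user"] and d == c["device"] and start <= c["ts"] <= end
                       for u, d, start, end in records)
        if not approved:
            exceptions.append((c["user"], c["device"], c["ts"]))
    return exceptions

# Constructed baseline: distinct servers one administrator touched on each of 14 prior days.
HISTORY = [3, 4, 3, 5, 4, 3, 4, 4, 5, 3, 4, 3, 4, 5]

def anomaly_score(history, today, k=3.0):
    """Anomaly detection: no rule says what 'too many servers' is; instead compare today's
    count with the user's own baseline and flag deviations beyond k standard deviations.
    k is the tuning knob the slide refers to for turning down false positives."""
    mean = statistics.mean(history)
    sd = statistics.pstdev(history) or 1.0   # guard against a perfectly flat baseline
    z = (today - mean) / sd
    return round(z, 2), z > k

if __name__ == "__main__":
    print("rule exceptions:", rule_unapproved_changes(CHANGES, CHANGE_RECORDS))
    print("normal day:", anomaly_score(HISTORY, 4))
    print("unusual day:", anomaly_score(HISTORY, 27))
```

The rule misses netadmin2's change only if a record is missing from the feed, which is why the slide pairs rules with a baseline-driven method that needs no prior definition of the bad condition.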
Repairing User Monitoring Blind Spots Caused by Cloud Computing
Diagram: user activity event streams from cloud applications and cloud infrastructure are combined with those from data center applications and infrastructure into a unified view.
Consider monitoring requirements when evaluating workloads for cloud-based services, and provide requirements to cloud providers.
When evaluating enterprise monitoring technologies, pay attention to external data integration capabilities.
SIEM Magic Quadrant (From "Magic Quadrant for Security Information and Event Management," 13 May 2010)
Examples of SIEM Vendors That Are Working on Emerging Capabilities
Capabilities shown: integrated with their IAM products; application integration (SAP); historical pattern detection; threat intelligence; anomaly detection from network flow data; application and data context off the network. Vendors shown include Q1 Labs.
Your Action Plan
CISOs and security managers should:
Monday morning
- Evaluate opportunities to integrate your SIEM with Active Directory and other IAM sources to gain user context.
The next 90 days
- Engage the fraud management, internal audit, and application support areas for opportunities to leverage your SIEM technology for application layer monitoring.
- Use SIEM as a compensating control to address IAM-related audit issues.
The next 12 months
- Consider monitoring requirements when evaluating workloads for cloud-based services, and provide requirements to cloud providers.
- Track developments from SIEM vendors in the areas of anomaly detection, threat intelligence, and monitoring "off the wire."
Related Gartner Research
- Magic Quadrant for Security Information and Event Management, Mark Nicolett, Kelly M. Kavanagh (G00176034)
- Critical Capabilities for Security Information and Event Management Technology, Mark Nicolett (G00175976)
- Implement Pattern-Based Strategies With Security and Fraud Detection Technologies, Mark Nicolett (G00173238)
- SIEM and IAM Technology Integration, Mark Nicolett, Earl Perkins (G00161012)
For more information, stop by Gartner Solution Central or e-mail us at solutioncentral@gartner.com.
Gartner Events
Experience live analyst expertise plus much more at a Gartner event. Events for security professionals:
- Security & Risk Management Summit, June 21-23, National Harbor, MD (Washington DC area)
- Information Security Summit, September 22-23, London, UK
- Identity & Access Management Summit, November 15-16, San Diego, CA
Visit gartner.com/us/events
Gartner Symposium/ITxpo: The world's most important gathering of CIOs and senior IT executives
- Hundreds of analyst-led sessions, workshops, how-to clinics and more
- Role-based tracks designed to address your key priorities and challenges
- Immediately actionable take-aways: a clear action plan for the next 3, 6 and 12 months
- Mastermind Interview Keynotes with industry leaders
- The ITxpo show floor with hundreds of top solution providers and exciting startups
Celebrating 20 years of Symposium/ITxpo: September 14-16, São Paulo, Brazil; October 17-21, Orlando, FL; October 25-27, Tokyo, Japan; November 8-11, Cannes, France; November 16-18, Sydney, Australia.
Visit gartner.com/symposium to learn more
Thank you for participating. Do you have any questions? Have a question for the presenter(s)? Type it into the Questions pane; we will answer as many as time permits.
Two simple steps for increasing the value of today's webinar experience
- Contact your Gartner account executive (or e-mail GartnerWebinars@gartner.com) with any additional questions, comments or requests, or to order a complimentary copy of today's presentation.
- Visit gartner.com/webinars for a schedule of upcoming Gartner webinars (plus replays of previous webinars) and share these resources with your colleagues.