The Gartner Security Information and Event Management Magic Quadrant 2010: Dealing with Targeted Attacks


The Gartner Security Information and Event Management Magic Quadrant 2010: Dealing with Targeted Attacks
Mark Nicolett

Notes accompany this presentation; please select Notes Page view. These materials can be reproduced only with written approval from Gartner. Such approvals must be requested via e-mail: vendor.relations@gartner.com. Gartner is a registered trademark of Gartner, Inc. or its affiliates.

Welcome! Thank you for joining this Gartner webinar. Today's topic is "The Gartner Security Information and Event Management Magic Quadrant 2010: Dealing with Targeted Attacks".

Gartner at a glance: 60,000 clients; 10,800 client enterprises; 5,500 benchmarks; 100,000 IT end-user inquiries; 10,000 media inquiries; 65% of the Fortune 1000; 80% of the Global 500; 2.7 million IT end-user searches; 55 conferences; 730 analysts serving clients in 80 countries; 3,800 CIOs.

Here's how to participate in today's webinar. You can listen to the presentation using your computer's speaker system as the default (VoIP), or dial the conference line by selecting Use Telephone in the webinar audio pane. Have a question for the presenter(s)? Type it into the Questions pane; we will answer as many as time permits. A recording of this presentation will be sent to you within 48 hours. If you would like a copy of today's presentation, contact your Gartner Account Executive or visit gartner.com/webinars. Please note that you may be polled during the webinar; only aggregate answers will appear.

Drivers for SIEM and Emerging Use Cases
- Security drivers: security event management and incident response. Emerging security use cases: targeted attacks, emerging threats, fraud, outsourcing.
- Use cases that cut across security and compliance: application monitoring, user activity monitoring, data access monitoring.
- Compliance drivers: log management, monitoring and reporting. Emerging compliance use cases: breach disclosure laws, privacy regulations, critical infrastructure, outsourcing.

Defending Against Targeted Attacks
- Attack progression: surveillance; target the user; install malware; steal the user's credentials; compromise accounts; compromise servers; compromise applications; steal data.
- Defenses along that chain: network defenses; shield vulnerable systems; find and fix system vulnerabilities; shield vulnerable applications; find and fix application vulnerabilities.

Better Monitoring and Detection Is Essential
- Attack source: external or internal. After a breach, an external attack may look like internal activity.
- Monitor user activity, application activity and data access.
- Early detection is essential. Signatures are less effective; pattern recognition is more important.

Security Information and Event Management: Broad-Scope Security Event and User Access Monitoring
- Business capability: broad-scope user activity and resource access monitoring for compliance reporting and security management.
- How it works: collects, normalizes, aggregates, correlates and analyzes the event data produced by devices, systems and applications.
- Event sources feeding SIM/SEM: firewalls, IDS/IPS, network devices, security devices, servers, databases, directories, IAM, applications.
- SIM/SEM functions: log management, reporting and historical analysis; real-time monitoring, correlation and alerts; incident management.

Emerging Monitoring Capabilities for SIEM

Requirement | Capability | Sources
User activity monitoring | IAM integration, user context | IAM
Application monitoring | Packaged applications, unsupported sources | Logs
Data monitoring | DLP integration, data context | Network
Early attack detection | Pattern recognition, anomaly detection | Internal and external intelligence
Cloud-sourced application monitoring | Event stream integration | Internal and cloud

SIEM: Acquire Access Management Policies and Consolidated Monitoring
- Import from IAM (enterprise directories, user provisioning and role management tools): user definitions, access policies and role definitions. Together these form the access model.
- Monitor identity and monitor access against that access model across applications (in-house, packaged, cloud) and database management systems.
- Route exceptions into the identity, policy and mitigation workflows to mitigate.

Using SIEM to Monitor Privileged User Activity
- Privileged users and the logs that record their actions: network engineer on network infrastructure (device log); system administrator on servers (operating system or security log); database administrator on database instances (database audit log).
- SIEM performs change detection, correlates observed activity with defined restrictions and change management records, and reports exceptions.
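The correlation step above, written out as an added example (this is not Gartner's or any SIEM vendor's code): privileged change events are checked against a role restriction table and against approved change-management windows, and anything that fails either check is reported as an exception. The events, tickets and role table are constructed for the example; the field names are assumptions about how a SIEM might normalise a device log, an OS security log and a database audit log.

```python
"""Correlate privileged-user change events with restrictions and change records.

Added example, not Gartner's code. EVENTS, CHANGE_RECORDS and ALLOWED_ACTIONS
are constructed for illustration.
"""
from datetime import datetime, timezone

# Constructed "change detected" events, as a SIEM might normalise them.
EVENTS = [
    {"ts": "2010-05-13T02:10:00Z", "user": "jdoe",   "role": "network_engineer", "asset": "core-rtr-01", "action": "config_change"},
    {"ts": "2010-05-13T14:30:00Z", "user": "jdoe",   "role": "network_engineer", "asset": "core-rtr-02", "action": "config_change"},
    {"ts": "2010-05-13T03:05:00Z", "user": "asmith", "role": "sysadmin",         "asset": "app-srv-07",  "action": "service_restart"},
    {"ts": "2010-05-13T09:45:00Z", "user": "bwong",  "role": "dba",              "asset": "oradb-prod",  "action": "grant_privilege"},
    {"ts": "2010-05-13T09:50:00Z", "user": "jdoe",   "role": "network_engineer", "asset": "oradb-prod",  "action": "grant_privilege"},
]

# Constructed approved change windows from the change-management system.
CHANGE_RECORDS = [
    {"ticket": "CHG-1001", "asset": "core-rtr-01", "user": "jdoe",   "start": "2010-05-13T02:00:00Z", "end": "2010-05-13T04:00:00Z"},
    {"ticket": "CHG-1002", "asset": "app-srv-07",  "user": "asmith", "start": "2010-05-13T02:00:00Z", "end": "2010-05-13T04:00:00Z"},
    {"ticket": "CHG-1003", "asset": "oradb-prod",  "user": "bwong",  "start": "2010-05-13T09:00:00Z", "end": "2010-05-13T10:00:00Z"},
]

# Defined restrictions: which privileged role may perform which actions.
ALLOWED_ACTIONS = {
    "network_engineer": {"config_change"},
    "sysadmin": {"service_restart", "package_install"},
    "dba": {"grant_privilege", "schema_change"},
}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matching_change(event, records):
    """Return the ticket that authorises this event (same asset, same user,
    inside the approved window), or None if there is no such ticket."""
    t = _parse(event["ts"])
    for r in records:
        if (r["asset"] == event["asset"] and r["user"] == event["user"]
                and _parse(r["start"]) <= t <= _parse(r["end"])):
            return r["ticket"]
    return None


def find_exceptions(events=EVENTS, records=CHANGE_RECORDS, allowed=ALLOWED_ACTIONS):
    """Report every privileged change that breaks a role restriction or that
    has no approved change record. Both reasons are recorded when both apply."""
    exceptions = []
    for e in events:
        reasons = []
        if e["action"] not in allowed.get(e["role"], set()):
            reasons.append("action not permitted for role")
        if matching_change(e, records) is None:
            reasons.append("no approved change record")
        if reasons:
            exceptions.append({"ts": e["ts"], "user": e["user"], "asset": e["asset"],
                               "action": e["action"], "reasons": reasons})
    return exceptions


if __name__ == "__main__":
    for x in find_exceptions():
        print(f'{x["ts"]} {x["user"]}@{x["asset"]} {x["action"]}: {", ".join(x["reasons"])}')
```

Run as written, the example reports two exceptions: the second router change has no ticket, and the network engineer's privilege grant on the database is both outside that role's permitted actions and unticketed. A change inside an approved window by the right person and role is silent, which is the point: the SIEM reports deviations from the change process, not every change.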

Using SIEM for Application Monitoring: Monitoring Application User Activity
- Application tiers and their logs: web server (web server activity log); applications (application activity or transaction logs); database server(s) (database transaction-level audit data).
- SIEM collects user activity from all application tiers and across applications, correlates observed activity with role restrictions and known patterns of fraud, and reports exceptions.

Consolidated Monitoring: Tracking User Activity Across the Infrastructure and Applications
- Primary use case: breach or fraud detection, investigation and forensics.
- Activity tracked: network login, domain login, application login, file and data access, database access.
- Collect RADIUS server log data, directory server log data, application login data, and activity logs from file, application and database servers.
- Correlate network, domain and application identities.
- Alert or report on cross-platform user activity and on resource access policy violations.
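The identity correlation described in the last three bullets, and the role-restriction check from the application monitoring slide, as an added example (not Gartner's or any vendor's code). Each platform knows the same person by a different name (RADIUS username, DOMAIN\user, e-mail address); the example maps them to one canonical account with a directory export, builds a per-user timeline, and then makes two checks that no single log source could make alone: a file-share read by someone outside the group the share is restricted to, and an application login with no preceding network or domain login. The log lines, identity map, group membership and share policy are all constructed, and the regular expressions match only those constructed lines.

```python
"""Correlate network, domain and application identities into one user timeline.

Added example, not Gartner's code. RAW_LOGS, IDENTITY_MAP, GROUPS and
SHARE_POLICY are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed log lines from a RADIUS server, a domain controller, an ERP
# application and a file server. Real formats differ; these are illustrative.
RAW_LOGS = r"""
radius 2010-05-13T08:01:10Z Access-Accept user=jdoe nas=vpn-gw-1 ip=10.8.0.23
dc01 2010-05-13T08:02:05Z EventID=4624 Account=CORP\jdoe Src=10.8.0.23
erp 2010-05-13T08:05:40Z login user=john.doe@corp.example ip=10.8.0.23
fs02 2010-05-13T08:07:12Z READ \\fs02\finance\payroll.xlsx user=CORP\jdoe ip=10.8.0.23
dc01 2010-05-13T08:20:00Z EventID=4624 Account=CORP\asmith Src=10.1.4.17
fs02 2010-05-13T08:21:30Z READ \\fs02\finance\payroll.xlsx user=CORP\asmith ip=10.1.4.17
erp 2010-05-13T08:30:00Z login user=bob.wong@corp.example ip=203.0.113.9
"""

# Directory export: every platform-specific identity -> one canonical account.
IDENTITY_MAP = {
    "jdoe": "jdoe", r"CORP\jdoe": "jdoe", "john.doe@corp.example": "jdoe",
    "asmith": "asmith", r"CORP\asmith": "asmith",
    "bwong": "bwong", r"CORP\bwong": "bwong", "bob.wong@corp.example": "bwong",
}
GROUPS = {"jdoe": {"finance"}, "asmith": {"engineering"}, "bwong": {"finance"}}
# Resource access policy: share path prefix -> group permitted to read it.
SHARE_POLICY = {r"\\fs02\finance": "finance"}

PATTERNS = [
    ("radius", re.compile(r"^radius (\S+) Access-Accept user=(\S+) nas=\S+ ip=(\S+)")),
    ("domain", re.compile(r"^dc01 (\S+) EventID=4624 Account=(\S+) Src=(\S+)")),
    ("app",    re.compile(r"^erp (\S+) login user=(\S+) ip=(\S+)")),
    ("file",   re.compile(r"^fs02 (\S+) READ (\S+) user=(\S+) ip=(\S+)")),
]


def parse(raw=RAW_LOGS):
    """Normalise each line to {ts, source, user, ip, resource}, with the
    platform identity replaced by the canonical account from the directory."""
    events = []
    for line in raw.strip().splitlines():
        for source, rx in PATTERNS:
            m = rx.match(line)
            if not m:
                continue
            if source == "file":
                ts, resource, ident, ip = m.groups()
            else:
                ts, ident, ip = m.groups()
                resource = None
            user = IDENTITY_MAP.get(ident, f"unmapped:{ident}")
            events.append({"ts": ts, "source": source, "user": user, "ip": ip, "resource": resource})
            break
    return sorted(events, key=lambda e: e["ts"])


def timelines(events):
    """Group normalised events by canonical user: the cross-platform view."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    return dict(by_user)


def alerts(events):
    """Checks that need more than one log source: share reads outside the
    permitted group, and application logins with no network/domain login."""
    out = []
    logins = defaultdict(set)  # canonical user -> sources that logged them in
    for e in events:
        if e["source"] in ("radius", "domain"):
            logins[e["user"]].add(e["source"])
        elif e["source"] == "app" and not logins[e["user"]]:
            out.append(f'{e["ts"]} {e["user"]}: application login from {e["ip"]} '
                       f'with no prior network or domain login')
        elif e["source"] == "file":
            for prefix, group in SHARE_POLICY.items():
                if e["resource"].startswith(prefix) and group not in GROUPS.get(e["user"], set()):
                    out.append(f'{e["ts"]} {e["user"]}: read {e["resource"]} without membership of {group}')
    return out


if __name__ == "__main__":
    for a in alerts(parse()):
        print(a)
```

Without the identity map, the domain controller sees CORP\asmith and the file server sees CORP\asmith but neither knows that john.doe@corp.example in the ERP log is the same person as the RADIUS user jdoe; the unified timeline is what makes the "application login with no network login" check possible at all. Identities that the directory cannot resolve are kept with an "unmapped:" prefix rather than dropped, so gaps in the map surface in the timeline instead of silently disappearing.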

Targeted Attacks: Collective Intelligence
- External threat intelligence, consumed by SIEM, IPS and endpoint protection:
  - Security research and intelligence services (intrusion detection sensors, malware detection, vulnerability disclosures, security research) produce attack signatures, threatening IP addresses, and malicious code and network patterns.
  - Cyber-intelligence services provide "bad actor" IP addresses and identities, industry-specific fraud patterns, phishing attacks and IP blacklists.
- Enterprise context (user, application, data): user and resource access patterns; content and data access patterns; account, user, group, device and transaction activity patterns; and, from fraud management, fraud transaction patterns and compromised account lists.

Rule-Based Correlation Versus Anomaly Detection

Rule-based correlation:
- Good to identify known attack methods and known bad conditions.
- Can be used to implement specific monitoring methods and policies.
- Customization is typically needed to orient predefined rules to a specific environment.
- Not as useful for "bad" conditions that have not been seen before.

Anomaly detection:
- Good to identify new deviations from normal.
- Can be used to discover new attack methods.
- Extensive tuning is typically needed to "turn down" false positives.
- May not be useful in "unstructured" environments.

Organizations will need to employ both methods.
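The two methods side by side, as an added example (not Gartner's or any vendor's code), also covering the external intelligence feeds from the collective intelligence slide. Two rules encode known-bad conditions: a run of failed logins from one source followed by a success, and any successful login from an IP address on a threat-intelligence blacklist. The anomaly detector encodes no attack at all; it keeps a per-user baseline of daily login counts and flags a day that is far above that user's normal. The authentication events, the blacklist, the 14-day history and the thresholds (5 failures in 10 minutes; 3 standard deviations with a floor of 5) are all constructed and are assumptions, not figures from the presentation.

```python
"""Rule-based correlation and anomaly detection on the same login stream.

Added example, not Gartner's code. EVENTS, BLACKLIST, HISTORY and every
threshold are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed authentication events for one day: (time, user, source IP, outcome).
EVENTS = [
    ("2010-05-13T09:00:00Z", "jdoe", "10.1.4.17", "success"),
    ("2010-05-13T09:01:00Z", "jdoe", "10.1.4.17", "success"),
    # six failures from one external address, then a success: a known-bad pattern
    *[(f"2010-05-13T11:{m:02d}:00Z", "asmith", "198.51.100.7", "failure") for m in range(0, 6)],
    ("2010-05-13T11:07:00Z", "asmith", "198.51.100.7", "success"),
    # a login from an address the intelligence feed reports as a bad actor
    ("2010-05-13T12:00:00Z", "bwong", "203.0.113.9", "success"),
    # forty successes for a user who normally logs in a few times a day
    *[(f"2010-05-13T13:{m:02d}:00Z", "jdoe", "10.1.4.17", "success") for m in range(0, 40)],
]

# Constructed threat-intelligence feed ("bad actor" IP addresses).
BLACKLIST = {"203.0.113.9"}


def rule_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Known-bad pattern: at least `threshold` failures from one source inside
    `window`, followed by a success from that source."""
    alerts, recent = [], defaultdict(deque)  # source ip -> recent failure times
    for t, user, ip, outcome in events:
        t = ts(t)
        q = recent[ip]
        while q and t - q[0] > window:      # expire failures older than the window
            q.popleft()
        if outcome == "failure":
            q.append(t)
        elif len(q) >= threshold:
            alerts.append(("bruteforce_success", user, ip, t.isoformat()))
            q.clear()
    return alerts


def rule_threat_intel(events, blacklist=BLACKLIST):
    """Known-bad condition: a successful login from a blacklisted address."""
    return [("blacklisted_source", u, ip, t) for t, u, ip, o in events
            if ip in blacklist and o == "success"]


# Constructed 14-day baseline: successful logins per day, per user.
HISTORY = {
    "jdoe":   [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4, 3, 4],
    "asmith": [1, 0, 2, 1, 1, 0, 1, 2, 1, 1, 0, 1, 1, 2],
    "bwong":  [0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0],
}


def anomaly_login_volume(events, history=HISTORY, sigmas=3.0, floor=5):
    """Deviation from normal: today's successful-login count is above the
    user's own mean plus `sigmas` standard deviations. The floor stops a very
    quiet baseline from turning two logins into an alert; that floor and the
    sigma multiplier are the tuning knobs the slide warns about."""
    today = defaultdict(int)
    for _, user, _, outcome in events:
        if outcome == "success":
            today[user] += 1
    alerts = []
    for user, count in today.items():
        base = history.get(user)
        if not base:
            continue                      # no baseline yet: "normal" is undefined
        limit = max(floor, mean(base) + sigmas * pstdev(base))
        if count > limit:
            alerts.append(("login_volume_anomaly", user, count, round(limit, 1)))
    return alerts


def run(events=EVENTS):
    """Both methods over the same stream; the slide's point is that each
    catches something the other cannot."""
    return rule_bruteforce(events) + rule_threat_intel(events) + anomaly_login_volume(events)


if __name__ == "__main__":
    for a in run():
        print(a)
```

On the constructed stream the rules catch the brute-force success and the blacklisted address, and the baseline catches the 42-login day for jdoe even though no rule describes it. The reverse limitations are visible too: the anomaly detector says nothing about asmith or bwong, whose one login each looks perfectly normal, and the rules would never fire on jdoe, whose logins all succeed from an internal address. A user with no history is skipped rather than scored, since a baseline of nothing makes every count anomalous.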

Repairing User Monitoring Blind Spots Caused by Cloud Computing
- Cloud applications and cloud infrastructure generate user activity event streams outside the data center; the goal is a unified view across data center applications and infrastructure and cloud-based services.
- Consider monitoring requirements when evaluating workloads for cloud-based services, and provide requirements to cloud providers.
- When evaluating enterprise monitoring technologies, pay attention to external data integration capabilities.

SIEM Magic Quadrant (From "Magic Quadrant for Security Information and Event Management," 13 May 2010)

Examples of SIEM Vendors That Are Working on Emerging Capabilities
- Integration with their own IAM products
- Application integration (SAP)
- Historical pattern detection
- Threat intelligence
- Anomaly detection from network flow data (Q1 Labs)
- Application and data context taken off the network

Your Action Plan: CISOs and security managers should
- Monday morning: evaluate opportunities to integrate your SIEM with Active Directory and other IAM sources to gain user context.
- The next 90 days: engage the fraud management, internal audit and application support areas for opportunities to leverage your SIEM technology for application layer monitoring; use SIEM as a compensating control to address IAM-related audit issues.
- The next 12 months: consider monitoring requirements when evaluating workloads for cloud-based services, and provide requirements to cloud providers; track developments from SIEM vendors in the areas of anomaly detection, threat intelligence and monitoring "off the wire."

Related Gartner Research
- Magic Quadrant for Security Information and Event Management. Mark Nicolett, Kelly M. Kavanagh (G00176034)
- Critical Capabilities for Security Information and Event Management Technology. Mark Nicolett (G00175976)
- Implement Pattern-Based Strategies With Security and Fraud Detection Technologies. Mark Nicolett (G00173238)
- SIEM and IAM Technology Integration. Mark Nicolett, Earl Perkins (G00161012)
For more information, stop by Gartner Solution Central or e-mail us at solutioncentral@gartner.com.

Gartner Events: experience live analyst expertise plus much more at a Gartner event. Events for security professionals:
- Security & Risk Management Summit, June 21-23, National Harbor, MD (Washington DC area)
- Information Security Summit, September 22-23, London, UK
- Identity & Access Management Summit, November 15-16, San Diego, CA
Visit gartner.com/us/events

Gartner Symposium/ITxpo: the world's most important gathering of CIOs and senior IT executives
- Hundreds of analyst-led sessions, workshops, how-to clinics and more
- Role-based tracks designed to address your key priorities and challenges
- Immediately actionable take-aways: a clear action plan for the next 3, 6 and 12 months
- Mastermind Interview keynotes with industry leaders
- The ITxpo show floor with hundreds of top solution providers and exciting startups
Celebrating 20 years of Symposium/ITxpo: September 14-16, São Paulo, Brazil; October 17-21, Orlando, FL; October 25-27, Tokyo, Japan; November 8-11, Cannes, France; November 16-18, Sydney, Australia. Visit gartner.com/symposium to learn more.

Thank you for participating. Do you have any questions? Have a question for the presenter(s)? Type it into the Questions pane; we will answer as many as time permits.

Two simple steps for increasing the value of today's webinar experience: contact your Gartner account executive (or e-mail GartnerWebinars@gartner.com) with any additional questions, comments or requests, or to order a complimentary copy of today's presentation; and visit gartner.com/webinars for a schedule of upcoming Gartner webinars (plus replays of previous webinars) and share these resources with your colleagues.