Today's Threat Landscape: Cloud / Big data / Mobile. Jonathan Martin, HP Enterprise Security Products
Agenda: Today's Threat Landscape; HP ArcSight; Summary
What's so significant about these numbers? 94, 416, 71, 84, 68
Experts Marvel At How Cyberthieves Stole $45 Million; Global Network of Hackers Steal $45 Million From ATMs; Bank Hack Results in Stunning $45 Million ATM Heist; In Hours, Thieves Took $45 Million in A.T.M. Scheme; The Circuit: Hackers took $45 million in ATM heist
$45M stolen in a matter of hours, but planned over a number of years.
If you know the enemy and know yourself, you need not fear the result of a hundred battles. Sun Tzu, The Art of War
Cloud Big data Mobile
Defining the adversary. Actors: cybercrime, hacktivist, nation state. A market with distinct processes: the actors organize and specialize; intelligence is bought and sold.
Organize our capability to disrupt the market. Adversary lifecycle: Research, Infiltration, Discovery, Capture, Exfiltration, running from their ecosystem into our enterprise.
Organize our capability to disrupt the market. Lifecycle: Research, Infiltration, Discovery, Capture, Exfiltration (their ecosystem to our enterprise). Our disruption capabilities so far: educating users, counter intelligence, blocking access.
84% of breaches occur at the application layer. 68% increase in mobile application vulnerability disclosures.
Organize our capability to disrupt the market. Lifecycle: Research, Infiltration, Discovery, Capture, Exfiltration (their ecosystem to our enterprise). Our disruption capabilities: educating users, counter intelligence, blocking access, finding them.
94% of breaches are reported by a 3rd party.
416 days: average time to detect a breach (timeline from June 2012 to August 2013).
Organize our capability to disrupt the market. Lifecycle: Research, Infiltration, Discovery, Capture, Exfiltration (their ecosystem to our enterprise). Our disruption capabilities: educating users, counter intelligence, blocking access, finding them, protecting the target asset, planning damage mitigation.
Since 2010, time to resolve an attack has grown 71%.
Rethink our capability investments. Lifecycle: Research, Infiltration, Discovery, Capture, Exfiltration (their ecosystem to our enterprise); investment labels 5X and 1X across the stages.
Use our intelligence
What's so significant about these numbers? 94, 416, 71, 84, 68
Agenda: Today's Threat Landscape; HP ArcSight; Summary
Security awareness at board level: organizational and security leadership is under immense pressure.
CISO pressures: cyber threat, extended supply chain, financial loss, reputation damage, cost of protection, reactive vs. proactive.
56% of organizations have been the target of a cyber attack; 44% of all data breaches involved third-party mistakes; $8.6M average cost associated with a data breach; 30% market cap reduction due to recent events; 11% of total IT budget spent on security; 97% of data breaches could have been avoided.
The new business reality: a time of significant change & acceleration.
Cloud: volume moving from on premise to cloud or xSPs.
Big Data: critical business data expanding from megabytes to zettabytes.
Risk: business services, devices, and identities need to be dynamically secured in context.
(Charts plot volume against time, today to 2020.)
The new business reality: what does this mean for IT security?
Cloud (on premise to cloud or xSPs): added complexity, more monitoring end points and data, harder triage, less visibility.
Big Data (critical business data expanding from megabytes to zettabytes): increased analytics pressure within IT, faster decision making; data volume, velocity and variety (the three V's of IT).
Risk (business services, devices, and identities need to be dynamically secured in context): shared log management, alignment of NOC and SOC, common purpose: business continuity.
(Charts plot volume against time, today to 2020.)
Problem with the current approach: assuring the hybrid environment.
Components to monitor: traditional DC, SaaS, packaged applications, employees, IT metrics/analytics, storage, public cloud, private cloud, virtual fabric, custom apps managed in-house, software-driven networks, mobile, third-party apps and suppliers, 1000+ vendors, devices & apps, across cloud, virtual and physical layers, with security monitoring, systems monitoring and service models.
Trade-off: comprehensive monitoring is expensive, and there is no automation.
A new approach is needed: risk-based, adversary-centric
A new approach: risk-based, adversary-centric. Log management & security information and event management (SIEM):
Collect: collect logs from any device, any source, and in any format at high speed.
Consolidate: machine data is unified into a single format through normalization and categorization.
Correlate: real-time, cross-device correlation of events.
Collaborate: automate the process of event analysis and information sharing for IT GRC, IT security, and IT operations.
Collect
Security Intelligence through Event Analytics: taking unstructured data into account.
Challenges (Other Vendors / HP ArcSight):
Scalability: No / Yes
Ingest high volumes of data (all available data): No / Yes
Normalization: No / Yes
Variety of data (structured, semi-structured, unstructured): No / Yes
Simultaneous data and query processing: No / Yes
Faster access to all relevant information: No / Yes
SIEM in the cloud: No / Yes
Prioritization of events: No / Yes
Competitive advantage (degree of intelligence, from decision support to real-time responsiveness): standard reports, ad hoc reports, query drill-down, alerts, statistical analysis, discover patterns, threat intelligence.
The questions that are answered: How many, how often, where? What happened? Why is this happening? What actions are needed? Is this actually a problem? What will happen next? What is normal, what might be malicious?
Consolidation
Consolidation: access the data from one point. The power of the fastest log management tool:
Universal log management of any data to support IT operations, security, compliance and application development.
Search and report on years of data to investigate outages and incidents quickly and easily.
Recognized as the industry leader in log management.
Cost-effective, powerful solution.
Easily aggregate your log information into one solution.
Strong user community (Protect 7/24).
Search and reporting dashboards as standard.
Correlation
Correlation: what can ArcSight show you?
Monitor privileged users: privileged user administration, successful logins, failed logins, user session monitoring.
Network usage: top bandwidth users, top protocols, top domains and zones, top external destinations, top external sources.
Protect your data: database errors and warnings, successful and failed logins, database configuration changes.
Correlation: what can ArcSight show you?
Control user access: user authentication across hosts, authentication successes and failures, configuration changes.
Prevent intrusions: top attackers and internal targets, IPS/IDS metrics, intrusion alert counts, top alert sources and destinations.
Control network devices: network device errors and critical events, network device status and down notifications, configuration changes by user and change type, successful and failed logins.
Correlation: what can ArcSight show you?
Prevent viruses: top infected systems, all AV errors, AV signature update stats, consolidated virus activity, AV configuration changes.
Monitor VPN/remote access: VPN authentication errors, connection counts, connection durations, connections accepted and denied, successful and failed logins, top connections, top bandwidth users, VPN configuration changes.
Guard the perimeter: firewall monitoring, denied inbound connections, denied outbound connections, successful/failed login activity.
Correlation: ArcSight provides you with system intelligence. The most complete correlation engine on the market: pattern recognition and anomaly detection to identify modern advanced threats; analyze roles, identities, histories and trends to detect business risk violations. The more you collect, the smarter it gets.
Correlation with context: to understand your enterprise you need deep coverage.
Asset context: vulnerability, attack history, criticality.
Context on roles, attributes, accounts and location (physical, logical).
Actions: badge swipes, database queries, USB file saves, files accessed, emails sent, screen prints, web surfing, hosted applications.
Correlation brings it all together: your own Sherlock Holmes. Dimensions correlated: history, privileged user, session, role, anomaly, asset, location, transactions, action, IP address.
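The Collect / Consolidate / Correlate pipeline and the correlation-with-context slides above describe what a SIEM does internally. As an added illustration that is not ArcSight code or any HP product code, this Python sketch normalizes two constructed log formats into one schema, categorizes the events, runs one cross-device authentication rule, and ranks the resulting alert with a constructed asset-criticality table. Hostnames, addresses, the asset table and the two-host threshold are all assumptions.

```python
"""Toy SIEM pipeline (added illustration, not ArcSight code): normalize two
log formats into one schema, categorize, correlate auth failures across
devices and rank the alert with asset criticality. All data is constructed."""
import re
from collections import defaultdict
# Constructed sample input: sshd syslog lines and a firewall appliance line.
RAW_LOGS = [
    "Jun 12 10:00:01 web01 sshd[911]: Failed password for root from 203.0.113.7 port 4001 ssh2",
    "Jun 12 10:00:03 db01 sshd[412]: Failed password for root from 203.0.113.7 port 4002 ssh2",
    "2013-06-12T10:00:05Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22",
    "Jun 12 10:00:09 db01 sshd[413]: Accepted password for root from 203.0.113.7 port 4003 ssh2",
    "Jun 12 10:00:11 web02 sshd[777]: Failed password for bob from 198.51.100.9 port 5000 ssh2",
]
# Constructed asset context: criticality 1 (low) to 5 (high) per hostname.
ASSETS = {"web01": 2, "web02": 2, "db01": 5, "fw01": 4}

SSHD = re.compile(r"^\S+ \d+ \S+ (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                  r"password for (?P<user>\S+) from (?P<src>\S+)")
FW = re.compile(r"^\S+ (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>\S+)")

def normalize(line):
    """Map one raw line onto the common schema {host, src, user, category}."""
    if m := SSHD.match(line):
        cat = "auth/failure" if m["result"] == "Failed" else "auth/success"
        return {"host": m["host"], "src": m["src"], "user": m["user"], "category": cat}
    if m := FW.match(line):
        cat = "network/deny" if m["action"] == "deny" else "network/allow"
        return {"host": m["host"], "src": m["src"], "user": None, "category": cat}
    return None  # unknown format: dropped here; a real SIEM would count these

def correlate(events, min_hosts=2):
    """Cross-device rule: a source that failed auth on >= min_hosts distinct hosts
    and then succeeds anywhere. Priority = highest criticality of the hosts touched."""
    failed_hosts = defaultdict(set)
    alerts = []
    for ev in events:
        if ev["category"] == "auth/failure":
            failed_hosts[ev["src"]].add(ev["host"])
        elif ev["category"] == "auth/success" and len(failed_hosts[ev["src"]]) >= min_hosts:
            hosts = sorted(failed_hosts[ev["src"]] | {ev["host"]})
            alerts.append({"src": ev["src"], "user": ev["user"], "hosts": hosts,
                           "priority": max(ASSETS.get(h, 1) for h in hosts)})
    return alerts

def run(lines=RAW_LOGS):
    events = [e for e in map(normalize, lines) if e]  # drop unparsed lines
    return events, correlate(events)

if __name__ == "__main__":
    for a in run()[1]:
        print(f"P{a['priority']} {a['src']} as {a['user']} on {a['hosts']}")
```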
Collaboration
Collaboration: leverage the power of HP ESP, the future of IT security. Incorporates application security from HP Fortify; integrates reputation data from HP DVLabs; Cloud Connections program to get visibility into cloud data (in addition to physical & virtual layers); bi-directional integration with HP BSM products; ATALLA.
The ArcSight solution delivers: universal log management; compliance & risk management; perimeter, data center & network security; insider threat mitigation; advanced persistent threat & data loss; security information & event management; security operation center; application & transaction monitoring.
Why HP ArcSight? (Advantage / Benefit)
Collect: collect anything from anywhere / comprehensive breadth & depth of collection.
Store: store big data through a high compression ratio, normalize and categorize data / reduced cost of storing logs and unified machine data.
Search: sift through big data in seconds through text-based searching / no need for a domain expert to investigate deep into logs and events.
Consolidate: single view into IT security through analytics, monitoring, and machine data / detect & resolve security incidents quickly.
Correlate: real-time, user-centric, and cross-device correlation of all events / isolate the root cause and business impact, and fix issues proactively.
Modular: best price-to-performance ratio in the market with low TCO / peace of mind through automated & comprehensive continuous monitoring.
How has HP ArcSight helped?
5 minutes to generate an IT GRC report: Logger compliance packs generate IT GRC reports that would otherwise take 4 weeks.
3 days to run an IT audit: search results yield audit-quality data that would otherwise take 6 weeks.
2 days to fix a threat vulnerability: Logger integration with the SIEM solution builds threat immunity that would otherwise take 3 weeks.
10 minutes to fix an IT incident: text-based searching and integration with BSM detect and correct IT incidents that would otherwise take 8 hours.
4 hours to respond to a breach: Logger enables forensic investigation and a quick response to a data breach that would otherwise take 24 days.
Agenda: Today's Threat Landscape; HP ArcSight; Summary
Why HP ArcSight for security?
350+: breadth & depth of collection. 350+ SmartConnectors collect logs, events, and flows from 350 distinct log-generating sources.
2,000,000 EPS: ultra-fast & full-text search. Advanced filtering and parsing with rich metadata on unified machine data enables search speeds at over 2 million EPS.
$1,700,000: huge savings through SIEM. Average company savings of $1,700,000 through SIEM implementation, per Ponemon Institute research.
100,000 EPS: speed of collection. The connectors enable collection at up to 100,000 EPS, a speed that nobody else in the market can match. HP-IT, HP's internal IT organization, collects flows at 150,000 EPS.
10:1: scale linearly with big data. The modular solution helps you grow linearly with big data, analyzing and storing at 10:1 compression.
90%: reduction in compliance audits. Automating compliance is a one-time task and saves 90% of the time from each quarterly audit.
HP Protect 2013, Washington DC, September 16th-19th. hp.com/go/protect
Make it matter.
Thank you