Download Mucho Big Data y ¿La Seguridad para cuándo?

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
Document related concepts

Wireless security wikipedia , lookup

Airport security wikipedia , lookup

Distributed firewall wikipedia , lookup

Information security wikipedia , lookup

Information privacy law wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Cyber-security regulation wikipedia , lookup

Mobile security wikipedia , lookup

Security-focused operating system wikipedia , lookup

Computer security wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript 
Mucho Big Data y ¿La Seguridad
para cuándo?
Juan Carlos Vázquez
Sales Systems Engineer, LTAM
mayo 9, 2013
Agenda
•  Business Drivers
•  Big Security Data
•  GTI Integration
•  SIEM Architecture & Offering
•  Why McAfee
•  Demo
Shifting from Compliance to Security
Source: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology
professionals, April 2012
3
mayo 9, 2013
SIEM as solution to detect CyberAttacks
4
mayo 9, 2013
SEM + SIM = SIEM
SIEM is the Evolution and Integration
of Two Distinct Technologies
! 
Security Event Management (SEM)
― 
! 
Primarily focused on Collecting and
Aggregating Security Events
Security Information & Event
Management (SIEM) is a Set
of Technologies for:
! 
! 
Security Information Management (SIM)
! 
Primarily focused on the Enrichment,
Normalization, and Correlation of
Security Events
! 
― 
! 
! 
Log Data Collection
Correlation
Aggregation
Normalization
Retention
Analysis and Workflow
Three Major Factors Driving the Majority of SIEM Implementations
1
5
Real-Time
Threat Visibility
2
Security
Operational
Efficiency
3
Compliance and/or Log
Management Requirements
mayo 9, 2013
Security Connected Platform (SCP)
NETWORK SECURITY
ENDPOINT SECURITY
Malware Protection
Device Encryption
Application Whitelisting
Desktop Firewall
Device Control
Email Protection
Network Access Control
Endpoint Web Protection
Host Intrusion Protection
Mobile Device Management
High Assurance Firewall
Network Intrusion Prevention
Network Access Control
Network Behavior Analysis
INFORMATION SECURITY
Email Security
Web Security
Data Loss Prevention
Encryption
Identity & Access Management
API and Web Services Security
Server & Database Protection
Hardware Assisted Security
Smartphone and Tablet Protection
Virtual Machine and VDI Protection
Embedded Device Protection
SECURITY MANAGEMENT
PARTNER COMMUNITY
Security Operations Mgmt
Policy Auditing & Management
Vulnerability Management
Risk Management/SIEM
Compliance Management
6
Security Innovation Alliance
McAfee Connected
Global Strategic Alliance Partners
mayo 9, 2013
The State of SIEM
SIEM Promise:
Turns Security Data Into
Actionable Information
Provides an Intelligent
Investigation Platform
Supports Management
and
Demonstration of Compliance
Events Alone Do Not
Provide Enough Context
to Combat Today’s Threats
Complex Usability and
Implementation Have
Caused Costs To Skyrocket
Legacy SIEM REALITY:
00001001001111
11010101110101
10001010010100
VS
00101011101101
Antiquated Architectures
Force Choices Between
Time-to-Data and Intelligence
The Big Security Data Challenge: Lots and Lots of Data
APTs
Billions of Events
Multi-dimensional Active
Trending; LT Analysis
Cloud
Data
Insider
Large Volume Analysis
Anomalies
Compliance
Historical Reporting
Thousands of Events
Perimeter
Correlate Events
Consolidate Logs
Big Data vs. Big Security Data
Big Data:
Datasets whose size and variety is beyond
• 
Size of security data
doubling annually
• 
Advanced threats
demand collecting
more data
• 
Legacy data
management
approaches failing
• 
SIEM use shifting from
compliance to security
the ability of typical database software to
capture, store, manage & analyse.
Big SECURITY Data:
Understanding security data as big data.
• 
How do I gather security context?
• 
How do I manage big security information?
• 
How do I make security information
management work?
McAfee Starts at the Core
McAfee ESM
Fast
Smart
McAfeeDB
• 
• 
• 
• 
• 
• 
10
Real-time, complex analysis
Indexing purpose-built for
SIEM
Massive context feeds with
enrichment
Historical retrieval and
analytics
Integrated log and event
management
No DBA required
mayo 9, 2013
Scalable and Intelligent Architecture
Intelligence and
Operational efficiency
Adaptive Risk Analysis &
Historical Correlation
Integrated SIEM
& Log Management
Rich App &
DB Context
Scalable Collection &
Distributed Correlation
GTI
ePO
MRA
SIA
McAfee Advanced Correlation Engine
McAfee Enterprise Security Manager
McAfee Enterprise Log Manager
McAfee Application
Data Monitor
McAfee Database
Event Monitor
McAfee Receivers
Big
Security
Data DB
Global Threat Intelligence and SIEM
IP REPUTATION CHECK
GOOD
SUSPECT
AUTOMATIC RISK
ANALYSIS VIA
ADVANCED
CORRELATION ENGINE
BAD
Medium Risk
High Risk
EVENT
AUTOMATIC
IDENTIFICATION
McAfee Labs
IP Reputation Updates
Botnet/
DDos
Mail/
Spam
Sending
Web
Access
Malware
Hosting
Network
Probing
Network
Probing
Presence
of
Malware
DNS
Hosting
Activity
Intrusion
Attacks
GTI with SIEM Delivers Even Greater Value
Sorting Through a Sea of Events…
Have I Been Communicating With Bad Actors?
200M events
Which Communication Was Not Blocked?
18,000 alerts
and logs
What Specific Servers/Endpoints/ Devices Were Breached?
RESPOND
Dozens of
endpoints
Which User Accounts Were Compromised?
Handful
of users
What Occurred With Those Accounts?
Specific files
breached
(if any)
How Should I Respond?
Optimized
response
McAfee ESM
Scalable, Distributed & Purpose-build
EPS
300,000
150,000
70,000
60,000
50,000
Enterprise
Architecture
deployments
All-in-one
Combo HW & VM
systems
5000
2500
1000
# DEVICES
100
200
400
750
1250
1500
2048
30,000
What does Gartner think?
McAfee Enterprise Security
Manager is a good choice for
organizations that require
high-performance analytics
under high-event-rate
conditions.
Customer references have
validated very high scalability
and query performance
levels for the McAfee
Enterprise Security Manager
event data store.
15
mayo 9, 2013
Competition and Differentiation
NitroSecurity competes most often with select best-of-breed vendors, and
can win most deals due to NitroView’s technical proficiency and scalability
Most Frequent Competitors
! 
Complex product, heavy services, expensive
but best known
! 
Poor standalone product, but can bundle
with other services
Large existing customer base is turning over
! 
! 
Now owned by IBM; adequate product, but
doesn’t scale easily
! 
Mostly log management; poor SIEM; typically
in small accounts
! 
Log-centric, recently added low-end SIEM;
large existing customer base is turning over
Occasional
Non-Factors / Low-End Solutions
Non-Factors / Low-End Solutions
16
Nitro is Scalable
!  Scales easily from SMB to Fortune 500
!  Collects all relevant data, not selected
sub-sets
!  Content-aware & context-aware
Nitro is Fast
!  100x to 1,000x faster than other solutions
!  Single appliance can handle up to 300K EPS
!  Only SIEM with real-time insertion & query
Nitro is Capable
!  Comprehensive product offering,
covering SIEM, log management,
database activity monitor, and application
data & protocol monitor
Nitro is Easy
!  Value increases as more information is added
through “single pane-of-glass” operation
!  Out-of-box full functionality
mayo 9, 2013
Related documents
BBCN BANK: DETECTING LATERAL MOVEMENT AND SERVICE
BBCN BANK: DETECTING LATERAL MOVEMENT AND SERVICE
Ben Hermalin`s JEL Review
Ben Hermalin`s JEL Review
tg5
tg5
Phoenix SIEM (Security Information and Event
Phoenix SIEM (Security Information and Event
Churning of the Ocean of Milk
Churning of the Ocean of Milk
McAfee Database Activity Monitoring 5.1.1 Release Notes About this release
McAfee Database Activity Monitoring 5.1.1 Release Notes About this release
assignment 2 (winter 2007)
assignment 2 (winter 2007)
Decision Support System
Decision Support System
Intrusion Prevention System (IPS)
Intrusion Prevention System (IPS)
How to display Security Events from an external AlienVault Database
How to display Security Events from an external AlienVault Database