First AID for IT: Automated, Integrated & Dynamic Operations
TRANSCRIPT
www.arcsight.com 1© 2010 ArcSight Confidential
©2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Session BTOS-TU-1700
Twitter hashtag #HPSWU
© 2010 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.
First AID for IT – Automated, Integrated & Dynamic Operations
Hugh Njemanze
Founder, CTO, Executive VP of Research & Development
ArcSight – an HP Company
Today’s Agenda
Today’s Challenges
– IT Ops and Service Availability
– Compliance
– Security Threats
How do SIEM and Log Management enable the Automated, Integrated and Dynamic Enterprise?
– What do SIEM and Log Management Products Do?
How can HP BTO and security products together help?
Today’s Challenges
– Security Threats
– Compliance Controls & Reporting
– IT Operations & Service Availability
Security and IT Operations Challenges for the Enterprise
Diagram: the same LOGS serve many stakeholders.
– Stakeholders: Audit & Risk, Networking, Applications, Forensics, IT Operations, Security, Change Management, Infrastructure
– Questions asked of the logs: Compliance Reporting, Network Availability, User Monitoring, Investigations, SLA Monitoring, Threat Monitoring, Configuration Monitoring, System Health
– Pain points in Security Monitoring and IT Operations: Manual Security Monitoring, Challenging SLAs, Slow Forensics Response
Today’s Problems: IT Operations
• 80% of application downtime is due to people or processes
• 1 hour of downtime means a loss of 250K USD or more for most companies
• Change management can reduce downtime by 35% and save 30% in costs
• Quickly resolve FCAPS issues to keep MTTR as short as possible
Log Collection Challenges
Log sources: Network Devices, Servers, Mobile, Desktop, Security Devices, Physical Access, Apps, Databases, Identity Sources
• More devices and growing log volumes
• Collection agents are not a feasible option
• Ensuring complete collection from all devices & locations
Log Storage Challenges
• Retention requirements drive up storage costs
• Hard to manage logs distributed across native devices
• Tedious and error prone log rotation
• Enforcing security and access controls
Log Analysis Challenges
• Lots of different and cryptic log formats
• No simple search and reporting interface for users
• High-performance search and reporting is critical
• Expertise required to build regulation specific content
Today’s Problems: Compliance
• 46 of 50 states in US require disclosure of breaches
• Europe currently reviewing similar laws
• Non-compliance means fines of millions of dollars, criminal charges and imprisonment
• Individual compliance solutions cost 10x more than consolidated ones
• Shrinking budgets and growing # of regulations require automation to maximize ROI
More Compliance
Canada
• The Privacy Act 1983
• PIPEDA 2001
Asia Pacific
• New Zealand – Privacy Act 1993
• Australia – PA/PA(PS)A 1988/2000, 2001
• South Korea – eCommerce Act 1999
• Taiwan – CPPDP Law 1995
• Hong Kong – Personal Data 1996, Code of Practice on Consumer Credit Data (2003), Privacy at Work (2004)
• India – Information Technology Act 2000 and Amendment Act 2006
South America
• Chile – APPD 1998
• Argentina – PDPA 2000
Mexico
• eCommerce Act 2000
U.S.A.
• Sarbanes-Oxley
• NERC CIP 002-009
• SB1386, S239, S248, S495, S806, S1178, S1260
• HIPAA 1996/2002
• FSMA/GLBA 1999/2001
• COPPA 1998/2000
• DMPEA 1999/2000
• State Breach Laws
Europe
• EU Directive
• Basel II
• Slovakia – Protection of Personal Data Act 2002 and Amendment Act 2005
• Slovenia – (99)
• Hungary – On the Protection of Personal Data and the Disclosure of Data of Public Interest 1992
• Czech – (00)
• Latvia – (00)
• Lithuania – (00)
• Greece – PIPPD 1995/1997
• Portugal – PDPA 1995/1998
• Italy – Data Protection Code
• Malta – Data Protection Act 2001
• Norway – Personal Data Act 2000
• Finland – FPDA 1995/1999
• Germany – FDPA 1995/2001, S 93 Telecommunications Act
• Austria – DPA 1995/2000
• Luxembourg – “EUD” 1995/2002
• Netherlands – PDPA 1995/2001, Telecommunications Act
• France – ADPDFIL 1978, “EUD” 1995, Postal and Electronic Communications Code
• Spain – Personal Data Protection Act, Telecommunications Act
• Ireland – Data Protection Act (1988) and Amendment Act (2003) and Ireland Data Protection Commission
• Belgium – LPPLRPPD 1992, DPA 1995/2001
• Sweden – PDPA 1995/1998, Electronic Communications Act
• UK – DPA 1995/2000, Proposal by House of Lords Committee, Privacy and Electronic Communications Regulations
• Denmark – DPRA 1978, Act on Processing of Personal Data 1995/2000
• Estonia – (96)
• Poland – (98)
Africa
• SALRC 2009
More Regulations Affect More Companies
Confusing Compliance Requirements
Today’s Problems: Security
• 59% of employees steal data on the way out
• Average cost of financial fraud is $500,000
• Cybercrime is committed every 10 seconds; twice the rate of actual real-world robberies
• 362 million identity records lost by the top ten known incidents
More Security: Recent Cyber Attacks
• 27 American and South Korean government agencies attacked
• 50,000 to 65,000 computers used in the attack
• Attackers were generating about 23 megabits of data/second
• Attackers used 86 IP addresses in 16 countries, including the United States, Guatemala, Japan and China, but North Korea was not among them
The line of sight has been digitized
Diagram: Attacker → Zombie Control center → Zombies → Target, with attack types Zombie, Virus, Fraud, Malware, Hacking, Spam.
It is Fairly Easy to Launch a Cyber-attack
An Ounce of Prevention is Worth a Pound of Cure!
Malware is Getting Worse
Source: F-Secure
More Widespread and More Malicious
– 20x over the last 5 years
– 3x in the last year alone
[Chart: malware sample counts per year, 1986 to 2008; y-axis from 100,000 to 1,600,000]
Is Your Staff Growing?
Bottom-line: The Problems are Growing
– Regulations are Growing
– Breaches are Growing
– Malware is Growing
– Problems are moving downstream and impacting more and more SMBs
Effective log management can save you money by:
– Security: helping to identify and mitigate security vulnerabilities
– Compliance: helping with compliance reporting & controls
– IT Operations: simplifying and improving IT operations
Leveraging SIEM and Log Management Products
What is SIEM?
SIEM in action
Event sources: Firewalls/VPN, Intrusion Detection Systems, Vulnerability Assessment, Network Equipment, Server and Desktop OS, Anti-Virus, Applications, Databases, Physical Infrastructure, Identity Management, Directory Services, System Health Information, Web Traffic
Risk-based Prioritization: Critical Events Surfaced by combining Identified Threats, Known Vulnerabilities and Business-critical IT Assets
– Millions: Raw Events
– Thousands: Security Relevant Events
– Hundreds: Correlated Events
Before and After
SIEM & Log Management helps in reducing cost, time and resources: Manual & Dispersed vs. Automated & Centralized
Problem: Security
“Everything looks like a one-off”
Too Many Devices on the Network
Too Many Different Device Types
Too Many Systems Exposed to the Internet
“I can’t understand the impact of this problem”
“We don’t even know when we are being attacked”
Solution: Real-Time Correlation + Event History
SIEM and/or Log Management
– Collect, categorize, correlate network/application activities
– Alert staff, take automated action
– Find unusual behavior in time to prevent loss:
• Worms spreading through the firewall
• Viruses spreading across desktops
• Hackers accessing the network
• Users running p2p applications
• Remote accesses through the VPN
Use Log Management for forensics investigation:
– How long has this been happening
– Who else is involved
– What systems are affected
Problem: Compliance
“Even simple investigations require my best people”
Too Much Data
Too Many Formats
Too Hard to Consolidate
Too Expensive to Store
“My databases can’t retain this many years of audit data”
“We spend too much time preparing for an audit”
Solution: Automated Compliance Reporting
Log Management
Collect, categorize, and capture for long term storage
Produce up-to-date and automatic reports for auditors
Perform forensics investigations in minutes
Low TCO to support multiple retention policies
Reports mapped directly to regulatory requirements
Problem: IT Ops
“We are not aware of the downtime unless a ticket is opened”
Too Many Log Formats
Unplanned and unknown downtimes
Change management is difficult
Mean Time To Repair (MTTR) is too high
“Root cause analysis is difficult and takes a lot of time and resources”
“We never know who made the change that resulted in failure”
Solution: Real-Time Correlation + Event History
SIEM and/or Log Management
– Collect, categorize, correlate network/application activities
– Alert staff, take automated action
– Find unusual behavior in time to resolve issues across FCAPS: Fault, Configuration, Accounting, Performance, Security
Use Log Management for forensics investigation:
– Who made the change
– How well are your systems/resources being utilized
– What other systems are impacted
The Automated Integrated and Dynamic Enterprise
– Security Operations: Insider Threat, Perimeter Threat, Forensics, SANS
– Regulations & Industry Mandates: PCI, SOX, HIPAA, FISMA
– IT Operations: System Health, Network Availability, SLA
Key Evaluation Criteria
Does the technology…
• Collect from everything?
• Make events easy to read?
• Provide built-in security rules?
• Enable regulation-specific audit reporting?
• Efficiently retain and manage my data?
• Expand when I need it?
The AID Platform That Delivers More
Diagram: HP BTO & ArcSight SIEM/Log Management Suite (SIEM, NSMs, Forensic Tools) serving Audit & Risk, Networking, Applications, Security, IT Operations, IT Governance, Change Management and Infrastructure.
Customer Case Study: University of Tennessee
– Compliance challenges quickly addressed after 2-day deployment
– "Finding needles in the haystack" reduced from 45 minutes to 2 minutes
– Reduced budgets highlight the operational efficiencies of ArcSight Logger
– “Tremendous cost savings from ArcSight Logger” – James Perry, U. of Tenn
– “We continue to find new applications for the product”
• e.g. Early detection of network outage warning signs
• e.g. PCI reporting across stores/restaurants on all campuses (150+ collection locations)
Customer Success Profile: Large Healthcare Provider
COMPANY OVERVIEW
► Top 10 provider of health insurance plans in the nation
► 565,000 customers
► 1000 employees
► 10,500 healthcare providers
CHALLENGES
► Homegrown log management did not scale to event rates of network and server devices
► Compliance: containing the cost of HIPAA and other audits
► IT Operations: increasing pressure on SLA adherence
► Security team overburdened by forensics follow up
RESULTS
► Significant improvements in event rate collection and cost effective long term storage
► Automated HIPAA audits
► Continuous real time awareness and notification on security threats
► Dramatic reduction in troubleshooting complex IT system issues
► Direct access to forensic team
COMPANY PERSPECTIVE
“We need a scalable log management solution for HIPAA compliance. Plus ability to proactively protect our infrastructure and improve SLA. The ArcSight Log Management solution streamlines our audit and delivers ongoing visibility into security risk. It saves time for our system, application support and forensic teams. We now provide the right log data to the right staff in a cost-effective manner.” —CIO
ArcSight for IT Operations (Customer Success Profile)
NSM tool provides system (CPU, memory, etc.) alerts but lacks source context
With ArcSight Log Management
– Helpdesk user launches ArcSight Logger Web interface
– IP, hostname, and/or application search shows all activity in last x minutes
– Dynamic result set and drill down capabilities provide intuitive navigation path to root cause analysis
ArcSight for IT Operations (Customer Success Profile)
Turnkey
– Eliminate HW procurement and deployment delays – rapid deployment
Consolidated log repository
– Avoid separate log storage investment
– Reduce direct access to critical infrastructure
– Rapid cross device troubleshooting
Device independent search taxonomy
– Reduced training cost and faster root cause analysis
Analytics portal
– Rapid conversion of searches to alerts – reduce future incidence
– SLA reports and dashboards
ArcSight for Forensics Investigations (Customer Success Profile)
Investigative tools (ex: Encase, iLook) take a snapshot of volatile machine activity as evidence
With ArcSight Log Management
– Search by user or host can quickly reveal similar past behavioral trends – reconnaissance activity
– Across years of historical data
Readily accessible audit quality data can provide strong evidentiary trails to support forensics investigations
ArcSight for Security Monitoring (Customer Success Profile)
Phase I – ArcSight Logger and ArcSight Connectors: Proactive Security Awareness
– Reports
– Real time alerts
– Anomaly detection
– Tier 1 notification
– Ad hoc investigations
Phase II – Any SIEM (ESM): Advanced Threat Detection
– Multi-event correlation
– Session extrapolation
– User correlation
– Pattern discovery
– Comprehensive case management
ArcSight SIEM & Log Management Suite Delivers
Before: Uncontrolled Log Infrastructure, Manual & Expensive Audits, Inefficient IT Operations
With the ArcSight Log Management Suite: Small to Enterprise Scale, Automated & Cost-effective Audits, Proactive Security Monitoring, IT Operations SLA Efficiency
+ Real-Time Protection with ArcSight ESM
Automated and Integrated Real Time Operations
Closed loop: Detect → Consolidate → Prioritize → Isolate → Diagnose → Repair
1. Discover, monitor and measure. Events detected, alerts are sent.
2. Topology, events and performance metrics are consolidated across domains into BSM. Events are automatically correlated.
3. Affected Business Services and SLAs are determined.
4. Find root cause and escalate as needed.
5. Diagnose root cause through subject matter expert investigation tools.
6. Repair problem through automated response and close event/incident once resolved.
IT OPERATIONS & SECURITY: SYNERGIES
Diagram: IT Ops and Security Ops (SIEM) share a Real Time Service Model (CMDB) spanning applications, business services, risk & compliance.
– Flows between the domains: Changes, Problems, Alerts, Incidents, Vulnerabilities, Threats, Events, Logs, CIs
– Shared functions: Event Correlation, Problem Isolation, Analytics, Policy, Compliance, Remediation (BSA), Discovery of the IT environment
– Outputs: Updates, Rules, Policy Updates, Actions
– Common context and alignment between IT Ops, Security Ops and the Risk & Compliance Office
To learn more, contact ArcSight at: [email protected] or 1-888-415-ARST
ArcSight, Inc. (NASDAQ: ARST), 5 Results Way, Cupertino, CA 95014, USA
Corporate Headquarters: 1 888 415 ARST; EMEA Headquarters: +44 870 351 6510; Asia Pac Headquarters: 852 2166 8302
http://www.arcsight.com/
Questions?
Backup Slides
Integrated Platform for Closed Loop Work Flow
– Infrastructure: Network, Hosts, VM, OS
– Users: Database, Apps, Identity
– Physical: Datacenter, Doors, Cameras
– Application Transactions: Financial, Retail, Insurance, Telco
SECURITY: VISION & MISSION
Proactively manage application security and vulnerabilities across the application lifecycle with continuous, real time assessment and remediation of business risk at lower cost.
Customer needs, Disruptions & Inflections, Beliefs:
• Align the security organization’s priorities with the business
• A single control framework to facilitate governance, compliance and security
• Reduce the cost of managing security while maintaining or improving risk and compliance levels
• Reduce the number of tools and vendors required to manage security related practices
• Convergence of governance, risk management and compliance into a single practice
• The scope and breadth of business expectations from the CISO group has increased significantly due to higher complexity
• The Managed Security Services market is growing at an increasing rate and provides a viable alternative to in-house implementations
• The most proactive and cost-effective way to manage application security risks and vulnerabilities is as part of quality assurance in pre-production
• Once deployed, application security and compliance need to be continuously monitored in real time
• Risk assessment for the enterprise must be aggregated, assessed, prioritized and remediated at the business service level
Improve application security & vulnerability assessment to proactively reduce business risk in real time
Analysis Optimization
Raw event as logged by the device:
Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside
Device Independent Categorization: One Common Taxonomy
• “Plain language” analysis
• Universal device content applicability
• Avoids content explosion
2. Real Time Alerting
SECURITY MONITORING
Reporting Real Time Alerting
3. Automation of Analysis Lifecycle
Dashboards → Drill Down Reports → Forensic Searches → Real Time Alerting
Personalized, Interactive Dashboards
– Browser-based, ready-to-use out of the box
– Hyperlink to KB articles, remediation procedures and other internal or external referential documents
– Fully customizable
• Role-based views
• Active reports on drill down
• Drag-and-drop monitors
• Comprehensive reporting
• Configurable auto refresh rates
Workflow Simulation: Drill Down Reporting
Forensic Search
– Distributed, device independent search based on time or term
– Meta-search filters for retention policies, devices, device groups, and peer Logger appliances
– Dynamic time and term based drill down/drill across
Real Time Alerting
Based on:
– Any expression
– Metadata
• Device
• Device group
• Retention policy
– Taxonomy
– Anomalous activity: time + term thresholds
– Internal system health
Delivered via console, syslog, SMTP, SNMP
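The two ideas the deck sketches, a device-independent taxonomy over the PIX line shown earlier and a time + term threshold alert, as one added example that is not ArcSight's code. The category/outcome field names, the 2005 year assumed for syslog-style stamps, and the iptables-style second format are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Two vendor-specific firewall formats mapped onto one common taxonomy. The
# field names are illustrative assumptions; the iptables format is constructed.
PIX_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-(?P<sev>\d)-(?P<msgid>\d+): "
    r"(?P<action>Deny|Permit) (?P<proto>\w+) .*?from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)
IPT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<action>DROP|ACCEPT): .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=(?P<sport>\d+) DPT=(?P<dport>\d+)"
)

def normalize(line):
    """Map a raw line to a device-independent event; None if the format is unknown."""
    m = PIX_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        denied, device = m["action"] == "Deny", "Cisco PIX"
    else:
        m = IPT_RE.match(line)
        if not m:
            return None
        # syslog-style stamps carry no year; assume 2005 like the PIX sample
        ts = datetime.strptime("2005 " + " ".join(m["ts"].split()), "%Y %b %d %H:%M:%S")
        denied, device = m["action"] == "DROP", "Linux iptables"
    return {
        "time": ts,
        "device": device,
        "category": "/Firewall/Access",            # same for every vendor
        "outcome": "Failure" if denied else "Success",
        "protocol": m["proto"].upper(),
        "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
    }

def threshold_alerts(events, term, threshold, window_seconds):
    """Time + term threshold: alert when one source produces `threshold`
    events matching `term` inside a sliding window of `window_seconds`."""
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if any(ev.get(k) != v for k, v in term.items()):
            continue
        q = recent[ev["src"]]
        q.append(ev["time"])
        while (ev["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev["src"], ev["time"]))
            q.clear()  # one alert per burst
    return alerts

# Constructed sample; only the first line is the one shown on the slide.
SAMPLE_LOGS = [
    "Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside",
    "Jun 02 2005 12:16:04: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15606 to 204.110.227.16/22 flags SYN on interface outside",
    "Jun  2 12:16:05 fw2 kernel: DROP: IN=eth0 OUT= SRC=10.50.215.102 DST=204.110.227.17 PROTO=TCP SPT=15607 DPT=3389",
    "Jun 02 2005 12:20:00: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.9/40000 to 204.110.227.16/443 flags FIN ACK on interface outside",
    "Jun  2 12:20:01 fw2 kernel: ACCEPT: IN=eth0 OUT= SRC=10.50.215.9 DST=204.110.227.17 PROTO=TCP SPT=40001 DPT=443",
]

def run_sample():
    """Normalize the sample and alert on 3 denies from one source within 60 s."""
    events = [e for e in map(normalize, SAMPLE_LOGS) if e]
    term = {"category": "/Firewall/Access", "outcome": "Failure"}
    return events, threshold_alerts(events, term, threshold=3, window_seconds=60)

if __name__ == "__main__":
    for src, when in run_sample()[1]:
        print(f"ALERT {when:%Y-%m-%d %H:%M:%S} repeated firewall denies from {src}")
```

Because the rule matches on the shared category and outcome rather than on vendor message text, the PIX denies and the iptables DROP from the same source count toward one threshold.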
ArcSight Log Management for Compliance, Security & IT Operations
Log Management Needs:
– Universal Event Collection
– Scalable Architecture
– Automated Analysis Lifecycle
– High Performance Collection
ArcSight Log Management for Compliance, Security & IT Operations
Log Management Needs:
– Transaction Assurance
– Minimal Footprint at Remote Sites
– Audit & Litigation Quality Data
– Storage Flexibility
Continue the conversation with your peers at the HP Software Community hp.com/go/swcommunity