sentinellogmanager day1 1 intro

Upload: ryan-belicov

Post on 03-Apr-2018

  • 7/28/2019 SentinelLogManager Day1 1 Intro

    Novell Sentinel Log Manager
    Automated Compliance and Security Management

    Norbert Klasen
    Senior Consultant

    Novell, Inc. All rights reserved.

    Schedule - Day 1

    09:00 Introduction
    09:30 Why Log Manager?
    10:30 Break
    10:45 Installation
    11:15 Queries
    12:00 Lunch
    13:00 Event Source Management
    14:00 Break
    16:00 Wrap-Up

    Schedule - Day 2

    09:00 Data Management
    10:30 Break
    10:45 Actions and Rules
    12:00 Lunch
    13:00 Reporting
    15:00 Integration with Sentinel
    15:45 Q&A

    Market Overview and Solution Architecture

    Security Is a Major Concern

    • Security breaches on the rise, more costly, more visible
    • According to ITRC report, 303 breaches reported in 2009 as of 7/21/09, with over 12 million personal records exposed
    • Almost no organization spared
      > NYPD 80,000 records exposed
      > FAA 45,000
      > UC Berkeley 160,000
      > Aetna 65,000
    • Regulation has been stepped up in response to these risks
    • Today's tools are not up to the challenge of tomorrow's hackers

    Costs of Compliance on the Rise

    • More frequent and cumbersome audits
    • More data needed
    • Deeper and deeper into the org
    • More personnel are needed to analyze data
    • Log files need to be stored and retained for significant periods of time, increasing storage costs
    • Amount of log files constantly increasing

    Where Does Log Management Fit?

    • Log management is a key element of many regulations
      > PCI-DSS requirement 10
      > HIPAA
      > SOX Section 404
      > FERC
    • Log management also provides a holistic view of all IT systems
      > Helps ensure the network is hardened
      > Administrators can spot weakness before it is exploited
      > A starting point for a complete security strategy

    Log Management Challenges

    Log Management Shortcomings

    Why does everyone groan when log management is mentioned?

    • Vendors are not focused on reducing the cost of compliance
    • Vendors sell proprietary storage systems
    • Require customers to buy expensive appliances
    • Store data in proprietary formats

    Log Management Issues - Storage

    Some log management vendors use proprietary storage systems. This causes problems including:

    • Dependence on vendor tools for reporting and search
    • No way to analyze archived data without bringing it back into the vendor's device
    • Difficult to prove that the data is unmodified
    • Some products have no mechanism for forwarding events in real-time, making it a data black hole

    (Graphic label: Your Data Here)

    Reporting Still Problematic

    According to this year's survey, reporting is still a challenge for organizations. The survey broke reporting into a number of different functions. Of those, Using log data to enhance other operations/cost reduction, was considered most difficult by 23 percent of survey respondents and difficult by an additional 35 percent. Other related items, including searching data and creating reports also ranked relatively high on the difficulty question.

    - SANS Log Management Survey 2009

    Reporting and Search

    What do these terms mean in the context of Log Management?

    • Report: A subset of the stored log data, defined and formatted according to a predefined set of criteria
    • Search: A subset of the stored log data, defined and formatted according to an ad-hoc set of criteria

    Typical Reporting / Search Architecture

    Diagram labels: Log Management Server; Raw Data; Parsed Data; Reporting DB; Parsing Appliances / Agents; Log Archive; Indexed raw files

    1. Raw data sent to the appliance is indexed and stored
    2. A separate appliance / agent parses supported events for reporting
    3. Search function uses the indexed flat file data store
    4. Report function uses the parsed data stored in an internal database
    5. Reports and searches can't be run against archives until data is reloaded into Log Management

    Novell Architecture

    Log Management Issues - Retention

    • Some log management tools collect all data
    • Why do they do this?
    • Vendors
      > Want to sell you more storage capacity
      > Aren't intelligent enough to know which data to filter
    • Intelligent filtering can reduce the amount of storage used by the log management system
    • They treat all data equally from a data retention standpoint
      > Archived or deleted based solely on age, not value or retention policy

    Log Management + SIEM

    • Vendors love to tout their real-time capabilities
    • Mediocre log management + mediocre SIEM does not equal great software
    • Novell started with SIEM (Novell Sentinel)
      > Built a log management product that drew on its strengths
      > Not trying to shoehorn SIEM on top of log management
    • We perform exceptionally well with both use cases
    • Once you have log management + SIEM, then what? How do you get actionable data?

    Building Identity-enabled Security

    • Identity Management: Password Management, Account Synchronization, Role-based Provisioning
    • Security Monitoring: Log Management, Real-time Monitoring, Incident Response

    Identity-aware Security and Compliance Monitoring

    Qualifying Questions & Product Positioning

    Continuing the Conversation

    • Ask how their last audit went
      > How long did it take to satisfy their auditor when it came to log files?
      > Was it easy to get all the data together?
    • Are they storing log data longer than they need to?
      > Might be spending more to store their log files than they need to
      > Could be tired of paying for proprietary storage systems for their logs
      > Can also talk about whether the data is stored in proprietary formats
    • Are they worried about customer data?
      > Can they quickly and easily prove who has historically had access to it?
      > How prepared are they to determine the root cause of a data breach... that happened 6 months ago?
    • Does their vendor have the capability to integrate log management with identity management?

    What to Look For

    Want:
    • Homegrown log management, Splunk or LogLogic
    • Existing investments in Novell I&S infrastructure
    • Worried about data security
    • Tough regulatory environment
    • Heterogeneous environment

    Stay away from:
    • Currently using ArcSight or RSA (we can win against them, but not worth your time when they are the incumbent)
    • Compliance or security is not a priority
    • Conversations about netflow analysis

    Sales Advantages

    • Sentinel Log Manager can win in any sales situation
      > Best-of-breed point solution for log management
      > Starting point for a larger conversation about SIEM
      > Building block for identity aware security infrastructure
      > Suitable for large or small deals
    • Late to market, but capitalizing on the mistakes of competitors
    • This product can win against any competitive product
    • Organizational support behind this product
      > Getting a large share of marketing dollars
      > Dedicated people who are supporting the product

    Resources

    • There is a lot of help available to you
    • If you're not sure where to get what you need, contact
      > Brian Singer (PMM) - [email protected]
      > Jason Arrington (PM) - [email protected]
      > Technical Forum - http://forums.novell.com/novell-product-support-forums/sentinel/
    • If you need help with pricing or licensing
      > John Haberland - [email protected]

    Sentinel Log Manager - Pricing

    • Instance based pricing
    • Designed to allow direct comparison to competitors
    • Three tiers of pricing:
      > 500 EPS: List price $25,00 (new)
      > 2500 EPS: List price $40,000
      > 7500 EPS: List price $80,000
    • SAP, Mainframe, other high-end devices require a separate license

    Log Management vs. SIEM

    • Log Management is sometimes referred to as Security Information Management or SIM
    • Security Event Management or SEM is focused on real-time monitoring, alerting, incident response

    Diagram (SEM and Log Management), capability labels as grouped on the slide:
    • Event correlation, Robust alerts, Incident response, Dashboards, Data enrichment, Filtering
    • Data collection, Ad-hoc query, E-mail alerts, Reports
    • Compression, Forensics, Data integrity, Unknown log support, Data retention, Raw log forwarding

    How does SLM relate to Sentinel?

    With the release of Sentinel RD and Sentinel Log Manager we now have a full line of SIEM products:

    • Novell Identity Audit - Log Management for Novell products
    • Sentinel Log Manager - event collection, storage, and reporting for all log sources
    • Sentinel Rapid Deployment - single box Sentinel for smaller organizations or regional deployment, with no external software required
    • Multi-Platform Sentinel - Enterprise class, multi-platform

    Goal is to provide a progression for our customers: solve the immediate tactical problem, then upsell to the eventual solution

    Product Positioning - Log Manager

    • Event collection & storage for all log sources
    • Lot of ad-hoc querying and reporting for all log sources
    • No real-time event correlation and workflow requirements
    • No need for Identity Tracking

    Product Positioning - Sentinel RD

    • Real-time event monitoring, correlation, workflow and reporting
    • Small to medium size organizations
    • Regional deployments
    • Low event rates (no more than 2500-3000 total EPS)
    • Customers do not want to use third party commercial database
    • SLES platform only

    Product Positioning - Sentinel

    • Real-time event monitoring, correlation, workflow and reporting
    • Enterprise Scale rollout
    • High event rates
    • Customer prefers commercial database component (MS-SQL or Oracle)
    • Multi-platform needs

    Feature Comparison: Log Manager / Sentinel RD / Sentinel

    Feature or Capability (compared across Log Manager, Sentinel RD and Sentinel):

    • Web Launching of Client
    • Platform support - SLES
    • Report Crystal Server
    • Report Jasper
    • Remediation
    • Real-time threat dashboard with Advisor
    • High-speed, multi-event correlation
    • Real-time user activity dashboard
    • Platform support: Windows*/RedHat*/Solaris*
    • Managing Raw Event Storage
    • ad-hoc search Web Client
    • Platform support, multiple platform installation
    • Platform support, Oracle or MS SQL

    SIEM Graduated Maturity Model - Novell Entry Points

    Diagram labels: Log Manager Entry Point; Identity Audit Entry Point; Sentinel Entry Point; Sentinel-RD Entry Point; Upsell (three times)

    Competition

    Selected Players

    • ArcSight
      > 2007 Market share 18.6%, Revenue 91.3M
      > Both SEM and Log Management (ArcSight Logger)
    • RSA
      > 2007 Market Share 11.0%, Revenue 61.4M
      > Combination Log Management / SEM appliance
    • NetForensics
      > 2007 Market Share 6.9%, Revenue 34M
      > Both SEM and Log Management (nFX Log One)
    • LogLogic
      > 2007 Revenue $20M, Log Management only
    • Q1 Labs
      > 2007 Revenue $19.5M, Released Log Management in 2008 (QRadar SLIM)

    RSA enVision

    • Former Network Intelligence - current #2 SIEM vendor
    • Products considered combination SIEM / LM
    • Competitive talking points:
      > Mediocre at both the SIEM and LM use cases - Gartner refers to it only as good enough
      > No way to move from single-box to multi-site solution
      > Multi-site solution requires a minimum of 3 appliances per location, so at least 6 for a 2 site installation
      > UI is poorly designed and unresponsive - click, then waaaaait
      > Proprietary database makes it impossible to prove that the data is unmodified
      > No option to filter out unwanted data - buy more EMC storage

    RSA enVision Pricing

    • Simple pricing - they sell boxes
    • NO upgrade path from ES to LS - rip and replace
    • Basic LS pricing scheme, with approx. US street prices:
      > Application Server: $56k
      > Database Server: $56k
      > Local Collector: $56k or $86k
      > Remote Collector: $25k or $46k
      > 60% of production list for standby system
      > 60% of standby list for test system

    LogLogic

    • Historic leader in Log Management space
    • Recently acquired Exaprotect for SEM functionality
    • Competitive talking points:
      > Flagship product stagnant in recent years
      > Face major challenges integrating acquired technology; new technology was not a market leading SEM product
      > Viability concerns - rumors of staff cuts
      > Hardware appliance has lower EPS rates than our solution
      > Database for reporting, flat files for search / retention
      > No Syslog-SSL support

    ArcSight

    • Current leader in overall SIEM / Log Management market
    • Publicly traded, pure-play SIEM vendor
    • In-depth Logger product review here: http://www.sans.org/reading_room/analysts_program/loggerReview_Jan09.pdf
    • Competitive talking points:
      > Standalone Log Manager does almost nothing by itself - SmartConnector appliance needed to convert raw info into ArcSight's CEF event format for reporting, etc.
      > Reputation for upcharging after the sale - separate licenses are needed for Loggers, SmartConnectors, per-CPU charges for ESM Server, per-user charges for ESM console, etc...
      > Similar architecture to LogLogic, with separate DB and flat file data store
      > Clunky search interface - hit next after each page of results

    Arcsight overview

    • Recognized leader in SIEM
    • Three main products
      > Arcsight Event Security Manager (ESM) - Software
      > Arcsight Logger - Hard Appliance
      > Arcsight Express - Standalone SEM / LM Appliance (new)
    • Reputation for being very expensive, upcharging after the initial sale
    • Introduce their Logger initially, then upsell the rest of their products

    SenSage

    • Historical competitor to LogLogic
    • Now refers to their technology as a Log Data Warehouse
    • HP offers an appliance based on SenSage
    • Competitive Talking Points
      > Huge Black hole problem - once the data goes into SenSage it never comes out
      > Now claim to offer real-time SEM capability but we've never seen it in a deal
      > Viability concerns common to all small independent vendors

    Appliances

    • Most Log Management products are sold pre-loaded on hardware appliances
    • Not specialized hardware - a Dell blade with a different faceplate
    • Bundled OS may or may not be hardened - RSA enVision is generic Windows 2003 Server
    • Sentinel Log Manager has three deployment options:
      > Software - SLES11 based installation package
      > Soft Appliance - Self-installing ISO with OS + Sentinel
      > Virtual Appliance - Pre-configured VMWare ESX Image

    High EPS Rates

    • LogLogic and Arcsight have devices that claim 50-100k EPS on a single device
    • These boxes are NOT Log Management devices - all they do is store and archive data
    • Customers need to copy the data from the archive back to a Log Management box for reporting, search
    • Better to leave the data in place and do distributed search
    • Real-world Maximum EPS for a single device:
      > Arcsight Logger: 5000 EPS
      > LogLogic LX: 4000 EPS
      > RSA enVision ES Series (Standalone): 7500 EPS
      > Novell Sentinel Log Manager: Over 10000 EPS in testing, plan to certify at 7500 EPS

    Arcsight Pricing

    • Originally had a Server / Collector model like Sentinel
    • Currently they typically sell Arcsight Logger appliances
    • Basic pricing scheme, with approx. US street prices:
      > ESM server, priced per CPU - $24k, or $30k including DB
      > ESM pattern discovery, per CPU - $13k
      > Data collection per source (Rarely) - Comparable to Sentinel
      > Arcsight Loggers based on event load, geographic needs, and number of devices (more common) - $60k / each
      > Connector Appliances for parsing raw data into CEF - $18k
      > Additional licenses for HA, web console, content subscription services, content packs, identity integration, etc.
    • US federal price list: http://var.immixgroup.com/contracts/sewpIV_pricing.cfm?client_id=19&contract=NNG07DA20B

    Arcsight Pricing (example)

    Sites:
    • New York: 900 Devices, 12,000 EPS
    • Rome: 300 Devices, 4,000 EPS
    • Paris: 700 Devices, 3,000 EPS
    • Security Operations Center

    Cost blocks:
    • 3x E7100s @ $60,580; 3x Connector @ $18,640; Total: $237,600
    • 1x E7100s @ $60,580; 1x Connector @ $18,640; Total: $79,220
    • 2x E7100s @ $60,580; 1x Connector @ $18,640; Total: $139,800
    • 4x ESM CPU @ $30,624 (with Oracle); 4x Discovery @ $13,398; 4x ESM HA @ $15,312; 1x IdentityView @ $66,990; 1x PCI Compliance Insight package @ $22,330; Total: $326,656

    Overall: $783,276

    RSA enVision Pricing (example)

    Sites:
    • New York: 900 Devices, 12,000 EPS
    • Rome: 300 Devices, 4,000 EPS
    • Paris: 700 Devices, 6,000 EPS
    • Security Operations Center

    Cost blocks:
    • 1x LS A60 @ $56,245; 1x LS D60x @ $56,245; 1x LS L605 @ $56,245; 1x LS L605SB @ $36,983; Total: $205,718
    • 1x LS A60 @ $56,245; 1x LS D60x @ $56,245; 1x LS L610 @ $86,118; 1x LS L605 @ $56,245; 1x LS L610SB @ $56,625; 1x LS L605SB @ $36,983; Total: $291,836
    • 1x LS A60 @ $56,245; 1x LS D60x @ $56,245; 1x LS L610 @ $86,118; 1x LS L610SB @ $56,625; Total: $255,233
    • 2x LS A60 @ $56,245; 1x LS D60x @ $56,245; 1x LS L605 @ $56,245; 1x LS L605SB @ $36,983; Total: $261,963

    Overall: $1,014,750

    How to win vs. ArcSight

    Do:
    • Talk about Identity
      > ArcSight 4 includes Identity and Role Correlation, so they will try to talk Identity. We have the advantage here!
    • Highlight their database dependence
      > If the ArcSight database goes down, their data collection, dashboards, correlation, and alerts all stop working. Show this in a POC.
    • Leverage the Novell relationship
      > ArcSight usually has no incumbent presence.
    • Focus on scalability and TCO
      > Shift the focus in the POC to the Event Per Second rate - try to get it above 1000 EPS.
    • Bring in partners
      > ArcSight doesn't generally partner well. We can win by leveraging those relationships.

    Don't:
    • Allow statements to go unchallenged
      > For example, they now say they have database independent correlation, which is provably false in a POC.
    • Only play defense
      > ArcSight reps are very aggressive - we need to drop our own landmines and not play from our heels.
    • Ignore the hardware
      > Apples to apples, Sentinel does more with far less hardware cost.
    • Let them marginalize Sentinel
      > With Novell customers, they try to position Sentinel as only relevant for Novell products
    • Confuse marketing with capability
      > For example, they try to pass off the same report as applicable to multiple regulations.

    Novell Sentinel Log Manager

    Novell Sentinel Log Manager

    • Based on the Novell advanced Sentinel SIEM product
    • Designed to combine quick out-of-the box ROI with the ability for future expansion
    • Intuitive, AJAX-based interface
    • Compressed, file-based data store with signatures for data integrity
    • Out of the box reports and ad-hoc indexed searching
    • Easy integration with Sentinel and the Novell Compliance Management Platform for full SIEM functionality with the Novell unique identity integration

    Data Collection

    • Out-of-the-box support for Syslog and native collection from other protocols
    • Syslog:
      > Support for UDP, TCP, and SSL including authentication and custom certificates
      > Auto-detection of event source type: PIX, Linux, Solaris, etc.
      > Universal syslog collector for unrecognized syslog events
    • Other Protocols:
      > Uses pluggable Novell Sentinel connector framework - additional protocols configured using the Event Source Management interface

    Reliable TCP and Secure SSL

    Data Collection - Syslog

    Data Collection - Other Protocols

    Novell Sentinel Log Manager - Data Storage and Archiving

    • All data is stored in the same storage system
    • Data is automatically compressed to minimize storage requirements - 10:1 ratios are typical
    • Connects to SAN / NAS to expand archive capacity
    • Custom retention policies can be defined based on the value of the information and/or a specific mandate
    • Intuitive graphical interface shows data usage trends and any potential problems
    • Online and Archive refer to storage location only; search and reporting functions work with both

    Reporting and Search

    • Reports and searches run against the same data
    • Search results contain hyperlinks to quickly drill down and refine the search criteria
    • Web 2.0 tools allow search results to begin to appear almost immediately, then automatically update as additional results are found without the need to click to the next page
    • Query and search span online and archived data seamlessly
    • One click converts a search into a reusable report

    Seamless Search

    Diagram labels: Compressed Offline Storage (SAN or NAS); Search UI; Online Storage

    • All other systems must bring storage online to search - time consuming and cumbersome
    • Novell Sentinel Log Manager can search compressed, offline storage on the fly

    Novell Sentinel Log Manager - Reporting and Search

    Novell Sentinel Customers

    • Telecom Argentina
    • U.S. Navy Cyber Defense Operations Command
    • Cite Media Holding Group

    In Summary

    • Log management does not have to be cumbersome and expensive
      > Despite what other vendors may offer
    • Novell Sentinel Log Manager
      > Provides fast ROI
      > Ships with reports that you need for PCI-DSS, HIPAA, SOX and more
      > Stores data in a non-proprietary flat file, on any storage medium, on any file-system
      > Is available as a simple install on any hardware that meets the minimum specifications
      > Is built on the enterprise tested Sentinel

    Unpublished Work of Novell, Inc. All Rights Reserved.

    This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

    General Disclaimer

    This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.