Smart Investigator (slides hosted at ibusinessevents.ro) - transcript
SMART INVESTIGATOR - Find. Alert. Decide. Security done smart™
31st MARCH 2017
Our Company
For 15 years, our company has architected, integrated, deployed and operated the systems that enable
Dell Software Inc. (now Quest Software Inc.) customers to conduct business in today's highly
competitive marketplace.
This gave us the chance to turn our dedication and experience into profit and to become a member of the
Quest Partner Circle, the sole reseller for Romania, Bulgaria and Moldova.
Our vision:
100% secured IT infrastructures
Proactivity in managing daily risks
Real-time visibility across huge volumes of log data
Security Challenges & Limitations of Legacy SIEMs
Our customers asked us to address their recurrent challenges and limitations:
Continuous big data expansion: collection and analysis of increasingly larger amounts of event, historical and security context data
The relational and time-indexed databases behind legacy SIEMs struggle to manage the event and analytics load
Legacy SIEMs show slow performance, inability to manage data effectively, poor visibility and high scaling costs
Smart Investigator to Address Your Needs
Specific Infrastructure
Measurable Events
Achievable Knowledge
Realistic Decision Making
Time-bound & Speed
Empower Specific Infrastructure
Main features
Integration with any existing cyber infrastructure; agent-based or agentless data gathering:
- Direct from systems (Cisco, Fortinet, Juniper, Windows, Linux, Unix)
- From log aggregators (SIEM): HP ArcSight, RSA Security Analytics, Quest InTrust, IBM, Splunk
- From business applications
- From other security tools (vulnerability management, IDS/IPS, DLP, firewalls)
Data Transformation: enrich, transform, manage, correlate and integrate; add business intelligence to security data from Active Directory, business applications and IAM solutions
Unlimited built-in horizontal scalability, with no extra database costs (additional capacity available in 15 minutes with NO downtime)
Archive: encrypt, compress and digitally SIGN; leverage existing storage space by keeping data in file-system-based archives (NEVER vendor locked in)
Empower Specific Infrastructure
[Diagram: High Level Design and Data Flow. Sources feeding the Data Storage Nodes: Dell InTrust, Network Devices (Syslog UDP), Change Auditor Events, SYSLOG TCP/UDP, Log Agent on Windows Servers/Workstations (real-time collection, real-time WMI), Other Logs (Exchange Message Tracking, Custom CSV, EVTX, Custom Database Logs), Cloud Providers/APIs, Cisco ISE. Collection modes shown per source: Real Time, DB based, or DB/Real Time.]
Empower Specific Infrastructure
Unified Event Bus between blocks
Cluster-ready Event Bus -> unlimited scalability and HA
Cisco Support: receive/get FULL Cisco device information:
- NetFlow
- Alerts
- Reports
- Firewalls / Routers / Switches / ISE / SourceFire
Connections between endpoints as events
Measurable Events
Intensive industry-specific expertise for high visibility and compliance
Synthesized results displayed in intuitive graphical charts
Embedded reports to validate control efficiency and effectiveness for frameworks and standards: ISO 27001, COBIT, FISMA, HIPAA, PCI DSS, SOX
Context Sensitive Dashboards & Reports
[Dashboard screenshots (Look & Feel): Top Event Sources; Top Event Categories; Top Event Types: Warning, Failure audit, Success audit, Error, Information]
Achievable Knowledge
The Big Picture, All-in-one View
Advanced Event Search & Filter
Visual Interactive Investigations:
• Graphical interactive drill-ups/drill-downs
• Visually correlate information
• Scheduled/interactive reports
Integrate new cybersecurity feeds into your security orchestration
JavaScript-based event log parsing
Generate events programmatically, based on VERY custom criteria, at log-parsing RUNTIME
Look & Feel: smart filtering, simple and/or composed; interactive decision trees
Enhanced Decision Making Capability
Single point of access to security data: Fraud detection, Cybersecurity, Internal Security, Compliance
Precise identification of security incidents through innovative multi-SIEM/multi-platform data correlation
User-defined alerts and a graphical anomaly analyzer starting from a single exception event
Configurable anomaly detection patterns in network and applications
Investigation Case Management
Time-bound & Speed
Quick access to events and investigation data: 5 seconds to access 2.4 billion events (15 TB)
Correlation between tens of millions of events in 2 seconds
Real-time / schedule-based connectivity to classical SIEM systems for data feeds
Predefined Real-time Alerts
Lower TCO due to high self-manageability and autonomy
Fast Deployment: 30 min - 4 hours
Use Cases: Internal Investigations team
Unify audit data produced by all applications to track access to sensitive information
Quickly investigate security incidents related to internal business application usage
Roll up / drill down on all unified business applications
Fraud alerting rules
Correlate data from all systems involved for meaningful alerts
Information Security team
Massively improve investigation times of security incidents
Unify all security information and security analytics from multiple security log sources:
• SIEM
• Firewalls
• Infrastructure
• Data Loss Prevention systems
• Vulnerability Management systems
• Physical access systems
• Identify anomalous events from infrastructure
Quickly drill down and roll up into data and incidents
Use Cases
Natively integrate with FireEye/other IDS/IPS; firewalls (Cisco ASA, SonicWall, Fortinet, etc.)
Quickly identify attack sources with both high-level aggregated views and grass-roots level data
Quickly identify impacted machines
Easily cross-correlate information from other systems in just 2 clicks: SIEM, internal applications
Cyber Security Team Compliance Team
Operations Team
Search/Locate operational events (from infrastructure, databases, networking)
Horizontal scalability for decreased costs (licensing and hardware)
View/export compliance reports based on several standards: ISO 27001, SOX etc.
Log Archive (file-system based) to store information for several years
Access on a “need to know” basis (segregation of duties):
• Infrastructure Security team members - access only to infrastructure security data
• Investigations team - access to all data
• Cyber Security Team - access to cyber-related data
Valeriu STANCIU
Senior Technical Consultant
Q-EAST SOFTWARE SRL BUCHAREST
55 Clucerului Street, Bucharest, ROMANIA
www.smart-investigator.com