Transcript of 9 SIEM 2010 v2
Slide 1: A Division of Siemens Enterprise Communications GmbH & Co KG
Sales Expert Advanced Solutions
© 2010 Enterasys Networks, Inc., A Division of Siemens Enterprise Communications GmbH & Co KG - All rights reserved.
Agenda
Sales Tools and Resources
SIEM Market
More than 80% of SIEM deployment projects are funded to close a compliance gap
EMEA and APAC are focused primarily on external threat monitoring, but compliance is also a strong driver
Total 2010 revenue forecast at almost $1B
Excellent growth (16% average) projected from 2008-2013
Market Dynamics
2008 SIEM projects had a more narrow, tactical focus ("Phase 1 deployments")
Cisco MARS
No longer considered a viable SIEM product (Gartner, 10/29/09)
Enterasys SIEM, positioned as the master of the other SIEMs, can provide a smooth transition for migrating from Cisco MARS.
Sources: IDC, Gartner
IDC data: "Worldwide Security and Vulnerability Management 2009-2013 Forecast and 2008 Vendor Shares," Charles Kolodgy, October 2009.
Gartner, Magic Quadrant for Security Information and Event Management, May 29, 2009.
Cisco has recently confirmed that it will not be adding support for
new third-party devices to MARS and there is speculation about what
this decision implies about Cisco’s commitment to this product.
(See NetworkWorld, Messmer, Ellen, “Cisco MARS shuts out new
third-party security devices,” 11/06/09
http://www.networkworld.com/news/2009/110609-cisco-mars.html
)
Gartner Research, 10/29/09, “Findings: Cisco MARS Is Becoming Less
Viable as a
General SIEM Solution” Mark Nicolett
“Cisco's recent decision to freeze MARS support for non-Cisco
event sources marks the beginning of the end of MARS as a viable
security information and event management (SIEM) technology.
Organizations that need support for non-Cisco event sources should
plan to move to a viable SIEM solution.”
Threat Detection: Signature Based vs. Anomaly Based / Behavior Based
Network attacks
· Signature Based: Intrusion Prevention Systems (Host and Network-based); compares traffic against a library of known threats (signatures)
· Anomaly Based / Behavior Based: establishes performance baselines (applications, protocols, networks, individuals/devices) and monitors for anomalies
Security Threat Detection
Let's take a closer look at the vulnerability we typically see within present day infrastructures. This is really the "before" picture: before our customers deploy our Secure Networks.
The traditional approach to securing the infrastructure has been to
apply perimeter security in as many places as possible, mostly in
response to a specific threat.
Personal firewall and antivirus technology is a good measure to
protect the edge, but it is optional, meaning that any end user can
turn it off—causing an impact on the network and other users even
if their firewall and antivirus software is running.
Firewalls are good when there is a clear demarcation point between
a threat and an asset (e.g., between the Internet and the
enterprise). But they cannot address threats that are internal,
pervasive or mobile.
IDS is another good technology for detecting anomalies in the network. (Enterasys has one of the leading IDS on the market.) However, an IDS generally sits in the core, and can't determine the exact origination of a threat, nor can it actually do anything about the problem.
VPNs have been categorized as security technologies, but in reality
they’re just protecting a session across the infrastructure, and
are really just a logical interface.
There is still a gaping hole because the network itself is not an
active participant in the overall security architecture. These
technologies on their own are not granular or pervasive enough to
address the entire problem.
Security Information Overload
What is not?
Security Information Overload
Compliance Monitoring & Reporting
Threat Monitoring, Detection,
Enterasys SIEM Value Proposition
Quick time to value
Flexible phased deployments
Reduces the overload of network security events to a manageable, prioritized view of the network
Empowers security administrators to take control of security event information
Delivers security and compliance reports aligned with the goals of the organization
Prioritizes evidence of malicious behavior into practical steps for remediation
Open interoperability with third-party devices and the Enterasys Automated Security Manager for enhanced remediation
Dragon Security Command Console is a Security Information and Event
Manager (SIEM) that combines best of breed detection methodologies
with behavioral analysis and information from third party
vulnerability assessment tools to provide the industry’s most
intelligent security management solution. Dragon Security Command
Console delivers actionable information to effectively manage the
security posture for the largest organizations.
Enterasys SIEM Solves Information Overload
Delivers threat management, log management, compliance reporting
and increased operational efficiency
Collects and combines network activity data, security events, logs,
vulnerability data and external threat data into a powerful
management dashboard
Intelligently correlates, normalizes and prioritizes—greatly
improving remediation and response times, and greatly enhancing the
effectiveness of IT staff
Baselines normal network behavior by collecting, analyzing and
aggregating network flows from a broad range of networking and
security appliances
Complete Visibility with Powerful Dashboard
Compliance Enablement
Reports: Enterasys SIEM offers a robust reporting engine that gives users the capability to quickly and easily create customized reports for the critical business assets essential to compliance
Reports can be created for any portion of the network and almost any measure taken by the SIEM
Default compliance-focused reports and rules are based on industry control frameworks applied to specific regulations
Enterasys SIEM provides critical and detailed compliance reporting
SIEM Base Unit
Enterasys SIEM Components
Flow support for existing NetFlow, sFlow, cFlowd, jFlow, or QFlow from the Behavioral Flow Sensor. A Behavioral Flow Sensor is required to collect flows and forward them to the SIEM. Since NetFlow is unidirectional, the device can support about 1.5 times the flow rate listed in the license.
Flow Collectors
Distribute flow collection throughout the environment
Note: A Behavioral Flow Sensor is required to pass flows into the system. This is required for QFlows as well as existing 3rd party flows.
The flows per minute specified refer to bi-directional flows. NetFlows are unidirectional flows, so if you are using NetFlow, a good rule of thumb is to apply a factor of 1.5: a license supporting 200K bi-directional flows/min will support 300K NetFlows/min. It may be as high as 400K NetFlows/min, but 300K is safe.
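The sizing note above rests on one fact: a NetFlow exporter emits one record per direction, so two records usually collapse into one bi-directional flow that the license is charged for. The Python below is an added example (not Enterasys code) that pairs constructed unidirectional records on their direction-independent 5-tuple and applies the slide's 1.5x (safe) and 2x (upper) rule of thumb to a license figure.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: unidirectional NetFlow-style records from one minute,
# as (src_ip, src_port, dst_ip, dst_port, proto). Each TCP session appears
# twice (one record per direction); the UDP DNS query is one-way only.
SAMPLE_RECORDS: List[Tuple[str, int, str, int, int]] = [
    ("10.0.0.5", 51000, "192.0.2.10", 443, 6),
    ("192.0.2.10", 443, "10.0.0.5", 51000, 6),
    ("10.0.0.6", 51001, "192.0.2.10", 443, 6),
    ("192.0.2.10", 443, "10.0.0.6", 51001, 6),
    ("10.0.0.7", 40000, "198.51.100.53", 53, 17),
]


def pair_flows(records: List[Tuple[str, int, str, int, int]]) -> Dict[tuple, int]:
    """Collapse unidirectional records into bidirectional flows. The key is
    the 5-tuple with the two endpoints sorted, so both directions of one
    session map to the same flow; the value counts records seen per flow."""
    flows: Dict[tuple, int] = defaultdict(int)
    for src, sport, dst, dport, proto in records:
        key = tuple(sorted([(src, sport), (dst, dport)])) + (proto,)
        flows[key] += 1
    return dict(flows)


def bidirectional_count(records: List[Tuple[str, int, str, int, int]]) -> int:
    """Number of bidirectional flows the SIEM license is charged for."""
    return len(pair_flows(records))


def netflow_capacity(bidir_license_per_min: int) -> Tuple[int, int]:
    """Slide rule of thumb: a license for N bidirectional flows/min handles
    about 1.5*N unidirectional NetFlow records/min (safe) and up to 2*N."""
    return (int(bidir_license_per_min * 1.5), bidir_license_per_min * 2)


def within_license(records: List[Tuple[str, int, str, int, int]],
                   bidir_license_per_min: int) -> bool:
    """True if the paired flow count fits the licensed bidirectional rate."""
    return bidirectional_count(records) <= bidir_license_per_min
```

Five NetFlow records here become three licensed flows; the one-way DNS query is why the observed ratio (5:3) sits between the 1.5x safe figure and the 2x ceiling.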
Enterasys SIEM Key Differentiators
Real-time view of any asset within the network
Integrates/correlates information from the widest array of 3rd party devices
Built-in scalable Network Behavior Anomaly Detection system
Groups and weights asset priority to quantify/qualify a security event's risk
Custom data store eliminates the need for secondary software costs and ongoing maintenance
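The "group and weight asset priority" differentiator, together with the earlier "correlates, normalizes and prioritizes" bullet, describes one mechanism: events from different sensors are scored against the importance of the asset they target, so a low-severity alert on a compliance-scoped database outranks a high-severity alert on a guest network. The Python below is an added illustration of that scoring (not Enterasys code); the asset groups, weights and events are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed asset inventory: each asset belongs to a group, and each group
# carries a weight reflecting its importance (here, compliance scope).
GROUP_WEIGHT: Dict[str, int] = {"cardholder-db": 10, "internal-servers": 5, "guest-wifi": 1}
ASSET_GROUP: Dict[str, str] = {
    "10.1.0.10": "cardholder-db",
    "10.2.0.20": "internal-servers",
    "10.9.0.99": "guest-wifi",
}


@dataclass
class Event:
    source: str      # sensor that reported it (IDS, firewall, syslog ...)
    dest_ip: str     # asset the event targets, after normalization
    severity: int    # 1 (low) .. 10 (high) as reported by the sensor
    name: str


def event_risk(evt: Event) -> int:
    """Risk = sensor severity x weight of the group the target asset is in.
    Unknown assets get weight 1 so they are ranked low, not dropped."""
    weight = GROUP_WEIGHT.get(ASSET_GROUP.get(evt.dest_ip, ""), 1)
    return evt.severity * weight


def prioritize(events: List[Event]) -> List[Event]:
    """Return the events ordered highest risk first."""
    return sorted(events, key=event_risk, reverse=True)


# Constructed events from three different sensors for one reporting window.
SAMPLE_EVENTS: List[Event] = [
    Event("firewall", "10.9.0.99", 8, "port scan"),
    Event("ids", "10.1.0.10", 4, "SQL injection attempt"),
    Event("syslog", "10.2.0.20", 6, "repeated auth failure"),
    Event("ids", "203.0.113.7", 9, "exploit signature"),  # asset not in inventory
]
```

With these weights the severity-4 IDS alert on the cardholder database (risk 40) rises above the severity-8 port scan on guest Wi-Fi (risk 8), which is the point of asset weighting.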
Log Management
Gartner, Magic Quadrant for Security Information and Event
Management, 5/29/09.
Strong
Weak
· Disjoint solutions for log and threat management
· Limited Flow support · No NBAD
Strong
No
Compliance Management
Questions That Keep You Up At Night
How do you monitor risk to assets that are critical to your regulatory and corporate compliance mandates?
Can you view the status of these assets and their vulnerability in real time?
Can you monitor the compliance control elements necessary for auditors and compliance?
Can you provide the reports necessary to satisfy compliance?
Do you have the security/IT staff required to satisfy compliance requirements?
Monitoring control framework
Reporting specific to regulations
Security Event Correlation: firewalls, IDS, IPS, AV, NetFlow, sFlow, vulnerability tools, syslog
Most advanced data reduction in the industry
Tolly test: Cisco MARS vs. Enterasys SIEM
Supports response and remediation
User or device behavior
© 2009 Enterasys Networks, Inc. All rights reserved.
“There is nothing more important than our customers”