
METANET IVS
Capabilities refined to meet most pressing
security management objectives
January 14, 2013
Prepared by
Anton Goncharov, CISSP
Founder, Managing Principal
[email protected]
@meta_net
http://metanetivs.com
Quick Introduction
‣ SIEM and Event Management Solutions Provider
‣ Heavy focus on HP ArcSight and Splunk solutions
‣ Based in San Francisco, CA
‣ Team members world-wide
‣ Custom tools
‣ Industry forum - http://siemguru.com
PROPRIETARY AND CONFIDENTIAL
Our Expertise
‣ Experts in:
• Distributed architectures
• Complex integrations
• Custom solutions for a variety of applications
• Services catered to customer needs
‣ Complex environments managed:
• 8,000 Windows Servers monitored remotely (Large Bank)
• 100,000 Identities (Hospital Network)
• Infrastructure to process 2B+ events per day (Defense Contractor)
‣ Strong References - several $8B+ customers currently
Proprietary Enablers
‣ Methodologies
• Event Management Program Capability Maturity Model (CMM)
• SIEM Environment Health Monitoring and Maintenance
‣ Content
• Risk Based Escalation Workflow (ArcSight)
• Standards Based Monitoring (Microsoft Best Practices for SIEM)
• CVS / CVEE Integration Kit for (ArcSight)
‣ Tools
• Integrated Intelligence Feeds (OSINT, Anon Proxy)
• Automated Windows Unified Connector (WUC) Configuration Management
• Plug-and-play Information Security Metrics Solution (Distiller)
Advanced Threat Detection Methodology
Data Sources:
‣ Leading Edge Security Tools (DLP, IDS, malware, end-point)
‣ Threat Intelligence (known hostile hosts and domains)
‣ Indicators of Compromise (file transfers, tools, unusual account activity)
‣ Common Activity Data (successful system access, file access)
Tools:
‣ Correlation (scenario based rules and searches)
‣ Interactive Analytics (visual aids for investigations and forensic discovery)
‣ Anomaly Detection (deviations from baseline, outliers, peer group activity)
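The anomaly-detection element of the methodology (deviations from baseline, outliers, peer group activity) is the one part of the slide that lends itself to a worked example. The Python below is an added example written for this page; it is not MetaNet code and not ArcSight or Splunk content. It runs two checks over constructed daily counts of successful logons per account (users, groups and numbers are invented): a per-user baseline z-score that catches a sudden spike, and a peer-group comparison of each user's normal level that catches an account whose steady behaviour is abnormal for its group, something the per-user check can never see because that account's own history looks consistent.

```python
"""Baseline, outlier and peer-group checks over constructed logon counts (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (invented users and groups, not from the deck): one row per
# user per day with the number of successful interactive logons recorded that day.
HISTORY_DAYS = range(1, 8)  # days 1..7 form the baseline window
TODAY = 8                   # the day being scored


def _row(user, group, day, count):
    return {"user": user, "group": group, "day": day, "count": count}


EVENTS = []
for d in HISTORY_DAYS:
    EVENTS += [
        _row("alice", "finance", d, 10 + d % 3),   # 10..12, steady
        _row("bob",   "finance", d, 9 + d % 2),    # 9..10, steady
        _row("carol", "finance", d, 44 + d % 4),   # 44..47: steady, but far above her peers
        _row("erin",  "finance", d, 10 + d % 2),
        _row("frank", "finance", d, 8 + d % 3),
        _row("dave",  "it",      d, 11 + d % 3),
        _row("grace", "it",      d, 10 + d % 2),
        _row("svc_backup", "it", d, 200),          # flat service account, mixed in with humans
    ]
# Day 8: alice spikes; everyone else stays at their usual level
EVENTS += [
    _row("alice", "finance", TODAY, 61),
    _row("bob",   "finance", TODAY, 10),
    _row("carol", "finance", TODAY, 45),
    _row("erin",  "finance", TODAY, 11),
    _row("frank", "finance", TODAY, 9),
    _row("dave",  "it",      TODAY, 12),
    _row("grace", "it",      TODAY, 10),
    _row("svc_backup", "it", TODAY, 200),
]


def per_user_baseline(events, history_days):
    """Per-user (mean, population stddev) of daily counts inside history_days."""
    series = defaultdict(list)
    for e in events:
        if e["day"] in history_days:
            series[e["user"]].append(e["count"])
    return {u: (mean(c), pstdev(c)) for u, c in series.items()}


def zscore(value, mu, sigma, sigma_floor=1.0):
    """Standard score with a floor on sigma: a perfectly flat baseline (sigma 0)
    must not turn a one-event change into an infinite score."""
    return (value - mu) / max(sigma, sigma_floor)


def baseline_outliers(events, day, history_days, threshold=3.0):
    """Users whose count on `day` sits more than `threshold` sigmas above their own history."""
    base = per_user_baseline(events, history_days)
    flagged = {}
    for e in events:
        if e["day"] != day or e["user"] not in base:
            continue
        z = zscore(e["count"], *base[e["user"]])
        if z > threshold:
            flagged[e["user"]] = round(z, 1)
    return flagged


def peer_group_outliers(events, history_days, threshold=3.0):
    """Users whose normal level (baseline mean) is far above the rest of their group.
    Comparing baseline means rather than today's counts keeps one peer's spike from
    masking the others."""
    base = per_user_baseline(events, history_days)
    group_of = {e["user"]: e["group"] for e in events}
    members = defaultdict(list)
    for user, group in group_of.items():
        if user in base:
            members[group].append(user)
    flagged = {}
    for users in members.values():
        for user in users:
            peers = [base[p][0] for p in users if p != user]
            if len(peers) < 2:
                continue  # too few peers to estimate a spread
            z = zscore(base[user][0], mean(peers), pstdev(peers))
            if z > threshold:
                flagged[user] = round(z, 1)
    return flagged


def score_day(events=EVENTS, day=TODAY, history_days=HISTORY_DAYS):
    """Both checks for one day, keyed by check name."""
    return {
        "baseline_outliers": baseline_outliers(events, day, history_days),
        "peer_group_outliers": peer_group_outliers(events, history_days),
    }


if __name__ == "__main__":
    for check, hits in score_day().items():
        print(f"{check}: {hits}")
```

In a SIEM the daily counts would come from an aggregated query over the successful-system-access events named under Common Activity Data, one row per account per day. The two checks deliberately disagree: alice is a baseline outlier but not a peer outlier, carol is a peer outlier but not a baseline outlier. The service account is also flagged by the peer check, which shows that the result is only as good as the grouping; service accounts belong in their own peer group or behind an explicit exclusion rather than mixed with interactive users.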
CAPABILITIES
Our Services
‣ SIEM Maintenance Services: Health Monitoring, Upgrades, Issue Resolution
‣ MetaNet Tools
‣ ArcSight platform components: ArcSight Express / ESM, Storage Appliance (Logger), Connector Appliance, Smart Connectors
‣ Statistics and Reporting
SIEM Support Options

Capability                                  Maintenance   Support     Bulk Hours
Issue resolution, and escalation with HP    Yes           Yes         Yes
Issue tracking and reporting                Yes           Yes         No
Remote administration                       Yes           No          No
Dedicated resource                          Yes           No          No
Upgrades, maintenance, troubleshooting      Yes           No          Yes*
Time to identify an issue                   Immediate     Uncertain   Uncertain
Time to respond and mitigate                1-4 hrs       1-2 days    1 week
SIEM Consulting
‣ Best Practices
‣ Technical Health Check
‣ Capability Maturity
‣ Architecture Design
‣ Flex Connectors
‣ Advanced Integrations
‣ Custom Solutions
Security Event Monitoring
(Diagram; components shown)
‣ Customer environment: Devices, Event Data, Smart Connectors, ArcSight ESM, Event Data Management, Business Integration
‣ Monitoring layer: Intelligent Content, 24/7 Automation, Alerts and Analytics
‣ Analysts: Customer Analysts; MetaNet Analysts (Co-Sourced or Outsourced)
‣ Outputs: Investigations, Escalation, Reports, Customer Catered Investigations and Reporting
DELIVERABLES
The Results
Maturity Assessment
Event Management Capability Maturity Assessment (radar chart; Maturity Level 0-5 per category)
Categories: Technology, Automation, Mgmt Reporting, Risk Assessment, Process, Resources
Architecture: ArcSight
(Diagram)
‣ Regions: EMEA (London), N. America (Chicago), APAC (Singapore)
‣ Components shown: two ArcSight Express instances, two Loggers, one Connector Appliance, Primary and Secondary Connector VMs in each region
‣ Sources shown: Microsoft Domain Controllers in each region
Architecture: Splunk
(Diagram)
‣ Sites: East Coast Data Center, West Coast Data Center
‣ Components shown: Primary Splunk Server (UCS C240 M3), Splunk PoC (UCS C240), Secondary Indexer East, Secondary Indexer West, Hadoop instance, Active Directory Domain Controller, User Workstations, Local Forwarders, Remote Data Sources
‣ Flows labelled: TCP/9997 (Local Forwarders to indexers), UDP/514 syslog (Remote Data Sources), HTTP, TCP/8000, TCP/389 (Active Directory Domain Controller)
Security Metrics: ArcSight
Report Month: 08-2012 (08-2012 to 09-2012)
‣ Total Base Events: 2,747,464,371
‣ Events In Scope for Monitoring: 881,626
‣ Correlated Events: 26,729,689
‣ Cases Created: 1,600
Charts (images not recoverable): Event Counts by Type; Correlated Events By Priority (priorities 2-9 and 13-19 shown); Overview of Daily Event Counts for days 1-31 of the month, log scale, with series Count(Distinct All_Delivered), Sum(In_Scope), Sum(Correlated) and Sum(Cases)
Source reports: 'Correlated Event Counts' and 'Operational Metrics' -- Built by MetaNet IVS -- http://metanetivs.com -- All Rights Reserved
Security Metrics: Splunk
Metrics: Distiller
THANK YOU
September 16, 2013
Prepared by
Anton Goncharov, CISSP
Founder, Managing Principal
[email protected]
@meta_net
http://metanetivs.com