Get Real-Time Cyber Threat Protection with Risk Management and SIEM
2 likes1,120 views
The Rapid7 and LogRhythm webcast discusses the importance of real-time cyber threat protection through an integrated risk management and SIEM approach. It highlights challenges in security progress, such as lack of relevant information and decision-making frameworks, and emphasizes automated technology for effective threat detection and response. The partnership aims to enhance monitoring efficiency by combining Rapid7's risk assessment capabilities with LogRhythm's real-time analytics, aiming to reduce false positives and improve security visibility.
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
- 1. Rapid7 & LogRythym Webcast: Get Real-Time Cyber Threat Protection with Risk Management and SIEM
- 2. Dana Wolf Director of Products, Rapid7 Presenters 2 Seth Goldhammer Director of Product Management, LogRhythym
- 3. Speed With Control Dana Wolf, Director of Products
- 4. Meaningful progress in security? 4
- 5. 5 Challenges to Forward Progress
- 6. Lack of relevant, right-time information 6
- 7. Lack of decision-making framework 7
- 8. Hard to get others to take action or change 8 IT Guy You mean patch ADOBE? Fix CVE 456?
- 9. Under resourced and over stretched 9
- 10. 10
- 11. Visibility through the chaos 11
- 12. The Rapid7 Solution: Speed with Control for You 12 Brain-dead Simple Remediation Time-Saving Automation
- 13. Rapid7’s Solution: Security Programs 13 Decision Making Frameworks (Real Risk, Policy & Compliance) Offensive Security Infrastructure Fingerprinting Applications Configuration, Vulnerability Content Remediation Guidance Security Program TrendingSecurity Testing Business Context SecurityPrograms Threat & Exploit Information
- 14. Rapid7 & LogRhythm Joint solutions Efficiency & Right-Time information in Monitoring 14
- 15. Rapid7 focused on assessing the risk in your organization based on state of the environment LogRhythm focused on monitoring activities in real-time Content from Rapid7’s portfolio adds context to LogRhythm’s monitoring analytics • OS, Vulnerability, Services, Applications, etc. • Exploits, Malware kits, etc. Assessment & Monitoring 15
- 16. Let Us Get You Started 16
- 17. Get Real-Time Cyber Threat Protection with Risk Management and SIEM LogRhythm Rapid7
- 18. 2012 Verizon Breach Report – Key Stats • The number of compromised records across these incidents skyrocketed • “We will likely continue to see the perpetrators utilize such vulnerabilities as the path of least resistance to gain unauthorized entry” • “92% of incidents were discovered by a third party” (Up 6% from previous year) • “Monitor and mine event logs” critical for large organizations • “Anomaly detection is active in the conversation and growing in importance.”
- 19. ent.heisler COMP=VENUS SORC=Security CATG=Logon/Logoff EVID=540 Logon ID: (0x0,0x9BDC1AFD) Logon Type: 3 Logon Process: GUID: {0e9506c5-1c90-769c-d69f-933db4f52454} Caller User Name: - Caller Source Network Address: - Source Port: ryce.griswold COMP=VENUS SORC=Security CATG=Logon/Logoff EVID=540 OX Logon ID: (0x0,0x9BDC1B32) Logon Type: 3 Logon Process: 08 AM TYPE=SuccessAudit USER=SANDBOXanthony.mack COMP=VENUS SORC=Sec cessful Network Logon: anthony.mack Domain: SANDBOX Logon ID: (0x0,0x9BDC86 eros Authentication Kerberos Workstation Name: Logon GUID: {4899467d-7bea-9b95-1da5-ff948b - Caller - Caller Process ID: - Transited Services: - Source Network Address: - 11 9:08 AM TYPE=SuccessAudit USER=SANDBOXanthony.mack COMP=VENUS SORC= Successful Network Logon: ame: anthony.mack Domain: SANDBOX Logon ID: (0x0,0x9BD Kerberos Authentication e: Kerberos Workstation Name: Logon GUID: {4899467d-7bea-9b95-1da5-ff9 0100101001100100111001100100100101010011100100101011001001001001001100101 0100101001100100111001100100100101010011100100101011001001001001001100101 0100101001100100111001100100100101010011100100101011001001001001001100101 0100101001100100111001100100100101010011100100101011001001001001001100101 0100101001100100111001100100100101010011100100101011001001001001001100101 0100101001100100111001100100100101010011100100101011001001001001001100101 0100101001100100111001100100100101010011100100101011001001001001001100101 0100101001100100111001100100100101010011100100101011001001001001001100101 100100100100100110010101001110101010110101010101001001001001001000011 100100100100100110010101001110101010110101010101001001001001001000011 100100100100100110010101001110101010110101010101001001001001001000011 100100100100100110010101001110101010110101010101001001001001001000011 100100100100100110010101001110101010110101010101001001001001001000011 100100100100100110010101001110101010110101010101001001001001001000011 100100100100100110010101001110 100100100100100110010101001110 Compromised Credentials Suspicious Privileged User Activity Reconnaissance Followed by Attack Critical Service Failed Brute Force Attack Malicious Content Observed Unauthorized Network Connection Opened Zero Day Exploit Detected Host Compromised Medical Records Breached Credit Card Data TransferredUnauthorized Access of ePHI
- 20. Understanding ‘Normal’ User Identity Access Privilege External Context Threat Intelligence IP Reputation GeoLocation Application Access Transactions Error Behavior Host Process Access File Activity Resources Internal Context Business Value Asset Classification Risk Rating Vulnerability Network Connection Direction Content Volume Manual discovery of what’s normal network activity is impractical due to the sheer volume of data across multiple types of dimensions. An unmanageable volume of false positives based on benign anomalies Significant blind spots / false negatives Need an automated technology to learn behavioral attributes across multiple dimensions Normal
- 21. What is multi-dimensional? • Multiple dimensions of behavior can be observed • Multiple techniques through which behavior can be modeled • Multiple behaviors can be modeled in a single rule Why is this important • We can align the behavior we want to model with the ideal analysis technique. • We can reduce false positives by identifying multiple behavioral changes indicating a highly corroborated event. • We enable customers to see behavioral changes they’ve been blind to, enabling the detection of a new class of events. Multi-Dimensional Behavioral Analytics(MDBA)
- 22. Log Manager Log Manager LogRhythm Components Network and Security Devices Routers Switches Next Gen Firewalls IDS/IPS VPN Flow Hosts and Applications Operating System Applications Databases Others Vulnerability Data Physical Card Access Point of Sale Etc. Log Managers LogRhythm System Monitor File Integrity Monitoring File Activity Monitoring Database Activity Monitoring Process Monitoring Network Connection Monitoring Event Manager Events Advanced Intelligence Engine All Log, Flow and Event Data Events Intelligence Alerts SmartResponse™ • In memory processing of all log and flow data • Correlation, pattern recognition, and behavioral analysis • No blind spots – accurate recognition of compromised accounts and hosts, fraud, misuse, data exfiltration, etc Reports Real-Time Big Data Security Analysis
- 23. 1. Vulnerability data collected from Rapid7 Nexpose and Metasploit products 2. For every message, LogRhythm: • Collects • Classifies • GeoTags • Recognizes Events • Assigns Risk Prioritization • Stores log and event data for long term retention • Applies behavioral analysis techniques • Performs correlation across data sources 3. Triggers SmartResponse actions when applicable Integration Use Cases: • Security Risk Assessment • Sophisticated Intrusions • Zero Day Confirmation • Compliance Violations
- 24. Quick Investigations and Forensics • Invaluable insight into internal behavior, potential risks and imminent threats • Quick root cause analysis; Identify sources of attacks • Recognize breach scope • Appropriate presentation for key stake holders
- 25. Knowledge Experts in: Advanced threat detection & response Industry and governmental regulations Compliance automation and assurance Log and event taxonomies and normalization Advanced correlation and rules development Incident response Providing Out-of-the-Box & Continuously Updated Embedded Expertise Layouts designed to present the right information to the right people at the right time Executive Views Compliance-specific Dashboards Role-based Analyst Screens Pre-defined forensic investigations accelerate root cause analysis and impact discovery Comprehensive library of ready-to-use analytic rule sets & alarms enables immediate use for the detection of threats, breaches and compliance violations SmartResponse™ plug-ins accelerate response and reduce the impact of actionable events
- 26. Example Use Cases Prioritizing Attack Data Identify Zero Day Attacks Quick Remediation Identifies vulnerability state of host Correlates IDS and Malware to detected vulnerabilities Alert on attacks to known vulnerabilities Recognizes susceptible attacks Scans for attack behavior pattern Alert on matches for attempted attacks Maintains library of custom, accurate remediation steps Identifies highly suspicious series of anomalies Triggers immediate scan with associated, specific remediation steps