ISSP: Automating a Bank's Security Operations Center

  • Published on
    11-Feb-2017


Transcript

  • ISSP, sergey.makovets@issp.ua

    . 4. 044 390 03 01 044 390 03 02

    Information Systems Security Partners



    ArcSight XML Syslog

    Windows: Failed Login Event
    Oracle: Failed Login Event
    UNIX: Failed Login Event
    Badge Reader: Entry Denied
    OS/390: Failed Login Event

    The first unique strength is event collection and processing. We touched on this earlier, but it is really core to good SIEM operations.

    One of the primary functions of the ArcSight connector is to normalize and categorize the event data. Some SIM products just take the raw event and store it in the database. Others store the event in each of their proprietary formats, and then, when they correlate or report, there is a lot of overhead associated with processing those formats. At ArcSight, we put the various inputs into one common format.

    Here is an example of three different failed login events: Windows, OS/390, and Linux. First, ArcSight connectors parse the different fields of the event and map them into the common event schema in ArcSight. This ensures that the data is stored in a common schema regardless of input format or device type. So instead of the Security Analyst having to understand the different fields contained in each event of each different device, they have a common set of fields.

    ArcSight: 300+, CEF (common event format)


    ArcSight ESM: DLP, IPS, URL-Filtering, SSO, AntiVirus, IdM


    Firewall, VPN


    ArcSight Logger


    125 (real-time data monitors), 48:

    GUI-based: HTML, XLS, PDF


    PCI

    12

    PCI 100

    28 PCI

    PCI

    PAYMENT CARD INDUSTRY (PCI)

    PCI 7

  • 300, CEF; IdM, DAM, DLP, SSO

    IPS, 300

    ArcSight 6 Gartner MQ

    ArcSight 4 Forrester WAVE

    ArcSight SIEM: 16%; 2007 4: $39.3M

    34%

  • ISSP, sergey.makovets@issp.ua


    Next, ArcSight connectors categorize the events. Categorization adds a level of intelligence by providing a common taxonomy across diverse devices. For example, if you wanted to build a report on login activity without categorization, you would have to build the report to include os vendor = microsoft and os = windows. But now you want to add mainframe logins to the report. You would have to modify all reports, filters, and correlation rules in your environment to add ibm. With categorization, you would merely have to create a report with device group = /operating system.

    Categorization enables Security Analysts to learn one intuitive taxonomy rather than having to learn the different languages of each different vendor. The benefit is not only simplicity, but future-proofing of your business analysis. As new system types are added, your analysis doesn't break.
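    As an added example (not code from the presentation or from ArcSight), the Python sketch below shows what the normalization and categorization described in the two passages above amount to: three constructed failed-login events from Windows, Linux and OS/390 are parsed into one hypothetical common schema and tagged with one taxonomy, so a single category filter finds all three without per-vendor conditions. The schema and category names are assumptions, loosely modelled on CEF-style naming.

```python
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed sample raw events (not real logs), one failed login per platform.
RAW_EVENTS = [
    ("windows", "EventID=4625 Account Name: jdoe Source Network Address: 10.0.0.5"),
    ("linux", "sshd[812]: Failed password for jdoe from 10.0.0.5 port 51022 ssh2"),
    ("os390", "ICH408I USER(JDOE) LOGON FAILED INVALID PASSWORD TERMINAL(TC01)"),
]

@dataclass
class CommonEvent:
    """Hypothetical common event schema, loosely modelled on CEF field names."""
    device_vendor: str
    device_product: str
    category_object: str     # taxonomy node, e.g. /Host/Operating System
    category_behavior: str   # e.g. /Authentication/Verify
    category_outcome: str    # e.g. /Failure
    user: str
    source_address: Optional[str]

# Per-device parser: a regex for the raw text plus the vendor/product it maps to.
PARSERS = {
    "windows": (re.compile(r"EventID=4625 Account Name: (?P<user>\S+) "
                           r"Source Network Address: (?P<src>\S+)"), "Microsoft", "Windows"),
    "linux": (re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)"), "Unix", "Linux"),
    "os390": (re.compile(r"ICH408I USER\((?P<user>\w+)\) LOGON FAILED"), "IBM", "OS/390"),
}

def normalize(device: str, raw: str) -> CommonEvent:
    """Parse one raw event into the common schema and categorize it, so every
    failed OS login shares one taxonomy regardless of vendor or log format."""
    regex, vendor, product = PARSERS[device]
    m = regex.search(raw)
    if m is None:
        raise ValueError(f"unparsed {device} event: {raw!r}")
    return CommonEvent(vendor, product, "/Host/Operating System",
                       "/Authentication/Verify", "/Failure",
                       m.group("user").lower(), m.groupdict().get("src"))

def failed_os_logins(events):
    """Vendor-independent filter: one condition on the taxonomy instead of
    'vendor = microsoft and os = windows' repeated for each platform."""
    wanted = ("/Host/Operating System", "/Authentication/Verify", "/Failure")
    return [e for e in events if (e.category_object, e.category_behavior, e.category_outcome) == wanted]

if __name__ == "__main__":
    for e in failed_os_logins(normalize(d, r) for d, r in RAW_EVENTS):
        print(asdict(e))
```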


    SAAS, CRM, Content management, Newsletters, Data Centers, Word processing, Blog, Website, VoIP, eCommerce, File share, Corporate portals, Webinars, Virtualization, Mobility, WebOffice, Videocasting, Trojans, SQL Injections, HTML Injections, Buffer Overflows, Cross-site Scripting attacks, Worms, Viruses in attachments, Spyware in attachments, Botnets, Rootkits, Interactive surveys, Exploits, Phishing, Viruses, Mobile code, Databases, Information leaks, Email, E-banking, DoS
