Norbert Klasen
Senior Consultant
Schedule - Day 1
- 09:00 Introduction
- 09:30 Why Log Manager?
- 10:30 Break
- 10:45 Installation
- 11:15 Queries
- 12:00 Lunch
- 13:00 Event Source Management
- 14:00 Break
- 16:00 Wrap-Up
Schedule - Day 2
- 09:00 Data Management
- 10:30 Break
- 10:45 Actions and Rules
- 12:00 Lunch
- 13:00 Reporting
- 15:00 Integration with Sentinel
- 15:45 Q&A
According to the ITRC report, 303 breaches had been reported in 2009 as of 7/21/09, with over 12 million personal records exposed. Almost no organization was spared:
- NYPD: 80,000 records exposed
- FAA: 45,000
- UC Berkeley: 160,000
- Aetna: 65,000
- Regulation has been stepped up in response to these risks
- Today's tools are not up to the challenge of tomorrow's hackers
- More personnel are needed to analyze data
- Log files need to be stored and retained for significant periods of time, increasing storage costs

Log management:
- Helps ensure the network is hardened
- Lets administrators spot a weakness before it is exploited
- Is a starting point for a complete security strategy
Why does everyone groan when log management is mentioned?
- Vendors are not focused on reducing the cost of compliance
- Vendors sell proprietary storage systems
- Require customers to buy expensive appliances
- Store data in proprietary formats
Some log management vendors use proprietary storage systems. This causes problems including:
- Dependence on vendor tools for reporting and search
- No way to analyze archived data without bringing it back into the vendor's device
- Difficult to prove that the data is unmodified
Some products have no mechanism for forwarding events in real-time, making it a data black hole
Report:
- Define the relevant events
- Format the data
- Customize the report for the specific needs of the organization with filters, etc.
Search:
A subset of the stored log data, defined and formatted according to an ad-hoc set of criteria
Diagram (competitor architecture): Parsed Data, Log Archive. Callout 5: Reports and searches can't be run against archives until data is reloaded into Log Management.
Novell Architecture
Vendors
- Want to sell you more storage capacity
- Aren't intelligent enough to know which data to filter
- Treat all data equally from a data retention standpoint

Intelligent filtering can reduce the amount of storage used by the log management system.
- Vendors love to tout their real-time capabilities
- Mediocre log management + mediocre SIEM does not equal great software
- Novell started with SIEM (Novell Sentinel)
- Built a log management product that drew on its strengths
- Not trying to shoehorn SIEM on top of log management
- We perform exceptionally well with both use cases
Identity-Aware Security
The best way to extract high value from data is to tie events to identities. Gartner weighs in:
Organizations should implement user activity monitoring as part of a strategy to manage external and internal threats and for regulatory compliance. Organizations that wish to employ SIEM technology for user activity monitoring must evaluate the level of integration that is provided by the SIEM vendor for the specific event sources in the environment, but should plan for extensive customization in order to implement monitoring for user activity and the application layer.
Novell, Inc. All rights reserved.
Identity Management
Security Monitoring
- Start by asking what they are using for log management, and whether they are happy with it
- We can make a strong business case for Sentinel Log Manager against any competitor
- If they're using an in-house tool, it's costing them to maintain it, they aren't getting the most out of their logs, and they are probably wasting money on extra storage as well
- If they have no log management today, ask how they are meeting the requirements of the regulation relevant to their industry
- How long did it take to satisfy their auditor when it came to log files? Was it easy to get all the data together?
- They might be spending more to store their log files than they need to
- They could be tired of paying for proprietary storage systems for their logs
- Can also talk about whether the data is stored in proprietary formats
- Can they quickly and easily prove who has historically had access to it?
- How prepared are they to determine the root cause of a data breach... that happened 6 months ago?
- Does their vendor have the capability to integrate log management with identity management?
Want:
- Homegrown log management, Splunk or LogLogic
- Existing investments in Novell I&S infrastructure
- Worried about data security
- Tough regulatory environment
- Heterogeneous environment

Don't want:
- Currently using ArcSight or RSA (we can win against them, but it is not worth your time when they are the incumbent)
- Compliance or security is not a priority
- Conversations about netflow analysis
Sales Advantages
- Best-of-breed point solution for log management
- Starting point for a larger conversation about SIEM
- Building block for identity-aware security infrastructure
- Suitable for large or small deals
- This product can win against any competitive product
- Getting a large share of marketing dollars
- Dedicated people who are supporting the product
Resources
There is a lot of help available. If you're not sure where to get what you need, contact:
- Brian Singer (PMM) - bsinger@novell.com
- Jason Arrington (PM) - jarrington@novell.com
- Technical Forum - http://forums.novell.com/novell-productsupport-forums/sentinel/
- John Haberland - jhaberland@novell.com
Instance-based pricing, designed to allow direct comparison to competitors. Three tiers of pricing:
- 500 EPS: List price $25,000 (new)
- 2500 EPS: List price $40,000
- 7500 EPS: List price $80,000
Log Management is sometimes referred to as Security Information Management (SIM). Security Event Management (SEM) is focused on real-time monitoring, alerting and incident response.

SEM:
- Event correlation
- Robust alerts
- Incident response
- Dashboards
- Data enrichment
- Filtering

Log Management:
- Data collection
- Ad-hoc query
- E-mail alerts
- Reports
- Compression
- Forensics
- Data integrity
- Unknown log support
- Data retention
- Raw log forwarding
With the release of Sentinel RD and Sentinel Log Manager we now have a full line of SIEM products:
- Novell Identity Audit: Log Management for Novell products
- Sentinel Log Manager: event collection, storage, and reporting for all log sources
- Sentinel Rapid Deployment: single-box Sentinel for smaller organizations or regional deployment, with no external software required
- Multi-Platform Sentinel: enterprise class, multi-platform

The goal is to provide a progression for our customers: solve the immediate tactical problem, then upsell to the eventual solution.
Sentinel Log Manager fits when:
- There is a lot of ad-hoc querying and reporting for all log sources
- There are no real-time event correlation and workflow requirements
- There is no need for Identity Tracking

Sentinel Rapid Deployment fits:
- Small to medium size organizations
- Regional deployments
- Low event rates (no more than 2500-3000 total EPS)
- Customers who do not want to use a third-party commercial database
- SLES platform only

Multi-Platform Sentinel fits:
- Enterprise-scale rollout
- High event rates
- Customers who prefer a commercial database component (MS-SQL or Oracle)
- Multi-platform needs
Feature Comparison
Feature or Capability (columns: Id. Audit, Log Manager, Sentinel):
- Platform support: SLES
- Single-event filters and alerts
- Reporting and ad-hoc search
- Data collection: Novell Identity products
- Platform support: Windows*/RedHat*/Solaris*
- Report creation and modification
- Identity-enhanced reports and dashboards
- Data collection: SUSE Linux and Novell OES
- Real-time user activity dashboard
- High-speed, multi-event correlation
- Real-time threat dashboard with Advisor
- Data collection: Industry-wide products
- Manage Raw Event Storage
Feature Comparison
Feature or Capability:
- Platform support: SLES
- Platform support: Windows*/RedHat*/Solaris*
- Platform support: multiple platform installation
- Platform support: Oracle or MS SQL
- Web launching of client ad-hoc search
- Web client report
- Jasper Report
- Crystal Server
- Real-time user activity dashboard
- High-speed, multi-event correlation
- Real-time threat dashboard with Advisor
- Remediation
- Managing Raw Event Storage
Competition
Selected Players
- ArcSight (2007, both): market share 18.6%, revenue $91.3M; SEM and Log Management (ArcSight Logger)
- RSA (2007, combination): market share 11.0%, revenue $61.4M; Log Management / SEM appliance
- NetForensics (2007, both): market share 6.9%, revenue $34M; SEM and Log Management (nFX Log One)
- LogLogic (2007): revenue $20M; Log Management only
- Q1 Labs (2007): revenue $19.5M; released Log Management in 2008 (QRadar SLIM)
RSA enVision
Former Network Intelligence, current #2 SIEM vendor. Products are considered a combination SIEM / LM. Competitive talking points:
- Mediocre at both the SIEM and LM use cases; Gartner refers to it only as "good enough"
- No way to move from single-box to multi-site solution
- Multi-site solution requires a minimum of 3 appliances per location, so at least 6 for a 2-site installation
- UI is poorly designed and unresponsive (click, then waaaaait)
- Proprietary database makes it impossible to prove that the data is unmodified
- No option to filter out unwanted data: buy more EMC storage
Simple pricing: they sell boxes. NO upgrade path from ES to LS (rip and replace). Basic LS pricing scheme, with approx. US street prices:
- Application Server: $56k
- Database Server: $56k
- Local Collector: $56k or $86k
- Remote Collector: $25k or $46k
- 60% of production list for standby system
- 60% of standby list for test system
LogLogic
Historic leader in the Log Management space. Recently acquired Exaprotect for SEM functionality. Competitive talking points:
- Flagship product stagnant in recent years
- Face major challenges integrating acquired technology; the new technology was not a market-leading SEM product
- Viability concerns: rumors of staff cuts
- Hardware appliance has lower EPS rates than our solution
- Database for reporting, flat files for search / retention
- No Syslog-SSL support
ArcSight
Current leader in the overall SIEM / Log Management market. Publicly traded, pure-play SIEM vendor. In-depth Logger product review here:
http://www.sans.org/reading_room/analysts_program/loggerReview_Jan09.pdf
- Standalone Log Manager does almost nothing by itself: a SmartConnector appliance is needed to convert raw info into ArcSight's CEF event format for reporting, etc.
- Reputation for upcharging after the sale: separate licenses are needed for Loggers, SmartConnectors, per-CPU charges for ESM Server, per-user charges for ESM console, etc.
- Similar architecture to LogLogic, with separate DB and flat-file data store
- Clunky search interface: hit "next" after each page of results
Arcsight overview
- Arcsight Event Security Manager (ESM): software
- Arcsight Logger: hardware appliance
- Arcsight Express: standalone SEM / LM appliance (new)
- Reputation for being very expensive, upcharging after the initial sale
- Introduce their Logger initially, then upsell the rest of their products
SenSage
Historical competitor to LogLogic. Now refers to their technology as a Log Data Warehouse. HP offers an appliance based on SenSage. Competitive talking points:
- Huge black hole problem: once the data goes into SenSage it never comes out
- Now claim to offer real-time SEM capability, but we've never seen it in a deal
- Viability concerns common to all small independent vendors
Appliances
- Most Log Management products are sold pre-loaded on hardware appliances
- Not specialized hardware: a Dell blade with a different faceplate
- Bundled OS may or may not be hardened; RSA enVision is generic Windows 2003 Server
- Sentinel Log Manager has three deployment options:
  - Software: SLES11-based installation package
  - Soft Appliance: self-installing ISO with OS + Sentinel
  - Virtual Appliance: pre-configured VMWare ESX image
- LogLogic and Arcsight have devices that claim 50-100k EPS on a single device
- These boxes are NOT Log Management devices; all they do is store and archive data
- Customers need to copy the data from the archive back to a Log Management box for reporting and search
- Better to leave the data in place and do distributed search

Real-world maximum EPS for a single device:
- Arcsight Logger: 5000 EPS
- LogLogic LX: 4000 EPS
- RSA enVision ES Series (standalone): 7500 EPS
- Novell Sentinel Log Manager: over 10000 EPS in testing, plan to certify at 7500 EPS
Arcsight Pricing
Originally had a Server / Collector model like Sentinel. Currently they typically sell Arcsight Logger appliances. Basic pricing scheme, with approx. US street prices:
- ESM server, priced per CPU: $24k, or $30k including DB
- ESM pattern discovery, per CPU: $13k
- Data collection per source (rarely): comparable to Sentinel
- Arcsight Loggers based on event load, geographic needs, and number of devices (more common): $60k each
- Connector Appliances for parsing raw data into CEF: $18k
- Additional licenses for HA, web console, content subscription services, content packs, identity integration, etc.
Cost comparison for two sites (Paris and Rome):

ArcSight (Logger E7100 and Connector appliances), overall: $783,276
- 1x E7100 @ $60,580, 1x Connector @ $18,640; total: $79,220
- 2x E7100 @ $60,580, 1x Connector @ $18,640; total: $139,800

RSA enVision LS, overall: $1,014,750
- 1x LS D60x @ $56,245, 1x LS L610 @ $86,118, 1x LS L605 @ $56,245, 1x LS L610SB @ $56,625, 1x LS L605SB @ $36,983; total: $291,836
- 2x LS A60 @ $56,245, 1x LS D60x @ $56,245, 1x LS L605 @ $56,245, 1x LS L605SB @ $36,983; total: $261,963
- 1x LS A60 @ $56,245, 1x LS D60x @ $56,245, 1x LS L605 @ $56,245, 1x LS L605SB @ $36,983; total: $205,718
- 1x LS A60 @ $56,245, 1x LS D60x @ $56,245, 1x LS L610 @ $86,118, 1x LS L610SB @ $56,625; total: $255,233

Sentinel Log Manager (SLM), overall: $505,000
- 1x 7500 EPS SLM license @ $80,000; total: $80,000
- 1x 7500 EPS SLM license @ $80,000; total: $80,000
Don't:
ArcSight 4 includes Identity and Role Correlation, so they will try to talk Identity. We have the advantage here!
For example, they now say they have database independent correlation, which is provably false in a POC.
If the ArcSight database goes down, their data collection, dashboards, correlation, and alerts all stop working. Show this in a POC.
ArcSight reps are very aggressive; we need to drop our own landmines and not play from our heels.
Apples to apples, Sentinel does more with far less hardware cost.
Shift the focus in the POC to the events-per-second rate; try to get it above 1000 EPS.
With Novell customers, they try to position Sentinel as only relevant for Novell products.
Bring in partners
ArcSight doesn't generally partner well. We can win by leveraging those relationships.
For example, they try to pass off the same report as applicable to multiple regulations.
Don't:
Talk about the need to add business relevance to the raw data coming from the devices.
RSA will focus on anti-database spin, but iSCALE mitigates any DB disadvantages.
Box them in
Sentinel 6.1 RD / SLM improves our ease of use dramatically. The greater number of devices required for enVision makes it tougher to manage for an enterprise implementation.
Sentinel is designed to grow with the customer's needs while keeping hardware and management costs down; they just keep selling more and more boxes.
RSA tries to be both a Log Manager and a SEM with the same device, and isn't very good at either job
Position Sentinel's use of standard reporting, storage and hardware as a positive. We aren't writing our own proprietary DB or selling a box.
They will try to impress the customer with a gigantic number of reports. But those reports are proprietary and can't be customized, and are very security/IT control-centric.
Focus on correlation
- Use your own storage and hardware
- Log files compressed 10:1 on the fly
- Open data format, no lock-in
- Quickly and easily create formatted reports from searches
- 100s of reports available to satisfy PCI-DSS, HIPAA, SOX and much more
- Increased productivity: actually USE your log management tool for security management!
- Based on the Novell advanced Sentinel SIEM product
- Designed to combine quick out-of-the-box ROI with the ability for future expansion
- Intuitive, AJAX-based interface
- Compressed, file-based data store with signatures for data integrity
- Out-of-the-box reports and ad-hoc indexed searching
- Easy integration with Sentinel and the Novell Compliance Management Platform for full SIEM functionality with the unique Novell identity integration
Data Collection
Out-of-the-box support for Syslog and native collection from other protocols.

Syslog:
- Support for UDP, TCP, and SSL, including authentication and custom certificates
- Auto-detection of event source type: PIX, Linux, Solaris, etc.
- Universal syslog collector for unrecognized syslog events
- Uses the pluggable Novell Sentinel connector framework; additional protocols are configured using the Event Source Management interface
Other Protocols:
- All data is stored in the same storage system
- Data is automatically compressed to minimize storage requirements; 10:1 ratios are typical
- Connects to SAN / NAS to expand archive capacity
- Custom retention policies can be defined based on the value of the information and/or a specific mandate
- Intuitive graphical interface shows data usage trends and any potential problems
- "Online" and "Archive" refer to storage location only; search and reporting functions work with both
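The design points made here and on the product overview slide (a compressed flat-file store, signatures for data integrity, and search that spans online and archived data without reloading it) can be shown in a small Python example. This is added illustration, not Novell's code or a description of Sentinel's actual file layout; the gzip segments, SHA-256 hash chain, HMAC key and sample syslog lines are all constructed for the example.

```python
import gzip, hashlib, hmac, re, tempfile
from pathlib import Path

# Constructed sample syslog lines (not captured from a real system).
SAMPLE_EVENTS = [
    "<166>Jul 21 09:00:01 fw01 %PIX-6-302013: Built outbound TCP connection 1234",
    "<38>Jul 21 09:00:02 srv01 sshd[2112]: Accepted publickey for alice from 10.0.0.5",
    "<38>Jul 21 09:00:03 srv01 sshd[2113]: Failed password for root from 10.0.0.9",
]
GENESIS = "0" * 64  # chain anchor for the first segment


def write_segment(path, events, key, prev_digest):
    """Store events as a gzip-compressed flat text file and return a signed manifest
    entry. The HMAC also covers the previous digest, so a deleted or reordered
    segment is detected, not only an edited one."""
    raw = ("\n".join(events) + "\n").encode()
    with gzip.open(path, "wb") as f:
        f.write(raw)
    digest = hashlib.sha256(raw).hexdigest()
    tag = hmac.new(key, (prev_digest + digest).encode(), "sha256").hexdigest()
    return {"file": path.name, "sha256": digest, "prev": prev_digest, "hmac": tag}


def verify_archive(directory, manifest, key):
    """Re-read every segment and check digest, chain link and HMAC with gzip and a hash library only."""
    prev = GENESIS
    for entry in manifest:
        with gzip.open(directory / entry["file"], "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        expected = hmac.new(key, (prev + digest).encode(), "sha256").hexdigest()
        if digest != entry["sha256"] or entry["prev"] != prev:
            return False
        if not hmac.compare_digest(expected, entry["hmac"]):
            return False
        prev = digest
    return True


def search_archive(directory, manifest, pattern):
    """Regex search over every segment, decompressing in memory instead of reloading the archive first."""
    rx = re.compile(pattern)
    hits = []
    for entry in manifest:
        with gzip.open(directory / entry["file"], "rt") as f:
            hits.extend(line.rstrip("\n") for line in f if rx.search(line))
    return hits


def demo():
    key = b"constructed-demo-key"  # assumption: real key handling is out of scope here
    d = Path(tempfile.mkdtemp())
    manifest, prev = [], GENESIS
    for i, chunk in enumerate((SAMPLE_EVENTS[:2], SAMPLE_EVENTS[2:])):
        entry = write_segment(d / f"seg{i}.log.gz", chunk, key, prev)
        manifest.append(entry)
        prev = entry["sha256"]
    intact = verify_archive(d, manifest, key)               # True on the untouched archive
    hits = search_archive(d, manifest, r"sshd\[\d+\]: Failed password")  # 1 hit
    with gzip.open(d / "seg1.log.gz", "wb") as f:           # erase the failed-login record
        f.write(b"")
    return intact, len(hits), verify_archive(d, manifest, key)  # (True, 1, False)
```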
- Reports and searches run against the same data
- Search results contain hyperlinks to quickly drill down and refine the search criteria
- Web 2.0 tools let search results begin to appear almost immediately, then update automatically as additional results are found, without the need to click to the next page
- Query and search span online and archived data seamlessly
- One click converts a search into a reusable report
Seamless Search
Diagram: Search UI, Online Storage, Compressed Offline Storage (SAN or NAS).
All other systems must bring storage online to search, which is time consuming and cumbersome. Novell Sentinel Log Manager can search compressed, offline storage on the fly.
Telecom Argentina
In Summary
Sentinel Log Manager:
- Provides fast ROI
- Ships with the reports that you need for PCI-DSS, HIPAA, SOX and more
- Stores data in a non-proprietary flat file, on any storage medium, on any file system
- Is available as a simple install on any hardware that meets the minimum specifications
- Is built on the enterprise-tested Sentinel
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.