© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
www.mannai.com
from Dedication to Excellence ….
The Next Big Thing: A Case Study in Utilizing End-user Real-Time Analytics Tools in the SOC
Mostafa Soliman – Mannai Trading Company
Colin Henderson – HP
Mostafa Soliman ([email protected])
Home: Alexandria, Egypt
Nexthink Consultant since 2011
ArcSight Consultant since 2012
Senior Security Consultant based in Doha, Qatar since 2011
Colin Henderson ([email protected])
Home: Atlanta, Georgia, USA
Managing Principal, Security Intelligence & Operations Consulting
ArcSight End-User since 2004
ArcSight Consultant since 2008
Introduction
Who Is Mannai?
Where Is Mannai?
What Do We Do?
Design, Consultancy, Implementation, Testing, and Support Services for
Mannai Security Solutions Partners
Endpoint Monitoring with ArcSight
Challenge:
• Endpoints are the entry point for most of the threats to the organization.
• Security & event logs do not always contain meaningful information.
• Some custom monitoring can be done using scripts on endpoints; however, it doesn’t detect all endpoint or end-user activities and requires high maintenance.
Conclusion:
• Endpoints are always a blind spot for ArcSight.
• Leverage ArcSight by integrating it with endpoint monitoring.
What Is Operations Analytics?
Automatically and rapidly collect and extract the essentials from an ocean of data in motion, in order to make decisions and act to better meet the needs and expectations of end-users and the business.
Nexthink Introduction
What Does Nexthink Do?
(Diagram: the questions Who, With What, From Where, To Where, When and How, mapped to the collected attributes User, Application, Binary information, Source, Destination, Port and Time.)
How Does Nexthink Work?
Collector: real-time monitoring
• 500KB passive driver
• 0.1% CPU
• 0.15 kbps NW
• All relevant end-user perspective events
• Zero configuration
Engine: real-time analytics
• Self-learning
• Uncover unknown
• Artificial intelligence
• Abnormal behavior
• Scope of impact
Finder & Portal: real-time visualization
• Heat map
• Topography
• Event highlights
• Root cause
• Trending issues
Security Monitoring with Nexthink
Antivirus
1. Desktops without AV or with non-compliant AV
2. Identify endpoints not updated or not doing regular scans
3. Monitor AV deployment and updates
Desktop Security
1. Monitor security settings and policy compliance
2. Detect malware and security threats
3. Monitor security solution behavior and coverage
User Privileges
1. Monitor local and domain user accounts
2. Identify users/groups with administration privileges
3. Monitor executions and installations of all users
Abnormal Behavior
1. Monitor network behavior by application / user
2. Monitor bandwidth and bit rate by application / user / subnet
3. Monitor unauthorized connections to the Internet/Intranet
Project Monitoring
1. Identify/alert on executions from USB drive
2. Monitor external consultants’ activities
3. Proactively detect problems of new or current tools
Nexthink + ArcSight
The Nexthink and ArcSight integration enhances the detection and investigation of endpoint anomalies.
ArcSight + Nexthink High Threat Level Malware Use Case
Other Use Cases
• Endpoints running files from removable drives
• Endpoints bypassing the proxy to connect to the Internet
• Endpoints doing port scans
• Endpoints with disabled and/or out-of-date antivirus
• Endpoints using Internet broadband connections
• Endpoints executing non-compliant software (IM, P2P, etc.)
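The use cases above are listed by name only. As an added illustration that is not from the presentation, Nexthink or ArcSight, the Python below applies three of them (execution from a removable drive, proxy bypass, port scan) as simple rules over constructed endpoint connection records shaped like the who / with what / to where / port data described earlier; the proxy address, internal ranges, removable drive letters and scan threshold are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Connection:
    """One endpoint connection record: who, with what binary, to where and on which port."""
    host: str
    user: str
    binary_path: str
    dst_ip: str
    dst_port: int

# Environment assumptions for this example; adjust to the real estate before use.
PROXY_IP = "10.0.0.5"                       # assumed corporate web proxy
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed internal address space
WEB_PORTS = {80, 443}
REMOVABLE_PREFIXES = ("E:\\", "F:\\")       # assumed drive letters mapped to removable media
SCAN_PORT_THRESHOLD = 20                    # distinct ports on one destination before flagging a scan

def detect(events):
    """Apply three use-case rules to connection records; return use case -> sorted offending hosts."""
    findings = defaultdict(set)
    ports_seen = defaultdict(set)  # (host, dst_ip) -> distinct destination ports
    for e in events:
        # Use case: a binary executed from a removable drive
        if e.binary_path.upper().startswith(REMOVABLE_PREFIXES):
            findings["removable_drive_execution"].add(e.host)
        # Use case: web traffic to an address outside the internal ranges that is not the proxy
        dst = ip_address(e.dst_ip)
        external = not any(dst in net for net in INTERNAL_NETS)
        if e.dst_port in WEB_PORTS and external and e.dst_ip != PROXY_IP:
            findings["proxy_bypass"].add(e.host)
        # Use case: one host touching many distinct ports on a single destination
        ports_seen[(e.host, e.dst_ip)].add(e.dst_port)
        if len(ports_seen[(e.host, e.dst_ip)]) >= SCAN_PORT_THRESHOLD:
            findings["port_scan"].add(e.host)
    return {k: sorted(v) for k, v in findings.items()}

# Constructed sample records (not real telemetry).
SAMPLE = [
    Connection("PC-01", "alice", r"C:\Program Files\Browser\browser.exe", "10.0.0.5", 443),
    Connection("PC-02", "bob", r"E:\tools\updater.exe", "10.0.0.5", 443),
    Connection("PC-03", "carol", r"C:\Program Files\Browser\browser.exe", "203.0.113.10", 443),
] + [Connection("PC-04", "dave", r"C:\Users\dave\scan.exe", "10.0.0.20", p) for p in range(1, 26)]

if __name__ == "__main__":
    for use_case, hosts in detect(SAMPLE).items():
        print(f"{use_case}: {', '.join(hosts)}")
```

In a real deployment the flagged hosts would be the events forwarded to ArcSight for correlation with other log sources, rather than printed.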
Q & A
Tonight’s party @ Newseum
Time: 7:00 – 10:00 pm
Shuttles run between the hotel’s Porte Cochere (Terrace Level, by registration) and the Newseum from 6:30 – 10:00 pm
Questions? Please visit the Info Desk by registration
Enjoy food, drinks, company, and a private concert by Counting Crows
Please give me your feedback
Session BB3101 – Speakers: Mostafa Soliman and Colin Henderson
Please fill out a survey. Hand it to the door monitor on your way out.
Thank you for providing your feedback, which helps us enhance content for future events.
Thank You