Evolution of the Modern SIEM: Phased Evolution to Security Intelligence
First Generation SIEM Matures to Anchor Security Intelligence

Architecture stack (diagram, from the earliest components at the bottom to the newest at the top):

Log Management
  Reporting; Analysis; Compliance reporting

Security Information Management (SIM) + Security Event Management (SEM)
  Real-time monitoring of events; Security and network devices; Applications; Event correlation; Incident response

1st Gen SIEM
  Monitor traditional security telemetry; Visibility into servers and security systems

Network Behavior Anomaly Detection
  Network activity monitoring (virtual, physical); Full packet capture

Risk Management
  Device configuration & topology; Pre-exploit analysis & simulation; Prioritized vulnerabilities

Next Generation SIEM
  Threat and anomaly detection; Policy-aware compliance; User behavior & context; Analysis before, during, after attack

Next Generation SIEM + Risk Management + Network Behavior Anomaly Detection = Security Intelligence Platform

Future
  Open Systems & SDKs; Increasing levels of context; Full integration of security process & workflow; Deeper vulnerability analysis

Integrated Architecture: Database, Rapid Search & Query | Correlation, Analysis, Normalization | One-console Security

Threat landscape along the timeline: Targets of Opportunity (early) to Targets of Choice (present).

Comparison of the three phases (Phase 1 and Phase 2 data source: Enterprise Strategy Group, Security Management Evolution):

Objective
  Phase 1 - Perimeter: Perimeter defense, log consolidation and correlation.
  Phase 2 - Logging & Compliance: Deeper reporting and analytics, log consolidation, real-time detection, forensics.
  Phase 3 - Security Intelligence: Log management, compliance, threat detection, application monitoring, risk management, user activity monitoring.

Timeframe
  Phase 1 - Perimeter: 2000-2004
  Phase 2 - Logging & Compliance: 2005-2009
  Phase 3 - Security Intelligence: 2010 - present

Architecture
  Phase 1 - Perimeter: Security management was an integrated solution, deeply embedded into existing systems.
  Phase 2 - Logging & Compliance: Maturing of log management and security analytics. Distributed architecture, less intrusive and separated from the data center.
  Phase 3 - Security Intelligence: Network flow included in analytics. Single console.

Data sources
  Phase 1 - Perimeter: Small number of sources supported out of the box.
  Phase 2 - Logging & Compliance: Larger variety of log data sources.
  Phase 3 - Security Intelligence: All relevant security data across the enterprise.

Number of devices managed
  Phase 1 - Perimeter: Dozens to hundreds
  Phase 2 - Logging & Compliance: Hundreds to thousands
  Phase 3 - Security Intelligence: Unlimited, based on the unique scaling requirements of each deployment

Events per second
  Phase 1 - Perimeter: 1,000 to 5,000
  Phase 2 - Logging & Compliance: 10,000+
  Phase 3 - Security Intelligence: Unlimited, based on the unique scaling requirements of each deployment

Storage
  Phase 1 - Perimeter: Hundreds of gigabytes
  Phase 2 - Logging & Compliance: Terabytes
  Phase 3 - Security Intelligence: Unlimited, based on the unique scaling requirements of each deployment

Analytics
  Phase 1 - Perimeter: Event filtering, basic event correlation.
  Phase 2 - Logging & Compliance: Advanced correlation; analytics limited by data type (log only).
  Phase 3 - Security Intelligence: Advanced analytics including network and infrastructure events (VPN, IDS/IPS, etc.), network and application context, and user data via IAM products.

End users
  Phase 1 - Perimeter: Perimeter security team (web services)
  Phase 2 - Logging & Compliance: IT security and compliance teams
  Phase 3 - Security Intelligence: IT security, compliance, operations, auditor, networking and line of business

Breach response
  Phase 1 - Perimeter: Slow, manual gathering of data and device info. Can take years to discover.
  Phase 2 - Logging & Compliance: Often takes months or years to discover. Faster, but limited analytics prevent quick response.
  Phase 3 - Security Intelligence: Real-time / near-real-time discovery of breaches, often with same-day remediation.

Major limitations
  Phase 1 - Perimeter: Manual analysis. False positives/negatives. Limited log file formats. Not scalable; small number of supported devices.
  Phase 2 - Logging & Compliance: Limited data analytics. Data outside of logs cannot be collected. Performance issues with large data sets. False positives and negatives.
  Phase 3 - Security Intelligence: Standards governing bodies not yet formed. Integration with third-party products/sources still labor intensive.

Copyright 2011 Q1 Labs, Inc. All rights reserved. EMS-IG0911
Total Security Intelligence
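The "Analytics" row above separates log-only correlation (Phase 2) from analytics that also consume network flow (Phase 3). The following Python sketch is an added illustration, not code from Q1 Labs or from the original infographic: it normalizes two constructed data types (sshd syslog lines and NetFlow-style records) into one event schema, runs a log-only brute-force rule, and then shows how a flow record lets the same finding be escalated. The log lines, flow record, the `HOST_IPS` asset mapping, the rule names and the thresholds are all constructed assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (assumed input, not from the page).
SYSLOG_LINES = [
    "2024-03-01T10:00:01Z srv01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51234 ssh2",
    "2024-03-01T10:00:03Z srv01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51235 ssh2",
    "2024-03-01T10:00:05Z srv01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51236 ssh2",
    "2024-03-01T10:00:09Z srv01 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51240 ssh2",
    "2024-03-01T10:00:11Z srv01 sshd[1201]: Failed password for bob from 198.51.100.9 port 40000 ssh2",
]

# Constructed flow record (NetFlow-like fields, assumed): srv01 sends ~52 MB to the same external IP.
FLOW_RECORDS = [
    {"ts": "2024-03-01T10:02:30Z", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "bytes": 52_000_000},
]

# Assumed asset inventory: hostname seen in logs -> IP seen in flows (the "context" Phase 3 adds).
HOST_IPS = {"srv01": "10.0.0.5"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize_syslog(line):
    """Map a raw sshd line onto the common event schema; None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m["ts"]), "source": "log", "host": m["host"], "src_ip": m["src"],
            "user": m["user"], "event": "auth_failure" if m["result"] == "Failed" else "auth_success"}


def normalize_flow(rec):
    """Map a flow record onto the same schema so both data types can be correlated together."""
    return {"ts": parse_ts(rec["ts"]), "source": "flow", "src_ip": rec["src_ip"],
            "dst_ip": rec["dst_ip"], "bytes": rec["bytes"], "event": "flow"}


def correlate(events, threshold=3, window=timedelta(minutes=5), big_flow_bytes=10_000_000):
    """Rule 1 (log only): >= threshold failures then a success from one source within the window.
    Rule 2 (needs flow): a Rule 1 host then sends a large outbound flow to that same source IP."""
    events = sorted(events, key=lambda e: e["ts"])
    failures = {}   # (src_ip, host) -> timestamps of recent failures
    findings = []
    for e in events:
        if e["event"] == "auth_failure":
            key = (e["src_ip"], e["host"])
            recent = [t for t in failures.get(key, []) if e["ts"] - t <= window]
            failures[key] = recent + [e["ts"]]
        elif e["event"] == "auth_success":
            key = (e["src_ip"], e["host"])
            recent = [t for t in failures.get(key, []) if e["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"rule": "brute_force_success", "severity": "medium", "host": e["host"],
                                 "src_ip": e["src_ip"], "user": e["user"], "ts": e["ts"]})
        elif e["event"] == "flow":
            escalations = []
            for f in findings:
                if (f["rule"] == "brute_force_success"
                        and HOST_IPS.get(f["host"]) == e["src_ip"]      # flow leaves the brute-forced host
                        and f["src_ip"] == e["dst_ip"]                  # ...towards the IP that logged in
                        and timedelta(0) <= e["ts"] - f["ts"] <= window
                        and e["bytes"] >= big_flow_bytes):
                    escalations.append({"rule": "brute_force_then_large_outbound_flow", "severity": "high",
                                        "host": f["host"], "src_ip": f["src_ip"], "bytes": e["bytes"], "ts": e["ts"]})
            findings.extend(escalations)
    return findings


def run(syslog_lines, flow_records):
    """Normalize both feeds and correlate; flow_records=[] reproduces log-only (Phase 2) analytics."""
    events = [ev for ev in map(normalize_syslog, syslog_lines) if ev]
    events += [normalize_flow(r) for r in flow_records]
    return correlate(events)


if __name__ == "__main__":
    for name, flows in (("log only", []), ("log + flow", FLOW_RECORDS)):
        print(name, [(f["rule"], f["severity"]) for f in run(SYSLOG_LINES, flows)])
```

With logs alone the rule set can only say "a brute force appears to have succeeded"; adding the flow record and the asset mapping turns the same events into a high-severity finding that an analyst can act on the same day, which is the gap between the Phase 2 and Phase 3 "Breach response" rows.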