Symantec Security Information Manager Overview and Future Direction
Mustafa Rassiwala Senior Manager, Product Management
SSIM Overview and Future Direction
SYMANTEC VISION 2012
Threat Landscape
Number of Targeted Attacks is increasing sharply
Evolution of SIEM Solutions
Log Collection and Archiving
Log/Event Query
Compliance Reporting
Real-time monitoring
Security Analytics
Data Collection
Traditional Log Sources
• Network Devices
• Firewalls
• IDS/IPS
New Log Sources
• Network Packets/Flow
• Connections/Session Data
• Database/File Access
• Application/Transaction
• User Activity
Drivers for Analytics
• Detection of Advanced Threats
• Context Aware Security
• Increased Visibility
• Compensate for Loss of Control
• Failures and Operational Root Cause
Response from Symantec
Make Existing Functionality Better
• Query
• Search
• Incident Workflow
Evolve to Address New Analytics
• Additional Context
• New Algorithms
Context And Data Collection
Today
Log Sources
• Network and Security Products
Context
• Asset Information
Future
Expanded Context
• User Information
• Business Context
• Asset Management Systems
• Configuration
• Data Context
• Vulnerability
Data Analysis
Today
Query Based
• Schedule queries for automatic notification and alerts
Correlation Rules
• Wide variety
• Future Proof with Symantec Signature and EMR Values
Future
New Rules
• Based on new data sources
Baseline and Anomaly Detection
• Recognize “good” and alert based on “bad” deviations
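The two analysis styles on this slide, a correlation rule and a baseline-with-deviation detector, are shown below in a small added example. It is not SSIM code and does not use any Symantec rule format; the events, the day windows, the sigma threshold and the minimum-count guard are all constructed assumptions for illustration.

```python
"""Added example (not Symantec SSIM code): a per-user failure baseline with
deviation alerting, plus one correlation rule, over constructed events."""
from collections import Counter
from statistics import mean, pstdev

# Constructed sample events: (day, source_ip, user, outcome).
# Days 1-7 form the learning window; day 8 is the day being monitored.
SAMPLE_EVENTS = []
for day in range(1, 8):
    SAMPLE_EVENTS += [(day, "10.0.0.5", "alice", "fail")] * 2      # normal noise
    SAMPLE_EVENTS += [(day, "10.0.0.5", "alice", "success")] * 5
    SAMPLE_EVENTS += [(day, "10.0.0.7", "bob", "success")] * 4
SAMPLE_EVENTS += [(8, "10.0.0.5", "alice", "success")] * 5
SAMPLE_EVENTS += [(8, "10.0.0.9", "bob", "fail")] * 12             # burst of failures
SAMPLE_EVENTS += [(8, "10.0.0.9", "bob", "success")]               # then a success

LEARN_DAYS = range(1, 8)
MONITOR_DAY = 8


def build_baseline(events, learn_days):
    """Learn what 'good' looks like: per-user daily failure counts over the
    learning window, summarised as (mean, population stdev)."""
    users = {user for day, _, user, _ in events if day in learn_days}
    fails = Counter((day, user) for day, _, user, outcome in events
                    if day in learn_days and outcome == "fail")
    baseline = {}
    for user in users:
        series = [fails[(d, user)] for d in learn_days]   # zero-filled per day
        baseline[user] = (mean(series), pstdev(series))
    return baseline


def anomalies(events, baseline, day, sigma=3.0, min_count=5):
    """Flag users whose failure count on `day` exceeds mean + sigma*stdev.
    min_count (assumed value) stops a zero-variance baseline from alerting on
    one or two failures. Returns sorted (user, count, threshold) tuples."""
    fails = Counter(user for d, _, user, outcome in events
                    if d == day and outcome == "fail")
    out = []
    for user, count in fails.items():
        m, sd = baseline.get(user, (0.0, 0.0))   # unseen user: no history
        threshold = max(m + sigma * sd, min_count)
        if count > threshold:
            out.append((user, count, round(threshold, 2)))
    return sorted(out)


def brute_force_then_success(events, day, min_failures=10):
    """Correlation rule: at least min_failures failed logons from one source
    followed by a success from the same source on the same day.
    Returns (source_ip, user, failures_before_success) per match."""
    fail_count = Counter()
    hits = []
    for d, src, user, outcome in events:   # events are assumed time-ordered
        if d != day:
            continue
        if outcome == "fail":
            fail_count[src] += 1
        elif fail_count[src] >= min_failures:
            hits.append((src, user, fail_count[src]))
            fail_count[src] = 0            # reset so the rule fires once per burst
    return hits


def run():
    """Run both detectors against the constructed sample."""
    baseline = build_baseline(SAMPLE_EVENTS, LEARN_DAYS)
    return (anomalies(SAMPLE_EVENTS, baseline, MONITOR_DAY),
            brute_force_then_success(SAMPLE_EVENTS, MONITOR_DAY))


if __name__ == "__main__":
    deviations, correlated = run()
    print("baseline deviations:", deviations)
    print("correlation hits:", correlated)
```

The baseline detector needs no knowledge of the attack, only of the learning window; the correlation rule encodes a specific sequence. In practice both fire on the same burst, which is the point of running them side by side: the rule gives the analyst the explanation, the baseline catches variants the rule was not written for.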
Investigations and Incident Analysis
Today
Query Driven
• Structured and granular
• Iterative process
Ad-hoc Lookup
• Based on IP address/asset
Dashboard/Reports
• Visualizer provides IP Mapping (Destination-Source)
• Limited Summary Visualizations
Future
Dashboard Driven
• Customizable monitoring
• Baseline/Anomaly driven
Ad-hoc Experience
• Rapid Summary View
• Drill-down capabilities
• Slice/Dice the data iteratively
Historical Analysis
• Pattern Matching on historical log data
• Historical snapshots of context to match log data
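The "ad-hoc experience" and "historical analysis" items on this slide describe three operations an analyst performs during an investigation: summarise, drill down and slice the events; match a sequence pattern against historical logs; and look up what the context (here, an asset's owner) was at the time of an event rather than what it is now. The added example below implements all three over constructed data. It is not SSIM code; the event tuples, the asset-history table and the field names are assumptions made for the illustration.

```python
"""Added example (not Symantec SSIM code): slice/dice summaries, historical
pattern matching and point-in-time context lookup over constructed events."""
from bisect import bisect_right
from collections import Counter, defaultdict

# Constructed firewall-style events: (timestamp, src_ip, dst_ip, action).
EVENTS = [
    (100, "10.1.1.10", "10.2.2.20", "deny"),
    (150, "10.1.1.10", "10.2.2.21", "deny"),
    (200, "10.1.1.11", "10.2.2.20", "allow"),
    (260, "10.1.1.10", "10.2.2.20", "allow"),
    (300, "10.1.1.12", "10.2.2.22", "deny"),
]

# Constructed context history: asset -> [(valid_from_timestamp, owner)], ascending.
# This is the "historical snapshot" idea: ownership changed at t=250.
ASSET_HISTORY = {
    "10.2.2.20": [(0, "finance"), (250, "hr")],
    "10.2.2.21": [(0, "finance")],
}

FIELDS = {"src": 1, "dst": 2, "action": 3}   # column positions in an event tuple


def summarize(events, by):
    """Rapid summary view: event counts grouped by one or more fields."""
    idx = [FIELDS[f] for f in by]
    return Counter(tuple(e[i] for i in idx) for e in events)


def drill_down(events, **filters):
    """Slice: keep only events matching every field=value filter given."""
    return [e for e in events
            if all(e[FIELDS[f]] == v for f, v in filters.items())]


def match_pattern(events, pattern):
    """Historical pattern matching: sources whose time-ordered actions contain
    `pattern` as a contiguous run (e.g. deny, deny, allow)."""
    per_src = defaultdict(list)
    for _, src, _, action in sorted(events):
        per_src[src].append(action)
    pat, n = list(pattern), len(pattern)
    return sorted(src for src, acts in per_src.items()
                  if any(acts[i:i + n] == pat for i in range(len(acts) - n + 1)))


def context_at(asset, ts):
    """Owner of `asset` as recorded at time ts (the snapshot valid then), or
    None when the asset has no history or ts predates its first record."""
    hist = ASSET_HISTORY.get(asset)
    if not hist:
        return None
    pos = bisect_right([t for t, _ in hist], ts) - 1
    return hist[pos][1] if pos >= 0 else None


def enrich(events):
    """Attach the destination asset's owner *at event time* to each event."""
    return [(ts, src, dst, action, context_at(dst, ts))
            for ts, src, dst, action in events]


if __name__ == "__main__":
    print(summarize(EVENTS, ["action"]))
    sliced = drill_down(EVENTS, src="10.1.1.10", action="deny")
    print(summarize(sliced, ["dst"]))
    print(match_pattern(EVENTS, ("deny", "deny", "allow")))
    print(enrich(EVENTS))
```

The iterative workflow is summarize, then drill_down on a value that stands out, then summarize the slice by another field, repeating until the question is answered. The point of `context_at` is that the event at t=260 is attributed to "hr" while the event at t=200 against the same address is attributed to "finance"; enriching with today's asset table would label both as "hr" and misdirect the investigation.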
Next Generation Infrastructure
Today
Virtual Environment
• Support log collection from VSphere and VShield
Future
Cloud Environment
• Collection from Cloud Infrastructure
• Monitor security and business applications hosted in the cloud
Mobile
• Monitor mobile infrastructure and information flow
Application Monitoring
Today
Custom Collectors
• Supports log collection through customized development
• Limited understanding of application
Future
Application Intelligence
• Application Monitoring
Thank you!
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.