Security Integration Splunk and ArcSight
Data Integration for IT security
Wednesday 14th January 2015 IT Analytics’15
Agenda
› Welcome – Ray Bruni
› Eric Blavier – Splunk & Nexthink
› Mostafa Soliman – ArcSight & Nexthink
Splunk and Nexthink
Welcome Eric
Introduction
› Eric Blavier
• Working for Nexthink since 2005
• IT security specialist
• Security projects using Nexthink
  • financial institutions
  • industry
  • governments
  • military
  • Europe / US / Asia
Nexthink security metrics
› Nexthink V5
• generates ~200 datapoints
• ~50% are in real-time
› Security metrics
• Nexthink Security Solution Pack (NSSP)
  • Security Cockpit
  • Web&Cloud
NSSP V5
› Specific set of out-of-the-box investigations for Endpoint Security
o Dynamic inventory
o Unauthorized applications
o Identity & access management
o Vulnerability management & protection
o Secure network configuration
o Indicators of compromise
NSSP Web&Cloud
› Specific set of out-of-the-box investigations for Web & Security (through Nexthink Library)
Splunk
› Splunk
• Collects and indexes machine-generated data from many sources and locations in real time
• Correlates events spanning many diverse data sources
• Can be used as a Security Information and Event Management (SIEM) system
Nexthink DATA
Data integration
› Nexthink Engine -> Splunk
• Using NXQL 2.0 direct Web API
• direct access to Nexthink Engine Database
• https://demo.nexthink.com:1671/2/query?query=(select%20(id%20name%20last_seen)%20(from%20device%20(with%20device_activity%20(between%20now-7d%20now))))%20&format=csv
• new Nexthink Query Language Web interface
Data integration
› Adding data in Splunk
• curl https://<Engine_IP>:1671/2/query?query=NXT_Investigation
• update data interval
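As an added worked example (not code from the slides, from Nexthink or from Splunk), the Python script below builds the NXQL Web API URL in the form shown above, parses the CSV body the Engine returns, and turns each row into a key=value event line that Splunk indexes with its automatic field extraction. The CSV columns, device ids and host names are constructed for the example, the hypothetical `nxt_table` field and the quoting rules are one reasonable layout rather than a Nexthink app convention, and the HTTP call itself is left to curl or the caller so everything here runs offline.

```python
"""Added example (not Nexthink's or Splunk's own code): build an NXQL 2.0
Web API URL with the pattern shown on the slide, parse the CSV the Engine
returns and turn every row into a key=value line that Splunk indexes with
its automatic field extraction. The HTTP call itself is left to curl or
the caller; a constructed CSV response is embedded so the conversion
runs offline. Column names and the sample host names are assumptions."""
import csv
import io
from urllib.parse import quote

# The investigation from the slide: devices with activity in the last 7 days.
NXQL_ACTIVE_DEVICES = (
    "(select (id name last_seen) "
    "(from device (with device_activity (between now-7d now))))"
)


def build_nxql_url(engine_host, query, port=1671, fmt="csv"):
    """https://<Engine_IP>:1671/2/query?query=<NXQL>&format=csv
    Uses standard percent-encoding (spaces -> %20, parentheses -> %28/%29).
    The slide keeps the parentheses literal; that the Engine also accepts
    them encoded is an assumption of this example."""
    return (f"https://{engine_host}:{port}/2/query"
            f"?query={quote(query, safe='')}&format={fmt}")


def parse_nxql_csv(text):
    """CSV body of an NXQL response -> list of dicts, one per row."""
    return list(csv.DictReader(io.StringIO(text)))


def kv_escape(value):
    """Escape backslashes and double quotes so a quoted value survives
    Splunk's KV extraction intact."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"')


def to_splunk_kv(record, table="device", time_field="last_seen"):
    """One event line per row: the timestamp first so Splunk takes it as
    _time, the source table (hypothetical nxt_table field), then every
    column as field="value"."""
    parts = [record.get(time_field, ""), f"nxt_table={table}"]
    parts += [f'{key}="{kv_escape(value)}"' for key, value in record.items()]
    return " ".join(p for p in parts if p)


def nexthink_to_splunk(csv_text, table="device"):
    """Full conversion: NXQL CSV body -> Splunk-ready event lines."""
    return [to_splunk_kv(row, table) for row in parse_nxql_csv(csv_text)]


# Constructed sample response (not real Engine output) with the columns
# selected by NXQL_ACTIVE_DEVICES.
SAMPLE_CSV = """id,name,last_seen
a1b2c3,WS-FIN-017,2015-01-13T09:41:05
d4e5f6,LT-SALES-042,2015-01-14T07:12:33
"""

if __name__ == "__main__":
    print(build_nxql_url("demo.nexthink.com", NXQL_ACTIVE_DEVICES))
    for line in nexthink_to_splunk(SAMPLE_CSV):
        print(line)
```

Feeding the output of `nexthink_to_splunk` to a scripted input (or writing it to a file Splunk monitors) on the data interval mentioned above gives one event per device per poll; the `last_seen` timestamp placed first lets Splunk assign `_time` without a custom props.conf stanza.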
SIEM
› Security information and event management system
• collects real-time data from IT infrastructure
• analyzes, correlates and provides reporting to drive a responsive action
• provides a clear insight into the security posture of a company
› Need notable events and behavior from ENDPOINTS (Nexthink)
Security dashboard
› Security posture
• high level insight of «notable events» across many security domains
• Example of notable security events from Nexthink
  • Endpoint
    • Host(s) with multiple infections
    • Critical priority Host(s) with malware detected
  • Access
    • Insecure or cleartext authentication access detected
    • Default Account activity detected
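The notable events just listed are derived, not raw: a host with several distinct infections, a critical-priority host with any detection, a connection to a service that authenticates in cleartext, a logon with a built-in account. The Python below is an added example (not Splunk's or Nexthink's own correlation logic) showing one way to compute those four notables from Nexthink-style endpoint records. The record shapes, field names, priority labels, the port-to-service table and the default-account list are assumptions, and every sample record is constructed.

```python
"""Added example (not Splunk's or Nexthink's own logic): derive the endpoint
and access notable events listed on the slide from Nexthink-style records.
Record shapes, field names, priority labels and the port-to-service table
are assumptions; all sample records are constructed."""
from collections import defaultdict

# Services whose authentication travels in cleartext (assumed table).
CLEARTEXT_AUTH_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap", 389: "ldap"}
# Built-in accounts whose interactive use should be notable (assumed list).
DEFAULT_ACCOUNTS = {"administrator", "guest", "root"}


def notable_malware(detections, host_priority):
    """detections: [{"host", "threat"}]; host_priority: host -> "critical"|"standard".
    A host with two or more distinct threats, or a critical-priority host
    with any detection, becomes a notable event."""
    threats_by_host = defaultdict(set)
    for d in detections:
        threats_by_host[d["host"]].add(d["threat"])
    notables = []
    for host, threats in sorted(threats_by_host.items()):
        if host_priority.get(host) == "critical":
            notables.append({"host": host, "severity": "critical",
                             "rule": "Critical priority host with malware detected",
                             "threats": sorted(threats)})
        if len(threats) >= 2:  # repeated hits of one threat are one infection
            notables.append({"host": host, "severity": "high",
                             "rule": "Host with multiple infections",
                             "threats": sorted(threats)})
    return notables


def notable_cleartext_auth(connections):
    """connections: [{"host", "user", "dst", "dport", "protocol"}].
    Flags TCP connections to services in CLEARTEXT_AUTH_PORTS."""
    notables = []
    for c in connections:
        service = CLEARTEXT_AUTH_PORTS.get(c["dport"])
        if service and c.get("protocol", "tcp") == "tcp":
            notables.append({"host": c["host"], "severity": "medium",
                             "rule": "Insecure or cleartext authentication access detected",
                             "user": c["user"], "dst": c["dst"], "service": service})
    return notables


def notable_default_accounts(logons):
    """logons: [{"host", "user"}]. Flags logons with a default account name."""
    return [{"host": l["host"], "severity": "medium",
             "rule": "Default account activity detected", "user": l["user"]}
            for l in logons if l["user"].lower() in DEFAULT_ACCOUNTS]


def all_notables(detections, host_priority, connections, logons):
    """Everything the security dashboard would show for this batch."""
    return (notable_malware(detections, host_priority)
            + notable_cleartext_auth(connections)
            + notable_default_accounts(logons))


# Constructed sample batch (not real Nexthink data).
DETECTIONS = [
    {"host": "WS-FIN-017", "threat": "Trojan.GenericKD"},
    {"host": "WS-FIN-017", "threat": "Adware.Agent"},
    {"host": "SRV-PAY-01", "threat": "Trojan.GenericKD"},
    {"host": "LT-SALES-042", "threat": "Trojan.GenericKD"},
    {"host": "LT-SALES-042", "threat": "Trojan.GenericKD"},  # same threat twice
]
HOST_PRIORITY = {"SRV-PAY-01": "critical", "WS-FIN-017": "standard", "LT-SALES-042": "standard"}
CONNECTIONS = [
    {"host": "LT-SALES-042", "user": "jsmith", "dst": "10.20.0.5", "dport": 23, "protocol": "tcp"},
    {"host": "WS-FIN-017", "user": "ahmed", "dst": "10.20.0.9", "dport": 443, "protocol": "tcp"},
    {"host": "WS-FIN-017", "user": "ahmed", "dst": "10.20.0.12", "dport": 389, "protocol": "udp"},
]
LOGONS = [{"host": "WS-FIN-017", "user": "Administrator"}, {"host": "LT-SALES-042", "user": "jsmith"}]

if __name__ == "__main__":
    for n in all_notables(DETECTIONS, HOST_PRIORITY, CONNECTIONS, LOGONS):
        print(n["severity"].upper(), n["host"], n["rule"])
```

Two details matter for dashboard quality: repeated detections of the same threat on one host are counted once (a noisy scanner should not turn one infection into "multiple"), and the LDAP case is only flagged over TCP, where simple binds carry the credential in cleartext; the UDP query in the sample is left alone.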
Nexthink & Splunk
Nexthink NSSP investigations
Get details with Nexthink Finder
ArcSight and Nexthink
Welcome Mostafa
www.mannai.com
From Dedication to Excellence…
The Next Big Thing: A case study in utilizing End-User Real-Time Analytics tools in the SOC
Mostafa Soliman – Mannai Trading Company
✓ Mostafa Soliman ([email protected])
✓ Home: Alexandria, Egypt
✓ Nexthink Consultant since 2011
✓ ArcSight Consultant since 2012
✓ Senior Security Consultant based in Doha, Qatar since 2011
✓ Presented HP-ArcSight & Nexthink integration at HP Protect 2014 (Washington D.C.)
Introduction
Who is Mannai?
Where is Mannai?
What do we do?
Design, Consultancy, Implementation, Testing, and Support Services for Operations, Analytics, Security
Mannai Security Solutions Partners
Endpoint Monitoring with ArcSight
Challenge:
• Endpoints are the entry point for most of the threats to the organization.
• Security & event logs do not always contain meaningful information.
• Some custom monitoring can be done with scripts on endpoints, but this does not detect all endpoint or end-user activities and requires high maintenance.
Conclusion:
• Endpoints are always a blind spot for ArcSight.
• Leverage ArcSight by integrating it with endpoint monitoring.
Nexthink + ArcSight
Nexthink and ArcSight Integration enhances detecting and investigating endpoint anomalies.
Nexthink Data in ArcSight
Integration Use Cases
✓ Endpoints with malicious behavior.
✓ Endpoints running files from removable drive.
✓ Endpoints bypassing the proxy to connect to the Internet.
✓ Endpoints doing port scans.
✓ Endpoints accessing well known malicious URLs.
✓ Endpoints with disabled and/or out-of-date antivirus.
✓ Endpoints using Internet broadband connections.
✓ Endpoints executing non-compliant software (IM, P2P, etc.)
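For these use cases to show up as correlated events in ArcSight, each Nexthink finding has to arrive in a form a SmartConnector parses, and CEF over syslog is the usual route. The Python below is an added example (not ArcSight's or Nexthink's connector code) that maps the use cases above to CEF events with the escaping the format requires. The vendor/product/version header strings, the signature ids, the severities and the hostname are assumptions made up for the example; the sample event is constructed.

```python
"""Added example (not ArcSight's or Nexthink's connector code): format the
endpoint use cases above as CEF events for an ArcSight SmartConnector
listening on syslog. Escaping follows the CEF rules: pipe and backslash
in the header; equals sign, backslash and line breaks in the extension.
Vendor/product strings, signature ids and the use-case table are
assumptions; the sample event is constructed."""
from datetime import datetime, timezone

VENDOR, PRODUCT, VERSION = "Nexthink", "Engine", "5"  # assumed header values

# Use case -> (signature id, name, CEF severity 0-10); ids are made up here.
USE_CASES = {
    "removable_exec": ("NXT-102", "Endpoint running file from removable drive", 5),
    "proxy_bypass": ("NXT-103", "Endpoint bypassing proxy to connect to the Internet", 6),
    "port_scan": ("NXT-104", "Endpoint doing port scans", 8),
    "malicious_url": ("NXT-105", "Endpoint accessing well known malicious URL", 8),
    "av_disabled": ("NXT-106", "Endpoint with disabled or out-of-date antivirus", 6),
    "noncompliant_sw": ("NXT-107", "Endpoint executing non-compliant software", 4),
}


def esc_header(value):
    """Header fields: backslash and pipe must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(value):
    """Extension values: backslash, equals sign and line breaks must be escaped."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(use_case, **extension):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    sig_id, name, severity = USE_CASES[use_case]
    header = "|".join(esc_header(v) for v in (VENDOR, PRODUCT, VERSION, sig_id, name, severity))
    ext = " ".join(f"{k}={esc_ext(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def syslog_line(cef, hostname="nexthink-engine", facility=4, severity=6, when=None):
    """Prefix with an RFC 3164 header (<PRI>Mmm dd hh:mm:ss host) so a
    syslog SmartConnector parses it; facility 4 = auth, severity 6 = info.
    The day is space-padded as RFC 3164 requires."""
    when = when or datetime.now(timezone.utc)
    pri = facility * 8 + severity
    return f"<{pri}>{when:%b} {when.day:2d} {when:%H:%M:%S} {hostname} {cef}"


def example_event():
    """Constructed finding: a setup binary launched from a USB drive, with a
    filename that needs escaping. Returns (cef, syslog line)."""
    cef = to_cef("removable_exec", shost="LT-SALES-042", suser="jsmith",
                 fname="setup=final.exe", filePath="E:\\tools")
    return cef, syslog_line(cef, when=datetime(2015, 1, 14, 10, 0, 0))


if __name__ == "__main__":
    print(example_event()[1])
```

Sending `syslog_line(...)` over UDP or TCP to the SmartConnector's syslog listener is all that remains; the connector maps `shost`, `suser`, `fname` and `filePath` to the standard ArcSight fields, so the use cases can be correlated with the proxy, firewall and authentication events ArcSight already holds.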
Q & A
Remember
› Integration
• Push and/or Pull
• APIs, Email, Syslog
› Extend, Enhance, and Complement
• Data
• Analyze
• Visualize
Thank You!
For more information
Contact your partner or sales rep