
Sponsored by

SIEM

SIEM has evolved and is now a cornerstone of security. However, experts say it alone may not be enough.

Is SIEM up to the challenge?

SIEM tools provide peace of mind to organizations under continual assault, though the challenges are overwhelming without additional assistance, reports Alan Earls.

The world turns and every day cyber security becomes more of a nightmarish challenge. Fortunately, methods and technologies have been pushed ahead, allowing security professionals to occasionally feel like they are ahead of the curve.

Security information and event management (SIEM), which can help to provide analysis of security alerts and makes handling of log security data more manageable, is one of the cornerstones of security practice that has evolved over the past decade. It has helped provide at least some peace of mind to organizations under continual assault. And it is likely to play a continued role going forward. Unfortunately, though, some experts say that SIEM alone may not be enough. The challenges are just too overwhelming without additional assistance. What’s needed, they say, is a combination of best practices and perhaps entirely new capabilities, either within SIEM or working with SIEM. Also on the table are newer deployment options such as managed services.

“Good cyber security is difficult without a SIEM,” notes Allen Harper, executive vice president and chief hacker at Tangible Security, a Columbia, Md.-based consultancy and service provider. “We had a client that had 150 million events in an hour that all needed to be processed in a timely manner. Humans alone can’t do that. However, a good SIEM will bring that down to maybe 100 events that need a closer look.”

On the other hand, he adds, if a SIEM is not tuned right it can produce false positives that could waste time and get people “fired up for nothing.” Of course, false negatives can be just as bad – or worse – because they impart a false sense of security.

“While SIEM has obviously been around for some time, it is finally starting to deliver on some of the promises made in the earlier days,” says Jeffrey Brown, head of IT security, risk and compliance, AIG Investments.

“When it’s done right, it can provide a holistic security view and event correlation across the enterprise.” And, he notes, SIEM can greatly enhance incident response and forensics capabilities as well.

On the other hand, notes Brown, the vision that is rarely achieved in real-world deployments is being able to detect events as they happen, correlating these events with vulnerable systems and responding to attacks in near real-time. “Other features, like remediation ticketing and advanced correlation, are even harder to get right,” he says.

SIEM and its discontents

There is a big divide between the expectation of companies that use SIEM and their vendors about what to expect and about what resources a company might need to dedicate to a SIEM, says Javvad Malik, a senior analyst in the enterprise security practice in the London office of 451 Research, a New York-based consultancy. Thus, he explains, a company might hope to dedicate 1.5 full-time-equivalents (FTEs) to an implementation while the vendor will say they really need three to four FTEs. Understaffed SIEM implementations just aren’t that effective, he notes, adding that the growing overload of incidents also makes it difficult to manage and respond effectively.

52% of breaches used some form of hacking. – 2013 Data Breach Investigations Report, Verizon

www.scmagazine.com | © 2014 Haymarket Media, Inc.

“Larger companies are more likely to have the resources needed to do it right, but in the case of Target, the breach information still got lost among the huge number of alerts they were getting,” says Malik.

It’s the usual matter of finding needles in a haystack, says David Monahan, director of security and risk management, at Enterprise Management Associates (EMA), a Boulder, Colo.-based industry analyst and consulting firm. “SIEM solutions can be very good at crunching down the information to find the needles,” he says. “The problem is in a large organization you may still end up with 10,000 needles. In the case of Target, they had 60,000 alerts a day.”

Thus, in Monahan’s view, SIEM is ripe for acquiring additional capabilities related to analytics. “In the last two years and especially in the last six to 12 months, vendors have begun to move toward analytics and intelligence, so that those raw alerts can be better parsed and prioritized.”

And, warns John McCann, co-founder of Visual Click Software, an Austin, Texas-based provider of computer network security access management and reporting applications, SIEM is still dangerously retrospective. “Since most attacks originate outside the company intranet, what good are event logs in containing a breach?” he posits. “Like a home alarm system that only tracks when doors or windows are opened, it will be clueless when a window is smashed in.”

John Pirc, CTO at NSS Labs, an Austin, Texas-based network testing facility and security consultancy, agrees that SIEMs have taken center stage with their ability to improve the signal-to-noise ratio, and providing a consolidated view of which assets require immediate attention due to security incidents, in addition to a view of compliance reporting, log analysis and other areas.

92% of breaches are perpetrated by outsiders. – 2013 Data Breach Investigations Report, Verizon

Our experts: SIEM smarts

Vikas Bhatia, CEO and executive risk adviser, Kalki Consulting

Armand Boudreau, solutions architect, K logix

Jeffrey Brown, head of IT security, risk and compliance, AIG Investments

Dave Dudley, SOC manager, Rook Security

Richard Friedberg, technical manager, network situational awareness, CERT division, Software Engineering Institute at Carnegie Mellon University

Allen Harper, EVP and chief hacker, Tangible Security

Joe Magee, director, cyber risk services, Deloitte

Javvad Malik, senior analyst, enterprise security practice, 451 Research

John McCann, co-founder, Visual Click Software

David Monahan, director of security and risk management, Enterprise Management Associates (EMA)

John Pescatore, director of emerging security trends, SANS Institute

John Pirc, CTO at NSS Labs

Peter Schawacker, practice resource manager, situational awareness (SIEM), Accuvant

David Williams, SVP, information technology, OceanFirst Bank

Patrick Zanella, associate VP and security, compliance and product practice head, Zensar Technologies

38% of breaches impacted larger organizations. – 2013 Data Breach Investigations Report, Verizon

However, he explains, SIEMs are only as good as the information they contain. “In my opinion, it is unlikely that SIEM vendors can identify an APT in the absence of intelligence on specific attacks that the general security community doesn’t know about,” he says. “In short, SIEM is only as smart as the data you feed it.”

Still SIEMs can be very powerful tools, according to Patrick Zanella, associate vice president and security, compliance and product practice head, with Zensar Technologies, a global information technology services and business process outsourcer headquartered in Pune, India. In his view SIEM platforms have actually improved significantly over the past few years. For example, he notes, some provide a “replay” function that enables an administrator to recreate a past incident or attack and thereby develop a new policy for times when a similar incident might occur in the future.

“Alerts and responses have also improved in most SIEM platforms,” Zanella says. “Early implementations of automated responses caused problems, such as actions being taken when the alert was actually a false positive.” Today the kinks in automatic response systems have mostly been worked out. “More organizations are getting comfortable that their SIEM will properly correlate an attack with information from other tools, such as a web content filtering product, and respond appropriately,” he says.

Zanella says organizations typically use SIEM products for two reasons: to spot evidence of security threats or security breaches, and to ensure their organization is complying with regulatory standards. “All those logs of data captured by the SIEM are growing, especially as SIEM platforms begin to capture usage and incidents from mobile devices. For this reason, some vendors are working to connect business intelligence and analytics tools to SIEM data,” he explains. Zanella points to a Forrester report, “How Proactive Security Organizations Use Advanced Data Practices to Make Decisions,” which proposed that the IT industry is currently poised at the intersection of SIEM, data warehousing and business intelligence, the combination of which could potentially provide the ability to discover and better respond to new threats.

Joe Magee, director, Cyber Risk Services at consultancy Deloitte, also sees a glass that is more than half empty. While some vendors and users are beginning to experiment with newer technologies, such as using Big Data for security purposes, existing investments in SIEM are, in fact, providing performance improvements, he says.

“For these purposes, the single biggest strengths of SIEM technology remain its ability to perform real-time correlation without extensive coding or development of complex algorithms,” he says. In addition, SIEMs have the ability to ingest a wide range of information – both traditional IT data and various forms of referential data – to establish business context and support workflow automation, which in turn can streamline incident handling and reporting, he adds.

But that doesn’t mean SIEMs make it easy. “Despite vendors’ efforts to provide more pre-built use case logic and reports, leveraging SIEM for cyber risk use cases still requires significant customization,” says Magee. Similarly, large-scale SIEM systems are also, in his view, labor-intensive, particularly as the volume of data they ingest increases. “For these reasons, many organizations choose to get outside help, through professional services or managed services,” he says.

20% of network intrusions hit information and professional services firms. – 2013 Data Breach Investigations Report, Verizon

The managed service option

Indeed, according to Zensar’s Zanella, SIEM systems are often expensive to deploy and complex to operate and manage. And, while Payment Card Industry Data Security Standard (PCI DSS) compliance has traditionally driven SIEM adoption in large enterprises, for mid-size and smaller organizations it is often concerns over advanced persistent threats (APTs) that have driven adoption – and led to them looking at the benefits of using a SIEM solution supplied with a managed security service provider (MSSP) option.

A case in point is OceanFirst Bank. “For mid-market companies...it is a challenge to process the security data with our resources, both from an expertise and time perspective,” says David Williams, senior vice president, information technology of the Toms River, N.J.-based bank that has 25 branches throughout several counties. A SIEM solution should be able to intelligently correlate significant events that need attention, he says. “The source systems that may provide the event data are constantly changing and the challenge appears to be correlating new sources and types of data as the attacks become more multi-layered and complex,” he says. “A managed [SIEM] solution coupled with internal review and response processes has proven to be a successful formula for us,” he adds.

“Staffing an internally deployed solution is obviously a challenge unless you are using a ‘follow-the-sun model’ – handing off to regional monitoring depending where it’s daytime – and not all organizations have this kind of coverage ability,” says Brown. “I’ve seen at least one complex global corporation where a 24/7 security operations center (SOC) was able to detect and respond to APT events that spanned multiple business units as they were happening,” he says.

That experience would seem to make the case for a strong, centralized approach when deploying this kind of monitoring, he says. Furthermore, being able to tie in asset and vulnerability data to correlate against attacks offers the promise of a more focused and more intelligent incident response. However, adds Brown, “I am not aware of many companies that have reached that level of maturity yet.”

On the other hand, he adds, the pitfalls of adopting a managed solution include having to trust the third party to effectively monitor and escalate events, coordination with your company in the event of an incident and, in a worst case, dealing with the aftermath if the third party exits the service or goes out of business altogether. “This could leave a company scrambling to get something in place,” he says. Thus, a lot of companies are actually looking for what Brown calls “more of a staff augmentation model,” to handle evenings and weekends, rather than a fully managed service, which, he says, is something that not many of the service providers are really supporting.

Pirc at NSS Labs says it all depends on the budget and available talent. The cost-benefit of using managed services, he explains, is that one is likely getting the best security experience, advising and lessons learned because capable service providers tend to have a lot of experience. “Managed services can be a good thing for a company, but you need to do the cost-benefit analysis of doing the job yourself or outsourcing it to a managed service provider,” he says.

However, that approach may not be for everyone. Armand Boudreau, a solutions architect at K logix, a data security company based in Brookline, Mass., that provides consulting and technology integration to enterprise companies, believes SIEM appliances for large enterprises are here to stay. That is primarily because of the storage and processing requirements of organizations looking to incorporate additional contextual data, such as packet captures and vulnerability data. By contrast, he notes, while options like cloud SIEM offerings are available, they are still impractical for large enterprises due to data retention and online accessibility requirements for historical data and [the need for] integration with other in-house systems.

In fact, notes Deloitte’s Magee, the need to correlate a wide range of both internal and external data for cyber threat detection will probably lead more organizations to prefer a co-sourcing model of managed services – in which a third party helps manage SIEM infrastructure that resides on the customer premise.

Another approach to making SIEMs more responsive and effective is simply augmenting them with specialized intelligence components that perform identity-aware, stateful-attack detection. That approach can help fill some important real-time detection capabilities without bogging down the performance of the central SIEM architecture, says Magee. “De-coupling log storage and collection, for example, from the higher-level data analysis functions can increase effectiveness and performance without sacrificing the volume of data being collected for forensic or compliance purposes,” he says.

These more distributed architectures continue to leverage SIEM for central correlation and workflow management, Magee adds, and are beneficial because they can address the challenges of monitoring more complex environments, while also potentially alleviating some of the performance and capacity issues that SIEM has traditionally suffered.

Among vendors offering a more vitamin-enriched approach to SIEM, Pirc cites RSA’s acquisition of NetWitness and the use of NetWitness as a tool, combined with a SIEM, which could “actually provide you with the missing pieces that could uncover an APT,” he says. “It’s all about the intelligence you feed your SIEM.”

Emerging best practices

When deploying SIEM solutions, there are several key items to keep in mind, according to Richard Friedberg, technical manager, network situational awareness, CERT division of the Software Engineering Institute at Carnegie Mellon University.

First, says Friedberg, understand what questions you are trying to answer, and then leverage those use cases to drive what data is fed into a SIEM. “Often deployments are overburdened with data that analysts aren’t actually using in their day-to-day workflow,” he says.

Second, it is important to ensure that the devices that are sending their data to the SIEM solution are properly configured and tuned. Put another way, one must manage the signal-to-noise ratio of security data entering the SIEM. All too often, he explains, logs that are fed into SIEMs are noisy, littered with false positives from improper intrusion detection system (IDS) or anti-virus tuning. “Ensuring that all of these devices are properly tuned, or at the very least, the ingest is properly filtered, is key to supporting efficient analysis workflows and not overburdening the system,” says Friedberg.

24% of breaches occurred in retail environments and restaurants. – 2013 Data Breach Investigations Report, Verizon

“While many SIEM deployments have focused on making sense of existing event data – where another downstream device has detected an alert based on known malicious activity that is sent to the SIEM – we have seen a recent paradigm shift where analysts are trying to find anomalous, previously unknown, activity within log data,” Friedberg explains. Typically referred to as “hunting operations,” these analytics require combing through massive amounts of raw data in an iterative fashion.

According to Friedberg, this raw data includes both typical security logs, as well as data from other parts of the organization historically considered out of scope of routine security monitoring, including HR data, email records, application logs, etc. “Analysts leverage their knowledge of the business environment, the network architecture and a sophisticated understanding of the protocols in use by the organization to determine normal versus malicious activity,” he says. The workflow then involves iteratively identifying known good traffic and focusing on the “leftover.” Put another way, it can be characterized as “throwing out the hay to find the needles,” he says. However, many SIEM offerings have struggled to keep up with the level of flexible data ingest, the customization to support analysts’ ad-hoc queries, and scalability to support these emerging workflows, he adds.
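The subtraction workflow Friedberg describes, as an added example written for this edit rather than code from the ebook or from any vendor it names: a constructed batch of connection events is parsed, a set of environment-specific allowlist rules strips out the activity the analyst can already explain, and only the leftover is handed back for review. The log format, hosts, users and rules are all assumptions; a real hunt would add rules iteratively as each batch of leftovers is explained.

```python
"""Hunting by subtraction: strip known, explainable activity from a batch of
raw events and hand the analyst only what is left over.

Added example for this edit; not code from the ebook or from any vendor named
in it. The log format, hostnames, users and allowlist rules are constructed."""
import re
from collections import Counter

# Constructed sample of connection events (not real data). Fields:
# timestamp, user, source host, destination (host:port), bytes transferred.
RAW_LOGS = """\
2014-03-10T08:01:12 alice ws-101 mail.corp.example:443 5120
2014-03-10T08:02:44 bob ws-102 crm.corp.example:443 20480
2014-03-10T08:05:03 svc-backup srv-bk-01 nas.corp.example:445 734003200
2014-03-10T09:15:27 alice ws-101 cdn.updates.example:80 1048576
2014-03-10T10:40:10 carol ws-103 crm.corp.example:443 18432
2014-03-10T02:13:55 carol ws-103 203.0.113.8:4444 89128960
2014-03-10T11:02:09 bob ws-102 mail.corp.example:443 4096
2014-03-10T03:30:41 dave ws-104 198.51.100.77:443 2048
2014-03-10T03:31:02 dave ws-104 198.51.100.77:443 2048
2014-03-10T00:00:00 svc-monitor srv-mon-01 crm.corp.example:443 512
this line is malformed and must be skipped, not crash the hunt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<user>\S+) (?P<host>\S+) "
    r"(?P<dst>\S+) (?P<bytes>\d+)$"
)


def parse(raw):
    """Turn raw lines into dicts; unparsable lines are dropped, not fatal."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["bytes"] = int(ev["bytes"])
        ev["hour"] = int(ev["ts"][11:13])
        events.append(ev)
    return events


# Each rule is a piece of knowledge about *this* environment: a rule that
# returns True says "this event is hay", i.e. expected and explained.
# They are deliberately narrow; an over-broad rule would discard needles.
def scheduled_backup(ev):
    return ev["user"] == "svc-backup" and ev["dst"].startswith("nas.corp.example:")


def monitoring_probe(ev):
    return ev["user"].startswith("svc-monitor") and ev["bytes"] < 1024


def patch_cdn(ev):
    return ev["dst"] == "cdn.updates.example:80"


def internal_business_apps(ev):
    # Internal app traffic during business hours only; the same destination
    # at 02:00 from a workstation is left for the analyst to explain.
    return ev["dst"].split(":")[0].endswith(".corp.example") and 8 <= ev["hour"] < 19


RULES = [scheduled_backup, monitoring_probe, patch_cdn, internal_business_apps]


def hunt(events, rules):
    """Apply the allowlist rules in order. Returns (leftover, hay_per_rule)."""
    leftover = list(events)
    removed = Counter()
    for rule in rules:
        keep = []
        for ev in leftover:
            if rule(ev):
                removed[rule.__name__] += 1
            else:
                keep.append(ev)
        leftover = keep
    return leftover, removed


def summarize(leftover):
    """Collapse the leftover to one row per user so the analyst sees 'who',
    not N raw lines; the raw events stay available for drill-down."""
    return dict(Counter(ev["user"] for ev in leftover))


if __name__ == "__main__":
    events = parse(RAW_LOGS)
    left, removed = hunt(events, RULES)
    print(f"{len(events)} events in, {sum(removed.values())} explained, {len(left)} left")
    for name, n in removed.items():
        print(f"  hay removed by {name}: {n}")
    for ev in left:
        print(f"  LEFTOVER {ev['ts']} {ev['user']} {ev['host']} -> {ev['dst']} {ev['bytes']}B")
    print("by user:", summarize(left))
```

The per-rule counts are the feedback loop: a rule that suddenly explains far more (or far less) than it used to is itself a signal that the environment, or the rule, has drifted.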

That shift, he adds, has led security analysts to turn to customized Big Data solutions – often some variant of Hadoop. “In recent interviews with analysts across critical infrastructure, several comments were made that reinforced the level of customization needed and highlighted the fact that it was just as easy to build their own custom solutions instead of completely customizing a vendor offering to meet their unique needs,” Friedberg says.

Of course, all of this activity relies heavily on the quality of data. Thus, according to Friedberg, as businesses evolve and analysts better understand the value of data, the configuration – both of what data is pulled in, and what analytics are run – tends to change frequently. “While this is often easier to implement in custom solutions or in-house deployments, it can also be supported by MSSPs, as long as the flexibility is built into the contract structure,” he says.

“While we have observed a shift away from traditional SIEM offerings, vendors are also quickly adapting to address the customization and scalability needs of the market,” he says. In particular, recent offerings are leveraging Big Data solutions to make it easier for analysts to create custom workflows and run their own ad-hoc queries.

And that observation leads to another: implicitly, if not explicitly, SIEM success requires more than technology. “In my mind the biggest challenges with getting value out of a SIEM are the people and process elements, not the technology itself,” says Brown.

“Deploying a SIEM requires a lot of holistic thinking,” he says. “They do work better when paired with complementary technologies, but there will always be challenges getting everything to work together.” He adds that there are plenty of technological hurdles to overcome. Still, connecting the various components, parsing log data that may have insufficient detail and even getting general systems inventory right can all represent technical roadblocks in a SIEM deployment.

37% of breaches affected financial organizations. – 2013 Data Breach Investigations Report, Verizon

Therefore, Brown recommends always starting out with small, targeted deployments that factor in future scalability. “I think the big mistakes are not managing expectations and starting too broadly, which will lead to high costs and complex implementations,” he says. In fact, many companies jump right in to big, centralized deployments and then turn on all the dials at once. These deployments are typically not resourced correctly in terms of people and scalable technology architectures – and these efforts tend to either stall or fail completely. Another mistake, says Brown, is focusing on check-the-box compliance. PCI compliance remains a strong driver for these types of deployments, but simply putting a SIEM in place to be compliant is not going to provide real value, he says.

“Getting the remediation and incident response processes right takes time, cooperation and agreed-upon processes across the organization,” says Brown. “You can’t just deploy the software and not address the people and process elements.”

In short, SIEM needs to be an enterprise priority. “Getting this right will take funding, resources and cooperation across the organization,” he says. “Simply getting the tools in place can be a challenge, but systems inventory, defining good metrics and the processes that go into incident response and remediation activities usually represent the real challenge,” he adds.

Echoing Brown, Vikas Bhatia, CEO & executive risk adviser at Kalki Consulting, a New York-based provider of cyber security consultancy services, agrees that finding the right staff expertise – and sufficient resources – is the first big challenge that must be met in order to succeed with a SIEM. “That’s what’s needed to increase the maturity of the solution,” he says. However, typically, staffing is set arbitrarily when a SIEM is put in place, based on an expected level of alerts. Later, the manager will often be asked to handle and integrate a far higher number of alerts, whether positives or negatives, without more resources. “You can use the technology to filter the information, but when it comes to alerts, you really need a person to analyze and contextualize that so you can determine what action to take, and when,” says Bhatia.

Then, there is what Bhatia calls the “political ownership of SIEM within the enterprise.” Security operations are normally an enterprise-wide domain, but from a SIEM standpoint there may be siloed systems within departments – HR, for example – that need to be included to track who is and isn’t a current employee. “Getting access can involve bridging political boundaries and may require that you communicate the value of SIEM to the whole organization,” Bhatia notes.

Similarly, when organizations merge or make acquisitions, it can bring additional complications to a SIEM implementation. “We worked with a global organization that had just acquired a smaller firm, and they discovered that the smaller firm had been breached,” Bhatia says. The company then needed to make sure it did not integrate a bad network into its existing operations. Plus, it needed to better monitor the new implementation to discover what was really being attacked.

“That kind of challenge can be akin to trying to change a tire while the car is moving,” he says.

New technical developments

And what further technical refinements are in the offing for SIEM? “I think there are a lot of new features being rolled into SIEM,” says Pirc. Some SIEMs, for example, now have the ability to take in flow-data, which they can flag for abnormalities. “Although useful, this will still require someone digging into the details,” says Pirc. Also, with the massive amount of data that clients are collecting, Pirc sees a growing role for Hadoop as SIEM scales to handle the Big Data problem with the ability to perform parallel processing at the speeds needed to make data actionable.

3 months on average to discover a malicious breach. – Ponemon Institute

Brown sees the big new development in SIEM as putting it in the cloud or even using simple SaaS log management services like Sumo Logic. Splunk, specifically Splunk Cloud, is the name that comes to mind with a full cloud offering, he adds. “In my opinion, however, these offerings are relatively new and much more immature than a full SIEM solution deployed locally,” he warns.

Offering a somewhat different perspective, John Pescatore, director of emerging security trends at the SANS Institute, a Bethesda, Md.-based organization for information security training and certification, predicts there will be two major areas of development for SIEMs – one is reporting-focused SIEM offerings and the other SIEM tools that are much more complex and provide more analytics, but also require more skilled people. The latter category, he warns, has been over-hyped as so-called predictive technology, but there really isn’t any predictive capacity. “All you are doing is speeding up the reaction time,” he says. So, rather than getting results six months later, you will get them in real-time, he explains. “You find out you have a problem when it happens, not when customers start complaining.”

In terms of deployment, Pescatore believes delivery as an application will likely remain dominant. However, he notes, Gartner and the SANS Institute also anticipate growth among service providers, such as Dell and Verizon.

“SIEM is a stone soup affair,” notes Peter Schawacker, practice manager, situational awareness (SIEM), at Accuvant, a Denver-based provider of information security services and solutions. “The quality of what you get out of SIEM depends on how well your data sources support your use cases,” he says. Realistic expectation and persistence matter most when it comes to SIEM.

Dave Dudley, security operations center manager for Indianapolis-based Rook Security, says it is worth remembering that SIEM can be an incredible tool for aggregating and correlating events across a network, but it’s not an “instant win” solution. “A lot of analyst time still needs to be spent going through data, creating correlation rules, analyzing incidents and performing work that just can’t be automated or can’t safely be automated,” he says.

“The big driver for SIEM remains real-time detection and response to attackers,” adds AIG’s Brown. As the experience of Target showed, you also need to get the processes behind the tools right, he says. “It will be interesting to see how the Target situation turns out.” Particularly, the consequences of what kind of liability a business might incur for detecting but failing to respond to alerts like this may set some interesting precedents in the courtroom, he says. On the other hand, getting thousands of events with names like “malware.binary” may not be something an organization is ready to handle, he adds.

There’s still a lot of room to evolve with these tools, he notes. “Correlating SIEM and user identity management certainly comes to mind,” says Brown. “Anomaly detection and being able to zero in on potentially fraudulent behavior also offers a lot of room for improvement from where we are with today’s solutions.”

For more information about ebooks from SC Magazine, please contact Illena Armstrong, VP, editorial, at [email protected].

66% of breaches took months or even years to discover. – 2013 Data Breach Investigations Report, Verizon

Sponsors

EventTracker offers a dynamic suite of award-winning SIEM and log management products that process billions of discrete log messages to deliver vital and actionable information, enabling organizations to identify and address security risks, improve IT security, and maintain regulatory compliance requirements with simplified audit functionality.

For more information, visit www.eventtracker.com

LogRhythm is the largest and fastest growing independent security intelligence company in the world. The company’s patented and award-winning Security Intelligence Platform unifies SIEM, log management, file integrity monitoring, network forensics and host forensics, empowering organizations around the globe to detect and respond to breaches and the most sophisticated cyber threats.

For more information, visit www.logrhythm.com