Hawk Network Defense
Enterprise Event Correlation & Heuristic Trend Analysis for Unified Information Security
www.hawkdefense.com

Who Are We?
• Hawk Network Defense, Inc. [HND]: Network/Applications Security Solutions Provider
• Application and Network Security consulting consortium that recognizes the strengths of an organization built upon cutting-edge technology.
• We maintain the commitment of providing our clients with a seamless transition from insecure coding practices to a reliable commitment to secure code.
• We place importance upon concrete, quality services and solutions while maintaining the sense of urgency our clientele need in order to respond quickly and accordingly.

IT Pains & Problems
• IT Professional Management
  – In a SANS survey, users were asked how log data most benefited their organization:
    • Event detection and tracking of suspicious behaviour
    • Day-to-day IT operations
    • Process control/compliance
    • Employee use monitoring
    • Historical forensic analysis
    • Information leak protection
    • Regulatory compliance

IT Pains & Problems: Automated Correlation & Collection
• Just over 11 percent store their log information for 30-90 days, and a mere nine percent store their log data for six months or more.
• Compliance reporting is also a growing concern among respondents.
• Over the past few years, regulatory bodies have considerably increased the requirements for logging of security-related data.
• Much of the data required by regulations today goes well beyond logs from network and security devices.
• It also includes managing log data from applications where sensitive data might be stored and accessed by end users. This includes:
  » operating systems
  » databases
  » home-grown and commercial applications
  » mainframes
• Tracking access to restricted data must become part of normal operation, as should the ability to tell when access to data is being misused.
IT Pains & Problems: Automated Correlation & Collection (continued)
• Survey respondents are collecting this data to varying degrees.
• Most (77 percent) are collecting firewall log data.
• After that, other forms of data collection drop off precipitously:
  – Collection of antivirus, router and IDS/IPS logs is done by 59 percent of respondents.
  – At the application level, 58 percent are using their O/S logs.
  – 57 percent are using their database logs.
  – 46 percent use logs from their enterprise applications.
  – 33 percent use logs from home-grown applications.
  – Mainframe application logs are used by 22 percent of respondents.

IT Pains & Problems: Automated Correlation & Collection (continued)
• In the SANS study, a majority (63 percent) of respondents are not satisfied with their current log file analysis processes.
• Over half (55 percent) of Global 2000 firms are unhappy with their log analysis processes, even though they spent an average of $187,000 in 2006 on log management.
• Of our respondents, 89% would react favorably to an all-in-one platform for analysis, tracking and storage of log events, suggesting a product such as HAWK offers large and medium-sized networks more than data archival and management.

IT Pains & Problems: Automated Correlation & Collection (continued)
• Nearly two-thirds of IT professionals are unhappy with their log data management systems, due to the lack of correlation and normalization, areas the HAWK system addresses.
• Of those implementing a log management system, two out of three are not deriving the information they need from it.
• Analysis of the Global 2000 reveals that the two top reasons for collecting data are archiving and compliance reporting, which are obviously related.
• Based on their storage retention uses, organizations are not maintaining these logs indefinitely for compliance purposes.
• Most (14 percent) are unsure of how long they maintain their logs, or they rely on the O/S default for that system.
Correlation & Aggregation: HAWK Event Correlation & Aggregation
Automated Correlation & Collection
• Correlation and collection from applications and infrastructure components.
• Distilling them into a homogeneous set of events and analysis will reveal any potential security threats or performance outages.
• Potentially automating responses to reliably detected threats through automated e-mail notification.
• Forrester reports that SIM tools are fast becoming must-haves for security teams wanting more visibility into IT activity within their environment.
• Enterprises' need to filter, aggregate, and correlate event information from multiple sources for real-time monitoring and historical analysis will fuel the projected growth of this market.

Unified Information Event Correlation: Why Information Event Correlation?
• Monitoring network vitals and host infrastructure for:
  • Digital security attacks
  • System performance outages
  • Corporate policy violations
• Achieving IT infrastructure goals such as:
  • Monitoring network performance and security violations.
  • Increasing the value of existing security investments.
  • Improving the effectiveness of security personnel.
  • Bridging existing security knowledge gaps.
  • Measuring security performance against key metrics.
• Secure your network with real-time notification.

Event Correlation Target Demographic
• Business units associated with:
  • Health (HIPAA)
  • Government
  • Financial (PCI, GLBA)
  • Publicly traded entities (Sarbanes-Oxley)
• Small/Medium/Enterprise-sized businesses with:
  • Network/host intrusion detection and prevention security devices
  • Microsoft Windows IIS, MsSQL, Active Directory and more
  • Unix/Linux/BSD servers
  • Network routers, switches, and firewalls
  • Wireless access points and more

The HAWK Benefit: Information Event Monitoring Benefits
• Provides a 'single pane of glass' that makes sense of thousands of events.
• Expose and investigate hidden security threats in real time.
• Customized event correlation sensors tuned to your network's unique activity patterns.
• Scheduled reports based on the client's needs, detailing:
  • activity analysis
  • average event occurrences
  • incident response timelines
• Infrastructure security consulting services also available.
• Zero (0) system integration problems.
• The greater the network "diversity", the better.

Event Aggregation & Normalization (diagram slide)

Event Correlation Architecture (diagram slide)

HAWK Event Correlation: Executive Dashboard (diagram slide; labels)
• Advanced vendor support
• Simple, painless integration
• Quick, on-site installation
• Infrastructure planning
• Investigate hidden threats
• HAWK Network Appliance: multi-threaded engine
• Compliance reporting
• Client quality assurance
• Hands-free maintenance
• Emergency support
• IT incident response

HAWK Core Functionality Benefits: Advantages of Event Correlation
• Decreasing response time for routine attacks and expediting root cause analysis.
• Hours before IT determines the underlying issue and starts resolution:
  - Without HAWK: Three (3) to Twelve (12) hours
  - With HAWK: Within the hour (less than 60 minutes)
• Potentially automating responses to reliably detected threats:
  - Automated e-mail notifications
  - Automated SMS (cellular text message) notifications
• Identifying suspicious activity without prior knowledge of the attack.
• Gain a comprehensive business-risk viewpoint of your network.
• Quickly adapting to new and constantly changing threats.
• Streamlining data from multiple sources.
• Pinpointing bottlenecks and points of failure.

Enterprise ACL Group Policies (diagram slide)

Technical Features Overview: Event Correlation and Real-Time Monitoring & Analysis
• Enterprise information assurance protection and management.
• Log/event correlation with support for over 50 vendors.
• Patent-pending "Heuristic Learning & Trend Analysis".
• Schedulable enterprise information report management.
• Multi-tiered enterprise "user/resource" access control.
• Provide your client the ability to protect its historical information between business groups.

HAWK Core Functionality Benefits: Two Types of Event Correlation, Rule-Based & Statistical
• Rule-based correlation uses defined rule-sets to relate events and analyze them in a broader context. The HAWK Rules Engine analyzes events, searching for rules they match.
• Statistical correlation relies on accumulated knowledge of normal events to identify patterns, which serve as points of comparison for new events. A pre-set algorithm calculates an incoming event's threat level based upon its deviation from historical norms.

HAWK Core Functionality Benefits: What Sets HAWK Apart? Heuristic Technology
"A heuristic computer program is one which begins with only an approximate method of solving a problem within the context of some goal, and then uses feedback from the effects of the solution to improve its own performance."
Hawk utilizes its patent-pending heuristic technology in its solutions.

HAWK Event Correlation – Additional Services: Vendor Event Correlation Solutions
• Advanced log correlation for many resources or appliances:
  • Unix/Linux/Solaris security logs
  • Microsoft Windows NT 4.0/2000/XP/2003 and Vista:
    • Client-agent correlation of Active Directory, IIS, Exchange, Windows Security Events and more.
  • Routers, switches, firewalls
  • Cisco network appliances, FWSM/PIX/ASA firewalls
  • Checkpoint firewalls
  • and more.
• Future support: IBM AIX, IBM AS/400

HAWK Event Correlation Solutions
HAWK provides several pre-packaged solutions:
• An optimized, cost-effective intrusion detection solution.
• Multi-tiered hardware and software acceleration and support.
• Up-to-date and advanced signature rule-set management.
• Implementation of your own IDS/IPS infrastructure.
• Integration with existing IDS/IPS monitoring infrastructure.
• Additionally supported vendor formats:
  • TippingPoint intrusion detection event correlation.
  • Radware intrusion prevention event correlation.
  • McAfee intrusion prevention infrastructure integration and support.
  • Dragon IDS integration, training and support.
  • IETF IDMEF (Intrusion Detection Message Exchange Format) and many more.

Long-Term Event Storage: HAWK Event Storage, 30-180 Day Retention Policy (diagram slide; labels)
• HAWK Data Archive Mgr.
• Automated scheduling
• Secure policy administration
• HAWK Data Archive Manager: multi-threaded retrieval
• Automated archive mgmt.
• Calendar mgmt. interface
• Event detail encryption
• Archived data compression

Unify Your Network
HAWK Network Defense, Inc.
www.hawkdefense.com
sales@hawkdefense.com
Office: 214-373-7100
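The deck describes three ideas without showing them: normalizing heterogeneous logs into a homogeneous event set, rule-based correlation over that set, and statistical correlation that scores an event by its deviation from historical norms. The following is an added illustration, not HAWK's code; the log lines, the regexes, the "three failures then a success" rule and the z-score threat level are all constructed assumptions chosen to make the two correlation styles concrete.

```python
import re
import statistics
from collections import Counter

# Constructed sample lines in three source formats (not real HAWK data).
RAW_LOGS = [
    "sshd[1]: Failed password for root from 10.0.0.5 port 51000 ssh2",
    "sshd[1]: Failed password for root from 10.0.0.5 port 51001 ssh2",
    "sshd[1]: Failed password for root from 10.0.0.5 port 51002 ssh2",
    "sshd[1]: Accepted password for root from 10.0.0.5 port 51003 ssh2",
    "Security-Auditing: EventID=4625 SourceIP=10.0.0.9 Status=0xC000006D",
    "%ASA-6-106015: Deny TCP (no connection) from 10.0.0.5/4444 to 10.0.0.2/80",
]
SSH = re.compile(r"(Failed|Accepted) password for \S+ from (\S+)")
WIN = re.compile(r"EventID=(\d+) SourceIP=(\S+)")
ASA = re.compile(r"%ASA-\d-\d+: Deny \w+ .*? from ([\d.]+)/\d+")

def normalize(line):
    """Reduce any supported source format to one schema: (src_ip, outcome)."""
    if m := SSH.search(line):
        return m.group(2), "auth_fail" if m.group(1) == "Failed" else "auth_ok"
    if m := WIN.search(line):  # 4625 is the Windows logon-failure event
        return m.group(2), "auth_fail" if m.group(1) == "4625" else "other"
    if m := ASA.search(line):
        return m.group(1), "deny"
    return None

def rule_based(events, threshold=3):
    """Rule-set: N+ failures from one source followed by a success -> alert."""
    fails, alerts = Counter(), []
    for src, outcome in events:
        if outcome == "auth_fail":
            fails[src] += 1
        elif outcome == "auth_ok" and fails[src] >= threshold:
            alerts.append(src)
    return alerts

def statistical(events, baseline):
    """Threat level = deviation (z-score) of today's per-source event count
    from historical counts in baseline {src: [past daily counts]}."""
    counts, scores = Counter(src for src, _ in events), {}
    for src, n in counts.items():
        hist = baseline.get(src, [0])
        sd = statistics.pstdev(hist) or 1.0  # flat history: avoid div by zero
        scores[src] = (n - statistics.mean(hist)) / sd
    return scores
```

The rule fires for 10.0.0.5 on the fourth SSH line, and the same source scores far above its baseline, while 10.0.0.9 stays at its norm; the z-score at which an event is called a threat is a tuning decision, not something this snippet fixes.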