SMART INVESTIGATOR - ibusinessevents.ro


Page 1:

SMART INVESTIGATOR. Find. Alert. Decide. Security done smart (TM)

Powered by

31st MARCH 2017

Page 2:

Our Company

For 15 years our company has architected, integrated, deployed and operated the systems that enable Dell Software Inc. (today Quest Software Inc.) customers to conduct business in today's highly competitive marketplace.

This gave us the chance to turn our dedication and experience into profit and to become a member of the Quest Partner Circle, the sole reseller for Romania, Bulgaria and Moldova.

Our vision:

100% secured IT infrastructures

Proactivity in managing daily risks

Real-time visibility across huge volumes of log data


Page 3:

Security Challenges & Limitations of Legacy SIEMs

Our customers asked us to address their recurrent challenges and limitations:

Continuous big data expansion: collection and analysis of increasingly larger amounts of event, historical and security-context data

The relational and time-indexed databases that back legacy SIEMs struggle to keep up with the event and analytics load

Legacy SIEMs show slow performance, inability to manage data effectively, poor visibility and high scaling costs


Page 4:

Smart Investigator to Address Your Needs

Specific Infrastructure

Measurable Events

Achievable Knowledge

Realistic Decision Making

Time-bound & Speed


Page 5:

Empower Specific Infrastructure

Main features

Integration with any existing cyber infrastructure; data is gathered with agents or agentless:

- Directly from systems (Cisco, Fortinet, Juniper, Windows, Linux, Unix)
- From log aggregators (SIEM): HP ArcSight, RSA Security Analytics, Quest InTrust, IBM, Splunk
- From business applications
- From other security tools (vulnerability management, IDS/IPS, DLP, firewalls)

Data transformation: enrich, transform, manage, correlate and integrate; add business intelligence to security data from Active Directory, business applications and IAM solutions

Unlimited built-in horizontal scalability with no extra database costs (additional capacity available in 15 minutes with no downtime)

Archive: encrypt, compress and digitally sign; leverage existing storage space by keeping data in file-system-based archives (never vendor locked-in)


Page 6:

Empower Specific Infrastructure

High Level Design and Data Flow (diagram; only its labels survived extraction). Sources feeding the Data Storage Nodes, with their collection mode:

- Dell InTrust: DB based or real time
- Network devices: syslog TCP/UDP, real time
- Change Auditor events: DB based or real time
- Windows servers/workstations: log agent with real-time collection; real-time WMI
- Other logs (Exchange message tracking, custom CSV, EVTX, custom database logs): real time
- Cloud providers/APIs: real time
- Cisco ISE: real time


Page 7:

Empower Specific Infrastructure

Unified event bus between blocks

Cluster-ready event bus -> for unlimited scalability and HA

Cisco support: receive/get FULL Cisco device information:

- NetFlow
- Alerts
- Reports
- Firewalls / routers / switches / ISE / Sourcefire

Connections between endpoints as events


Page 8:

Measurable Events

Main features

Intensive industry-specific expertise for high visibility and compliance

Synthesized results displayed in intuitive graphical charts

Embedded reports to validate control efficiency and effectiveness for frameworks and standards: ISO 27001, COBIT, FISMA, HIPAA, PCI DSS, SOX

Context-sensitive dashboards & reports

Look & Feel: dashboards (screenshot; only its labels survived extraction): Top Event Sources; Top Event Categories; Top Event Types: Warning, Failure audit, Success audit, Error, Information


Page 9:

Achievable Knowledge

Main features

The Big Picture, All-in-one View

Advanced event search & filter

Visual interactive investigations:

• Graphical interactive drill-ups/drill-downs
• Visually correlate information
• Scheduled/interactive reports

Integrate new cybersecurity feeds into your security orchestration

JavaScript-based event log parsing

Generate events programmatically, based on very custom criteria, at log-parsing runtime

Look & Feel: smart filtering, simple and/or composed; use interactive decision trees
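The two bullets on JavaScript-based parsing and runtime-generated events describe a pattern rather than an API. The script below is an added example of that pattern and is not Smart Investigator's own code: the line formats, field names, event type names, threshold and sample log lines are all constructed for the illustration. Each parser turns a raw line into a structured event, and each criterion is a plain JavaScript function that runs on every event as it is parsed, keeps its own state, and emits a derived event when its condition is met; the second criterion correlates firewall and Windows logon data from the same source address, which goes a little beyond the bullets' single-source wording.

```javascript
// Added example of JavaScript-based log parsing with events generated at
// parse time. Not Smart Investigator's code: formats, field names, event
// types and the sample lines are constructed for this illustration.

// Two constructed line formats: a firewall DENY in syslog style and a
// Windows security audit line for Event ID 4625 (logon failure).
const PARSERS = [
  {
    name: 'fw-deny',
    re: /^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) fw: DENY src=(\S+) dst=(\S+) dport=(\d+)$/,
    toEvent: (m) => ({ ts: m[1], host: m[2], type: 'fw.deny',
                       src: m[3], dst: m[4], dport: Number(m[5]) }),
  },
  {
    name: 'win-logon-failure',
    re: /^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) Security EventID=4625 user=(\S+) src=(\S+)$/,
    toEvent: (m) => ({ ts: m[1], host: m[2], type: 'win.logon.failure',
                       user: m[3], src: m[4] }),
  },
];

// Parse one line with the first matching parser; lines no parser understands
// are kept as 'unparsed' events rather than dropped, so gaps stay visible.
function parseLine(line) {
  for (const p of PARSERS) {
    const m = p.re.exec(line);
    if (m) return p.toEvent(m);
  }
  return { type: 'unparsed', raw: line };
}

// A criterion is a user-supplied function evaluated on every event while the
// stream is parsed. State lives in the closure; it returns a derived event
// or null.

// N logon failures from the same source address -> one derived event.
function failedLogonBurst(threshold) {
  const failures = new Map();   // src -> failures seen so far
  return (ev) => {
    if (ev.type !== 'win.logon.failure') return null;
    const n = (failures.get(ev.src) || 0) + 1;
    failures.set(ev.src, n);
    return n === threshold
      ? { ts: ev.ts, type: 'derived.logon.burst', src: ev.src, failures: n }
      : null;
  };
}

// Cross-source correlation: a source the firewall denied that then fails a
// logon on a Windows host -> one derived event per source.
function deniedThenLogonFailure() {
  const denied = new Set();     // sources seen in fw.deny
  const alerted = new Set();    // sources already reported
  return (ev) => {
    if (ev.type === 'fw.deny') { denied.add(ev.src); return null; }
    if (ev.type === 'win.logon.failure' && denied.has(ev.src) && !alerted.has(ev.src)) {
      alerted.add(ev.src);
      return { ts: ev.ts, type: 'derived.denied.then.logon', src: ev.src, host: ev.host };
    }
    return null;
  };
}

// Parse a stream and run every criterion on every event; derived events are
// emitted inline, right after the event that triggered them.
function parseStream(lines, criteria) {
  const out = [];
  for (const line of lines) {
    const ev = parseLine(line);
    out.push(ev);
    for (const crit of criteria) {
      const derived = crit(ev);
      if (derived) out.push(derived);
    }
  }
  return out;
}

// Constructed sample input (not real logs). The last line is an Event ID
// 4624 (successful logon) that no parser here handles.
const SAMPLE_LINES = [
  'Mar 31 10:00:01 fw01 fw: DENY src=10.0.0.5 dst=10.0.1.20 dport=445',
  'Mar 31 10:00:02 dc01 Security EventID=4625 user=admin src=10.0.0.5',
  'Mar 31 10:00:03 dc01 Security EventID=4625 user=admin src=10.0.0.5',
  'Mar 31 10:00:04 dc01 Security EventID=4625 user=admin src=10.0.0.5',
  'Mar 31 10:00:05 dc01 Security EventID=4624 user=bob src=10.0.0.9',
];

function runExample() {
  return parseStream(SAMPLE_LINES, [failedLogonBurst(3), deniedThenLogonFailure()]);
}

for (const ev of runExample()) {
  if (ev.type.startsWith('derived.')) console.log(ev);
}
```

Run with node; only the derived events are printed. Because criteria are plain functions evaluated at parse time, a new detection is a new closure rather than a change to a rule language, and lines no parser understands are kept as unparsed events so that coverage gaps show up in the data instead of disappearing silently.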


Page 10:

Enhanced Decision Making Capability

Main features

Single point of access to security data: fraud detection, cybersecurity, internal security, compliance

Precise identification of security incidents through innovative multi-SIEM/multi-platform data correlation

User-defined alerts and a graphical anomaly analyzer, starting from one single exception event

Configurable anomaly detection patterns in network and applications

Investigation case management


Page 11:

Time-bound & Speed

Main features

Quick access to events and investigation data: 5 seconds to access 2.4 billion events (15 TB) (vendor figure; hardware and query conditions are not stated)

Correlation between tens of millions of events in 2 seconds (vendor figure, same caveat)

Real-time / schedule-based connectivity to classical SIEM systems for data feeds

Predefined real-time alerts

Lower TCO due to high self-manageability and autonomy

Fast deployment: 30 min - 4 hours


Page 12:

Use Cases

Internal Investigations team

• Unify audit data produced by all applications to track access to sensitive information
• Quickly investigate security incidents related to internal business applications usage
• Roll up / drill down on all unified business applications
• Fraud alerting rules
• Correlate data from all systems involved for meaningful alerts

Information Security team

• Massively improve investigation times of security incidents
• Unify all security information and security analytics from multiple security log sources: SIEM, firewalls, infrastructure, Data Loss Prevention systems, vulnerability management systems, physical access systems
• Identify anomalous events from infrastructure
• Quickly drill down, roll up into data and incidents

Page 13:

Use Cases

Cyber Security Team

• Natively integrate with FireEye/other IDS/IPS; firewalls (Cisco ASA, SonicWall, Fortinet, etc.)
• Quickly identify attack sources with both high-level aggregated views and grass-level (raw event) data
• Quickly identify impacted machines
• Easily cross-correlate information from other systems in just 2 clicks: SIEM, internal applications

Operations Team

• Search/locate operational events (from infrastructure, databases, networking)
• Horizontal scalability for decreased costs (licensing and hardware)

Compliance Team

• View/export compliance reports based on several standards: ISO 27001, SOX etc.
• Log archive (file system based) to store information for several years
• Access on a "need to know" basis (segregation of duties):
  - Infrastructure Security team members: access only to infrastructure security data
  - Investigations team: access to all data
  - Cyber Security Team: access to cyber-related data

Page 14:

Valeriu STANCIU

Senior Technical Consultant

Q-EAST SOFTWARE SRL BUCHAREST

55 Clucerului Street, Bucharest, ROMANIA

www.smart-investigator.com