Transcript Slide 1

SmartEvent (Intro)
Антон Разумов
[email protected]
Security Consultant
Check Point Software Technologies
©2010 Check Point Software Technologies Ltd.
|
[Unrestricted] For everyone
Agenda
1. Eventia vs SmartEvent
2. SmartEvent look and feel
3. Packaging
SmartEvent vs Eventia

SmartEvent blade is based on Eventia Analyzer technology, designed and tuned for event management, leveraging Eventia's sophisticated engines and displays.

SmartEvent Intro is tuned for a specific product (like IPS or DLP in R71).
SmartEvent Intro vs. SmartEvent Full

Feature                        | SmartEvent Intro      | SmartEvent Full
Timeline visibility            | Single product        | Full
Geo-location view              | Single product        | Full
Graphical views                | Single product        | Full
Automatic Actions              | Single product        | Full
Events Forensics and Analysis  | Single product        | Full
Reports                        | Basic – fixed reports | Advanced – supports full reporting blade capabilities
Support 3rd Party Devices      | No                    | Yes
Custom events                  | No                    | Yes
SmartEvent deployment

[Diagram: deployment topology. Network zones shown: Corporate Network, Extranet Partners, Remote Users, Internet, Branch Offices, NOC + SOC. Components shown: Security Management + Log Server; Correlation Unit + Log Server; SmartEvent Server + Correlation Unit + Log Server; Additional SmartEvent Correlation Unit; SmartEvent GUI. Diagram label: "Adding an additional SmartEvent (Full) Correlation Unit + Log Server".]

SmartEvent Intro has a default correlation unit on every Log Server.

In addition, the SmartEvent Intro package does not require any policy configuration or policy install.
SmartEvent Intro features
Timelines – See real time information, trends, and anomalies at a glance.
Charts – View event statistics in bar charts or pie graphs.
Maps – Locate source or destination IP on a world map.
Forensics – Drill down by double clicking on Timelines, Charts or Maps.
Group By – Group events based on severity, source, destination or other fields.
Ticketing – Assign events to administrators for analysis.
ClientInfo – Right click IP address to see processes, hotfixes, and vulnerabilities.
User Identification – Every log can be associated with Active Directory user names.
Monitor Only what is Important!

Timeline view:
• Number and severity of attacks over time.
• Simple mouse-click drill down to forensic analysis.
• Customizable – allows the user to define his own timelines.

Recent critical events:
• At-a-glance view of recent critical events.
• Simple mouse-click drill down to forensic analysis.
Search in any field

The same timeline view and recent critical events view as on the previous slide, with the addition: search in any field or combination of fields.
Easy Analysis

Top views simplify analysis and allow easy drill-down.
Group Events for Better Understanding

Data can be grouped by any field or combination of fields.
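The timeline, top-view, group-by and search views on the preceding slides are all derived from the same underlying log records. The PowerShell below is an added example, not Check Point code and not part of this deck, showing how such views are computed over a handful of constructed sample events: bucketing by time interval and severity (the timeline), grouping by any combination of fields (top views and Group By), and matching on a combination of field values (search). The field names Time, Severity, Source, Destination, Product and Protection are assumptions chosen for the sample.

```powershell
# Added example (not Check Point code): deriving SmartEvent-style views from raw event records.
# The events below are constructed sample data; the field names are assumptions for this example.
$SampleEvents = @(
    [pscustomobject]@{ Time = [datetime]'2010-06-01 09:02'; Severity = 'Critical'; Source = '203.0.113.5';  Destination = '10.0.0.10'; Product = 'IPS'; Protection = 'SQL Injection' }
    [pscustomobject]@{ Time = [datetime]'2010-06-01 09:17'; Severity = 'High';     Source = '203.0.113.5';  Destination = '10.0.0.11'; Product = 'IPS'; Protection = 'Port Scan' }
    [pscustomobject]@{ Time = [datetime]'2010-06-01 09:41'; Severity = 'Critical'; Source = '198.51.100.7'; Destination = '10.0.0.10'; Product = 'IPS'; Protection = 'SQL Injection' }
    [pscustomobject]@{ Time = [datetime]'2010-06-01 10:05'; Severity = 'Medium';   Source = '198.51.100.7'; Destination = '10.0.0.12'; Product = 'IPS'; Protection = 'Port Scan' }
    [pscustomobject]@{ Time = [datetime]'2010-06-01 10:30'; Severity = 'Critical'; Source = '203.0.113.5';  Destination = '10.0.0.10'; Product = 'IPS'; Protection = 'SQL Injection' }
    [pscustomobject]@{ Time = [datetime]'2010-06-01 11:12'; Severity = 'Low';      Source = '192.0.2.9';    Destination = '10.0.0.10'; Product = 'IPS'; Protection = 'HTTP Header Anomaly' }
)

# Timeline view: number of events per time bucket and severity.
function Get-TimelineView {
    param([object[]] $Events, [int] $IntervalMinutes = 60)
    $Events |
        Select-Object *, @{ Name = 'Bucket'; Expression = {
            # Round the timestamp down to the start of its interval.
            $t = $_.Time
            $t.Date.AddMinutes([math]::Floor($t.TimeOfDay.TotalMinutes / $IntervalMinutes) * $IntervalMinutes)
        } } |
        Group-Object Bucket, Severity |
        ForEach-Object {
            [pscustomobject]@{
                Bucket   = $_.Group[0].Bucket
                Severity = $_.Group[0].Severity
                Count    = $_.Count
            }
        } |
        Sort-Object Bucket, Severity
}

# Group By / top views: group on any combination of fields, most frequent first,
# with a count of critical events per group for quick triage.
function Get-GroupedView {
    param([object[]] $Events, [string[]] $By)
    $Events |
        Group-Object -Property $By |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Group         = $_.Name
                Count         = $_.Count
                CriticalCount = @($_.Group | Where-Object Severity -eq 'Critical').Count
            }
        }
}

# Search in any field or combination of fields: every criterion must match.
function Find-Events {
    param([object[]] $Events, [hashtable] $Criteria)
    $Events | Where-Object {
        $e = $_
        $mismatch = @($Criteria.GetEnumerator() | Where-Object { $e.($_.Key) -ne $_.Value })
        $mismatch.Count -eq 0
    }
}

# Usage on the constructed sample:
Get-TimelineView -Events $SampleEvents -IntervalMinutes 60 | Format-Table
Get-GroupedView  -Events $SampleEvents -By Source, Protection | Format-Table
Find-Events      -Events $SampleEvents -Criteria @{ Severity = 'Critical'; Source = '203.0.113.5' } | Format-Table
```

On the sample data the timeline shows two Critical events in the 09:00 bucket and one in the 10:00 bucket, the grouped view puts the pair 203.0.113.5 / SQL Injection at the top with two events, and the search returns the two Critical events from 203.0.113.5. Real SmartEvent data has many more fields, but the three operations are the same.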
Assign a Ticket

Attacks must be investigated. Jim is assigned to investigate.

[Screenshot: event list; the source location column reads "Hacker Land".]
User and Machine Names within Eventia

Jim looks up the User Name and Machine Info. Jim can also see the client and server types.
View Client Information

Jim wants more information about the client machine.
Client Information

ClientInfo provides full details about the client machine, using WMI (Windows Management Instrumentation): software and security patches installed, processes and services running, and more.

ClientInfo investigates a specific attack that exploits a vulnerability based on a Microsoft Security Bulletin. By comparing this information, ClientInfo can also state whether the client machine is vulnerable to specific Microsoft issues.

ClientInfo requires credentials with administrator-level privileges on the target computer.
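The slide describes ClientInfo pulling patch, process and service inventory from the client over WMI with administrator credentials and checking it against the KBs of a Microsoft Security Bulletin. The PowerShell below is an added example, not Check Point's ClientInfo code, that performs the same collection with the CIM cmdlets and the same comparison. Assumptions: PowerShell 3.0 or later on the analyst's machine, WinRM reachable on the client, and an account that is a local administrator there. The computer name client01.example.local is constructed, and the KB list KB000000 is a placeholder for the real KB numbers of the bulletin referenced by the event.

```powershell
# Added example (not Check Point code): a ClientInfo-style inventory over WMI/CIM.
# Assumes PowerShell 3.0+, WinRM reachable on the client, and a credential that is
# a local administrator on the client (as the slide requires).
function Get-ClientSnapshot {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # One authenticated session for all queries; torn down in the finally block.
    $session = New-CimSession -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
    try {
        $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
        [pscustomobject]@{
            ComputerName = $ComputerName
            OS           = "$($os.Caption) $($os.Version)"
            LastBoot     = $os.LastBootUpTime
            # Installed OS hotfixes (Win32_QuickFixEngineering lists OS updates, not application updates).
            Hotfixes     = Get-CimInstance -CimSession $session -ClassName Win32_QuickFixEngineering |
                           Select-Object HotFixID, Description, InstalledOn
            # Running processes with their image paths.
            Processes    = Get-CimInstance -CimSession $session -ClassName Win32_Process |
                           Select-Object ProcessId, Name, ExecutablePath
            # Running services only, with their start mode.
            Services     = Get-CimInstance -CimSession $session -ClassName Win32_Service |
                           Where-Object State -eq 'Running' |
                           Select-Object Name, DisplayName, StartMode
        }
    }
    finally {
        Remove-CimSession $session
    }
}

# Compare the installed hotfix list against the KBs a Microsoft Security Bulletin says
# are required. Any required KB that is absent marks the client as vulnerable.
function Test-BulletinPatched {
    param(
        [Parameter(Mandatory)] $Snapshot,
        [Parameter(Mandatory)] [string[]] $RequiredKB
    )
    $installed = @($Snapshot.Hotfixes | ForEach-Object { $_.HotFixID })
    $missing   = @($RequiredKB | Where-Object { $installed -notcontains $_ })
    [pscustomobject]@{
        ComputerName = $Snapshot.ComputerName
        MissingKB    = $missing
        Vulnerable   = ($missing.Count -gt 0)
    }
}

# Usage (constructed computer name; KB000000 is a placeholder for the bulletin's real KBs):
# $cred = Get-Credential                      # account that is a local administrator on the client
# $snap = Get-ClientSnapshot -ComputerName 'client01.example.local' -Credential $cred
# Test-BulletinPatched -Snapshot $snap -RequiredKB @('KB000000')
```

Two caveats for anyone reproducing this: Win32_QuickFixEngineering only reports operating-system updates, so a bulletin that ships an application update (Office, IE) needs a different check, and a KB can be superseded by a later cumulative update that does not carry the original number, so "KB absent" should be read as "review", not as proof of exposure.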
Sending an event

Jim can decide to send the event by mail to Mark, his colleague, for further investigation.

Jim can decide to report the event to Check Point with or without packet capture. The information is analyzed to better understand customer environments and potential false positives.

[Screenshot: event list; the source location column reads "Hacker Land".]
IPS Events

• Packet capture – retrieves the data packet that caused the attack if it is still stored on the gateway.
• Add exception, Go to protection – launches SmartDashboard.
• Advisory, Protection Description – attack description as in SmartDashboard.
• CVEs – hyperlink to Mitre and other standard sources.
• Follow-up for new events.
• Report to Check Point (note: we don't give the user any status update).
Pricing & Packaging

Available packages:

SmartEvent Intro Package – Price: $4000
Intro Package: event analysis for one single product - IPS, DLP, etc…

SmartEvent Full Package – Price: $8000 / $16,000 / $32,000 (based on container size)
Full Event Analysis capabilities:
• Full Check Point products support
• 3rd party products support
• Custom Events definitions
• Reporting

Pre-defined Systems: Intro package included in SM2506 and SMU007 predefined systems.