Transcript Slide 1
SmartEvent (Intro) Антон Разумов [email protected] Консультант по безопасности Check Point Software Technologies ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone Agenda 1 Eventia vs SmartEvent 2 SmartEvent look and feel 3 Packaging ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | 2 2 SmartEvent vs Eventia SmartEvent blade is based on Eventia Analyzer technology, designed and tuned for event management leveraging Eventia’s sophisticated engines and displays SmartEvent Intro is tuned for a specific product (like IPS or DLP in R71). ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | 3 3 SmartEvent Intro vs. SmartEvent Full SmartEvent Intro SmartEvent Full Timeline visibility Single product Full Geo-location view Single product Full Graphical views Single product Full Automatic Actions Single product Full Events Forensics and Analysis Single product Full Basic – Fixed reports Advanced – supports full reporting blade capabilities No Yes No Yes Reports Support 3rd Party Devices Custom events ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | 4 4 SmartEvent deployment Corporate Network Additional SmartEvent Correlation Unit +correlation Log SmartEvent Intro has a default unit Adding an additional SmartEvent (Full) Server on every Log Server Extranet Partners Correlation Unit + Log Server Security Management + Log Server Remote Users Internet In addition SmartEvent Into Package does not require any policy configuration or policy install SmartEvent Server + Correlation Unit + Log server NOC + SOC SmartEvent Branch Offices GUI ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | 5 5 Agenda 1 Eventia vs SmartEvent 2 SmartEvent look and feel 3 Packaging ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | 6 6 SmartEvent Intro features Timelines – See real time information, trends, and anomalies at a glance. Charts – View event statistics in bar charts or pie graphs. Maps – Locate source or destination IP on a world map. Forensics – Drill down by double clicking on Timelines, Charts or Maps. Group By – Group events based on severity, source, destination or other fields. Ticketing – Assign events to administrators for analysis ClientInfo – Right click IP address to see processes, hotfixes, and vulnerabilities User Identification – Every log can be associated with Active Directory user names. ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | 7 7 Monitor Only what is Important! Timeline view Number and severity of attacks over time Simple mouse-click drill down to forensic analysis Customizable – allows user to define his own timelines Monitor what is Important Recent critical events Recent critical events At-a-glance view of recent critical events Simple mouse-click drill down to forensic analysis Timeline view ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | 8 8 Search in any field Timeline view Number and severity of attacks over time Simple mouse-click drill down to forensic analysis Customizable – allows user to define his own timelines Search in any field or combination of fields Recent critical events At-a-glance view of recent critical events Simple mouse-click drill down to forensic analysis ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | 9 9 Easy Analysis Top views simplify analysis and allow easy drill-down ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | 10 10 Group Events for Better Understanding Data can be grouped by any field or combination of fields ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | 11 11 Assign a Ticket Jim is assigned to investigate Attacks must be investigated Hacker Land Hacker Land Hacker Land Hacker Land Hacker Land Hacker Land Hacker Land Hacker Land Hacker Land Hacker Land Hacker Land ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | 12 12 User and Machine Names within Eventia Jim looks up the User Name and Machine Info Jim can also see the client and server types ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | 13 13 View Client Information Jim wants more information about the client machine ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | 14 14 Client Information ClientInfo provides full details about the client machine: software and security patches installed, processes and services running and more using WMI (Windows Management Instrumentation) ClientInfo investigates a specific attack that exploits a vulnerability based on Microsoft Security Bulletin By Comparing this info ClientInfo can also state whether the client machine is vulnerable to specific Microsoft issues ClientInfo requires credentials with administrator-level privileges on the target computer. ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | 15 15 Sending an event Jim can decide to send the event by mail to Mark his colleague for further investigation Jim can decide to report the event to Check Point with or without packet capture The information is analyzed to better understand customer environments and potential false positives Hacker Land Hacker Land Hacker Land Hacker Land Hacker Land Hacker Land Hacker Land Hacker Land Hacker Land Hacker Land Hacker Land ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | 16 16 IPS Events Packet capture – retrieves the data packet that caused the attack if it is still stored on the gateway Add exception, go to protection launches SmartDashboard Advisory, Protection Description attack description as in SmartDashboard CVEs – hyperlink to Mitre and other standard sources Follow-up for new events Report to Check Point (Note: we don’t give the user any status update) ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | 17 17 Agenda 1 Eventia vs SmartEvent 2 SmartEvent look and feel 3 Packaging ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | 18 18 Pricing & Packaging Available packages: Package Name Description SmartEvent Intro Package Intro Package: event analysis for one single product - IPS, DLP, etc… SmartEvent Full Package Full Event Analysis capabilities: • Full Check Point products support • 3rd party products support • Custom Events definitions • Reporting Price $4000 $8000 / $16,000 / $32,000 (Based on container size) Pre-defined Systems Intro package included in SM2506 and SMU007 predefined systems ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | 19 19 Антон Разумов [email protected] Консультант по безопасности Check Point Software Technologies ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone