Lessons Learned ID VIEW

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 4 min read

Summary:

The document compares and contrasts IdentityView (IV) with an Insider Threats Package integrated into IdView, and discusses the features and capabilities of Enterprise Security Manager (ESM) versions 6.0c and E7400. Key points:

1. **IdentityView (IV):** A full-blown version for ESM that includes rules, reports, and dashboards, capable of handling up to 50,000 actors. It also integrates with an Insider Threats Package for enhanced security.

2. **ESM 6.0c and E7400:**

  • **E7400:** Targeted at small to medium businesses, featuring a multi-dimensional correlation engine and direct integration with the Logger without indexing raw data. The architecture is n-tier with lower integration layers.

  • **ESM 6.0c:** Offers advanced capabilities such as integration of over 300 event sources, CEF for event IDs, a pre-processing system across all loggers using the same framework, and high-performance logging with storage of up to 42 TB compressed/indexed in the Logger. It includes a multidimensional correlation engine for correlating threat feeds.

  • **Logger:** Used for historical reporting and long-term forensics storage, with multiple storage groups, each with its own rules and acting as a partition.

3. **Features of ESM:** Includes Express (similar features to E7400) and additional modules, offering prescriptive content packages for advanced use cases like SOX and PCI compliance, providing not just reports but also dashboards for real-time visualization.

The document concludes by emphasizing the innovation and capabilities of ESM over 10+ years compared to competitors, who often started as separate tools before upgrading to SIEM solutions.

Details:

The document discusses the differences between IdentityView (IV) and the Insider Threats Package integrated with IdView, as well as the current versions of ESM, 6.0c and Express/ESM (E7400). It highlights several key features and capabilities:

1. **IdentityView (IV):** This is a full-blown version available for Enterprise Security Manager (ESM) which includes rules, reports, and dashboards. The maximum number of actors it can handle is 50,000. Additionally, there is an Insider Threats Package integrated with IdView to enhance security measures.

2. **Domain Fields:** These are only available in ESM 5.x.

3. **ESM 6.0c and E7400:**

  • **E7400:** This is specific to ESM, intended for small to medium businesses. It features a multi-dimensional correlation engine and supports direct integration with the Logger without indexing raw or unstructured data. The architecture is n-tier with lower integration layers.

  • **ESM 6.0c:** Includes advanced capabilities such as integration of over 300 event sources, CEF (Common Event Format) for event IDs, and a pre-processing system that applies to all loggers using the same framework. It also supports throttling, capacity planning, geographically disparate sites, and batching of events, and has high-performance logging with storage of up to 42 TB compressed/indexed in the Logger.

  • **Multidimensional Correlation Engine:** This engine is designed for correlating reputation threat feeds, reducing false positives and providing immediate ROI.

  • **Logger:** A high-performance log store used for historical reporting and long-term forensics storage, with multiple storage groups, each with its own rules and acting as a partition.

  • **Enterprise Security Manager (ESM):** This includes Express (the same features, aimed at small to medium businesses) and additional modules. Prescriptive content packages are available for advanced use cases like SOX and PCI compliance, providing not just reports but also dashboards to visualize issues in real time.

The document concludes by emphasizing the innovation and capabilities of ESM over 10+ years compared to its competitors, who often started as separate tools before upgrading to SIEM solutions.

The summary highlights a product called IdentityView, which is designed for monitoring privileged users, generating reports on user investigations, and associating usernames with events without needing to find MAC addresses. It supports RBAC (Role-Based Access Control) and multi-tenancy, ensuring that only authorized admins can access system events.

Deployment considerations include starting small by using one tool for investigation and reporting, then adding IdentityView for real-time use cases and automated response mechanisms like TRM or TippingPoint. For sensitive database monitoring, the application transaction security feature is available. The product supports alerting through Logger, which indexes events and can forward them to other sources. Data collection starts with a small deployment and can be expanded as needed. It includes throttling for maintaining connections and pushing updates to geographically disparate connectors.

An important distinction is that no SQL queries are used, which matters for handling security-related data, operational data, and compliance requirements. Threat Response capabilities include integration with TP (TippingPoint), SMS (Security Management System), and TRM (Threat Response Manager). The product's architecture is n-tier to cater to technical users, ensuring consistent, professional interfaces rather than amateur or inconsistent designs.

The text also refers to a study of Chris's deck, which appears to be a presentation or shared set of ideas, possibly as part of a new hire training session scheduled for April. The reference "Brainshark" suggests that the content might be delivered through an online presentation tool like Brainshark. Additionally, Gary's deck is mentioned as another item for comparison or consideration during this study. Lastly, the notation "101" could imply a basic or introductory treatment of the topic at hand.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
