How To Create Situational Awareness

Transcription

1 SIEM: The Integralis Difference January, 2013 Avoid the SIEM Pitfalls Get it right the first time

2 Common SIEM challenges Maintaining staffing levels 24/7 Blended skills set, continuous building of rules and logic Escalation of issues to decentralized Network, Systems and Application support teams Local knowledge of network infrastructure Reporting, trending, KPI and business reporting tasks Complex architecture required to provide relevant information - context behind events 08/02/20132

3 Common deployment challenges Complex technical architecture Complex logic and integration between products Business process integration Phased implementation - combined with ongoing management Continual need for ongoing service improvement Skill set / resources to manage Ongoing network and business change 08/02/2013

4 Event Funnel Modeling What SIEM Vendors don t tell you Escalating When It Matters 5 minutes per Critical Event 16 Hours of Analysis 10 minutes per Ticket Escalation 15 Hours of Ticket Escalation Doesn t include Ticket Closure Time 77% of all escalations were true positives Vendor default signatures average 6% 3.79 True Positive every hour Head Count Requirements 24X7 7 FTE Head Count Requirments - 9X6 4 FTE 2,000,000 Total Events 17,560 Viewable Events 196 Critical Events 91 Escalated Tickets 91 True Positive Escalations* SIEM Correlation, Deduplication, etc Critical Events Per Day Potential Tickets SOC Analysis and Investigation

5 Filling the gaps - Situational Awareness Situational Awareness is Needed by Government and Enterprise Security Organizations for Effective Threat Discovery and Risk Mitigation - Gartner, Delivering Situational Awareness (July, 2011) As defined by Gartner, a situational awareness capability requires organizations to collect, analyze, correlate, and report on all security data: Situational Awareness Capability SIEM Threat Intelligence Asset Vulnerability State User Activity Connectivity State Asset Criticality Configuration State Forensics ` Logs and other event-based data Threat feeds and known countermeasures Vulnerability assessment data IDM/IAM and directory data Performance and availability data Asset and inventory data System security configuration data All security data Customers are at an inflection point in the market Compliance driven projects Security driven projects Security point products (SIEM, configuration audit, NBA, etc.) do not meet these requirements by themselves!

6 Threat Source Motivation and Attack Complexity Log Mgmt. SIEM Situational Awareness The Need for Situational Awareness: Threat Drivers State- and State- Sponsored Actors Organized Crime/ Monetization Hacking Groups Level of Security Intelligence Required to Detect, Protect and Respond to Threats Virus/Trojans/Malware DDOS Attacks Bots Identity Theft Log Aggregation IP Theft APTs Wikileaks/Insider Threats SIEM-based security monitoring Cyberterrorism Log and vulnerability data correlation Correlation across multiple data types Collection, normalization, analysis, alerting and reporting on all security data Asset inventory and change data Threat intelligence integration Advanced profiling DOS Attacks Manual Log Monitoring Individual Hit-and-Run SIEMial Engineering < 2000 Time > 2012

7 Compliance Program Requirements Event-Driven Audit-Driven Integrated Business Process The Need for Situational Awareness: Compliance Drivers Compliance Program Maturity and Optimization Requirements Continuous Monitoring SITUATIONAL AWARENESS TOOLSET Fully automated Single source of information for all compliance-related attestation and reporting Reactive, Post-Audit Focused NO TOOLS / MINIMAL TOOLS Incomplete, inconsistent data Unknown state of security controls Substantial audit findings and sanctions SIEM / LOG MANAGEMENT TOOLSET Standardized reporting Manual audits Multiple tools, often with inconsistent and/or overlapping data Extended audit periods Continuous monitoring across all aspects of security data Historical trend analysis for compliance reporting Fast, efficient audit periods TACTICAL Compliance Program Optimization STRATEGIC

8 Situational Awareness No Gaps in Security Data Complete Context The Need for Integralis Situational Awareness Regularly review basic breach indicators 2012 DBIR Security Control Secure remote access services Increase awareness of SIEMial Recommendations Scope of Common Security Threats engineering Monitor and filter outbound traffic for suspicious communications Run regular incident tests and Identified by 2012 Restrict and Verizon monitor privileged Data users Breach Incident practice responses Report (DBIR) User Context Hacking, e.g. Use of Stolen Credentials, Channel Exploitation Malware, Threat Intelligence e.g. Backdoors, Rootkits, Command-and-Control Physical Tampering Asset Criticality Keyloggers / Form Grabbers / Spyware SIEMial File Integrity Engineering Monitoring (Pretexting) Brute-Force Attacks SQL Log Monitoring Injection and SIEM Attacks Unauthorized Access via Default Credentials Network Behavioral Analysis Phishing / Spear Phishing / Vishing System Configuration Monitoring Log Mgmt and SIEM Tools Configuration Audit Tools Pick essential security controls, put in place without exception Change default credentials, create unique passwords and don't share them Regularly review active accounts to make sure they are valid, necessary, properly configured and given only appropriate privileges Test applications, review code and encourage developers to write more secure code Define, monitor and alert on anomalous network behavior Implement effective monitoring for and response to critical log data

9 SIEM Operational Architecture - Integralis Separation of Duties Log Aggregation SIEM SOC Raw Log Viewing Normalization Monitoring OSCE Staff Storage & HA Correlation Case Management SIEM Data Mining SecPolicy Enforcement Reporting Forensic Apps Reporting GRC IT Tech & Deployment SOC NAC Incident Forensics Forensic Analysis DLP False Positive Analysis Staffing

10 NATIVE COLLECTION SDK UNIFIED DATA MODEL UI Achieving Situational Awareness with Integralis The Integralis The Point Situational Security Tool Awareness Approach Approach Dashboards Reports Monitors Alerts Workflow Visualization Forensics Correlation Database Problems with this Approach: Forensic Database No Cross-Correlation = No Situational Awareness Operational Inefficiency No Compliance Automation Reporting High TCO Database Heavily indexed and optimized for ad hoc query activity, and the long-term storage of historical event, context and state data Log Management or SIEM Tools Configuration Audit Tools NBA Tools SNMP Tools FIM Tools Threat Intel Tools IDM/Directory Tools Logs and Events APIs WMI SDEE RDEP CPMI dozens more Known Vulnerabilities Protocols syslog ssh snmp MIB/trap netflow dozens more Asset Inventory Optional Agent Security Configuration Settings native FIM Directory monitor Registry monitor USB monitor Netflow Data and/or Performance Metrics Universal Parser (UP) new syslog sources ODBC sources File Integrity Data SDK any data type, using a simple XML-based API Threat Intelligence Data Example Sources User Data log mgmt tools SIEM tools config mgmt tools NMCs custom apps IT Assets

11 A New Approach to SIEM Integralis employs skilled Service Delivery Managers and a business-savvy approach. SDMs are dedicated to your organization Establish an enterprise wide uniformity in responding and addressing security incidents and events Understand legal, regulatory, and contractual requirements Review and develop SIEM policies and guidelines Increase efficiency through centralization and correlation Analyze and validate the true depth of enterprise security visibility Develop a workable Incident Response Process Improve an existing SIEM implementation

12 How Do We Differentiate Our Service? Typical Approach Integralis SDM Approach Assurances Collect Collect Audit Aggregate Report Index Report Correlate Store Respond Asses Integralis Proprietary and Confidential 2/8/2013

13 Integralis SIEM Offerings SIEM Pre-Assessment & GAP Analysis SIEM Sizing, Risk Based Asset modeling SIEM Product Evaluation and competitive testing Policy Review Log Source Discovery & Assessment Report Creation Introductory Service Advisory Services Follow-Up Services Technology Services SIEM Managed Services SIEM Program Review SIEM Architecture & Product Selection Technology Deployment Policy Creation & Tuning 2/8/ Page 13 Integralis Proprietary and Confidential

14 Thank You & Questions? Dale A. Tesch Jr Director MaPs NAC & SIEM Leader