State of SIEM Challenges, Myths & technology Landscape 4/21/2013 1

Transcription

1 State of SIEM Challenges, Myths & technology Landscape 4/21/2013 1

2 Introduction What s in a name? SIEM? SEM? SIM? Technology Drivers Challenges & Technology Overview Deciding what s right for you Worst practices Q&A 4/21/2013 2

3 What s a SIEM? SIEM is the Evolution and Integration of Two Distinct Technologies Security Event Management (SEM) Primarily focused on Collecting and Aggregating Security Events (Real Time task) Security Information Management (SIM) Primarily focused on the Enrichment, Normalization, and Correlation of Security Events. Another name for Log management (Non Real time task) Security Information & Event Management (SIEM) is a Set of Technologies for: Log Data Collection Correlation Aggregation Normalization Retention Analysis and Workflow Three Major Factors Driving the Majority of SIEM Implementations Real-Time Threat Visibility Security 1 2 Operational 3 Efficiency Compliance and/or Log Management Requirements 4/21/2013 April 21,

4 Evolution SANS Annual Log Management Survey 2005: 43% of those surveyed collected logs 2012: 91% of those surveyed collected logs Stats courtesy: SANS 4/21/2013 4

5 Industry Verticals 4/21/2013 5

6 State of SIEM - Challenges SIEM Promise: Turns Security Data Into Actionable Information Provides an Intelligent Investigation Platform Supports Management and Demonstration of Compliance Legacy SIEM REALITY: VS Antiquated Architectures Force Choices Between Time-to-Data and Intelligence Events Alone Do Not Provide Enough Context to Combat Today s Threats Complex Usability and Implementation Have Caused Costs To Skyrocket

7 Security and Business Challenges What are the Security Management Challenges? Current Operational Mandates: Managing Big SECURITY Data Query Response Time Weak Back-end Data Management systems Ability to Respond Quickly (e.g., Reports take hours to generate) Lack of Live Interactive Analysis Cost Effective Enterprise Scale Previous Investments / Technology are not scaling Reduce Sustainment Costs Improve Situational Awareness Leverage Diverse Security Solutions Enhanced Security Posture 4/21/2013 7

8 APTs Cloud Data Insider Anomalies The Big Security Data Challenge Billions of Events Multi-dimensional Active Trending; LT Analysis Large Volume Analysis Compliance Historical Reporting Thousands of Events Perimeter Correlate Events Consolidate Logs 8 4/21/2013 8

9 Vendor Approaches SEM is the real problem Focused on the SOC The network is the computer Correlation is it SIM is the real problem Focused on archival Compliance reporting 4/21/2013 9

10 Vendor Approaches Normalization is the key Parsers, standard SQL schema Ever larger ODBC instances Vendor standards Vulnerability is the key what does it mean? Netflow/Jflow is the key Another network based approach 4/21/

11 See log frequencies Search for logs Traditional Log Management and Search Generation 0 Investigate Log Management INVESTIGATE LOGS AFTER THE FACT 11

12 Log Mngt & Context Generation 1 See log frequencies Visualize & Investigate Search for logs Correlate events Device and Application Log Files Authentication and IAM Events from Security Devices and Endpoints User Identity Location VA Scan Data Network Flows Time OS Events Traditional Context Log Management DETECTION OF KNOWN SUSPICIOUS PATTERNS 12

13 See log frequencies Search for logs Correlate events (Net)FLOW traffic information (Anomaly detection) Content Awareness Generation 2 (FLOW / Anomaly Detection) Visualize & Investigate Flows indicate frequency / Anomalies but miss the what, who and how.. Anomaly (FLOWS) & Content Applications Traditional Context Log Management Database

14 Case for SIEM: APT Without Content Aware SIEM, APT s can evade detection and steal Data January : Sent February : File Share Access! March: FTP Internal Services External IP 1 HTTP File Downlo ad Core IP Verdict POSSIBLE POLICY VIOLATION External IP 2 Access Denied Verdict: USER ERROR

15 January : Sent Run vuln. Scan Quarantine Actor (IPSP)!! Bad Actor Quarantine: Source and Destination Future Evolution: Actionability February : File Share Access Communication with North Korea via Real-time Content and Advanced Analytics External IP 1 External IP 2! HTTP File Downlo ad UNUSU AL PACKET SIZE March: FTP System Owner in Dev. Mgrs. Access to Core IP IP File Downloaded! Name and Extension Changed Quarantine File, add Tag Investigate Laptop (AV/DLP Console) Internal Services Core IP Access Denied! Activity Outside the Norm Set Server and Laptop Security to High

16 SIEM Magic Quadrant 2011 & 2012

17 Deciding what s right for you Start with the real reason Monitor for PCI-DSS, protect web apps Monitor critical servers for suspicious login Include log sources Size the environment Consider phased approach 4/21/

18 Deciding what s right for you Describe essential SIEM features Which reports/trends, role based dashboards, Netflow, Change monitoring, search etc SEM? SIM? Ops? What is the main driver? Keep the requirements short More than 10 pages? Go back and prune 4/21/

19 SIEM Myths NOT a security product!! It s a tool to visualise your security posture It is intelligent by default! does NOT control security products(as of now) Expensive with no ROI in sight! 4/21/

20 Worst practices Determine the need Define scope Make shortlist of vendors Conduct POC Deploy Use Expand 4/21/

21 Worst practices Determine need: Skip this step, just buy something. Security? Compliance? Ops? Define scope: Be vague Real-time? Platforms? Log volume? Reports? Alerts? Usage? Assume you are the only stakeholder 4/21/

22 Worst practices Shortlist vendors: Choose by initial price. Ignore modules, support, training, Accept vendor ROI formula Choose by relationship. We already use their AV or OS or IDS Choose by PowerPoint 4/21/

23 Worst practices Conduct POC Don t bother Ignore the vendor completely Let vendor dictate the POC Don t verify references 4/21/

24 Worst practices Deploy Don t plan before the vendor shows up Demand admin access at the last minute Scramble to configure network/firewall Use any old hardware or software Surprise staff with the schedule Announce training at the last minute Ignore the vendor recommendations What do they know anyway? 4/21/

25 Worst practices Use Don t upgrade to new release Don t invest in support contracts Expand Ignore vendor provided best practices Never provide training to the actual users Don t designate a product owner Don t check for changed needs or scalability 4/21/

26 Final Thoughts SIEM is the fastest adopted technology in the market Continuous evolution because of customer demands & market challenges SIEM is a typical IT project Planning early and often is key Match your needs to product features Conduct a pilot, verify claims Befriend your enemy (vendor) 4/21/

27 \ Q & A 4/21/