ClearSkies SIEM Security-as-a-Service (SecaaS) Infocom Security Athens April 2014

Transcription

1 1 ClearSkies SIEM Security-as-a-Service (SecaaS) Infocom Security Athens April 2014

2 About the Presenters Ms. Irene Selia, Product Manager, ClearSkies SecaaS SIEM Contact: w: Mr. Angelos Printezis, ITHACA Labs Team Leader Researcher/Analyst Contact: w:

3 Agenda The Service in a Nutshell Challenges Faced by Organizations Today Addressing Challenges with ClearSkies SecaaS SIEM ClearSkies SecaaS SIEM overview ClearSkies SIEM Architecture Service Offerings Building Blocks 8 Threat Intelligence powered by ITHACA Labs 9 Supported Vendors 10 Q&A 3

4 The Service in a Nutshell Efficient and effective Security Information and Event Management (SIEM) is no longer an expensive information security tool that can be afforded only by large and resource-rich organizations. ClearSkies Security-as-a-Service (SecaaS) SIEM platform, addresses the need of organizations of any size or industry, to manage the wealth of information generated by their networks, systems and applications. It does so, in a holistic manner and over the cloud, enabling you to effectively and cost efficiently enhance your information security and regulatory compliance operations across the board and with virtually zero upfront investment. 4

5 Challenges Faced by Organizations Today Increase in frequency, complexity and sophistication of threats and attacks against your networks, systems and applications The complexity of Internet & Intranet applications Comply with Legal and Regulatory frameworks and reporting requirements Maintain in-house Information Security expertise. As a result...minimize the Risk of Information Security loss. 5

6 Addressing Challenges with ClearSkies SecaaS SIEM Security, over the private-cloud, access to a feature-rich SIEM platform, which addresses the needs of organizations irrespective of their size, industry, extent and complexity of their existing information security infrastructure, or in-house level of expertise Fast and intuitive deployment allowing organizations to reap the benefits of the ClearSkies SecaaS SIEM services in no time Access to - and utilization of - our Analysis and Correlation engines, which are constantly updated and enriched with the threat intelligence and knowledge gathered and developed within ITHACA Labs, our very own world class Information Security Research and Threat Intelligence Center Zero up-front investment 6

7 What ClearSkies SecaaS SIEM will help you achieve Functional Log and Event Management with clear view of your overall information security posture at any time Instant transformation of raw data into information security intelligence, useful in making informed decisions Early identification of suspected or actual incidents and ability to address and follow up on them through a structured process Effortlessly prepare both specialized as well as ad-hoc reports in no time. Enhance your compliance and business decision support processes. Maximize your knowledge of latest information security threats and trends by tapping into a unique Information Security and Threat Intelligence knowledge pool 7

8 ClearSkies SecaaS SIEM Overview Provides organizations, which otherwise would not have the necessary resources to maintain an adequate SIEM SecaaS infrastructure in-house, the opportunity to gain access to such capability in the cloud. Enables organizations to: Collect, Archive, Normalize, Analyze and Correlate the logs generated from a number of diverse systems and applications Effectively and efficiently Monitor and Raised/Assign Incidents for abnormal behavior and suspected threats Generate the reports require to demonstrate compliance with legal and regulatory obligations 8

9 ClearSkies Architecture Single Site Customer Premises Odyssey s Private Cloud Environment Workstation Log Storage Threat Inteligence Database ClearSkies Secure Web Portal Server Log Collector(s) Switch/Router Event Management & Incident Escalation Firewall Analysis & Correlation Database 9

10 Service Offerings A holistic approach to Security Information and Event Management Security As A Service SecaaS (perform Log Review, Analysis and Event Management) Security As A Service SecaaS with 24/7/365 Log Analysis and Event Management (Managed Security Services in a Hybrid model) ClearSkies SIEM Standard ClearSkies SIEM Plus ClearSkies SIEM Premium Security As A Service SecaaS with Daily Log Review (with Daily Log Review, Analysis and Event Management) 10

11 11 Building Blocks

12 Building Blocks - Collect Collect Raw Logs generated from diverse systems, applications and/or security devices: Syslogs SNMP messages Database Windows Security NetFlow Other. Development/updating of our collection mechanism for supporting either in house/custom applications or other log sources/formats 12

13 Building Blocks - Archive Archive of raw logs collected: During this process the Archive mechanism Compress and Digitally Signs the raw logs collected. Note: Raw logs collected compression ratio up to 5 to 1 (80%) Then the Compressed file checksum is calculated using a hashing algorithm (SHA-1, MD5). The checksum is encrypted with Collector s Private. The encrypted checksum is saved to a database for future use. At any given time, it can be verified that the Raw Logs collected are intact ( not tampered)by using the Public Key 13

14 Building Blocks - Normalize Logs from different network, systems and applications and vendors are formatted in different ways, even if these events are semantically equivalent. Logs collected are normalized and stored into a common schema at time of data collection for further processing and ad hoc search and reporting. Analysis and Correlation is designed to present these logs in a unified view across heterogeneous vendor data formats. 14

15 Building Blocks- Analyze Actuate the process of Threat Intelligence for Analysis. What is Threat Intelligence (TI)? Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard. Threat Intelligence is all about collecting, refining, analyzing, and prioritizing vast quantities of data in order to enable a tactical decision to be made about your defenses. 15

16 Building Blocks- Threat Analysis through Intelligence Perform an evidence-based evaluation of the security events for detecting and responding to threats effectively. Key benefits: Focus on the most severe security events based on their actual technical and business impact. Evaluate the risks based on evidence and decide on what precautions need to be taken. Continuously evaluate the effectiveness of the current security controls against emerging threats. 16

17 Building Blocks- Threat Intelligence Methodology Obtain evidence-based intelligence on events and activities for estimating the business risk. Risk calculation Threat mitigation Global Reputation Suspicious characteristics Vulnerability Exposure (NVD, VA Scans) Asset Value Reporting module (FW, IPS, Endpoint) Automated actions (Block, Detect, Quarantine) Affected products CVE References Exploitability Duration 17

18 Building Blocks Analyze (Pre Correlation) 1/2 During the analysis, the following data activities are performed: Link: Delivers insights above and beyond those of individual feeds stored independently. Enrich: Enables us to do linking and relating better and also provides a way to validate weak TI signals. Relate: Discover new threat activities and expand the scope of the organization s response process. 18

19 Building Blocks Analyze (Pre Correlation) 2/2 Data activities continued.. Validate: TI is matched to known industry black lists which enable us to either promote or demote some pieces of intelligence. Contextualize: Make TI data more relevant to the organization. Tag: Collected Events (logs) are tagged with this information such as Relevant/Not Relevant to the Target Host. Risk Calculation: Risk Index is calculated based on the outcome of the above process. 19

20 Building Blocks Correlate Correlate Normalized Logs to identify Malicious and/or Misuse activity based on: Threat Intelligence - Analysis Phase CVSS 2.0 ( Common Vulnerability Scoring System ) Analysis Phase Vulnerabilities that may exist on the target Host - Vulnerability Information from Nessus and Acunetix. Support for other Vulnerability Assessment tools, - Statistical & Behavioral Analysis, - The output of the Analysis phase is used during the correlation phase.. 20

21 Building Blocks Correlation Methodology Threat Intelligence: IP Reputation Malware sites Anonymous Proxies 1st step: Number of events Detected within a time interval 3 rd Step: Asset Vulnerabilities Vs Attacks 5 th Step: Use existing Correlation rules provided, or develop your own Edit, Add Correlation Rules 2 nd Step: Pattern/Behavior Identification, DOS Web Specific Service Probing 4 th Step: Continuous monitoring of suspicious activity Including IP, type...etc.. 21

22 Building Blocks Incident Escalation Incidents raised must be assigned to specific user(s) or Group of Users By default, when an incident is assigned to specific User(s) or Group, an message is sent to these Users providing detailed information. User(s) or Group of Users could be configured to receive Push Notifications on their ios and Android Smart Phones and/or Tablets using Odyssey s App* *The ios and Android App could be downloaded from itunes and Google Play Stores or by visiting our web site 22

23 Building Blocks Summary 23 Collect Raw Logs generated from diverse systems, applications and/or security devices Archive of Raw Logs collected: During this process the Collector Digitally Sign and Compress the Raw Logs collected using a high ratio compression rate up to 80%. Normalize the Raw Logs collected ( Prepare the logs for Analysis ) Analyze the Normalized Logs in regards to ( Threat Intelligence provided by ITHACALabs ): IP Reputation Anonymous Proxies Malware Bot/Zombies (Command & Control) Dymamic DNS Assignment (NoIP) Correlate the Normalize Logs to identify Malicious and/or Misuse activities based on: Threat intelligence ( the outcome of the Analysis phase ) CVSS 2.0 ( Common Vulnerability Scoring System ) Relativity of the attack based on the Asset Information/Characteristics ( Operating System, Application Vendor and Version, Vulnerabilities Present ) Statistical & Behavioral Analysis Incident Escalation

24 24

25 Supported Vendors/Devices for Log Collection 25

26 Do You Have Any Questions? 26

27 27 THANK YOU!