The Crisis You Didn t See

Transcription

1 The Crisis You Didn t See A case for real-time security monitoring Maxim Elliott-Massouras Principal Architect

2 Let s get started!

3 Agenda 1.Introductions 2.Why are we here? 3.What are the challenges? 4.How do we start? So who are Eduserv?.

4 Introductions Eduserv Managed Cloud & Identity Mgmt SaaS offerings UK NFP (about 20 years old) ~170 Staff (>80% Technical) Sell exclusively into UK public & 3 rd sectors ~80% of our business is from regional & central government customers What are we protecting?.

5 Context ~ m a n a g e d s e r v e r s ~ 4 M i l l i o n S a a S u s e r s Quick Terminology Refresh.

6 Quick Terminology SIEM Security Information and Event Management SIRO Senior Information Risk Owner CSI Continual Service Improvement Why are we here?.

7 Starting With Why? VISIBILITY Machine behaviours User Activity Changes There is industry consensus

8 Industry View "Organisations are outgunned and outmatched " Forrester report "71% of staff think they have access to company data they should probably not see" Ponemon Institute "anti-virus becoming irrelevant..." MobileIron i.e. attacks are more sophisticated so relying on traditional tools alone wont work Look at our activity map.

9 Visibility

10 Visibility Who is targeting you?. Source: Bit9

11 Matchmaking State Sponsored Hacktivists Professionals Committed Amateurs 3 Organisation Types Breached but don t know or haven t disclosed it Will be breached, its just a matter of time Too insignificant to attract attention (but will still be breached) Planning and risk priorities.

12 Planning: What are we protecting? Ask someone What risks are we trying to mitigate? Who are the threat actors? What are our most valuable info assets What do we want to get out of our SIEM function? SIEM can help you with

13 The Big Challenges Security Compliance versus Security Compliance Resources Existing solutions.

14 Are often mismatched IT CHALLENGES Increased security risks Compressed response time Uptime visibility Escalating costs Cloud, on-premise, hybrid Higher user expectations EXISTING SOLUTIONS Not designed for cloud Legacy silo solutions Non-real time insights Multiple tools Lack of reporting flexibility Unknown cost Visualise a diverse landscape

15 The IT Landscape Has Evolved Internet of Things Physical Infrastructure Consumerisation DevOps Physical Switches Physical Servers Virtual Infrastructure Thousands of Devices Hundreds of Apps Deployed Generating Billions of Events per day and TBs of Data Cloud Infrastructure Public Cloud Private Cloud Mobile SaaS Virtual Networks Virtual Servers Big Data Understand the value

16 Other Challenges. Understanding the risks Means understanding the value Getting executive sponsorship* Don t proceed without sponsorship! Being blinded by science, must be business led with support and buy-in from IT Misconceptions

17 Common Misconceptions SIEM is too technical: SIEM is 9/10 s Process SIEM is expensive: This was true 5-8 years ago, costs have reduced dramatically, awareness is higher this has created a larger market SIEM is someone's else's responsibility: Knowing, who, what, where and when has become an obligation on all data owners/aggregators (i.e any organisation) I have firewalls, so I am safe: Firewalls only as good as the operator, sophisticated application level attacks exploit open doors Lets break it down

18 SIEM Dismantled We are under attack! We found suspicious activity What do we do? Who do we tell? Now what? It is not my problem. Tell someone else (Great tools and great people are a good start) How should we see SIEM

19 Perspective Your Staff Your Customers Your Partners & Suppliers Your Systems SIEM Service Processes Policies Vetted People Leadership & Escalation Wrapping up

20 Almost there.3 Business Benefits 1.SIEM brings you closer to the truth 2.SIEM helps both Security and Compliance teams The force multiplier 3.SIEM is a real-time magnifying glass You wont know what you did without it Key Takeaways

21 Next Steps & Takeaways Get sponsorship Check where you are most at risk Find a partner - not just a supplier Agree terms, scope internally - don t boil the ocean, understand this is a continual improvement process Always: Strategise Plan Act in that order! Lets break it down