Security Monitoring and Alerting: Managed Security Service Providers (MSSP) vs. Security Incident & Event Management (SIEM)

Transcription

1 Security Monitoring and Alerting: Managed Security Service Providers (MSSP) vs. Security Incident & Event Management (SIEM) ActiveGuard U.S. Patent Nos 6,988,208; 7,168,093; 7,370,359; 7,424,743; 2015 Solutionary, Inc. 7,673,049: 7,954,159; 8,261,347. Canadian Patent No. 2,436,096. October 27,

2 Attack Example (Forensics consulting customer, not monitoring customer) User received phishing User clicked on link, PC was infected with malware Attackers gained remote control of user s PC Attackers performed network reconnaissance Infection spread peer to peer to other systems Attackers analyzed documents on local hard drives and network shares Attackers found How to perform a wire transfer document Keyloggers used to get needed users credentials Using procedure document, attackers instigated and approved fund transfer to foreign bank This attack took more than 2 months from initial infection to final execution At no point did the network run funny 2

3 Two More Attack Examples Coca Cola Malicious software installed July 2013, detected January 2014 Hackers accessed sensitive files about attempted $2.4B acquisition of China Huiyuan Juice Company Deal never happened Fazio Mechanical malware attack began September, 2013 November & December of 2013, attackers used VPN connection to partner company to steal 40 million customers personal information $200 million in losses, 475 employees laid off Target s CIO resigns March, 2014; CEO resigns May

4 Cybersecurity Assumptions There are two kinds of organizations Those that have been hacked Those that don t realize they ve been hacked. Preventive vs. Detective controls Preventive controls (firewalls, IPS, Malware blockers, patching, etc.) should be used as much as possible. Some attacks WILL get past the preventive controls Detective controls, combined with operational response capabilities, are required for effective security 4

5 Log Monitoring Goals Log Retention Regulatory & audit compliance Data searches Legal evidence Near-Real-Time Alerting Detect cybersecurity events Reduce risk Financial Legal Reputational 5

6 Why is Alerting Hard? - Security Tuning The Tuning Challenge: Tight tuning few false positives, but may miss REAL events Loose tuning detects real events, but lots of false positives The Problem of False Positives: I ll waste time chasing false alarms I ll be slow to respond to real events I ll give up and ignore the system entirely When the BIG event comes, I won t catch it AND there will be a smoking gun record 6

7 The Options Customer Managed SIEMs Managed Security Service Providers Provider Managed SIEMs 7

8 Provider-Managed SIEM Advantages Retains investment in SIEM product Retains value of previous tuning Retains value of staff knowledge/training Disadvantages Does not optimize MSSP economies of scale Physical infrastructure Engineering staff Operations staff Retains maintenance and upgrade costs of SIEM product Inconsistent quality tends to be delivered as staff augmentation, not real managed service 8

9 Customer-Managed SIEM Tasks Installation Configuration Maintenance Tune IDS/IPS Create SIEM correlation rules Train analysts Update SIEM software Re-tune environment Challenges Expensive Hard to configure Limited view Hard to stay focused Staff coverage The problem of false positives Hard to retain personnel 9

10 SIEM Pros and Cons Advantages Maximum internal control Provides staff skill development Added staff has additional uses Disadvantages: High cost for required staff Training and development costs Need design, escalation, and management personnel High turnover in analysts Limited view / hard to maintain skills Hard to stay focused / staff reassignment No fall-back position 10

11 When SIEM is Needed Some Organizations Cannot or Will Not Allow Log Data to Leave Their Premises Department of Defense Other intelligence or security agencies Nuclear power plants Sites without Internet connections What s Needed for SIEM Success? DEDICATED staff More than one person assigned Senior management support Ancillary services global intel, forensics, etc. SIEM Guy SIEM Guy SIEM Guy 11

12 The MSSP Advantage Why is an MSSP Better? Specialization of roles Economies of scale: Shared physical infrastructure Shared engineering staff Shared analysts Shared global intelligence Broader visibility Focus Scalability/access to security experts Rapid implementation Knowledge transfer to internal staff 12

13 Cost Comparison Cost Breakdown SIEM MSSP Savings Initial One-Time Costs Security Information Event Management (SIEM) platform (including data storage) $892,500 Included SIEM Implementation Labor Costs $20,000 Included Computers and Software for Additional Employees $8,000 Included Initial SIEM Training $12,000 Included MSSP Fees/Charges $20,000 Total - Initial $932,500 $20,000 $912,500 Annual/Ongoing Expenses SIEM MSSP Savings SIEM Engineer $125,000 Included Security Analyst $80,000 $8,000 Personnel Management Cost $75,000 Included Security Engineering Costs $8,000 Included Maintenance and Support Contracts $44,625 Included Depreciation and Amortization $300,167 $6,667 MSSP Fees/Charges $550,000 Total - Recurring $632,792 $564,667 $68,125 13

14 Cost Comparison Over Time $1,400,000 $1,200,000 $1,000,000 $800,000 $600,000 $400,000 SIEM MSSP $200,000 $

15 Cost Comparison Over Time (Small Company) $300,000 $250,000 $200,000 $150,000 $100,000 SIEM MSSP $50,000 $

16 No Fall-Back Sunk Costs in Traditional Economics: Sunk costs are irrelevant. The only important factors are the goal to be achieved and the most cost-effective ways to achieve that goal. Sunk Costs in the Real World: Previous investments reflect on the judgment of the company s management. A change in direction or strategy may be perceived as a loss. The Result: Once a SIEM has been purchased, it is difficult to abandon that investment, even if it is not working effectively. 16

17 Provider-Managed SIEM (Revisited) Advantages Retains investment in SIEM product Retains value of previous tuning Retains value of staff knowledge/training Disadvantages Does not have MSSP economies of scale Real reason for selection try to avoid or delay recognition of failure of SIEM project Results in higher overall costs AND lower quality of service 17

18 Coexistence Running a SIEM and an MSSP in Parallel Ongoing Split-Function MSSP used for: Transition High-value devices Intelligent alerting Use SIEM and MSSP in parallel Build case for MSSP usage Retire SIEM when up for renewal/refresh SIEM used for: Low-value (or all) devices Post-hoc forensics 18

19 Q&A Questions? 19

20 Thank You! ActiveGuard U.S. Patent Nos 6,988,208; 7,168,093; 7,370,359; 7,424,743; 2015 Solutionary, Inc. 7,673,049: 7,954,159; 8,261,347. Canadian Patent No. 2,436,096. February 2, 2015