Concierge SIEM Reporting Overview




Table of Contents

Introduction ... 2
Inventory View ... 3
Internal Traffic View (IP Flow Data) ... 4
External Traffic View (HTTP, SSL and DNS) ... 5
Risk View (IPS Alerts and Vulnerabilities) ... 8
Perimeter Security View ... 10
Identity View ... 11
Ad Hoc Requests ... 13
Summary ... 14

2014 Arctic Wolf Networks 1

Introduction

As a Concierge SIEM™ (Security Incident and Event Management), the Arctic Cloud and related network vsensors collect, normalize and correlate security events for analysis, producing actionable security intelligence that Concierge Security Engineers (CSEs) deliver to customers. The primary data sources are Inventory, IP Flow, HTTP, SSL and DNS network traffic, plus Vulnerability Assessment and an IDS/IPS, with the option of packet captures for deeper analysis when required. The intersection of multiple security data sources supports critical security controls for continuous network security monitoring and protection, including the detection of threat opportunities and infections.

Security Data Views within the Arctic Cloud:
- Inventory Data (any IP-accessible device)
- Internal Traffic (IP Flows)
- External Traffic (HTTP, SSL, DNS)
- Risk Analysis (IPS Alerts, Vulnerabilities, Exploits)
- Perimeter Data (Firewall, Ports, Apps, Network Zones)
- Identity Data (Users, Groups, Hosts)

Arctic Wolf also imports third-party security intelligence and feeds from multiple sources, including open source data, commercial vendors and industry research reports. This paper contains samples of reporting within these views, which tap into a wealth of information that is also open to ad hoc requests and analysis. Arctic Wolf uniquely provides Concierge Security Engineer (CSE) services as part of its solution, pairing security expertise with reporting data for comprehensive analysis, alerts and actionable security intelligence.

Arctic Wolf Concierge SIEM Features:
- SIEM-as-a-Service: a cloud service to manage security incidents and events
- Security Engineer(s): your security concierge and expert
- Actionable Security Intelligence:
  o Security event management focused on threat opportunities and infection
  o Behavioral analysis of network traffic for anomalies and suspicious events
  o Baseline of inventories, traffic flows, vulnerabilities, apps and user profiles
  o Security summary and detail profile reports highlighting key events and risks
  o Ad hoc queries for increased visibility and knowledge

Arctic Wolf Concierge SIEM Benefits:
- No capital expense
- No systems to install, trial or manage
- No mountains of data to analyze
- No SIEM or query expertise required
- Secure in the knowledge you are protected
- Prepared for security incident analysis and response

Inventory View

Key to critical security controls is knowing yourself as well as the enemy. Inventory data provides an important baseline for systems, networking equipment, end-user devices, printers or basically anything with an IP address. Attackers commonly look for new systems via scanning and assess them quickly, as such systems are likely not fully protected as they come online. End users may also deploy test systems for short-term use, new Wireless Access Points (WAPs), small firewalls or other network-enabled devices without IT notification or security controls. Working with your CSE to identify critical systems, data stores, user profiles, network mapping and expectations for new or dropped devices increases the depth and value of risk assessment.

An example of reporting within the Inventory View is a Network Summary: The Network Summary report provides a table of core network device groups (group label, subnet/ranges, number of devices), plus, for each group, a mapping of which network groups it accesses and which networks access it, highlighting network access between groups and to and from the Internet.

Another example is a Device Summary:

Internal Traffic View (IP Flow Data)

IP Flow data from common exporters (e.g. vsensors, firewalls, switches, routers) provides a wealth of information for security analysis, as well as for overall bandwidth usage and performance investigation. This data source also enables detection of scanning and recon, large data transfers, possible data theft and botnet communications, plus analysis of user activities. Correlating it with inventory data enables forensic analysis of Indicators of Compromise (IOCs), with the ability to find attack pivot points and reconnaissance to determine the depth and breadth of an attack. Security labs frequently publish IOC details on attacks that can be analyzed against archived IP Flow data to determine possible impact.

An example of reporting within the Internal Traffic View is a Scanning Devices Summary: This summary provides profiles of devices scanning (device, network group, scan type, target count and IP Flow count), plus devices being scanned (device, network group, scan type and number of scans), plus a summary of actionable alerts with date/time, status, alert, ticket number and notes.

External Traffic View (HTTP, SSL and DNS)

HTTP and SSL are the foundation for data communications on the web. Driven mainly by web browsers and increasingly by apps, this data source is extremely valuable for continuous security monitoring and protection. Attack kill chains often begin with lures that socially profile users via web, email and social networking and invoke hidden web redirects to exploit kits designed to find exploitable vulnerabilities in target systems. Given an open door, dropper files infect the host and provide an attack pivot point for recon, C2 communications and malware delivery. Inbound and outbound web traffic analysis is critical; unfortunately, many defenses only rate inbound web traffic.

An example of reporting within the External Traffic View is the Reputation Class Overview:

This overview provides profiles of specific reputation classes for top users and devices, with a bandwidth profile, top destination hosts, a protocol distribution chart and a geo-destination traffic map, plus a summary of actionable alerts with date/time, status, alert, ticket number and notes.

The Domain Name System (DNS) is the phone book that maps user-consumable destination names into IP addresses for machine delivery. DNS cache poisoning, international font types that disguise characters in domain names, and typo-squatting domains all enable the redirection of users to malicious destinations. Attacks on DNS accounts have enabled attackers to quickly change the destinations of popular web sites, harvesting a large number of users within minutes or hours. More recently, DNS communications have been used to hide C2 communications from detection.

An example of reporting on DNS traffic within the External Traffic View is the DNS Summary: This summary provides tables of corporate-required DNS servers (name, requests, bytes, devices, users and notes), rogue DNS servers with reputation, and devices using rogue DNS servers (device, requests, bytes, reputation profile and notes), plus a table of actionable alerts by device with ticket number and notes.
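As an added example (not Arctic Wolf's code), the following Python derives both the Scanning Devices Summary described under the Internal Traffic View and the rogue-DNS-server tables of this DNS Summary from a set of constructed IP Flow records; the flow fields, scan thresholds, addresses and the sanctioned resolver list are assumptions made for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    src: str      # source device
    dst: str      # destination device
    dport: int    # destination port
    bytes: int

# Constructed sample flows, not customer data: 10.0.1.5 sweeps port 445 across
# 40 hosts, 10.0.1.9 walks 30 ports on one host, 10.0.2.7 uses an outside resolver.
FLOWS = (
    [Flow("10.0.1.5", f"10.0.3.{i}", 445, 60) for i in range(1, 41)]
    + [Flow("10.0.1.9", "10.0.3.10", p, 60) for p in range(1, 31)]
    + [Flow("10.0.2.7", "10.0.0.53", 53, 120)] * 5
    + [Flow("10.0.2.7", "198.51.100.7", 53, 130)] * 3
    + [Flow("10.0.2.8", "10.0.0.53", 53, 110)] * 4
)
CORPORATE_DNS = {"10.0.0.53"}    # resolvers the organisation sanctions (assumed)
HORIZONTAL_MIN_TARGETS = 20     # thresholds are assumptions for this example
VERTICAL_MIN_PORTS = 15

def scanning_devices(flows):
    """Per source: scan type, distinct targets, distinct ports and flow count.
    Horizontal = one service probed on many hosts; vertical = many ports on one host."""
    targets, ports, count = defaultdict(set), defaultdict(set), defaultdict(int)
    for f in flows:
        targets[f.src].add(f.dst)
        ports[f.src].add(f.dport)
        count[f.src] += 1
    report = {}
    for src in targets:
        kind = ("horizontal" if len(targets[src]) >= HORIZONTAL_MIN_TARGETS
                else "vertical" if len(ports[src]) >= VERTICAL_MIN_PORTS else None)
        if kind:                       # ordinary traffic is not reported
            report[src] = {"scan_type": kind, "target_count": len(targets[src]),
                           "port_count": len(ports[src]), "flow_count": count[src]}
    return report

def scanned_devices(flows, scanners):
    """Per target: number of flows received from the identified scanners."""
    hits = defaultdict(int)
    for f in flows:
        if f.src in scanners:
            hits[f.dst] += 1
    return dict(hits)

def dns_servers(flows, corporate=CORPORATE_DNS):
    """Per resolver on port 53: requests, bytes, client devices and rogue flag."""
    report = defaultdict(lambda: {"requests": 0, "bytes": 0, "devices": set()})
    for f in flows:
        if f.dport == 53:
            r = report[f.dst]
            r["requests"] += 1
            r["bytes"] += f.bytes
            r["devices"].add(f.src)
    for server, r in report.items():
        r["rogue"] = server not in corporate
    return dict(report)
```

Running `scanning_devices(FLOWS)` flags 10.0.1.5 as a horizontal scanner and 10.0.1.9 as a vertical one, and `dns_servers(FLOWS)` marks 198.51.100.7 as a rogue resolver used by 10.0.2.7.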

Risk View (IPS Alerts and Vulnerabilities)

The traditional IDS/IPS has advanced into a network security monitoring system able to detect protocols on any port and apply the correct rules and logging, log HTTP requests, log and store TLS/SSL certificates and analyze handshake variables, extract and store files, match keywords, and use PCAP for full packet captures providing deep content analysis. It can also apply IP reputation ratings, use MD5 file hash sums, file type, size and magic bytes in rules, and detect less-than-reputable certificate authorities. This makes the modern IPS a command-and-control (CnC) and malware hunter unlike any other tool.

An example of reporting on IDS activity within the Risk View is the IDS Summary: This summary provides profiles of top IDS alerts noting the number of devices, occurrences and direction, plus tables of top alerts by device, user and device type/OS. An event action log summary notes date/time, status, device/IP, alert and notes.

Identifying and correcting the root cause of vulnerabilities is key to a vulnerability management program, which may also include penetration testing, grey-box application testing, web application testing and security training. The end goal is identifying weaknesses in patch management, firewall and router configurations, minimum security baselines, policies and procedures. Overwhelming reports of detected vulnerabilities often lead to the practice of addressing only high-risk findings to limit the workload. However, risk profile analysis shows that vulnerabilities with automated exploits, whatever their risk rating, are the most dangerous and should receive immediate attention. In the end, vulnerability assessment without remediation has little value.

An example of reporting for Vulnerability Assessment within the Risk View is the Vulnerability Summary: This summary provides a profile of high-risk vulnerabilities, where risk is a function of resource value, exposure, vulnerability severity, age and availability of exploit/automation. The table notes vulnerability, device, CVE identifier, risk score and the associated variables.
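To illustrate the prioritization argument above, here is an added Python example (not Arctic Wolf's scoring model) that ranks constructed findings by a risk score built from the five factors the Vulnerability Summary names, and always places findings with automated exploits first; the weights, placeholder vulnerability identifiers and device names are assumptions.

```python
from dataclasses import dataclass

# Illustrative weights chosen for this example; they are not Arctic Wolf's model.
EXPLOIT_WEIGHT = {"none": 1.0, "poc": 1.5, "automated": 2.5}
EXPOSURE_WEIGHT = {"internal": 1.0, "dmz": 1.5, "internet": 2.0}

@dataclass(frozen=True)
class Finding:
    vuln_id: str       # placeholder identifier, not a real CVE number
    device: str
    cvss: float        # vulnerability severity, 0-10
    asset_value: int   # resource value, 1 (low) to 5 (critical)
    exposure: str      # where the device is reachable from
    age_days: int      # days the vulnerability has been known and unpatched
    exploit: str       # "none", "poc" or "automated"

def risk_score(f: Finding) -> float:
    """Risk as a function of resource value, exposure, severity, age and exploit availability."""
    age_factor = 1.0 + min(f.age_days, 365) / 365   # longer unpatched is riskier, capped at x2
    return round(f.cvss / 10 * f.asset_value * EXPOSURE_WEIGHT[f.exposure]
                 * age_factor * EXPLOIT_WEIGHT[f.exploit], 2)

def prioritise(findings):
    """Remediation order: any finding with an automated exploit comes first,
    whatever its severity rating; the remainder follow by descending risk score."""
    return sorted(findings, key=lambda f: (f.exploit == "automated", risk_score(f)),
                  reverse=True)

FINDINGS = [  # constructed sample findings
    Finding("VULN-A", "web01", 9.8, 3, "internet", 10, "none"),
    Finding("VULN-B", "fileshare02", 5.3, 5, "internal", 200, "automated"),
    Finding("VULN-C", "kiosk07", 7.5, 1, "internal", 400, "poc"),
    Finding("VULN-D", "vpn01", 6.1, 4, "internet", 30, "automated"),
    Finding("VULN-E", "printer03", 4.3, 1, "internal", 5, "automated"),
]
```

`prioritise(FINDINGS)` places VULN-E, a low-value internal host with a medium CVSS score, ahead of the critical-severity VULN-A because an automated exploit exists for it.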

Perimeter Security View

While the concept of a single perimeter has faded and the perimeter should be viewed as one security layer in a honeycomb design, it remains important to secure. Virtualized cloud apps and BYOD are distributing where security perimeters exist and changing the definition to multiple security perimeters. For a fragmented IT data center, the concept of identity as the new security perimeter is surfacing. Locks on the doors remain important even if you have data secured in a safe; these security concepts should work together to defend and reduce risk. Smaller businesses with flat network designs should be even more inclined to secure their perimeter, as one infection provides a pivot point to the majority of systems.

An example of reporting within the Perimeter Security View is the Firewall Audit: This audit report exposes observed firewall policies for source and destination network groups (from the Network Summary, or IP ranges), service, direction and action, with a heartbeat chart of bandwidth for the reporting period.

Identity View

Given the growth of BYOD mobile devices, virtualized cloud apps and fragmented data centers, identity is becoming a new security perimeter. Initial logins are becoming very important because of federated authentication and single sign-on (SSO) access. Correlating the activity of top users and groups with adjacent security information silos is an important perspective.

An example of reporting for the Identity View is a User Focus report:

This user detail focus report provides a user network presence map, bandwidth profile, protocols and usage map, devices accessed, risk factor trending (logins, reputations, AUP violations, SSL certs, bandwidth), SaaS app profile, traffic reputation map and geo-destination traffic map.

Ad Hoc Requests

The Arctic Cloud platform collects and correlates information across multiple security data silos that normally exist within individual solutions, often from different vendors. This ability to associate two or more data elements from various silos into a reporting view is unique, and there is no fixed limit to what can be analyzed. It becomes valuable for determining risk in proactive security assessments and in forensic analysis of incidents, or when leveraging IOCs to determine impact. Concierge Security Engineers (CSEs) working with our customers are key to surfacing new areas of reporting.

An example of Ad Hoc Request reporting is a Device Focus Report:

This device focus report provides a device services profile, protocols and usage map, user logins, IP address usage, uptime, OS profile, vulnerability count, bandwidth profile, risk factor trending, inbound/outbound security events, traffic reputation map and geo-destination traffic map.

Summary

Our objective is to provide actionable security intelligence delivered by Concierge Security Engineers without the cost, complexity and overhead of a SIEM. This paper shows a few examples of reporting from our security data views; a trial and security audit provide a richer experience for your network and data. Contact us for more details at info@arcticwolf.com or 1-888-ARCTICWOLF.