State of SIEM: Challenges, Myths & Technology Landscape (presentation slides, 4/21/2013)

Agenda
- Introduction
- What's in a name? SIEM? SEM? SIM?
- Technology drivers
- Challenges & technology overview
- Deciding what's right for you
- Worst practices
- Q&A

What's a SIEM?

SIEM is the evolution and integration of two distinct technologies:
- Security Event Management (SEM): primarily focused on collecting and aggregating security events (a real-time task)
- Security Information Management (SIM): primarily focused on the enrichment, normalization and correlation of security events; another name for log management (a non-real-time task)

Security Information & Event Management (SIEM) is a set of technologies for:
- Log data collection
- Correlation
- Aggregation
- Normalization
- Retention
- Analysis and workflow

Three major factors drive the majority of SIEM implementations:
1. Security: real-time threat visibility
2. Operational efficiency
3. Compliance and/or log management requirements

Evolution 2005-2012 (SANS Annual Log Management Survey)
- 2005: 43% of those surveyed collected logs
- 2012: 91% of those surveyed collected logs
Stats courtesy: SANS

Industry Verticals (chart)

State of SIEM: Challenges

The SIEM promise:
- Turns security data into actionable information
- Provides an intelligent investigation platform
- Supports management and demonstration of compliance

The legacy SIEM reality:
- Antiquated architectures force a choice between time-to-data and intelligence
- Events alone do not provide enough context to combat today's threats
- Complex usability and implementation have caused costs to skyrocket

Security and Business Challenges

What are the security management challenges? Current operational mandates:
- Managing big security data
- Query response time: weak back-end data management systems
- Ability to respond quickly (e.g., reports take hours to generate)
- Lack of live interactive analysis
- Cost-effective enterprise scale: previous investments / technology are not scaling
- Reduce sustainment costs
- Improve situational awareness
- Leverage diverse security solutions
- Enhanced security posture

The Big Security Data Challenge (diagram)

The diagram scales from thousands of events up to billions of events:
- Thousands of events: perimeter; consolidate logs; correlate events
- Growing volume: compliance; historical reporting; large-volume analysis
- Billions of events: multi-dimensional, active trending; long-term analysis; APTs, cloud data, insider anomalies

Vendor Approaches
- "SEM is the real problem": focused on the SOC; the network is the computer; correlation is it
- "SIM is the real problem": focused on archival; compliance reporting

Vendor Approaches
- "Normalization is the key": parsers, a standard SQL schema, ever larger ODBC instances, vendor standards
- "Vulnerability is the key": what does it mean?
- "Netflow/Jflow is the key": another network-based approach
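What the SIEM definition above (collection, normalization, aggregation, correlation) and the "normalization is the key" vendor approach actually amount to in code, as an added example for this page. It is not code from the slides or from any SIEM vendor; the sample log lines are constructed, and the normalized field names (ts, host, user, src, outcome, source), the rule threshold and the window are this example's assumptions.

```python
"""Normalize log lines from two unrelated sources into one schema, then
aggregate and correlate across them.

Added illustration for this page; it is not code from the slides or from any
SIEM vendor. The sample log lines are constructed, and the normalized field
names (ts, host, user, src, outcome, source) are this example's assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed samples: Linux sshd syslog lines plus key=value lines in the style
# of a VPN/firewall appliance. Neither format knows about the other.
RAW_EVENTS = [
    "Apr 21 10:00:01 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Apr 21 10:00:03 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Apr 21 10:00:05 bastion sshd[2201]: Failed password for admin from 203.0.113.7 port 51024 ssh2",
    "Apr 21 10:00:09 bastion sshd[2203]: Accepted password for admin from 203.0.113.7 port 51030 ssh2",
    "ts=2013-04-21T10:01:00 dev=vpn1 action=deny user=bob src=198.51.100.9 reason=bad_password",
    "ts=2013-04-21T10:02:00 dev=vpn1 action=allow user=bob src=198.51.100.9",
    "Apr 21 10:05:00 bastion sshd[2210]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize(line, year=2013):
    """Parse one raw line into the common schema, or return None if no parser
    matches. Syslog carries no year, so the caller supplies it (assumption)."""
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['mon']} {m['day'].strip()} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
                "outcome": "success" if m["outcome"] == "Accepted" else "failure",
                "source": "sshd"}
    kv = dict(KV_RE.findall(line))
    if "ts" in kv and "action" in kv:
        return {"ts": datetime.fromisoformat(kv["ts"]), "host": kv.get("dev"),
                "user": kv.get("user"), "src": kv.get("src"),
                "outcome": "success" if kv["action"] == "allow" else "failure",
                "source": "vpn"}
    return None


def aggregate_failures(events):
    """Aggregation: failed logins per source IP, regardless of which product
    reported them. Only possible once both formats share one schema."""
    counts = defaultdict(int)
    for e in events:
        if e and e["outcome"] == "failure":
            counts[e["src"]] += 1
    return dict(counts)


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: at least `threshold` failures from one src against one
    host inside `window`, followed by a success from the same src on that host.
    Returns one alert per matching burst."""
    ordered = sorted((e for e in events if e), key=lambda e: e["ts"])
    failures = defaultdict(list)  # (host, src) -> timestamps of recent failures
    alerts = []
    for e in ordered:
        key = (e["host"], e["src"])
        if e["outcome"] == "failure":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "host": e["host"],
                           "src": e["src"], "user": e["user"],
                           "failures": len(recent), "ts": e["ts"]})
            failures[key].clear()  # one alert per burst, not one per later login
    return alerts


def run(lines=RAW_EVENTS):
    normalized = [normalize(line) for line in lines]
    return normalized, aggregate_failures(normalized), correlate(normalized)


if __name__ == "__main__":
    _, counts, alerts = run()
    print("failures per src:", counts)
    for a in alerts:
        print("ALERT", a)
```

The point worth noticing is where the work sits: two parsers, one schema, and the rule written once against the schema, so adding a third log source means adding a parser and nothing else. Two caveats for real deployments: a line that no parser matches should be kept as a raw event rather than dropped as it is here, and the rule above keys on (host, src), so a distributed attempt from many sources against one account would not trip it and needs a second rule keyed on the user.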

Generation 0: Traditional Log Management
- See log frequencies
- Search for logs
- Investigate logs after the fact

Generation 1: Log Management & Context
- See log frequencies
- Search for logs
- Visualize & investigate
- Correlate events
Context sources: device and application log files; authentication and IAM; events from security devices and endpoints; user identity; location; VA scan data; network flows; time; OS events
Outcome: detection of known suspicious patterns

Generation 2: Flow / Anomaly Detection and Content Awareness
- See log frequencies
- Search for logs
- Correlate events
- (Net)flow traffic information (anomaly detection)
- Content awareness (applications, database)
- Visualize & investigate
Flows indicate frequency and anomalies but miss the what, who and how.

Case for SIEM: APT

Without content-aware SIEM, APTs can evade detection and steal data. Timeline from the slide diagram:
- January: email sent; HTTP file download from External IP 1. Verdict: possible policy violation
- February: file share access to core IP
- March: FTP to External IP 2; internal services access denied. Verdict: user error

Future Evolution: Actionability

The same timeline with real-time content and advanced analytics:
- January: email sent; HTTP file download from External IP 1 flagged for unusual packet size. Actions: run vulnerability scan; quarantine actor (IPSP); quarantine bad actor at source and destination
- February: file share access to core IP by a system owner in the dev managers group; file downloaded, name and extension changed. Actions: quarantine file, add tag; investigate laptop (AV/DLP console)
- March: FTP to External IP 2 identified as communication with North Korea; internal services access denied, activity outside the norm. Actions: set server and laptop security to high
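The Generation 2 point that flows reveal frequency anomalies but miss the what, who and how, and the January/February/March timeline above, carried through as one added example. It is not code from the slides or from any vendor product: the flow records, context events, thresholds, stage names and field names are constructed assumptions, and the stage sequence mirrors the slide's story rather than any product's rule.

```python
"""Flow anomaly detection chained into a multi-stage correlation.

Added illustration for this page; not code from the slides or from any vendor
product. The flow records, context events, thresholds, stage names and field
names are constructed assumptions, and the stage sequence mirrors the
January/February/March story on the slides rather than any vendor's rule.
"""
from datetime import datetime
from statistics import median

# Constructed outbound flows for one workstation: ten ordinary HTTP sessions of
# a few KB each, then one 850 MB FTP transfer to an external address at 02:15.
FLOWS = [
    {"ts": datetime(2013, 3, 10, 9, m), "src": "10.0.0.42", "dst": "198.51.100.20",
     "dport": 80, "bytes": b}
    for m, b in enumerate([4200, 5100, 3900, 4700, 6100, 4400, 5000, 3800, 4600, 5200])
] + [
    {"ts": datetime(2013, 3, 12, 2, 15), "src": "10.0.0.42", "dst": "203.0.113.99",
     "dport": 21, "bytes": 850_000_000},
]

# Constructed context events from non-flow sources (mail gateway, file server).
CONTEXT = [
    {"ts": datetime(2013, 1, 8, 11, 0), "host": "10.0.0.42",
     "stage": "email_attachment", "detail": "invoice.pdf.exe"},
    {"ts": datetime(2013, 2, 20, 16, 30), "host": "10.0.0.42",
     "stage": "fileshare_access", "detail": r"\\core-fs\design"},
]

# Assumed sequence an analyst would want joined into one incident.
STAGE_ORDER = ("email_attachment", "fileshare_access", "anomalous_egress")


def robust_zscores(values):
    """Modified z-score, (x - median) / (1.4826 * MAD). Median and MAD are not
    dragged upward by the very outlier being hunted, unlike mean and stddev."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # all-equal baseline guard
    return [(v - med) / (1.4826 * mad) for v in values]


def flag_anomalous_egress(flows, threshold=6.0):
    """Per source host, emit an event for each outbound flow whose byte count
    is an extreme outlier against that host's own flows."""
    by_src = {}
    for f in flows:
        by_src.setdefault(f["src"], []).append(f)
    alerts = []
    for src, host_flows in by_src.items():
        scores = robust_zscores([f["bytes"] for f in host_flows])
        for f, z in zip(host_flows, scores):
            if z > threshold:
                alerts.append({"ts": f["ts"], "host": src, "stage": "anomalous_egress",
                               "detail": f"{f['bytes']} bytes to {f['dst']}:{f['dport']}",
                               "z": round(z, 1)})
    return alerts


def correlate_stages(events, max_span_days=120):
    """Per host, walk events in time order and advance through STAGE_ORDER.
    Reaching the last stage within max_span_days of the first yields one
    incident that carries the whole chain (the what, who and how)."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    incidents = []
    for host, evs in by_host.items():
        chain = []
        for e in evs:
            if e["stage"] != STAGE_ORDER[len(chain)]:
                continue
            chain.append(e)
            if len(chain) == len(STAGE_ORDER):
                if (chain[-1]["ts"] - chain[0]["ts"]).days <= max_span_days:
                    incidents.append({"host": host, "rule": "possible_exfiltration",
                                      "chain": chain})
                chain = []
    return incidents


def run(flows=FLOWS, context=CONTEXT):
    egress = flag_anomalous_egress(flows)
    return egress, correlate_stages(context + egress)


if __name__ == "__main__":
    egress, incidents = run()
    for e in egress:
        print("ANOMALY", e)
    for i in incidents:
        print("INCIDENT", i["rule"], i["host"],
              [(s["stage"], s["detail"]) for s in i["chain"]])
```

The flow stage on its own says only "this host sent far more than it usually does"; it is the join with the mail and file-server events that turns it into something an analyst can act on, which is the slide's argument for content awareness. Two caveats: the baseline here is the host's own flows including the outlier, which the median/MAD scoring tolerates but a rolling window from a prior period would be the normal choice; and an attribution such as the slide's "communication with North Korea" would come from threat-intelligence enrichment of the destination address, which this example does not perform.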

SIEM Magic Quadrant 2011 & 2012

Deciding What's Right for You
- Start with the real reason: monitor for PCI-DSS, protect web apps, monitor critical servers for suspicious logins
- Include log sources
- Size the environment
- Consider a phased approach

Deciding What's Right for You
- Describe essential SIEM features: which reports/trends, role-based dashboards, Netflow, change monitoring, search, etc.
- SEM? SIM? Ops? What is the main driver?
- Keep the requirements short: more than 10 pages? Go back and prune

SIEM Myths
- NOT a security product!! It's a tool to visualise your security posture
- It is intelligent by default!
- Does NOT control security products (as of now)
- Expensive with no ROI in sight!

Worst Practices (by project step)
- Determine the need
- Define scope
- Make a shortlist of vendors
- Conduct POC
- Deploy
- Use
- Expand

Worst Practices: Determine Need
- Skip this step, just buy something. Security? Compliance? Ops?

Worst Practices: Define Scope
- Be vague: real-time? Platforms? Log volume? Reports? Alerts? Usage?
- Assume you are the only stakeholder

Worst Practices: Shortlist Vendors
- Choose by initial price; ignore modules, support, training
- Accept the vendor's ROI formula
- Choose by relationship: "we already use their AV or OS or IDS"
- Choose by PowerPoint

Worst Practices: Conduct POC
- Don't bother
- Ignore the vendor completely
- Let the vendor dictate the POC
- Don't verify references

Worst Practices: Deploy
- Don't plan before the vendor shows up
- Demand admin access at the last minute
- Scramble to configure network/firewall
- Use any old hardware or software
- Surprise staff with the schedule
- Announce training at the last minute
- Ignore the vendor's recommendations (what do they know anyway?)

Worst Practices: Use
- Don't upgrade to new releases
- Don't invest in support contracts

Worst Practices: Expand
- Ignore vendor-provided best practices
- Never provide training to the actual users
- Don't designate a product owner
- Don't check for changed needs or scalability

Final Thoughts
- SIEM is the fastest adopted technology in the market
- Continuous evolution because of customer demands & market challenges
- SIEM is a typical IT project: planning early and often is key
- Match your needs to product features
- Conduct a pilot, verify claims
- Befriend your enemy (the vendor)

Q & A