Using SIEM for Real- Time Threat Detection



Similar documents
APPLICATION PROGRAMMING INTERFACE

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

Software that provides secure access to technology, everywhere.

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

What is Security Intelligence?

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

Enabling Security Operations with RSA envision. August, 2009

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

REVOLUTIONIZING ADVANCED THREAT PROTECTION

IBM QRadar Security Intelligence April 2013

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

Q1 Labs Corporate Overview

QRadar SIEM and FireEye MPS Integration

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

Splunk: Using Big Data for Cybersecurity

1 Introduction Product Description Strengths and Challenges Copyright... 5

SANS Top 20 Critical Controls for Effective Cyber Defense

Security Analytics for Smart Grid

Discover & Investigate Advanced Threats. OVERVIEW

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

Detect & Investigate Threats. OVERVIEW

Getting Ahead of Advanced Threats

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Extreme Networks Security Analytics G2 Vulnerability Manager

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

DYNAMIC DNS: DATA EXFILTRATION

Advanced Threats: The New World Order

After the Attack: RSA's Security Operations Transformed

Analyzing HTTP/HTTPS Traffic Logs

JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

Performing Advanced Incident Response Interactive Exercise

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

NitroView Enterprise Security Manager (ESM), Enterprise Log Manager (ELM), & Receivers

Information Technology Policy

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Information & Asset Protection with SIEM and DLP

HIGH-RISK USER MONITORING

Operational Lessons from the RSA/EMC CIRC: People, Process, & Threat Intel

Teradata and Protegrity High-Value Protection for High-Value Data

Extreme Networks Security Analytics G2 Risk Manager

CyberArk Privileged Threat Analytics. Solution Brief

The Next Generation Security Operations Center

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Effective Methods to Detect Current Security Threats

Leading The World Into Connected Security. Dipl.-Inform., CISSP, S+ Rolf Haas Enterprise Technology Specialist Content Lead EMEA

The Emergence of Security Business Intelligence: Risk

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

How To Manage Log Management

Niara Security Intelligence. Overview. Threat Discovery and Incident Investigation Reimagined

The Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst

Achieving Actionable Situational Awareness... McAfee ESM. Ad Quist, Sales Engineer NEEUR

RSA Security Analytics

Effective Methods to Detect Current Security Threats

How To Buy Nitro Security

IBM Security QRadar Vulnerability Manager

Concierge SIEM Reporting Overview

Defending Against Data Beaches: Internal Controls for Cybersecurity

Into the cybersecurity breach

STEALTHWATCH MANAGEMENT CONSOLE

Payment Card Industry Data Security Standard

Cyber Situational Awareness for Enterprise Security

Getting real about cyber threats: where are you headed?

SOLUTION BRIEF. Next Generation APT Defense for Healthcare

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Scalability in Log Management

SourceFireNext-Generation IPS

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

Metric Matters. Dain Perkins, CISSP

CAS8489 Delivering Security as a Service (SIEMaaS) November 2014

How to Secure Your SharePoint Deployment

Under the Hood of the IBM Threat Protection System

Find the needle in the security haystack

RSA, The Security Division of EMC. Zamanta Anguiano Sales Manager RSA

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

Actionable Security Intelligence: Preparing for the Next Threat with a Proactive Strategy

Evolution Of Cyber Threats & Defense Approaches

Metrics that Matter Security Risk Analytics

HP NonStop Server Security and HP ArcSight SIEM

Symantec Cyber Security Services: DeepSight Intelligence

What s New in Security Analytics Be the Hunter.. Not the Hunted

End-to-End Application Security from the Cloud

White Paper. Time for Integrated vs. Bolted-on IT Security. Cyphort Platform Architecture: Modular, Open and Flexible

Carbon Black and Palo Alto Networks

The session is about to commence. Please switch your phone to silent!

Eight Essential Elements for Effective Threat Intelligence Management May 2015

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE

NitroView. Content Aware SIEM TM. Unified Security and Compliance Unmatched Speed and Scale. Application Data Monitoring. Database Monitoring

Transcription:

Using SIEM for Real- Time Threat Detection Presentation to ISSA Baltimore See and secure what matters Joe Magee CTO and Co-Founder March, 27 2013

About us Vigilant helps clients build and operate dynamic, business-aligned security monitoring, threat detection and incident response capabilities. Focused on the enterprise-wide intelligence layer of security Specialized in SIEM since 2003 Pioneered a co-sourced model for SIEM management Vendor-agnostic PROGRAM MANAGEMENT Coordination of multi-faceted engagements MANAGED SERVICES FOR SECURITY MONITORING THREAT INTELLIGENCE CONSULTING AND ADVISORY SERVICES www.thevigilant.com 2

Agenda What s the potential for SIEM as a threat detection platform? SIEM s strengths as a platform Threat Intelligence Challenges with consuming threat intelligence data Choosing the right threat intelligence Solution architecture Benefits of marrying SIEM and Threat Intelligence Data SIEM Use Cases SIEM Case Study 3

Today s cyberthreat challenge THEN ATTACKS Threats evolve faster Orchestrated by smaller groups Series hackers of events involving networks of people Aimed at as many victims as possible Target specific people and organizations Targeted specific device types Motivated by financial, political, competitive, Aimed to disrupt network thwart worker productivity or national intelligence interests WE NEED: DEFENSE NOW Smarter alerts Prioritization GOAL: KEEP BAD STUFF OUT GOAL: MINIMIZE DAMAGE/RISK Better incident analysis Protect at the perimeter & handling Assume you are always infiltrated All assets treated equally Risk-focused on critical data & assets Used signature-based tools & logic Layered defenses, advanced correlation, transaction-oriented monitoring 4

Benefits of SIEM Technology REFERENTIAL SOURCES blacklists assets ERP vuln SIEM technology in the organization offers many benefits including: Single pane of glass for all security event data monitoring Operational efficiency in Security Operations and Incident Response Regulatory compliance reporting Detection of policy violations and associated threats Fraud and business risk mitigation REFERENTIAL DATA SIEM Alerts & Reports REAL-TIME DATA SIEM DATA SOURCES firewalls IDS windows antivirus The Most Successful SIEM Implementations marry referential data sources with real-time data to enable true business context and actionability 5

SIEM: Powerful security intelligence technology SIEM provides rich real-time support for detecting and responding to infiltrations Compliance & Audit Support Produce audit-related reports Demonstrate adherence to policy & regulations Monitor controls to remediate audit findings Real-Time IT Security Management & Operations Improve staff efficiency through log aggregation Improve incident response through automation Accelerate remediation through improved workflow Enable post-incident forensics Validate effectiveness of security controls Business Risk Management Provide visibility into security status of key IT assets Identify indications of fraud or other cybercrime Reduce risks associated with new technologies & services 6

Threat intelligence? Is this information really intelligent? Too much data, too many sources Tied to specific security devices Inefficient to utilize Lacks contextual information Can SIEM be used to help solve this problem? 2012 Vigilant, Inc. not for duplication or distribution 3/28/2013 T50 7

Threat intelligence data quality issues Typical Open Source Feeds used in threat intelligence integration Many feeds report data that is either aged or is not currently tied to active malware participation. Much of the IP data reported is associated with major hosted servers (i.e. Yahoo, Google). Filtering and validation is absolutely necessary to ensure that data leading to identification of a security incident is valid. 8

Turning threat information into threat intelligence INFORMATION: Knowledge communicated or received concerning a fact or circumstance. INTELLIGENCE: A discipline that exploits a number of information collection and analysis approaches to provide decision-making guidance. High quality data Analytical risk scoring Available to the right people Supported by contextual information and research tools Enables Security Operations to: Prioritize remedial action Streamline incident handling Prevent or minimize damage Am I getting the right data? Is it accurate and easy to use? What needs attention first? What resources will be impacted by this threat? Who needs to use it? What is the most effective integration point? Is the data relevant to us? Can I quickly construct a picture of what s occurring? Can I easily get additional information and support? 9

Considerations for choosing feeds DATA AGGREGATION AND ENRICHMENT REQUIREMENTS AND USE CASE DESIGN DATA SOURCES DISTRIBUTION DATA UTILIZATION What threats are important to monitor for, and how will you detect them? What range & categories of data will you need? ADVANCED PROCESSING & ANALYTICS Are the feeds in the right format for your useage model? What integration points? Who will consume it? What does the provider do to enrich, update & validate? SUPPORT What analysis support does the provider offer? 10

Solution: SIEM infused with Threat Intelligence The more advanced your SIEM deployment is, the more value you can get from threat intelligence. Asset, HR, and other business data enable risk-aware monitoring, insider threat and privileged user monitoring, fraud detection, and other advanced use cases. Real-time threat detection requires Typical IT security data sources Additional, commonly available data Appropriate external threat intelligence, directly into SIEM, or secondarily through other source devices THREAT INTELLIGENCE FEEDS REFERENTIAL SOURCES REFERENTIAL DATA IP Add DNS Email URI Domain blacklists assets ERP vuln SIEM REAL-TIME DATA Commonly-accessible data sources are needed to provide the foundation for threat detection use cases STANDARD SIEM DATA SOURCES REQUIRED DATA FOR THREAT INTEL firewalls IDS windows antivirus DNS proxy smtp http 11

Top ten intelligence use cases for SIEM 12

Case Study: Regional Retail Chain CUSTOMER PROFILE: Retail convenience store chain in US mid-atlantic region 16,000 employees; $5.89B revenue; Forbes largest private companies list KEY BUSINESS OBJECTIVE: To establish SIEM-based monitoring that is more actionable through correlation with external threat data. To identify threats that may already exist within their environment SOLUTION: Build aninternal threat intelligence capability by leveraging third party feed providers (multiple providers) Integrate the feed data into SIEM for the purpose of real-time correlation and alerting. BENEFITS: Organization was able to identify and quarantine a number of systems that were compromised that had Anti Virus running and were behind a firewall/proxy. Organization was able to prioritize the focus of their incident response team on alerts that were actionable and of high priority to the group.

QUESTIONS / DISCUSSION Joe Magee CTO and Co-Founder Office Number: (201) 324-1800 x202 Cell Number: (617) 921-8671 Email: jmagee@thevigilant.com 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information