1. A few general security slides
2. What is a SIM and why is it needed
3. What are the features and functions of a SIM
4. SIM evaluation criteria
5. First Q&A
6. SIM Case Studies
7. Final Q&A

Brian T. Contos, CISSP
Chief Security Officer - ArcSight Inc.
02.15.2005
Over-confidence in existing security measures: GAMMA GUPPY, the NSA eavesdropping program in the Soviet Union during the Cold War.

Complexity of security beyond the bits & bytes: a multi-billion dollar, international company based in California + a corporate e-mail server for European employees in France + a German citizen who was an executive in Germany + a breach of the e-mail server from a Dutch facility = global jurisdiction.

History of threats
The 80s through 90s brought us viruses, worms and DOS attacks that impacted organizations and individuals. The late 90s through 2004 brought us more of the same, plus Blended Threats, Limited Warhol Threats, Worm-Driven DDOS, and Infrastructure Hacking that has spread to a regional and sector level. Predictions for the near future are Flash Threats, Massive Worm-Driven DDOS and Critical Infrastructure attacks that will have a global impact with little to no warning.
Source: The Executive Guide to Information Security
Blended Threats: Capable of utilizing multiple paths (e-mail, network shares, web, wireless, cell phones, Bluetooth, etc.) to spread and exploit. To date, most attacks take days or even months to spread, and the time between discovering a vulnerability and an exploit being available is months. Blended threats like Nimda and Code Red changed all that, with attacks propagating in just hours; this pushed the upper limits of human response, even though these threats had a vulnerability window of many months.

Warhol Threats: In 2002 Nicholas Weaver at UC Berkeley published a theoretical paper called Warhol Worms, describing how the entire Internet could be brought down in 15 minutes. The Slammer Worm incorporated these theories and spread quickly, doubling its infection rate every 8.5 seconds; within 10 minutes 90% of all vulnerable hosts were compromised (75,000 hosts, causing massive outages, especially in the financial and airline industries). Patches to protect against Slammer were available months before the attack, but if you weren't secure, human response was very difficult.

Flash Threats: This has not happened yet. Human response is impossible; only automated response is possible. They will spread very quickly, within seconds to minutes, and the vulnerability window will be less than a day. Currently the smallest vulnerability window has been the Witty Worm, with a 2-day vulnerability window. These attacks may also be targeted rather than general, unlike the Nimda and Klez worms, which still did a significant amount of damage.

The vulnerability window will decrease:
- Savvy Programmer: Weeks - Months
- Organized Crime and Terrorist Organizations: Days
- Nation/State Threats: Hours
Source: The Executive Guide to Information Security
Source: http://www.kkipc.com NGC Security Cisco Systems
SIM in a Nutshell
- Risk discovery
- Vulnerability assessment
- Correlation of relevant information
- Allowing for comprehensive, real-time, expert security information analysis
- A vehicle to communicate compliance
- A mechanism for remediation
Why is SIM needed? That depends on where you want to go with it.

"Would you tell me, please, which way I ought to go from here?"
"That depends a good deal on where you want to get."
"I don't much care where."
"Then it doesn't matter which way you go."
- Lewis Carroll, Through the Looking Glass
Some Common Business Drivers

"My job has expanded from keeping our business safe to convincing people that our business is trustworthy." - Fortune 500 Chief Security Officer

- Protect Critical Business Assets
- Revenue Generation
- Employee Retention
- Too Much Information
- Reduce Risk and Measure Security
- Security is required by partners and customers
- Competitive Differentiator
- Regulatory Compliance
- Security is now 24/7 Mission-Critical
- Reduced Operational Cost and Increased ROI
- Not having a SIM costs too much time and money
- Comprehensive Executive Reporting on Overall Security Posture
- Cross-departmental Security Incident Workflow Management and Tracking
Some Common Technical Drivers (feeding Security Information Management (SIM))
- Logs
- Asset & Vulnerability Management
- Watch for and remediate malicious traffic
- Less console face time
- Alerting & Notification
- Event Visualization
- Detailed Reporting
- Policy Monitoring and Enforcement
- More & Complex Attacks at an Increasing Rate
- Reproducible Incident Response
- Forensics and Real-time Investigation
SIM Features & Functions
25,000 ft View of a SIM Architecture: SIM Manager, Discovery, Reporting, Correlation, Backups
Event Collection and Storage Features
- Monolithic, Geographically Distributed and HA deployment options
- Deploy without modifying the existing infrastructure
- Normalize every alarm and alert into a common security schema for holistic cross-vendor correlation
- Set severity according to a common taxonomy
- Aggregation & Filtering to reduce unwanted traffic
- Support a full range of device types, protocols and vendors, and add additional support in days to weeks
- Intelligently manage bandwidth to minimize network traffic
Event Processing: Three Dimensional Correlation

Inputs:
- Events: real-time events from heterogeneous devices
- Vulnerabilities: results of vulnerability scans & threat data
- Assets: device value, role, application, data, organization

Correlation across the three dimensions:
- Cross-Device Intelligence (Events): the IDS indicated a buffer overflow, the firewall indicated an FTP response
- Event Validation (Vulnerabilities): AND there is 100% confidence that the target is vulnerable
- Risk Management (Assets): AND the target is a financial application server, is subject to Sarbanes-Oxley and is mission critical
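The collection features above (normalization into a common schema, severity from a common taxonomy, dropping unwanted traffic) and the three-dimensional correlation on this slide, as an added example that is not ArcSight code. The two vendor log formats ("IDS-A", "FW-B"), the schema fields, the scan results and the asset model are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Common schema every raw alert is normalized into (assumed here, not ArcSight's own).
@dataclass
class Event:
    device: str     # originating device type
    src: str        # client / attacker IP
    dst: str        # target IP
    category: str   # common taxonomy category
    severity: int   # 0-10 on one scale set by the taxonomy, not by the vendor
SEVERITY = {"exploit/overflow": 8, "traffic/allowed": 1}

# Constructed raw log lines in two invented vendor formats ("IDS-A", "FW-B").
RAW = [
    "IDS-A alert 'FTP buffer overflow attempt' 10.0.0.5 -> 192.168.1.20:21 prio=1",
    "FW-B ACCEPT tcp 192.168.1.20:21 -> 10.0.0.5:40211 app=ftp-response",
    "FW-B ACCEPT tcp 192.168.1.30:80 -> 10.0.0.9:51000 app=http",
]

def normalize(line):
    """Map each vendor format onto the common schema; unknown lines are dropped."""
    m = re.match(r"IDS-A alert '.*overflow.*' (\S+) -> (\S+):\d+", line)
    if m:
        return Event("ids", m.group(1), m.group(2), "exploit/overflow", SEVERITY["exploit/overflow"])
    m = re.match(r"FW-B ACCEPT tcp (\S+):\d+ -> (\S+):\d+ app=\S+", line)
    if m:
        return Event("firewall", m.group(1), m.group(2), "traffic/allowed", SEVERITY["traffic/allowed"])
    return None

# Second and third dimensions (constructed): scan results with a confidence per host, and the asset model.
VULNS = {"192.168.1.20": {"ftp-overflow": 1.0}}
ASSETS = {"192.168.1.20": {"role": "financial application server", "regulation": "Sarbanes-Oxley", "criticality": 3}}

def correlate(events):
    """Overflow alert AND target answered the attacker (cross-device) AND confirmed vulnerable AND asset value."""
    findings = []
    for e in events:
        if e.category != "exploit/overflow":
            continue
        answered = any(f.device == "firewall" and f.src == e.dst and f.dst == e.src for f in events)
        confidence = VULNS.get(e.dst, {}).get("ftp-overflow", 0.0)   # event validation
        criticality = ASSETS.get(e.dst, {}).get("criticality", 1)     # risk management
        priority = round(e.severity * (2 if answered else 1) * confidence * criticality)
        findings.append((e.dst, answered, confidence, priority))
    return findings

def run(raw_lines=RAW):
    events = [ev for ev in map(normalize, raw_lines) if ev]
    return correlate(events)
```

With the constructed input, the single overflow alert is raised to priority 48 because the target answered, the scan confirms the weakness, and the asset carries the highest criticality; the same alert against an unknown, unscanned host would score far lower.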
SIM Evaluation Criteria

Buzz words and marketing material make it hard to differentiate; make the SIM prove it:
- Talk to customer references
- Read independent reviews (Network Computing, Network World, Info World, etc.)
- Ask for a product demonstration
- Evaluate not just the product, but the vendor's reputation, financial status, and support
- SIM deployment should be in phases; also, there may be a desire not to use every SIM feature on day 1

Based on your organizational goals, decide what features, functions & benefits you need. Here are some common examples:
- Scalability, scalability, scalability
- Support of current and future point devices (security products, network gear, servers, physical security devices, access control systems, proprietary or legacy equipment, wireless, telephony)
- Runs on platforms that the IT staff is comfortable managing (Solaris, Windows, Linux, AIX, Mac)
- Correlation of Assets, Vulnerabilities, & Disparate Events with Prioritization & Categorization
- Linkage between technical and business drivers and integration into an overall security posture, including incident workflow, case management, policies, procedures, remediation, audits
- Executive Reporting and ad-hoc reporting
- Integration with preexisting network management, ticketing and notification systems
- Real Time and Forensic Analysis going back x months