Ross Spooner
Cyber Security for Government Conference, 6 August 2013

What is SIEM?
- Security Information and Event Management
- Centralised security log management
- Long-term storage, analysis and reporting
- Real-time monitoring, alerting, correlation and dashboards
- Comes in a software format or as an appliance
Source: www.compushare.com/solutions/network-security/
Fundamentals
Security Monitoring Process (diagram labels): Collection, Analysis, Escalation; Events: Monitor, Assess; Alerts: Investigate, Incident Management, Incident Response.
- Which security events and alerts require my attention?
- How do I obtain meaningful information from the events collected from the ever-increasing number of devices across my enterprise?
Evaluation Process
- Where to look for inspiration? Industry analysts and market observations; within Gov't and the private sector with similar technology
- What are we really trying to achieve?
- Requirements: who are we trying to satisfy?
- Software vs appliances?
- Proof of concept: realistic, with multiple log sources and use cases
Drivers
Requirements:
- Functional and non-functional requirements
- Log sources: platforms, systems and applications
- Deployment scale
- Budget
- Resources
- Real-time monitoring and reporting
- Administration and analytics

Home Team Duties
- SIEM stakeholders are IT Security, Technical Operations, Audit, Compliance
- Functional requirements and scalability must be known at purchase time
- Road map into the future
- Solution to match your capabilities
- Identify what you don't know: services to cover capability gaps
- Use case development

Vendor Selection
- Event collection and management
- Monitoring, analysis and alerting
- Built-in functionality
- Scalability and storage
- Minimal performance impact
- Ease of use with a user-friendly interface
- Support within Australia
- Software or appliance
Revenue and Growth: chart of SIEM market revenue ($ millions) and percentage growth, 2006 to 2012 (chart data not reproduced). Data sources: Frost & Sullivan, the Growth Partnership Company; Gartner Core Research Notes, Gartner Inc.
Gartner Magic Quadrant
Niche Players:
- Smaller or regional vendors
- More specific or narrow focus
- May have a small or shrinking user base
Challengers:
- Well funded, good revenue
- Strong execution capabilities
- Typically haven't demonstrated rich capability or track record
Visionaries:
- Good functional match to market requirements
- Lower execution capabilities, well funded
- Smaller installed base, revenue, viability or growth
Leaders:
- Good functional match to market requirements
- Good installed base, revenue stream and growth
- Superior execution of anticipated requirements and service

Retrospective Look: 2008 to 2013
Source: Magic Quadrant for Security Information and Event Management. Gartner Core Research Notes. Gartner Inc. 2008, 2009, 2010, 2011, 2012, 2013.
HP ArcSight
- ArcSight acquired in 2010
- ESM for large-scale deployments
- Express appliance for midsized deployments
- Connector and Logger appliances
- CORR replacing Oracle
- Feature rich but most complex
- Complete set of capabilities

IBM QRadar
- IBM acquired Q1 Labs in late 2011
- Juniper appliances (STRM)
- Good general SIEM capabilities
- Straightforward to deploy and maintain
- Behaviour analysis for NetFlow and log events

McAfee ESM
- Acquired NitroSecurity in 2011
- Integration within the product stable
- High-performance analytics under high event rates
- Network-based packet inspection

LogRhythm
- Appliances and software
- Scalability
- Light and nimble
- Good fit for limited deployment and support resources
- Wizards for fast deployment

Symantec SSIM
- Integrates with SEP
- DeepSight provides threat and vulnerability data
- Narrow fit
- Modest development

EMC-RSA
- Early success; now mostly replaced
- enVision to Security Analytics
- Based on the NetWitness platform
- Watch this space!

NetIQ Sentinel
- Acquired Novell in late 2010
- Based on Sentinel
- Agent and content technology from Security Manager
- Integration within the product stable
- Large-scale processing in highly distributed environments
Log Management
- Poor log management predates SIEM
- Log management issues still exist: big data sets and archival; incomplete captures; auditing turned off; log format standards and specifications; application security logging
- SIEM is dependent upon the audit and logging regime
Distilling Events
- Three layers of architecture: event collectors; event indexing and storage; processing/management/admin/console
- Collection/storage is high volume, ranging up to 100K EPS
- Event processing runs against a subset (diagram: Collection, Storage, Processing)
- Aggregation and filtering consolidate to 10-20%
- What you collect isn't what you keep nor use!!

Event Collection
- Built-in support for most common devices
- Poor back-end systems capability (e.g. mainframe)
- Custom log sources: cost and expertise
- Events normalised into a proprietary format: makes migration difficult; raw logs still needed
- Adoption of a standard (CEF)

Filtering
- Correlation is faster against known bad events
- Log volumes can overwhelm SIEM systems
- SIEM licences are often based on EPS
Filtering at source:
- Best approach for log filtering
- Control: know what you log
- Lower system resource utilisation
Filtering at destination:
- Most practical and easiest to implement
- SIEM takes care of filtering
- Source devices will be generating tons of logs
- Higher system resource and bandwidth utilisation

Correlation
- Correlation is a vital and powerful analysis of: attack vectors; threat scenarios specific to you
- Start with built-in rules
- Understand, investigate, tune and then build
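As an added illustration of the collection, aggregation and correlation stages from the Distilling Events, Event Collection and Correlation slides (example code, not part of the presentation), the following Python parses CEF-style records such as a collector would normalise, aggregates identical events to show how stored volume shrinks below collected volume, and applies one built-in-style correlation rule. The records, vendor name, signature IDs and field names are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed CEF records (not from the presentation); signature 100 = failed login, 101 = success.
SAMPLE_EVENTS = [
    "CEF:0|ExampleFW|fw|1.0|100|Login failed|5|src=10.0.0.5 suser=alice",
    "CEF:0|ExampleFW|fw|1.0|100|Login failed|5|src=10.0.0.5 suser=alice",
    "CEF:0|ExampleFW|fw|1.0|100|Login failed|5|src=10.0.0.5 suser=alice",
    "CEF:0|ExampleFW|fw|1.0|101|Login success|3|src=10.0.0.5 suser=alice",
    "CEF:0|ExampleFW|fw|1.0|100|Login failed|5|src=10.0.0.9 suser=bob",
    "CEF:0|ExampleFW|fw|1.0|101|Login success|3|src=10.0.0.9 suser=bob",
    "CEF:0|ExampleFW|fw|1.0|200|Port scan|7|src=10.0.0.7 dpt=22",
    "CEF:0|ExampleFW|fw|1.0|200|Port scan|7|src=10.0.0.7 dpt=23",
]

HEADER_FIELDS = ["version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity"]

def parse_cef(line):
    """Split a CEF record into its 7 header fields plus an 'ext' dict (escaped pipes not handled)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line)
    parts = line[4:].split("|", 7)          # 7 header fields, remainder is the extension
    if len(parts) != 8:
        raise ValueError("malformed CEF header: %r" % line)
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    # extension is "key=value key=value"; a value runs until the next "key="
    event["ext"] = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]))
    return event

def aggregate(events):
    """Collapse identical (signature, source) events into a count per key: collected vs kept."""
    return Counter((e["signature_id"], e["ext"].get("src")) for e in events)

def correlate_bruteforce(events, threshold=3):
    """Correlation rule: a source with >= threshold failed logins followed by a success is flagged."""
    failures = defaultdict(int)
    flagged = []
    for e in events:
        src = e["ext"].get("src")
        if e["signature_id"] == "100":
            failures[src] += 1
        elif e["signature_id"] == "101" and failures[src] >= threshold:
            flagged.append(src)
    return flagged

def run(lines=SAMPLE_EVENTS):
    """Parse, aggregate and correlate; returns (collected, kept, flagged sources)."""
    events = [parse_cef(l) for l in lines]
    return len(events), len(aggregate(events)), correlate_bruteforce(events)
```

On the constructed input, eight collected events reduce to five stored records and only 10.0.0.5 trips the rule; bob's single failure followed by success stays below the threshold.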
SIEM is Only as Good as the Administrator
- Ecosystem maintenance and care
- Technical skills across ALL platforms and systems: across O/S and applications, and the SIEM itself
- Training
- Mentoring
- Specialist skills
- Managed service offerings
Hired Help
Now we've got SIEM we can...
- get rid of archiving native logs
- get rid of other similar software, like Splunk
- alert me whenever fraud occurs
- generate web application analytics reports
- tick that compliance box

Bandwidth/CPU Fails
- Uncompressed syslog over the network
- DNS lookups

Dashboard Fails
- Beware the colour red: default colours may send the wrong signals
- Dashboards MUST give info at a glance
- Clarity of alerts drives behaviour
- Not there just to look colourful!!

Dashboard Fails
- Don't be over-awed by sheer numbers!
- Forest and trees syndrome
- The devil is often in the detail

Return on Investment
- Managing SIEM is not simple
- Poor people investment = poor return
- SIEM is not a silver bullet: it identifies security issues, and needs response and remediation resources
SIEM is not about acquiring a tool, but about gaining intimacy with your logs and events, your configuration and business goals, commensurate with your environment and requirements.
People, not product, is the key to success.