Redefining SIEM to Real Time Security Intelligence
David Osborne, Security Architect
September 18, 2012
It's not paranoia if they really are out to get you
- Malware
- Malicious Insiders
- Exploited Vulnerabilities
- Careless Employees
- Mobile Devices
- Social Networking
- Social Engineering
- Zero-Day Exploits
- Cloud Computing Security Threats
- Cyber Espionage
Reality of Compliance
- Audits happen quarterly or annually
- Effort and budget are spent to get compliant
- Little focus or process to stay that way
SIEM: The Great Correlator
Major SIEM Functions: Collect, Normalize, Correlate
- Collect log and event data from systems across the network: security devices, applications, OS, databases, end-point protections, etc.
- Normalize similar events across disparate data sources: login events from a VPN, OS, or application are all authentication events
- Correlate multiple events into known attack vectors or policy violations: multiple failed logins followed by a success indicates brute force access
- Eliminates the need for an analyst to try to piece together the event
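The Normalize and Correlate stages from this slide, worked through as an added example (not code from the deck or from any SIEM product): three constructed log formats (VPN, Linux sshd, a JSON application log) are mapped onto one "authentication" taxonomy, and the "failures followed by a success" rule is then evaluated over the unified stream so the brute-force pattern is visible even though no single source saw all of it.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three disparate sources (not real logs).
RAW_EVENTS = [
    ("vpn",   "2012-09-18T09:00:01 VPN auth-fail user=alice src=203.0.113.5"),
    ("linux", "2012-09-18T09:00:04 sshd[2211]: Failed password for alice from 203.0.113.5 port 51022 ssh2"),
    ("app",   '2012-09-18T09:00:07 {"event":"login","result":"FAILURE","user":"alice","ip":"203.0.113.5"}'),
    ("linux", "2012-09-18T09:00:09 sshd[2212]: Failed password for alice from 203.0.113.5 port 51030 ssh2"),
    ("vpn",   "2012-09-18T09:00:15 VPN auth-ok user=alice src=203.0.113.5"),
    ("linux", "2012-09-18T10:30:00 sshd[3001]: Accepted password for bob from 198.51.100.9 port 40000 ssh2"),
]
VPN_RE = re.compile(r"VPN auth-(?P<res>ok|fail) user=(?P<user>\S+) src=(?P<ip>\S+)")
SSH_RE = re.compile(r"sshd\[\d+\]: (?P<res>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)")

def normalize(source, line):
    """Map one source-specific line onto the common 'authentication' taxonomy."""
    ts_text, _, rest = line.partition(" ")
    if source == "vpn":
        m = VPN_RE.search(rest)
        outcome, user, ip = ("success" if m["res"] == "ok" else "failure"), m["user"], m["ip"]
    elif source == "linux":
        m = SSH_RE.search(rest)
        outcome, user, ip = ("success" if m["res"] == "Accepted" else "failure"), m["user"], m["ip"]
    elif source == "app":
        rec = json.loads(rest)
        outcome, user, ip = ("success" if rec["result"] == "SUCCESS" else "failure"), rec["user"], rec["ip"]
    else:
        raise ValueError(f"unknown source: {source}")
    return {"ts": datetime.fromisoformat(ts_text), "category": "authentication",
            "outcome": outcome, "user": user, "src_ip": ip, "source": source}

def correlate_brute_force(events, min_failures=3, window=timedelta(minutes=5)):
    """Alert when >= min_failures failures for the same (user, src_ip) precede a success within the window."""
    failures = defaultdict(list)          # (user, src_ip) -> [(ts, source), ...] of recent failures
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["src_ip"])
        recent = [(t, s) for t, s in failures[key] if e["ts"] - t <= window]
        if e["outcome"] == "failure":
            recent.append((e["ts"], e["source"]))
        elif len(recent) >= min_failures:
            alerts.append({"user": e["user"], "src_ip": e["src_ip"], "failures": len(recent),
                           "sources": sorted({s for _, s in recent}), "success_at": e["ts"]})
            recent = []                   # reset so one burst yields one alert
        failures[key] = recent
    return alerts
```

Running `correlate_brute_force([normalize(s, l) for s, l in RAW_EVENTS])` yields a single alert for alice whose four failures came from three different sources; bob's clean login produces nothing.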
Redefining SIEM: Security is a Process, not a Product
- Each stage supports the next
- A weak link breaks the process
- Tools need to automate each stage
- Integration provides actionable intelligence
Legacy SIEMs are Limited
- Risk Assessment limited to VA scan data
- Threat Detection limited to event correlation
- Incident Response limited to log analysis
- Compliance Reporting limited to canned reports
SIEM is Still Evolving: Toward SIEM Content Awareness (Next Generation SIEM)
Content Awareness is understanding the payload at the application layer: what is actually being communicated, transferred, and shared over the network.
Examples of Content Awareness are the understanding of:
- Email contents, including the attachments
- Social, IM and P2P network communications
- Document contents
- Application relationships with database queries and responses
- Database monitoring
- Data leakage: sensitive information within chat, email, printed documents, etc.
Adding Context to Logs
Questions an analyst asks around a single log record:
- Time: What else happened at this time? Near this time? What is the time zone?
- Source address: DNS name, Windows name, other names? Whois info? Organization owner? Where does the IP originate from (geolocation info)? What else happened on this host? Which other hosts did this IP communicate with?
- Service: What is this service? What other messages did it produce? What other systems does it run on?
- Host: What is the host's IP address? Other names? Location on the network/datacenter? Who is the admin? Is this system vulnerable to exploits?
- User: Who is this user? What is the user's access level? What is the user's real name, department, location? What other events from this user?
- Port: What is this port? Is this a normal port for this service? What else is this service being used for?
- Value: What does this number mean? Is this documented somewhere?
Broad Content and Context Correlation
Inputs: Application Contents, Authentication & IAM, Events from Security Devices, Device & Application Log Files, User Identity, Database Transactions, OS Events, VA Scan Data, Location
Threats covered: Malware, Viruses, Trojans, Insider Threats, Advanced Threats, Exploits
SIEM and Situational Awareness
SIEM DOES NOT SOLVE APT, but provides Situational Awareness. THERE IS NO APT ALL-IN-ONE SOLUTION.
SIEM can help with attacks by determining the scope of the attack:
- What systems or devices were involved
- What DATA was compromised
- What evasion techniques were utilized
- Timelines
- Toolsets utilized
- Work flows and processes of attackers
- Heuristics for historical correlation
Even with SIEM, Security Expertise and Experience are REQUIRED. Well trained security analysts and highly developed security policies and procedures, combined with SIEM for situational awareness, is the BEST strategy for dealing with exploits, low and slow attacks and APT.
Scalability & Performance
Unmatched Speed
- Industry's Fastest SIEM
- 100x to 1,000x faster than current solutions
- Queries, correlation and analysis in minutes, not hours
Unmatched Scale
- Collect all relevant data, not selected sub-sets
- Analyze months and years of data, not weeks
- Include higher layer context and content information
- Scales easily to billions of data records
NitroView Overview: Single Pane-of-Glass
- McAfee ESM: Unified Visibility & Analysis, Compliance & Reporting, Policy Management
- McAfee ELM: Log Management, Compliant Log Storage, SAN/CIFS/NFS/Local Storage
- McAfee Receiver: 3rd Party Log/Event Collection, Network Flow Data Collection, VMware Receivers Available
- McAfee ADM: Application Data Monitor, Layer 7 Decode, Full Meta-Data Collection
- McAfee DEM: Database Activity Monitor, Database Log Generation, Session Audit
- McAfee ACE: Advanced Correlation, Risk-Based Correlation, Historical Correlation
- Application Visibility: 100s of applications and 500+ document types
- Data Visibility: Data traffic from leading databases
- Risk Scoring: Detect potential threats; asset information/context; vulnerability information; which assets are most at-risk
Global Threat Intelligence (GTI)
- ESM: Unified Visibility & Analysis, Compliance & Reporting, Policy Management
- ELM: Log Management, Compliant Log Storage, SAN/CIFS/NFS/Local Storage
- Receiver: 3rd Party Log/Event Collection, Network Flow Data Collection, VMware Receivers Available
- ADM: Application Data Monitor, Layer 7 Decode, Full Meta-Data Collection
- DEM: Database Event Monitor, Database Log Generation, Session Audit
- ACE: Advanced Correlation, Risk-Based Correlation, Historical Correlation
- Shared Threat Intelligence: Application Visibility, Data Visibility, Risk Scoring
GTI: Reputation-based WW visibility into all types of cyber threats
- Automatic, push feed
- Today: Bad Actors/Dangerous IPs
- Additional GTI capabilities: file, web, message & network connection reputation; web categorization
How can SIEM help with MTTR?
- Advanced Correlation uses activity to determine Risk
How can SIEM help with MTTR?
- Baselines to determine deviations from normal activity
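The baseline idea from this slide as an added example (not from the deck or from any product): each host's count for a given hour is compared against its own history with a z-score. The constructed data includes the two edge cases a practitioner hits first, a host whose history is perfectly flat (standard deviation zero) and a host with no history at all; the floor_sd and min_samples parameters are assumptions made here to handle them.

```python
import statistics

# Constructed history (not real data): outbound connections during the 02:00 hour
# on each of the previous 14 days, per host.
HISTORY = {
    "db-01":   [12, 15, 11, 14, 13, 12, 16, 15, 13, 12, 14, 13, 15, 14],
    "kiosk-7": [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],   # normally silent at night
}
# Constructed counts for the same hour today; "new-host" has no history at all.
TODAY = {"db-01": 14, "kiosk-7": 9, "new-host": 40}

def baseline(samples, min_samples=7):
    """Return (mean, stdev) of the history, or None when there is too little data to trust."""
    if len(samples) < min_samples:
        return None
    return statistics.mean(samples), statistics.pstdev(samples)

def score_deviation(history, observed, threshold=3.0, floor_sd=1.0):
    """Z-score each host's current count against its own baseline.

    floor_sd keeps a perfectly flat history (stdev 0) from dividing by zero
    while still flagging any activity on a host that is normally silent.
    """
    results = {}
    for host, value in observed.items():
        bl = baseline(history.get(host, []))
        if bl is None:
            # No trustworthy baseline yet: report it rather than guess.
            results[host] = {"status": "no_baseline", "observed": value}
            continue
        mean, sd = bl
        z = (value - mean) / max(sd, floor_sd)
        results[host] = {"status": "deviation" if z > threshold else "normal",
                         "observed": value, "mean": round(mean, 2), "z": round(z, 2)}
    return results
```

For the constructed data, db-01 at 14 is within its normal band, kiosk-7 at 9 is a deviation despite the tiny absolute number, and new-host is reported as having no baseline rather than being scored.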
How can SIEM help with MTTR?
- Normalization of events into a common taxonomy
How can SIEM help with MTTR?
- Global Threat Intelligence to determine if I have any communication with external known bad actors
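An added example (not code from the deck or from McAfee GTI) tying together the "Adding Context to Logs" slide and the known-bad-actor check above: a normalized event is enriched with host, user and geolocation context from constructed lookup tables, its source address is matched against a constructed reputation feed standing in for a GTI bad-actor list, and the combined context drives a priority that the raw log line alone could not justify. The table contents, the `priority` rules and the field names are all assumptions made for the example.

```python
import ipaddress

# All tables below are constructed sample data, not a real inventory, directory or feed.
ASSETS = {
    "10.0.5.20": {"hostname": "db-01", "zone": "datacenter-A", "admin": "dba-team", "open_vulns": 2},
    "10.0.7.40": {"hostname": "kiosk-7", "zone": "lobby", "admin": "facilities", "open_vulns": 0},
}
USERS = {
    "alice": {"name": "Alice Example", "dept": "Finance", "access": "standard"},
    "svc-backup": {"name": "Backup service account", "dept": "IT", "access": "privileged"},
}
GEO = {"203.0.113.0/24": "country-A (constructed)", "198.51.100.0/24": "country-B (constructed)"}
# Constructed reputation feed in the role of GTI's known-bad actor list.
KNOWN_BAD = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.77/32")]

def lookup_prefix(table, ip):
    """Return the value of the first CIDR in table that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr, value in table.items():
        if addr in ipaddress.ip_network(cidr):
            return value
    return None

def enrich(event):
    """Attach host, user, geo and reputation context to a normalized event."""
    src = ipaddress.ip_address(event["src_ip"])
    out = dict(event)
    out["asset"] = ASSETS.get(event.get("dst_ip"), {"hostname": "unknown", "open_vulns": 0})
    out["user_ctx"] = USERS.get(event.get("user"), {"name": "unknown", "access": "unknown"})
    out["src_geo"] = lookup_prefix(GEO, event["src_ip"]) or "unknown"
    out["src_reputation"] = "known_bad" if any(src in n for n in KNOWN_BAD) else "unlisted"
    return out

def priority(enriched):
    """Rank the event using the context, not the raw log line alone."""
    bad = enriched["src_reputation"] == "known_bad"
    exposed = enriched["asset"]["open_vulns"] > 0
    privileged = enriched["user_ctx"]["access"] == "privileged"
    if bad and (exposed or privileged):
        return "high"
    if bad or (exposed and privileged):
        return "medium"
    return "low"
```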