How To Create Situational Awareness




Transcription:

SIEM: The Integralis Difference
January 2013
Avoid the SIEM Pitfalls: Get it right the first time

Common SIEM challenges
- Maintaining staffing levels 24/7
- Blended skill set, continuous building of rules and logic
- Escalation of issues to decentralized Network, Systems and Application support teams
- Local knowledge of network infrastructure
- Reporting, trending, KPI and business reporting tasks
- Complex architecture required to provide relevant information (context behind events)
08/02/2013

Common deployment challenges
- Complex technical architecture
- Complex logic and integration between products
- Business process integration
- Phased implementation combined with ongoing management
- Continual need for ongoing service improvement
- Skill set / resources to manage
- Ongoing network and business change

Event Funnel Modeling: What SIEM Vendors don't tell you

Critical events per day (after SIEM correlation, deduplication, etc.):
- 2,000,000 total events
- 17,560 viewable events
- 196 critical events
Potential tickets (SOC analysis and investigation):
- 91 escalated tickets
- 91 true positive escalations*

Escalating when it matters:
- 5 minutes per critical event: 16 hours of analysis
- 10 minutes per ticket escalation: 15 hours of ticket escalation
- Doesn't include ticket closure time
- 77% of all escalations were true positives; vendor default signatures average 6%
- 3.79 true positives every hour

Head count requirements:
- 24x7: 7 FTE
- 9x6: 4 FTE
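The funnel on this slide is a small arithmetic model, and it is worth having it in a form you can re-run with your own numbers. The following Python is an added example (not Integralis code) that encodes the slide's figures, computes the analyst hours and true-positive rate the slide quotes, and then extends the slide's point by showing what the same 91 true positives cost in escalation effort at the 77% precision quoted for a tuned SIEM versus the 6% quoted for vendor default signatures. The `staffing_floor` function and its 40-productive-hours-per-FTE figure are my own assumptions; it gives a lower bound only and does not reproduce the slide's 7 and 4 FTE, which include overheads the slide does not itemize.

```python
import math
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class DailyFunnel:
    """One day of SIEM throughput, from raw events down to confirmed incidents.

    Counts are events or tickets per day; times are analyst minutes per item.
    """
    total_events: int          # raw events arriving at the SIEM
    viewable_events: int       # left after correlation and deduplication
    critical_events: int       # events an analyst must investigate
    escalated_tickets: int     # tickets handed to support teams
    true_positives: int        # escalations confirmed as real incidents
    minutes_per_critical: float = 5.0
    minutes_per_escalation: float = 10.0

    def reduction_ratio(self) -> float:
        """Share of raw events that no human ever looks at."""
        return 1.0 - self.viewable_events / self.total_events

    def analysis_hours(self) -> float:
        """Triage time for the day's critical events."""
        return self.critical_events * self.minutes_per_critical / 60.0

    def escalation_hours(self) -> float:
        """Write-up and hand-off time; ticket closure is excluded, as on the slide."""
        return self.escalated_tickets * self.minutes_per_escalation / 60.0

    def daily_hours(self) -> float:
        return self.analysis_hours() + self.escalation_hours()

    def true_positives_per_hour(self) -> float:
        return self.true_positives / 24.0


def escalations_for_rate(true_positives: int, tp_rate: float,
                         minutes_per_escalation: float = 10.0) -> Tuple[int, float]:
    """Escalations and analyst hours needed to surface `true_positives` real
    incidents when only `tp_rate` of escalations turn out to be real.
    Comparing the slide's 77% with the 6% quoted for vendor default signatures
    shows how much SOC cost is driven by rule tuning rather than event volume."""
    if not 0.0 < tp_rate <= 1.0:
        raise ValueError("tp_rate must be in (0, 1]")
    needed = math.ceil(true_positives / tp_rate)
    return needed, needed * minutes_per_escalation / 60.0


def staffing_floor(daily_hours: float, coverage_hours_per_day: float,
                   days_per_week: int = 7, productive_hours_per_fte: float = 40.0) -> int:
    """Lower bound on head count: enough people to keep one seat filled for the
    coverage window and to absorb the weekly workload. Assumption (mine, not the
    slide's): one seat and 40 productive hours per FTE; leave, training and shift
    handover are not modelled, which is why the slide's own figures are higher."""
    work_week = daily_hours * days_per_week
    seat_week = coverage_hours_per_day * days_per_week
    return math.ceil(max(work_week, seat_week) / productive_hours_per_fte)


# The figures printed on the slide
SLIDE = DailyFunnel(total_events=2_000_000, viewable_events=17_560,
                    critical_events=196, escalated_tickets=91, true_positives=91)

if __name__ == "__main__":
    print(f"discarded before human review: {SLIDE.reduction_ratio():.2%}")
    print(f"analysis {SLIDE.analysis_hours():.1f} h, "
          f"escalation {SLIDE.escalation_hours():.1f} h per day")
    print(f"true positives per hour: {SLIDE.true_positives_per_hour():.2f}")
    for rate in (0.77, 0.06):
        n, hours = escalations_for_rate(SLIDE.true_positives, rate)
        print(f"at {rate:.0%} precision: {n} escalations, {hours:.1f} h of escalation work")
    print("24x7 staffing floor (seat coverage + workload):",
          staffing_floor(SLIDE.daily_hours(), 24))
```

The interesting output is the precision comparison: at 6% precision the same 91 real incidents would take over 1,500 escalations and roughly 250 analyst hours a day, which is the slide's argument for continuous rule tuning made explicit.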

Filling the gaps: Situational Awareness

"Situational Awareness is Needed by Government and Enterprise Security Organizations for Effective Threat Discovery and Risk Mitigation" - Gartner, Delivering Situational Awareness (July 2011)

As defined by Gartner, a situational awareness capability requires organizations to collect, analyze, correlate, and report on all security data:
- SIEM: logs and other event-based data
- Threat Intelligence: threat feeds and known countermeasures
- Asset Vulnerability State: vulnerability assessment data
- User Activity: IDM/IAM and directory data
- Connectivity State: performance and availability data
- Asset Criticality: asset and inventory data
- Configuration State: system security configuration data
- Forensics: all security data

Customers are at an inflection point in the market: compliance-driven projects and security-driven projects. Security point products (SIEM, configuration audit, NBA, etc.) do not meet these requirements by themselves!

The Need for Situational Awareness: Threat Drivers

[Chart: threat source, motivation and attack complexity (y-axis: level of security intelligence required to detect, protect and respond to threats) against time (x-axis: < 2000 to > 2012); capability bands: Log Mgmt., SIEM, Situational Awareness]

Threat sources, by motivation:
- Individual hit-and-run
- Hacking groups
- Organized crime / monetization
- State and state-sponsored actors

Threats plotted: virus/trojans/malware, DoS attacks, DDoS attacks, bots, social engineering, identity theft, IP theft, APTs, Wikileaks/insider threats, cyberterrorism

Capability levels, from Log Mgmt. through SIEM to Situational Awareness:
- Manual log monitoring
- Log aggregation
- SIEM-based security monitoring
- Log and vulnerability data correlation
- Correlation across multiple data types
- Collection, normalization, analysis, alerting and reporting on all security data
- Asset inventory and change data
- Threat intelligence integration
- Advanced profiling

The Need for Situational Awareness: Compliance Drivers

[Chart: compliance program maturity and optimization requirements (y-axis) against compliance program optimization, tactical to strategic (x-axis); program stages: event-driven, audit-driven, integrated business process]

No tools / minimal tools (reactive, post-audit focused):
- Incomplete, inconsistent data
- Unknown state of security controls
- Substantial audit findings and sanctions

SIEM / log management toolset:
- Standardized reporting
- Manual audits
- Multiple tools, often with inconsistent and/or overlapping data
- Extended audit periods

Situational awareness toolset (continuous monitoring):
- Fully automated
- Single source of information for all compliance-related attestation and reporting
- Continuous monitoring across all aspects of security data
- Historical trend analysis for compliance reporting
- Fast, efficient audit periods

The Need for Integralis Situational Awareness: No Gaps in Security Data, Complete Context

Scope of common security threats identified by the 2012 Verizon Data Breach Investigations Report (DBIR):
- Hacking, e.g. use of stolen credentials, channel exploitation
- Malware, e.g. backdoors, rootkits, command-and-control, keyloggers / form grabbers / spyware
- Physical tampering
- Social engineering (pretexting)
- Brute-force attacks
- SQL injection attacks
- Unauthorized access via default credentials
- Phishing / spear phishing / vishing

2012 DBIR security control recommendations:
- Regularly review basic breach indicators
- Secure remote access services
- Increase awareness of social engineering
- Monitor and filter outbound traffic for suspicious communications
- Run regular incident tests and practice responses
- Restrict and monitor privileged users
- Pick essential security controls, put in place without exception
- Change default credentials, create unique passwords and don't share them
- Regularly review active accounts to make sure they are valid, necessary, properly configured and given only appropriate privileges
- Test applications, review code and encourage developers to write more secure code
- Define, monitor and alert on anomalous network behavior
- Implement effective monitoring for and response to critical log data

Situational awareness components mapped to these threats: user context, threat intelligence, asset criticality, file integrity monitoring, log monitoring and SIEM, network behavioral analysis, system configuration monitoring (tools: log mgmt and SIEM tools, configuration audit tools)

SIEM Operational Architecture - Integralis Separation of Duties
- Log Aggregation: raw log viewing, storage & HA
- SIEM: normalization, correlation, data mining, reporting
- SOC: monitoring, case management, security policy enforcement, forensic apps, incident forensics, forensic analysis, false positive analysis, staffing
- Supporting functions: OSCE staff, GRC reporting, IT tech & deployment, NAC, DLP

Achieving Situational Awareness with Integralis

The point security tool approach: log management or SIEM tools, configuration audit tools, NBA tools, SNMP tools, FIM tools, threat intel tools and IDM/directory tools, each with its own database and its own dashboards, reports, monitors, alerts, workflow, visualization, forensics and correlation. Problems with this approach:
- No cross-correlation = no situational awareness
- Operational inefficiency
- No compliance automation
- High TCO

The Integralis Situational Awareness approach: native collection, SDK, unified data model, UI (dashboards, reports, monitors, alerts, workflow, visualization, forensics, correlation, reporting), backed by a single forensic database heavily indexed and optimized for ad hoc query activity and the long-term storage of historical event, context and state data.

Native collection:
- Logs and events: APIs (WMI, SDEE, RDEP, CPMI, dozens more) and protocols (syslog, ssh, snmp, MIB/trap, netflow, dozens more)
- Known vulnerabilities
- Asset inventory
- Security configuration settings, via an optional agent (native FIM, directory monitor, registry monitor, USB monitor)
- Netflow data and/or performance metrics
- File integrity data
- Threat intelligence data
- User data
- IT assets
Universal Parser (UP): new syslog sources, ODBC sources
SDK: any data type, using a simple XML-based API
Example sources: log mgmt tools, SIEM tools, config mgmt tools, NMCs, custom apps
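The claim running through the Gartner capability list above and this slide is that events only become situational awareness once they are normalized into one model and joined with context such as asset criticality and vulnerability state. The following Python is an added example, not Integralis or product code, that shows the mechanics at toy scale: a parser for RFC 3164-style syslog lines and a constructed flow-record format both emit the same `Event` type, an `AssetContext` table stands in for inventory and scan data, and a scoring step ranks events by event weight times asset criticality. The syslog lines, the flow CSV layout, the asset table and the weight table are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 3164-style line: "<PRI>Mon dd hh:mm:ss host app[pid]: message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


@dataclass(frozen=True)
class Event:
    """One record in the unified model, whatever collector produced it."""
    source: str      # collector type: "syslog", "netflow", ...
    host: str        # asset the record is about; the join key for context
    category: str    # normalized event class
    detail: str      # original message or flow summary


@dataclass(frozen=True)
class AssetContext:
    """Context-and-state data that would come from inventory and vuln scanning."""
    criticality: int       # 1 (lab box) .. 5 (crown jewels)
    open_findings: int     # unresolved vulnerability scan findings


def parse_syslog(line: str) -> Optional[Event]:
    """Normalize a syslog line; returns None for lines the parser does not understand."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m["msg"]
    if "Failed password" in msg:
        category = "auth_failure"
    elif "Accepted password" in msg or "Accepted publickey" in msg:
        category = "auth_success"
    else:
        category = "other"
    return Event("syslog", m["host"], category, msg)


def parse_flow(record: str) -> Event:
    """Constructed flow format for this example: host,dst_ip,dst_port,bytes_out."""
    host, dst, port, nbytes = record.split(",")
    category = "large_outbound" if int(nbytes) >= 10_000_000 else "flow"
    return Event("netflow", host, category, f"{dst}:{port} {nbytes}B out")


# Constructed weights: how alarming each normalized category is on its own
BASE_WEIGHT = {"auth_failure": 2, "auth_success": 0, "large_outbound": 4, "flow": 0, "other": 1}


def score(event: Event, assets: Dict[str, AssetContext]) -> int:
    """Event weight times asset criticality, plus a bump when the host has unpatched
    findings. Without the asset join every host would score alike, which is the
    'no cross-correlation = no situational awareness' problem on the slide."""
    ctx = assets.get(event.host, AssetContext(criticality=1, open_findings=0))
    bonus = 2 if ctx.open_findings and event.category != "auth_success" else 0
    return BASE_WEIGHT[event.category] * ctx.criticality + bonus


def prioritize(events: List[Event], assets: Dict[str, AssetContext]) -> List[Tuple[int, Event]]:
    """Rank events for the SOC queue, highest score first."""
    ranked = [(score(e, assets), e) for e in events]
    ranked.sort(key=lambda t: t[0], reverse=True)
    return ranked


# Constructed sample input: two collectors, three hosts
SAMPLE_LOGS = [
    "<38>Feb  8 10:15:01 web01 sshd[2201]: Failed password for root from 198.51.100.7 port 51022 ssh2",
    "<38>Feb  8 10:15:03 lab07 sshd[913]: Failed password for root from 198.51.100.7 port 51023 ssh2",
    "<38>Feb  8 10:16:10 web01 sshd[2201]: Accepted publickey for deploy from 192.0.2.10 port 40100 ssh2",
]
SAMPLE_FLOWS = ["db01,203.0.113.9,443,52000000", "lab07,203.0.113.9,443,1200"]
ASSETS = {"web01": AssetContext(4, 1), "db01": AssetContext(5, 3), "lab07": AssetContext(1, 0)}


def run_demo() -> List[Tuple[int, Event]]:
    events = [e for e in map(parse_syslog, SAMPLE_LOGS) if e is not None]
    events += [parse_flow(f) for f in SAMPLE_FLOWS]
    return prioritize(events, ASSETS)


if __name__ == "__main__":
    for s, e in run_demo():
        print(f"{s:3d}  {e.source:8s} {e.host:6s} {e.category:15s} {e.detail}")
```

The same brute-force pattern against `web01` and `lab07` lands at very different places in the queue, and the large outbound transfer from the most critical, least patched host comes out on top even though, as a bare netflow record, it carries no signature at all; that ordering is only possible because all three sources share one model and one context table.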

A New Approach to SIEM
Integralis employs skilled Service Delivery Managers (SDMs) and a business-savvy approach. SDMs are dedicated to your organization and:
- Establish enterprise-wide uniformity in responding to and addressing security incidents and events
- Understand legal, regulatory, and contractual requirements
- Review and develop SIEM policies and guidelines
- Increase efficiency through centralization and correlation
- Analyze and validate the true depth of enterprise security visibility
- Develop a workable Incident Response Process
- Improve an existing SIEM implementation

How Do We Differentiate Our Service?
- Typical approach: collect, aggregate, report
- Integralis SDM approach: collect, index, correlate, store, respond, assess
- Assurances: audit, report

Integralis SIEM Offerings
Service categories: Introductory Service, Advisory Services, Follow-Up Services, Technology Services, SIEM Managed Services
Offerings:
- SIEM pre-assessment & gap analysis
- SIEM sizing, risk-based asset modeling
- SIEM product evaluation and competitive testing
- Policy review
- Log source discovery & assessment
- Report creation
- SIEM program review
- SIEM architecture & product selection
- Technology deployment
- Policy creation & tuning

Thank You & Questions?
Dale A. Tesch Jr, Director MaPs, NAC & SIEM Leader
Dale.tesch@integralis.com
http://www.linkedin.com/pub/dale-a-tesch-jr/1/194/85
http://www.ciscopress.com/bookstore/product.asp?isbn=1587052601