5. bringing up the rear – forensic logging and consolidation
– log storage is the scut-work no sane-minded admin really wants to do
– logs are cumbersome, space-consumptive; they overflow, they break
– logs obey murphy’s law… the precise one(s) you need are often missing
– alert logic collector (“log manager”) is a one-line agent or log directive
– alert logic collector (“log manager”) can store locally, or in the cloud
– alert logic collector (“log manager”) uses tamper-proof hash for validity
– alert logic collector (“log manager”) will escalate on ‘risky’ patterns
– alert logic collector (“log manager”) will escalate on repetition/volume
– incident 13340004 (new domain admin added in late-afternoon)
– incident 13416288 (privileged admin acct repeatedly locking itself out)
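As an added illustration of the two log-manager behaviours listed above (tamper-evident storage, and escalation on risky patterns or on repetition/volume), the following is example code written for this outline, not Alert Logic's collector. It assumes a constructed event format loosely modelled on Windows security events 4728 (member added to a global group) and 4740 (account locked out), a hash chain as the tamper-evidence mechanism, and "late afternoon" meaning 16:00 or later.

```python
import hashlib
from collections import Counter
from datetime import datetime

# Constructed sample events (not real data), loosely modelled on Windows
# security event IDs 4728 (member added to a global group) and 4740
# (account locked out). Format: "<ISO timestamp> <event id> <key=value ...>".
SAMPLE_LOGS = [
    "2015-06-02T09:15:00 4740 account=svc_backup",
    "2015-06-02T10:03:41 4728 group=Domain Admins member=helpdesk01",
    "2015-06-02T16:42:10 4728 group=Domain Admins member=jdoe",
    "2015-06-02T17:01:05 4740 account=adm_sven",
    "2015-06-02T17:01:09 4740 account=adm_sven",
    "2015-06-02T17:01:13 4740 account=adm_sven",
    "2015-06-02T17:01:17 4740 account=adm_sven",
]

def hash_chain(lines):
    """Append-only tamper evidence: each digest covers the previous digest plus the line."""
    prev = "0" * 64
    chained = []
    for line in lines:
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        chained.append((line, prev))
    return chained

def verify_chain(chained):
    """Recompute the chain; an edited, removed or reordered record breaks every later digest."""
    prev = "0" * 64
    for line, digest in chained:
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        if prev != digest:
            return False
    return True

def escalate(lines, lockout_threshold=3, after_hour=16):
    """Escalate on a 'risky' pattern (domain admin added late in the day)
    and on repetition/volume (one account locked out repeatedly)."""
    alerts = []
    lockouts = Counter()
    for line in lines:
        ts, event_id, rest = line.split(" ", 2)
        hour = datetime.fromisoformat(ts).hour
        if event_id == "4728" and "group=Domain Admins" in rest and hour >= after_hour:
            alerts.append(("risky", line))
        elif event_id == "4740":
            acct = rest.split("account=", 1)[1]
            lockouts[acct] += 1
            if lockouts[acct] == lockout_threshold:  # fire once, at the threshold
                alerts.append(("volume", f"{acct} locked out {lockout_threshold} times"))
    return alerts
```

The 10:03 group change is left alone (business hours), while the 16:42 one and the fourth lockout burst both escalate; change one byte of a stored record and `verify_chain` rejects the whole tail of the chain.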
7. getting out in front – web app-query (layer 7) inspection
– layer 3 access-control rules are well and good, but more is needed
– each web app differs, app-firewalls need constant tuning-and-training
– alert logic web-firewall (“wsm”) can be deployed as appliance or VM
(…in fact, it can sit atop a traditional amazon elastic load-balancer)
– alert logic web-firewall (“wsm”) can passively monitor, or actively block
– alert logic web-firewall (“wsm”) can be customized by you, or by vendor
– 30-to-90-day break-in period; watch + gather queries, then advise rules
– garden-variety incident (plain-vanilla nmap scan from outside)
– slightly-more-sophisticated incident (PHP parameter walkthrough)
9. automating the machine – rent-a-SOC (?!?)
– enterprise goal #1: reduce tier-zero ground clutter, but do not ignore it
– enterprise goal #2: ensure daily (shift-by-shift) event review, escalation
– enterprise goal #3: crowd-source current attack signatures, bad actors
– enterprise goal #4: maintain off-site forensic events/logs for later use
– enterprise goal #5: do all of this in a (hopefully) cost-effective manner
– alert logic SOC will alert/call/email to 3+ different personnel chains
– alert logic SOC will perform realtime event response + daily log review
– alert logic SOC will annul/suppress/whitelist items you don’t care about
– alert logic SOC will do it all at 20% to 40% of equiv. organic cost (4+ FTE)
– i'll appeal to your continued patience with one or two more examples…
11. example(s) – automating your rent-a-SOC (?!?)
(250 MILLION events per day?!? a single team just can’t keep up…)
12. final thought – meta-insights made possible by the cloud (?)
– i've already made reference to “crowd-sourcing threats, bad actors”
– also a notion of “meta-access” (amazon cloudtrail, roles, api invocation)
– also a notion of “asset tracking” (new VM, using template(s)… or not)
– how about a ‘cyber weather forecast’ showing my posture v. the world?
– how about a ‘cyber weather forecast’ showing attack trends over time?
(…14-yr-old script kiddie crawling my amazon cloud is boring)
(…14-yr-old script kiddie who progresses to my webmail is HUGE)
– alert logic’s newest service (Cloud Insight) will watch meta-properties
– alert logic’s newest service (Cloud Insight) will alert you on deviations
– and that’s only a taste of things to come…
13. thank you – sven.skoog@monotype.com (781.970.6112)