Supercharging SIEM with Change & Configuration Data
 


Most organizations capture log data that could indicate a breach occurred. Yet not a single breach investigated in the Verizon 2011 Data Breach Investigation Report was detected through log analysis or review. Learn how adding Tripwire Enterprise change and configuration data makes all the difference in detecting critical events.

Speaker Notes

  • More organizations have deployed more compliance and security tools and are capturing and analyzing more data than ever. Unfortunately, they are not getting stellar results, as noted in the Verizon 2011 Data Breach Report. Each year we learn that, even with more data being captured, the number of attacks increases, most organizations had to have a third party tell them they had been hacked, and the resulting breaches were avoidable through simple controls. What was so interesting and new in the 2011 report was the fact that "ZERO" breaches were discovered through log analysis or review!
  • In other words, log management and SIEM solutions did not deliver on the promise of
  • TZ: Ed, what exactly is this "data deluge problem"?
    Ed: Over the last several years many organizations have put collection systems in place to meet PCI requirements. They put in log management and FIM along with other security tools, and they have been collecting a ton of data ever since. So they have plenty of data to meet compliance requirements. But the problem is they have too much data for it to be useful, and it is almost impossible to quickly know if any of the data is indicating a security issue. It's like trying to find a single land mine in a massive landfill before it goes off and causes damage.
    TZ (to transition to next): And this here is some data to show what the "deluge" actually means in terms of volume.
  • ER: The cost of this time delay is enormous. These organizations not only suffer monetarily, their "mojo" is also badly damaged. They lose shareholder trust and value. Their name remains in the press and in presentations like this for a very long time.
    TZ (to transition to next slide): Going back to our title, which is about ensuring security and compliance in light of this vast sea of data, we at Tripwire offer a pragmatic approach to compliance and security. Let's spend a moment talking about what that means.
  • Having tools in place that just capture the things that are changing does not help close the time gap problem. Capturing data is NOT the same as knowing when something BAD is happening. Isolating the bad from the good is what is needed to make it possible to find and fix bad events within minutes of them happening.
  • Event Integration Framework (EIF) benefits:
    - Aggregates change data based on criticality
    - Can integrate a single criticality level into a single log message
    - Reports "who" made the change
    - Reports on patterns of compliance (if a change reduces the compliance level of a box, report that, not just whether the box is in or out of a compliant state)

Presentation Transcript

  • Supercharging SIEM with Change & Configuration Data
  • 0%: Log analysis/review discovered no breaches (2011)
  • Change is Needed! Existing technology isn't providing expected ROI, is too expensive and complex, and only delivers data. (0%: log analysis/review discovered no breaches in 2011)
  • Too much data! All of one type!
  • What the time gap costs, by area (slide table, shown first with two columns, then three):
    SECURITY      OPERATIONS        COMPLIANCE
    Compromise    Longer MTTR       Failed Audits
    $$$$          Unplanned Work    Labor Intensive
    Branding      Budget Pressure   Project Delays
  • 0%: Log analysis/review discovered no breaches Capturing Data…. Is Not The Same As Knowing When Something Bad Just Happened!
  • "Context of Change": Were undesired changes made? Who made them? Was compliance level lowered? Did changes enable SIEM events, or enable other events? Events shown on the slide: Windows event log cleared, Logging turned off, Login successful, FTP enabled, 10 failed logins, Policy test fails, Host not generating events.
  • Raw Log Data -> Detect Change (Good & Bad) -> Report Change (Good & Bad). No intelligence, no context, no security. Just data!
  • "Context": Raw Log Data -> Detect Change (Good & Bad) -> Dynamic Analysis (Configuration Policy Failures, Change Policy Failures, Change Authorization Failures) -> Changes of Interest -> Report & Alert. The result is Changes of Interest, not just changes.
  • Changes of Interest correlated with Log Events of Interest turn raw data into timely, actionable information. Example events: 10 failed logins; Login successful; Windows event log cleared; Logging turned off; FTP enabled; Host not generating events; Policy test fails.
  • Sample EIF messages:
    - File 'Sales_Forecast_2011.xls' was changed on node 'PROD_FINANCE' by Ed Rarick.
    - There were 15 Medium Severity Changes on node 'PROD_DC1'.
    - Node 'PROD_DC1' had an additional 2 tests fail from policy 'PCI 2.1' after the last scan. 15 tests passed and 30 failed.
    - Node 'PROD_DC1' decreased its score by 2.53 on policy 'PCI 2.1' after the last scan.
  • Lifecycle over time: Assess & Achieve (alert on impact to policy; remediation options to speed remedy) and Maintain Desired State (non-stop monitoring & collection; dynamic analysis to find suspicious activities).
  • Answers For Your Questions
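The "Context of Change" and sample-message slides above describe correlating Tripwire change events with SIEM log events of interest but do not show the correlation logic. The script below is an added example written for this page, not code from Tripwire or from the presentation. It parses change messages shaped like the four sample EIF lines on the slide (the real Tripwire Enterprise syslog format is an assumption), tags SIEM lines in a constructed "<node> <message>" form with the event kinds the slide lists, and pairs them per node inside time windows. The node names, timestamps, user names, window sizes and rule names are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message shapes modelled on the sample EIF messages shown on the slide; the
# real Tripwire Enterprise syslog format is an assumption of this example.
CHANGE_PATTERNS = {
    "file_changed": re.compile(
        r"File '(?P<path>[^']+)' was changed on node '(?P<node>[^']+)' by (?P<who>[^.]+)\."),
    "severity_count": re.compile(
        r"There were (?P<count>\d+) (?P<sev>\w+) Severity Changes on node '(?P<node>[^']+)'"),
    "policy_tests": re.compile(
        r"Node '(?P<node>[^']+)' had an additional (?P<count>\d+) tests fail from policy '(?P<policy>[^']+)'"),
    "score_drop": re.compile(
        r"Node '(?P<node>[^']+)' decreased its score by (?P<delta>[\d.]+) on policy '(?P<policy>[^']+)'"),
}
# Log events of interest from the "Context of Change" slide, matched as
# substrings of a constructed "<node> <message>" SIEM line.
LOG_KINDS = {
    "windows event log cleared": "log_cleared",
    "logging turned off": "logging_off",
    "failed logins": "failed_logins",
    "login successful": "login_ok",
    "host not generating events": "host_silent",
}
TAMPER_WINDOW = timedelta(minutes=15)   # change near audit-trail tampering (assumed)
LOGIN_WINDOW = timedelta(minutes=15)    # login burst right after a change (assumed)
SILENCE_WINDOW = timedelta(minutes=60)  # host goes quiet after a change (assumed)

# Constructed sample feed: timestamps, nodes and users are invented.
SAMPLE_EVENTS = [
    ("2011-09-20 09:00:00", "tripwire", "File 'Sales_Forecast_2011.xls' was changed on node 'PROD_FINANCE' by Ed Rarick."),
    ("2011-09-20 09:01:00", "siem", "PROD_FINANCE Login successful"),
    ("2011-09-20 09:58:00", "tripwire", "File 'C:\\Windows\\System32\\drivers\\etc\\hosts' was changed on node 'PROD_DC1' by jsmith."),
    ("2011-09-20 10:00:00", "tripwire", "There were 15 Medium Severity Changes on node 'PROD_DC1'."),
    ("2011-09-20 10:02:00", "siem", "PROD_DC1 Windows event log cleared"),
    ("2011-09-20 10:03:00", "tripwire", "Node 'PROD_DC1' had an additional 2 tests fail from policy 'PCI 2.1' after the last scan. 15 tests passed and 30 failed."),
    ("2011-09-20 10:03:00", "tripwire", "Node 'PROD_DC1' decreased its score by 2.53 on policy 'PCI 2.1' after the last scan."),
    ("2011-09-20 10:05:00", "siem", "PROD_DC1 10 failed logins"),
    ("2011-09-20 10:06:00", "siem", "PROD_DC1 Login successful"),
    ("2011-09-20 11:00:00", "tripwire", "File 'ftpd.conf' was changed on node 'PROD_WEB1' by svc_deploy."),
    ("2011-09-20 11:40:00", "siem", "PROD_WEB1 Host not generating events"),
]

def parse_event(ts, source, msg):
    """Normalise one feed line into a dict with ts/node/source/kind, or None if unrecognised."""
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "source": source, "msg": msg}
    if source == "tripwire":
        for kind, pat in CHANGE_PATTERNS.items():
            m = pat.search(msg)
            if m:
                ev.update(m.groupdict(), kind=kind)
                return ev
        return None
    node, _, text = msg.partition(" ")
    for phrase, kind in LOG_KINDS.items():
        if phrase in text.lower():
            m = re.search(r"(\d+) failed logins", text)
            ev.update(node=node, kind=kind, count=int(m.group(1)) if m else 0)
            return ev
    return None

def correlate(raw_events):
    """Pair changes of interest with log events of interest on the same node."""
    events = [e for e in (parse_event(*r) for r in raw_events) if e]
    by_node = defaultdict(list)
    for e in events:
        by_node[e["node"]].append(e)
    alerts = {}

    def add(rule, node, key, who, evidence):
        a = alerts.setdefault((rule, node, str(key)),
                              {"rule": rule, "node": node, "who": who, "evidence": []})
        a["evidence"].append(evidence)

    for node, evs in by_node.items():
        evs.sort(key=lambda e: e["ts"])
        changes = [e for e in evs if e["source"] == "tripwire"]
        logs = [e for e in evs if e["source"] == "siem"]
        for c in changes:
            # Only file-change messages name an actor; attribute the others to the
            # latest attributed change on the same node, or "unknown".
            who = next((x["who"] for x in reversed(changes)
                        if x["kind"] == "file_changed" and x["ts"] <= c["ts"]), "unknown")
            if c["kind"] in ("policy_tests", "score_drop"):
                add("compliance_lowered", node, c["policy"], who, c["msg"])
            for e in logs:
                dt = e["ts"] - c["ts"]
                if e["kind"] in ("log_cleared", "logging_off") and abs(dt) <= TAMPER_WINDOW:
                    add("audit_trail_tampered_near_change", node, e["ts"], who, c["msg"])
                if e["kind"] == "host_silent" and timedelta(0) < dt <= SILENCE_WINDOW:
                    add("host_silent_after_change", node, e["ts"], who, c["msg"])
                if (e["kind"] == "failed_logins" and e["count"] >= 5
                        and timedelta(0) < dt <= LOGIN_WINDOW
                        and any(l["kind"] == "login_ok" and e["ts"] < l["ts"] <= c["ts"] + LOGIN_WINDOW
                                for l in logs)):
                    add("login_burst_then_success_after_change", node, e["ts"], who, c["msg"])
    return sorted(alerts.values(), key=lambda a: (a["node"], a["rule"]))

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a['rule']}] node={a['node']} who={a['who']}")
        for ev in a["evidence"]:
            print("    ", ev)
```

On the constructed feed this raises four alerts, all on PROD_DC1 and PROD_WEB1: the event-log clearing that sits between a hosts-file change and a PCI score drop, the score drop itself attributed to jsmith, the failed-login burst that succeeds minutes after those changes, and PROD_WEB1 going silent after its config change. The PROD_FINANCE file change followed by a single successful login raises nothing, which is the point of the "Changes of Interest" slide: a change is only interesting in the context of the log events around it. In a real deployment the windows and the phrase table would be tuned to the SIEM's own normalised field names rather than substring matches.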