SIX STEPS TO SIEM SUCCESS
Jim Hansen
Sr. Director, Product Management
Step 1: Avoid single-purpose SIEM tools.
LOOK FOR BUILT-IN ESSENTIAL SECURITY CONTROLS.
At a minimum, the SIEM should include this core set of functionality:
- Asset discovery and inventory
- Vulnerability assessment
- Network analysis / netflow (packet capture)
- Wireless intrusion detection (WIDS)
- Host-based intrusion detection (HIDS)
- Network-based intrusion detection (NIDS)
- File integrity monitoring
- Log management

BENEFITS OF BUILT-IN SECURITY CONTROLS IN SIEM
- Accelerated time to value
- Reduce cost and complexity
- Go from install to insight QUICKLY
  - At deployment time: focus on integrating the infrastructure event data only
  - Over the long term: manage all through the same console, better workflow, etc.
- More coordinated detection for accurate alarms
  - Built-in event correlation rules
  - Known sources mean more accurate correlation
Step 2: Know what use cases you’ll need FIRST.
WHAT ARE YOUR SIEM USE CASES?
- Figure this out BEFORE you evaluate or invest
- Use cases define your scope and your priorities (e.g. pass a PCI audit vs. detect malware infections)
- Differences between business and technology use cases:
  - Business use cases (fewer) translate to:
  - Technology use cases (many more)
TRANSLATING BUSINESS USE CASES INTO TECHNOLOGY
Privileged user monitoring requires knowing:
- Who your privileged users are (users)
- What constitutes privileged activity (commands)
  - Logins = rlogins / ssh
  - User permission changes (e.g. sudo or LDAP)
- Where you care to focus (devices)
  - Critical servers, applications, network devices, and network traffic (action sequences)
  - Endpoints…? Whose?
→ Logs (the technology side: the data sources these answers translate into)
EVENT CORRELATION STEPS
What we really want to know… Who is abusing privileged access?
1. Identify the goal for each rule (and use case).
   To detect unauthorized user access activity – including privilege escalation
2. Determine the conditions for the alert.
   Privilege escalation with no corresponding change request
3. Select the relevant data sources.
   Active Directory, user management system, change control system
4. Test the rule.
5. Determine response strategies, and document them.
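As an added example (not from the slides and not AlienVault's rule engine), the five steps above carried through in code for the rule the slide names: a privileged-group change with no corresponding approved change request. The log lines, change tickets, group list and field names are all constructed; the rule also explains why no ticket matched and raises priority when an account grants itself privilege.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Groups whose membership change counts as privilege escalation (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "sudo", "wheel"}

@dataclass
class Event:
    ts: datetime
    source: str   # "ad" (Active Directory) or "linux" (host agent)
    actor: str    # account that made the change
    target: str   # account that gained the privilege
    group: str
    host: str

@dataclass
class ChangeRequest:
    ticket: str
    target: str   # account the ticket authorizes
    start: datetime
    end: datetime
    approved: bool

# Constructed sample log lines in a normalized key=value form (not real data).
RAW_EVENTS = [
    '2024-03-04T09:12:03Z ad actor=admin.kate target=jdoe group="Domain Admins" host=dc01',
    '2024-03-04T11:30:00Z ad actor=admin.kate target=mary group="Helpdesk" host=dc01',
    '2024-03-04T14:47:51Z ad actor=svc_backup target=svc_backup group="Domain Admins" host=dc01',
    '2024-03-04T16:00:00Z linux actor=ansible target=ops group="wheel" host=db01',
    '2024-03-04T22:05:10Z linux actor=root target=bob group="sudo" host=web03',
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed change-control records (the "change control system" data source).
CHANGE_REQUESTS = [
    ChangeRequest("CHG-1042", "jdoe", _ts("2024-03-04T09:00:00Z"), _ts("2024-03-04T10:00:00Z"), True),
    ChangeRequest("CHG-1050", "bob", _ts("2024-03-05T09:00:00Z"), _ts("2024-03-05T10:00:00Z"), True),
    ChangeRequest("CHG-1051", "ops", _ts("2024-03-04T15:00:00Z"), _ts("2024-03-04T17:00:00Z"), False),
]

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<source>\S+) actor=(?P<actor>\S+) target=(?P<target>\S+) '
                     r'group="(?P<group>[^"]+)" host=(?P<host>\S+)$')

def parse_events(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # skip unparseable lines rather than crash the rule
            events.append(Event(_ts(m["ts"]), m["source"], m["actor"], m["target"], m["group"], m["host"]))
    return events

def covering_ticket(event, changes):
    """Approved ticket for the target whose window contains the event time, else None."""
    for c in changes:
        if c.target == event.target and c.approved and c.start <= event.ts <= c.end:
            return c
    return None

def run_rule(events, changes):
    """Rule: a privileged-group change with no corresponding approved change request."""
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.group not in PRIVILEGED_GROUPS or covering_ticket(e, changes):
            continue
        # Say why no ticket matched, so the analyst does not have to re-query.
        related = [c for c in changes if c.target == e.target]
        if not related:
            reason = "no change request for account"
        elif any(not c.approved for c in related):
            reason = "change request not approved"
        else:
            reason = "outside change window"
        alerts.append({
            "ts": e.ts.isoformat(), "host": e.host, "actor": e.actor,
            "target": e.target, "group": e.group, "reason": reason,
            # Self-granted privilege is the classic abuse pattern: raise priority.
            "priority": "high" if e.actor == e.target else "medium",
        })
    return alerts

if __name__ == "__main__":
    for alert in run_rule(parse_events(RAW_EVENTS), CHANGE_REQUESTS):
        print(alert)
```

Step 4 (test the rule) is the point of the sample data: one covered change, one account with no ticket, one with an unapproved ticket and one outside its window, so each branch of the rule is exercised.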
Step 3: Imagine all the worst case scenarios for YOUR business.
GLOBAL VS. LOCAL BAD SCENARIOS
- Global bad scenarios
  - Botnets, malware, C&C traffic, rootkits, trojans, etc.
- Local bad scenarios
  - Unique to your business and priorities
  - Only YOU and your mgmt team can answer this
  - Example:
    - Outbound FTP connections to a former business partner’s network AFTER you’ve canceled the contract.
    - Service availability “hiccups” during peak operational windows.
PLAN FOR THE WORST, EXPECT THE BEST
- Plan for each of those “worst case” scenarios
- Ask yourself: How would we know when these happen?
  - Types of events, and their sequences
  - Devices in scope: let’s get those data sources added FIRST; the first step is finding them (automated asset discovery is a must)
- How do we respond when we discover them?
  - Develop standard operational procedures, and train staff
  - SIEM should have built-in documentation for standard operational procedures
    - Customized guidance that’s attached to each alert
    - Details on assets, their owners, contact info, etc.
Step 4: Include built-in threat intelligence as a MUST-HAVE.
OPERATIONALIZED THREAT INTELLIGENCE
- Threat intelligence should provide info on:
  - WHO the bad actors are
  - WHAT to focus on
  - HOW to respond when threats are detected
  - WHERE these threats are in your environment
- Threat intelligence should also…
  - Provide instructions on what to do when X happens to Y
  - And… be easily and rapidly consumable – part of your SOP
ALIENVAULT LABS THREAT INTELLIGENCE: COMPLETE COVERAGE TO STAY AHEAD OF THE THREAT
- Network and host-based IDS signatures – detects the latest threats in your environment
- Asset discovery signatures – identifies the latest OSes, applications, and device types
- Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems
- Correlation rules – translates raw events into actionable remediation tasks
- Reporting modules – provides new ways of viewing data about your environment
- Dynamic incident response templates – delivers customized guidance on how to respond to each alert
- Newly supported data source plug-ins – expands your monitoring footprint
Step 5: Use IP reputation data to prioritize alarms & monitor your own reputation.
DISRUPT THE INCIDENT RESPONSE CYCLE
A traditional cycle …
1. Prevent: prevents known threats.
2. Detect: detects new threats in the environment.
3. Respond: respond to the threats – as they happen.
This isolated closed loop offers no opportunity to learn from what others have experienced … no advance notice.
THE POWER OF THE “CROWD” FOR THREAT DETECTION
- Cyber criminals are using (and reusing) the same exploits against others (and you).
- Sharing (and receiving) collaborative threat intelligence makes us all more secure.
- Using this data, identify, flag and block known attackers by source IP addresses.
- Organizations can’t build this “neighborhood watch” infrastructure on their own… that’s where AlienVault comes in…
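An added example, not part of the original deck, of the two uses of IP reputation data Step 5 calls for: ranking alarms by the reputation of the external peer (an internal host reaching a known C2 range is weighted higher than an inbound hit from a scanner) and checking whether your own public ranges appear in the feed. The feed entries, address ranges, weights and alarms are constructed sample values.

```python
import ipaddress

# Constructed reputation feed (sample values, not from any real feed):
# (indicator, category, confidence 0-100). Indicators may be hosts or CIDR ranges.
REPUTATION_FEED = [
    ("203.0.113.7", "scanning_host", 70),
    ("198.51.100.0/24", "c2", 95),
    ("192.0.2.25", "malware_distribution", 85),
]

# Assumed address plan: internal space and the public range you own.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
OWN_PUBLIC_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed SIEM alarms: (id, src_ip, dst_ip, base_risk 1-10, description)
ALARMS = [
    ("A1", "203.0.113.7", "10.0.5.20", 5, "SSH brute force"),
    ("A2", "10.0.7.15", "198.51.100.42", 4, "periodic outbound HTTPS connection"),
    ("A3", "10.0.3.4", "10.0.3.9", 6, "internal port scan"),
]

FEED_NETS = [(ipaddress.ip_network(ind, strict=False), cat, conf)
             for ind, cat, conf in REPUTATION_FEED]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in INTERNAL_NETS)

def lookup(ip):
    """Most specific feed entry containing ip, as (category, confidence), or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, cat, conf) for net, cat, conf in FEED_NETS if addr in net]
    if not hits:
        return None
    _, cat, conf = max(hits, key=lambda h: h[0].prefixlen)
    return cat, conf

def prioritize(alarms):
    """Rank alarms: base risk, scaled by the reputation of the external peer."""
    ranked = []
    for aid, src, dst, base, desc in alarms:
        src_rep, dst_rep = lookup(src), lookup(dst)
        priority = float(base)
        tag = None
        if src_rep and not is_internal(src):
            # Inbound from a known-bad source: scale by feed confidence.
            priority *= 1 + src_rep[1] / 100
            tag = f"inbound from {src_rep[0]}"
        if dst_rep and is_internal(src):
            # Outbound to a known-bad destination gets an extra weight (assumed 1.5):
            # an internal host talking to C2 suggests it is already compromised.
            priority *= (1 + dst_rep[1] / 100) * 1.5
            tag = f"outbound to {dst_rep[0]} (possible compromised host)"
        ranked.append({"id": aid, "priority": round(priority, 1),
                       "reputation": tag, "description": desc})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)

def own_exposures():
    """Feed entries overlapping your own public ranges: your reputation, as others see it."""
    return [(str(net), cat, conf) for net, cat, conf in FEED_NETS
            if any(net.overlaps(own) for own in OWN_PUBLIC_NETS)]

if __name__ == "__main__":
    for r in prioritize(ALARMS):
        print(r)
    print("own addresses on the feed:", own_exposures())
```

A hit from own_exposures() is an exposure to investigate on your side (the flagged host may be compromised or misconfigured) and a reason peers will start dropping your traffic.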
TRADITIONAL RESPONSE (diagram, built up over five slides: Attack → Detect → Respond at First Street Credit Union alone; the other organizations shown are Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom and Marginal Food Products)
OTX ENABLES PREVENTATIVE RESPONSE through an automated, real-time threat exchange framework.
A REAL-TIME THREAT EXCHANGE FRAMEWORK
Puts Preventative Response Measures in Place Through Shared Experience (diagram: Attack → Detect at First Street Credit Union, shared through the Open Threat Exchange)
A REAL-TIME THREAT EXCHANGE FRAMEWORK
Protects Others in the Network With the Preventative Response Measures (diagram: the same exchange now reaching Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom and Marginal Food Products)
GLOBAL THREAT DETECTION FOR LOCAL RESPONSE
Step 6: Automate your SIEM deployment.
DATA INTEGRATION WITH A SINGLE-PURPOSE SIEM (diagram: a five-step cycle)
1. Evaluate & purchase 3rd party security detection tools
2. Implement & configure these tools
3. Integrate data and event feeds into SIEM
4. Identify & integrate additional data sources
   (repeat 3-4)
5. Manage security detection tools on separate consoles
DATA INTEGRATION WITH ALIENVAULT USM (diagram: the same five-step cycle, annotated with what USM changes)
1. Evaluate & purchase 3rd party security detection tools → built-in asset discovery, vuln assessment, threat detection, behavioral monitoring, and more… (reduced licensing costs)
2. Implement & configure these tools
3. Integrate data and event feeds into SIEM → automated via Auto-Deploy Dashboard
4. Identify & integrate additional data sources → automated via Auto-Deploy Dashboard
   (repeat 3-4)
5. Manage security detection tools on separate consoles → simpler security management, faster remediation
DEPLOYMENT DASHBOARD
- Identify potential data sources to integrate
- Set up vulnerability assessment and asset inventory scans
- Implement suggestions to improve visibility
TOP 6 STEPS TO SIEM SUCCESS
1. Avoid single-purpose SIEM tools
   (reduce integration complexities: look for built-in security detection sources)
2. Know what use cases you’ll need FIRST.
   (this will dictate what data sources to prioritize)
3. Imagine all the worst case scenarios for your business.
   (this will inform your incident response strategy)
4. Include built-in threat intelligence as a must-have requirement.
   (threats move way too quickly not to operationalize your defenses)
5. Use IP reputation data to prioritize alarms & monitor your own rep.
   (identify exposures – both inside and outside your network)
6. Automate your deployment.
   (yes, hard to believe, but this *is* possible)
QUESTIONS FOR SIEM VENDORS
HINT: PRINT THIS OUT FOR THE NEXT TIME THEY CALL YOU….
- How long will it take to go from software installation to security insight? For reals.
- How many staff members or outside consultants will I need for the integration work?
- What can I do if I don’t have all of the external security technologies in place that can feed the SIEM (e.g. asset inventories, IDS, vulnerability scans, netflows, etc.)?
- What is the anticipated mix of licensing costs to consulting and implementation fees?
- Do your alerts provide step-by-step instructions for how to mitigate and respond to investigations?
- Is IP reputation data included in the threat intelligence content?
NOW FOR SOME Q&A…
Three Ways to Test Drive AlienVault
- Download a Free 30-Day Trial: http://www.alienvault.com/free-trial
- Try our Interactive Demo Site: http://www.alienvault.com/live-demo-site
- Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usmlive-demo
Questions? hello@alienvault.com

More Related Content

What's hot

PPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINALPPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINAL
Risi Avila
 

What's hot (20)

Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC
 
Top Cybersecurity Threats and How SIEM Protects Against Them
Top Cybersecurity Threats and How SIEM Protects Against ThemTop Cybersecurity Threats and How SIEM Protects Against Them
Top Cybersecurity Threats and How SIEM Protects Against Them
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
 
PPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINALPPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINAL
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
 
Splunk for Enterprise Security and User Behavior Analytics
 Splunk for Enterprise Security and User Behavior Analytics Splunk for Enterprise Security and User Behavior Analytics
Splunk for Enterprise Security and User Behavior Analytics
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
Splunk Enterprise Security
Splunk Enterprise SecuritySplunk Enterprise Security
Splunk Enterprise Security
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
 
IBM Security QRadar
 IBM Security QRadar IBM Security QRadar
IBM Security QRadar
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 
Introduction to QRadar
Introduction to QRadarIntroduction to QRadar
Introduction to QRadar
 
SIEM : Security Information and Event Management
SIEM : Security Information and Event Management SIEM : Security Information and Event Management
SIEM : Security Information and Event Management
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
 

Similar to Six Steps to SIEM Success

Računalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidenteRačunalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidente
Damir Delija
 
Overall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docxOverall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docx
karlhennesey
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
AlienVault
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
Shritam Bhowmick
 

Similar to Six Steps to SIEM Success (20)

Automation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsAutomation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOps
 
Splunk for Security Breakout Session
Splunk for Security Breakout SessionSplunk for Security Breakout Session
Splunk for Security Breakout Session
 
Hacking appliances
Hacking appliancesHacking appliances
Hacking appliances
 
SIEM evaluator guide for soc analyst
SIEM evaluator guide for soc analystSIEM evaluator guide for soc analyst
SIEM evaluator guide for soc analyst
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability Scanner
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
 
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP'sAlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
 
Cyber Security protection by MultiPoint Ltd.
Cyber Security protection by MultiPoint Ltd.Cyber Security protection by MultiPoint Ltd.
Cyber Security protection by MultiPoint Ltd.
 
Računalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidenteRačunalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidente
 
Overall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docxOverall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docx
 
Cybersecurity: A Manufacturers Guide by Clearnetwork
Cybersecurity: A Manufacturers Guide by ClearnetworkCybersecurity: A Manufacturers Guide by Clearnetwork
Cybersecurity: A Manufacturers Guide by Clearnetwork
 
SplunkLive! - Splunk for Security
SplunkLive! - Splunk for SecuritySplunkLive! - Splunk for Security
SplunkLive! - Splunk for Security
 
NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)
 
Window of Compromise
Window of CompromiseWindow of Compromise
Window of Compromise
 
Software Vulnerabilities Risk Remediation
Software Vulnerabilities Risk RemediationSoftware Vulnerabilities Risk Remediation
Software Vulnerabilities Risk Remediation
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
 
Darktrace_Threat_Visualizer_User_Guide.pdf
Darktrace_Threat_Visualizer_User_Guide.pdfDarktrace_Threat_Visualizer_User_Guide.pdf
Darktrace_Threat_Visualizer_User_Guide.pdf
 
Advanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsAdvanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA Environments
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
 

More from AlienVault

AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & Response
AlienVault
 

More from AlienVault (20)

Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USM
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection Recommendations
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworks
 
Open Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideOpen Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's Guide
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usm
 
Security operations center 5 security controls
 Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
 
The State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICThe State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHIC
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides final
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USM
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation Directives
 
How Malware Works
How Malware WorksHow Malware Works
How Malware Works
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & Response
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
 

Recently uploaded

Recently uploaded (20)

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

Six Steps to SIEM Success

  • 1. SIX STEPS TO SIEM SUCCESS Jim Hansen Sr. Director, Product Management
  • 2. Step 1: Avoid single-purpose Avoid single-purpose SIEM tools. SIEM tools. 2
  • 3. LOOK FOR BUILT-IN ESSENTIAL SECURITY CONTROLS. At a minimum, the SIEM should include this core set of functionality: Asset discovery and inventory Vulnerability assessment Network analysis / netflow (packet capture) Wireless intrusion detection (WIDS) Host-based intrusion detection (HIDS) Network-based intrusion detection (NIDS) File Integrity Monitoring Log management VS.
  • 4. BENEFITS OF BUILT-IN SECURITY CONTROLS IN SIEM   Accelerated time to value - Reduce cost and complexity -  Go from install to insight QUICKLY At deployment time: Focus on integrating the infrastructure event data only Over the long term: Manage all through the same console, better workflow, etc. More coordinated detection for accurate alarms - Built-in event correlation rules Known sources mean more accurate correlation
  • 5. Step 2: Know what use cases Know what use you need FIRST. cases you’ll need FIRST. 5
  • 6. WHAT ARE YOUR SIEM USE CASES?    Figure this out BEFORE you evaluate or invest Use cases define your scope and your priorities (e.g. Pass a PCI audit vs. Detect malware infections) Differences between a business & technology use cases - Business use cases (fewer) translate to: - Technology use cases (many more)
  • 7. TRANSLATING BUSINESS USE CASES INTO TECHNOLOGY Privileged user monitoring requires knowing: Logs  Who your privileged users are (users)  What constitutes privileged activity (commands) - Logins = rlogins / ssh User permission changes (e.g. sudo or LDAP) - Critical servers, applications, network devices, and network traffic (action sequences) Endpoints…? Whose?  Where you care to focus (devices) -
  • 8. EVENT CORRELATION STEPS What we really want to know… Who is abusing privileged access? 1. Identify the goal for each rule (and use case). To detect unauthorized access user activity – including privilege escalation 2. Determine the conditions for the alert. Privilege escalation with no corresponding change request 3. Select the relevant data sources. Active directory, user management system, change control system 4. Test the rule. 5. Determine response strategies, and document them.
  • 9. Step 3: What are the worst case Imagine all the worstscenarios for your business? case scenarios for YOUR business.
  • 10. GLOBAL VS. LOCAL BAD SCENARIOS    Global bad scenarios - Botnets, malware, C&C traffic, rootkits, trojans, etc. Local bad scenarios - Unique to your business and priorities Only YOU and your mgmt team can answer this Example: - Outbound FTP connections to a former business partner’s network AFTER you’ve canceled the contract. - Service availability “hiccups” during peak operational windows.
  • 11. PLAN FOR THE WORST, EXPECT THE BEST    Plan for each of those “worst case” scenarios Ask yourself: How would we know when these happen? - Types of events, and their sequences Devices in scope - Let’s get those data sources added FIRST; First step is finding them (automated asset discovery is a must) How do we respond when we discover them? - Develop standard operational procedures, and train staff - SIEM should have built-in documentation for standard operational procedures  Customized guidance that’s attached to each alert  Details on assets, their owners, contact info, etc.
  • 12. Step 4: Include built-in threat intelligence as a MUST-HAVE.
  • 13. OPERATIONALIZED THREAT INTELLIGENCE  Threat intelligence should provide info on: - WHO the bad actors are WHAT to focus on HOW to respond when threats are detected WHERE these threats are in your environment  Threat intelligence should also… - Provide instructions on what to do when X happens to Y And… be easily and rapidly consumable – part of your SOP
  • 14. ALIENVAULT LABS THREAT INTELLIGENCE:        COMPLETE COVERAGE TO STAY AHEAD OF THE THREAT Network and host-based IDS signatures – detects the latest threats in your environment Asset discovery signatures – identifies the latest OS’es, applications, and device types Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems Correlation rules – translates raw events into actionable remediation tasks Reporting modules – provides new ways of viewing data about your environment Dynamic incident response templates – delivers customized guidance on how to respond to each alert Newly supported data source plug-ins – expands your monitoring footprint
  • 15. Step 5: Use IP reputation data to prioritize alarms & monitor your own reputation.
  • 16. DISRUPT THE INCIDENT RESPONSE CYCLE
    A traditional cycle…
    1. Prevent: prevents known threats.
    2. Detect: detects new threats in the environment.
    3. Respond: respond to the threats, as they happen.
    This isolated closed loop offers no opportunity to learn from what others have experienced… no advance notice.
  • 17. THE POWER OF THE “CROWD” FOR THREAT DETECTION
    - Cyber criminals are using (and reusing) the same exploits against others (and you).
    - Sharing (and receiving) collaborative threat intelligence makes us all more secure.
    - Using this data, identify, flag and block known attackers by source IP addresses.
    - Organizations can’t build this “neighborhood watch” infrastructure on their own… that’s where AlienVault comes in…
  • 18-22. TRADITIONAL RESPONSE (diagram built up over five slides: Attack, then Detect, then Respond, all at First Street Credit Union alone; Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom and Marginal Food Products are shown as separate organizations)
  • 23. OTX ENABLES PREVENTATIVE RESPONSE through an automated, real-time threat exchange framework
  • 24. A REAL-TIME THREAT EXCHANGE FRAMEWORK puts preventative response measures in place through shared experience (diagram: the attack is detected at First Street Credit Union and the detection is passed to the Open Threat Exchange; Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom and Marginal Food Products are the other members shown)
  • 25. A REAL-TIME THREAT EXCHANGE FRAMEWORK protects others in the network with the preventative response measures (diagram: the Open Threat Exchange distributes the detection to the other member organizations)
  • 26. GLOBAL THREAT DETECTION FOR LOCAL RESPONSE
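The local scenario on slide 10 (outbound FTP to a former partner after the contract ended) and the reputation-based prioritization of step 5 both reduce to rules run over the same connection events, so one added example covers both. This is not code from the presentation or from AlienVault USM; the key=value event format, the addresses, the contract date, the reputation feed entries and the priority scores are all constructed placeholders.

```python
"""Two correlation rules over constructed firewall/netflow events: a local rule
(outbound FTP to a former partner after the contract ended) and a global rule
(either endpoint is on a shared IP reputation feed). Added example; addresses,
dates, feed entries, scores and the key=value format are placeholders."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed sample events in a hypothetical key=value exporter format.
SAMPLE_EVENTS = """\
ts=2013-02-20T09:15:00 src=10.1.4.22 dst=203.0.113.10 dport=21 proto=tcp dir=out
ts=2013-03-09T02:40:00 src=10.1.4.22 dst=203.0.113.40 dport=21 proto=tcp dir=out
ts=2013-03-09T02:41:00 src=10.1.4.22 dst=203.0.113.40 dport=21 proto=tcp dir=out
ts=2013-03-09T03:10:00 src=198.51.100.77 dst=10.1.2.5 dport=443 proto=tcp dir=in
ts=2013-03-09T03:12:00 src=10.1.7.9 dst=192.0.2.200 dport=80 proto=tcp dir=out
"""

# Local knowledge only your own team can supply (placeholder values):
# the former partner's address space and the date the contract ended.
FORMER_PARTNER_NETS = [ip_network("203.0.113.0/24")]
CONTRACT_END = datetime(2013, 3, 1)

# Global knowledge from a shared reputation feed: network -> (label, priority).
# Placeholder entries.
REPUTATION = {
    ip_network("198.51.100.0/24"): ("scanning_host", 4),
    ip_network("192.0.2.200/32"): ("malware_c2", 8),
}

@dataclass
class Event:
    ts: datetime
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str
    direction: str

def parse_event(line: str) -> Event:
    """Parse one key=value line into an Event."""
    f = dict(tok.split("=", 1) for tok in line.split())
    return Event(datetime.fromisoformat(f["ts"]), ip_address(f["src"]),
                 ip_address(f["dst"]), int(f["dport"]), f["proto"], f["dir"])

def rule_former_partner_ftp(ev: Event):
    """Local rule: outbound FTP (tcp/21) to the former partner after the cutoff."""
    if ev.direction != "out" or ev.proto != "tcp" or ev.dport != 21:
        return None
    if ev.ts <= CONTRACT_END:
        return None  # transfers during the contract were expected
    if any(ev.dst in net for net in FORMER_PARTNER_NETS):
        return ("former_partner_ftp", 6)
    return None

def rule_reputation(ev: Event):
    """Global rule: either endpoint is on the shared reputation feed."""
    for net, (label, score) in REPUTATION.items():
        if ev.src in net or ev.dst in net:
            return (label, score)
    return None

RULES = [rule_former_partner_ftp, rule_reputation]

def correlate(text: str) -> list:
    """Run every rule over every event; return alarms, highest priority first."""
    alarms = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                label, score = hit
                alarms.append({"ts": ev.ts.isoformat(), "src": str(ev.src),
                               "dst": str(ev.dst), "rule": label, "priority": score})
    alarms.sort(key=lambda a: a["priority"], reverse=True)  # stable: ties keep event order
    return alarms

def summarize(alarms: list) -> dict:
    """Collapse repeated hits to (rule, src, dst) -> count so a sequence of
    identical events becomes one line for the analyst, not N alarms."""
    counts = {}
    for a in alarms:
        key = (a["rule"], a["src"], a["dst"])
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for alarm in correlate(SAMPLE_EVENTS):
        print(alarm)
    print(summarize(correlate(SAMPLE_EVENTS)))
```

Run on the sample, it raises four alarms: the connection to the feed's C&C entry comes first, the two FTP sessions to the former partner follow (and collapse to a single count of 2 in summarize()), and the scanning host last; the February FTP session, dated before the contract ended, raises nothing. The split mirrors the slides: the local rule needs data only your team holds (the partner's ranges, the cutoff date), while the reputation rule is identical for every organization and is exactly the part that can be shared.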
  • 27. Step 6: Automate your SIEM deployment.
  • 28. DATA INTEGRATION WITH A SINGLE-PURPOSE SIEM
    1. Evaluate & purchase 3rd party security detection tools
    2. Implement & configure these tools
    3. Integrate data and event feeds into SIEM
    4. Manage security detection tools on separate consoles
    5. Identify & integrate additional data sources; repeat 3-4
  • 29. DATA INTEGRATION WITH ALIENVAULT USM
    1. Evaluate & purchase 3rd party security detection tools
    2. Implement & configure these tools
    3. Integrate data and event feeds into SIEM
    4. Manage security detection tools on separate consoles
    5. Identify & integrate additional data sources; repeat 3-4
    USM callouts on the same steps:
    - Reduced licensing costs
    - Built-in asset discovery, vuln assessment, threat detection, behavioral monitoring, and more…
    - Automated via Auto-Deploy Dashboard
    - Simpler security management, faster remediation
  • 30. DEPLOYMENT DASHBOARD
    - Identify potential data sources to integrate
    - Set up vulnerability assessment and asset inventory scans
    - Implement suggestions to improve visibility
  • 31. TOP 6 STEPS TO SIEM SUCCESS
    1. Avoid single-purpose SIEM tools. (Reduce integration complexities: look for built-in security detection sources)
    2. Know what use cases you’ll need FIRST. (This will dictate what data sources to prioritize)
    3. Imagine all the worst case scenarios for your business. (This will inform your incident response strategy)
    4. Include built-in threat intelligence as a must-have requirement. (Threats move way too quickly not to operationalize your defenses)
    5. Use IP reputation data to prioritize alarms & monitor your own rep. (Identify exposures, both inside and outside your network)
    6. Automate your deployment. (Yes, hard to believe, but this *is* possible)
  • 32. QUESTIONS FOR SIEM VENDORS
    HINT: PRINT THIS OUT FOR THE NEXT TIME THEY CALL YOU….
    - How long will it take to go from software installation to security insight? For reals.
    - How many staff members or outside consultants will I need for the integration work?
    - What can I do if I don’t have all of the external security technologies in place that can feed the SIEM (e.g. asset inventories, IDS, vulnerability scans, netflows, etc.)?
    - What is the anticipated mix of licensing costs to consulting and implementation fees?
    - Do your alerts provide step-by-step instructions for how to mitigate and respond to investigations?
    - Is IP reputation data included in the threat intelligence content?
  • 33. NOW FOR SOME Q&A…
    Three Ways to Test Drive AlienVault:
    - Download a Free 30-Day Trial: http://www.alienvault.com/free-trial
    - Try our Interactive Demo Site: http://www.alienvault.com/live-demo-site
    - Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usmlive-demo
    Questions? hello@alienvault.com

Editor's Notes

  1. SIEM, or security intelligence, has become the current standard for achieving complete visibility into your compliance status and any threats to your organization’s data and infrastructure. The challenge is that the first wave of SIEM vendors only focused on the logic or analysis layer, basically the event correlation engine, not on how to deploy it or how to feed it. And without those two key success factors, SIEM becomes shelf-ware. Alright, so let’s get started… what are those six steps?
  2. SIEM arose from the fact that most of the security products out there have started and evolved as point products. So we all needed something to tie these things together. But if a SIEM only does one thing – it becomes yet another single purpose point product. Just like a single purpose hotdog cooker/hot dog bun toaster. Or should I say “hot dog production solution”. I agree it might be best of breed, but it wastes valuable space on my counter!
  3. Not everyone has all this stuff already in place, if you do, yes we can integrate. But if you don’t, or you don’t want the hassle of managing multiple consoles, this eases those issues.
  4. Figure this out BEFORE you evaluate or invest. These will depend on WHY you’re implementing SIEM. This defines scope and your priorities (e.g. pass a PCI audit vs. detect malware infections). Differences between a business use case and how it’s translated into a technology use case: a business use case (fewer) = e.g. monitor all privileged user activity for PCI-DSS requirements; a technology use case (many more) = e.g. alert on all “sudo” events for Linux servers, especially failed root logins, and prioritize those that occur during X time windows, etc.
  5. Priv user monitoring for PCI-DSS will be a different scope than if you wanted to do it for a broader purpose…
  6. SIEM is too complex. Collecting the right data, aggregating it, normalizing and correlating disparate technologies for that one common view is not a trivial task. And most of the time, the SIEM vendor will expect the client or the client’s service provider to bear the brunt of that deployment challenge. “Feeding the beast” requires multiple hours spent with system administrators who manage those data sources to reroute the event information over to the SIEM. Technically, this isn’t so complex for a single system, but at scale it can get very complicated.
  7. (1) Evaluate, select, and purchase third party security tools (e.g. IDS, vulnerability scanners, etc.). (2) Implement and configure these products. (3) Fine-tune and integrate these feeds into the SIEM. (4) Manage and administer them each with a different console than the SIEM. (5) Identify which additional data sources are needed: firewalls, routers, proxies, switches, etc.; web servers, database servers, LDAP/AD servers, file directories, etc. Repeat steps #3-4.
  8. Reduces the burden of integrating data sources. Provides suggestions for improving visibility: where is the monitoring deficient? What can be done to improve it?
  9. So the goal of today’s session is to give you the secrets of success in terms of planning for a solution that works with your environment, your use cases, can be deployed quickly, and can easily scale and be managed over time. Oh yeah, and it needs to be continually updated with the latest threat intelligence, so you’re not trying to figure out how to write rules on your own every time something wicked this way comes. We’re going to focus on each one of these as we go through our presentation today. So here’s just the overview.
     Most of the reason why SIEM takes so long to deploy is because these tools do only one thing. They correlate data, but they don’t develop the data they’re correlating. They’re reliant on other tools from other vendors who do things like asset discovery, vulnerability assessment, threat detection, tools like IDS, log management, and the list goes on and on. So look for more than just a fancy reporting tool and event correlation engine.
     The second point is to know why you’re evaluating a tool that provides SIEM functionality. What do you want to do with it? What do you want to know? What are you prepared to act on if it happens? We’ll spend time talking through how to build your use cases, because this will dictate what data sources you’ll need to prioritize.
     The next one is probably pretty familiar territory for us security geeks. Ultimately, security professionals spend a lot of time thinking through worst case scenarios… it comes with the territory… we need to. We need to know what terrible things would happen that would have X impact in Y dollars to Z business initiative. And then we build an incident response program out of it.
     Threat intelligence is an absolute must-have these days. Attackers are continually morphing and adapting their tools and techniques, and there’s too much coming at you and your network to know what to focus on and when. So we’ll talk about the need not just to know the latest threats, but to give you the ability to operationalize your consumption of emerging threat intelligence, so you actually have the ability to act on it.
     The fifth step is all about taking a collaborative approach to threat management; IP reputation data gives you that perspective. When you correlate data from everyone else’s network, a crowd-sourced approach, you now start to turn the tables on those trying to attack you. So we’ll talk about how to use IP reputation data to prioritize events and alarms as well as monitor the reputation of your own public-facing assets.
     Finally, SIEM deployment is a dirty word. The good news… you can honestly automate the deployment process, at least critical pieces of it, and we’ll talk about how that’s done later in the presentation. So let’s focus on our first step.
  10. Demand more from your SIEM vendor. Ask direct and detailed questions to understand how to avoid these typical problems before you make the leap to purchase. Make sure to get the most value out of every security investment you make in 2013 and beyond. Here are a few questions to get you started.
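The technology use case spelled out in note 4 above (alert on sudo events from Linux servers, especially failed root logins, and prioritize by time window), as an added example that is not code from the presentation or from AlienVault USM. The auth.log excerpts are constructed in the standard sudo syslog layout; the hostnames, usernames, commands, scoring weights and the 08:00-18:00 business-hours window are placeholders.

```python
"""Score sudo events from constructed auth.log lines: every sudo use gets a base
priority, raised when the target is root, when the attempt failed, and when it
happened outside the business-hours window. Added example with placeholder
hosts, users, commands, weights and window."""
import re

# Constructed auth.log excerpts (standard sudo message layout, made-up content).
SAMPLE_AUTH_LOG = """\
Mar  9 02:03:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar  9 02:05:40 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  9 10:00:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  9 14:20:05 db01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=postgres ; COMMAND=/usr/bin/psql
Mar  9 23:45:00 db01 sudo:  mallory : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash
"""

# sudo writes "user : TTY=..." on success and "user : <reason> ; TTY=..." on
# failure, so an optional reason group before TTY= distinguishes the two.
SUDO_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<hour>\d\d):\d\d:\d\d\s+(?P<host>\S+)\s+"
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+)\s+:\s+"
    r"(?:(?P<reason>[^;]+?)\s+;\s+)?"  # only present on failures
    r"TTY=\S+\s+;\s+PWD=\S+\s+;\s+USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)

# Placeholder business-hours window (hours 8..17); anything else is off hours.
BUSINESS_HOURS = range(8, 18)

# Constructed scoring weights: base, root target, failed attempt, off hours.
BASE, ROOT, FAILED, OFF_HOURS = 1, 3, 4, 2

def parse_sudo(line: str):
    """Return a dict for a sudo line, or None for any other log line."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    return {
        "host": m["host"], "user": m["user"], "target": m["target"],
        "cmd": m["cmd"], "hour": int(m["hour"]),
        "failed": m["reason"] is not None,
        "reason": m["reason"] or "ok",
    }

def score(ev: dict) -> int:
    """Priority = BASE + ROOT if target is root + FAILED if it failed
    + OFF_HOURS if outside the window."""
    s = BASE
    if ev["target"] == "root":
        s += ROOT
    if ev["failed"]:
        s += FAILED
    if ev["hour"] not in BUSINESS_HOURS:
        s += OFF_HOURS
    return s

def alarms_from_log(text: str) -> list:
    """Parse every sudo line, score it, and return alarms highest priority first."""
    out = []
    for line in text.splitlines():
        ev = parse_sudo(line)
        if ev:
            ev["priority"] = score(ev)
            out.append(ev)
    out.sort(key=lambda e: e["priority"], reverse=True)  # stable sort
    return out

if __name__ == "__main__":
    for alarm in alarms_from_log(SAMPLE_AUTH_LOG):
        print(alarm["priority"], alarm["host"], alarm["user"], "->",
              alarm["target"], alarm["reason"], alarm["cmd"])
```

On the sample, the two failed off-hours attempts to become root (bob's bad passwords, mallory's "NOT in sudoers") score 10 and sort to the top, alice's successful 02:03 root command scores 6 purely because of the hour, her 10:00 command scores 4, and carol's daytime switch to the postgres account scores 1. The weights and window are the "X time windows" of the note made explicit, which is what turns a business requirement (monitor privileged users) into something a SIEM can actually rank.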