Expect More From Your SIEM

Unlike security cameras, going from installation to insight with a traditional SIEM is far from straightforward. During this session, we’ll cover a few common problems with SIEM technologies, and how you can avoid those pitfalls with AlienVault Unified Security Management. You’ll walk away with a new perspective on an old problem – reducing the cost of security visibility.

Published in: Technology
  • SIEM is too complex. Collecting the right data, aggregating it, normalizing and correlating disparate technologies for that one common view is not a trivial task. And most of the time, the SIEM vendor will expect the client or the client’s service provider to bear the brunt of that deployment challenge. “Feeding the beast” requires multiple hours spent with system administrators who manage those data sources to reroute the event information over to the SIEM. Technically, this isn’t so complex for a single system, but at scale it can get very complicated. In some cases, this can take months.
  • SIEM takes too long to deploy. Most organizations looking to invest in a SIEM do so with a sense of urgency. They need answers and they need them now. Questions like “What’s going on in our network?” “Who is attacking me?” “Are we leaking data?” “Which threats require my attention now?” “What’s going to be an issue for our audit next week?” will need to wait to be answered until integration is completed (typically months after the initial installation). The event correlation rules that provide the “security intelligence” advertised by the vendor will not be of any use until external data sources are pulled in and fine-tuned. And that takes time, and as we know, time is…
  • SIEM is too expensive. The licensing costs for the SIEM are just the start. Since virtually nothing is functional out of the SIEM box, organizations will likely need to hire expensive consultants and architects to design and implement the integration, fine-tune the data feeds, and schedule imports across all of the various external data sources. Additionally, in order to make sense for each organization’s business and security priorities, these teams will also need to customize event correlation rules so that the alarms are relevant to them. As a result, consulting services fees can often exceed the software licensing costs. So prepare to double the cost of the software alone, just to get meaningful information out of your SIEM.
  • SIEMs are too noisy. More doesn’t always mean “better” when it comes to alerts and alarms. Typically, out of the box, SIEMs will err on the side of alerting on items that aren’t considered relevant or important to an organization. When everything requires your attention, nothing will get it. Furthermore, these alerts often lack the actionable intelligence security analysts need in order to respond and investigate. It doesn’t help me to know that a particular event occurred if I don’t know what to do about it.
  • SIEMs aren’t typically “cloud friendly”. Let’s face it. Whether you planned it or not, there are some corporate assets that are already in the cloud. Depending upon where you are on your “cloud evolution”, you probably have a mix of assets in your data center as well as in a public cloud like Amazon’s EC2 or another provider. If so, it’s highly likely that your SIEM implementation doesn’t provide visibility into those assets that are within the cloud provider’s network. Even if these don’t house mission-critical or sensitive information today, they may well in the future – and security visibility at that point is essential. Ultimately, your SIEM should go wherever you do… whether that’s in the cloud, on the move, or in your data center.
  • Extend SIEM functionality past the alert:
    Provide workflow-driven response procedures for alerts to help guide / train the IR team.
    Dynamically populate the template with information from the environment and the alert.
    Provide simple links to access relevant information.
    General Analysis Guidelines: Remember that you are looking for SQL commands (SELECT, UPDATE, DELETE, UNION, JOIN, etc.) in the communication from 10.49.100.131 to 198.228.217.190. Although there are many tools to assist in compromising a system via SQL Injection, this attack requires nothing more than a web browser to perform. SQL Injection can be used both as a means to gain entry to a system and as a means to exfiltrate data from it.
  • Demand more from your SIEM vendor. Ask direct and detailed questions to understand how to avoid these typical problems – before you make the leap to purchase. Make sure to get the most value out of every security investment you make in 2013 and beyond. Here are a few questions to get you started.
  • Expect more from your SIEM.
    It should go where you do. Cloud, hybrid cloud, mobile apps, etc. “I want to leverage the cloud, but I don’t want to sacrifice my security visibility.”
    It should tell you what to do. More than alerts, directional guidance on actions to take. (Incident Response workflow feature in v4.1) “Real-time alerts and alarms are great, but if I don’t know what to do with them, they just become more noise.”
    It shouldn’t require more work. Essential security capabilities that are already pre-integrated. Auto-deploy functionality so you know exactly where you are in the deployment process, and where the holes are. “I thought SIEM would help me with audits and managing threats, but after months we’re still not fully integrated and deployed.”

    1. Expect More From Your SIEM
       Sandy Hawke, CISSP, VP, Product Marketing, @sandybeachSF
    2. Top 5 Problems with SIEM
       1. SIEM is too complex.
       2. SIEM takes too long to deploy.
       3. SIEM is too expensive.
       4. SIEMs are too noisy.
       5. SIEMs aren’t typically “cloud-friendly.”
    3. SIEM is too complex.
    4. Necessary data sources for meaningful SIEM
       Security-specific data sources:
       • Network flow / network analysis
       • Asset discovery and inventory
       • Vulnerability assessment
       • Log management
       • Wireless intrusion detection (WIDS)
       • Host-based intrusion detection (HIDS)
       • Network-based intrusion detection (NIDS)
       • File Integrity Monitoring
       + all of the network, system, and application-specific events
    5. Necessary steps to integrate data into the SIEM
       1. Evaluate, select, and purchase third party security tools (e.g. IDS, vulnerability scanners, etc.).
       2. Implement and configure these products.
       3. Fine-tune and integrate these feeds into the SIEM.
       4. Manage and administer them, each with a different console than the SIEM.
    6. SIEM takes too long to deploy.
    7. Bringing disparate tools together takes time
    8. SIEM is too expensive.
    9. “Feeding” the SIEM *is* costly.
    10. SIEMs are too noisy.
    11. When everything requires your attention, nothing will get it…
        Adding more haystacks doesn’t help you find more needles.
        SIEMs should alert you when you need to do something about an event.
        And… they should tell you what to do, how to do it, and why it’s important.
    12. SIEMs aren’t typically cloud-friendly.
    13. Your SIEM should see your clouds too.
        Threats can follow you to the cloud; your security visibility tool should too.
    14. Unified Security Management
        Saves time, money, and resources
    15. Piece it all together
        The flow on the slide runs: How do we secure our company? → Figure out what is valuable → Identify ways the target could be compromised → Start looking for threats → Look for strange activity which could indicate a threat → Piece it all together.
    16.–21. Slides 16 to 21 build on slide 15, replacing each step of the flow with the capability that answers it, until slide 21 shows the complete set:
        Asset Discovery (figure out what is valuable)
        • Active Network Scanning
        • Passive Network Scanning
        • Asset Inventory
        • Host-based Software Inventory
        Vulnerability Assessment (identify ways the target could be compromised)
        • Network Vulnerability Testing
        Threat Detection (start looking for threats)
        • Network IDS
        • Host IDS
        • Wireless IDS
        • File Integrity Monitoring
        Behavioral Monitoring (look for strange activity which could indicate a threat)
        • Log Collection
        • Netflow Analysis
        • Service Availability Monitoring
        Security Intelligence (piece it all together)
        • SIEM Correlation
        • Incident Response
        All five together: Unified Security Management (how do we secure our company?)
    22. Building security in saves money and time …
    23. Auto-Deploy
        Reduces the burden of integrating data sources
        • Identifies potential data sources with integrated asset discovery
        • Provides suggestions for improving visibility: Where is the monitoring deficient? What can be done to improve it?
    24. Unified Security Reduces TCO, Accelerates Visibility
    25. Dynamic Incident Response Templates
        DMZ_Sensor has detected a possible SQL Injection [reference] attack against the host 10.49.100.131, originating from 198.228.217.190
        The goal of a SQL Injection attack is to obtain access directly to the database behind a web application, by passing data to the application that is unintentionally interpreted as SQL commands by the database itself.
        1. Contain Breach
           Destination IP 10.49.100.131 is in the Corporate DMZ network segment
           • Contact owner of 10.49.100.131: Joe Namath
           • Cross-reference events from other hosts located in the 10.49.100.131 network (Corporate_DMZ) for other suspicious activity.
           • Alerts in Corporate DMZ
           • Analyze Netflow
        2. Identify Attacker
           Source IP 198.228.217.190 is not in your local network
           • Identify the organization that owns 198.228.217.190 – determine if it is a private organization or available to third parties (hosting provider, etc.).
           • WHOIS 198.228.217.190
    26. Unified Security Management & Visibility: In the cloud and “on the ground”
    27. Securing the Cloud vs. Cloud-delivered Security
        Following clients to the cloud vs. setting up yet another cloud…
    28. Questions for SIEM Vendors
        • How long will it take to go from software installation to security insight? For reals.
        • How many staff members or outside consultants will I need for the integration work?
        • What can I do if I don’t have all of the external security technologies in place that can feed the SIEM (e.g. asset inventories, IDS, vulnerability scans, netflows, etc.)?
        • What is the anticipated mix of licensing costs to consulting and implementation fees?
        • Do your alerts and alarms provide step-by-step instructions for how to mitigate and respond to investigations?
        PRINT THIS OUT FOR THE NEXT TIME THEY CALL YOU….
    29. Expect More From Your SIEM
        It should go where you do. Cloud, hybrid cloud, mobile apps, etc.
        It should tell you what to do. More than alerts, directional guidance on actions to take.
        It shouldn’t require more work. Built-in security controls so that integration doesn’t take forever. “Smart” deployments: remove the “guesswork”.
    30. Next Steps / Q&A
        Request an AlienVault USM demo at: www.alienvault.com/schedule-demo.html
        Request a free trial of AlienVault USM: http://www.alienvault.com/free-trial
        Not quite ready for all that? Test drive our open source project, OSSIM, here: communities.alienvault.com/
        Need more info to get started? Try our knowledge base here: alienvault.bloomfire.com
        These resources are also in the Attachments section
        Join the conversation! @alienvault #AlienIntel
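Slide 25 and its speaker notes describe an incident-response template that is populated from the environment and the alert. The Python below is an added example, not AlienVault's code, showing one way to do that: it looks the destination up in a constructed asset inventory, decides whether the source is local, and scans constructed request lines for the SQL keywords the notes say to look for (ASSETS, LOCAL_NETWORKS, the sample alert and the request lines are all assumptions that reuse the slide's values).

```python
# Dynamic incident-response template in the spirit of slide 25.
# Added example, not AlienVault's code: the alert, asset inventory and
# request lines are constructed sample data reusing the slide's values;
# the inventory lookup, local-network check and SQL-keyword scan are
# assumptions about how such a template could be populated.
import ipaddress
import re
from urllib.parse import unquote

# Constructed asset inventory keyed by IP (values mirror slide 25).
ASSETS = {"10.49.100.131": {"owner": "Joe Namath", "segment": "Corporate_DMZ",
                            "network": "10.49.100.0/24"}}
LOCAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal ranges
# SQL keywords the slide-25 notes tell the analyst to look for in the flow.
SQL_KEYWORDS = re.compile(r"\b(SELECT|UPDATE|DELETE|UNION|JOIN)\b", re.IGNORECASE)

# Constructed web-server request lines for the flagged flow.
SAMPLE_REQUESTS = [
    "GET /catalog?item=42 HTTP/1.1",
    "GET /catalog?item=42%20UNION%20SELECT%20name%20FROM%20staff HTTP/1.1",
]
SAMPLE_ALERT = {"sensor": "DMZ_Sensor", "sig": "SQL Injection",
                "dst": "10.49.100.131", "src": "198.228.217.190"}

def sql_keywords_in(requests):
    """Return the set of SQL keywords found in URL-decoded request lines."""
    found = set()
    for line in requests:
        found.update(k.upper() for k in SQL_KEYWORDS.findall(unquote(line)))
    return found

def is_local(ip):
    """True if ip falls inside one of the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)

def render_template(alert, requests):
    """Fill the Contain Breach / Identify Attacker steps from context."""
    dst, src = alert["dst"], alert["src"]
    asset = ASSETS.get(dst)
    lines = [f"{alert['sensor']} has detected a possible {alert['sig']} attack "
             f"against the host {dst}, originating from {src}", "1. Contain Breach"]
    if asset:  # enrich from the inventory instead of making the analyst look it up
        lines += [f"Destination IP {dst} is in the {asset['segment']} network segment",
                  f"  - Contact owner of {dst}: {asset['owner']}",
                  f"  - Cross-reference events from other hosts in {asset['network']}"]
    else:
        lines.append(f"Destination IP {dst} is not in the asset inventory: add it first")
    lines.append("2. Identify Attacker")
    if is_local(src):  # an internal source points to a compromised host, not WHOIS
        lines.append(f"Source IP {src} is inside your local network")
    else:
        lines += [f"Source IP {src} is not in your local network",
                  f"  - Identify the organization that owns {src} (WHOIS {src})"]
    keywords = ", ".join(sorted(sql_keywords_in(requests))) or "none (possible false positive)"
    lines.append(f"3. Evidence: SQL keywords in the flagged requests: {keywords}")
    return "\n".join(lines)
```

Calling render_template(SAMPLE_ALERT, SAMPLE_REQUESTS) produces the slide-25 steps with the owner, segment and WHOIS action filled in, plus the keywords actually seen, so an alert with no SQL keywords in the flow is flagged as a possible false positive rather than handed to the analyst as-is.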
