Redefining siem to real time security intelligence


1. Redefining SIEM to Real Time Security Intelligence
   David Osborne, Security Architect, September 18, 2012

2. It's not paranoia if they really are out to get you
   • Malware
   • Malicious Insiders
   • Exploited Vulnerabilities
   • Careless Employees
   • Mobile Devices
   • Social Networking
   • Social Engineering
   • Zero-Day Exploits
   • Cloud Computing Security Threats
   • Cyber Espionage

3. Reality of Compliance
   • Audits happen quarterly or annually
   • Effort and budget spent to get compliant
   • Little focus or process to stay that way

4. SIEM – The Great Correlator
   • Major SIEM Functions
     – Collect
     – Normalize
     – Correlate
   • Collect log and event data from systems across the network
     – Security devices, applications, OS, databases, end-point protections, etc.
   • Normalize similar events across disparate data sources
     – Login events from a VPN, OS, or Application are all "authentication events"
   • Correlate multiple events into known attack vectors or policy violations
     – "Multiple failed logins followed by a success" indicates brute force access
     – Eliminates the need for an analyst to try to "piece together" the event

5. Redefining SIEM
   • Security is a Process, not a Product
     – Each stage supports the next
     – A "weak link" breaks the process
     – Tools need to automate each stage
     – Integration provides actionable intelligence
   • Legacy SIEMs are Limited
     – Risk Assessment — limited to VA scan data
     – Threat Detection — limited to event correlation
     – Incident Response — limited to log analysis
     – Compliance Reporting — limited to canned reports
6. SIEM is Still Evolving… To
   • SIEM Content Awareness (Next Generation SIEM)
     – Content Awareness is understanding the payload at the application layer
       • What is actually being communicated, transferred, and shared over the network
       • Examples of "content" awareness are the understanding of:
         – Email contents, including the attachments
         – Social, IM and P2P network communications
         – Document contents
         – Application relationships with database queries and responses
         – Database monitoring
         – Data leakage
         – Sensitive information within chat, email, printed documents, etc.
7. Adding Context to Logs
   (Diagram: a single log record surrounded by the questions an analyst has to answer about it)
   • The IP address: DNS name, Windows name, other names? Whois info? Organization owner? Where does the IP originate from (geo location info)? Which other hosts did this IP communicate with?
   • The time: What else happened at this time? Near this time? What is the time zone?
   • The host: What is the host's IP address? Other names? Location on the network/datacenter? Who is the admin? Is this system vulnerable to exploits? What else happened on this host?
   • The user: Who is this user? What is the user's access level? What is the user's real name, department, location? What other events from this user?
   • The service: What is this service? What other messages did it produce? What other systems does it run on? What else is this service being used for?
   • The port: What is this port? Is this a normal port for this service?
   • The values: What does this number mean? Is this documented somewhere?
8. Broad Content and Context Correlation
   (Diagram: data sources and threat categories feeding one correlation engine)
   • Authentication events from security devices
   • Application & IAM contents
   • User identity
   • Device & application log files
   • Malware: viruses, trojans
   • Insider threats
   • Advanced threats: exploits
   • Database transactions
   • Location
   • OS events
   • VA scan data
9. SIEM and Situational Awareness
   • SIEM DOES NOT SOLVE APT, but Provides Situational Awareness
     – THERE IS NO APT "ALL IN ONE SOLUTION"
   • SIEM Can Help with Attacks
     – Determining the Scope of Attack
       • What Systems or Devices were Involved
       • What DATA was Compromised
       • What Evasion Techniques were Utilized
       • Timelines
       • Toolsets Utilized
       • Work Flows and Processes of Attackers
     – Heuristics for Historical Correlation
   • Even with SIEM, Security Expertise and Experience is REQUIRED
     – Well Trained Security Analysts, Highly Developed Security Policies and Procedures Combined with SIEM for Situational Awareness is the BEST Strategy for dealing with Exploits, Low and Slow Attacks and APT
10. Scalability & Performance
   • Unmatched Speed
     – Industry's Fastest SIEM
     – 100x to 1,000x faster than current solutions
     – Queries, correlation and analysis in minutes, not hours
   • Unmatched Scale
     – Collect all relevant data, not selected sub-sets
     – Analyze months and years of data, not weeks
     – Include higher layer context and content information
     – Scales easily to billions of data records
11. NitroView Overview – "Single Pane-of-Glass"
   • McAfee ESM
     – Unified Visibility & Analysis
     – Compliance & Reporting
     – Policy Management
   • McAfee ELM
     – Log Management
     – Compliant Log Storage
     – SAN/CIFS/NFS/Local Storage
   • McAfee Receiver
     – 3rd Party Log/Event Collection
     – Network Flow Data Collection
     – VMware Receivers Available
   • McAfee ADM (Application Visibility: 100s of applications and 500+ document types)
     – Application Data Monitor
     – Layer 7 Decode
     – Full Meta-Data Collection
   • McAfee DEM (Data Visibility: data traffic from leading databases)
     – Database Activity Monitor
     – Database Log Generation
     – Session Audit
   • McAfee ACE (Risk Scoring: detect potential threats)
     – Advanced Correlation
     – Risk-Based Correlation
     – Historical Correlation
     – Asset information/context
     – Vulnerability Information
     – Which assets are most at-risk
12. Global Threat Intelligence (GTI)
   (Diagram: the ESM / ELM / Receiver / ADM / DEM / ACE architecture from slide 11, with GTI feeding Shared Threat Intelligence into it)
   • Reputation-based
     – WW visibility into all types of cyber threats
   • Automatic, push feed
   • Today – Bad Actors/Dangerous IPs
   • Additional GTI capabilities:
     – file, web, message & network connection reputation
     – web categorization
13. How can SIEM help with MTTR?
   • Advanced Correlation uses activity to determine Risk
14. How can SIEM help with MTTR?
   • Baselines to determine deviations from normal activity
15. How can SIEM help with MTTR?
   • Normalization of events into a common taxonomy
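As an added example that is not part of the deck, the following Python sketch shows the collect / normalize / correlate pipeline from slide 4 together with the common taxonomy of slide 15: three vendor log formats (constructed sample lines, not real data) are mapped onto one "authentication" event shape, and the "multiple failed logins followed by a success" rule runs over the result. The parser patterns, field names and the 3-in-5-minutes threshold are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines from three sources (sshd, Windows security log, a VPN appliance).
RAW_LOGS = [
    "2012-09-18T10:00:01 sshd[4321]: Failed password for admin from 203.0.113.7 port 5522 ssh2",
    "2012-09-18T10:00:04 sshd[4321]: Failed password for admin from 203.0.113.7 port 5523 ssh2",
    "2012-09-18T10:00:07 WinEventLog EventCode=4625 TargetUserName=admin IpAddress=203.0.113.7",
    "2012-09-18T10:00:10 vpn: user=admin src=203.0.113.7 result=FAILURE",
    "2012-09-18T10:00:15 sshd[4321]: Accepted password for admin from 203.0.113.7 port 5530 ssh2",
    "2012-09-18T10:00:20 sshd[4321]: Failed password for bob from 198.51.100.9 port 6001 ssh2",
]

# One parser per source; each maps its own fields onto (timestamp, category, outcome, user, src_ip).
PARSERS = [
    (re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)"),
     lambda m: (m[1], "authentication", "success" if m[2] == "Accepted" else "failure", m[3], m[4])),
    (re.compile(r"^(\S+) WinEventLog EventCode=(4624|4625) TargetUserName=(\S+) IpAddress=(\S+)"),
     lambda m: (m[1], "authentication", "success" if m[2] == "4624" else "failure", m[3], m[4])),
    (re.compile(r"^(\S+) vpn: user=(\S+) src=(\S+) result=(SUCCESS|FAILURE)"),
     lambda m: (m[1], "authentication", m[4].lower(), m[2], m[3])),
]

def normalize(line):
    """Return a taxonomy tuple, or None when no parser recognises the line."""
    for pattern, build in PARSERS:
        m = pattern.match(line)
        if m:
            ts, cat, outcome, user, src = build(m)
            return (datetime.fromisoformat(ts), cat, outcome, user, src)
    return None

def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Alert on (user, src_ip) pairs with >= threshold failures then a success inside window."""
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = []
    for ts, cat, outcome, user, src in filter(None, map(normalize, lines)):
        if cat != "authentication":
            continue
        q = failures[(user, src)]
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if outcome == "failure":
            q.append(ts)
        elif len(q) >= threshold:         # success after a burst of failures
            alerts.append({"user": user, "src": src, "failures": len(q), "at": ts})
            q.clear()
    return alerts
```

Because the sshd, Windows and VPN failures all normalize to the same shape, the rule counts four failures for admin from 203.0.113.7 across three products before the successful login, which no single-source rule would see.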
16. How can SIEM help with MTTR?
   • Global Threat Intelligence to determine if I have any communication with external known bad actors
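As an added illustration, not from the deck, of how the MTTR points on slides 13, 14 and 16 fit together: a per-host baseline flags deviation from normal outbound volume, a reputation list flags contact with known bad actors, and activity plus reputation are combined into one risk score. The seven-day history, today's observations, the bad-actor list and the score weights are all constructed assumptions.

```python
import statistics

# Constructed 7-day baseline of outbound bytes per host (not data from the deck).
BASELINE = {
    "db01": [1.0e9, 1.1e9, 0.9e9, 1.05e9, 1.0e9, 0.95e9, 1.0e9],
    "ws17": [2.0e8, 2.2e8, 1.9e8, 2.1e8, 2.0e8, 2.0e8, 2.1e8],
}
# Constructed observations for today: bytes sent and external destinations contacted.
TODAY = {
    "db01": {"bytes": 6.0e9, "dests": {"203.0.113.7", "198.51.100.20"}},
    "ws17": {"bytes": 2.05e8, "dests": {"192.0.2.50"}},
}
# Constructed reputation list standing in for a GTI-style push feed of dangerous IPs.
BAD_ACTORS = {"203.0.113.7"}

def zscore(history, value):
    """How many standard deviations value sits above the host's own baseline."""
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history)
    return (value - mean) / sd if sd else 0.0

def risk(host, z_threshold=3.0):
    """Return (score 0-100, reasons) from baseline deviation and reputation hits."""
    score, reasons = 0, []
    z = zscore(BASELINE[host], TODAY[host]["bytes"])
    if z > z_threshold:                       # slide 14: deviation from normal activity
        score += 40
        reasons.append(f"outbound volume {z:.1f} sigma above baseline")
    hits = TODAY[host]["dests"] & BAD_ACTORS  # slide 16: contact with known bad actors
    if hits:
        score += 50
        reasons.append(f"communicated with known bad actors: {sorted(hits)}")
    if z > z_threshold and hits:              # slide 13: both indicators together raise risk
        score += 10
    return min(score, 100), reasons
```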
