Redefining SIEM to Real Time Security Intelligence
Presentation Transcript

    • Redefining SIEM to Real Time Security Intelligence
      David Osborne, Security Architect
      September 18, 2012
    • It's not paranoia if they really are out to get you
      – Malware
      – Malicious Insiders
      – Exploited Vulnerabilities
      – Careless Employees
      – Mobile Devices
      – Social Networking
      – Social Engineering
      – Zero-Day Exploits
      – Cloud Computing Security Threats
      – Cyber Espionage
    • Reality of Compliance
      – Audits happen quarterly or annually
      – Effort and budget spent to get compliant
      – Little focus or process to stay that way
    • SIEM – The Great Correlator
      – Major SIEM Functions: Collect, Normalize, Correlate
      – Collect log and event data from systems across the network
        • Security devices, applications, OS, databases, end-point protections, etc.
      – Normalize similar events across disparate data sources
        • Login events from a VPN, OS, or Application are all "authentication events"
      – Correlate multiple events into known attack vectors or policy violations
        • "Multiple failed logins followed by a success" indicates brute force access
        • Eliminates the need for an analyst to try to "piece together" the event
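    Added example (not from the presentation or any SIEM product): the collect, normalize, correlate pipeline described above in Python, with constructed log lines in three formats and the "multiple failed logins followed by a success" rule from the slide. The field names, regexes, threshold and time window are assumptions.

```python
"""Normalize login events from three log formats into one "authentication event"
schema, then correlate failed logins followed by a success into a brute-force alert."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: a VPN appliance, Linux sshd syslog, and a web app.
SAMPLE_LOGS = [
    "2012-09-18T10:00:01 vpn1 user=bob src=203.0.113.5 result=FAIL",
    "2012-09-18T10:00:03 vpn1 user=bob src=203.0.113.5 result=FAIL",
    "Sep 18 10:00:05 host7 sshd[412]: Failed password for bob from 203.0.113.5",
    "Sep 18 10:00:07 host7 sshd[412]: Failed password for bob from 203.0.113.5",
    '203.0.113.5 - - [18/Sep/2012:10:00:09] "POST /login" 200 user=bob status=ok',
    "Sep 18 10:30:00 host7 sshd[500]: Accepted password for alice from 198.51.100.9",
]
VPN_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+) result=(\w+)")
SSH_RE = re.compile(r"^(\w{3} \d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
WEB_RE = re.compile(r'^(\S+) - - \[([^\]]+)\] "POST /login" \d+ user=(\S+) status=(\w+)')

def normalize(line):
    """Map one raw line onto the common schema; None if the format is unknown."""
    if m := VPN_RE.match(line):
        return dict(time=datetime.fromisoformat(m[1]), source=m[2], user=m[3],
                    src_ip=m[4], success=m[5] == "OK")
    if m := SSH_RE.match(line):  # syslog omits the year; 2012 is assumed here
        return dict(time=datetime.strptime("2012 " + m[1], "%Y %b %d %H:%M:%S"),
                    source=m[2], user=m[4], src_ip=m[5], success=m[3] == "Accepted")
    if m := WEB_RE.match(line):
        return dict(time=datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S"), source="webapp",
                    user=m[3], src_ip=m[1], success=m[4] == "ok")
    return None

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when >= threshold failures for one (src_ip, user) precede a success within window."""
    failures, alerts = defaultdict(deque), []
    for ev in sorted(events, key=lambda e: e["time"]):
        q = failures[(ev["src_ip"], ev["user"])]
        while q and ev["time"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if not ev["success"]:
            q.append(ev["time"])
            continue
        if len(q) >= threshold:                   # failures from any source count together
            alerts.append(dict(src_ip=ev["src_ip"], user=ev["user"],
                               failures=len(q), success_on=ev["source"]))
        q.clear()
    return alerts

def run(lines=SAMPLE_LOGS):
    return correlate([e for e in map(normalize, lines) if e])
```

The four failures span the VPN and sshd sources and the success comes from the web app; only the normalized schema makes them correlate as one event.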
    • Redefining SIEM
      – Security is a Process, not a Product
        • Each stage supports the next
        • A "weak link" breaks the process
        • Tools need to automate each stage
        • Integration provides actionable intelligence
      – Legacy SIEMs are Limited
        • Risk Assessment: limited to VA scan data
        • Threat Detection: limited to event correlation
        • Incident Response: limited to log analysis
        • Compliance Reporting: limited to canned reports
    • SIEM is Still Evolving… to SIEM Content Awareness (Next Generation SIEM)
      – Content Awareness is understanding the payload at the application layer
        • What is actually being communicated, transferred, and shared over the network
      – Examples of "content" awareness are the understanding of:
        • Email contents, including the attachments
        • Social, IM and P2P network communications
        • Document contents
        • Application relationships with database queries and responses
        • Database monitoring
        • Data leakage
        • Sensitive information within chat, email, printed material, etc.
    • Adding Context to Logs
      Figure: a single log record surrounded by the context questions an analyst asks of it:
      – Host: What is the host's IP address? DNS name, Windows name, other names? Location on the network/datacenter? Who is the admin? Is this system vulnerable to exploits? What else happened on this host?
      – Source IP: Whois info? Organization owner? Where does the IP originate from (geolocation info)? Which other hosts did this IP communicate with?
      – Time: What else happened at this time? Near this time? What is the time zone?
      – User: Who is this user? What is the user's access level? What is the user's real name, department, location? What other events from this user?
      – Service and port: What is this service? What other messages did it produce? What other systems does it run on? What is this port? Is this a normal port for this service? What else is this service being used for?
      – Other fields: What does this number mean? Is this documented somewhere?
    • Broad Content and Context Correlation
      Figure: data sources feeding correlation: authentication events from security devices, application contents, IAM and user identity, device and application log files, malware (viruses, trojans, exploits), insider threats, advanced threats, database transactions, location, OS events, and VA scan data.
    • SIEM and Situational Awareness
      – SIEM DOES NOT SOLVE APT, but provides situational awareness
        • THERE IS NO APT "ALL IN ONE SOLUTION"
      – SIEM can help with attacks
        • Determining the scope of attack: what systems or devices were involved, what DATA was compromised, what evasion techniques were utilized, timelines, toolsets utilized, work flows and processes of attackers
        • Heuristics for historical correlation
      – Even with SIEM, security expertise and experience is REQUIRED
        • Well trained security analysts and highly developed security policies and procedures, combined with SIEM for situational awareness, is the BEST strategy for dealing with exploits, low and slow attacks and APT
    • Scalability & Performance
      – Unmatched Speed
        • Industry's fastest SIEM
        • 100x to 1,000x faster than current solutions
        • Queries, correlation and analysis in minutes, not hours
      – Unmatched Scale
        • Collect all relevant data, not selected sub-sets
        • Analyze months and years of data, not weeks
        • Include higher layer context and content information
        • Scales easily to billions of data records
    • NitroView Overview: "Single Pane-of-Glass"
      – McAfee ESM: Unified Visibility & Analysis; Compliance & Reporting; Policy Management
      – McAfee ELM: Log Management; Compliant Log Storage; SAN/CIFS/NFS/Local Storage
      – McAfee Receiver: 3rd Party Log/Event Collection; Network Flow Data Collection; VMware Receivers Available
      – McAfee ADM (Application Visibility): Application Data Monitor; Layer 7 Decode; Full Meta-Data Collection; 100s of applications and 500+ document types
      – McAfee DEM (Data Visibility): Database Activity Monitor; Database Log Generation; Session Audit; Data traffic from leading databases
      – McAfee ACE (Risk Scoring): Advanced Correlation; Risk-Based Correlation; Historical Correlation; Detect potential threats; Asset information/context; Vulnerability Information; Which assets are most at-risk
    • Global Threat Intelligence (GTI)
      Figure: the same ESM/ELM/Receiver/ADM/DEM/ACE architecture as the previous slide, with Shared Threat Intelligence feeding it.
      – Reputation-based: WW visibility into all types of cyber threats
      – Automatic, push feed
      – Today: Bad Actors/Dangerous IPs
      – Additional GTI capabilities: file, web, message & network connection reputation; web categorization
    • How can SIEM help with MTTR?
      – Advanced Correlation uses activity to determine Risk
      – Baselines to determine deviations from normal activity
      – Normalization of events into a common taxonomy
      – Global Threat Intelligence to determine if I have any communication with external known bad actors
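    Added example (not from the presentation or any product): two of the MTTR aids above in Python, a per-host baseline of daily event counts used to flag deviations, and a check of outbound destinations against a known-bad-actor feed. The counts, destinations, feed entries and the z-score threshold are constructed assumptions.

```python
"""Flag hosts whose activity deviates from their baseline, and hosts that
talked to addresses on a threat-intelligence feed."""
from statistics import mean, pstdev

# Constructed: daily outbound-connection counts per host over a baseline week.
BASELINE = {
    "host7": [120, 130, 125, 118, 127, 122, 131],
    "db1": [15, 18, 16, 17, 15, 19, 16],
}
# Constructed: today's counts and today's outbound destinations per host.
TODAY_COUNTS = {"host7": 128, "db1": 410}
TODAY_DESTS = {"host7": ["198.51.100.9"], "db1": ["203.0.113.77", "192.0.2.10"]}
# Constructed stand-in for a reputation feed of known bad actors.
BAD_ACTORS = {"203.0.113.77"}

def baseline_deviation(history, today):
    """z-score of today's count against the host's own history; None if the
    history is perfectly flat (zero spread cannot be scored)."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return None
    return (today - mu) / sigma

def find_deviations(baseline=BASELINE, today=TODAY_COUNTS, z_threshold=3.0):
    """Hosts whose count today is at least z_threshold standard deviations
    away from their baseline mean, with the rounded z-score."""
    flagged = {}
    for host, history in baseline.items():
        z = baseline_deviation(history, today[host])
        if z is not None and abs(z) >= z_threshold:
            flagged[host] = round(z, 1)
    return flagged

def find_bad_actor_contacts(dests=TODAY_DESTS, feed=BAD_ACTORS):
    """Hosts that communicated with any address on the feed, and which ones."""
    return {host: sorted(set(ips) & feed)
            for host, ips in dests.items() if set(ips) & feed}
```

A host that is both far above baseline and in contact with a listed bad actor is where the analyst's time goes first.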