Security Information Management: An introduction

Information security managers have long been tasked with monitoring the enterprises they work for, while the business requirements for enterprise security monitoring continue to mutate and be redefined with ever-increasing speed. The definition and location of our assets shift on a daily basis, requiring a new, unsurpassed level of flexibility and visibility in managing information security. Traditional security technologies have continued their overlap with network, information and audit management solutions, creating workplace silos for managing information security.
Monitoring the enterprise, and identifying, interpreting and intelligently responding to the true needs of our organizations, seems impossible.

This presentation introduces Security Information Management (SIM) technologies and concerns, outlining potential solutions and approaches you can take to move your security posture forward.

Published in: Technology

Transcript of "Security Information Management: An introduction"

  1. Implementing SIM Today: Security Information Management Revealed
  2. Managing Security Data Today…
     • Hundreds of streams of data
     • Stored and transmitted using different formats
     • Scattered throughout the organization's IT environment
     • Not viewed, correlated or verified…
  3. We are losing the battle…
     • Technical attacks going unnoticed
     • Fraud and abuse unrestricted within the organization
     • Loss of critical forensic data
  4. Our capabilities are limited…
     • Ability to handle widespread incidents
     • Ability to diagnose large environment issues
     • Ability to detect and deter fraud
     • Ability to maintain compliance
  5. Security Data is useless.
     • Data must be translated into relevant knowledge regarding our environment and risk levels.
     • Automation of data gathering, filtering and reporting is needed to create useful information sets.
     • Information must be escalated and responded to by trained staff.
  6. Introduction
     • Michael Legary
     • Founder, Seccuris Inc.
     • CISSP, CISA, CISM, GCIH, CCSA
  7. Overview
     • What is SIM & SEM?
     • SEM Architecture & Design
     • SIM Processes & Procedures
     • Implementation Considerations
     • Available Solutions
     • The future of SIM
  8. What is SIM?
     • Security Information Management (SIM)
     • A systems management framework facilitating the collection, retention and translation of security control data into relevant risk management information.
     • People and processes supported by automated systems
  9. What is SEM?
     • Security Event Management (SEM)
     • Security Information & Event Management (SIEM)
     • An information system providing consolidation, management and archival of security event data
     • Automated systems supporting people
  10. The Value of SIM & SEM
     • Technical
       ◦ Single repository for correlation, analysis & escalation
       ◦ Enable Incident Response and Forensic Programs
       ◦ Streamline troubleshooting and diagnosis of the technical environment
  11. The Value of SIM & SEM
     • Audit
       ◦ Enable & Monitor Compliance
       ◦ Manage risk from control breaches
       ◦ Reduce risk from technical control failures
  12. The Value of SIM & SEM
     • Business
       ◦ Create efficiencies within asset protection
       ◦ Facilitate Business Intelligence programs
       ◦ Deter & Identify Corporate Espionage
  13. Overview
     • What is SIM?
     • SEM Architecture & Design
     • SIM Processes & Procedures
     • Implementation Considerations
     • Available Solutions
     • The future of SIM
  14. SEM Architecture & Design
     • Event Consolidation
     • Event Management
     • Event Archiving
  15. SEM Architecture & Design
  16. SEM Architecture & Design
     • Event Consolidation
       ◦ Collection
       ◦ Normalization
       ◦ Correlation
     • Event Management
     • Event Archiving
  17. SEM Architecture & Design
     • Event Collection
       ◦ Data sources such as:
         ▪ Firewalls
         ▪ OS Events
         ▪ Network Devices (Routers, VPNs, Sniffers)
         ▪ IDS / IPS (Network & Host)
         ▪ Anti-virus
         ▪ Proxy & Usage Monitoring Systems
         ▪ Vulnerability Management Systems
         ▪ Databases & SANs
         ▪ Unique Application Controls
  18. SEM Architecture & Design
     • Event Collection
  19. SEM Architecture & Design
     • Event Collection
       ◦ Communication methods
         ▪ SNMP
         ▪ Syslog
         ▪ Telnet / SSH Transfers
         ▪ Proprietary
  20. SEM Architecture & Design
     • Things to think about in Event Collection
       ◦ Avoid systems that only have limited input methods!
       ◦ Ask specifics about capacity
         ▪ Events Per Second
         ▪ Bandwidth Usage
         ▪ Average Storage Requirements
  21. SEM Architecture & Design
     • Event Consolidation
       ◦ Collection
       ◦ Normalization
       ◦ Correlation
     • Event Management
     • Event Archiving
  22. SEM Architecture & Design
     • Event Normalization
       ◦ Standardize data for input into the central repository
       ◦ Handle unknown or incomplete data streams
       ◦ Translate data types to increase efficiency
  24. SEM Architecture & Design
     • Things to think about in Event Normalization
       ◦ Not all “Normalization” is created equal
       ◦ Avoid systems that
         ▪ Simplify
         ▪ Modify
         ▪ Re-encode
  25. SEM Architecture & Design
     • Event Consolidation
       ◦ Collection
       ◦ Normalization
       ◦ Correlation
     • Event Management
     • Event Archiving
  26. SEM Architecture & Design
     • Event Correlation
       ◦ Examination of existing data sets to determine if an attack has occurred
       ◦ Attempts to reduce false positives
       ◦ Functionality offered by SIM systems varies widely
  27. SEM Architecture & Design
     • Event Correlation
       ◦ Rule Based
         ▪ Some pre-existing finite knowledge of the attack
         ▪ Tied in with historical data to minimize false positives
       ◦ Statistical (Algorithmic)
         ▪ Relies on the knowledge and recognition of normal activity over time
         ▪ Calculates threat levels through weighting of real-time & historical data about the asset and the attack.
  28. SEM Architecture & Design
     • Things to think about in Event Correlation
       ◦ When evaluating a system you need a good understanding of what data will be going in.
       ◦ Some systems misinterpret / discount intrusion prevention (IPS) data
       ◦ False accept rates vary widely in large-scale implementations
  29. SEM Architecture & Design
     • Event Consolidation
     • Event Management
       ◦ Analysis
       ◦ Reporting
       ◦ Tracking & Escalation
     • Event Archiving
  30. SEM Architecture & Design
  31. SEM Architecture & Design
     • Event Analysis
       ◦ Real-time Monitoring
         ▪ Active
         ▪ Passive
       ◦ Historical Event Analysis
         ▪ High & Wide
         ▪ Deep & Narrow
  32. SEM Architecture & Design
     • Things to look for in Event Analysis
       ◦ Select a system that is consistent with your capabilities and requirements
         ▪ Who are the main users?
         ▪ Are there other audiences using the system?
         ▪ What are their responsibilities?
       ◦ Is the event analysis system auditable?
         ▪ Different levels of access? Logging?
  33. SIM Architecture & Design
     • Event Consolidation
     • Event Management
       ◦ Analysis
       ◦ Reporting
       ◦ Tracking & Escalation
     • Event Archiving
  34. SIM Architecture & Design
     • Event Reporting
       ◦ Real-time or Historical
       ◦ Multiple Views
         ▪ Management, Audit, Technical
       ◦ Integration with Incident Management & Forensics
  35. SEM Architecture & Design
     • Things to look for in Event Reporting
       ◦ Ease-of-use
       ◦ Performance
       ◦ Customization
  36. SEM Architecture & Design
     • Event Consolidation
     • Event Management
       ◦ Analysis
       ◦ Reporting
       ◦ Tracking & Escalation
     • Event Archiving
  37. SEM Architecture & Design
     • Event Tracking & Escalation
       ◦ Ticketing System
         ▪ Integrated, Add-on or External
       ◦ Alerting Mechanisms
         ▪ Integrated, Add-on or External
  38. SEM Architecture & Design
     • Things to look for in Tracking & Escalation
       ◦ Ticketing System
         ▪ Ease-of-use, Performance, Customization
         ▪ Control and Audit
       ◦ Alerting Mechanisms
         ▪ Encryption
         ▪ Redundancy
         ▪ Expandability
  39. SEM Architecture & Design
     • Event Consolidation
     • Event Management
     • Event Archiving
       ◦ Storage
  40. SEM Architecture & Design
  41. SEM Architecture & Design
     • Event Archiving
       ◦ On-Line Storage
       ◦ Near-Line Storage
       ◦ Off-Line Storage
  42. SEM Architecture & Design
     • Things to look for in Event Archiving
       ◦ Technologies used
       ◦ Encryption
       ◦ Compression
       ◦ Automation of process
       ◦ Reporting & Alerting of issues
  43. SEM Architecture & Design
     • Event Consolidation
       ◦ Collection
       ◦ Normalization
       ◦ Correlation
     • Event Management
       ◦ Analysis
       ◦ Reporting
       ◦ Tracking & Escalation
     • Event Archiving
       ◦ Storage
       ◦ Redundancy
       ◦ Maintenance
  44. Overview
     • What is SIM?
     • SEM Architecture & Design
     • SIM Processes & Procedures
     • Implementation Considerations
     • Available Solutions
     • The future of SIM
  45. SIM Processes & Procedures
     • Core Processes
       ◦ Identification
       ◦ Collection
       ◦ Analysis
       ◦ Escalation
       ◦ Reporting
       ◦ Tracking & Workflow Management
       ◦ Maintenance
  46. SIM Processes & Procedures
     • Tie core processes to existing ones
       ◦ Incident Handling
       ◦ Forensics
       ◦ Network Health Monitoring
       ◦ Active Systems Audits
     • Map back to a security framework or best practice
       ◦ SABSA
       ◦ ISO / COBIT
  47. Overview
     • What is SIM?
     • SEM Architecture & Design
     • SIM Processes & Procedures
     • Implementation Considerations
     • Available Solutions
     • The future of SIM
  48. Implementation Considerations
     • Choosing an effective strategy
       ◦ Available Resources
         ▪ Skill Sets
       ◦ Placement
         ▪ Requirements (Application or Appliance)
         ▪ Locations
         ▪ Justifications
  49. Implementation Considerations
     • Choosing an effective strategy
       ◦ Monitoring
         ▪ Real-Time
         ▪ Historical
       ◦ Analysis
         ▪ Involved Parties
         ▪ Required SLAs
  50. Implementation Considerations
     • Choosing an effective strategy
       ◦ Reporting
         ▪ What are the needs of the target audience?
         ▪ Canned Reports?
         ▪ What customization is required?
       ◦ Workflow Management
         ▪ Integrated
         ▪ Use existing
  51. Implementation Considerations
     • Capacity Planning
       ◦ Performance Requirements
       ◦ Storage Strategy
       ◦ Caching, Failover & Redundancy
       ◦ Back-end system compatibility
  52. Implementation Considerations
     • Justifying the complete investment
       ◦ Initial needs assessment & workflow design
       ◦ Up-front technology expenditure
       ◦ Staff Education & Knowledge Transfer
       ◦ On-going maintenance & Staffing
  53. Overview
     • What is SIM?
     • SEM Architecture & Design
     • SIM Processes & Procedures
     • Implementation Considerations
     • Available Solutions
     • The future of SIM
  54. Available Solutions
     • Applications
       ◦ Minimum long-term commitment
       ◦ Maximum integration pain
     • Appliances
       ◦ Turn-key solution
       ◦ Limited customization
     • Managed Services
       ◦ Facilitated Integration & SLAs
       ◦ Minimum retained knowledge
  55. Available Solutions (Source: “Security Event Management Gets Specialized”, Andrew Conry-Murray)
  56. Available Solutions
  57. Available Solutions
     • Implementation Costs & Considerations
       ◦ Needs Analysis
       ◦ SIM Development
       ◦ SEM Purchase
       ◦ SEM Implementation
       ◦ Maintenance
  58. Overview
     • What is SIM?
     • SEM Architecture & Design
     • SIM Processes & Procedures
     • Implementation Considerations
     • Available Solutions
     • The future of SIM
  59. The Future of SIM
     • The need for centralized data interpretation is not going away.
     • SIM will slowly become an accepted management framework in Information Assurance Programs
     • Smooth, standardized integration is on its way
  60. Conclusions
     • Security Information Management allows you to:
       ◦ Manage & Reduce Risk
       ◦ Enable Compliance
       ◦ Facilitate Business Intelligence programs
  61. Conclusions
     • Invest in understanding your requirements
     • Potential for a white elephant is high
     • Commit to long-term improvement of the chosen strategy
  62. Thank-you
     • Michael Legary
     • Founder, Seccuris Inc.
     • (204) 255-4490
     • [email_address]
     • www.seccuris.com
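The event normalization (slides 22 and 24) and event correlation (slides 26 to 28) stages of the deck, as an added Python example that is not from the presentation or from Seccuris: constructed log lines from two feeds are mapped into one common schema while the raw line is kept verbatim and an unknown stream is retained rather than dropped; a rule-based check (finite knowledge of the pattern, suppressed by a historical list of noisy sources) and a statistical threat score (real-time count weighted against the asset's historical baseline and criticality) then run over the normalized events. All hosts, addresses, thresholds, baselines and criticality values are constructed for the example.

```python
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample feeds (not real logs): a syslog-style firewall line, an OS
# authentication log in key=value form, and one line no parser understands.
RAW_EVENTS = [
    "<134>Jan 10 09:00:01 fw1 kernel: DENY TCP 10.0.0.5:51000 -> 192.168.1.20:22",
    "ts=1673341202 host=srv-db01 type=auth_fail user=admin src=10.0.0.5",
    "ts=1673341203 host=srv-db01 type=auth_fail user=admin src=10.0.0.5",
    "ts=1673341204 host=srv-db01 type=auth_fail user=admin src=10.0.0.5",
    "ts=1673341209 host=srv-db01 type=auth_ok user=admin src=10.0.0.5",
    "ts=1673341250 host=srv-db01 type=auth_fail user=backup src=10.0.0.9",
    "agent-xyz: unstructured output with no parser",
]

@dataclass
class Event:                  # common schema of the central repository
    ts: float | None          # epoch seconds; None when the stream carried none
    host: str | None
    kind: str                 # canonical type: fw_deny, auth_fail, auth_ok, unknown
    src: str | None
    user: str | None
    raw: str                  # original line kept verbatim: not simplified or re-encoded

SYSLOG_FW = re.compile(r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                       r"(?P<action>DENY|ALLOW) \w+ (?P<src>[\d.]+):\d+ -> ")

def normalize(line: str) -> Event:
    """Map one raw line to the common schema; unknown streams are kept, not dropped."""
    m = SYSLOG_FW.match(line)
    if m:  # syslog has no year; the constructed sample assumes 2023, UTC
        ts = datetime.strptime("2023 " + m["ts"], "%Y %b %d %H:%M:%S")
        return Event(ts.replace(tzinfo=timezone.utc).timestamp(), m["host"],
                     "fw_" + m["action"].lower(), m["src"], None, line)
    if line.startswith("ts="):
        kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        return Event(float(kv["ts"]), kv.get("host"), kv.get("type", "unknown"),
                     kv.get("src"), kv.get("user"), line)
    return Event(None, None, "unknown", None, None, line)

# Rule-based correlation: finite knowledge of the pattern (N failures then a success
# within WINDOW) plus historical knowledge of noisy sources to suppress false positives.
FAIL_THRESHOLD, WINDOW = 3, 60
KNOWN_NOISY_SOURCES = {"10.0.0.9"}  # constructed: a monitoring account that often fails

def rule_failed_logins_then_success(events: list[Event]) -> list[dict]:
    alerts, recent_fails = [], defaultdict(list)
    for e in sorted((e for e in events if e.ts is not None), key=lambda e: e.ts):
        key = (e.src, e.host)
        recent_fails[key] = [t for t in recent_fails[key] if e.ts - t <= WINDOW]
        if e.kind == "auth_fail":
            recent_fails[key].append(e.ts)
        elif (e.kind == "auth_ok" and len(recent_fails[key]) >= FAIL_THRESHOLD
              and e.src not in KNOWN_NOISY_SOURCES):
            alerts.append({"rule": "failed_logins_then_success", "src": e.src,
                           "host": e.host, "user": e.user,
                           "failures": len(recent_fails[key])})
            recent_fails[key] = []
    return alerts

# Statistical correlation: real-time failure count weighted against the asset's
# historical baseline and criticality (constructed asset register and baseline).
ASSET_CRITICALITY = {"srv-db01": 0.9, "fw1": 0.5}
BASELINE_FAILS_PER_MIN = {"srv-db01": (0.5, 0.5)}  # (mean, std dev) from history

def threat_score(events: list[Event], host: str) -> float:
    fails = sorted(e.ts for e in events
                   if e.host == host and e.kind == "auth_fail" and e.ts is not None)
    if not fails:
        return 0.0
    count = sum(1 for t in fails if fails[-1] - t <= WINDOW)    # real-time measure
    mean, sd = BASELINE_FAILS_PER_MIN.get(host, (1.0, 1.0))      # historical measure
    deviation = min(max((count - mean) / sd, 0.0) / 5.0, 1.0)    # capped z-score
    return round(ASSET_CRITICALITY.get(host, 0.3) * deviation, 2)

def threat_level(score: float) -> str:
    return "high" if score >= 0.7 else "medium" if score >= 0.4 else "low"
```

Running `rule_failed_logins_then_success([normalize(l) for l in RAW_EVENTS])` yields one alert for 10.0.0.5 against srv-db01, while the unknown-format line survives normalization with `kind == "unknown"` and its raw text intact for later parsing or forensics.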
