Implementing SIM Today Security Information Management Revealed

Managing Security Data Today… Hundreds of streams of data Stored and transmitted using different formats Scattered through out the organizations IT environment Not viewed, correlated or verified…

Hundreds of streams of data

Stored and transmitted using different formats

Scattered through out the organizations IT environment

Not viewed, correlated or verified…

We are losing the battle… Technical attacks going unnoticed Fraud and abuse unrestricted within the organization Loss of critical forensic data

Technical attacks going unnoticed

Fraud and abuse unrestricted within the organization

Loss of critical forensic data

Our capabilities are limited… Ability to handle wide spread incidents Ability to diagnosis large environment issues Ability to detect and deter fraud Ability to maintain compliance

Ability to handle wide spread incidents

Ability to diagnosis large environment issues

Ability to detect and deter fraud

Ability to maintain compliance

Security Data is useless. Data must be translated into relevant knowledge regarding our environment and risk levels. Automation of data gathering, filtering and reporting is needed to create useful information sets. Information must be escalated and responded to by trained staff.

Data must be translated into relevant knowledge regarding our environment and risk levels.

Automation of data gathering, filtering and reporting is needed to create useful information sets.

Information must be escalated and responded to by trained staff.

Introduction Michael Legary Founder, Seccuris Inc. CISSP, CISA, CISM, GCIH, CCSA

Michael Legary

Founder, Seccuris Inc.

CISSP, CISA, CISM, GCIH, CCSA

Overview What is SIM & SEM? SEM Architecture & Design SIM Processes & Procedures Implementation Considerations Available Solutions The future of SIM

What is SIM & SEM?

SEM Architecture & Design

SIM Processes & Procedures

Implementation Considerations

Available Solutions

The future of SIM

What is SIM? Security Information Management (SIM) An systems management framework facilitating the collection, retention and translation of security control data into relevant risk management information. People and processes supported by automated systems

Security Information Management (SIM)

An systems management framework facilitating the collection, retention and translation of security control data into relevant risk management information.

People and processes supported by automated systems

What is SEM? Security Event Management (SEM) Security Information & Event Management (SIEM) An information system providing consolidation, management and archival of security event data Automated systems supporting people

Security Event Management (SEM)

Security Information & Event Management (SIEM)

An information system providing consolidation, management and archival of security event data

Automated systems supporting people

The Value of SIM & SEM Technical Single repository for correlation, analysis & escalation Enable Incident Response and Forensic Programs Streamline troubleshooting and diagnosis of technical environment

Technical

Single repository for correlation, analysis & escalation

Enable Incident Response and Forensic Programs

Streamline troubleshooting and diagnosis of technical environment

The Value of SIM & SEM Audit Enable & Monitor Compliance Manage risk from control breaches Reduce risk from technical control failures

Audit

Enable & Monitor Compliance

Manage risk from control breaches

Reduce risk from technical control failures

The Value of SIM & SEM Business Create efficiencies within asset protection Facilitate Business Intelligence programs Deter & Identify Corporate Espionage

Business

Create efficiencies within asset protection

Facilitate Business Intelligence programs

Deter & Identify Corporate Espionage

Overview What is SIM? SEM Architecture & Design SIM Processes & Procedures Implementation Considerations Available Solutions The future of SIM

What is SIM?

SEM Architecture & Design

SIM Processes & Procedures

Implementation Considerations

Available Solutions

The future of SIM

SEM Architecture & Design Event Consolidation Event Management Event Archiving

Event Consolidation

Event Management

Event Archiving

SEM Architecture & Design

SEM Architecture & Design Event Consolidation Collection Normalization Correlation Event Management Event Archiving

Event Consolidation

Collection

Normalization

Correlation

Event Management

Event Archiving

SEM Architecture & Design Event Collection Data Sources such as: Firewalls OS Events Network Devices (Routers, VPNs, Sniffers) IDS / IPS (Network & Host) Anti-virus Proxy & Usage Monitoring Systems Vulnerability Management Systems Databases & SANs Unique Application Controls

Event Collection

Data Sources such as:

Firewalls

OS Events

Network Devices (Routers, VPNs, Sniffers)

IDS / IPS (Network & Host)

Anti-virus

Proxy & Usage Monitoring Systems

Vulnerability Management Systems

Databases & SANs

Unique Application Controls

SEM Architecture & Design Event Collection

Event Collection

SEM Architecture & Design Event Collection Communication methods SNMP Syslog Telnet / SSH Transfers Proprietary

Event Collection

Communication methods

SNMP

Syslog

Telnet / SSH Transfers

Proprietary

SEM Architecture & Design Things to think about in Event Collection Avoid systems that only have limited input methods! Ask specifics about capacity Events Per Second Bandwidth Usage Average Storage Requirements

Things to think about in Event Collection

Avoid systems that only have limited input methods!

Ask specifics about capacity

Events Per Second

Bandwidth Usage

Average Storage Requirements

SEM Architecture & Design Event Consolidation Collection Normalization Correlation Event Management Event Archiving

Event Consolidation

Collection

Normalization

Correlation

Event Management

Event Archiving

SEM Architecture & Design Event Normalization Standardize data for input into central repository Handle unknown or incomplete data streams Translate data types to increase efficiency

Event Normalization

Standardize data for input into central repository

Handle unknown or incomplete data streams

Translate data types to increase efficiency

SEM Architecture & Design Things to think about in Event Normalization Not all “Normalization” is created equal Avoid systems that Simplify Modify Re-encode

Things to think about in Event Normalization

Not all “Normalization” is created equal

Avoid systems that

Simplify

Modify

Re-encode

SEM Architecture & Design Event Consolidation Collection Normalization Correlation Event Management Event Archiving

Event Consolidation

Collection

Normalization

Correlation

Event Management

Event Archiving

SEM Architecture & Design Event Correlation Examination of existing data sets to determine if an attack has occurred Attempts to reduce false positives Functionality offered by SIM systems varies widely

Event Correlation

Examination of existing data sets to determine if an attack has occurred

Attempts to reduce false positives

Functionality offered by SIM systems varies widely

SEM Architecture & Design Event Correlation Rule Based Some pre-existing finite knowledge of the attack Tied-in with historical data to minimize false positives Statistical (Algorithmic) Relies on the knowledge and recognition of normal activity over time Calculates threat levels though weighting of real-time & historical data about the asset and the attack.

Event Correlation

Rule Based

Some pre-existing finite knowledge of the attack

Tied-in with historical data to minimize false positives

Statistical (Algorithmic)

Relies on the knowledge and recognition of normal activity over time

Calculates threat levels though weighting of real-time & historical data about the asset and the attack.

SEM Architecture & Design Things to think about in Event Correlation When evaluating a system you need a good understanding of what data will be going in. Some systems misinterpret / discount intrusion prevention data (IPS) False Accept rates vary widely in large scale implementations

Things to think about in Event Correlation

When evaluating a system you need a good understanding of what data will be going in.

Some systems misinterpret / discount intrusion prevention data (IPS)

False Accept rates vary widely in large scale implementations

SEM Architecture & Design Event Consolidation Event Management Analysis Reporting Tracking & Escalation Event Archiving

Event Consolidation

Event Management

Analysis

Reporting

Tracking & Escalation

Event Archiving

SEM Architecture & Design

SEM Architecture & Design Event Analysis Real-time Monitoring Active Passive Historical Event Analysis High & Wide Deep & Narrow

Event Analysis

Real-time Monitoring

Active

Passive

Historical Event Analysis

High & Wide

Deep & Narrow

SEM Architecture & Design Thinks to look for in Event Analysis Select a system that is consistent with your capabilities and requirements Who are the main users? Are there other audiences using the system? What are their responsibilities? Is the event analysis system auditable? Different levels of access? Logging?

Thinks to look for in Event Analysis

Select a system that is consistent with your capabilities and requirements

Who are the main users?

Are there other audiences using the system?

What are their responsibilities?

Is the event analysis system auditable?

Different levels of access? Logging?

SIM Architecture & Design Event Consolidation Event Management Analysis Reporting Tracking & Escalation Event Archiving

Event Consolidation

Event Management

Analysis

Reporting

Tracking & Escalation

Event Archiving

SIM Architecture & Design Event Reporting Real-time or Historical Multiple Views Management, Audit, Technical Integration with Incident Management & Forensics

Event Reporting

Real-time or Historical

Multiple Views

Management, Audit, Technical

Integration with Incident Management & Forensics

SEM Architecture & Design Things to look for in Event Reporting Ease-of-use Performance Customization

Things to look for in Event Reporting

Ease-of-use

Performance

Customization

SEM Architecture & Design Event Consolidation Event Management Analysis Reporting Tracking & Escalation Event Archiving

Event Consolidation

Event Management

Analysis

Reporting

Tracking & Escalation

Event Archiving

SEM Architecture & Design Event Tracking & Escalation Ticketing System Integrated, Add-on or External Alerting Mechanisms Integrated, Add-on or External

Event Tracking & Escalation

Ticketing System

Integrated, Add-on or External

Alerting Mechanisms

Integrated, Add-on or External

SEM Architecture & Design Things to look for in Tracking & Escalation Ticketing System Ease-of-use, Performance, Customization Control and Audit Alerting Mechanisms Encryption Redundancy Expandability

Things to look for in Tracking & Escalation

Ticketing System

Ease-of-use, Performance, Customization

Control and Audit

Alerting Mechanisms

Encryption

Redundancy

Expandability

SEM Architecture & Design Event Consolidation Event Management Event Archiving Storage

Event Consolidation

Event Management

Event Archiving

Storage

SEM Architecture & Design

SEM Architecture & Design Event Archiving On-Line Storage Near-Line Storage Off-Line Storage

Event Archiving

On-Line Storage

Near-Line Storage

Off-Line Storage

SEM Architecture & Design Things to look for in Event Archiving Technologies used Encryption Compression Automation of process Reporting & Alerting of issues

Things to look for in Event Archiving

Technologies used

Encryption

Compression

Automation of process

Reporting & Alerting of issues

SEM Architecture & Design Event Consolidation Collection Normalization Correlation Event Management Analysis Reporting Tracking & Escalation Event Archiving Storage Redundancy Maintenance

Event Consolidation

Collection

Normalization

Correlation

Event Management

Analysis

Reporting

Tracking & Escalation

Event Archiving

Storage

Redundancy

Maintenance

Overview What is SIM? SEM Architecture & Design SIM Processes & Procedures Implementation Considerations Available Solutions The future of SIM

What is SIM?

SEM Architecture & Design

SIM Processes & Procedures

Implementation Considerations

Available Solutions

The future of SIM

SIM Processes & Procedures Core Processes Identification Collection Analysis Escalation Reporting Tracking & Workflow Management Maintenance

Core Processes

Identification

Collection

Analysis

Escalation

Reporting

Tracking & Workflow Management

Maintenance

SIM Processes & Procedures Tie core processes to existing ones Incident Handling Forensics Network Health Monitoring Active Systems Audits Map back to security framework or best practice SABSA ISO / COBIT

Tie core processes to existing ones

Incident Handling

Forensics

Network Health Monitoring

Active Systems Audits

Map back to security framework or best practice

SABSA

ISO / COBIT

Overview What is SIM? SEM Architecture & Design SIM Processes & Procedures Implementation Considerations Available Solutions The future of SIM

What is SIM?

SEM Architecture & Design

SIM Processes & Procedures

Implementation Considerations

Available Solutions

The future of SIM

Implementation Considerations Choosing an effective strategy Available Resources Skill Sets Placement Requirements (Application or Appliance) Locations Justifications

Choosing an effective strategy

Available Resources

Skill Sets

Placement

Requirements (Application or Appliance)

Locations

Justifications

Implementation Considerations Choosing an effective strategy Monitoring Real-Time Historical Analysis Involved Parties Required SLAs

Choosing an effective strategy

Monitoring

Real-Time

Historical

Analysis

Involved Parties

Required SLAs

Implementation Considerations Choosing an effective strategy Reporting What are the needs of the target audience? Canned Reports? What customization is required? Workflow Management Integrated Use existing

Choosing an effective strategy

Reporting

What are the needs of the target audience?

Canned Reports?

What customization is required?

Workflow Management

Integrated

Use existing

Implementation Considerations Capacity Planning Performance Requirements Storage Strategy Caching, Failover & Redundancy Back-end system compatibility

Capacity Planning

Performance Requirements

Storage Strategy

Caching, Failover & Redundancy

Back-end system compatibility

Implementation Considerations Justifying the complete investment Initial needs assessment & workflow design Up-front technology expenditure Staff Education & Knowledge Transfer On-going maintenance & Staffing

Justifying the complete investment

Initial needs assessment & workflow design

Up-front technology expenditure

Staff Education & Knowledge Transfer

On-going maintenance & Staffing

Overview What is SIM? SEM Architecture & Design SIM Processes & Procedures Implementation Considerations Available Solutions The future of SIM

What is SIM?

SEM Architecture & Design

SIM Processes & Procedures

Implementation Considerations

Available Solutions

The future of SIM

Available Solutions Applications Minimum long term commitment Maximum integration pain Appliances Turn-key solution Limited customization Managed Services Facilitated Integration & SLA’s Minimum retained knowledge

Applications

Minimum long term commitment

Maximum integration pain

Appliances

Turn-key solution

Limited customization

Managed Services

Facilitated Integration & SLA’s

Minimum retained knowledge

Available Solutions Source: Security Event Management Gets Specialized Andrew Conry-Murray

Available Solutions

Available Solutions Implementation Costs & Considerations Needs Analysis SIM Development SEM Purchase SEM Implementation Maintenance

Implementation Costs & Considerations

Needs Analysis

SIM Development

SEM Purchase

SEM Implementation

Maintenance

Overview What is SIM? SEM Architecture & Design SIM Processes & Procedures Implementation Considerations Available Solutions The future of SIM

What is SIM?

SEM Architecture & Design

SIM Processes & Procedures

Implementation Considerations

Available Solutions

The future of SIM

The Future of SIM The need for centralized data interpretation is not going away. SIM will slowly become an accepted management framework in Information Assurance Programs Smooth, Standardized Integration is on its way

The need for centralized data interpretation is not going away.

SIM will slowly become an accepted management framework in Information Assurance Programs

Smooth, Standardized Integration is on its way

Conclusions Security Information Management allows you to: Manage & Reduce Risk Enable Compliance Facilitate Business Intelligence programs

Security Information Management allows you to:

Manage & Reduce Risk

Enable Compliance

Facilitate Business Intelligence programs

Conclusions Invest in understanding your requirements Potential for a white elephant is high Commit to long term improvement of the chosen strategy

Invest in understanding your requirements

Potential for a white elephant is high

Commit to long term improvement of the chosen strategy

Thank-you Michael Legary Founder, Seccuris Inc. (204) 255-4490 [email_address] www.seccuris.com

Michael Legary

Founder, Seccuris Inc.

(204) 255-4490

[email_address]

www.seccuris.com