MISTI Infosec 2010- SIEM Implementation

Talk that I gave in 2010 for the MIS Training Institute in Orlando. Two areas that garnered the most questions from the crowd were how to establish effective business objectives prior to implementing the SIEM in order to effectively manage expectations and of course vendor selection criteria. I could probably do a whole other talk on selecting a SIEM vendor.


Presentation Transcript

    • C9
    • Implementing Security Information and Event Management
    • Wednesday, April 21, 2010
    • 11:30 AM - 1:00 PM
    • Michael Nickle, CISSP
    • [email_address]
  • Key Points
    • Development of baseline business and technical requirements
    • Value of SIEM in managing compliance and risk mitigation
    • Walkthrough of a successful implementation
    • Post implementation issues
    • Vendor Selection Criteria
  • Terminology
    • Aggregation
      • To gather together as a whole
      • Singular repository for data
    • Normalization
      • To create consistent records
      • By type and format (syslog, application, Windows log)
    • Reporting
      • Interpreting data to create information over time
      • Mapped against goals to drive decisions
  • Terminology
    • Correlation
      • Determining relationships between data points
      • If a and b are not null, then c
    • Visualization
      • Translate events and data into pictures
      • Ex: Changing a device’s color on a map
      • Creating hyperbolic trees to show traffic
  • Terminology
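The three terms above (aggregation, normalization, correlation) are easiest to see working together on a few records. The following Python is an added example for this page, not code from the talk or any SIEM product: it normalizes a constructed BSD syslog sshd line, a constructed pipe-delimited Windows security export and a constructed JSON application record into one common schema, aggregates them into a single time-ordered repository, and applies the "if a and b then c" pattern as a rule that fires when repeated logon failures for a user/source pair are followed by a success within a window. The record formats, field names and the 10-minute window are assumptions of the example.

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample records (not data from the talk): (source type, raw record as received).
SAMPLE_RECORDS = [
    ("syslog", "Apr 21 11:31:02 gw1 sshd[2201]: Failed password for admin from 10.0.0.5 port 51022 ssh2"),
    ("syslog", "Apr 21 11:31:09 gw1 sshd[2201]: Failed password for admin from 10.0.0.5 port 51023 ssh2"),
    ("syslog", "Apr 21 11:31:15 gw1 sshd[2205]: Accepted password for admin from 10.0.0.5 port 51024 ssh2"),
    ("windows", "2010-04-21T11:40:00|4625|WS07|jdoe|10.0.0.9|An account failed to log on"),
    ("windows", "2010-04-21T11:52:30|4624|WS07|jdoe|10.0.0.9|An account was successfully logged on"),
    ("app", '{"ts": "2010-04-21T11:45:00", "host": "app1", "user": "svc_batch", "src": "10.0.0.20", "result": "ok"}'),
]


@dataclass(frozen=True)
class Event:
    """Common schema every source is normalized into (assumed for this example)."""
    ts: datetime
    source_type: str
    host: str
    user: str
    src_ip: str
    outcome: str  # "success" or "failure"


SYSLOG_SSHD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<verdict>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def normalize(source_type: str, raw: str, year: int = 2010) -> Optional[Event]:
    """Map one raw record onto the Event schema; return None when it cannot be parsed."""
    if source_type == "syslog":
        m = SYSLOG_SSHD.match(raw)
        if not m:
            return None
        # BSD syslog timestamps carry no year, so the collector must supply one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        outcome = "success" if m["verdict"] == "Accepted" else "failure"
        return Event(ts, "syslog", m["host"], m["user"], m["ip"], outcome)
    if source_type == "windows":
        # Assumed export layout: time|EventID|host|user|source IP|message
        try:
            ts, event_id, host, user, src_ip, _msg = raw.split("|", 5)
        except ValueError:
            return None
        outcome = {"4624": "success", "4625": "failure"}.get(event_id)
        if outcome is None:
            return None  # not a logon event; outside this rule's scope
        return Event(datetime.fromisoformat(ts), "windows", host, user, src_ip, outcome)
    if source_type == "app":
        try:
            d = json.loads(raw)
            outcome = "success" if d["result"] == "ok" else "failure"
            return Event(datetime.fromisoformat(d["ts"]), "app", d["host"], d["user"], d["src"], outcome)
        except (ValueError, KeyError):
            return None
    return None


def aggregate(records) -> List[Event]:
    """Aggregation: one repository of normalized events, ordered by time."""
    events = [e for e in (normalize(t, r) for t, r in records) if e is not None]
    return sorted(events, key=lambda e: e.ts)


def correlate(events: List[Event], min_failures: int = 2,
              window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Correlation: if >= min_failures failures (a) are followed by a success (b) for the
    same user and source IP within `window`, emit a finding (c)."""
    findings = []
    by_key = defaultdict(list)
    for e in events:
        by_key[(e.user, e.src_ip)].append(e)
    for (user, src_ip), seq in by_key.items():
        recent_failures: List[datetime] = []
        for e in seq:
            if e.outcome == "failure":
                recent_failures.append(e.ts)
                continue
            recent_failures = [t for t in recent_failures if e.ts - t <= window]
            if len(recent_failures) >= min_failures:
                findings.append({"rule": "failures-then-success", "user": user, "src_ip": src_ip,
                                 "host": e.host, "failures": len(recent_failures), "at": e.ts.isoformat()})
            recent_failures = []  # a success closes the sequence either way
    return findings


if __name__ == "__main__":
    for finding in correlate(aggregate(SAMPLE_RECORDS)):
        print(finding)
```

Only the sshd sequence fires: two failures and a success for admin from 10.0.0.5 inside 13 seconds. The Windows pair for jdoe has a single failure, so it does not meet the threshold, and the application record is a lone success. Normalization is where most real projects spend their time: each new feed needs its own parser, and a record that does not fit the schema is dropped silently here, which is exactly the kind of gap the "understanding the feed" points later in the deck are about.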
  • Looking at Business Requirements
  • Development of Baseline Requirements: Business
    • What is the problem that you are addressing?
      • This is the primary driver for procurement
      • Technical objectives should follow statement of problem
    • Set realistic requirements
      • Overly ambitious goals ultimately lead to a perceived failure
      • The point is to enable business activity
      • Create phases in the project plan to establish success and build
  • Development of Baseline Requirements: Business
    • Common business drivers:
      • Risk management
      • Service Continuity
      • IT Alignment
      • Regulatory compliance
    • The more clarity that exists as to the driver, the better the procurement
  • Development of Baseline Requirements: Business
    • Regulatory Compliance-
      • What standards affect the organization?
        • Internal Policies
        • ISO
        • Regulations
          • SOX, HIPAA, GLBA, FISMA
        • Partner agreements
      • Dynamics may affect vendor selection
  • Development of Baseline Requirements: Business
    • Regulatory Compliance-
      • What is the organization required to supply by law?
        • Audit Compliance
          • Governmental (SOX, FISMA, GLBA)
          • Industry regulation (FINRA, PCI)
        • Who is responsible for compliance?
        • Does non-compliance lead to fines? Sanctions?
      • Why it Matters
        • Business continuation
        • Passing audit
        • Reporting requirements
  • Development of Baseline Requirements: Business
    • Regulatory Compliance-
      • Multiple standards may apply to a single organization
        • PCI-DSS requires log management and collection
        • SOX 404 requires privileged user reporting
        • HIPAA requires audit trail on systems that ‘process’ PHI
  • Looking at Technical Requirements
  • Development of Baseline Requirements: Technical
    • Expected event rate
    • Incident response
    • Extensibility of solution
    • Integration with other applications
  • Development of Baseline Requirements: Technical
    • Expected event rate
      • Understand the average and peak event rates for your organization
      • Study event sources closely
        • Growth in the business versus event rates
          • Peak
          • Average
        • Is a source producing redundant events?
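Average and peak event rates, and the question of whether a source is producing redundant events, can be measured from a sample of collected events before a licence or database is sized. The Python below is an added example for this page, not code from the talk: it builds one constructed minute of traffic from three sources (a firewall with a short burst, an antivirus heartbeat that arrives twice because two forwarders relay the same record, and occasional Windows logons), then computes per-source and overall average EPS, peak EPS over one-second buckets, and the fraction of events that exactly duplicate one already seen in the same second. Source names, message formats and the 25% redundancy threshold are assumptions of the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[datetime, str, str]  # (timestamp, source, message)


def build_sample() -> List[Event]:
    """Constructed minute of traffic (not data from the talk):
    - firewall: 5 events/s, with a 20 events/s burst during seconds 30-32
    - antivirus: one heartbeat per second, relayed by two forwarders (duplicate feed)
    - windows: one logon event every 10 s
    """
    base = datetime(2010, 4, 21, 11, 30, 0)
    events: List[Event] = []
    for s in range(60):
        t = base + timedelta(seconds=s)
        rate = 20 if 30 <= s < 33 else 5
        for i in range(rate):
            events.append((t, "firewall", f"DENY tcp 203.0.113.{i} -> 192.0.2.10:443"))
        for _ in range(2):  # identical record arriving from two forwarders
            events.append((t, "antivirus", "agent heartbeat OK"))
        if s % 10 == 0:
            events.append((t, "windows", f"4624 logon succeeded for user{s}"))
    return events


def eps_profile(events: List[Event]) -> Dict[str, Dict[str, float]]:
    """Per-source average EPS, peak EPS (busiest one-second bucket) and the fraction of
    events that exactly duplicate one already seen in the same second.
    The key '_all' holds the same figures across all sources."""
    if not events:
        return {}
    per_second: Dict[str, Counter] = defaultdict(Counter)
    totals: Counter = Counter()
    dupes: Counter = Counter()
    seen = set()
    for ts, source, msg in events:
        sec = ts.replace(microsecond=0)
        for key in (source, "_all"):
            per_second[key][sec] += 1
            totals[key] += 1
        if (sec, source, msg) in seen:
            dupes[source] += 1
            dupes["_all"] += 1
        seen.add((sec, source, msg))
    first = min(ts for ts, _, _ in events).replace(microsecond=0)
    last = max(ts for ts, _, _ in events).replace(microsecond=0)
    span = int((last - first).total_seconds()) + 1  # seconds observed, inclusive
    profile: Dict[str, Dict[str, float]] = {}
    for key, buckets in per_second.items():
        profile[key] = {
            "events": totals[key],
            "average_eps": totals[key] / span,
            "peak_eps": max(buckets.values()),
            "redundant_fraction": dupes[key] / totals[key],
        }
    return profile


def redundant_sources(profile: Dict[str, Dict[str, float]], threshold: float = 0.25) -> List[str]:
    """Sources to investigate before sizing the SIEM on their volume (threshold is an assumption)."""
    return sorted(s for s, p in profile.items() if s != "_all" and p["redundant_fraction"] > threshold)


if __name__ == "__main__":
    profile = eps_profile(build_sample())
    for source, figures in sorted(profile.items()):
        print(source, figures)
    print("redundant:", redundant_sources(profile))
```

The firewall's average of 5.75 EPS hides a peak of 20 EPS; sizing on the average alone would drop events during the burst, which is the point behind separating peak and average in the slide. The antivirus feed shows half of its events as exact duplicates, so removing the second forwarder halves that source's contribution to the licence count without losing information. Peak windows in real data are longer than one second, so a production measurement would also report the busiest minute or hour.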
  • Development of Baseline Requirements: Technical
    • Incident response
      • Is the SIEM for incident response?
      • Automation
        • Notification
        • Workflow
        • Triggering
      • Workflow will need to be adapted
  • Development of Baseline Requirements: Technical
    • Extensibility of solution
      • What is the projected final state?
        • Departmental
        • Division
        • Enterprise-wide
        • Critical assets only
  • Development of Baseline Requirements: Technical
    • Extensibility of solution
      • What are the data retention requirements?
        • Driven by regulations typically
        • Reporting and investigation
        • DBMS adequacy
        • Online, near-line, archive
  • Development of Baseline Requirements: Technical
    • Extensibility of solution
      • How dispersed will the solution be?
        • Hierarchical versus distributed
        • Data latency is unavoidable
        • Char-set issues in normalization
        • Political versus technical issues
  • Development of Baseline Requirements: Technical
    • Integration with other applications
      • Implementing data feeds
        • No single solution supports everything out of the box
        • Understanding the feed is key to usable information
        • Agent/Agentless
  • Development of Baseline Requirements: Technical
    • Workflow Management
      • Change Management
      • Ticketing within SIEM
      • Approval Processes
      • ERP
      • Identity Provisioning lifecycle
    • Sticking points
      • Manual processes
      • Compatibility- e.g. XML, proprietary
      • SIEM has to integrate with existing
  • Development of Baseline Requirements: Technical
    • Integration with other applications
      • Workflow integration
        • Will the SIEM generate tickets? Where?
        • How does the SIEM fit into the network management strategy?
        • Is provisioning lifecycle a factor?
  • Looking at Value of SIEM
  • Value of SIEM- Risk Management
    • Real Corporate Network
      • Events flowed into SIEM
      • Protection of data integrity was driver
      • Correlate events to actions
      • Integration with Vulnerability Management
      • More than 10,000 assets as data sources
    • Event volume by source:
      • UNIX SysLogs: 65,000 events*
      • Windows Event Log: 1,036,800 events*
      • IDS and Access Logs: 1,100,000 events*
      • Firewall: 787,000 events*
      • Antivirus: 12,000 events*
    • From events to action:
      • Events: 3 Million
      • Correlated Events: 15,000
      • Distinctive Security Issues: 24
      • Incidents Requiring Action: 8
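The funnel on this slide (millions of events, thousands of correlated events, a couple of dozen distinct issues, a handful of incidents) is produced by enriching events with context the SIEM gets from other systems, here the vulnerability-management integration. The following Python is an added example for this page, not code from the talk: it takes a constructed batch of IDS alerts, drops those whose signature is informational, whose destination is not in the asset inventory, or whose destination is not actually exposed to the vulnerability the signature targets, collapses the remainder into distinct (host, vulnerability) issues, and keeps as incidents only the issues on assets tagged critical. Host names, signature names and the VULN-A/VULN-B identifiers are placeholders invented for the example, not real advisory ids.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Alert:
    src_ip: str
    dst_host: str
    signature: str


# Constructed inventory as fed from vulnerability management (not data from the talk).
ASSETS: Dict[str, dict] = {
    "db01":  {"critical": True,  "vulns": {"VULN-A"}},
    "web01": {"critical": False, "vulns": {"VULN-A", "VULN-B"}},
    "ws07":  {"critical": False, "vulns": set()},
}

# IDS signature -> placeholder vulnerability it targets; None marks informational signatures.
SIGNATURE_VULN: Dict[str, Optional[str]] = {
    "SIG-1001": "VULN-A",
    "SIG-1002": "VULN-B",
    "SIG-2000": None,
}

# Constructed IDS alert batch.
ALERTS: List[Alert] = (
    [Alert("198.51.100.7", "db01", "SIG-1001")] * 10          # vulnerable, critical host
    + [Alert("198.51.100.7", "ws07", "SIG-1001")] * 5         # same signature, host not exposed
    + [Alert("198.51.100.9", "web01", "SIG-1002")] * 3        # vulnerable, non-critical host
    + [Alert("198.51.100.9", "web01", "SIG-1001")] * 2        # vulnerable, non-critical host
    + [Alert("198.51.100.7", "db01", "SIG-2000")] * 4         # informational noise
    + [Alert("198.51.100.9", "unknown-host", "SIG-1002")]     # destination not in inventory
)


def funnel(alerts: List[Alert], assets: Dict[str, dict],
           signature_vuln: Dict[str, Optional[str]]) -> dict:
    """Reduce raw alerts to correlated events, distinct issues and incidents requiring action."""
    correlated = []
    for a in alerts:
        vuln = signature_vuln.get(a.signature)
        asset = assets.get(a.dst_host)
        if vuln is None or asset is None:
            continue  # informational signature, or target unknown to the inventory
        if vuln not in asset["vulns"]:
            continue  # target is not exposed to this vulnerability: suppress
        correlated.append((a.dst_host, vuln))
    issues = Counter(correlated)  # distinct (host, vulnerability) pairs with hit counts
    incidents = {pair: n for pair, n in issues.items() if assets[pair[0]]["critical"]}
    return {
        "events": len(alerts),
        "correlated": len(correlated),
        "issues": len(issues),
        "incidents": len(incidents),
        "incident_list": sorted(incidents.items()),
    }


if __name__ == "__main__":
    result = funnel(ALERTS, ASSETS, SIGNATURE_VULN)
    for stage in ("events", "correlated", "issues", "incidents"):
        print(f"{stage:>11}: {result[stage]}")
    print("incidents:", result["incident_list"])
```

Twenty-five alerts become fifteen correlated events, three distinct issues and one incident (the exploit attempts against the vulnerable critical database host). The quality of the inventory decides the quality of the funnel: a stale vulnerability feed suppresses real attacks, and an incomplete asset list discards alerts against hosts nobody registered, which is why the slide lists the number of assets as data sources alongside the event counts.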
  • Value of SIEM- Compliance Management
    • Public Pharmacy Benefit Company
      • SOX 404 requires privileged user reporting
        • Report aggregates events and links log data to identity management platform
      • PCI-DSS requires log management and collection
        • PCI hosts need to be within solution scope
      • HIPAA requires audit trail on systems that ‘process’ PHI
        • User data
        • Process data
  • Looking at Successful SIEM Implementation
  • SIEM Success Walkthrough
    • XYZ Corp. decided to acquire a SIEM
    • Business Drivers:
    • Reporting as the key driver
      • Tired of compiling custom reports
      • Multi-platform insight non-existent
      • Auditors using staff time
    • Situational awareness is secondary driver
      • Large percentage of Enterprise Value lies in digital assets
  • SIEM Success Walkthrough
    • Technical Requirements:
    • Events per second
      • Average EPS in boundary ~ 10,000
      • Peak EPS ~ 25,000
      • Peak limited to end of quarter reporting period
    • Incident response not a driver
      • Control remediation took precedence
      • Strong desire to integrate custom policy
    • Multiple departments
      • All on same MPLS cloud
  • SIEM Success Walkthrough
    • Technical Requirements:
    • Data retention
      • SOX relevant- 1 quarter + 7 years
      • Patented asset- 16 years (filing + 10 years)
      • Trade secrets- indefinite
    • Integration- Data feed
      • Windows server
      • CA Identity Manager
      • AIX 4.2.1- 6.1
      • Oracle DBMS
      • Hyperion
  • SIEM Success Walkthrough
    • Technical Requirements:
    • Integration- Application
      • ServiceDesk for ticket generation
      • Not integrated into NMS
      • Strong desire to integrate with external reporting
  • SIEM Success Walkthrough
    • Implementation Project:
    • Project initiated with steering committee
      • Platform owners
      • Application owners
      • Security
      • Audit
    • 3 phases to Project
      • Base installation (hardware, DB, software)
      • SOX implementation
      • Asset implementation
  • SIEM Success Walkthrough
    • Project Outcome:
    • Business objectives met
      • Auditors now have reports through browser
      • High degree of confidence in protection of key assets
    • Technical objectives largely met
      • Hyperion integration breaks with new releases
      • Technical controls have improved
      • Ticketing is functional
      • External reporting not implemented (cost)
  • Looking at Post Implementation Issues
  • Post Implementation Issues
    • Issue #1 Cost:
      • Support costs can exceed acquisition over 5 year lifecycle
      • Database cost can greatly exceed cost of SIEM software
      • Training cost
  • Post Implementation Issues
    • Issue #2 Complexity:
      • Ensure that project is well documented
      • Have technical resources review custom integration code
        • Understand the code
        • Ensure it is well commented
      • Diffusion of knowledge within organization
  • Post Implementation Issues
    • Issue #3 Ownership:
      • Unlike AV or firewall, SIEM doesn’t “fit” into a tidy security box
      • Multiple stakeholders can muddle ownership
      • Who is accountable for the SIEM and related data?
        • Complex hierarchies
        • Departments, partners, auditors
  • Looking at Vendor Selection
  • Vendor Selection Criteria
    • Business Drivers
    • Technical requirements
    • Current technology mix
      • Can your staff not manage a particular product?
    • Architecture
      • Hierarchical
      • Distributed
    • Interface & Usability
    • Reporting
  • Vendor Selection Criteria
    • Vendor Feature Showdown
      • All of the products have an impressive list of features
      • Is a specific feature beneficial to your organization?
      • Difference between out of the box functionality and product capabilities
  • Vendor Selection Criteria
    • Identity Management
      • How well does the product integrate with your IdM infrastructure?
      • Security consequence of a changed password on a host?
      • Difference between out of the box functionality and product capabilities
    • Network Management Integration
      • Most security groups are not 24/7
      • NOC/SIEM data flow
      • Is there a workflow to coordinate escalation and response
  • Summary
    • Business objectives need to drive the acquisition
    • Understand your organization’s needs prior to meeting with a vendor
    • ‘Boil the ocean’ implementations lead to disappointment
    • Tight integration with identity infrastructure eases the WHO question
    • TCO costs need to be considered closely
    • Thanks for listening!