
Deconstructing SIEM


What are SIEM platforms made of and why are frameworks so important?
Delivered at the Big Data Conference for Cybersecurity in 2017

Published in: Data & Analytics

  1. DECONSTRUCTING SIEM: What are SIEM platforms made of and why are frameworks so important? Harry McLaren, Senior Security Consultant at ECS
  2. HARRY MCLAREN • Alumnus of Edinburgh Napier • Senior Security Consultant at ECS • Splunk Consultant & Architect • SOC Build & Use Case Development
  3. Security Information & Event Management (SIEM): software products and services that combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by network hardware and applications. Source: Wikipedia & Gartner
  4. SIEM USE CASES • SECURITY & COMPLIANCE REPORTING • REAL-TIME MONITORING OF KNOWN THREATS • DETECTING UNKNOWN THREATS • INCIDENT INVESTIGATIONS & FORENSICS • FRAUD DETECTION • INSIDER THREAT
  5. SIEM EVOLUTION (timeline reconstructed from the slide's labels) • v1.0: Term Initially Coined in 2005 by Gartner; Initial Rule Sets & Event Queues • v1.5: Ticketing & Workflow Integrations; Environment Awareness & Correlation Searches • v2.0: Risk Based Analysis & “Intelligence”; Risk Management & Threat Data Intelligence • v3.0: “Next-Gen SIEM”; Machine Learning & Orchestration
  6. SO WHAT'S THE PROBLEM?
  7. SIEM COMPONENT PARTS • RULES: Correlation Searches, Thresholds & Grouping • CONTEXT: Organisational Awareness & Impact Assessment • FRAMEWORKS: Scalable Functionality & User Empowerment • INTEGRATION: Data Compatibility, Extensibility & Workflow Management
  8. (Diagram only) Source: Splunk Developer Portal
  9. NOTABLE EVENTS FRAMEWORK (Source: Splunk Developer Portal)
  10. ASSETS & IDENTITY FRAMEWORK (Source: Splunk Developer Portal)
  11. THREAT INTELLIGENCE FRAMEWORK (Source: Splunk Developer Portal)
  12. RISK ANALYSIS FRAMEWORK (Source: Splunk Developer Portal)
  13. ADAPTIVE RESPONSE FRAMEWORK (Source: Splunk Developer Portal)
  14. SUCCESSFUL SIEM • INTEGRATION: Maximize cross-silo visibility by on-boarding ALL data sources. Automate repetitive tasks and set up orchestration for the rest. • PREPARATION: Understand your project’s input and output requirements. Champion the project and identify project dependencies. • SUCCESS CRITERIA: Identify the problem(s) you’re trying to solve. Document the risks/threats this control mitigates or minimises. • EMBEDDING: Position the SIEM project as part of transformative change. Enable and engage SecOps to own and evolve the platform.
  15. SPLUNK USER GROUP - EDINBURGH • What: Splunking at Home (Homegrown Lab); Supporting Splunk at Scale; Overview of Splunk Enterprise Security • When: Tuesday, 27th of June, 5:30pm-8pm • Where: Edinburgh Napier University, 10 Colinton Road, Edinburgh, EH10 5DT • Register: https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html
  16. CONTACT • twitter.com/cyberharibu • harry.mclaren@ecs.co.uk • harrymclaren.co.uk
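The component parts from slide 7 (rules, context) and the Notable Events, Assets & Identity and Risk Analysis frameworks from slides 9, 10 and 12 can be shown working together in a small simulation. The Python below is an added example, not code from the deck or from Splunk: it assumes a constructed asset inventory, a constructed batch of authentication events, a failure threshold of 3 and a base risk score of 10, and produces notable events ranked by risk.

```python
from collections import defaultdict

# Constructed asset inventory standing in for the Assets & Identity framework:
# hostname -> criticality weight used for impact assessment (1 = low, 5 = critical).
ASSETS = {"db-prod-01": 5, "web-prod-02": 3, "lab-vm-07": 1}

# Constructed authentication events; a real SIEM would read these from its index.
EVENTS = [
    {"src": "10.0.0.5", "dest": "db-prod-01", "action": "failure"},
    {"src": "10.0.0.5", "dest": "db-prod-01", "action": "failure"},
    {"src": "10.0.0.5", "dest": "db-prod-01", "action": "failure"},
    {"src": "10.0.0.5", "dest": "db-prod-01", "action": "failure"},
    {"src": "10.0.0.9", "dest": "web-prod-02", "action": "failure"},
    {"src": "10.0.0.9", "dest": "web-prod-02", "action": "success"},
    {"src": "10.0.0.9", "dest": "lab-vm-07", "action": "failure"},
    {"src": "10.0.0.9", "dest": "lab-vm-07", "action": "failure"},
    {"src": "10.0.0.9", "dest": "lab-vm-07", "action": "failure"},
]

def correlate(events, threshold=3):
    """RULES: group failures by (src, dest) and keep pairs at or above the threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "failure":
            counts[(e["src"], e["dest"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}

def asset_criticality(dest, assets=ASSETS):
    """CONTEXT: look up the target host; hosts missing from inventory default to 1 (assumption)."""
    return assets.get(dest, 1)

def risk_score(count, criticality, base=10):
    """RISK ANALYSIS: per-rule base score scaled by asset criticality and hit count."""
    return base * criticality * count

def notable_events(events=EVENTS, assets=ASSETS, threshold=3):
    """NOTABLE EVENTS: turn rule hits plus context into triage-ready findings, highest risk first."""
    findings = []
    for (src, dest), n in correlate(events, threshold).items():
        crit = asset_criticality(dest, assets)
        findings.append({"src": src, "dest": dest, "count": n, "criticality": crit,
                         "risk": risk_score(n, crit), "urgency": "high" if crit >= 4 else "medium"})
    return sorted(findings, key=lambda f: f["risk"], reverse=True)

def risk_by_source(findings):
    """Risk-based view: total risk per source so repeated low-urgency hits still surface."""
    totals = defaultdict(int)
    for f in findings:
        totals[f["src"]] += f["risk"]
    return dict(totals)
```

Calling `notable_events()` on the constructed data yields two findings (the single failure against web-prod-02 stays below threshold), with the critical database host ranked first even though the lab host received the same kind of activity.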
