
Security Meetup Scotland - August 2017 (Deconstructing SIEM)


There are many misconceptions about what a SIEM is and why it should still be the heart of an operational capability for security controls and monitoring. This talk outlines what makes a powerful SIEM and why building one yourself is increasingly challenging. We'll explore the frameworks at the heart of a SIEM and how Splunk has developed Enterprise Security with these in mind, finishing with some general lessons learned from SIEM implementation projects.

Published in: Data & Analytics


  1. DECONSTRUCTING SIEM: What are SIEM platforms made of and why are frameworks so important? Harry McLaren – Senior Security Consultant at ECS
  2. WHO AM I? HARRY MCLAREN • Alumnus of Edinburgh Napier • Charity Trustee at Positive Realities • Senior Security Consultant at ECS • Splunk Consultant & Architect • SOC Build & Use Case Development
  3. Security Information & Event Management (SIEM): Software products and services that combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by network hardware and applications. Source: Wikipedia & Gartner
  4. SIEM USE CASES • Security & Compliance Reporting • Real-Time Monitoring of Known Threats • Detecting Unknown Threats • Incident Investigations & Forensics • Fraud Detection • Insider Threat
  5. SIEM EVOLUTION • v1.0 – Term initially coined in 2005 by Gartner: Initial Rule Sets & Event Queues • v1.5 – Ticketing & Workflow Integrations: Environment Awareness & Correlation Searches • v2.0 – Risk-Based Analysis & “Intelligence”: Risk Management & Threat Data Intelligence • v3.0 – “Next-Gen SIEM”: Machine Learning & Orchestration
  6. SO WHAT'S THE PROBLEM?
  7. SIEM COMPONENT PARTS • RULES: Correlation Searches, Thresholds & Grouping • CONTEXT: Organisational Awareness & Impact Assessment • FRAMEWORKS: Scalable Functionality & User Empowerment • INTEGRATION: Data Compatibility, Extensibility & Workflow Management
  8. [Diagram] Source: Splunk Developer Portal
  9. NOTABLE EVENTS FRAMEWORK [Diagram] Source: Splunk Developer Portal
  10. ASSETS & IDENTITY FRAMEWORK [Diagram] Source: Splunk Developer Portal
  11. THREAT INTELLIGENCE FRAMEWORK [Diagram] Source: Splunk Developer Portal
  12. RISK ANALYSIS FRAMEWORK [Diagram] Source: Splunk Developer Portal
  13. ADAPTIVE RESPONSE FRAMEWORK [Diagram] Source: Splunk Developer Portal
  14. SUCCESSFUL SIEM • A. SUCCESS CRITERIA: Identify the problem(s) you’re trying to solve. Document the risks/threats this control mitigates or minimises. • B. PREPARATION: Understand your project’s input and output requirements. Champion the project and identify project dependencies. • C. INTEGRATION: Maximize cross-silo visibility by on-boarding ALL data sources. Automate repetitive tasks and set up orchestration for the rest. • D. EMBEDDING: Position the SIEM project as part of transformative change. Enable and engage SecOps to own and evolve the platform.
  15. SPLUNK USER GROUP - EDINBURGH • When: August 22, 2017 5:30 PM • Where: Edinburgh Napier University, 10 Colinton Road, Edinburgh, EH10 5DT • Register: https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html
  16. CONTACT twitter.com/cyberharibu harry.mclaren@ecs.co.uk harrymclaren.co.uk
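Slides 7 and 12 name the component parts in the abstract: a rule (correlation search with a threshold and grouping) fires, then context (asset priority, identity category) turns the hit into a risk score. The following is an added illustration, not code from the talk or from Splunk Enterprise Security; the log lines, asset and identity tables, and weights are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication events (not from the talk).
EVENTS = [
    "2017-08-22T17:31:02 host=web01 user=alice action=failure src=10.0.0.5",
    "2017-08-22T17:31:09 host=web01 user=alice action=failure src=10.0.0.5",
    "2017-08-22T17:31:15 host=web01 user=alice action=failure src=10.0.0.5",
    "2017-08-22T17:32:40 host=dc01 user=svc_backup action=failure src=10.0.0.9",
    "2017-08-22T17:32:44 host=dc01 user=svc_backup action=failure src=10.0.0.9",
    "2017-08-22T17:32:51 host=dc01 user=svc_backup action=failure src=10.0.0.9",
    "2017-08-22T17:32:58 host=dc01 user=svc_backup action=failure src=10.0.0.9",
    "2017-08-22T17:33:10 host=web01 user=bob action=failure src=10.0.0.7",
]

# Context: assumed asset and identity lookups (the "organisational awareness" layer).
ASSETS = {"web01": {"priority": "low"}, "dc01": {"priority": "critical"}}
IDENTITIES = {"alice": {"category": "user"}, "svc_backup": {"category": "privileged"}}
PRIORITY_WEIGHT = {"low": 1, "medium": 2, "high": 4, "critical": 8}

def parse(line):
    """Split a 'key=value' log line into a dict of fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def correlate(events, threshold=3):
    """Rule: group failures by (user, host); keep groups reaching the threshold."""
    groups = defaultdict(list)
    for fields in map(parse, events):
        if fields.get("action") == "failure":
            groups[(fields["user"], fields["host"])].append(fields)
    return {key: hits for key, hits in groups.items() if len(hits) >= threshold}

def risk_score(user, host, base=20):
    """Scale a base score by asset priority and identity category."""
    priority = ASSETS.get(host, {}).get("priority", "medium")
    score = base * PRIORITY_WEIGHT[priority]
    if IDENTITIES.get(user, {}).get("category") == "privileged":
        score *= 2  # privileged identities carry more impact
    return score

def notable_events(events, threshold=3):
    """Emit one notable event per correlated group, with its risk score attached."""
    return [
        {"user": user, "host": host, "count": len(hits), "risk": risk_score(user, host)}
        for (user, host), hits in correlate(events, threshold).items()
    ]

if __name__ == "__main__":
    for event in sorted(notable_events(EVENTS), key=lambda e: -e["risk"]):
        print(event)
```

With the constructed data, the same rule produces a low-risk notable for alice on web01 and a much higher one for the privileged service account on the domain controller, which is the point of keeping rules and context separate.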
