Advertisement
Check these out next
SIEM Alone is Not Enough
Dec. 29, 2011•0 likes•3,976 views
5 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Technology
Business
This presentation addresses: -True shortcomings of traditional SIEM solutions -Why security controls that are utilized in isolation are limited in providing useful indicators of data breaches -How an alternative approach to IT security that combines state data from multiple security controls provides more advanced incident detection, adds a layer of risk context, and provides more intelligent security for protecting your data
TripwireFollow
TripwireAdvertisement
Advertisement
Advertisement
Recommended
10 Steps to Better Security Incident DetectionTripwire
Adapt or Die: The Evolution of Endpoint SecurityTripwire
PCI Breach Scenarios and the Cyber Threat Landscape with Brian HonanTripwire
Stop Chasing the Version: Compliance with CIPv5 through CIPv99 Tripwire
A Pragmatic Approach to SIEM: Buy for Compliance, Use for SecurityTripwire
SIEM in NIST Cyber Security FrameworkBernie Leung, P.E., CISSP
SIEM Alone is Not Enough
- SIEM Alone is Not Enough
- SIEM Alone is Not Enough
- SIEM Alone is Not Enough Follow the conversation on Twitter using #siemWebcast
- Key Trends Being Attacked is a Statistical Certainty 4 #siemWebcast
- 3 Questions That Need Fast Answers – SIEM Answers Only 1 Did it take me out of my secure state? Am I out of compliance? Is my sensitive data safe? Where any of my critical systems affected? What was the impact? Security Triad What events occurred? What was the path of attack? When did this happen? What actually changed? Who made the change? What happened and when? 5 #siemWebcast How quickly can I fix it? How to prevent it from happening again? What will it take to roll it back? How do I fix it?
- A Better Approach: More Context Through Better Intelligence Security rules State and policy Less false positives and noise Leading indicators of risk System State Intelligence 6 #siemWebcast
- What is System State Intelligence Knowing… is Hashing, Size, Content, Attributes, Severities (Weight /Risk) was Versions, Forensics, Before and After Details should Policy Parameters, IT rules, Comparison to Reference Master 7 #siemWebcast Delivered by integrating… Change-triggered Configuration Management True File Integrity Monitoring Dynamic Change Assessment Security Event Context
- Configuration Management: typical approach When did failures begin: not sure What caused failures: not sure 8 #siemWebcast
- Configuration Management: Tripwire approach Know when failure begins: change triggers testing Know what caused failure: change & test results associated and maintained 9 #siemWebcast
- File Integrity Monitoring: typical approach Limited platforms Limited attributes Limited architecture 10 #siemWebcast
- File Integrity Monitoring: Tripwire approach 11 Broad coverage Extensive integrity information Efficient and fast Monitor the enterprise – large or small #siemWebcast
- Change Assessment: typical approach Shows what changed not what to investigate Pass an audit, miss the catastrophe…..for weeks or months 12 #siemWebcast
- Change Assessment: Tripwire approach Analyze change dynamically …to multiple criteria Know what to investigate Intelligence as change happens 13 #siemWebcast
- SIEM Event Deluge Lack of Context Windows event log cleared Login successful FTP Enabled 10 failed logins Host not generating events Most breaches detected by 3rd party Weeks or months after-the-fact SIEM alone is not enough 14 #siemWebcast >> What else was going on? >> Was compliance level lowered?
- Security Event Context : Tripwire approach Correlate Changes of Interest to SIEM Events Provide leading indicators of risk Add context to reduce false-positives and noise 15 #siemWebcast
- System State Intelligence Event Data Change & Config. Data Events of interest File changes from baseline High-risk security incident Configuration changes Anomaly detection Leading indicators of threat Event/change info correlation Access to critical systems Privileged user activity 16 #siemWebcast Known & trusted deviation Context Context and granularity Current pass v. fail # and % Score improvements / declines Granular change details
- Automation Reduce massive volume of data • Correlate suspicious changes & events Distill intelligent information • Apply context to situation Respond immediately • Get info into the right hands • Make risk-based decision 17 #siemWebcast
- Additional Assets http://bit.ly/velc3n http://bit.ly/tgXtz6 18 #siemWebcast
- THANK YOU! www.tripwire.com Cindy Valladares Ed Rarick 19 #siemWebcast
- The Tripwire Difference Content 20 #siemWebcast Context Analytics Workflow
- The Tripwire Solution 21 #siemWebcast
Editor's Notes
- Use under detective or investigate and correctOnce you know you’ve been breached, you want to know what changed, what happened, am I still in the reliable state. Bridge between detective and corrective. Set up to the corrective piece. Correction flows from Time is your enemy – need to manage in weeks and hours, not months or years. Need to know your answer to these questionsNeed to have things in place that need to be corrective
- Moving these slide up – and combining it with secure configuration.Also with audit logging (set it up earlier with 87% of the DBIR)Do these with automationAnd add correlation and intelligent-- One point is a point, two is a line, three is a trends
- Event Integration Framework benefits:Aggregate change data based on criticalityCan integrate a single criticality level into a single log messageEIF reports “who” made the changeReports on patterns of compliance (change reduces compliance level of a box then report it – not just in or out of a compliant state)
- Things you witness (TLC)Things not expected (TE)
- Part of detection, combine with log data stats. All the data is there, but you can’t do it manually. Detective controls need to be automated.
- Tripwire VIA delivers an integrated IT security framework to proactively and continuously protect critical data and infrastructure. The VIA platform offers components that build on your integrated controls to:Provide proprietary security and policy content to protect against the most common attacks.Let you manage monitored assets more intuitively and in business context.Let you use data from the various controls for analytics and reporting in Tripwire and third party tools.Combine security controls through automated workflows that address key IT security needs.The Tripwire VIA platform:Provides you with business-aligned leading indicators of riskCombines protective security controls that harden systems against compromise and detective security controls that continuously monitor systems for threats, risks and non-compliance. Integrates data from both protective and detective controls that adds a layer of contextual intelligence to detect incident that may cause undesired risk to the organization.Continuously monitors for system integrity, unauthorized changes, security vulnerabilities and incidents and non-compliance across the virtual, physical and cloud infrastructure to ensure security defenses are maintainedEnsures organizations that their critical security controls provide continuous protection, mitigate the risks of cyber threats and delivers business context across assets, business services, policies, data types and risks.ContentIntegrated content for security hardening and continuous monitoring to protect your critical data and mitigate risks. Leading enterprise organizations rely on this content to automatically identify and fix weaknesses in their cyber defenses and detect when someone has tampered with systems.ContextThe Tripwire VIA platform is designed to turn the massive amounts of data your critical security controls produce into information you can use to protect your data and infrastructure. It also lets you add business context to your monitored assets. Tripwire VIA identifies and alerts on suspicious and unexpected events and places them in context of your assets, business services and risk profiles.AnalyticsEasily use data from controls in dashboards and a variety of analysis and reporting tools, add it to data marts, and correlate data from multiple controls to identify security threats, trends and status.WorkflowThe Tripwire VIA platform delivers built-in workflows so you can quickly implement and integrate your critical security controls in ways that turn the data they provide into information that helps you improve security.
Advertisement