SIX STEPS TO SIEM SUCCESS
Jim Hansen
Sr. Director, Product Management
Learn the 6 practical steps every IT admin should take to ensure SIEM success in your environment. The promise of SIEM is clearly an essential one–better security visibility. Aggregate, correlate, and analyze all of the security-relevant information in your environment so that you can:
• Identify exposures
• Investigate incidents
• Manage compliance
• Measure your information security program
Unfortunately, going from installation to insight with a SIEM is a challenge. Join us for this 45-minute session to learn tricks for getting the most out of your SIEM solution in the shortest amount of time.

1. SIX STEPS TO SIEM SUCCESS
   Jim Hansen, Sr. Director, Product Management
2. Step 1: Avoid single-purpose SIEM tools.
3. LOOK FOR BUILT-IN ESSENTIAL SECURITY CONTROLS.
   At a minimum, the SIEM should include this core set of functionality:
   - Asset discovery and inventory
   - Vulnerability assessment
   - Network analysis / netflow (packet capture)
   - Wireless intrusion detection (WIDS)
   - Host-based intrusion detection (HIDS)
   - Network-based intrusion detection (NIDS)
   - File integrity monitoring
   - Log management
4. BENEFITS OF BUILT-IN SECURITY CONTROLS IN SIEM
   - Accelerated time to value: go from install to insight QUICKLY.
   - Reduced cost and complexity: at deployment time, focus on integrating the infrastructure event data only; over the long term, manage everything through the same console, with better workflow, etc.
   - More coordinated detection for accurate alarms: built-in event correlation rules, and known sources mean more accurate correlation.
5. Step 2: Know what use cases you'll need FIRST.
6. WHAT ARE YOUR SIEM USE CASES?
   - Figure this out BEFORE you evaluate or invest.
   - Use cases define your scope and your priorities (e.g. pass a PCI audit vs. detect malware infections).
   - Differences between business and technology use cases: business use cases (fewer) translate to technology use cases (many more).
7. TRANSLATING BUSINESS USE CASES INTO TECHNOLOGY
   Privileged user monitoring requires knowing:
   - Who your privileged users are (users).
   - What constitutes privileged activity (commands): logins (rlogin / ssh); user permission changes (e.g. sudo or LDAP).
   - Where you care to focus (devices): critical servers, applications, network devices, and network traffic (action sequences). Endpoints...? Whose?
   (The slide's diagram links each of these to the logs the SIEM needs to collect.)
8. EVENT CORRELATION STEPS
   What we really want to know... Who is abusing privileged access?
   1. Identify the goal for each rule (and use case): to detect unauthorized user access activity, including privilege escalation.
   2. Determine the conditions for the alert: privilege escalation with no corresponding change request.
   3. Select the relevant data sources: Active Directory, user management system, change control system.
   4. Test the rule.
   5. Determine response strategies, and document them.
9. Step 3: Imagine all the worst case scenarios for YOUR business.
10. GLOBAL VS. LOCAL BAD SCENARIOS
   - Global bad scenarios: botnets, malware, C&C traffic, rootkits, trojans, etc.
   - Local bad scenarios: unique to your business and priorities. Only YOU and your management team can answer this. Examples:
     - Outbound FTP connections to a former business partner's network AFTER you've canceled the contract.
     - Service availability "hiccups" during peak operational windows.
11. PLAN FOR THE WORST, EXPECT THE BEST
   - Plan for each of those "worst case" scenarios.
   - Ask yourself: How would we know when these happen?
     - Types of events, and their sequences.
     - Devices in scope: let's get those data sources added FIRST. The first step is finding them (automated asset discovery is a must).
   - How do we respond when we discover them?
     - Develop standard operational procedures, and train staff.
     - The SIEM should have built-in documentation for standard operational procedures: customized guidance attached to each alert, and details on assets, their owners, contact info, etc.
12. Step 4: Include built-in threat intelligence as a MUST-HAVE.
13. OPERATIONALIZED THREAT INTELLIGENCE
   - Threat intelligence should provide info on:
     - WHO the bad actors are
     - WHAT to focus on
     - HOW to respond when threats are detected
     - WHERE these threats are in your environment
   - Threat intelligence should also provide instructions on what to do when X happens to Y, and be easily and rapidly consumable, as part of your SOP.
14. ALIENVAULT LABS THREAT INTELLIGENCE: COMPLETE COVERAGE TO STAY AHEAD OF THE THREAT
   - Network and host-based IDS signatures: detect the latest threats in your environment.
   - Asset discovery signatures: identify the latest OSes, applications, and device types.
   - Vulnerability assessment signatures: dual database coverage to find the latest vulnerabilities on all your systems.
   - Correlation rules: translate raw events into actionable remediation tasks.
   - Reporting modules: provide new ways of viewing data about your environment.
   - Dynamic incident response templates: deliver customized guidance on how to respond to each alert.
   - Newly supported data source plug-ins: expand your monitoring footprint.
15. Step 5: Use IP reputation data to prioritize alarms & monitor your own reputation.
16. DISRUPT THE INCIDENT RESPONSE CYCLE
   A traditional cycle:
   1. Prevent: prevents known threats.
   2. Detect: detects new threats in the environment.
   3. Respond: respond to the threats as they happen.
   This isolated closed loop offers no opportunity to learn from what others have experienced... no advance notice.
17. THE POWER OF THE "CROWD" FOR THREAT DETECTION
   - Cyber criminals are using (and reusing) the same exploits against others (and you).
   - Sharing (and receiving) collaborative threat intelligence makes us all more secure.
   - Using this data, identify, flag and block known attackers by source IP address.
   - Organizations can't build this "neighborhood watch" infrastructure on their own... that's where AlienVault comes in...
18-22. TRADITIONAL RESPONSE (diagram, built up over five slides)
   Organizations shown: First Street Credit Union, Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom, Marginal Food Products.
   Sequence: Attack hits First Street Credit Union, which Detects and then Responds on its own; the other organizations are not involved.
23. OTX ENABLES PREVENTATIVE RESPONSE through an automated, real-time threat exchange framework.
24-25. A REAL-TIME THREAT EXCHANGE FRAMEWORK (diagram, two slides)
   - Puts preventative response measures in place through shared experience.
   - Protects others in the network with the preventative response measures.
   Sequence: Attack hits First Street Credit Union; the detection is shared via Open Threat Exchange with Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom and Marginal Food Products.
26. GLOBAL THREAT DETECTION FOR LOCAL RESPONSE
27. Step 6: Automate your SIEM deployment.
28. DATA INTEGRATION WITH A SINGLE-PURPOSE SIEM (cycle diagram)
   1. Evaluate & purchase 3rd party security detection tools
   2. Implement & configure these tools
   3. Integrate data and event feeds into SIEM
   4. Manage security detection tools on separate consoles
   5. Identify & integrate additional data sources; repeat 3-4
29. DATA INTEGRATION WITH ALIENVAULT USM (the same five-step cycle as slide 28, annotated)
   Annotations on the cycle:
   - Built-in asset discovery, vuln assessment, threat detection, behavioral monitoring, and more...
   - Reduced licensing costs
   - Automated via Auto-Deploy Dashboard
   - Simpler security management, faster remediation
30. DEPLOYMENT DASHBOARD
   - Identify potential data sources to integrate
   - Set up vulnerability assessment and asset inventory scans
   - Implement suggestions to improve visibility
31. TOP 6 STEPS TO SIEM SUCCESS
   1. Avoid single-purpose SIEM tools. (Reduce integration complexities: look for built-in security detection sources.)
   2. Know what use cases you'll need FIRST. (This will dictate what data sources to prioritize.)
   3. Imagine all the worst case scenarios for your business. (This will inform your incident response strategy.)
   4. Include built-in threat intelligence as a must-have requirement. (Threats move way too quickly not to operationalize your defenses.)
   5. Use IP reputation data to prioritize alarms & monitor your own rep. (Identify exposures, both inside and outside your network.)
   6. Automate your deployment. (Yes, hard to believe, but this *is* possible.)
32. QUESTIONS FOR SIEM VENDORS
   HINT: PRINT THIS OUT FOR THE NEXT TIME THEY CALL YOU....
   - How long will it take to go from software installation to security insight? For reals.
   - How many staff members or outside consultants will I need for the integration work?
   - What can I do if I don't have all of the external security technologies in place that can feed the SIEM (e.g. asset inventories, IDS, vulnerability scans, netflows, etc.)?
   - What is the anticipated mix of licensing costs to consulting and implementation fees?
   - Do your alerts provide step-by-step instructions for how to mitigate and respond to investigations?
   - Is IP reputation data included in the threat intelligence content?
33. NOW FOR SOME Q&A...
   Three Ways to Test Drive AlienVault:
   - Download a Free 30-Day Trial: http://www.alienvault.com/free-trial
   - Try our Interactive Demo Site: http://www.alienvault.com/live-demo-site
   - Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usmlive-demo
   Questions? hello@alienvault.com
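A worked example for slides 7 and 8 above (privileged user monitoring and the correlation rule "privilege escalation with no corresponding change request"), added here as illustration; it is not code from the deck or from AlienVault's product. The event and ticket records are constructed sample data, and the field names, `PRIVILEGE_ACTIONS`, `find_change_request` and `correlate` are my own assumptions about how a SIEM would normalise these sources.

```python
from datetime import datetime

# Constructed sample events (not from the slides): privilege changes as a SIEM
# might normalise them from Active Directory and sudo logs (slide 7's "commands").
EVENTS = [
    {"ts": "2013-11-01T09:05:00", "user": "alice",   "action": "group_add",
     "detail": "Domain Admins", "source": "AD"},
    {"ts": "2013-11-01T13:40:00", "user": "bob",     "action": "sudoers_change",
     "detail": "ALL=(ALL) NOPASSWD: ALL", "source": "sudo"},
    {"ts": "2013-11-02T02:15:00", "user": "mallory", "action": "group_add",
     "detail": "Domain Admins", "source": "AD"},
    {"ts": "2013-11-02T08:00:00", "user": "alice",   "action": "login",
     "detail": "ssh from 10.0.0.9", "source": "sshd"},
]

# Constructed approved tickets from the change control system (slide 8, step 3).
CHANGE_REQUESTS = [
    {"id": "CHG-1001", "user": "alice", "from": "2013-11-01T08:00:00", "to": "2013-11-01T12:00:00"},
    {"id": "CHG-1002", "user": "bob",   "from": "2013-11-01T13:00:00", "to": "2013-11-01T17:00:00"},
]

# Actions that count as privilege escalation for this rule; ordinary logins do not.
PRIVILEGE_ACTIONS = {"group_add", "sudoers_change", "role_grant"}

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def find_change_request(event, change_requests):
    """Return the approved change whose window covers this user's event, else None."""
    when = _parse(event["ts"])
    for cr in change_requests:
        if cr["user"] == event["user"] and _parse(cr["from"]) <= when <= _parse(cr["to"]):
            return cr
    return None

def correlate(events, change_requests):
    """Slide 8, step 2: alert on privilege escalation with no corresponding change request."""
    alerts = []
    for ev in events:
        if ev["action"] not in PRIVILEGE_ACTIONS:
            continue                      # not an escalation, nothing to correlate
        if find_change_request(ev, change_requests) is None:
            alerts.append({
                "user": ev["user"], "ts": ev["ts"],
                "reason": f"{ev['action']} ({ev['detail']}) from {ev['source']} with no approved change",
                # Slide 8, step 5: the documented response travels with the alert.
                "response": "Confirm with the user's manager; revert the change if unapproved; open an incident.",
            })
    return alerts
```

Running `correlate(EVENTS, CHANGE_REQUESTS)` flags only mallory's group addition: alice's and bob's changes fall inside an approved ticket window and the plain ssh login is not an escalation.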
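A worked example for Step 5 (slides 15 to 17 above): using IP reputation data to re-prioritise alarms and to check whether your own addresses appear on the lists. It is added here for illustration and is not code from the deck or from OTX; the reputation feed, alarms and "own" addresses are constructed sample data, and `lookup_reputation`, `prioritize` and `own_reputation_hits` are my own assumed functions.

```python
import ipaddress

# Constructed IP reputation feed (not real OTX data): indicator -> (category, confidence 0-100).
REPUTATION = {
    "198.51.100.7":   ("C&C", 90),
    "203.0.113.0/24": ("Scanning Host", 60),
    "192.0.2.77":     ("Spamming", 40),
}

# Constructed alarms as the SIEM raised them, with their native severity (1 low .. 5 high).
ALARMS = [
    {"id": 1, "src": "198.51.100.7", "dst": "10.0.0.5",  "sig": "Outbound HTTP beacon", "severity": 2},
    {"id": 2, "src": "203.0.113.42", "dst": "10.0.0.22", "sig": "SSH brute force",      "severity": 3},
    {"id": 3, "src": "10.0.0.9",     "dst": "10.0.0.5",  "sig": "Failed login",         "severity": 4},
]

# Our own public addresses (constructed), to check whether we appear on the lists ourselves.
OWN_PUBLIC_IPS = ["192.0.2.10", "192.0.2.77"]

def lookup_reputation(ip, feed=REPUTATION):
    """Match an address against exact-IP or CIDR entries; returns (category, confidence) or None."""
    addr = ipaddress.ip_address(ip)
    for indicator, info in feed.items():
        if "/" in indicator:
            if addr in ipaddress.ip_network(indicator, strict=False):
                return info
        elif addr == ipaddress.ip_address(indicator):
            return info
    return None

def prioritize(alarms, feed=REPUTATION):
    """Boost alarms whose src or dst has a reputation hit, weighted by confidence; highest score first."""
    scored = []
    for alarm in alarms:
        score = alarm["severity"] * 10
        hit = lookup_reputation(alarm["src"], feed) or lookup_reputation(alarm["dst"], feed)
        if hit:
            category, confidence = hit
            score += confidence
            alarm = dict(alarm, reputation=category)   # annotate so the analyst sees why it moved up
        scored.append((score, alarm))
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored

def own_reputation_hits(own_ips, feed=REPUTATION):
    """Monitor your own reputation: our public IPs that appear on the feed (a possibly compromised host)."""
    return {ip: lookup_reputation(ip, feed) for ip in own_ips if lookup_reputation(ip, feed)}
```

With the sample data the lowest-severity alarm (a beacon to a listed C&C address) moves to the top of the queue, ahead of the internal failed login that had the highest native severity, and one of our own addresses shows up on the feed.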