Expect More From Your SIEM

950 views

Published on

Unlike security cameras, going from installation to insight with a traditional SIEM is far from straightforward. During this session, we’ll cover a few common problems with SIEM technologies, and how you can avoid those pitfalls with AlienVault Unified Security Management. You’ll walk away with a new perspective on an old problem – reducing the cost of security visibility.

Published in: Technology
  • Be the first to comment

Expect More From Your SIEM

  1. 1. Expect More From Your SIEMSandy Hawke, CISSPVP, Product Marketing@sandybeachSF
  2. 2. Top 5 Problems with SIEM1. SIEM is too complex.2. SIEM takes too long to deploy.3. SIEM is too expensive.4. SIEMs are too noisy.5. SIEMs aren’t typically “cloud-friendly.”
  3. 3. SIEM is too complex.
  4. 4. Necessary data sources for meaningfulSIEMNetwork flow / network analysisAsset discovery and inventoryVulnerability assessmentLog managementWireless intrusion detection (WIDS)Host-based intrusion detection (HIDS)Network-based intrusion detection (NIDS)File Integrity Monitoring+all of the network, system, and application-specific eventsSecurity-specific data sources:
  5. 5. Necessary steps to integrate data into the SIEM1. Evaluate, select, and purchasethird party security tools (e.g.IDS, vulnerability scanners, etc.).2. Implement and configure theseproducts.3. Fine-tune and integrate thesefeeds into the SIEM.4. Manage and administer themeach with a different consolethan the SIEM.
  6. 6. SIEM takes too long to deploy.
  7. 7. Bringing disparate tools together takes time
  8. 8. SIEM is too expensive.
  9. 9. “Feeding” the SIEM *is* costly.
  10. 10. SIEMs are too noisy.
  11. 11. When everything requires your attention, nothingwill get it…Adding more haystacks doesn’thelp you find more needles.SIEMs should alert you whenyou need to do something about anevent.And… they should tell you what to do,how to do it, and why it’s important.
  12. 12. SIEMs aren’t typically cloud-friendly.
  13. 13. Your SIEM should see your clouds too.Threats can follow you to the cloud, your security visibility tool should too.
  14. 14. Unified Security ManagementSaves time, money, and resources
  15. 15. Piece it alltogetherLook for strangeactivity which couldindicate a threatStart lookingfor threatsIdentify ways thetarget could becompromisedHow dowe secureourcompany?Figure out whatis valuable
  16. 16. Piece it alltogetherLook for strangeactivity which couldindicate a threatStart lookingfor threatsIdentify ways thetarget could becompromisedHow dowe secureourcompany?AssetDiscoveryAsset Discovery• Active Network Scanning• Passive Network Scanning• Asset Inventory• Host-based Software Inventory
  17. 17. Piece it alltogetherLook for strangeactivity which couldindicate a threatStart lookingfor threatsHow dowe secureourcompany?AssetDiscoveryVulnerabilityAssessmentAsset Discovery• Active Network Scanning• Passive Network Scanning• Asset Inventory• Host-based Software InventoryVulnerability Assessment• Network Vulnerability Testing
  18. 18. Piece it alltogetherLook for strangeactivity which couldindicate a threatHow dowe secureourcompany?AssetDiscoveryVulnerabilityAssessmentAsset Discovery• Active Network Scanning• Passive Network Scanning• Asset Inventory• Host-based Software InventoryVulnerability Assessment• Network Vulnerability TestingThreat Detection• Network IDS• Host IDS• Wireless IDS• File Integrity MonitoringThreatDetection
  19. 19. Piece it alltogetherHow dowe secureourcompany?AssetDiscoveryVulnerabilityAssessmentAsset Discovery• Active Network Scanning• Passive Network Scanning• Asset Inventory• Host-based Software InventoryVulnerability Assessment• Network Vulnerability TestingThreat Detection• Network IDS• Host IDS• Wireless IDS• File Integrity MonitoringThreatDetectionBehavioral Monitoring• Log Collection• Netflow Analysis• Service Availability MonitoringBehavioralMonitoring
  20. 20. How dowe secureourcompany?AssetDiscoveryVulnerabilityAssessmentAsset Discovery• Active Network Scanning• Passive Network Scanning• Asset Inventory• Host-based Software InventoryVulnerability Assessment• Network Vulnerability TestingThreat Detection• Network IDS• Host IDS• Wireless IDS• File Integrity MonitoringThreatDetectionBehavioral Monitoring• Log Collection• Netflow Analysis• Service Availability MonitoringBehavioralMonitoringSecurity Intelligence• SIEM Correlation• Incident ResponseSecurityIntelligence
  21. 21. AssetDiscoveryVulnerabilityAssessmentAsset Discovery• Active Network Scanning• Passive Network Scanning• Asset Inventory• Host-based Software InventoryVulnerability Assessment• Network Vulnerability TestingThreat Detection• Network IDS• Host IDS• Wireless IDS• File Integrity MonitoringThreatDetectionBehavioral Monitoring• Log Collection• Netflow Analysis• Service Availability MonitoringBehavioralMonitoringSecurity Intelligence• SIEM Correlation• Incident ResponseSecurityIntelligenceUnifiedSecurityManagement
  22. 22. Building security in saves money and time …
  23. 23. Auto-DeployReduces the burden of integrating data sourcesIdentify potential data sources with integrated asset discoveryProvides suggestions for improving visibilityWhere is the monitoring deficient? What can be done to improveit?
  24. 24. Unified Security Reduces TCO, AcceleratesVisibility
  25. 25. Dynamic Incident Response TemplatesDMZ_Sensor has detected a possible SQL Injection [reference] attack against the host 10.49.100.131,originating from 198.228.217.190The goal of a SQL Injection attack is to obtain access directly to the database behind a webapplication, by passing data to the application that is unintentionally interpreted as SQL commands bythe database itself.1. Contain BreachDestination IP 100.49.100.131 is the Corporate DMZ network segment• Contact owner of 10.49.100.131: Joe Namath• Cross-reference events from other hosts located in 10.49.100.131 network(Corporate_DMZ) for other suspicious activity.• Alerts in Corporate MZ• Analyze Netflow2. Identify AttackerSource IP 198.228.217.190 is not in your local network• Identify the organization that owns 198.228.217.190 – determine if it is a privateorganization or available to third parties hosting provider, etc).• WHOIS 198.228.217.190
  26. 26. Unified Security Management & Visibility:In the cloud and “on the ground”
  27. 27. Securing the Cloud vs. Cloud-delivered SecurityFollowing clients to the cloud vs. setting up yet another cloud…
  28. 28. Questions for SIEM VendorsHow long will it take to go from software installation tosecurity insight? For reals.How many staff members or outside consultants will I needfor the integration work?What can I do if I don’t have all of the external securitytechnologies in place that can feed the SIEM (e.g. assetinventories, IDS, vulnerability scans, netflows, etc.)?What is the anticipated mix of licensing costs to consultingand implementation fees?Do your alerts and alarms provide step-by-step instructionsfor how to mitigate and respond to investigations?PRINT THIS OUT FOR THE NEXT TIME THEY CALL YOU….
  29. 29. Expect More From Your SIEMIt should go where you do.Cloud, hybrid cloud, mobile apps, etc.It should tell you what to do.More than alerts, directional guidance onactions to take.It shouldn’t require more work.Built-in security controls so that integrationdoesn’t take forever.“Smart” deployments: remove the“guesswork”
  30. 30. Next Steps / Q&ARequest an AlienVault USM demo at:www.alienvault.com/schedule-demo.htmlRequest a free trial of AlienVault USM:http://www.alienvault.com/free-trialNot quite ready for all that? Test drive our opensource project - OSSIM here:communities.alienvault.com/Need more info to get started? Try our knowledgebase here:alienvault.bloomfire.comThese resources are also in the Attachments sectionJoin theconversation!@alienvault#AlienIntel30

×