SIEM-plifying security monitoring: A different approach to security visibility

Despite investments in preventative security technology and teams, devastating data breaches continue to occur, and the threats we face only grow more advanced all the time. If even the largest companies are struggling to avoid breaches, how can teams with more limited security staff and budgets hope to avoid the same fate? Organizations need to invest more in detection and proactive threat intelligence. SIEM products have been widely deployed for this purpose; however, much of the technology remains unwieldy and difficult to use.
Join Dave Shackleford, founder of Voodoo Security and a Senior SANS Instructor, and Joe Schreiber, Solution Architect with AlienVault, for this session covering:
• Key security intelligence insights you need to defend against modern threats
• "Tales from the trenches": challenges getting the insights you need from SIEM
• Fundamentals for evaluating a security approach that will work for you, not against you
• How a unified approach to security visibility can help you get from install to insight more quickly

1. SIEM-plifying security monitoring: A different approach to security visibility

Dave Shackleford, Voodoo Security and SANS
Joe Schreiber, AlienVault
© 2014 The SANS™ Institute - www.sans.org
2. Introduction

• Many organizations are still experiencing data breaches
– Attackers are more advanced
– But…we’ve got preventive and detective controls, right?
• More proactive threat intelligence and time spent on internal detection capabilities will help
– But what do you need?
– How can you succeed with limited time and/or budget?
3. First…security intelligence

• Security/threat intelligence is all the rage these days…in theory
• Today, most organizations are gathering external threat intelligence from sources such as:
– The SANS Internet Storm Center
– Blog sites
– Commercial feeds
– ISACs and other public-private collaboration groups
4. External Threat Intel Data

• Intel about attacks and attackers may include:
– Source IPs/hostnames/domains
– Ports/services in use
– Source countries
– Attack types
– Packet traces
– Malware
– File names
• DNS entries that are or should be blacklisted
• Countries of origin with specific reputation criteria
• Types of events to look out for:
– Application attacks
– Ports and IP addresses
– Specific types of malware detected
• Vertical-specific likelihood
5. Internal sources of threat intel data

• Baseline security controls:
– Firewalls and router ACLs
– IDS/IPS
– Antivirus
– Proxies and load balancers
– Log management
• More advanced controls:
– SIEM
– Host IDS/whitelisting
– Malware sandboxing
• So why are we still getting hacked?!
6. Collaborative Threat Intelligence

• Diversity in threat intelligence limits attackers’ ability to isolate targets by industry, location, size, etc.
• The AlienVault Open Threat Exchange™ (OTX) is the world’s largest collaborative threat intelligence system
• AlienVault Labs validates threat data and contributes from their research
7. SIEM Challenges Abound

• Many SIEM users have had challenges getting needed insights
• Why? A vast variety of issues can lead us here:
– Difficulty deploying
– Lack of integration
– Challenging UI and usability
– No threat intelligence
– Difficult correlation rules
– Poor planning
9. Lessons Learned the Hard Way

• Situation: "Tribal" knowledge and a move to an MSSP
– Lesson learned: improve documentation and planning around internal data types and use cases
• Situation: “You are what you eat”
– Lesson learned: review your data sources before AND after your deployment
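The "you are what you eat" lesson is easy to turn into a scheduled check: compare the asset inventory (what should be feeding the SIEM) with what the collectors have actually received, so gaps show up both before go-live (sources that never reported) and after (sources that went quiet). The following is an added example, not code from the deck or from any SIEM product; the inventory, the collector's last-seen table, the host names and the timestamps are all constructed for illustration.

```python
"""Log-source coverage check for a SIEM deployment.

Added example, not from the SANS/AlienVault deck. The asset inventory,
the collector state and all timestamps below are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed asset inventory: host -> log types the SIEM is expected to
# receive from it (firewall, HIDS, OS and application logs).
INVENTORY = {
    "fw-edge-01": {"firewall"},
    "dc-01": {"windows-security"},
    "web-01": {"apache-access", "hids"},
    "db-01": {"hids"},
}

# Constructed collector state: (host, log type) -> time of the newest event.
LAST_SEEN = {
    ("fw-edge-01", "firewall"): datetime(2014, 6, 1, 12, 0),
    ("dc-01", "windows-security"): datetime(2014, 6, 1, 11, 58),
    ("web-01", "apache-access"): datetime(2014, 5, 31, 9, 0),  # quiet for a day
    ("web-01", "hids"): datetime(2014, 6, 1, 11, 50),
    ("legacy-app", "syslog"): datetime(2014, 6, 1, 11, 55),    # not inventoried
}


def coverage_report(inventory, last_seen, now, max_silence):
    """Compare expected log sources with observed ones.

    Returns (never_seen, silent, unknown):
      never_seen - inventoried (host, type) pairs with no events at all ("before")
      silent     - pairs that once reported but exceeded max_silence ("after")
      unknown    - pairs sending events that the inventory does not know about
    """
    expected = {(host, t) for host, types in inventory.items() for t in types}
    observed = set(last_seen)
    never_seen = sorted(expected - observed)
    silent = sorted(src for src in expected & observed
                    if now - last_seen[src] > max_silence)
    unknown = sorted(observed - expected)
    return never_seen, silent, unknown


def example_report():
    """Run the check on the constructed data with a one-hour silence threshold."""
    now = datetime(2014, 6, 1, 12, 0)
    return coverage_report(INVENTORY, LAST_SEEN, now, timedelta(hours=1))


if __name__ == "__main__":
    never_seen, silent, unknown = example_report()
    print("never seen:", never_seen)
    print("silent    :", silent)
    print("unknown   :", unknown)
```

The "unknown" list is as important as the other two: a host that sends logs but is missing from the inventory is an inventory defect, and any rule keyed on asset criticality will score it wrong.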
10. Getting More From a SIEM

• There are several important things organizations can do to improve SIEM success:
– Assess integration with data/tools
– Discuss outcomes/use cases
– Assess ease-of-use and implementation
– Look for threat intelligence integration, both external and internal
11. Fundamental SIEM Integration Points

• Asset discovery and inventory
• Vulnerability assessment
• Network packet/flow analysis (packet capture)
• Wireless intrusion detection (WIDS)
• Host-based intrusion detection (HIDS)
• Network-based intrusion detection (NIDS)
• File integrity monitoring
• Log management
12. Discuss Outcomes & Use Cases

• Every organization is different
– Business use cases
– Compliance/security priorities
– Existing gaps
• Build technical rule implementations of business use cases
– Identify & monitor privileged users
– Build behavior profiles
– Detect C&C channels more rapidly
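The three use cases on this slide, plus the external indicator types from slide 4 (source IPs, blacklisted domains), map onto three correlation rules. The following is an added example, not code from the deck or from any SIEM's rule language: the key=value log format, the indicator lists, the privileged-user profile and every event line are constructed for illustration. The point is the shape of each rule: an external-intel match is a set lookup, a behavior-profile rule compares an event against what is normal for that account, and C&C detection looks at timing across many events rather than at any single one.

```python
"""Three SIEM correlation rules built from the use cases on the slide above.

Added example, not from the SANS/AlienVault deck. Log format, indicators,
privileged-user profile and events are all constructed sample data.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed outbound-connection events (proxy/firewall style), key=value.
LOG_LINES = """\
2014-06-01T12:00:00 user=alice src=10.0.0.5 dst=203.0.113.9 host=cdn.example.net
2014-06-01T12:00:07 user=alice src=10.0.0.5 dst=198.51.100.7 host=bad.example.org
2014-06-01T12:01:00 user=bob src=10.0.0.8 dst=203.0.113.9 host=cdn.example.net
2014-06-01T12:05:07 user=alice src=10.0.0.5 dst=198.51.100.7 host=bad.example.org
2014-06-01T12:10:07 user=alice src=10.0.0.5 dst=198.51.100.7 host=bad.example.org
2014-06-01T12:15:07 user=alice src=10.0.0.5 dst=198.51.100.7 host=bad.example.org
2014-06-01T12:20:07 user=alice src=10.0.0.5 dst=198.51.100.7 host=bad.example.org
2014-06-01T12:22:00 user=dbadmin src=192.0.2.44 dst=10.0.0.20 host=db-01.corp.example
2014-06-01T12:23:00 user=dbadmin src=10.0.1.9 dst=10.0.0.20 host=db-01.corp.example
"""

# Constructed external threat intel: attacker IPs and blacklisted domains,
# the indicator types listed on the "External Threat Intel Data" slide.
IOC_IPS = {"198.51.100.7"}
IOC_DOMAINS = {"bad.example.org"}

# Constructed internal knowledge: privileged accounts and the source
# addresses they normally work from (the "behavior profile").
PRIVILEGED_USERS = {"dbadmin"}
ADMIN_SOURCES = {"10.0.1.9"}

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one 'TIMESTAMP k=v k=v ...' line into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(KV.findall(rest))
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return event


def rule_ioc_match(events):
    """Rule 1: external intel hit, destination IP or hostname on a blacklist."""
    return [e for e in events if e["dst"] in IOC_IPS or e["host"] in IOC_DOMAINS]


def rule_privileged_off_profile(events):
    """Rule 2: a privileged account active from outside its usual sources."""
    return [e for e in events
            if e["user"] in PRIVILEGED_USERS and e["src"] not in ADMIN_SOURCES]


def rule_beacon(events, min_hits=4, max_jitter=0.1):
    """Rule 3: C&C beaconing, one src->dst pair talking at near-constant
    intervals. Returns (src, dst, mean_interval_seconds) per suspect pair."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Low relative spread of the gaps = regular timer, not a human.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append((src, dst, mean))
    return hits


def run_rules(lines=LOG_LINES):
    """Parse the sample log and run all three rules; returns a summary dict."""
    events = [parse(l) for l in lines.splitlines() if l.strip()]
    return {
        "ioc_hits": [(e["user"], e["dst"], e["host"]) for e in rule_ioc_match(events)],
        "privileged_off_profile": [(e["user"], e["src"])
                                   for e in rule_privileged_off_profile(events)],
        "beacons": rule_beacon(events),
    }


if __name__ == "__main__":
    for name, result in run_rules().items():
        print(name, result)
```

Rule 3 is the one that repays the up-front planning the deck asks for: it needs the flow or proxy source to be reliably in the SIEM and time-synchronised, and the jitter threshold will need tuning against a baseline of legitimate schedulers (update checks, monitoring agents) before it is worth alerting on.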
13. Ease-of-use & Implementation

• Many SIEM solutions have been notoriously difficult to implement and use
• SIEM platforms should be:
– Relatively simple to install
– Intuitive for analysts using the GUI or other tools
– Easy to expand or upgrade
– Understandable without a PhD
14. Questions for SIEM Vendors

Hint: Print this out for the next time they call you…
• How long will it take to go from software installation to security insight? For reals.
• How many staff members or outside consultants will I need for the integration work?
• What can I do if I don’t have all of the external security technologies in place that can feed the SIEM (e.g. asset inventories, IDS, vulnerability scans, netflows, etc.)?
• What is the anticipated mix of licensing costs to consulting and implementation fees?
• Do your alerts provide step-by-step instructions for how to mitigate and respond to investigations?
15. Threat Intelligence: Questions to Ask

• What sources of threat intelligence are available?
• Are intelligence sources widely distributed, representing a range of organizations and technology?
• How is threat intelligence integrated with internal data sets?
• How can threat intelligence be shared securely?
16. Collaborative Threat Intelligence: AlienVault Open Threat Exchange™ (OTX)

Coordinated Analysis, Actionable Guidance
• 200-350,000 IPs validated daily
• 8,000 collection points
• 140 countries
Join OTX: www.alienvault.com/open-threat-exchange
17. A Unified Approach

AlienVault USM™, powered by AV Labs Threat Intelligence:

SECURITY INTELLIGENCE
• SIEM Event Correlation
• Incident Response

BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

THREAT DETECTION
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring

ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory

VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning
18. Conclusion

• Some organizations have traditionally been afraid of SIEM…
– But do they need to be?
• SIEM platforms *can* be implemented and managed without horror stories
• The key is planning up front, and asking key questions of potential vendors
• A unified approach will prove more successful with limited resources
19. Questions?

Q@SANS.ORG

Three Ways to Test Drive AlienVault USM
• Download a Free 30-Day Trial: http://www.alienvault.com/free-trial
• Try our Interactive Demo: http://www.alienvault.com/live-demo-site
• Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usm-live-demo

Thank You!