This document summarizes an expert panel discussion on implementing security information and event management (SIEM) best practices. The panelists from AccelOps and other security organizations discuss the top 10 SIEM best practices, including establishing monitoring and reporting requirements, determining infrastructure audit activations, identifying audit data requirements, and monitoring defenses, access controls, and applications. The panelists emphasize mapping requirements, scoping implementations based on organizational size, and determining operational processes to integrate SIEM practices effectively.
This document discusses how managed service providers (MSPs) can evolve their business models to offer more competitive managed security services. It notes that MSPs must move from being mere implementers and maintainers to true managed service providers that focus on retention through value articulation. The document recommends that MSPs support all infrastructure types, enable faster identification and prevention of threats through integrated monitoring and analytics, and leverage a single tool to capitalize on new opportunities in the information security market, which is growing at 24.9% annually for IT security outsourcing.
Cisco Advanced Malware Protection for Endpoints is a cloud-managed endpoint security solution that provides visibility, context and control to prevent, detect, contain and remediate advanced cyber threats. It uses continuous monitoring, global threat intelligence, retrospective security capabilities and advanced analysis to uncover hidden malware, understand the full scope of attacks, and automatically contain threats. AMP protects Windows, Mac, Linux and mobile devices from advanced malware in a cost-effective way without slowing systems down.
Top 10 SIEM Best Practices, SANS Ask the Expert (AccelOps)
This is the SANS Ask the Experts webinar "Putting the top 10 SIEM best practices to work", in which an expert panel discussed the major categories during the Sept. 2, 2010 webcast, sponsored and created by AccelOps (copyright) and moderated by Bill Sieglein of the CSO Breakfast Club.
This document outlines an information security management standard containing 114 controls organized under 14 groups. The standard provides guidance on security policies, asset management, access control, cryptography, physical security, operations security, systems development and maintenance, supplier relationships, communications security, incident management, business continuity, and compliance. It was authored by Jason P. Rusch and references ISO/IEC 27001 and 27002 for information security standards.
The document discusses software security testing. It covers defining a test strategy, integrating security into the software development lifecycle, performing threat modeling, and available tools for security testing. Regulatory compliance and training requirements are also addressed.
This document summarizes a presentation about Cisco Umbrella, a cloud-based security platform. The summary includes:
1) Cisco Umbrella protects organizations from internet threats by resolving domain names and inspecting web traffic before connections are made. It uses intelligence from billions of requests to identify malicious destinations and prevent both user and malware-initiated connections.
2) Cisco Umbrella provides visibility into all network activity, anywhere, and integrates with existing security tools. It can deploy protection to an entire global organization within minutes through DNS configuration.
3) The presentation cites case studies of customers seeing a 4-5 fold decrease in alerts, 70% reduction in virus tickets, and thousands saved in ransomware
Артем Зиненко. Vulnerability Assessment in ICS based on information from public... (Kaspersky)
Vulnerability assessment requires thoroughly analyzing vendor advisories, since many have incomplete details or incorrect exploitation conditions, or require deeper research. The presentation provides examples of vulnerabilities from GE Grid Solutions, Schneider Electric, Cisco, Rockwell Automation and Bosch where the initial CVSS scores and details were updated after further analysis. It also outlines Kaspersky's vulnerability assessment process of monitoring, research, and analysis to help improve ICS security.
So You Got That SIEM. NOW What Do You Do? by Dr. Anton Chuvakin (Anton Chuvakin)
So You Got That SIEM. Now What Do You Do? Anton Chuvakin, Principal, Security Warrior Consulting (@anton_chuvakin)
Many organizations that acquired Security Information and Event Management (SIEM) tools and even simpler log management tools have realized that they are not ready to use many of the advanced correlation features, despite promises that "they are easy to use" and "totally intuitive."
So, what should you do to achieve success with SIEM? What logs should you collect? Correlate? Review? How do you use log management as a step before SIEM? What process absolutely must be built before SIEM purchase becomes successful?
At this presentation, you will learn from the experience of those who did not have the benefit of learning from others' mistakes. Also, learn a few tips on how to "operationalize" that SIEM purchase you've made. And laugh at some hilarious stories of "SIEM FAIL" of course! As a bonus track, how to revive a FAILED SIEM deployment you inherited at your new job will be discussed.
Jason Christopher, Dragos Principal Cyber Risk Advisor, joins CyberWire for this podcast that discusses the evolution of ICS/OT ransomware, its impacts on the community, and cybersecurity best practices ICS/OT practitioners can implement to combat it. Listen to the full podcast here: https://dragos.com/resource/ransomware-in-an-industrial-world/
Here we report the current state of the ICS threat landscape, as presented at the IT&Automation 2018 conference in Böblingen.
To learn more about Kaspersky Lab's ICS CERT, visit https://kas.pr/e34v
This certificate awards 0.2 continuing education units to Shay Gallagher for completing a course titled "Avoiding OSHA's Top 10 Safety Violations" which was held at the 2015 Grainger Show in Orlando, Florida on February 16, 2015. The course instructor was Thomas Foss.
Past and Future of Integrity-Based Attacks in ICS Environments (Joe Slowik)
The document discusses several past and potential future ICS attacks:
- Stuxnet successfully disrupted Iranian nuclear centrifuges but had limited direct impact.
- CRASHOVERRIDE largely failed to impact the Ukrainian power grid as intended.
- TRISIS that targeted a safety instrumented system failed to cause damage.
Future attacks may seek to directly manipulate industrial processes, undermine electric utilities, or compromise safety systems to cause physical disruption or damage. Defenders need ICS-focused security strategies including process monitoring to detect and respond to these evolving threats.
This document provides an introduction to methodologies for evaluating the safety integrity level (SIL) of safety instrumented functions (SIF) through determining the probability of failure on demand (PFD) of the SIF. It describes the safety lifecycle model and how SIL evaluation fits in. The document focuses on performance-based approaches for SIL evaluation and provides examples of SIS architectures without promoting any single methodology. It evaluates the whole SIF from sensors to final elements. The user is cautioned to understand the assumptions and limitations of the methodologies described.
The role of an information security manager involves monitoring and controlling all aspects of enterprise computer security. Their responsibilities include assessing risks, minimizing threats, upgrading security systems, ensuring compliance with standards, testing security products and procedures, preparing for disasters and security breaches, documenting technical information, and reporting to users and managers. The information security manager is responsible for detecting and securing weak points in the system.
The document appears to be a presentation from Splunk on security topics. It includes sections on cyber security resilience, the data-centric modern SOC, application monitoring at scale, threat modeling, security monitoring journeys, self-service Splunk infrastructure, the top 3 CISO priorities of risk based alerting, use case development, a security content repository, security PVP (posture, vision, and planning) and maturity assessment, and concludes with an overview of how Splunk can provide end-to-end visibility across an organization.
The Capabilities Integration Environment (CIE):
- Provides a production-compliant environment for development, integration, and testing of information technology solutions and standardized DoD infrastructures.
- Offers an efficient solution for Air Force mission application testing and development needs, providing support from end-to-end through assigned teams.
- Emulates deployment environments like Air Force bases, DISA, and GCSS-AF using standardized desktops, servers, and network configurations to allow testing with production-like conditions and data.
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ... (John Gilligan)
The document discusses improving security in the IT supply chain by leveraging purchase power and standards. It describes how the Air Force created a standardized secure desktop configuration by working with NSA, NIST, and vendors. This reduced vulnerabilities by 80%, saved hundreds of millions, and improved performance. The concept was expanded through the Federal Desktop Core Configuration and security content automation protocols. The document argues for expanding these approaches to all software and using offense to inform defensive investments and standards.
IT-AAC and CISQ are the two leading authorities on how to manage risk in IT-intensive programs. Join us and some 220 colleagues on March 15th at the Reston Hyatt.
Cyber Resilience Summit Briefing March 15, 2016 (John Weiler)
Two leading public service institutes, IT-AAC and CISQ, will present how emerging standards around IT risk management have been adopted and proven to mitigate the most common vulnerabilities and weaknesses in IT-intensive programs.
Splunk for Enterprise Security featuring User Behavior Analytics (Splunk)
This session will review Splunk's two premium solutions. Splunk Enterprise Security (ES) is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You'll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and incident response teams.
BMC - Response to the SolarWinds Breach/Malware (Mike Rizzo)
BMC response to the SolarWinds Breach
A critical compromise of the SolarWinds Orion platform has created an immediate need to respond to the threat from a likely state-sponsored actor (Russia).
PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, a study of hard cases (PROIDEA)
A session on the experiences of a professional SOC (Security Operations Center) team, based on real-life examples. From the anatomy of attacks to recommendations on how to defend effectively.
Understanding Cyber Kill Chain and OODA loop (David Sweigert)
The document discusses using an attacker's tactics and techniques to design effective cybersecurity defenses. It provides examples of mapping security controls and tools to different stages of common attack models like the Lockheed Martin Kill Chain. This allows an organization to see where in the attack cycle they have visibility and can disrupt threats. The document advocates taking a strategic, intelligence-driven approach to cyber defense by understanding adversaries' full operations in order to implement controls earlier in the attack cycle.
A presentation for the Innovation in the Post-Heartbleed session at the 2014 Cyber Summit by Jason Maynard, Security Consulting Systems Engineer at Cisco.
Cisco Connect 2018 Thailand - Cisco ACI delivering intent for data center net... (NetworkCollaborators)
The document discusses delivering intent for data center networking using Cisco's Network Assurance Engine. It notes that the app is the new business, multicloud is the new data center, and the developer is the new customer. It then discusses Cisco's intent lifecycle, including automation, intent, assurance, analytics and more. It highlights some key Cisco products like ACI and Tetration and discusses how the Network Assurance Engine uses mathematical models and data collection to provide comprehensive, intelligent and continuous assurance of network intent.
We have evolved an IT system that is ubiquitous and pervasive and integrated into most aspects of our lives. Many of us are working on 4th and 5th level refinements in efficiency and functionality. But we stand on the shoulders of those who came before, and this restricts our freedom of action. The prior work has left us with an ecosystem which is the living embodiment of our state of the art. While we work on integration, refinement, broader application and efficiency, the results must move seamlessly into the ecosystem. Fundamental concepts are being researched in the lab and may rebuild the world we all live in; until that happens, we must work within the ecosystem.
This document discusses software development security domains. It covers governance and management topics like software project size risks, the Clinger-Cohen Act, and frameworks like COBIT and the Federal Enterprise Architecture. It also discusses system and software development life cycles based on standards like ISO/IEC 12207. Key life cycle stages, milestones, reviews and their relation to security activities are presented. The importance of governance and security engineering in reducing acquisition risks by addressing defects early is highlighted.
This document proposes an approach to creating cyber resiliency using emerging technologies and network architectures. It identifies key technologies like deep packet inspection, application performance management, and control plane architectures that can be leveraged to build more resilient networks. The document then illustrates an example architecture and proposes validating cyber resiliency solutions using academic network infrastructure to test solutions on real networks at scale.
How to Monitor Digital Dependencies Across Your Modern IT Stack (ThousandEyes)
The document discusses how to take a modern approach to IT operations. It recommends collecting data across infrastructure to identify problems, correlating and analyzing data to determine which alerts require immediate attention, and defining key performance indicators and workflows. This approach aims to enhance operations by integrating ThousandEyes into existing environments to facilitate data-driven conversations that minimize disruptions. A live demo was also provided.
Case Study: Datalink—Manage IT monitoring the MSP way (CA Technologies)
Increasing infrastructure complexity is causing IT operations teams to re-think their monitoring approach. In this presentation with Datalink, learn how to build and evolve a proactive IT monitoring strategy geared towards the modern, dynamic IT landscape. Learn how Datalink proactively manages IT environments of leading Fortune 500 companies by leveraging analytics, intelligent alarms, a unified architecture and advanced process automation to achieve operational efficiencies. You will also learn how to make monitoring look easy to your end users while delivering the flexibility required to monitor just about anything they throw at you.
For more information on DevOps solutions from CA Technologies, please visit: http://bit.ly/1wbjjqX
Seize the Cloud - Proven Tactics From a Successful Service Provider (CA Nimsoft)
Companies everywhere are feeling the pressures of today’s economic demands; and IT departments are being forced to find ways to do more with less. They are taking closer looks at infrastructure and processes—comparing them to business needs and budgets. Companies are looking for practical innovation to solve their problems and many companies are turning to CIBER. In this session listen to how CIBER leverages Nimsoft IT Management as a Service to help them elegantly provide IT management for their clients.
Visit www.nimsoft.com for more information.
Infrastructure Testing: The Ultimate “Shift Left” (TechWell)
Organizations worldwide are continually required to make significant investments in upgrading, re-engineering, and protecting their IT infrastructure. However, unlike application software development, many companies lack a structured quality assurance approach for infrastructure testing. Creating an infrastructure quality practice is an answer, but it's not without its challenges. However, if your company is interested in avoiding headline-grabbing outages, rooted in deployment problems with infrastructure—server, network, storage, middleware, telephony, hardware, IT security, cloud, virtual, and Data Center Ops—then come to this session. Carl Delmolino and Hitesh Patel explain how to identify and address infrastructure testing opportunities, how to build a diversely skilled infrastructure test team, and how to apply familiar SDLC testing process rigor to enterprise-level infrastructure change. When addressed effectively, infrastructure testing is risk mitigation at the far end of “left,” reduces organizational technical risk, and helps ensure higher system availability for employees and customers, alike.
Similar to Accel Ops Csobc Sans Webcast 090210.Ppt (20)
2. Roundtable Participants
Bill Sieglein
President, CSO Breakfast Club
Dr. Anton Chuvakin
Author/Blog @ Security Warrior
Tim Mather CISSP, CISM
I4, former Chief Security Strategist at RSA,
former CSO Symantec
Randolph Barr, CISSP
CSO Qualys, former CSO at WebEx Comm.
Jamie Sanbower, CISSP
Cyber Security Director @ Force3
Scott Gordon CISSP
Vice President, AccelOps
(c) 2010 AccelOps- Putting the Top 10 SIEM Best Practices To Work 09.02.10 2
3. Ask the Experts: What is a SIEM? (rhetorical)
A solution that aggregates, normalizes, filters, correlates and manages security and other operational event / log data to monitor, alert, report, analyze and manage security and compliance-relevant information.
Send us your questions…
CHAT to moderators
Tweet Top10SIEMbpract
Email siemtop10@accelops.net
4. Ask the Experts: Monitoring and Reporting Requirements
Establish key monitoring and reporting requirements prior to deployment, including objective, targets, compliance controls, implementation and workflow.
5. Ask the Experts: Infrastructure audit activations
Determine the scope of implementation, infrastructure audit targets, necessary credentials and verbosity, activation phases and activation.
6. Ask the Experts: Audit data requirements
Identify and assure adherence to audit data requirements including accessibility, integrity, retention, evidentiary requisites, disposal and storage considerations.
7. Ask the Experts: Access Controls
Monitor, respond to and report on key status, violations and anomalous access to critical resources.
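As an added illustration of the SIEM definition on slide 3 (aggregate, normalize, filter, correlate, alert) applied to the access-control monitoring practice on slide 7, the following Python script is not from the webcast or from AccelOps; the log lines, their two formats, the regexes and the failure threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the webcast) in two vendor formats:
# a syslog-style SSH daemon and a key=value firewall export.
RAW_EVENTS = [
    "2010-09-02T10:00:01 sshd: Failed password for admin from 203.0.113.7",
    "2010-09-02T10:00:02 sshd: Failed password for admin from 203.0.113.7",
    "2010-09-02T10:00:03 sshd: Failed password for admin from 203.0.113.7",
    "2010-09-02T10:00:09 sshd: Accepted password for admin from 203.0.113.7",
    "ts=2010-09-02T10:00:10 dev=fw1 action=deny src=198.51.100.9 dst=10.0.0.5",
    "2010-09-02T10:05:00 sshd: Failed password for bob from 192.0.2.20",
    "2010-09-02T10:06:00 sshd: Accepted password for bob from 192.0.2.20",
]
SSHD_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
KV_RE = re.compile(r"^ts=(\S+) dev=(\S+) action=(\S+) src=(\S+) dst=(\S+)$")

def normalize(line):
    """Map a vendor-specific line onto one common schema; None if unparsed."""
    if m := SSHD_RE.match(line):
        ts, outcome, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "category": "auth",
                "outcome": outcome.lower(), "user": user, "src": src}
    if m := KV_RE.match(line):
        ts, _dev, action, src, _dst = m.groups()
        return {"ts": datetime.fromisoformat(ts), "category": "firewall",
                "outcome": action, "user": None, "src": src}
    return None

def correlate(events, threshold=3, window=timedelta(minutes=1)):
    """Rule: >= threshold auth failures from one source, then a success within window."""
    failures = defaultdict(list)  # src -> timestamps of failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] != "auth":
            continue  # filter stage: only authentication events feed this rule
        if ev["outcome"] == "failed":
            failures[ev["src"]].append(ev["ts"])
        elif ev["outcome"] == "accepted":
            recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "auth_failures_then_success", "src": ev["src"],
                               "user": ev["user"], "failures": len(recent)})
            failures[ev["src"]].clear()
    return alerts

def run_pipeline(lines=RAW_EVENTS):
    """Aggregate -> normalize -> filter/correlate -> alert; returns the alert list."""
    return correlate([e for e in map(normalize, lines) if e is not None])
```

Calling run_pipeline() on the constructed events yields one alert for 203.0.113.7; bob's single failure never reaches the threshold and the firewall event is filtered out before the rule runs.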
8. Ask the Experts: Perimeter Defenses
Monitor, respond to and report on key status, configuration changes, violations/attacks and anomalous activity associated with perimeter defenses.
9. Ask the Experts: Network and host defenses
Monitor, respond to and report on key status, configuration changes, violations/attacks and anomalous activity associated with internal network and host defenses.
10. Ask the Experts: Network and system resource integrity
Monitor, respond to and report on key status, configuration changes, patches, vulnerabilities, threats and anomalous activity affecting network and system resources.
11. Ask the Experts: Malware Control
Monitor, respond to and report on key status, threats, issues, violations and activity supporting malware controls.
12. Ask the Experts: Access management and acceptable use
Monitor, respond to and report on key status, configuration changes, violations and anomalous activity affecting access management, user management and acceptable use of resources.
13. Ask the Experts: Application defenses
Monitor, respond to and report on key status, configuration changes, violations and anomalous activity with regard to web, database and other application defenses.
14. Webcast Sponsor:
Challenges:
Complex Threats and Environment
Monitoring, Search & Reporting Scope
Implementation and Scale Difficulty
Timely & Extensive Device Support
Awareness & Priority
Budget for Isolated Security Tools
Integrated Data Center Monitoring:
Single pane of glass – Intelligence at your fingertips
End-to-end visibility – service, performance, availability, security, change and compliance management
SOC/NOC convergence – extensive operational visibility
IT Service Efficiency – proactive monitoring, expedited root-cause analysis, flexible search/reporting
Value – easy to use, implement and scale with rich feature set
Virtual Appliance or SaaS – out of the box use and readily scale
15. Ask the Experts: In Conclusion
Map your requirements: output, audience, functional
Scope implementation: size, deployment, activation
Determine operating norms: what will you do with the information, incident workflow, escalation…
One size does not fit all: dovetail your infosec policy with the best practices that work best for your organization
For more detailed and on-going contribution to SIEM best practices visit: www.accelops.net/SIEMtop10.php
16. Ask the Experts:
For a more extensive, on-going set of Top 10 SIEM Best Practices visit: WWW.ACCELOPS.NET/SIEMtop10.php
Released under a Creative Commons 3.0 Attribution license: http://creativecommons.org/licenses/by/3.0/
Thanks to content contribution from: Scott Gordon CISSP, Dr. Anton Chuvakin, Tim Mather CISSP, CISM, Randolph Barr, CISSP, Jamie Sanbower, CISSP, Bill Sieglein CISSP
SANS.org in reference to: Top Cyber Security Risks, 20 Critical Security Controls
April Russo (number graphics)