AlienVault, profile picture
Uploaded byAlienVault
6,078 views

Six Steps to SIEM Success

This document outlines six steps to ensure SIEM success: 1) Avoid single-purpose SIEM tools and look for built-in security controls, 2) Know your use cases before evaluating tools, 3) Imagine worst case scenarios for your business, 4) Include built-in threat intelligence, 5) Use IP reputation data to prioritize alarms, and 6) Automate deployment. It emphasizes the importance of integrated security tools to reduce costs and complexity, and knowing business needs and threats to properly focus the SIEM.

Embed presentation

SIX STEPS TO SIEM SUCCESS Jim Hansen Sr. Director, Product Management
Step 1: Avoid single-purpose Avoid single-purpose SIEM tools. SIEM tools. 2
LOOK FOR BUILT-IN ESSENTIAL SECURITY CONTROLS. At a minimum, the SIEM should include this core set of functionality: Asset discovery and inventory Vulnerability assessment Network analysis / netflow (packet capture) Wireless intrusion detection (WIDS) Host-based intrusion detection (HIDS) Network-based intrusion detection (NIDS) File Integrity Monitoring Log management VS.
BENEFITS OF BUILT-IN SECURITY CONTROLS IN SIEM   Accelerated time to value - Reduce cost and complexity -  Go from install to insight QUICKLY At deployment time: Focus on integrating the infrastructure event data only Over the long term: Manage all through the same console, better workflow, etc. More coordinated detection for accurate alarms - Built-in event correlation rules Known sources mean more accurate correlation
Step 2: Know what use cases Know what use you need FIRST. cases you’ll need FIRST. 5
WHAT ARE YOUR SIEM USE CASES?    Figure this out BEFORE you evaluate or invest Use cases define your scope and your priorities (e.g. Pass a PCI audit vs. Detect malware infections) Differences between a business & technology use cases - Business use cases (fewer) translate to: - Technology use cases (many more)
TRANSLATING BUSINESS USE CASES INTO TECHNOLOGY Privileged user monitoring requires knowing: Logs  Who your privileged users are (users)  What constitutes privileged activity (commands) - Logins = rlogins / ssh User permission changes (e.g. sudo or LDAP) - Critical servers, applications, network devices, and network traffic (action sequences) Endpoints…? Whose?  Where you care to focus (devices) -
EVENT CORRELATION STEPS What we really want to know… Who is abusing privileged access? 1. Identify the goal for each rule (and use case). To detect unauthorized access user activity – including privilege escalation 2. Determine the conditions for the alert. Privilege escalation with no corresponding change request 3. Select the relevant data sources. Active directory, user management system, change control system 4. Test the rule. 5. Determine response strategies, and document them.
Step 3: What are the worst case Imagine all the worstscenarios for your business? case scenarios for YOUR business.
GLOBAL VS. LOCAL BAD SCENARIOS    Global bad scenarios - Botnets, malware, C&C traffic, rootkits, trojans, etc. Local bad scenarios - Unique to your business and priorities Only YOU and your mgmt team can answer this Example: - Outbound FTP connections to a former business partner’s network AFTER you’ve canceled the contract. - Service availability “hiccups” during peak operational windows.
PLAN FOR THE WORST, EXPECT THE BEST    Plan for each of those “worst case” scenarios Ask yourself: How would we know when these happen? - Types of events, and their sequences Devices in scope - Let’s get those data sources added FIRST; First step is finding them (automated asset discovery is a must) How do we respond when we discover them? - Develop standard operational procedures, and train staff - SIEM should have built-in documentation for standard operational procedures  Customized guidance that’s attached to each alert  Details on assets, their owners, contact info, etc.
Step 4: Include built-in threat intelligence as a MUST-HAVE.
OPERATIONALIZED THREAT INTELLIGENCE  Threat intelligence should provide info on: - WHO the bad actors are WHAT to focus on HOW to respond when threats are detected WHERE these threats are in your environment  Threat intelligence should also… - Provide instructions on what to do when X happens to Y And… be easily and rapidly consumable – part of your SOP
ALIENVAULT LABS THREAT INTELLIGENCE:        COMPLETE COVERAGE TO STAY AHEAD OF THE THREAT Network and host-based IDS signatures – detects the latest threats in your environment Asset discovery signatures – identifies the latest OS’es, applications, and device types Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems Correlation rules – translates raw events into actionable remediation tasks Reporting modules – provides new ways of viewing data about your environment Dynamic incident response templates – delivers customized guidance on how to respond to each alert Newly supported data source plug-ins – expands your monitoring footprint
Step 5: Use IP reputation data to prioritize alarms & monitor your own reputation. 15
DISRUPT THE INCIDENT RESPONSE CYCLE A traditional cycle … 1. 2. Prevent Detect Respond 3. Prevents known threats. Detects new threats in the environment. Respond to the threats – as they happen. This isolated closed loop offers no opportunity to learn from what others have experienced ….no advance notice
THE POWER OF THE “CROWD” FOR THREAT DETECTION     Cyber criminals are using (and reusing) the same exploits against others (and you). Sharing (and receiving) collaborative threat intelligence makes us all more secure. Using this data, identify, flag and block known attackers by source IP addresses. Organizations can’t build this “neighborhood watch” infrastructure on their own… that’s where AlienVault comes in…
TRADITIONAL RESPONSE First Street Credit Union Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Marginal Food Products
TRADITIONAL RESPONSE Attack First Street Credit Union Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Marginal Food Products
TRADITIONAL RESPONSE Attack First Street Credit Union Detect Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Marginal Food Products
TRADITIONAL RESPONSE Attack First Street Credit Union Respond Detect Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Marginal Food Products
TRADITIONAL RESPONSE Attack First Street Credit Union Respond Detect Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Marginal Food Products
OTX ENABLES PREVENTATIVE RESPONSE Through an automated, real-time, threat exchange framework
A REAL-TIME THREAT EXCHANGE FRAMEWORK Puts Preventative Response Measures in Place Through Shared Experience Attack First Street Credit Union Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Detect Open Threat Exchange Marginal Food Products
A REAL-TIME THREAT EXCHANGE FRAMEWORK Protects Others in the Network With the Preventative Response Measures Attack First Street Credit Union Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Detect Open Threat Exchange Marginal Food Products
GLOBAL THREAT DETECTION FOR LOCAL RESPONSE
Step 6: Automate your SIEM deployment. 27 27
DATA INTEGRATION WITH A SINGLE-PURPOSE SIEM 1 5 Evaluate & purchase 3rd party security detection tools 2 Identify & integrate additional data sources Implement & configure these tools Repeat 3-4 4 Manage security detection tools on separate consoles 3 Integrate data and event feeds into SIEM 28
DATA INTEGRATION WITH ALIENVAULT USM Reduced licensing costs 1 Automated via Auto-Deploy Dashboard 5 Evaluate & purchase 3rd party security detection tools 2 Identify & integrate additional data sources Implement & configure these tools Repeat 3-4 4 Manage security detection tools on separate consoles 3 Built-in asset discovery, vuln assessment, threat detection, behavioral monitoring, and more… Integrate data and event feeds into SIEM Simpler security management, faster remediation 29
DEPLOYMENT DASHBOARD Identify potential data sources to integrate Set up vulnerability assessment and asset inventory scans Implement suggestions to improve visibility
TOP 6 STEPS TO SIEM SUCCESS 1. Avoid single-purpose SIEM tools (Reduce integration complexities - look for built-in security detection sources) 2. 3. 4. 5. 6. Know what use cases you’ll need FIRST. (this will dictate what data sources to prioritize) Imagine all the worst case scenarios for your business. (this will inform your incident response strategy) Include built-in threat intelligence as a must-have requirement. (threats move way too quickly not to operationalize your defenses) Use IP reputation data to prioritize alarms & monitor your own rep. (Identify exposures – both inside and outside your network) Automate your deployment. (yes, hard to believe, but this *is* possible)
QUESTIONS FOR SIEM VENDORS HINT: PRINT THIS OUT FOR THE NEXT TIME THEY CALL YOU….       How long will it take to go from software installation to security insight? For reals. How many staff members or outside consultants will I need for the integration work? What can I do if I don’t have all of the external security technologies in place that can feed the SIEM (e.g. asset inventories, IDS, vulnerability scans, netflows, etc.)? What is the anticipated mix of licensing costs to consulting and implementation fees? Do your alerts provide step-by-step instructions for how to mitigate and respond to investigations? Is IP reputation data included in the threat intelligence content? 32
NOW FOR SOME Q&A… Three Ways to Test Drive AlienVault Download a Free 30-Day Trial http://www.alienvault.com/free-trial Try our Interactive Demo Site http://www.alienvault.com/live-demo-site Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usmlive-demo Questions? hello@alienvault.com

More Related Content

PDF
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
byAlienVault
 
PPTX
Beginner's Guide to SIEM
byAlienVault
 
PDF
Open Source IDS Tools: A Beginner's Guide
byAlienVault
 
PPTX
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
byAlienVault
 
PPTX
Malware detection how to spot infections early with alien vault usm
byAlienVault
 
PPTX
Creating Correlation Rules in AlienVault
byAlienVault
 
PPTX
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
byAlienVault
 
PPTX
IDS for Security Analysts: How to Get Actionable Insights from your IDS
byAlienVault
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
byAlienVault
 
Beginner's Guide to SIEM
byAlienVault
 
Open Source IDS Tools: A Beginner's Guide
byAlienVault
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
byAlienVault
 
Malware detection how to spot infections early with alien vault usm
byAlienVault
 
Creating Correlation Rules in AlienVault
byAlienVault
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
byAlienVault
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
byAlienVault
 

What's hot

PDF
Tips to Remediate your Vulnerability Management Program
byBeyondTrust
 
PPTX
Simplify PCI DSS Compliance with AlienVault USM
byAlienVault
 
PPTX
How to Solve Your Top IT Security Reporting Challenges with AlienVault
byAlienVault
 
PPTX
Improve Situational Awareness for Federal Government with AlienVault USM
byAlienVault
 
PPTX
How to Detect System Compromise & Data Exfiltration with AlienVault USM
byAlienVault
 
PPTX
Improve Threat Detection with OSSEC and AlienVault USM
byAlienVault
 
PPTX
Alienvault threat alerts in spiceworks
byAlienVault
 
PPTX
Configuring Data Sources in AlienVault
byAlienVault
 
PPTX
How to Detect SQL Injections & XSS Attacks with AlienVault USM
byAlienVault
 
PPTX
Improve threat detection with hids and alien vault usm
byAlienVault
 
PPTX
Improve Security Visibility with AlienVault USM Correlation Directives
byAlienVault
 
PPTX
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
byAlienVault
 
PPTX
SIEM 101: Get a Clue About IT Security Analysis
byAlienVault
 
PPTX
Cyber Tech Israel 2016: Advanced Threat Protection Technical Overview
bySymantec
 
PPTX
AlienVault Partner Update: So Many Security Products to Sell to My Customers…...
byAlienVault
 
PPT
Redefining Endpoint Security
byBurak DAYIOGLU
 
PPTX
Insider Threats: How to Spot Trouble Quickly with AlienVault USM
byAlienVault
 
PPTX
Incident response live demo slides final
byAlienVault
 
PDF
Avoid Meltdown from the Spectre - How to measure impact and track remediation
byQualys
 
PPTX
AWS Security Best Practices for Effective Threat Detection & Response
byAlienVault
 
Tips to Remediate your Vulnerability Management Program
byBeyondTrust
 
Simplify PCI DSS Compliance with AlienVault USM
byAlienVault
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
byAlienVault
 
Improve Situational Awareness for Federal Government with AlienVault USM
byAlienVault
 
How to Detect System Compromise & Data Exfiltration with AlienVault USM
byAlienVault
 
Improve Threat Detection with OSSEC and AlienVault USM
byAlienVault
 
Alienvault threat alerts in spiceworks
byAlienVault
 
Configuring Data Sources in AlienVault
byAlienVault
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
byAlienVault
 
Improve threat detection with hids and alien vault usm
byAlienVault
 
Improve Security Visibility with AlienVault USM Correlation Directives
byAlienVault
 
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
byAlienVault
 
SIEM 101: Get a Clue About IT Security Analysis
byAlienVault
 
Cyber Tech Israel 2016: Advanced Threat Protection Technical Overview
bySymantec
 
AlienVault Partner Update: So Many Security Products to Sell to My Customers…...
byAlienVault
 
Redefining Endpoint Security
byBurak DAYIOGLU
 
Insider Threats: How to Spot Trouble Quickly with AlienVault USM
byAlienVault
 
Incident response live demo slides final
byAlienVault
 
Avoid Meltdown from the Spectre - How to measure impact and track remediation
byQualys
 
AWS Security Best Practices for Effective Threat Detection & Response
byAlienVault
 

Similar to Six Steps to SIEM Success

PDF
SIEM evaluator guide for soc analyst
byInfosecTrain
 
PPTX
Operational Security Intelligence
bySplunk
 
PPTX
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
byAnton Chuvakin
 
PPTX
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
byAnton Chuvakin
 
PPTX
Information Security: Advanced SIEM Techniques
byReliaQuest
 
PPTX
Generic siem how_2017
byAnton Chuvakin
 
PPT
Security Outsourcing - Couples Counseling - Atif Ghauri
byAtif Ghauri
 
PPTX
Top Cybersecurity Challenges Facing Your Business
byNicholas Davis
 
PPTX
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
byAnton Chuvakin
 
PPTX
Vulnerability Management: What You Need to Know to Prioritize Risk
byAlienVault
 
PPT
Top 10 SIEM Best Practices, SANS Ask the Expert
byAccelOps
 
PPTX
Securing Systems - Still Crazy After All These Years
byAdrian Sanabria
 
PPTX
Operationalizing Security Intelligence
bySplunk
 
PPTX
5 Steps to an Effective Vulnerability Management Program
byTripwire
 
PDF
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
byCODE BLUE
 
PDF
[Bucharest] Attack is easy, let's talk defence
byOWASP EEE
 
PPTX
SIEM-plifying security monitoring: A different approach to security visibility
byAlienVault
 
PPTX
How to Simplify Audit Compliance with Unified Security Management
byAlienVault
 
PDF
Why so many SIEM Implmentations Fail
byRita Barry
 
PDF
Accel Ops Csobc Sans Webcast 090210.Ppt
byStephen Tsuchiyama
 
SIEM evaluator guide for soc analyst
byInfosecTrain
 
Operational Security Intelligence
bySplunk
 
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
byAnton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
byAnton Chuvakin
 
Information Security: Advanced SIEM Techniques
byReliaQuest
 
Generic siem how_2017
byAnton Chuvakin
 
Security Outsourcing - Couples Counseling - Atif Ghauri
byAtif Ghauri
 
Top Cybersecurity Challenges Facing Your Business
byNicholas Davis
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
byAnton Chuvakin
 
Vulnerability Management: What You Need to Know to Prioritize Risk
byAlienVault
 
Top 10 SIEM Best Practices, SANS Ask the Expert
byAccelOps
 
Securing Systems - Still Crazy After All These Years
byAdrian Sanabria
 
Operationalizing Security Intelligence
bySplunk
 
5 Steps to an Effective Vulnerability Management Program
byTripwire
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
byCODE BLUE
 
[Bucharest] Attack is easy, let's talk defence
byOWASP EEE
 
SIEM-plifying security monitoring: A different approach to security visibility
byAlienVault
 
How to Simplify Audit Compliance with Unified Security Management
byAlienVault
 
Why so many SIEM Implmentations Fail
byRita Barry
 
Accel Ops Csobc Sans Webcast 090210.Ppt
byStephen Tsuchiyama
 

More from AlienVault

PDF
Security operations center 5 security controls
byAlienVault
 
PDF
Insider Threat Detection Recommendations
byAlienVault
 
PDF
PCI DSS Implementation: A Five Step Guide
byAlienVault
 
PPTX
Best Practices for Configuring Your OSSIM Installation
byAlienVault
 
PDF
The State of Incident Response - INFOGRAPHIC
byAlienVault
 
PPTX
How Malware Works
byAlienVault
 
PDF
Alien vault sans cyber threat intelligence
byAlienVault
 
PPTX
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
byAlienVault
 
PPTX
Spice world 2014 hacker smackdown
byAlienVault
 
PPTX
Demo how to detect ransomware with alien vault usm_gg
byAlienVault
 
PPTX
Security by Collaboration: Rethinking Red Teams versus Blue Teams
byAlienVault
 
PPTX
Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”
byAlienVault
 
PDF
Malware Invaders - Is Your OS at Risk?
byAlienVault
 
Security operations center 5 security controls
byAlienVault
 
Insider Threat Detection Recommendations
byAlienVault
 
PCI DSS Implementation: A Five Step Guide
byAlienVault
 
Best Practices for Configuring Your OSSIM Installation
byAlienVault
 
The State of Incident Response - INFOGRAPHIC
byAlienVault
 
How Malware Works
byAlienVault
 
Alien vault sans cyber threat intelligence
byAlienVault
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
byAlienVault
 
Spice world 2014 hacker smackdown
byAlienVault
 
Demo how to detect ransomware with alien vault usm_gg
byAlienVault
 
Security by Collaboration: Rethinking Red Teams versus Blue Teams
byAlienVault
 
Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”
byAlienVault
 
Malware Invaders - Is Your OS at Risk?
byAlienVault
 

Recently uploaded

PPT
Carole BirdCarole BirdCarole BirdCarole Bird.ppt
byk4n3kictf
 
PDF
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
PDF
Xemelgo - RFID Industry Predictions for 2026
byRich Rogers
 
PDF
Techbrains Baku 2025 by GoUP - all speaker session
byHusseinMalikMammadli
 
PPTX
Introduction to Computer Network Concepts.pptx
byAnacrissa Soriano
 
PDF
The Next10 Exponential Innovation 2026 TH
bypantapong
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Measuring Fidelity Decay: How Meaning Collapses in Generative AI Systems
bySemantic Fidelity Lab
 
PPTX
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
PDF
IAC 500 Sensor - Humidity Measurement Device
byCS Instruments
 
PDF
RaaS™ — Research as a Service | Sovereign-Grade Energy & Infrastructure
byTheRDE GROUP
 
PPTX
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
DOCX
Top Websites To ⭐Buy ⭐Old ⭐Gmail ⭐Accounts (PVA & Bulk) (5).docx
byBuy Old Gmail Accounts
 
PDF
Regenerative Agriculture Finance : Environmental impact
byrose mason
 
PDF
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
PDF
कम्प्यूटर.pdf for all computer examination
bynm92169694
 
PPTX
Cyber_Pitch_Presentationggggggg (2).pptx
bysanthoshsathyamoorth1
 
PDF
Uplers' Wrapped | Talent Edition | Year 2025
byUplers
 
PDF
Small Business Automation: A Comprehensive Cost and ROI Guide
byAmelia Swank
 
PDF
Groq Series A Investment Memo - Chamath Palihapitiya
byRazin Mustafiz
 
Carole BirdCarole BirdCarole BirdCarole Bird.ppt
byk4n3kictf
 
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
Xemelgo - RFID Industry Predictions for 2026
byRich Rogers
 
Techbrains Baku 2025 by GoUP - all speaker session
byHusseinMalikMammadli
 
Introduction to Computer Network Concepts.pptx
byAnacrissa Soriano
 
The Next10 Exponential Innovation 2026 TH
bypantapong
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Measuring Fidelity Decay: How Meaning Collapses in Generative AI Systems
bySemantic Fidelity Lab
 
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
IAC 500 Sensor - Humidity Measurement Device
byCS Instruments
 
RaaS™ — Research as a Service | Sovereign-Grade Energy & Infrastructure
byTheRDE GROUP
 
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
Top Websites To ⭐Buy ⭐Old ⭐Gmail ⭐Accounts (PVA & Bulk) (5).docx
byBuy Old Gmail Accounts
 
Regenerative Agriculture Finance : Environmental impact
byrose mason
 
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
कम्प्यूटर.pdf for all computer examination
bynm92169694
 
Cyber_Pitch_Presentationggggggg (2).pptx
bysanthoshsathyamoorth1
 
Uplers' Wrapped | Talent Edition | Year 2025
byUplers
 
Small Business Automation: A Comprehensive Cost and ROI Guide
byAmelia Swank
 
Groq Series A Investment Memo - Chamath Palihapitiya
byRazin Mustafiz
 

Six Steps to SIEM Success

  • 1.
    SIX STEPS TOSIEM SUCCESS Jim Hansen Sr. Director, Product Management
  • 2.
    Step 1: Avoid single-purpose Avoidsingle-purpose SIEM tools. SIEM tools. 2
  • 3.
    LOOK FOR BUILT-INESSENTIAL SECURITY CONTROLS. At a minimum, the SIEM should include this core set of functionality: Asset discovery and inventory Vulnerability assessment Network analysis / netflow (packet capture) Wireless intrusion detection (WIDS) Host-based intrusion detection (HIDS) Network-based intrusion detection (NIDS) File Integrity Monitoring Log management VS.
  • 4.
    BENEFITS OF BUILT-INSECURITY CONTROLS IN SIEM   Accelerated time to value - Reduce cost and complexity -  Go from install to insight QUICKLY At deployment time: Focus on integrating the infrastructure event data only Over the long term: Manage all through the same console, better workflow, etc. More coordinated detection for accurate alarms - Built-in event correlation rules Known sources mean more accurate correlation
  • 5.
    Step 2: Know whatuse cases Know what use you need FIRST. cases you’ll need FIRST. 5
  • 6.
    WHAT ARE YOURSIEM USE CASES?    Figure this out BEFORE you evaluate or invest Use cases define your scope and your priorities (e.g. Pass a PCI audit vs. Detect malware infections) Differences between a business & technology use cases - Business use cases (fewer) translate to: - Technology use cases (many more)
  • 7.
    TRANSLATING BUSINESS USECASES INTO TECHNOLOGY Privileged user monitoring requires knowing: Logs  Who your privileged users are (users)  What constitutes privileged activity (commands) - Logins = rlogins / ssh User permission changes (e.g. sudo or LDAP) - Critical servers, applications, network devices, and network traffic (action sequences) Endpoints…? Whose?  Where you care to focus (devices) -
  • 8.
    EVENT CORRELATION STEPS Whatwe really want to know… Who is abusing privileged access? 1. Identify the goal for each rule (and use case). To detect unauthorized access user activity – including privilege escalation 2. Determine the conditions for the alert. Privilege escalation with no corresponding change request 3. Select the relevant data sources. Active directory, user management system, change control system 4. Test the rule. 5. Determine response strategies, and document them.
  • 9.
    Step 3: What arethe worst case Imagine all the worstscenarios for your business? case scenarios for YOUR business.
  • 10.
    GLOBAL VS. LOCALBAD SCENARIOS    Global bad scenarios - Botnets, malware, C&C traffic, rootkits, trojans, etc. Local bad scenarios - Unique to your business and priorities Only YOU and your mgmt team can answer this Example: - Outbound FTP connections to a former business partner’s network AFTER you’ve canceled the contract. - Service availability “hiccups” during peak operational windows.
  • 11.
    PLAN FOR THEWORST, EXPECT THE BEST    Plan for each of those “worst case” scenarios Ask yourself: How would we know when these happen? - Types of events, and their sequences Devices in scope - Let’s get those data sources added FIRST; First step is finding them (automated asset discovery is a must) How do we respond when we discover them? - Develop standard operational procedures, and train staff - SIEM should have built-in documentation for standard operational procedures  Customized guidance that’s attached to each alert  Details on assets, their owners, contact info, etc.
  • 12.
    Step 4: Include built-inthreat intelligence as a MUST-HAVE.
  • 13.
    OPERATIONALIZED THREAT INTELLIGENCE Threat intelligence should provide info on: - WHO the bad actors are WHAT to focus on HOW to respond when threats are detected WHERE these threats are in your environment  Threat intelligence should also… - Provide instructions on what to do when X happens to Y And… be easily and rapidly consumable – part of your SOP
  • 14.
    ALIENVAULT LABS THREATINTELLIGENCE:        COMPLETE COVERAGE TO STAY AHEAD OF THE THREAT Network and host-based IDS signatures – detects the latest threats in your environment Asset discovery signatures – identifies the latest OS’es, applications, and device types Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems Correlation rules – translates raw events into actionable remediation tasks Reporting modules – provides new ways of viewing data about your environment Dynamic incident response templates – delivers customized guidance on how to respond to each alert Newly supported data source plug-ins – expands your monitoring footprint
  • 15.
    Step 5: Use IPreputation data to prioritize alarms & monitor your own reputation. 15
  • 16.
    DISRUPT THE INCIDENTRESPONSE CYCLE A traditional cycle … 1. 2. Prevent Detect Respond 3. Prevents known threats. Detects new threats in the environment. Respond to the threats – as they happen. This isolated closed loop offers no opportunity to learn from what others have experienced ….no advance notice
  • 17.
    THE POWER OFTHE “CROWD” FOR THREAT DETECTION     Cyber criminals are using (and reusing) the same exploits against others (and you). Sharing (and receiving) collaborative threat intelligence makes us all more secure. Using this data, identify, flag and block known attackers by source IP addresses. Organizations can’t build this “neighborhood watch” infrastructure on their own… that’s where AlienVault comes in…
  • 18.
    TRADITIONAL RESPONSE First Street CreditUnion Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Marginal Food Products
  • 19.
    TRADITIONAL RESPONSE Attack First Street CreditUnion Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Marginal Food Products
  • 20.
    TRADITIONAL RESPONSE Attack First Street CreditUnion Detect Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Marginal Food Products
  • 21.
    TRADITIONAL RESPONSE Attack First Street CreditUnion Respond Detect Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Marginal Food Products
  • 22.
    TRADITIONAL RESPONSE Attack First Street CreditUnion Respond Detect Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Marginal Food Products
  • 23.
    OTX ENABLES PREVENTATIVERESPONSE Through an automated, real-time, threat exchange framework
  • 24.
    A REAL-TIME THREATEXCHANGE FRAMEWORK Puts Preventative Response Measures in Place Through Shared Experience Attack First Street Credit Union Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Detect Open Threat Exchange Marginal Food Products
  • 25.
    A REAL-TIME THREATEXCHANGE FRAMEWORK Protects Others in the Network With the Preventative Response Measures Attack First Street Credit Union Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Detect Open Threat Exchange Marginal Food Products
  • 26.
    GLOBAL THREAT DETECTIONFOR LOCAL RESPONSE
  • 27.
    Step 6: Automate yourSIEM deployment. 27 27
  • 28.
    DATA INTEGRATION WITHA SINGLE-PURPOSE SIEM 1 5 Evaluate & purchase 3rd party security detection tools 2 Identify & integrate additional data sources Implement & configure these tools Repeat 3-4 4 Manage security detection tools on separate consoles 3 Integrate data and event feeds into SIEM 28
  • 29.
    DATA INTEGRATION WITHALIENVAULT USM Reduced licensing costs 1 Automated via Auto-Deploy Dashboard 5 Evaluate & purchase 3rd party security detection tools 2 Identify & integrate additional data sources Implement & configure these tools Repeat 3-4 4 Manage security detection tools on separate consoles 3 Built-in asset discovery, vuln assessment, threat detection, behavioral monitoring, and more… Integrate data and event feeds into SIEM Simpler security management, faster remediation 29
  • 30.
    DEPLOYMENT DASHBOARD Identify potentialdata sources to integrate Set up vulnerability assessment and asset inventory scans Implement suggestions to improve visibility
  • 31.
    TOP 6 STEPSTO SIEM SUCCESS 1. Avoid single-purpose SIEM tools (Reduce integration complexities - look for built-in security detection sources) 2. 3. 4. 5. 6. Know what use cases you’ll need FIRST. (this will dictate what data sources to prioritize) Imagine all the worst case scenarios for your business. (this will inform your incident response strategy) Include built-in threat intelligence as a must-have requirement. (threats move way too quickly not to operationalize your defenses) Use IP reputation data to prioritize alarms & monitor your own rep. (Identify exposures – both inside and outside your network) Automate your deployment. (yes, hard to believe, but this *is* possible)
  • 32.
    QUESTIONS FOR SIEMVENDORS HINT: PRINT THIS OUT FOR THE NEXT TIME THEY CALL YOU….       How long will it take to go from software installation to security insight? For reals. How many staff members or outside consultants will I need for the integration work? What can I do if I don’t have all of the external security technologies in place that can feed the SIEM (e.g. asset inventories, IDS, vulnerability scans, netflows, etc.)? What is the anticipated mix of licensing costs to consulting and implementation fees? Do your alerts provide step-by-step instructions for how to mitigate and respond to investigations? Is IP reputation data included in the threat intelligence content? 32
  • 33.
    NOW FOR SOMEQ&A… Three Ways to Test Drive AlienVault Download a Free 30-Day Trial http://www.alienvault.com/free-trial Try our Interactive Demo Site http://www.alienvault.com/live-demo-site Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usmlive-demo Questions? hello@alienvault.com

Editor's Notes

  • #2 SIEM, or security intelligence, has become the current standard for achieving complete visibility into your compliance status and any threats to your organization’s data and infrastructure. The challenge is that the first wave of SIEM vendors only focused on the logic or analysis layer, basically the event correlation engine - not on how to deploy it or how to feed it. And without those two key success factors, SIEM becomes shelf-ware.Alright so let’s get started… what are those six steps?========Security intelligence has become the current standard for getting
  • #3 SIEM arose from the fact that most of the security products out there have started and evolved as point products. So we all needed something to tie these things together. But if a SIEM only does one thing – it becomes yet another single purpose point product. Just like a single purpose hotdog cooker/hot dog bun toaster. Or should I say “hot dog production solution”. I agree it might be best of breed, but it wastes valuable space on my counter!
  • #4 Not everyone has all this stuff already in place, if you do, yes we can integrate. But if you don’t, or you don’t want the hassle of managing multiple consoles, this eases those issues.
  • #7 Figure this out BEFORE you evaluate or investThese will depend on WHY you’re implementing SIEMThis defines scope and your priorities (e.g. Pass a PCI audit vs. Detect malware infections)Differences between a business use case & how it’s translated into a technology use caseBusiness use case (fewer) = e.g. monitor all privileged user activity for PCI-DSS requirementsTechnology use case (many more) = e.g. alert on all “sudo” events for Linux servers, especially failed root logins, and prioritize those that occur during X time windows, etc.
  • #8 Priv user monitoring for PCI-DSS will be a different scope than if you wanted to do it for a broader purpose…
  • #28 SIEM is too complex. Collecting the right data, aggregating it, normalizing and correlating disparate technologies for that one common view is not a trivial task. And most of the time, the SIEM vendor will expect the client or the client’s service provider to bear the brunt of that deployment challenge. “Feeding the beast” requires multiple hours spent with system administrators who manage those data sources to reroute the event information over to the SIEM. Technically, this isn’t so complex for a single system, but at scale it can get very complicated.
  • #29 Evaluate, select, and purchase third party security tools (e.g. IDS, vulnerability scanners, etc.).Implement and configure these products.Fine-tune and integrate these feeds into the SIEM.Manage and administer them each with a different console than the SIEM.Identify which additional data sources are needed: Firewalls, routers, proxies, switches etc.Web-servers, database servers, LDAP/AD servers, file directories, etc.Repeat steps #3-4.
  • #31 Reduces the burden of integrating data sources Provides suggestions for improving visibilityWhere is the monitoring deficient? What can be done to improve it?
  • #32 So the goal of today’s session is to give you the secrets of success in terms of planning for a solution that works with your environment, your use cases, can be deployed quickly, and can easily scale and be managed over time. Oh yeah, and it needs to be continually updated with the latest threat intelligence, so you’re not trying to figure out how to write rules on your own every time something wicked this way comes.We’re going to focus on each one of these as we go through our presentation today. So here’s just the overview.Most of the reason why SIEM takes so long to deploy is because these tools do only one thing. They correlate data, but they don’t develop the data they’re correlating. They’re reliant on other tools from other vendors who do things like asset discovery, vulnerability assessment, threat detection, tools like IDS, log management, and the list goes on and on. So look for more than just a fancy reporting tool and event correlation engine.The second point is to know why you’re evaluating a tool that provides SIEM functionality. What do you want to do with it? What do you want to know? What are you prepared to act on if it happens? We’ll spend time talking through how to build your use cases. Because this will dictate what data sources you’ll need to prioritize.The next one is probably pretty familiar territory for us security geeks. Ultimately, security professionals spend a lot of time thinking through worst case scenarios… it comes with the territory… we need to. We need to know what terrible things would happen that would have X impact in Y dollars to Z business initiative. And then we build an incident response program out of it.Threat intelligence is an absolute must-have these days. Attackers are continually morphing and adapting their tools, techniques, and there’s too much coming at you and your network to know what to focus on and when. So we’ll talk about the need not just to know the latest threats, but give you the ability to operationalize your consumption of emerging threat intelligence, so you actually have the ability to act on it.The fifth step is all about taking a collaborative approach to threat management – IP reputation data gives you that perspective. When you correlate data from everyone else’s network – a crowd-sourced approach – you now start to turn the tables on those trying to attack you. So we’ll talk about how to use IP reputation data to prioritize events and alarms as well as monitor the reputation of your own public-facing assets.Finally, SIEM deployment is a dirty word. The good news… you can honestly automate the deployment process. At least critical pieces of it…and we’ll talk about how that’s done later in the presentation. So let’s focus on our first step.
  • #33 Demand more from your SIEM vendor. Ask direct and detailed questions to understand how to avoid these typical problems – before you make the leap to purchase. Make sure to get the most value out of every security investment you make in 2013 and beyond. Here are few questions to get you started.