Security Meetup Scotland - August 2017 (Deconstructing SIEM) - Harry McLaren
There are many misconceptions about what a SIEM is and why it should still be at the heart of an operational capability when it comes to security controls and monitoring. This talk outlines what makes a powerful SIEM and why building one yourself is increasingly challenging. We'll explore the frameworks at the heart of a SIEM and how Splunk has developed Enterprise Security with these in mind, finishing with some general lessons learned from SIEM implementation projects.
What is SIEM? A Brilliant Guide to the Basics - Sagar Joshi
SIEM is a technological solution that collects and aggregates logs from various data sources, discovers trends, and alerts when it spots anomalous activity, like a possible security threat.
Big Data For Threat Detection & Response - Harry McLaren
Slides used at the University of Edinburgh SIGINT group (cybersecurity society). Covering what big data is, its value for security use cases, hunting for threats and attacker actions, using Splunk to detect and respond, SIEM use, and some useful searches (which were demoed).
Limitless XDR with Elastic Security introduces the first free and open extended detection and response (XDR) solution that unifies security information and event management (SIEM) and endpoint security. XDR modernizes security operations by enabling analytics across all data sources, automating key processes, and providing native endpoint security to every host. Elastic Security provides limitless visibility through hundreds of integrations, limitless data through long-term storage, and limitless analysis across multi-cloud environments.
This presentation addresses:
- True shortcomings of traditional SIEM solutions
- Why security controls that are utilized in isolation are limited in providing useful indicators of data breaches
- How an alternative approach to IT security that combines state data from multiple security controls provides more advanced incident detection, adds a layer of risk context, and provides more intelligent security for protecting your data
SIEM systems provide security event monitoring and log management by collecting security data from across an organization's network and systems. The first SIEM was developed in 1996 and major players today include IBM QRadar, HP ArcSight, and McAfee Nitro. SIEMs aggregate logs from various sources, use correlation engines to identify related security events, and generate alerts when multiple events indicate a higher risk threat. They provide visibility across an organization's security infrastructure and help with compliance, operations, and forensic investigations. SIEM is important for threat detection, compliance, and gaining insights from security event data.
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated... - IBM Security
IBM Resilient customers are building versatile, adaptable incident response playbooks and workflows with expanded functions and community applications – recently released on the IBM Security App Exchange.
With the new IBM Resilient community, you can collaborate with fellow security experts on today’s top security challenges, share incident response best practices, and gain insights into the newest integrations.
This document discusses the concept of stateless security architecture. It notes that traditional security models are broken due to changes in business, data, and technology models. Factors like increased mobility, BYOD, and cloud computing are driving the need for a stateless model where security controls are decoupled from infrastructure and trust is dynamically assessed. The document outlines four steps to building a stateless architecture, including leveraging ecosystem capabilities, and provides examples of how stateless identity management and encryption could work. Key benefits of stateless security include agile, contextual protection of data regardless of location and ability to change infrastructure without rebuilding protections.
Automation: Embracing the Future of SecOps - IBM Security
Join Mike Rothman, Analyst & President of Securosis and Ted Julian, VP of Product Management and co-founder of IBM Resilient, for a webinar on common automation use cases for the Security Operations Center (SOC).
Security Orchestration, Automation and Response (SOAR) tools are garnering interest in enterprise security teams due to tangible short-term benefits.
Watch the recording: https://event.on24.com/wcc/r/2007717/385A881A097E8EFCE493981972303416?partnerref=LI
Top Cybersecurity Threats and How SIEM Protects Against Them - SBWebinars
Everyone has become increasingly aware of the danger hackers pose—they can steal data, dismantle systems, and cause damage that can take years to recover from. However, organizations often have a false sense of safety when it comes to their security environments. There are countless ways that businesses are making it easier for a threat actor to find their way in undetected.
Join cybersecurity expert Bob Erdman, senior security product manager, as he outlines the most common ways organizations unintentionally put themselves at risk against threats like:
Insider attacks
Alert and console fatigue
Shortage of security staff
Misconfigurations
Excessive access
By better understanding what and where the challenges are, organizations can be better equipped to find solutions. This webinar will also highlight different strategies for mitigating risk, from specific Security Information and Event Management (SIEM) tools to employee education.
Orchestrate Your Security Defenses; Protect Against Insider Threats - IBM Security
This document summarizes IBM QRadar User Behavior Analytics, a solution for detecting insider threats and risks. It notes the growing risks from insiders as attacks and security incidents increase while the number of skilled security professionals fails to keep pace. The solution aims to simplify security operations, deliver faster insights, streamline investigations, and improve analyst productivity with a comprehensive data set and open analytics to identify malicious user behavior based on patterns, profiles, anomalies and other contextual factors.
Optimize IT security management and simplify compliance with SIEM tools.
Your Challenge
In the face of increasing regulatory pressures and headline-grabbing hacking activities, enterprises are deploying an ever increasing volume of dedicated security tools. As a result they are drowning in log and alert data to the point where the tools inhibit their own value.
Implementing SIEM allows enterprises to manage and respond to an ever-widening range of threats and compliance requirements by consolidating, aggregating, correlating, and reporting on security events. Taking action based on correlated data is accelerated, and detailed reporting supports obligations to demonstrate the specific measures the enterprise is taking to be compliant.
Getting a strong product evaluation allows organizations to enhance enterprise security at a manageable cost. Making the wrong choice could mean higher costs, lower security, or both.
Our Advice
Critical Insight
The SIEM market is undergoing rapid developments. In existence for just over a decade, the market is still maturing and product sets continue to be rationalized. Market consolidation is constantly occurring with large security vendors purchasing smaller dedicated SIEM vendors. The threat and regulatory landscape is making SIEM a more and more attractive technology for security firms and customers. Major leaps are being made in advanced capabilities as specialized correlation and analytic features are commercialized.
At first glance a SIEM may cause a panic attack. It will highlight various threats, risks, and vulnerabilities you may have not known about. Stay calm and realize the technology is providing a greater visibility into your organization’s security standing.
Various deployment and management options are making SIEM technology available to security organizations of every size. Near fully out-of-the-box solutions are being used by smaller organizations. Managed security service provider (MSSP) offerings are appearing and can reduce the ongoing costs to a manageable level. High-demand organizations are using SIEM to augment their security operations command with as many as five full-time equivalents (FTEs) monitoring and managing the system to respond to threats in real time.
Impact and Result
Understand what’s new in the SIEM market and where it’s heading.
Develop a strong understanding of the top SIEM vendors and their offerings to identify a best-fit product for your organization.
Cultivate vendor management tactics through a tailored request for proposal and a demo script in order to get the features and functionality you need for either security management, compliance adherence, or overall risk reduction.
7 Reasons your existing SIEM is not enough - CloudAccess
For many enterprises, SIEM has evolved into a ubiquitous and useful tool. It is meant to detect, correlate and alert users to potential threats. In fact, it is an excellent tool to collect and aggregate information in real time from across the enterprise and present an actionable review of security issues... HOWEVER, there are several mission-critical aspects of the current generation of SIEM that don't meet modern security needs.
This document discusses security information and event management (SIEM) systems. It defines log files and events, and explains that SIEM systems allow organizations to monitor security events and write correlation rules to detect patterns of attacks. The document outlines typical SIEM architectures and notes that SIEM systems present detailed information about attack scenarios by correlating disparate security-related events from various sources.
Keynote: Evolution and vision of Elastic Security - Elasticsearch
SecOps teams are taking on more responsibility than ever to support increased activity from a newly remote workforce, which accelerates the need for digital transformation. Learn how Elastic Security has evolved to help SecOps teams take a broader and more inclusive approach to security and prepare their organizations for success. Also, learn the vision of what is coming next.
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ... - Sirius
SIEM technology has been around for years and continues to enjoy broad market adoption. Companies continue to rely on SIEM capabilities to handle proactive security monitoring, detection and response, and regulatory compliance. However, with today’s staggering volume of cyber-security threats and the number of security devices, network infrastructures and system logs, IT security staff can become quickly overwhelmed.
Gartner projects that by 2020:
-- 50% of new SIEM implementations will be delivered via SIEM as a service.
-- 60% of all advanced security analytics will be delivered from the cloud as part of SIEM-as-a-service offerings.
Accelerating SOC Transformation with IBM Resilient and Carbon Black - IBM Security
Security Operation Centers (SOCs) today are complex environments. They often have too many separate tools, uncoordinated analysts in the response process, and confusion around alert prioritization. Because of this, SOCs consistently struggle to respond to the most urgent incidents.
The integration between IBM Resilient and Carbon Black helps SOCs overcome these challenges. IBM Resilient’s Intelligent Orchestration combined with Carbon Black Response provides a single view for all relevant response data and streamlines the entire security process. This makes it simpler for analysts to quickly and efficiently remediate cyberattacks.
Join experts Chris Berninger, Business Development Engineer, Carbon Black, and Hugh Pyle, Product Manager, IBM Resilient, for this webinar, to learn:
- How the IBM Resilient-Carbon Black integration works within your SOC to accelerate incident response improvement
- Strategies to implement Intelligent Orchestration and automation in your incident response process
- Actions that can be taken today for maximizing the effectiveness of your SOC
Integrated Response with v32 of IBM Resilient - IBM Security
Email integration is an important tool in the IR process. Email ingestion allows alerts to be consumed from external tools that do not have available APIs. Email-driven phishing attacks are also one of the most common investigations for most security teams. A key capability of v32 of the Resilient platform is a complete overhaul of the email connector. This updated email capability, now integrated into the core Resilient platform, simplifies the ability of IR teams to capture email-borne malware or phishing attacks and generate incidents and artifacts.
View the corresponding webinar to learn how the new features in the v32 release can help improve your integrated response to attacks and how native email integration can be leveraged as part of workflows and playbooks. You'll also learn what to expect with the updated look and feel of the Resilient platform and significant updates to the Privacy Module to support global regulations.
View the recording: https://ibm.biz/Bd2Yvt
In practice it often proves difficult to determine which risks an organization faces and what an appropriate level of security is for them. This knowledge is, however, necessary in order to take the right measures and to invest effectively in information security. On 12 December 2012, Pinewood, in cooperation with McAfee, organized a seminar that addressed this. Handy tools such as Risk Management and McAfee Nitro (McAfee's SIEM product), together with Pinewood's pragmatic approach, offer concrete guidance and insight for arriving at an effective information security policy.
The document discusses cyber security challenges and solutions. It notes that the cyber landscape is evolving with increased complexity and cost due to globalization. The growth of the Internet of Things means that machines will make more decisions based on data, requiring clean analytics. Moving forward, cyber security approaches will focus more on risk management and implementing defense in multiple layers. The presentation promotes the Predix platform's cyber security features such as micro-containerization, data lineage tracking, standardized certifications, anomaly detection, and multi-party security operations to help customers address these challenges.
The document discusses the evolving cyber security landscape for industrial systems and the internet of things. It notes that while connectivity is growing, only a small percentage of industrial data is currently utilized. However, increased use of data analytics from connected machines also increases the risks of cyber attacks propagating through networks and causing widespread damage. The document advocates for secure design practices, standardized security controls, and taking a risk-based approach to defense in order to protect industrial organizations from emerging cyber threats.
The document outlines the functions of an IT Cyber Security Operations team. It introduces the different teams within IT Cyber Security including Cyber Security Operations, Engineering, and Security Incident Management. It describes the key functions of each team such as security monitoring, network attack monitoring, and incident response. The document also reviews the current detection capabilities including the tools used, such as QRadar for security information and event management, Splunk for security analytics, and Symantec for web/email detection. It concludes by discussing planned improvements like greater insider threat detection, operational enhancements to triage and monitoring, and new cybersecurity controls and increased detection capabilities being delivered through the Cyber Programme.
Building in-house breach detection and response capabilities is difficult. When chosen right, your managed detection and response service provider actually becomes your cyber security partner: its capabilities become an extension of your own. One of the biggest reasons why your organization should consider a managed security service instead of an in-house SIEM (security information and event management) deployment for breach detection and response: cost, cost, cost!
So You Got That SIEM. NOW What Do You Do? by Dr. Anton Chuvakin - Anton Chuvakin
So You Got That SIEM. Now What Do You Do? Anton Chuvakin, Principal, Security Warrior Consulting (@anton_chuvakin)
Many organizations that have acquired Security Information and Event Management (SIEM) tools, and even simpler log management tools, have realized that they are not ready to use many of the advanced correlation features, despite promises that "they are easy to use" and "totally intuitive."
So, what should you do to achieve success with SIEM? What logs should you collect? Correlate? Review? How do you use log management as a step before SIEM? What process absolutely must be built before SIEM purchase becomes successful?
At this presentation, you will learn from the experience of those who did not have the benefit of learning from others' mistakes. Also, learn a few tips on how to "operationalize" that SIEM purchase you've made. And laugh at some hilarious stories of "SIEM FAIL", of course! As a bonus track, how to revive a FAILED SIEM deployment you inherited at your new job will be discussed.
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration - IBM Security
This document discusses intelligent orchestration for security operations centers. It begins with an overview of the challenges facing SOCs and how intelligent orchestration can help by combining human and machine intelligence with automation. It then provides an example use case of how intelligent orchestration allows a SOC to quickly investigate and remediate a phishing incident through automated tools and dynamic playbooks. The document emphasizes that intelligent orchestration acts as a force multiplier for analysts by automating repetitive tasks and providing greater visibility into security tools. It estimates that the example incident response was completed around 65 minutes faster thanks to intelligent orchestration capabilities.
10 Steps to Better Security Incident Detection - Tripwire
* Why many organizations don’t successfully detect security breaches
* How to best use existing security information and event management and log management tools
* Other sources, including external ones, that can provide early indicators of a security breach
* How to maximize the security resources you already have
Watch the webcast here: http://www.tripwire.com/register/10-steps-to-better-security-incident-detection/
Compete To Win: Don’t Just Be Compliant – Be Secure! - IBM Security
View on-demand webinar: https://event.on24.com/wcc/r/1241904/E7C5BDA81308626F69D20F843B229534
An alarming number of organizations today are doing the bare minimum to meet compliance regulations. They are completely unaware of the “data security race” taking place against malicious insiders and criminal hackers creating risk, flying past them in a race to win over sensitive data. These organizations are spending their time doing just enough to check the compliance ‘checkbox’ and pass their audits. While being compliance-ready is absolutely important and represents a great first step along the road to data security, it won't win you the gold.
View this on-demand webcast to learn more about how to shift your thinking and compete to win by using your compliance efforts to springboard you into a successful data security program - one that can safeguard data from internal and external threats, allowing you to be the champion and protector of your customers, your brand, and the sensitive data that fuels your business.
IBM: Cognitive Security Transformation for the Energy Sector - FMA Summits
We encourage the energy sector to think about their security imperatives across IT and OT in a more organized fashion, structured and centered around a core discipline of security analytics and services. This core is enabled by cognitive intelligence that continuously learns the many variables within the IT and Operations domains.
How to Choose the Right Security Information and Event Management (SIEM) Solu... - IBM Security
View on-demand webinar: https://securityintelligence.com/events/choose-right-security-information-event-management-siem-solution/
Learn what matters most when choosing a SIEM solution. In this session, we take a tour of the 2015 Gartner Magic Quadrant for SIEM, and IBM experts will discuss what we believe has set IBM Security QRadar® apart from other vendors for 7 consecutive years.
Automation: Embracing the Future of SecOpsIBM Security
Join Mike Rothman, Analyst & President of Securosis and Ted Julian, VP of Product Management and co-founder of IBM Resilient, for a webinar on common automation use cases for the Security Operations Center (SOC).
Security Orchestration, Automation and Response (SOAR) tools are garnering interest in enterprise security teams due to tangible short-term benefits.
Watch the recording: https://event.on24.com/wcc/r/2007717/385A881A097E8EFCE493981972303416?partnerref=LI
Top Cybersecurity Threats and How SIEM Protects Against ThemSBWebinars
Everyone has become increasingly aware of the danger hackers pose—they can steal data, dismantle systems, and cause damage that can take years to recover from. However, organizations often have a false sense of safety when it comes to their security environments. There are countless ways that businesses are making it easier for a threat actor to find their way in undetected.
Join cybersecurity expert Bob Erdman, senior security product manager, as he outlines the most common ways organizations unintentionally put themselves at risk against threats like:
Insider attacks
Alert and console fatigue
Shortage of security staff
Misconfigurations
Excessive access
By better understanding what and where the challenges are, organizations can be better equipped to find solutions. This webinar will also highlight different strategies for mitigating risk, from specific Security Information and Event Management (SIEM) tools to employee education.
Orchestrate Your Security Defenses; Protect Against Insider Threats IBM Security
This document summarizes IBM QRadar User Behavior Analytics, a solution for detecting insider threats and risks. It notes the growing risks from insiders as attacks and security incidents increase while the number of skilled security professionals fails to keep pace. The solution aims to simplify security operations, deliver faster insights, streamline investigations, and improve analyst productivity with a comprehensive data set and open analytics to identify malicious user behavior based on patterns, profiles, anomalies and other contextual factors.
Optimize IT security management and simplify compliance with SIEM tools.
Your Challenge
In the face of increasing regulatory pressures and headline-grabbing hacking activities, enterprises are deploying an ever increasing volume of dedicated security tools. As a result they are drowning in log and alert data to the point where the tools inhibit their own value.
Implementing SIEM allows enterprises to manage and respond to an ever-widening range of threats and compliance requirements by consolidating, aggregating, correlating, and reporting on security events. Taking action based on correlated data is accelerated, and detailed reporting supports obligations to demonstrate the specific measures the enterprise is taking to be compliant.
Getting a strong product evaluation allows organizations to enhance enterprise security at a manageable cost. Making the wrong choice could mean higher costs, lower security, or both.
Our Advice
Critical Insight
The SIEM market is undergoing rapid developments. In existence for just over a decade, the market is still maturing and product sets continue to be rationalized. Market consolidation is constantly occurring with large security vendors purchasing smaller dedicated SIEM vendors. The threat and regulatory landscape is making SIEM a more and more attractive technology for security firms and customers. Major leaps are being made in advanced capabilities as specialized correlation and analytic features are commercialized.
At first glance a SIEM may cause a panic attack. It will highlight various threats, risks, and vulnerabilities you may have not known about. Stay calm and realize the technology is providing a greater visibility into your organization’s security standing.
Various deployment and management options are making SIEM technology available to all levels of security organizations. Near full out-of-the-box solutions are being used by smaller organizations. Managed security service provider (MSSP) offerings are appearing, and can reduce the ongoing costs to a manageable level. High-demand organizations are using SIEM to augment their security operations command with as many as five full-time equivalents (FTEs) monitoring and managing the system to responds to threats in real time.
Impact and Result
Understand what’s new in the SIEM market and where it’s heading.
Develop a strong understanding of the top SIEM vendors and their offerings to identify a best-fit product for your organization.
Cultivate vendor management tactics through a tailored request for proposal and a demo script in order to get the features and functionality you need for either security management, compliance adherence, or overall risk reduction.
7 Reasons your existing SIEM is not enoughCloudAccess
For many enterprises, SIEM has evolved into a ubiquitous and useful tool. It is meant to detect, correlate and alert users to potential threats. In fact, it is an excellent tool to collect and aggregate information in real-time from across the enterprise and present an actionable review of security issues... HOWEVER there are several mission critical aspects of the current generation of SIEM that don't meet modern security needs.
This document discusses security information and event management (SIEM) systems. It defines log files and events, and explains that SIEM systems allow organizations to monitor security events and write correlation rules to detect patterns of attacks. The document outlines typical SIEM architectures and notes that SIEM systems present detailed information about attack scenarios by correlating disparate security-related events from various sources.
Conferencia principal: Evolución y visión de Elastic SecurityElasticsearch
Los equipos de SecOps asumen más responsabilidad que nunca para aumentar actividad desde una fuerza de trabajo recientemente remota, lo que acelera la necesidad de la transformación digital. Conoce cómo evolucionó Elastic Security para ayudar a los equipos de SecOps tomar un enfoque más amplio e inclusivo en base a la seguridad y preparar a sus organizaciones para el éxito. Además, conoce la visión de lo que vendrá.
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...Sirius
SIEM technology has been around for years and continues to enjoy broad market adoption. Companies continue to rely on SIEM capabilities to handle proactive security monitoring, detection and response, and regulatory compliance. However, with today’s staggering volume of cyber-security threats and the number of security devices, network infrastructures and system logs, IT security staff can become quickly overwhelmed.
Gartner projects that by 2020:
-- 50% of new SIEM implementations will be delivered via SIEM as a service.
-- 60% of all advanced security analytics will be delivered from the cloud as part of SIEM-as-a-service offerings.
Accelerating SOC Transformation with IBM Resilient and Carbon BlackIBM Security
Security Operation Centers (SOCs) today are complex environments. They often have too many separate tools, uncoordinated analysts in the response process, and confusion around alert prioritization. Because of this, SOCs consistently struggle responding to the most urgent incidents.
The integration between IBM Resilient and Carbon Black helps SOCs overcome these challenges. IBM Resilient’s Intelligent Orchestration combined with Carbon Black Response provides a single view for all relevant response data and streamlines the entire security process. This makes it simpler for analysts to quickly and efficiently remediate cyberattacks.
Join experts Chris Berninger, Business Development Engineer, Carbon Black, and Hugh Pyle, Product Manager, IBM Resilient, for this webinar, to learn:
- How the IBM Resilient-Carbon Black integration works within your SOC to accelerate incident response improvement
- Strategies to implement Intelligent Orchestration and automation into your incident response process
- Actions that can be taken today for maximizing the effectiveness of your SOC
Integrated Response with v32 of IBM Resilient
by IBM Security
Email integration is an important tool in the IR process. Email ingestion allows alerts to be consumed from external tools that do not have available APIs. Email-driven phishing attacks are also one of the most common investigations for most security teams. A key capability of v32 of the Resilient platform is a complete overhaul of the email connector. This updated email capability, now integrated into the core Resilient platform, simplifies the ability of IR teams to capture email-borne malware or phishing attacks and generate incidents and artifacts.
View the corresponding webinar to learn how the new features in the v32 release can help improve your integrated response to attacks and how native email integration can be leveraged as part of workflows and playbooks. You'll also learn what to expect with the updated look and feel of the Resilient platform and significant updates to the Privacy Module to support global regulations.
View the recording: https://ibm.biz/Bd2Yvt
In practice it often proves difficult to determine which risks an organisation faces and what an appropriate level of security for them is. This knowledge is, however, necessary in order to take the right measures and to invest effectively in information security. On 12 December 2012 Pinewood, in collaboration with McAfee, organised a seminar addressing exactly this. Practical tools such as Risk Management and McAfee Nitro (McAfee's SIEM product), together with Pinewood's pragmatic approach, offer concrete guidance and insight for arriving at an effective information security policy.
The document discusses cyber security challenges and solutions. It notes that the cyber landscape is evolving with increased complexity and cost due to globalization. The growth of the Internet of Things means that machines will make more decisions based on data, requiring clean analytics. Moving forward, cyber security approaches will focus more on risk management and implementing defense in multiple layers. The presentation promotes the Predix platform's cyber security features such as micro-containerization, data lineage tracking, standardized certifications, anomaly detection, and multi-party security operations to help customers address these challenges.
The document discusses the evolving cyber security landscape for industrial systems and the internet of things. It notes that while connectivity is growing, only a small percentage of industrial data is currently utilized. However, increased use of data analytics from connected machines also increases the risks of cyber attacks propagating through networks and causing widespread damage. The document advocates for secure design practices, standardized security controls, and taking a risk-based approach to defense in order to protect industrial organizations from emerging cyber threats.
The document outlines the functions of an IT Cyber Security Operations team. It introduces the different teams within IT Cyber Security including Cyber Security Operations, Engineering, and Security Incident Management. It describes the key functions of each team such as security monitoring, network attack monitoring, and incident response. The document also reviews the current detection capabilities including the tools used, such as QRadar for security information and event management, Splunk for security analytics, and Symantec for web/email detection. It concludes by discussing planned improvements like greater insider threat detection, operational enhancements to triage and monitoring, and new cybersecurity controls and increased detection capabilities being delivered through the Cyber Programme.
Building in-house breach detection and response capabilities is difficult. When chosen right, your managed detection and response service provider actually becomes your cyber security partner: its capabilities become an extension of your own. One of the biggest reasons why your organization should consider a managed security service instead of an in-house SIEM (security information and event management) deployment for breach detection and response: cost, cost, cost!
So You Got That SIEM. Now What Do You Do?
by Dr. Anton Chuvakin
So You Got That SIEM. Now What Do You Do? Anton Chuvakin, Principal, Security Warrior Consulting (@anton_chuvakin)
Many organizations that acquired Security Information and Event Management (SIEM) tools, and even simpler log management tools, have realized that they are not ready to use many of the advanced correlation features, despite promises that "they are easy to use" and "totally intuitive."
So, what should you do to achieve success with SIEM? What logs should you collect? Correlate? Review? How do you use log management as a step before SIEM? What process absolutely must be built before SIEM purchase becomes successful?
At this presentation, you will learn from the experience of those who did not have the benefit of learning from others' mistakes. Also, learn a few tips on how to "operationalize" that SIEM purchase you've made. And laugh at some hilarious stories of "SIEM FAIL", of course! As a bonus track, how to revive a FAILED SIEM deployment you inherited at your new job will be discussed.
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
by IBM Security
This document discusses intelligent orchestration for security operations centers. It begins with an overview of the challenges facing SOCs and how intelligent orchestration can help by combining human and machine intelligence with automation. It then provides an example use case of how intelligent orchestration allows a SOC to quickly investigate and remediate a phishing incident through automated tools and dynamic playbooks. The document emphasizes that intelligent orchestration acts as a force multiplier for analysts by automating repetitive tasks and providing greater visibility into security tools. It estimates that the example incident response was completed around 65 minutes faster thanks to intelligent orchestration capabilities.
10 Steps to Better Security Incident Detection
by Tripwire
* Why many organizations don’t successfully detect security breaches
* How to best use existing security information and event management and log management tools
* Other sources, including external ones, that can provide early indicators of a security breach
* How to maximize the security resources you already have
Watch the webcast here: http://www.tripwire.com/register/10-steps-to-better-security-incident-detection/
Compete To Win: Don’t Just Be Compliant – Be Secure!
by IBM Security
view on-demand webinar: https://event.on24.com/wcc/r/1241904/E7C5BDA81308626F69D20F843B229534
An alarming number of organizations today are doing the bare minimum to meet compliance regulations. They are completely unaware of the “data security race” taking place against malicious insiders and criminal hackers who create risk, flying past them in a race to win over sensitive data. These organizations are spending their time doing just enough to check the compliance ‘checkbox’ and pass their audits. While being compliance-ready is absolutely important and represents a great first step along the road to data security, it won't win you the gold.
View this on-demand webcast to learn more about how to shift your thinking and compete to win by using your compliance efforts to springboard you into a successful data security program - one that can safeguard data from internal and external threats, allowing you to be the champion and protector of your customers, your brand, and the sensitive data that fuels your business.
IBM: Cognitive Security Transformation for the Energy Sector
by FMA Summits
We encourage the energy sector to think about their security imperatives across IT and OT in a more organized fashion. Structured and centered around a core discipline of security analytics and services. This core is enabled by cognitive intelligence that continuously learns the many variables within IT and Operations domains.
How to Choose the Right Security Information and Event Management (SIEM) Solu...
by IBM Security
View on-demand webinar: https://securityintelligence.com/events/choose-right-security-information-event-management-siem-solution/
Learn what matters most when choosing a SIEM solution. In this session, we take a tour of the 2015 Gartner Magic Quadrant for SIEM, and IBM experts will discuss what we believe has set IBM Security QRadar® apart from other vendors for 7 consecutive years.
Ray Menard plagiarized text from Hugh Farringdon in his document about network security monitoring. The document discusses IBM's QRadar SIEM product and how it can help network and security professionals deal with the large volumes of information they receive. It provides an overview of QRadar SIEM's capabilities, such as event correlation, network flow capture and analysis, and compliance monitoring. The document also presents several use cases where QRadar SIEM can provide valuable visibility, such as complex threat detection, malicious activity identification, and network and asset discovery.
This document discusses the evolution of security from perimeter controls pre-2005 to cognitive, cloud, and collaborative security approaches from 2015 onward. It introduces IBM's QRadar security intelligence solution and how IBM's Watson for Cyber Security can be used with QRadar Advisor to accelerate security investigations. Watson uses cognitive capabilities like machine learning to identify threats and relationships between entities faster than human analysts alone. The document reviews the types of observables that may be sent to Watson to aid its analysis while maintaining privacy, security and control over the data.
Security intelligence involves analyzing all available security data sources in an organization to generate actionable information. It is essential due to increasingly sophisticated attacks, disappearing network perimeters, and security teams facing high volumes of data with limited resources. IBM's QRadar security intelligence platform provides automation, integration, and intelligence to help organizations optimize security through advanced threat detection, compliance, and eliminating data silos. It uses embedded intelligence to identify true security incidents from massive amounts of data through automated collection, analysis, and reduction. Virtual appliance models are available in different capacities to suit organizations' needs.
Security intelligence involves analyzing all available security data sources in an organization to generate actionable information. It is essential due to increasingly sophisticated attacks, disappearing network perimeters, and security teams facing high volumes of data with limited resources. IBM's QRadar security intelligence platform provides automation, integration, and intelligence to help organizations optimize security through advanced threat detection, compliance, and eliminating data silos. It uses embedded intelligence to identify true security incidents from massive amounts of data through automated collection, analysis, and reduction. Virtual appliances are available in different models and capacities to support SMBs and enterprises.
The document discusses IBM QRadar Security Intelligence Platform. It describes how QRadar addresses challenges organizations face from increasingly sophisticated attacks and resource constraints. QRadar provides automated, integrated, and intelligent security through log management, security intelligence, network activity monitoring, risk management, vulnerability management, and network forensics. It allows organizations to identify and remediate threats faster through comprehensive security intelligence and incident forensics.
The IBM Security Intelligence Platform, also known as QRadar®, integrates SIEM, log management, anomaly detection, vulnerability management, risk management and incident forensics into a unified, highly scalable, real-time solution that provides superior threat detection, greater ease of use, and low total cost of ownership compared with competitive products.
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
by IBM Security
View on-demand webinar: https://securityintelligence.com/events/qradar-investment-2016/
Helping you stay ahead of cybercriminals means our work at IBM Security is never done. With data to collect coming from every direction, you need real-time and historical analytics to discover the anomalous conditions that often provide the early warning signs of an attacker’s presence. Join us to hear about new features in IBM Security QRadar that can provide you with better visibility into what’s happening on your network, and new integrations that will help you multiply your investment and speed up your remediation efforts.
1) The document discusses the challenges facing security teams like escalating attacks, increasing complexity, and resource constraints.
2) It outlines IBM's security intelligence strategy of establishing security as an integrated system across threat research, endpoints, applications, identity, and other areas.
3) IBM QRadar is positioned as the centerpiece for integrating these security capabilities to help organizations detect, respond to, and prevent advanced threats across the attack lifecycle.
Csirs Transport Security September 2011 V 3.6
by David Spinks
This document discusses cyber security threats, especially advanced persistent threats (APTs), in real-time systems. It notes that the Stuxnet virus changed the landscape by showing the sophistication that threats can achieve. Insider threats are also discussed as being very dangerous due to immediate access inside security perimeters. The document recommends implementing baseline security measures but also more advanced measures like data loss prevention and log analysis to help detect and mitigate APTs, noting they are difficult to find and defend against. Executive sponsorship of security is key to protecting against these evolving threats.
At Seceon, our team of dedicated security experts works around the clock to monitor your systems, providing real-time threat intelligence and rapid incident response whenever and wherever you need it. With Seceon-Inc by your side, you can rest assured that your business is protected at all times, day or night.
This document provides an overview of an IBM Security QRadar SIEM Foundations course. The course covers topics such as QRadar data flow architecture, deployment options, navigating the user interface, building searches and reports, managing assets and rules. It describes how QRadar integrates various security tools and uses correlation to detect threats. The document highlights how QRadar provides security intelligence through network flow analysis, cognitive analytics, and an open ecosystem.
How to Add Advanced Threat Defense to Your EMM
by Skycure
View recorded webinar here: http://hubs.ly/y0SRV90
In this webinar presentation we discuss how to:
- Stop mobile attacks before they make it to the enterprise by leveraging crowd wisdom
- Dynamically enforce BYOD, security and compliance policies based on actively detected threats
- Leverage risk-based enterprise mobility management to detect and protect against corporate espionage via infiltrated mobile devices
The document discusses DTS's cyber security services across 10 domains including strategy, operations, response, and resilience. It outlines their approach to the cyber security challenges facing enterprises and provides examples of solutions in areas like risk management, compliance, security operations centers, incident response, and red/purple teaming. Case studies and contact information are also included.
SIEM (security information and event management) technology collects and analyzes log and event data from across an organization's IT infrastructure to provide visibility into security threats and other events. EDR (endpoint detection and response) technology focuses specifically on monitoring endpoints like desktops and servers to detect and respond to threats. Using both SIEM and EDR provides a more complete picture of an organization's security posture and cybersecurity threats. Together, they can improve threat detection, response, investigation and remediation compared to using either technology alone. Leading security service providers use both SIEM and EDR solutions to more effectively protect their clients.
DSS and Security Intelligence @IBM_Connect_2014_April
by Andris Soroka
DSS participated in this year's "IBM Connect" event, organized by IBM's regional VAD, ALSO Baltics. DSS spoke about the importance of IT Security in the new digital world that is developing. New technologies bring new business opportunities, but they also bring new security threats and risks that have to be considered first.
IBM Security Strategy Intelligence, Integration and Expertise
by Marc van Zadelhoff, VP, WW Strategy and Product Management and Joe Ruthven IBM MEA Security Leader
Cyber Services provides cyber security services including ethical hacking, threat analysis, cyber exercises, security awareness training, and course development. Led by CEO Ferenc Frész, the company was founded in 2015 and employs over 30 security experts and technical staff. Services are delivered to clients including NATO, UAE, EU Council, and private sector organizations.
Symantec Cyber Security Services: Security Simulation strengthens cyber-readiness by providing live-fire simulation of today’s most sophisticated, advanced targeted attacks. Our cloud-based, virtual training experience provides multi-staged attack scenarios allowing participants to take on the identity of their adversaries to learn their motives, tactics and tools. This gamification of security education helps level the playing field by providing a more engaging, immersive real-world experience than traditional security skills training.
Security Simulation allows participants to assess their game performance and provides structured guidance for on-going skills development. It also allows security leaders to strengthen their team by providing insight into individual and team performance, visibility of functional gaps within the team and the option of performing pre-hire skill assessments.
Security Operations, MITRE ATT&CK, SOC Roles / Competencies
by Harry McLaren
Security Operations & MITRE ATT&CK
Description: A two topic talk covering the core functions of the blue team (security operations), common roles and the required skills to be successful. Then an overview of the threat-led knowledgebase MITRE ATT&CK and how to put it to good use for threat detection and response.
Modern Security Operations & Common Roles/Competencies
by Harry McLaren
This document provides an overview of modern security operations technologies and frameworks from the perspective of Harry McLaren, a cybersecurity professional with 14 years of experience. It discusses the evolution of security operations functions from basic monitoring to advanced detection, analysis, and response. Key components of a security operations center are described, including threat modeling, detection configuration, and the MITRE ATT&CK framework for mapping threats, techniques, and countermeasures. Implementing a DevOps approach and config-as-code is advocated to improve effectiveness, faster adaptation, and increased scalability. Common security analyst roles and competencies such as technical skills, behaviors, and emotional intelligence are also covered.
This session will outline common roles for cyber defenders, including areas like Security Operations, Engineering and Consultancy. It will focus on the fundamental competencies (skills/behaviours) expected of entry level applicants getting into cybersecurity and how to build yourself into a confident professional working to defend your employer and their customers.
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
by Harry McLaren
We’ll be exploring some of the more advanced capabilities of Phantom and also discussing the security framework from MITRE, “ATT&CK”, and its valuable use when integrated with Splunk Enterprise! We’ll also have two SplunkTrust members available for some general Q&A in our own ‘Meet the Experts’.
- Splunk Phantom Workbook Automation - SOAR (Security Orchestration, Automation & Response)
-- Tom Wise (Phantom Security Solutions Engineer & Trainer)
- Threat Hunting, Or: How I Learned to Stop Worrying & Love ATT&CK
-- Cian Heasley / Fraser Dumayne (Security Engineers)
- Meet the Experts with SplunkTrust
-- Harry McLaren (Senior Splunk Consultant)
-- Tom Wise (Splunk Consultant, Phantom Security Solutions Engineer & Trainer)
Security operations centres are made up of several roles and each role benefits from a person with specific skills and competencies. This presentation was presented at Napier University on the 13/11/2019 at their 'Cyber Breakfast'.
Hunting Hard & Failing Fast (ScotSoft 2019)
by Harry McLaren
Many organisations have invested millions in building security operations teams, deploying powerful monitoring and reporting tools and then asking for continual improvement in the form of tuning, threat hunting and developing new threat models. However, within large enterprises, these types of changes either represent the risk of making changes to a live production platform or take weeks or months to go through the development and release process (route-to-live). This session outlines some DevOps principles and an associated framework for enforcing change management while still supporting rapid changes to code and configuration.
* SOC Capabilities
* OODA & Threat Hunting
* Balancing SOC Risk
* Using Splunk for an Agile SIEM
* Result: Empowered Hunters
* Resources & Questions
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
by Harry McLaren
We'll be covering the latest and greatest updates to Phantom (SOAR Platform), the ins-and-outs of the new Endpoint Data Model and what you can use it for, and finally showcasing some of the awesome beta features just released as part of the Splunk Security Essentials App, which include MITRE ATT&CK and Kill Chain mappings!
Collecting AWS Logs & Introducing Splunk New S3 Compatible Storage (SmartStore)
by Harry McLaren
Two presentations at the January Splunk User Group in Edinburgh. Presenters were Harry McLaren and Tomasz Dziwok.
Topics covered are collecting AWS based logs at scale with Splunk and what the new object-based storage feature is within Splunk Enterprise (SmartStore).
Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...
by Harry McLaren
We explore "Metrics, mstats and Me: Splunking Human Data” and also have some insights into the KV Store and javascript use in dashboards. We’ll also re-cover the conf18 updates for those who couldn’t attend our last session.
Covering off some of the latest announcements at Splunk's user conference (.conf), an Add-on created to Splunk config files and also the presentation delivered at .conf18 on SplDevOps!
SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...
by Harry McLaren
As Splunk scales, it grows with more Splunk engineers, developers and users. Maintaining proper knowledge object development, deployment changes and best practices can become a daunting task where fear-driven development takes its toll. In this session we present our enhancement of Splunk’s scalability in terms of software management, continuous integration and continuous delivery (CI/CD) by providing a framework which consists of DevOps tooling in combination with our Splunk expertise. Specifically, we are able to maintain a proper Splunk development cycle by using Docker containers, configuration and secret management with Ansible and version control with Git (VCS), all achieved by taking advantage of Splunk's ".conf" versatility. Our result is a CI/CD development-to-testing-to-production framework that complements Splunk’s scalability with modern DevOps culture and facilitates a smoother yet moderated development experience.
Lessons on Human Vulnerability within InfoSec/Cyber
by Harry McLaren
Truths and lessons from a cybersecurity consultant who shares his experience with failure, vulnerability and the lessons we can all take forward to be kinder and healthier professionals.
This was also recorded here: https://youtu.be/-Rcfn1iFb1g?t=7m56s
OWASP - Analyst, Engineer or Consultant?
by Harry McLaren
The slides used at the March 2018 OWASP Edinburgh meetup to share a look at common roles within cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.
TSTATS, the Life of a Splunk Trainer and using DevOps in Splunk Development
by Harry McLaren
Some interesting talks about using TSTATS and the internal Splunk logs, a Splunk Trainer sharing his journey with Splunk and how he's managed to achieve every possible Splunk certification (over 10!), and a short discussion about emerging thoughts on using development/release frameworks with Splunk deployments.
Cyber Scotland Connect: What is Security Engineering?
by Harry McLaren
Harry McLaren is a managing consultant at ECS who gives a presentation on cybersecurity engineering. Cybersecurity engineering involves building systems, deploying configurations, integrating systems, and developing solutions to protect against, detect, and respond to threats. It is important for engineering projects to consider people, process, technology, the end user, support requirements, and how the solution fits within the business and IT strategies. The presentation provides examples of scenario walkthroughs and best practices for engineers, such as using automation, version control, containers, and cloud technologies.
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)
by Harry McLaren
Getting into Cybersecurity: Advice, tips and tricks from an experienced cybersecurity consultant.
Slides by: Robert Williamson
Website: https://cyberscotlandconnect.com/
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)
by Harry McLaren
Getting into Cybersecurity: Advice, tips and tricks from an experienced recruitment consultant.
Slides by: Stefanie Corlay
Website: https://cyberscotlandconnect.com/
We'll aim to do a brief intro to the event and an overview of our Mission Statement + Purpose (we promise to keep the boring stuff short!)
Our aim is to mix some short interactive sessions with some Q&A's, some brilliant speakers and other bits and pieces to hopefully deliver some real value to people attending.
Slides by: Stuart Turner
Website: https://cyberscotlandconnect.com/
Latest Updates to Splunk from .conf 2017 Announcements
by Harry McLaren
Session detailing some of the best announcements from the recent Splunk users conference. Delivered at the Splunk User Group in Edinburgh on October 16, 2017.
Securing the Enterprise/Cloud with Splunk at the Centre
by Harry McLaren
Using orchestration tools with Splunk to automate and respond to events of interest and what types of use cases and logs you can leverage AWS/Cloud as the source.
Delivered as part of the Splunk User Group in Edinburgh in August 2017
Stream: http://productfor.ge/SUGE0817
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data Lake
by Walaa Eldin Moustafa
Dynamic policy enforcement is becoming an increasingly important topic in today’s world where data privacy and compliance is a top priority for companies, individuals, and regulators alike. In these slides, we discuss how LinkedIn implements a powerful dynamic policy enforcement engine, called ViewShift, and integrates it within its data lake. We show the query engine architecture and how catalog implementations can automatically route table resolutions to compliance-enforcing SQL views. Such views have a set of very interesting properties: (1) They are auto-generated from declarative data annotations. (2) They respect user-level consent and preferences (3) They are context-aware, encoding a different set of transformations for different use cases (4) They are portable; while the SQL logic is only implemented in one SQL dialect, it is accessible in all engines.
#SQL #Views #Privacy #Compliance #DataLake
4th Modern Marketing Reckoner by MMA Global India & Group M: 60+ experts on W...
by Social Samosa
The Modern Marketing Reckoner (MMR) is a comprehensive resource packed with POVs from 60+ industry leaders on how AI is transforming the 4 key pillars of marketing – product, place, price and promotions.
End-to-end pipeline agility - Berlin Buzzwords 2024
by Lars Albertsson
We describe how we achieve high change agility in data engineering by eliminating the fear of breaking downstream data pipelines through end-to-end pipeline testing, and by using schema metaprogramming to safely eliminate boilerplate involved in changes that affect whole pipelines.
A quick poll on agility in changing pipelines from end to end indicated a huge span in capabilities. For the question "How long does it take for all downstream pipelines to be adapted to an upstream change?", the median response was 6 months, but some respondents could do it in less than a day. When quantitative data engineering differences between the best and worst are measured, the span is often 100x-1000x, sometimes even more.
A long time ago, we suffered at Spotify from fear of changing pipelines due to not knowing what the impact might be downstream. We made plans for a technical solution to test pipelines end-to-end to mitigate that fear, but the effort failed for cultural reasons. We eventually solved this challenge, but in a different context. In this presentation we will describe how we test full pipelines effectively by manipulating workflow orchestration, which enables us to make changes in pipelines without fear of breaking downstream.
Making schema changes that affect many jobs also involves a lot of toil and boilerplate. Using schema-on-read mitigates some of it, but has drawbacks since it makes it more difficult to detect errors early. We will describe how we have rejected this tradeoff by applying schema metaprogramming, eliminating boilerplate but keeping the protection of static typing, thereby further improving agility to quickly modify data pipelines without fear.
Predictably Improve Your B2B Tech Company's Performance by Leveraging Data
by Kiwi Creative
Harness the power of AI-backed reports, benchmarking and data analysis to predict trends and detect anomalies in your marketing efforts.
Peter Caputa, CEO at Databox, reveals how you can discover the strategies and tools to increase your growth rate (and margins!).
From metrics to track to data habits to pick up, enhance your reporting for powerful insights to improve your B2B tech company's marketing.
- - -
This is the webinar recording from the June 2024 HubSpot User Group (HUG) for B2B Technology USA.
Watch the video recording at https://youtu.be/5vjwGfPN9lw
Sign up for future HUG events at https://events.hubspot.com/b2b-technology-usa/
The Ipsos - AI - Monitor 2024 Report.pdfSocial Samosa
According to Ipsos AI Monitor's 2024 report, 65% Indians said that products and services using AI have profoundly changed their daily life in the past 3-5 years.
Orchestrating the Future: Navigating Today's Data Workflow Challenges with Ai...Kaxil Naik
Navigating today's data landscape isn't just about managing workflows; it's about strategically propelling your business forward. Apache Airflow has stood out as the benchmark in this arena, driving data orchestration forward since its early days. As we dive into the complexities of our current data-rich environment, where the sheer volume of information and its timely, accurate processing are crucial for AI and ML applications, the role of Airflow has never been more critical.
In my journey as the Senior Engineering Director and a pivotal member of Apache Airflow's Project Management Committee (PMC), I've witnessed Airflow transform data handling, making agility and insight the norm in an ever-evolving digital space. At Astronomer, our collaboration with leading AI & ML teams worldwide has not only tested but also proven Airflow's mettle in delivering data reliably and efficiently—data that now powers not just insights but core business functions.
This session is a deep dive into the essence of Airflow's success. We'll trace its evolution from a budding project to the backbone of data orchestration it is today, constantly adapting to meet the next wave of data challenges, including those brought on by Generative AI. It's this forward-thinking adaptability that keeps Airflow at the forefront of innovation, ready for whatever comes next.
The ever-growing demands of AI and ML applications have ushered in an era where sophisticated data management isn't a luxury—it's a necessity. Airflow's innate flexibility and scalability are what makes it indispensable in managing the intricate workflows of today, especially those involving Large Language Models (LLMs).
This talk isn't just a rundown of Airflow's features; it's about harnessing these capabilities to turn your data workflows into a strategic asset. Together, we'll explore how Airflow remains at the cutting edge of data orchestration, ensuring your organization is not just keeping pace but setting the pace in a data-driven future.
Session in https://budapestdata.hu/2024/04/kaxil-naik-astronomer-io/ | https://dataml24.sessionize.com/session/667627
STATATHON: Unleashing the Power of Statistics in a 48-Hour Knowledge Extravag...sameer shah
"Join us for STATATHON, a dynamic 2-day event dedicated to exploring statistical knowledge and its real-world applications. From theory to practice, participants engage in intensive learning sessions, workshops, and challenges, fostering a deeper understanding of statistical methodologies and their significance in various fields."
1. DECONSTRUCTING SIEM
What are SIEM platforms made of and why are frameworks so important?
Harry McLaren – Senior Security Consultant at ECS
2. HARRY MCLAREN
• Alumnus of Edinburgh Napier
• Senior Security Consultant at ECS
• Splunk Consultant & Architect
• SOC Build & Use Case Development
3. Security Information & Event Management (SIEM)
Software products and services that combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by network hardware and applications.
Source: Wikipedia & Gartner
4. SIEM USE CASES
• Security & Compliance Reporting
• Real-Time Monitoring of Known Threats
• Detecting Unknown Threats
• Incident Investigations & Forensics
• Fraud Detection
• Insider Threat
5. SIEM EVOLUTION
Term initially coined in 2005 by Gartner
v1.0 Ticketing & Workflow Integrations
v1.5 Risk Based Analysis & “Intelligence”
v2.0 “Next-Gen SIEM”
v3.0
Initial Rule Sets & Event Queues
Environment Awareness & Correlation Searches
Risk Management & Threat Data Intelligence
Machine Learning & Orchestration
14. SUCCESSFUL SIEM
INTEGRATION
Maximize cross-silo visibility by on-boarding ALL data sources.
Automate repetitive tasks and set up orchestration for the rest.
PREPARATION
Understand your project’s input and output requirements.
Champion the project and identify project dependencies.
SUCCESS CRITERIA
Identify the problem(s) you’re trying to solve.
Document the risks/threats this control mitigates or minimises.
EMBEDDING
Position the SIEM project as part of transformative change.
Enable and engage SecOps to own and evolve the platform.
15. SPLUNK USER GROUP - EDINBURGH
• What:
  • Splunking at Home (Homegrown Lab)
  • Supporting Splunk at Scale
  • Overview of Splunk Enterprise Security
• When:
  • Tuesday, 27th of June, 5:30pm-8pm
• Where:
  • Edinburgh Napier University, 10 Colinton Road, Edinburgh, EH10 5DT
• Register:
  https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html
Presentation Title: Deconstructing the SIEM Platform
There are many misconceptions about what a SIEM is and why they should still be the heart of an operational capability when it comes to security controls and monitoring. This topic will outline what makes a powerful SIEM and why creating it yourself is increasingly challenging. We'll explore the frameworks at the heart of a SIEM and how Splunk has developed Enterprise Security with these in mind; finishing with some general lessons learned for SIEM implementation projects.
1min
Short Bio:
Harry McLaren is a Senior Consultant at ECS and is responsible for service delivery, technical leadership and people development in the rapidly growing Splunk consulting practice and is responsible for growing our team of talented Splunk Consultants. ECS, a specialist in enterprise IT services, has an award-winning IT security capability which is focused on Cybersecurity Operations Centres and IT security consulting.
1min
Define ‘Big Data’
Define ’SIEM’
2mins
A few security-based use cases you can leverage big data platforms for, but how?
1min
SIEM evolution and the (often fallacious) notion of ‘next-gen’ SIEM. “Next-gen” shouldn’t even be a term: your security operational capability should grow organically, and the tools should be able to keep up.
A platform should be able to grow as your security maturity and technical ability grow (not limited to only “out-of-the-box” features).
2mins
Building full featured SIEMs is hard.
Many try, many fail.
Big data platforms only provide access to (hopefully) easy to search data.
Most end up as very basic rule engines similar in function to a distributed IDS (NIDS or HIDS).
2mins
Rules
• Threshold Based
• Anomaly/Behaviour Based
• Boolean Based
Context
• Asset & Identity Awareness
• Risk Profiling/Analytics
• Approved Types of Activity vs Not
Frameworks
• Scalability (Volume, Complexity)
• User Empowerment (without being a platform expert)
• Expansion and development of custom use cases
Integration
• Data Source Compatibility (Schema vs Write once, read multiple ways)
• Workflow Integration & Centralised Investigation
• Orchestration
3mins
Example high-level architecture of a SIEM platform.
Lots of components working together.
Inputs, procedures and outputs are covered.
Five frameworks mentioned covered in more detail.
Not going to talk all the way through each one, purpose is to show the types of frameworks required and illustrate the contents of them.
2mins
This is about what is important to you: what does your threat modelling identify as ‘at risk’, and the framework to identify, group and report on these events of interest.
Workflow management, including analyst actions and status of event/events of interest.
1min
Contextual awareness within an organisation involves telling the SIEM who your users are and what assets are within your estate.
Dynamic updates are a priority as context changes (JML).
1min
Not my favourite term… So let’s pretend it says ‘Threat Data’.
Up to date information is key, various types of data provider.
Additional context turns unknowns into knowns: from a potential threat (unlikely to be triaged) to a known threat.
1min
Correlation between contextual sources.
Custom inputs / outputs.
Useful for more mature threat assessment of behaviour.
1min
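To make the rules, context and risk pieces from the frameworks list and the notes above concrete, here is an added toy correlation pass in Python (constructed data and functions of my own; not code from the talk, ECS or Splunk). It runs a threshold rule and a boolean rule over constructed authentication events, enriches hits with asset and identity context, and accumulates a per-user risk score weighted by asset criticality.

```python
# Added example (not from the slides): a miniature SIEM correlation pass.
# All events, assets and identities below are constructed for illustration.
from collections import Counter

EVENTS = [  # normalised auth events: source host, user, outcome, destination asset
    {"src": "10.0.0.5", "user": "alice", "action": "failure", "dest": "hr-db"},
    {"src": "10.0.0.5", "user": "alice", "action": "failure", "dest": "hr-db"},
    {"src": "10.0.0.5", "user": "alice", "action": "failure", "dest": "hr-db"},
    {"src": "10.0.0.5", "user": "alice", "action": "success", "dest": "hr-db"},
    {"src": "10.0.0.9", "user": "svc-backup", "action": "success", "dest": "hr-db"},
    {"src": "10.0.0.7", "user": "bob", "action": "success", "dest": "wiki"},
]

# Context framework: "tell the SIEM who your users are and what assets are in your estate".
ASSETS = {"hr-db": {"criticality": 3}, "wiki": {"criticality": 1}}
IDENTITIES = {
    "alice": {"role": "hr", "privileged": False},
    "bob": {"role": "eng", "privileged": False},
    "svc-backup": {"role": "service", "privileged": True},
}

def threshold_rule(events, limit=3):
    """Threshold-based rule: `limit` or more failures from the same (src, user)."""
    fails = Counter((e["src"], e["user"]) for e in events if e["action"] == "failure")
    return {pair: n for pair, n in fails.items() if n >= limit}

def boolean_rule(events):
    """Boolean rule: threshold fired AND a later success for the same pair."""
    burst = threshold_rule(events)
    return {(e["src"], e["user"]) for e in events
            if e["action"] == "success" and (e["src"], e["user"]) in burst}

def enrich(event):
    """Attach asset criticality and identity attributes (unknowns get safe defaults)."""
    asset = ASSETS.get(event["dest"], {"criticality": 1})
    ident = IDENTITIES.get(event["user"], {"role": "unknown", "privileged": False})
    return {**event, "criticality": asset["criticality"], **ident}

def risk_score(events):
    """Risk profiling: per-user score from rule hits, weighted by asset criticality
    and doubled for privileged identities, so analysts triage by risk not by alert count."""
    hits_threshold, hits_boolean = threshold_rule(events), boolean_rule(events)
    scores = Counter()
    for e in events:
        pair, ctx = (e["src"], e["user"]), enrich(e)
        weight = ctx["criticality"] * (2 if ctx["privileged"] else 1)
        if pair in hits_threshold and e["action"] == "failure":
            scores[e["user"]] += 5 * weight    # each failure in the burst
        if pair in hits_boolean and e["action"] == "success":
            scores[e["user"]] += 30 * weight   # the success after the burst
    return dict(scores)
```

With the constructed data only alice accrues risk (3 failures and a success against a criticality-3 asset), while the privileged service account and bob fire nothing.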
Most recent addition to most SIEM platforms. Splunk supported calling scripts/APIs, but these were all custom and not part of an ecosystem.
Major next step in rapid response to threats: taking action to halt the threat before the end of the kill-chain/attack cycle.
Builds up operational capability with the ability to gather relevant context automatically, then triage and act in a fluid and informed manner.
1min
Understand the reasons for the project, use cases, motivations and what constraints might apply.
Prepare, prepare, prepare. Ensure you have scoped all required inputs, outputs and the level of dependencies between them.
Integrate everything! Not just the data sources, but workflow, automation and orchestration.
SIEMs can be very powerful tools; however, if the team which is going to own and use it doesn’t know how, it’ll go to waste. SecOps teams should be at the forefront of exploring the data, hunting and defining their own use cases.
2mins