SIEM-plifying security monitoring: A different approach to security visibility

Dave Shackleford, Voodoo Security and SANS
Joe Schreiber, AlienVault

© 2014 The SANS™ Institute - www.sans.org
Introduction

• Many organizations are still experiencing data breaches
  – Attackers are more advanced
  – But…we’ve got preventive and detective controls, right?
• More proactive use of threat intelligence, and more time spent on internal detection capabilities, will help
  – But what do you need?
  – How can you succeed with limited time and/or budget?
First…security intelligence

• Security/threat intelligence is all the rage these days…in theory
• Today, most organizations are gathering external threat intelligence from sources such as:
  – The SANS Internet Storm Center
  – Blog sites
  – Commercial feeds
  – ISACs and other public-private collaboration groups

External Threat Intel Data

• Intel about attacks and attackers may include:
  – Source IPs/hostnames/domains
  – Ports/services in use
  – Source countries
  – Attack types
  – Packet traces
  – Malware
  – File names
• DNS entries that are or should be blacklisted
• Countries of origin with specific reputation criteria
• Types of events to look out for:
  – Application attacks
  – Ports and IP addresses
  – Specific types of malware detected
• Vertical-specific likelihood
Internal sources of threat intel data

• Baseline security controls:
  – Firewalls and router ACLs
  – IDS/IPS
  – Antivirus
  – Proxies and load balancers
  – Log management
• More advanced controls:
  – SIEM
  – Host IDS/whitelisting
  – Malware sandboxing
• So why are we still getting hacked?!
Collaborative Threat Intelligence

• Diversity in threat intelligence limits attackers’ ability to isolate targets by industry, location, size, etc.
• The AlienVault Open Threat Exchange™ (OTX) is the world’s largest collaborative threat intelligence system
• AlienVault Labs validates threat data and contributes findings from its own research

SIEM Challenges Abound

• Many SIEM users have had challenges getting needed insights
• Why?
• A vast variety of issues can lead us here:
  – Difficulty deploying
  – Lack of integration
  – Challenging UI and usability
  – No threat intelligence
  – Difficult correlation rules
  – Poor planning
Lessons Learned the Hard Way

• Situation: "Tribal" knowledge and a move to an MSSP
  – Lesson learned: Improve documentation and planning around internal data types and use cases
• Situation: “You are what you eat”
  – Lesson learned: Review your data sources before AND after your deployment

Getting More From a SIEM

• There are several important things organizations can do to improve SIEM success:
  – Assess integration with data/tools
  – Discuss outcomes/use cases
  – Assess ease-of-use and implementation
  – Look for threat intelligence integration, both external and internal

Fundamental SIEM Integration Points

• Asset discovery and inventory
• Vulnerability assessment
• Network packet/flow analysis (packet capture)
• Wireless intrusion detection (WIDS)
• Host-based intrusion detection (HIDS)
• Network-based intrusion detection (NIDS)
• File integrity monitoring
• Log management

Discuss Outcomes & Use Cases

• Every organization is different
  – Business use cases
  – Compliance/security priorities
  – Existing gaps
• Build technical rule implementations of business use cases
  – Identify & monitor privileged users
  – Build behavior profiles
  – Detect C&C channels more rapidly
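Two of the use cases above, privileged-user monitoring against a behavior profile and faster C&C detection, written out as concrete correlation rules. This is an added example for this page, not code from the original deck, from AlienVault or from SANS. The accounts, hosts, flow records and the baseline profile are constructed, and the thresholds (five connections, 10% timing jitter) are illustrative assumptions rather than anyone's defaults.

```python
"""Two correlation rules derived from the business use cases above:
privileged-user monitoring against a behavior profile, and beacon
detection to surface C&C channels faster.

Added example for this slide deck, not AlienVault or SANS code. Accounts,
hosts, flow records and the baseline profile are constructed; the
thresholds are illustrative assumptions, not vendor defaults.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed authentication events: (account, source host, UTC timestamp).
AUTH_EVENTS = [
    ("svc_backup", "backup01", "2014-03-03T02:00:00Z"),
    ("svc_backup", "backup01", "2014-03-04T02:00:00Z"),
    ("svc_backup", "wks-0142", "2014-03-04T14:22:10Z"),  # service account from a workstation
    ("dba_admin", "db01", "2014-03-04T09:15:00Z"),
    ("dba_admin", "db01", "2014-03-04T23:40:00Z"),       # admin login late at night
    ("jdoe", "wks-0042", "2014-03-04T08:55:00Z"),        # not a privileged account
]

# Behavior profile for privileged accounts (assumed to have been learned from
# prior history): the hosts each account normally authenticates from and the
# hours it normally works.
PRIVILEGED_PROFILE = {
    "svc_backup": {"hosts": {"backup01"}, "hours": range(0, 24)},
    "dba_admin": {"hosts": {"db01", "db02"}, "hours": range(7, 20)},
}

# Constructed flow records: (src, dst, dport, UTC timestamp).
FLOWS = [
    # A 5-minute beacon with a few seconds of jitter.
    ("10.0.0.5", "203.0.113.10", 443, "2014-03-04T10:00:00Z"),
    ("10.0.0.5", "203.0.113.10", 443, "2014-03-04T10:05:02Z"),
    ("10.0.0.5", "203.0.113.10", 443, "2014-03-04T10:09:58Z"),
    ("10.0.0.5", "203.0.113.10", 443, "2014-03-04T10:15:01Z"),
    ("10.0.0.5", "203.0.113.10", 443, "2014-03-04T10:19:59Z"),
    ("10.0.0.5", "203.0.113.10", 443, "2014-03-04T10:25:00Z"),
    # Ordinary browsing: same number of connections, irregular spacing.
    ("10.0.0.9", "93.184.216.34", 80, "2014-03-04T10:00:00Z"),
    ("10.0.0.9", "93.184.216.34", 80, "2014-03-04T10:00:07Z"),
    ("10.0.0.9", "93.184.216.34", 80, "2014-03-04T10:03:40Z"),
    ("10.0.0.9", "93.184.216.34", 80, "2014-03-04T10:21:15Z"),
    ("10.0.0.9", "93.184.216.34", 80, "2014-03-04T10:22:01Z"),
    ("10.0.0.9", "93.184.216.34", 80, "2014-03-04T10:45:00Z"),
    # Too few connections to judge periodicity.
    ("10.0.0.7", "198.51.100.5", 443, "2014-03-04T10:00:00Z"),
    ("10.0.0.7", "198.51.100.5", 443, "2014-03-04T10:05:00Z"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def privileged_user_alerts(events=AUTH_EVENTS, profile=PRIVILEGED_PROFILE):
    """Rule 1: flag privileged logins that deviate from the account's profile.
    Accounts without a profile are not privileged and are ignored."""
    alerts = []
    for user, host, ts in events:
        p = profile.get(user)
        if p is None:
            continue
        if host not in p["hosts"]:
            alerts.append((user, host, ts, "unexpected_source_host"))
        if parse_ts(ts).hour not in p["hours"]:
            alerts.append((user, host, ts, "outside_working_hours"))
    return alerts


def beacon_candidates(flows=FLOWS, min_connections=5, max_cv=0.1):
    """Rule 2: per (src, dst, dport), measure how regular the gaps between
    connections are. A coefficient of variation near 0 means a metronome,
    which is what a simple C&C beacon looks like; browsing is bursty and
    scores far higher."""
    by_pair = defaultdict(list)
    for src, dst, dport, ts in flows:
        by_pair[(src, dst, dport)].append(parse_ts(ts))
    found = []
    for (src, dst, dport), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            found.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                          "period_s": round(period), "cv": round(cv, 3)})
    return found


if __name__ == "__main__":
    for a in privileged_user_alerts():
        print("PRIV", a)
    for b in beacon_candidates():
        print("BEACON", b)
```

Both rules are only as good as the data behind them, which is the deck's "you are what you eat" point: the privileged-user rule needs an authoritative list of privileged accounts and a baseline to compare against, and the beacon rule needs flow or proxy data with reliable timestamps. Fixed-period detection also misses C&C that sleeps for hours or randomizes its interval heavily, and it will flag legitimate pollers such as update checks and monitoring agents, so the candidates it produces are best ranked against the asset inventory and any external indicator matches rather than alerted on alone.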
Ease-of-use & Implementation

• Many SIEM solutions have been notoriously difficult to implement and use
• SIEM platforms should be:
  – Relatively simple to install
  – Intuitive for analysts using the GUI or other tools
  – Easy to expand or upgrade
  – Understandable without a PhD

Questions for SIEM Vendors
Hint: Print this out for the next time they call you…

• How long will it take to go from software installation to security insight? For reals.
• How many staff members or outside consultants will I need for the integration work?
• What can I do if I don’t have all of the external security technologies in place that can feed the SIEM (e.g. asset inventories, IDS, vulnerability scans, netflows, etc.)?
• What is the anticipated mix of licensing costs to consulting and implementation fees?
• Do your alerts provide step-by-step instructions for how to investigate and mitigate?

Threat Intelligence: Questions to Ask

• What sources of threat intelligence are available?
• Are intelligence sources widely distributed, representing a range of organizations and technology?
• How is threat intelligence integrated with internal data sets?
• How can threat intelligence be shared securely?

Collaborative Threat Intelligence: AlienVault Open Threat Exchange™ (OTX)

Coordinated Analysis, Actionable Guidance

• 200,000 to 350,000 IPs validated daily
• 8,000 collection points
• 140 countries
Join OTX: www.alienvault.com/open-threat-exchange
A Unified Approach

AlienVault USM™, powered by AV Labs Threat Intelligence:

SECURITY INTELLIGENCE
• SIEM Event Correlation
• Incident Response

BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

THREAT DETECTION
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring

ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory

VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning

Conclusion

• Some organizations have traditionally been afraid of SIEM…
  – But do they need to be?
• SIEM platforms *can* be implemented and managed without horror stories
• The key is planning up front and asking the right questions of potential vendors
• A unified approach will prove more successful with limited resources
Questions?

Q@SANS.ORG

Three Ways to Test Drive AlienVault USM
• Download a Free 30-Day Trial: http://www.alienvault.com/free-trial
• Try our Interactive Demo: http://www.alienvault.com/live-demo-site
• Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usm-live-demo

Thank You!