SIEM EVOLUTION
A day in the life of a Security Architect

Stijn Vande Casteele

28 September 2009
Who are we / Key Brands




www.arcsight.com      © 2009 ArcSight Confidential   2
International presence:
  Leading ICT integrator in Western Europe

  • Leading ICT integrator in Belgium, France & Luxembourg
  • 32 affiliates in Western Europe
  • Global reach through strategic partners
What do I do?

• My team provides solutions to underpin the on-site and managed SIEM
  services, with a focus on the what and the how!
• Engineer a grid/cloud/infrastructure to deliver these services to customers
  (enterprises) with a focus on security operations.
• Steer the service catalogue with fresh use cases (add value).
• Integrate technologies with our architecture to build automations and enhance
  the richness of our SIEM clouds:
    • Data sources configuration documents
    • Automatic ticket creation
    • Portal visualizations
    • Self monitoring
• 2nd line support for security management related infrastructure
  (application/systems) and forensic security investigations.
• Advice in general on a diverse range of pre-sales and service questions within
  this domain.

• Objective: centre of excellence (SIEM think-tank for the Belgacom group)
Agenda

  • Security Monitoring
  • SIEM architectures
  • Use Cases




Firewall Security Monitoring

[Diagram: inbound and outbound firewall logs feed the SIEM]

  Inbound Top Drops
    • Active list with confirmed scanners from the Internet
    • If the firewall accepts from IP addresses in the active list,
      increase event priority

  Outbound Top Drops
    • Can spot infected internal systems or configuration errors
      (e.g. wrong DNS or NTP client configuration)
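The two detections on this slide can be written as a small piece of correlation logic. The Python below is an added example, not ArcSight content and not code from the presentation: the firewall log format, the addresses, the thresholds and the 1-10 priority scale are constructed for illustration, and the criterion used to "confirm" a scanner (inbound drops against several distinct internal hosts) is an assumption, because the slide does not say how the active list is populated.

```python
"""Firewall top-drop analysis with a scanner active list (added example)."""
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed, vendor-neutral firewall log lines: timestamp direction action src dst dport
# Internal networks: 10.0.0.0/8 (office) and 192.0.2.0/24 (DMZ); everything else is "Internet".
FIREWALL_LOGS = """\
2009-09-28T08:00:01 in  drop   203.0.113.5    192.0.2.10     22
2009-09-28T08:00:02 in  drop   203.0.113.5    192.0.2.11     22
2009-09-28T08:00:03 in  drop   203.0.113.5    192.0.2.12     22
2009-09-28T08:00:04 in  drop   203.0.113.5    192.0.2.13     22
2009-09-28T08:00:05 in  drop   198.51.100.7   192.0.2.10     80
2009-09-28T08:01:00 in  accept 203.0.113.5    192.0.2.20     443
2009-09-28T08:01:01 in  accept 198.51.100.9   192.0.2.20     443
2009-09-28T08:02:00 out drop   10.1.1.50      203.0.113.53   53
2009-09-28T08:02:01 out drop   10.1.1.50      203.0.113.53   53
2009-09-28T08:02:02 out drop   10.1.1.50      203.0.113.53   53
2009-09-28T08:02:03 out drop   10.1.1.77      198.51.100.200 6667
2009-09-28T08:02:04 out drop   10.1.1.77      198.51.100.201 6667
2009-09-28T08:02:05 out drop   10.1.1.77      198.51.100.202 6667
2009-09-28T08:02:06 out drop   10.1.1.77      198.51.100.203 6667
2009-09-28T08:02:07 out drop   10.1.1.80      203.0.113.123  123
"""


@dataclass
class Event:
    ts: str
    direction: str        # "in" = Internet -> us, "out" = us -> Internet
    action: str           # "drop" or "accept"
    src: str
    dst: str
    dport: int
    priority: int = 3     # constructed base priority on a 1-10 scale


def load(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, direction, action, src, dst, dport = line.split()
            events.append(Event(ts, direction, action, src, dst, int(dport)))
    return events


def scanner_active_list(events: list[Event], min_targets: int = 3) -> set[str]:
    """Active list of confirmed scanners. Constructed criterion: an Internet source whose
    inbound connections were dropped against at least `min_targets` distinct internal hosts."""
    targets: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e.direction == "in" and e.action == "drop":
            targets[e.src].add(e.dst)
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}


def escalate_inbound_accepts(events, active_list, escalated_priority=8):
    """Inbound accepts from an address on the active list: raise the event priority."""
    hits = []
    for e in events:
        if e.direction == "in" and e.action == "accept" and e.src in active_list:
            e.priority = escalated_priority
            hits.append(e)
    return hits


# Hints for the outbound top-drop report, following the slide's DNS/NTP examples.
PORT_HINTS = {53: "possible wrong DNS client configuration",
              123: "possible wrong NTP client configuration"}


def outbound_top_drops(events, top_n=3):
    """Most frequently dropped (internal source, destination port) pairs, each with a hint."""
    counts = Counter((e.src, e.dport)
                     for e in events if e.direction == "out" and e.action == "drop")
    return [(src, dport, n,
             PORT_HINTS.get(dport, "unexpected outbound traffic: possibly infected host"))
            for (src, dport), n in counts.most_common(top_n)]


def analyse(text: str = FIREWALL_LOGS):
    events = load(text)
    active = scanner_active_list(events)
    return {"active_list": active,
            "escalated": escalate_inbound_accepts(events, active),
            "outbound_top_drops": outbound_top_drops(events)}


if __name__ == "__main__":
    result = analyse()
    print("scanner active list:", sorted(result["active_list"]))
    for e in result["escalated"]:
        print(f"ESCALATED priority={e.priority}: {e.ts} accept from {e.src} -> {e.dst}:{e.dport}")
    for src, dport, n, hint in result["outbound_top_drops"]:
        print(f"outbound drops {src} -> port {dport}: {n} ({hint})")
```

In a real SIEM the active list would be maintained by a rule and aged out over time; here it is rebuilt from the same batch of events, which is enough to show why the inbound accept from 203.0.113.5 is the one event that deserves an analyst's attention, and why the outbound drops from 10.1.1.50 point at a client-configuration problem rather than an infection.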
Security Analysis

        • Unlike firewalls, IDS/IPS provide information up to OSI layer 7 via
          signature based detection methods
        • Typical attacks detected by IDS/IPS: Worms, Exploits, Brute force
          attacks, Backdoors, Covert channels.
        • IDS/IPS are best placed where “threat x asset value” is high (e.g. DMZ,
          server farm)
        • IDS/IPS provide input for SIEM tools to correlate with Vulnerability
          and Asset (VA) data
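How "threat x asset value" and the VA data can be combined into an alert priority, as an added Python example (not from the presentation and not the ArcSight priority formula): the asset inventory, the alerts, the VULN-PLACEHOLDER identifiers and the mapping onto a 1-10 priority are all constructed.

```python
"""Prioritising IDS/IPS alerts with vulnerability and asset (VA) data (added example)."""
from __future__ import annotations
import math
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    zone: str                 # e.g. "dmz", "server-farm", "office"
    value: int                # business value of the asset, 1-5 (constructed scale)
    open_vulns: set[str] = field(default_factory=set)   # vulnerability IDs from the VA scanner


@dataclass
class Alert:
    ts: str
    signature: str
    targets_vuln: str | None  # vulnerability ID the signature exploits, if the IDS knows it
    src: str
    dst: str
    threat: int               # signature severity as rated by the IDS, 1-5


# Constructed asset inventory merged with VA scan results (VULN-PLACEHOLDER ids are placeholders)
ASSETS = {
    "192.0.2.10": Asset("192.0.2.10", "dmz", 5, {"VULN-PLACEHOLDER-0001"}),
    "192.0.2.11": Asset("192.0.2.11", "dmz", 5, set()),          # same service, patched
    "10.1.1.50":  Asset("10.1.1.50", "office", 2, {"VULN-PLACEHOLDER-0002"}),
}

# Constructed IDS alerts
ALERTS = [
    Alert("2009-09-28T10:00:00", "WEB worm exploit attempt", "VULN-PLACEHOLDER-0001",
          "203.0.113.5", "192.0.2.10", 4),
    Alert("2009-09-28T10:00:01", "WEB worm exploit attempt", "VULN-PLACEHOLDER-0001",
          "203.0.113.5", "192.0.2.11", 4),
    Alert("2009-09-28T10:01:00", "SSH brute force", None, "203.0.113.9", "10.1.1.50", 3),
    Alert("2009-09-28T10:02:00", "IRC backdoor channel", None, "10.1.1.77", "198.51.100.200", 5),
]


def prioritise(alert: Alert, assets: dict[str, Asset]) -> tuple[int, str]:
    """Return (priority 1-10, reason). Score = threat x asset value, doubled when the VA data
    confirms the target is vulnerable, halved when it shows the target is not."""
    asset = assets.get(alert.dst)
    if asset is None:
        # Unknown target: keep the IDS severity as-is and flag the inventory gap
        return alert.threat, "destination not in asset inventory"
    score = alert.threat * asset.value          # "threat x asset value", 1-25
    if alert.targets_vuln is None:
        reason = f"no vulnerability match possible ({asset.zone}, value {asset.value})"
    elif alert.targets_vuln in asset.open_vulns:
        score *= 2
        reason = f"target confirmed vulnerable to {alert.targets_vuln}"
    else:
        score //= 2
        reason = f"target not vulnerable to {alert.targets_vuln} (VA data)"
    priority = max(1, min(10, math.ceil(score / 5)))  # map 1-50 onto 1-10
    return priority, reason


def triage(alerts=ALERTS, assets=ASSETS):
    """(signature, destination, priority, reason) for every alert, in input order."""
    return [(a.signature, a.dst, *prioritise(a, assets)) for a in alerts]


if __name__ == "__main__":
    for sig, dst, prio, reason in sorted(triage(), key=lambda r: -r[2]):
        print(f"P{prio:<2} {dst:<16} {sig:<26} {reason}")
```

The two identical worm alerts end up five priority levels apart purely because of the VA data: the patched DMZ host is not worth an analyst's time, the unpatched one is. The alert whose destination is missing from the inventory keeps its raw IDS severity, which is the honest answer when the asset data needed for the multiplication is not there.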
Monitoring WiFi GUEST traffic

[Diagram: END-USER → CISCO WLC → CISCO ASA → Internet]

  From the CISCO WLC:              From the CISCO ASA:
    End-User MAC Address             End-User IP Address
    End-User IP Address              Web Target Address
    End-User Account Name            Web Target Port

  Combined record:
    End-User MAC Address
    End-User IP Address
    End-User Account Name
    Web Target Address
    Web Target Port
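An added Python example (not from the presentation; the WLC and ASA line formats below are constructed simplifications, not Cisco's real syslog formats) of the join the slide describes. It goes one step beyond the slide: guest IP addresses are handed out by DHCP and reused, so the join is time-aware and attributes an ASA connection to whichever WLC session held that source IP at that moment, leaving it unattributed when no session did.

```python
"""Time-aware correlation of WLC and ASA guest-WiFi logs (added example)."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed WLC records (not the real Cisco syslog format):
#   timestamp event account mac assigned-ip     event = assoc | disassoc
WLC_LOGS = """\
2009-09-28T09:00:00 assoc    alice 00:11:22:33:44:55 10.9.0.21
2009-09-28T09:30:00 disassoc alice 00:11:22:33:44:55 10.9.0.21
2009-09-28T09:35:00 assoc    bob   66:77:88:99:aa:bb 10.9.0.21
"""
# Constructed ASA connection records (not the real format): timestamp src dst dport
ASA_LOGS = """\
2009-09-28T09:10:00 10.9.0.21 198.51.100.10 443
2009-09-28T09:32:00 10.9.0.21 198.51.100.30 25
2009-09-28T09:40:00 10.9.0.21 198.51.100.20 80
"""


@dataclass
class Session:
    ip: str
    mac: str
    account: str
    start: datetime
    end: datetime | None = None   # None while the client is still associated


def build_sessions(wlc_text: str) -> dict[str, list[Session]]:
    """Turn WLC assoc/disassoc events into per-IP sessions with start/end times."""
    open_by_mac: dict[str, Session] = {}
    sessions: dict[str, list[Session]] = defaultdict(list)
    for line in wlc_text.splitlines():
        if not line.strip():
            continue
        ts, event, account, mac, ip = line.split()
        t = datetime.fromisoformat(ts)
        if event == "assoc":
            s = Session(ip, mac, account, t)
            open_by_mac[mac] = s
            sessions[ip].append(s)
        elif event == "disassoc":
            s = open_by_mac.pop(mac, None)
            if s is not None:
                s.end = t
    return sessions


def session_at(sessions, ip: str, t: datetime) -> Session | None:
    """The session that held `ip` at time `t`, if any (start inclusive, end exclusive)."""
    for s in sessions.get(ip, []):
        if s.start <= t and (s.end is None or t < s.end):
            return s
    return None


def correlate(wlc_text: str = WLC_LOGS, asa_text: str = ASA_LOGS) -> list[dict]:
    """Enrich each ASA connection with the MAC and account from the matching WLC session."""
    sessions = build_sessions(wlc_text)
    rows = []
    for line in asa_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        s = session_at(sessions, src, datetime.fromisoformat(ts))
        rows.append({"ts": ts, "mac": s.mac if s else None, "ip": src,
                     "account": s.account if s else None,
                     "target": dst, "port": int(dport)})
    return rows


def unattributed(rows: list[dict]) -> list[dict]:
    """Connections no WLC session explains: a log gap, or a device that bypassed the WLC."""
    return [r for r in rows if r["account"] is None]


if __name__ == "__main__":
    rows = correlate()
    for r in rows:
        print(r)
    print("unattributed:", len(unattributed(rows)))
```

A join on IP address alone would charge bob's 09:40 connection to alice, who held 10.9.0.21 first; the session window prevents that. The 09:32 connection falls between alice's disassociation and bob's association, so it stays unattributed, which is itself worth a rule: traffic from the guest range with no WLC session behind it means either missing WLC logs or a client that is on the network without having associated through the controller.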
Monitoring business risks

[Diagram: Confidentiality, Integrity and Availability arranged around "Business impact"]

  Confidentiality: protecting sensitive information from unauthorised disclosure or
    malicious interception.
  Integrity: safeguarding the accuracy and completeness of information.
  Availability: ensuring that vital IT services and information are available when
    required.
Agenda

  • Security Monitoring
  • SIEM architectures
  • Use Cases




Some history…




                   ArcSight 2.1 (Sept 2003)
                   ArcSight 2.2 (POC)
                   ArcSight 2.5 (Production Jan 2004)
                   ArcSight 3.0 (Production Oct 2004)
                   ArcSight 3.5 (Production Mar 2006)
                   ArcSight 4.0 (Production Sept 2007)




Telindus hardware tests

    Two different hardware platforms were tested from an ArcSight manager
    performance perspective:

    Model             Architecture   CPU                        RAM     OS
    Sun SPARC T2000   SPARC T1       1 x 8 core (1.2 GHz)       32 GB   Solaris 10
    Sun Fire X2100    AMD X_64       1 x dual core (1.8 GHz)    4 GB    Red Hat 4.5

    • As the biggest factor in database performance is the available RAM and
      the SAN read / write speed, the OS / architecture is not so influential.
    • It seems to Telindus that the ArcSight 4.0 JRE is not optimized to make use of
      the multi-thread (CMT) possibilities of the Sun T1 processor. The AMD
      X_64 / Red Hat platform significantly outperformed the SPARC T1 /
      Solaris platform.
ArcSight test graph

[Graph: Y-axis = EPS (000’s), X-axis = number of core CPUs]
Security Event Lifecycle




Log Sources

[Bubble chart of log sources: the diameter of each circle is proportional to the event
 amounts; position reflects security information value and relevance with respect to
 security information and correlation capabilities]

  Security events and information:
    NIPS (Network Intrusion Prevention Systems), HIPS, FW (Firewalls), AV, VA data,
    Web content screening, Reverse proxy, Proxy, NBA

  Network and application events / information:
    Routers & switches, Monitoring logs, Web servers, OS logs, DB logs, AIM,
    Email / smartphone gateways
Standardized data collection?




                   We need a uniform way in which computer events are
                          described, logged, and exchanged.
Agenda

  • Security Monitoring
  • SIEM architectures
  • Use Cases




Use Case library

[Diagram: the Use Case Library at the centre, with three categories around it]
  • Insider threat
  • Perimeter Defence
  • Regulatory compliance
SIEM audit report




Security Operations




Event Management




Conclusions

  • Carefully plan your SIEM migrations with business and operations!
  • Make checklists, cheat sheets and technical notes to educate your
    security analysts on new evolutions.
  • Keep a change log for SIEM content adaptations.
  • Think out-of-the-box, SIEM has a lot of potential but KISS towards
    the outside.
  • Request (simple) KPIs on how your application/service is evolving.
  • Use intake templates to facilitate the scoping exercise towards your
    client.
  • Centralize your efforts, look for partners and create centre of
    excellence in your organization around security monitoring.



Questions?

                   stijn.vandecasteele@telindus.be

                   http://www.linkedin.com/in/ictsecurity

                   http://www.twitter.com/securityworld




