SIEM evolution

Back in 2003, Telindus developed a business case for delivering SIEM managed security services to the enterprise market. This session sheds light on the successive tooling migrations and explains in depth the evolutions achieved from an architecture, security operations, services and content standpoint. It is geared towards application developers, architects, SOC employees, business consultants and program managers.


  1. SIEM EVOLUTION: A day in the life of a Security Architect. Stijn Vande Casteele, 28 September 2009
  2. Who are we / Key Brands (© 2009 ArcSight Confidential)
  3. International presence: leading ICT integrator in Western Europe
     • Leading ICT integrator in Belgium, France & Luxembourg
     • 32 affiliates in Western Europe
     • Global reach through strategic partners
     (Sensitivity: Unrestricted, 28 September 2009)
  4. What do I do?
     • My team provides solutions to underpin the on-site and managed SIEM services, with a focus on the what and the how!
     • Engineer a grid/cloud/infrastructure to deliver these services to customers (enterprises) with a focus on security operations.
     • Steer the service catalogue with fresh use cases (add value).
     • Integrate technologies with our architecture to build automations and enhance the richness of our SIEM clouds:
       - Data source configuration documents
       - Automatic ticket creation
       - Portal visualizations
       - Self-monitoring
     • 2nd line support for security-management-related infrastructure (applications/systems) and forensic security investigations.
     • Advice in general on a diverse range of pre-sales and service questions within this domain.
     • Objective: centre of excellence (SIEM think-tank for the Belgacom group)
  5. Agenda • Security Monitoring • SIEM architectures • Use Cases
  6. Firewall Security Monitoring (diagram: the firewall's inbound and outbound logs feed the SIEM)
     • Inbound top drops: maintain an active list of confirmed scanners from the Internet; if the firewall accepts a connection from an IP address in the active list, increase the event priority.
     • Outbound top drops: can spot infected internal systems or configuration errors (e.g. a wrong DNS or NTP client configuration).
  7. Security Analysis
     • Unlike firewalls, IDS/IPS provide information up to OSI layer 7 via signature-based detection methods.
     • Typical attacks detected by IDS/IPS: worms, exploits, brute-force attacks, backdoors, covert channels.
     • IDS/IPS are best placed where "threat x asset value" is high (e.g. DMZ, server farm).
     • IDS/IPS provide input for SIEM tools to correlate with Vulnerability and Asset (VA) data.
  8. Monitoring WiFi GUEST traffic (diagram: End-User → Cisco WLC → Cisco ASA → Internet)
     • Fields from the Cisco WLC: End-User MAC Address, End-User IP Address, End-User Account Name
     • Fields from the Cisco ASA: End-User IP Address, Web Target Address, Web Target Port
     • Correlated result: End-User MAC Address, End-User IP Address, End-User Account Name, Web Target Address, Web Target Port
  9. Monitoring business risks (diagram labelled "Business impact")
     • Confidentiality: protecting sensitive information from unauthorised disclosure or malicious interception.
     • Availability: ensuring that vital IT services and information are available when required.
     • Integrity: safeguarding the accuracy and completeness of information.
  10. Agenda • Security Monitoring • SIEM architectures • Use Cases
  11. Some history: ArcSight 2.1 (Sept 2003) → ArcSight 2.2 (POC) → ArcSight 2.5 (production Jan 2004) → ArcSight 3.0 (production Oct 2004) → ArcSight 3.5 (production Mar 2006) → ArcSight 4.0 (production Sept 2007)
  12. Telindus hardware tests. Two different hardware platforms were tested from an ArcSight manager performance perspective:
     Model | Architecture | CPU | RAM | OS
     Sun SPARC T2000 | SPARC T1 | 1 x 8 core (1.2 GHz) | 32 GB | Solaris 10
     Sun Fire X2100 | AMD X_64 | 1 x dual core (1.8 GHz) | 4 GB | Red Hat 4.5
     • As the biggest factors in database performance are the available RAM and the SAN read/write speed, the OS/architecture is not so influential.
     • It seems to Telindus that the ArcSight 4.0 JRE is not optimized to make use of the multi-threading (CMT) capabilities of the Sun T1 processor. The AMD X_64 / Red Hat platform significantly outperformed the SPARC T1 / Solaris platform.
  13. ArcSight test graph (figure: Y-axis = EPS in thousands, X-axis = number of CPU cores)
  14. Security Event Lifecycle
  15. Log Sources (bubble chart: X-axis = relevance with respect to security information and correlation capabilities; Y-axis = security information value, from network and application events/information up to security events and information; bubble diameter is proportional to event amounts). Sources plotted: Network Intrusion Prevention Systems (NIPS), HIPS, Firewalls (FW), AV, VA data, Web content screening, NBA, Reverse proxy, Routers & switches, Monitoring logs, Web servers, Proxy, OS logs, DB logs, AIM, Email / smartphone gateways.
  16. Standardized data collection? We need a uniform way in which computer events are described, logged and exchanged.
  17. Agenda • Security Monitoring • SIEM architectures • Use Cases
  18. Use Case library: Insider threat, Perimeter defence, Regulatory compliance
  19. SIEM audit report
  20. Security Operations
  21. Event Management
  22. Conclusions
     • Carefully plan your SIEM migrations with business and operations!
     • Make checklists, cheat sheets and technical notes to educate your security analysts on new evolutions.
     • Keep a change log for SIEM content adaptations.
     • Think outside the box: SIEM has a lot of potential, but keep it simple (KISS) towards the outside.
     • Request (simple) KPIs on how your application/service is evolving.
     • Use intake templates to facilitate the scoping exercise towards your client.
     • Centralize your efforts, look for partners and create a centre of excellence in your organization around security monitoring.
  23. Questions?
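The firewall monitoring use case from slide 6, as an added example that is not part of the deck or of any ArcSight content: an active list of confirmed scanners is built from inbound drops, inbound accepts from a listed source get a raised priority, and outbound top drops are ranked per internal host and port. The key=value log format, the scanner threshold and the priority values are assumptions, and the log lines are constructed.

```python
from collections import Counter, defaultdict

SCAN_THRESHOLD = 3       # assumption: drops on >= 3 distinct ports mark a scanner
BASE_PRIORITY = 3        # assumption: default priority for an accepted inbound flow
ESCALATED_PRIORITY = 8   # assumption: priority when the source is on the active list

# Constructed sample firewall log lines (key=value), not real data.
SAMPLE_LOGS = """\
dir=in act=drop src=203.0.113.9 dst=192.0.2.10 dpt=22
dir=in act=drop src=203.0.113.9 dst=192.0.2.10 dpt=23
dir=in act=drop src=203.0.113.9 dst=192.0.2.11 dpt=3389
dir=in act=drop src=198.51.100.4 dst=192.0.2.10 dpt=80
dir=in act=accept src=203.0.113.9 dst=192.0.2.20 dpt=443
dir=in act=accept src=198.51.100.4 dst=192.0.2.20 dpt=443
dir=out act=drop src=10.0.0.5 dst=192.0.2.53 dpt=53
dir=out act=drop src=10.0.0.5 dst=192.0.2.53 dpt=53
dir=out act=drop src=10.0.0.7 dst=192.0.2.99 dpt=445
dir=out act=drop src=10.0.0.7 dst=192.0.2.98 dpt=445
dir=out act=drop src=10.0.0.7 dst=192.0.2.97 dpt=445
"""

def parse(line):
    """Split one key=value log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def build_scanner_list(events):
    """Active list: inbound sources dropped on >= SCAN_THRESHOLD distinct ports."""
    ports = defaultdict(set)
    for e in events:
        if e["dir"] == "in" and e["act"] == "drop":
            ports[e["src"]].add(e["dpt"])
    return {src for src, p in ports.items() if len(p) >= SCAN_THRESHOLD}

def prioritise_accepts(events, scanners):
    """Inbound accepts from a listed scanner are escalated, as the slide describes."""
    return [(e["src"], e["dst"], e["dpt"],
             ESCALATED_PRIORITY if e["src"] in scanners else BASE_PRIORITY)
            for e in events if e["dir"] == "in" and e["act"] == "accept"]

def outbound_top_drops(events, n=5):
    """Outbound drops per (internal host, destination port). Repeated drops of one
    host to port 53 or 123 point at a DNS/NTP client misconfiguration; many drops
    to one port across many destinations point at an infected host."""
    return Counter((e["src"], e["dpt"]) for e in events
                   if e["dir"] == "out" and e["act"] == "drop").most_common(n)

def run_firewall_use_case(text=SAMPLE_LOGS):
    events = [parse(ln) for ln in text.splitlines() if ln.strip()]
    scanners = build_scanner_list(events)
    return scanners, prioritise_accepts(events, scanners), outbound_top_drops(events)
```

In a real deployment the active list would be fed and aged by the SIEM rather than rebuilt from the same batch of events.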
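The guest WiFi correlation from slide 8, as an added example that is not part of the deck: WLC association records (MAC, IP, account) are joined with ASA connection records (IP, web target, port) on the End-User IP Address, picking the association that was current at the time of the connection so that a reissued guest IP is attributed to the right account. Record layouts, timestamps and all values are constructed assumptions.

```python
from bisect import bisect_right

# Constructed WLC records: (time, mac, ip, account), one row per association.
WLC = [
    (100, "00:11:22:33:44:55", "172.16.5.10", "guest_anna"),
    (400, "66:77:88:99:aa:bb", "172.16.5.10", "guest_bert"),  # same IP reissued later
    (120, "cc:dd:ee:ff:00:11", "172.16.5.11", "guest_carl"),
]
# Constructed ASA records: (time, src_ip, web_target, web_port).
ASA = [
    (200, "172.16.5.10", "198.51.100.20", 443),
    (450, "172.16.5.10", "203.0.113.8", 80),
    (130, "172.16.5.11", "198.51.100.21", 443),
    (140, "172.16.5.99", "198.51.100.22", 443),   # no WLC record: unknown client
]

def index_wlc(records):
    """Per IP, a time-sorted list of (time, mac, account) so a lookup can pick
    the association that was current when the ASA logged the connection."""
    idx = {}
    for t, mac, ip, acct in sorted(records):
        idx.setdefault(ip, []).append((t, mac, acct))
    return idx

def correlate_guest_traffic(asa_records, wlc_index):
    """Return rows with the slide's five fields: MAC, IP, account, target, port.
    An ASA record whose IP has no WLC association at or before its time is
    reported with mac/account set to None rather than silently dropped."""
    rows = []
    for t, ip, target, port in asa_records:
        assocs = wlc_index.get(ip, [])
        pos = bisect_right([a[0] for a in assocs], t) - 1
        mac, acct = (assocs[pos][1], assocs[pos][2]) if pos >= 0 else (None, None)
        rows.append((mac, ip, acct, target, port))
    return rows

def run_guest_correlation():
    return correlate_guest_traffic(ASA, index_wlc(WLC))
```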