SIEM evolution

2. Who are we / Key Brands
www.arcsight.com © 2009 ArcSight Confidential 2
3. International presence:
Leading ICT integrator in Western Europe
• Leading ICT integrator in Belgium, France & Luxembourg
• 32 affiliates in Western Europe
• Global reach through strategic partners
Sensitivity: "Unrestricted", 28 September 2009
4. What do I do?
• My team provides solutions to underpin the on-site and managed SIEM services, with a focus on the what and the how!
• Engineer a grid/cloud/infrastructure to deliver these services to customers (enterprises) with a focus on security operations.
• Steer the service catalogue with fresh use cases (add value).
• Integrate technologies with our architecture to build automations and enhance the richness of our SIEM clouds:
  • Data sources configuration documents
  • Automatic ticket creation
  • Portal visualizations
  • Self monitoring
• 2nd line support for security management related infrastructure (application/systems) and forensic security investigations.
• Advice in general on a diverse range of pre-sales and service questions within this domain.
• Objective: centre of excellence (SIEM think-tank for the Belgacom group)
5. Agenda
• Security Monitoring
• SIEM architectures
• Use Cases
6. Firewall Security Monitoring
Firewall logs (inbound and outbound traffic) are fed into the SIEM.
• Inbound Top Drops: maintain an active list of confirmed scanners from the Internet. If the firewall accepts a connection from an IP address in the active list, increase the event priority.
• Outbound Top Drops: can spot infected internal systems or configuration errors (e.g. wrong DNS or NTP client configuration).
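The two firewall use cases above, worked through in code. This is an added example, not content from the deck or ArcSight's own rule language: the log format, the internal address ranges, the scanner threshold and the priority values are all assumptions constructed for the illustration. Inbound drops populate an active list of confirmed scanners, accepts from a listed source get a raised priority, and outbound drops are summarised per internal source and port with a hint for the DNS/NTP misconfiguration case the slide mentions.

```python
"""Firewall drop monitoring (constructed example, not ArcSight content).

Inbound "top drops" feed an active list of confirmed scanners; an accept
from a listed source gets its event priority raised.  Outbound "top drops"
are summarised per internal source and port so that infected hosts or
client misconfigurations (DNS/NTP) stand out.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumptions: internal address space, thresholds and priorities are invented.
INTERNAL_PREFIXES = ("10.", "192.168.")
SCANNER_MIN_TARGETS = 5        # distinct (host, port) pairs dropped before "confirmed"
BASE_PRIORITY = 3
SCANNER_BOOST = 5
PORT_HINTS = {53: "possible wrong DNS client configuration",
              123: "possible wrong NTP client configuration"}
DEFAULT_HINT = "check host for possible infection"


@dataclass(frozen=True)
class FwEvent:
    action: str   # "drop" or "accept"
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> FwEvent:
    """Parse one constructed key=value firewall log line (timestamp, 'fw', fields)."""
    fields = dict(tok.split("=", 1) for tok in line.split()[2:])
    return FwEvent(fields["action"], fields["src"], fields["dst"], int(fields["dport"]))


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def build_active_list(events, min_targets=SCANNER_MIN_TARGETS):
    """Inbound drops: external sources hitting many distinct internal (host, port) pairs."""
    targets = defaultdict(set)
    for e in events:
        if e.action == "drop" and not is_internal(e.src) and is_internal(e.dst):
            targets[e.src].add((e.dst, e.dport))
    return {src for src, t in targets.items() if len(t) >= min_targets}


def escalate_accepts(events, active_list):
    """Accepted connections from a listed scanner get a raised priority."""
    return [(e.src, e.dst, BASE_PRIORITY + SCANNER_BOOST)
            for e in events if e.action == "accept" and e.src in active_list]


def outbound_top_drops(events, n=3):
    """Internal sources whose outbound traffic was dropped, with a hint per port."""
    counts = Counter((e.src, e.dport) for e in events
                     if e.action == "drop" and is_internal(e.src) and not is_internal(e.dst))
    return [(src, port, cnt, PORT_HINTS.get(port, DEFAULT_HINT))
            for (src, port), cnt in counts.most_common(n)]


def analyse(log_text: str) -> dict:
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    active = build_active_list(events)
    return {"active_list": active,
            "escalated": escalate_accepts(events, active),
            "outbound_top_drops": outbound_top_drops(events)}


# Constructed sample log: one external scanner, one benign external host,
# one internal host repeatedly blocked on DNS, one on an IRC-style port.
SAMPLE_LOG = """\
2009-09-28T10:00:01 fw action=drop src=203.0.113.7 dst=10.1.1.10 dport=22
2009-09-28T10:00:02 fw action=drop src=203.0.113.7 dst=10.1.1.10 dport=23
2009-09-28T10:00:03 fw action=drop src=203.0.113.7 dst=10.1.1.10 dport=80
2009-09-28T10:00:04 fw action=drop src=203.0.113.7 dst=10.1.1.11 dport=443
2009-09-28T10:00:05 fw action=drop src=203.0.113.7 dst=10.1.1.12 dport=3389
2009-09-28T10:00:06 fw action=drop src=198.51.100.9 dst=10.1.1.10 dport=445
2009-09-28T10:01:00 fw action=accept src=203.0.113.7 dst=10.1.1.20 dport=443
2009-09-28T10:01:01 fw action=accept src=198.51.100.9 dst=10.1.1.20 dport=443
2009-09-28T10:02:00 fw action=drop src=10.1.2.55 dst=192.0.2.53 dport=53
2009-09-28T10:02:01 fw action=drop src=10.1.2.55 dst=192.0.2.53 dport=53
2009-09-28T10:02:02 fw action=drop src=10.1.2.55 dst=192.0.2.53 dport=53
2009-09-28T10:02:03 fw action=drop src=10.1.2.60 dst=192.0.2.40 dport=6667
"""

if __name__ == "__main__":
    from pprint import pprint
    pprint(analyse(SAMPLE_LOG))
```

The active list is rebuilt from the whole log here; in a SIEM it would be a persistent list with an ageing rule so that a scanner seen weeks ago does not keep escalating events forever.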
7. Security Analysis
• Unlike firewalls, IDS/IPS provide information up to OSI layer 7 via signature-based detection methods.
• Typical attacks detected by IDS/IPS: worms, exploits, brute force attacks, backdoors, covert channels.
• IDS/IPS are best placed where "threat x asset value" is high (e.g. DMZ, server farm).
• IDS/IPS provide input for SIEM tools to correlate with Vulnerability and Asset (VA) data.
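The last bullet, correlating IDS/IPS alerts with VA data, as an added example that is not part of the deck and not ArcSight's correlation engine. The asset inventory, alert feed, vulnerability identifiers (placeholders of the form VA-000n, not real CVE numbers) and the scoring weights are all constructed assumptions. An alert referencing a vulnerability is scored up when the VA scan confirms the target has it and scored down when it does not, and the asset's business value multiplies the result, which is the "threat x asset value" idea from the slide applied per event.

```python
"""IDS/IPS alert correlation with Vulnerability and Asset (VA) data.

Constructed example: identifiers, weights and inventory are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    value: int           # business value 1 (low) .. 5 (critical), from the asset inventory
    vulns: frozenset     # vulnerability ids reported by the VA scanner for this host


@dataclass(frozen=True)
class IdsAlert:
    signature: str
    severity: int        # signature severity 1 .. 5 as reported by the IDS
    src: str
    dst: str
    vuln_ref: Optional[str]   # vulnerability id the signature refers to, if any


def score_alert(alert: IdsAlert, assets: Dict[str, Asset]) -> Tuple[int, str]:
    """Return (priority, reason) for one alert given VA and asset data."""
    asset = assets.get(alert.dst)
    if asset is None:
        # Unknown target: nothing to multiply with, keep the raw severity and flag it.
        return alert.severity, "target not in asset inventory"
    base = alert.severity * asset.value          # threat x asset value
    if alert.vuln_ref is None:
        return base, "no vulnerability reference in signature"
    if alert.vuln_ref in asset.vulns:
        return base * 2, "target vulnerable (VA confirms)"
    return max(1, base // 2), "target not vulnerable per VA"


def correlate(alerts: List[IdsAlert], assets: Dict[str, Asset]) -> List[Tuple[str, str, int, str]]:
    """Score every alert and return (signature, target, priority, reason), highest first."""
    scored = [(a.signature, a.dst, *score_alert(a, assets)) for a in alerts]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed inventory: a critical DMZ web server with one open finding
# and a low-value workstation with none.
ASSETS = {
    "10.1.1.10": Asset("10.1.1.10", "web-dmz-01", 5, frozenset({"VA-0001"})),
    "10.1.2.55": Asset("10.1.2.55", "ws-0055", 2, frozenset()),
}

# Constructed alert feed.
SAMPLE_ALERTS = [
    IdsAlert("web-exploit-attempt", 4, "203.0.113.7", "10.1.1.10", "VA-0001"),
    IdsAlert("web-exploit-attempt-other", 4, "203.0.113.7", "10.1.1.10", "VA-0002"),
    IdsAlert("bruteforce-login", 3, "198.51.100.9", "10.1.2.55", None),
    IdsAlert("worm-propagation", 3, "10.1.2.55", "10.9.9.9", None),
]

if __name__ == "__main__":
    for row in correlate(SAMPLE_ALERTS, ASSETS):
        print(row)
```

Two alerts with the same signature severity against the same server end up four times apart in priority purely on the VA result, which is the point of feeding scan data into the SIEM: the analyst queue is ordered by what can actually succeed, not by what the sensor fired on.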
8. Monitoring WiFi GUEST traffic
Path: END-USER -> CISCO WLC -> CISCO ASA -> Internet
• Cisco WLC logs: End-User MAC Address, End-User IP Address, End-User Account Name
• Cisco ASA logs: End-User IP Address, Web Target Address, Web Target Port
• Combined view (common field: End-User IP Address): End-User MAC Address, End-User IP Address, End-User Account Name, Web Target Address, Web Target Port
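The join between the two log sources on the slide, as an added example (not from the deck, and not real WLC or ASA syslog formats; the line layouts, addresses and names are constructed). WLC association/disassociation events are turned into sessions keyed by client IP, and each ASA connection is attributed to the session that owned that IP at the connection time. The edge case that matters on a guest network is IP reuse: after one guest leaves, DHCP hands the same address to the next, so a plain IP lookup without the time window would blame the wrong person.

```python
"""Attribute guest web traffic (ASA) to a user and MAC (WLC) via IP + time window.

Constructed example: log line formats and data are assumptions, not Cisco's.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

TS_FMT = "%Y-%m-%dT%H:%M:%S"


@dataclass
class Session:
    mac: str
    ip: str
    account: str
    start: datetime
    end: Optional[datetime] = None   # None while the client is still associated


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, TS_FMT)


def build_sessions(wlc_lines: List[str]) -> List[Session]:
    """Constructed WLC format: '<ts> assoc|disassoc <mac> <ip> <account>'."""
    sessions, open_by_mac = [], {}
    for line in wlc_lines:
        if not line.strip():
            continue
        ts, event, mac, ip, account = line.split()
        t = parse_ts(ts)
        if event == "assoc":
            s = Session(mac, ip, account, t)
            sessions.append(s)
            open_by_mac[mac] = s
        elif event == "disassoc":
            s = open_by_mac.pop(mac, None)
            if s is not None:
                s.end = t
    return sessions


def attribute(asa_lines: List[str], sessions: List[Session]) -> List[Tuple]:
    """Constructed ASA format: '<ts> <src ip> <web target> <port>'.

    Returns (account, mac, ip, target, port); account/mac are None when no
    single session owned the IP at that moment (gap or ambiguity).
    """
    rows = []
    for line in asa_lines:
        if not line.strip():
            continue
        ts, src, target, port = line.split()
        t = parse_ts(ts)
        owners = [s for s in sessions
                  if s.ip == src and s.start <= t and (s.end is None or t < s.end)]
        if len(owners) == 1:
            s = owners[0]
            rows.append((s.account, s.mac, src, target, int(port)))
        else:
            rows.append((None, None, src, target, int(port)))
    return rows


def attribute_traffic(wlc_text: str, asa_text: str) -> List[Tuple]:
    return attribute(asa_text.splitlines(), build_sessions(wlc_text.splitlines()))


# Constructed data: alice holds 10.10.0.5 from 09:00 to 09:30, bob gets the
# same address at 09:35.  The 09:32 connection falls in the gap between them.
WLC_LOG = """\
2009-09-28T09:00:00 assoc 00:11:22:33:44:55 10.10.0.5 alice
2009-09-28T09:30:00 disassoc 00:11:22:33:44:55 10.10.0.5 alice
2009-09-28T09:35:00 assoc 66:77:88:99:aa:bb 10.10.0.5 bob
"""
ASA_LOG = """\
2009-09-28T09:10:00 10.10.0.5 203.0.113.10 443
2009-09-28T09:32:00 10.10.0.5 203.0.113.10 80
2009-09-28T09:40:00 10.10.0.5 198.51.100.20 443
"""

if __name__ == "__main__":
    for row in attribute_traffic(WLC_LOG, ASA_LOG):
        print(row)
```

In a real deployment the WLC and ASA clocks must be synchronised (NTP) for the window check to be trustworthy, which ties back to the NTP client misconfiguration case on the firewall slide.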
9. Monitoring business risks (business impact)
• Confidentiality: protecting sensitive information from unauthorised disclosure or malicious interception.
• Availability: ensuring that vital IT services and information are available when required.
• Integrity: safeguarding the accuracy and completeness of information.
10. Agenda
• Security Monitoring
• SIEM architectures
• Use Cases
11. Some history…
ArcSight 2.1 (Sept 2003)
ArcSight 2.2 (POC)
ArcSight 2.5 (Production Jan 2004)
ArcSight 3.0 (Production Oct 2004)
ArcSight 3.5 (Production Mar 2006)
ArcSight 4.0 (Production Sept 2007)
12. Telindus hardware tests
Two different hardware platforms were tested from an ArcSight manager performance perspective:

Model            Architecture  CPU                       RAM    OS
Sun SPARC T2000  SPARC T1      1 x 8 core (1.2 GHz)      32 GB  Solaris 10
Sun Fire X2100   AMD x64       1 x dual core (1.8 GHz)   4 GB   Red Hat 4.5

• As the biggest factor in database performance is the available RAM and the SAN read/write speed, the OS / architecture is not so influential.
• It seems to Telindus that the ArcSight 4.0 JRE is not optimized to make use of the chip multi-threading (CMT) capabilities of the Sun T1 processor. The AMD x64 / Red Hat platform significantly outperformed the SPARC T1 / Solaris platform.
13. ArcSight test graph
[Graph: Y-axis = EPS (000's), X-axis = number of CPU cores]
15. Log Sources
[Bubble chart: diameter is proportional to the event amounts; axes are relevance with respect to security information and correlation capabilities, and security information value. Sources are grouped into "security events and information" and "network and application events / information".]
Sources shown: Network Intrusion Prevention Systems (NIPS), HIPS, Firewalls (FW), AV, VA data, Web content screening, NBA, Reverse proxy, Proxy, AIM, Email / smartphone gateways, Routers & switches, Monitoring logs, Web servers, OS logs, DB logs
16. Standardized data collection?
We need a uniform way in which computer events are described, logged, and exchanged.
17. Agenda
• Security Monitoring
• SIEM architectures
• Use Cases
18. Use Case library
The use case library covers three areas: Insider threat, Perimeter defence, Regulatory compliance.
22. Conclusions
• Carefully plan your SIEM migrations with business and operations!
• Make checklists, cheat sheets and technical notes to educate your security analysts on new evolutions.
• Keep a change log for SIEM content adaptations.
• Think out-of-the-box: SIEM has a lot of potential, but KISS towards the outside.
• Request (simple) KPIs on how your application/service is evolving.
• Use intake templates to facilitate the scoping exercise towards your client.
• Centralize your efforts, look for partners and create a centre of excellence in your organization around security monitoring.
23. Questions?
stijn.vandecasteele@telindus.be
http://www.linkedin.com/in/ictsecurity
http://www.twitter.com/securityworld