
Security Information and Event Management


An overview of Security Information and Event Management tools and beyond.

Published in: Technology
  1. Security Information and Event Management (and more) - February 28th, 2018
  2. Get in touch with us: Mailing List - sign in and check “Add to Mailing List”; Website -; Slack - #csg on; Email -
  3. Announcements: Lab Hangouts - ECSS 4.619 - 4 PM Thursday - February 15; Pentesting Session -
  4. Overview: 1. Getting Started (a. Security Onion, b. Docker); 2. SIEM (a. Overview, b. Tools, c. Demonstration); 3. Beyond SIEM (a. UEBA, b. SOAR); 4. Threat Intelligence (a. Attribution, b. Distribution, c. Simulation); 5. Hunting (a. Performance, b. State)
  5. Getting Started
  6. Getting Started Resources: Security Onion - infrastructure security appliance; Docker - containers, great for testing security tooling
  7. SIEM
  8. Security Information and Event Management: aggregates incoming information from network sensors; single pane of glass for current network state; alerts analysts of current incidents and needs
  9. SIEM - Events vs. Incidents: Events - real things that happened; Incidents - security “problems”
  10. SIEM - Goal: alert analysts of incidents and give them the ability to correlate them to events
  11. SIEM - Examples: IBM QRadar, HP ArcSight, Splunk, Elastic Stack
  12. ELK + Cowrie Demo
  13. Beyond SIEM
  14. SIEM Shortcomings: only as good as the rules you provide; analysts find themselves doing repetitive tasks
  15. User and Entity Behavior Analytics (UEBA): behavioral whitelisting; applying BIG DATA and MACHINE LEARNING to security; no open source solutions :(
  16. Security Orchestration, Automation and Response (SOAR): many times, incidents can be handled automatically; patch management; evaluating security posture; “Centralized source for all things security”; MozDef? -
  17. Threat Intelligence
  18. Threat Intel - Attribution: turn attacks into indicators of compromise; turn indicators of compromise into threat profiles; associate that profile with an attacker
  19. Threat Intel - Distribution: Structured Threat Information Expression (STIX); Trusted Automated Exchange of Intelligence Information (TAXII); AlienVault Open Threat Exchange (OTX)
  20. Threat Intel - Simulation: ATT&CK Framework - classifying attacker behavior; Caldera - simulating attackers
  21. Hunting
  22. Performance: looking for anomalies in performance data. Solutions: visualization - Grafana; storage - InfluxDB, Graphite; collection - Prometheus, Telegraf
  23. State: looking for anomalies in current server state. Solutions: osquery + Fleet; Puppet + PuppetDB
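The SIEM slides (events vs. incidents, the correlation goal, "only as good as the rules you provide") and the attribution slide (turning attacks into indicators of compromise) can be made concrete with a toy correlation pass. This is an added example, not code from the talk or from any of the products it lists: the log lines, the IoC feed, the rule names and the thresholds are all constructed for illustration.

```python
"""Toy SIEM correlation pass: events in, incidents out (added example).

Constructed sample events stand in for what a SIEM would receive from
network sensors. Two rules are applied:
  * brute_force: N failed logins from one source within a time window
  * ioc_match:   an event references an indicator from a constructed
                 threat-intel feed (the attribution slide's IoC step)
Each incident keeps references to the events that produced it, so an
analyst can correlate the incident back to the raw events.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    sensor: str
    kind: str       # e.g. "auth_fail", "dns_query", "conn"
    src: str        # source IP as seen by the sensor
    detail: str     # "key=value", e.g. user=root or domain=evil.example


@dataclass
class Incident:
    rule: str
    summary: str
    events: list = field(default_factory=list)   # the correlated events


# Constructed syslog-like sample feed (documentation-range IPs), not real telemetry.
RAW_LOGS = [
    "2018-02-28T10:00:01 sshd auth_fail 203.0.113.7 user=root",
    "2018-02-28T10:00:03 sshd auth_fail 203.0.113.7 user=admin",
    "2018-02-28T10:00:05 sshd auth_fail 203.0.113.7 user=oracle",
    "2018-02-28T10:00:06 sshd auth_fail 203.0.113.7 user=test",
    "2018-02-28T10:00:08 sshd auth_fail 203.0.113.7 user=guest",
    "2018-02-28T10:00:09 sshd auth_fail 203.0.113.7 user=pi",
    "2018-02-28T10:01:00 sshd auth_fail 198.51.100.9 user=bob",
    "2018-02-28T10:02:00 bro dns_query 192.0.2.10 domain=evil.example",
    "2018-02-28T10:05:00 bro conn 192.0.2.11 dst=203.0.113.50",
]

# Constructed, hypothetical indicators of compromise mapped to a threat profile name.
IOC_FEED = {"evil.example": "CampaignX", "203.0.113.50": "CampaignX"}


def parse_event(line: str) -> Event:
    """Normalise one raw line into an Event (the 'aggregation' step)."""
    ts, sensor, kind, src, detail = line.split(" ", 4)
    return Event(datetime.fromisoformat(ts), sensor, kind, src, detail)


def rule_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding window over authentication failures per source IP."""
    incidents = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind != "auth_fail":
            continue
        bucket = by_src[e.src]
        bucket.append(e)
        while bucket and e.ts - bucket[0].ts > window:   # expire old events
            bucket.pop(0)
        if len(bucket) >= threshold:
            incidents.append(Incident(
                "brute_force",
                f"{len(bucket)} failed logins from {e.src} within {window}",
                list(bucket)))
            bucket.clear()   # one incident per burst, not one per extra failure
    return incidents


def rule_ioc_match(events, feed):
    """Flag any event whose detail value appears in the indicator feed."""
    incidents = []
    for e in events:
        value = e.detail.split("=", 1)[-1]
        if value in feed:
            incidents.append(Incident(
                "ioc_match", f"{e.src} touched {value} ({feed[value]})", [e]))
    return incidents


def correlate(lines, feed=IOC_FEED):
    """Run every rule over the parsed events and return the incidents."""
    events = [parse_event(line) for line in lines]
    return rule_brute_force(events) + rule_ioc_match(events, feed)


if __name__ == "__main__":
    for inc in correlate(RAW_LOGS):
        print(f"{inc.rule}: {inc.summary} [{len(inc.events)} events]")
```

Running it yields one brute-force incident carrying its five underlying events and two IoC matches. Raising `threshold` to 7 makes the same six failures produce no incident at all, which is the "only as good as the rules you provide" shortcoming in one line: the events are still there, but nothing promotes them to an incident.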
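For the two Hunting slides, the following added example shows the shape of each check: a performance hunt that flags samples deviating from a baseline, and a state hunt that diffs a host's current state against a known-good baseline. It is not code from the talk and does not use the listed tools; the CPU samples and the osquery-style state tables are constructed, hypothetical data.

```python
"""Hunting over performance and state data (added example, constructed data).

  * zscore_anomalies: flag metric samples whose z-score against a baseline
    of previously accepted samples exceeds a threshold. Flagged samples are
    kept out of the baseline so one spike does not mask the next.
  * state_drift: per table, what appeared and what disappeared on a host
    compared with a known-good baseline (the kind of result osquery + Fleet
    would collect; the tables here are trimmed, hypothetical stand-ins).
"""
from statistics import mean, pstdev

# Constructed per-minute CPU% samples for one host; the two high values are the
# anomaly a hunter should find.
CPU_SAMPLES = [12, 15, 11, 14, 13, 12, 16, 14, 13, 12, 15, 13, 88, 91, 14, 13]


def zscore_anomalies(samples, baseline_len=8, threshold=3.0):
    """Return (index, value, z) for samples that deviate from the baseline."""
    baseline = list(samples[:baseline_len])   # seed with the first samples
    hits = []
    for i in range(baseline_len, len(samples)):
        mu, sigma = mean(baseline), pstdev(baseline)
        sigma = sigma or 1e-9                   # flat baseline: any change deviates
        z = (samples[i] - mu) / sigma
        if abs(z) >= threshold:
            hits.append((i, samples[i], round(z, 1)))
        else:
            baseline.append(samples[i])         # only clean samples feed the baseline
            baseline.pop(0)
    return hits


# Constructed known-good baseline and current snapshot for one host.
BASELINE_STATE = {
    "listening_ports": {22, 443},
    "local_users": {"root", "deploy"},
    "setuid_binaries": {"/usr/bin/sudo", "/usr/bin/passwd"},
}
CURRENT_STATE = {
    "listening_ports": {22, 443, 8888},
    "local_users": {"root", "deploy", "backup2"},
    "setuid_binaries": {"/usr/bin/sudo", "/usr/bin/passwd"},
}


def state_drift(baseline, current):
    """Per table, the rows added to and removed from the host since baseline."""
    drift = {}
    for table in baseline.keys() | current.keys():
        added = current.get(table, set()) - baseline.get(table, set())
        removed = baseline.get(table, set()) - current.get(table, set())
        if added or removed:
            drift[table] = {"added": sorted(added, key=str),
                            "removed": sorted(removed, key=str)}
    return drift


if __name__ == "__main__":
    for idx, value, z in zscore_anomalies(CPU_SAMPLES):
        print(f"performance: sample {idx} = {value}% (z={z})")
    for table, change in state_drift(BASELINE_STATE, CURRENT_STATE).items():
        print(f"state: {table} added={change['added']} removed={change['removed']}")
```

The baseline in `zscore_anomalies` deliberately excludes flagged samples: with a plain trailing window, the first spike at index 12 would inflate the standard deviation and the second spike at index 13 would fall under the threshold, which is a common way a naive performance hunt misses a sustained anomaly.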