Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based …

Post on 11-Nov-2014


World's #1 SIEM technology in GRC (Governance, Risk, Compliance). QRadar Risk Manager provides organizations with a pre-exploit solution that allows network security professionals to assess what risks exist during and after an attack, while also answering many "What if?" questions ahead of time, which can greatly improve operational efficiency and reduce network security risks.

Transcript of Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based …

Innovations in data security

SIEM based GRC

Andris Soroka, Raivis Kalniņš,

15.05.2013

Together with

“Data Security Solutions” brief intro

Specialization – IT Security

IT Security consulting (vulnerability assessment tests, security audit, new systems integration, HR training, technical support)

Innovative & selected software / hardware & hybrid solutions from leading technology vendors from over 10 different countries

Prologue

It doesn’t matter what framework or standard you are working with as an auditor.

It doesn’t matter whether you are an internal or external auditor, a CSO, a CIO, a technical or a business person.

Automated, real-time «Security Intelligence» is mandatory for GRC:

Risk assessment & management
IT security governance & management
Control of activities and environment
Performance measurement and improvement
Benefits from better alignment with business (cost savings, efficiency etc.)

Agenda

Introduction

Security Information and Events Management (SIEM)

Use cases of SIEM

SIEM based Risk Management

Q&A

Defenses in 21st Century

Around 1500 IT Security vendors for:

Endpoint Security: platforms and point solutions
Data Security & Encryption: DLP suites and point solutions
Network Security: gateway solutions; NAC, visibility, NBA
Authentication, authorization etc.: traditional and next generation’s identity protection
Virtualization and cloud security
IT Security governance
Operational management & Security
Mobile Security

Today’s reality, intro

Network and security professionals’ focus tends to be on preventing bad things from happening on the network.

There is already a significant amount of spending on tools designed to prevent bad things from getting into the network.

When things go bad, it is because the network and security practitioner doesn’t know what they don’t know.

User and System Activity (examples from the slide graphic):

Runaway application
Customer transaction
Email BCC
Failed logon
Security breach
File up/download
Credit card data access
Information leak
Privileges assigned/changed

Logs, flows, maze

What logs: audit logs, transaction logs, intrusion logs, connection logs, system performance records, user activity logs, business system alerts and messages from various other systems

From where: firewalls / intrusion prevention, routers / switches, intrusion detection, servers, desktops, mainframes, business applications, databases, antivirus software, VPNs

There is no standard format or transport method for logs; more than 800 log file formats are in use.

Security Intelligence provides actionable and comprehensive insight for managing risks and threats, from protection and detection through remediation. It could even be called a Security Mega-System.

Security Intelligence, noun: 1. the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise

Move from defense to offense mode!

Plug & Play and Automated Intelligence

Monitor: auto-discovery of log sources, applications and assets; asset auto-grouping; centralized log management; automated configuration audits

Analyze: auto-tuning; auto-detection of threats; thousands of pre-defined rules and role-based reports; easy-to-use event filtering; advanced security analytics

Act: asset-based prioritization; auto-update of threats; auto-response; directed remediation

One Console Security, built on a single data architecture:

• Log Management: turnkey log management; SME to enterprise; upgradeable to enterprise SIEM
• SIEM: integrated log, threat, risk & compliance management; sophisticated event analytics; asset profiling and flow analytics; offense management and workflow
• Risk Management: predictive threat modeling & simulation; scalable configuration monitoring and audit; advanced threat visualization and impact analysis
• Network Activity & Anomaly Detection: network analytics; behavior and anomaly detection; fully integrated with SIEM
• Network and Application Visibility: Layer 7 application monitoring; content capture; physical and virtual environments

Security intelligence

What was the attack?

Who was responsible?

How many targets involved?

Was it successful?

Where do I find them?

Are any of them vulnerable?

How valuable are they to the business?

Where is all the evidence?

Clear & concise delivery of the most relevant information …

Q1 in action - Malware activity

Potential Botnet Detected? This is as far as traditional SIEM can go.

IRC on port 80? QFlow enables detection of a covert channel.

Irrefutable Botnet Communication: Layer 7 data contains botnet command and control instructions.
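The port/protocol mismatch the slide describes, as an added example that is not part of the original deck or of QFlow: the payload is classified at layer 7 and compared with what a port-based view would assume. The flows, the small protocol fingerprints and the port table are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # first bytes of the client-to-server stream

# Constructed sample flows, not taken from the original slides.
SAMPLE_FLOWS = [
    Flow("10.0.0.11", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.0.0.12", "198.51.100.7", 80, b"NICK x9f3k\r\nUSER x9f3k 0 * :x9f3k\r\nJOIN #updates\r\n"),
    Flow("10.0.0.13", "192.0.2.20", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    Flow("10.0.0.14", "192.0.2.30", 6667, b"NICK carol\r\nUSER carol 0 * :Carol\r\n"),
]

# Minimal layer-7 fingerprints (assumed here; a real sensor has far richer ones).
HTTP_REQUEST = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r?\n")
IRC_COMMAND = re.compile(rb"^(?:NICK|USER|JOIN|PRIVMSG|PING|PONG|MODE|PASS) ", re.MULTILINE)

def identify_protocol(payload: bytes) -> str:
    """Classify by payload content alone, ignoring the port entirely."""
    if HTTP_REQUEST.match(payload):
        return "http"
    if payload[:2] == b"\x16\x03":  # TLS handshake record, version 3.x
        return "tls"
    if IRC_COMMAND.search(payload):
        return "irc"
    return "unknown"

# Protocol a port-based (traditional SIEM) view would assume for each port.
EXPECTED_BY_PORT = {80: "http", 443: "tls", 6667: "irc"}

def find_covert_channels(flows):
    """Flag flows whose observed layer-7 protocol contradicts the port assumption."""
    alerts = []
    for f in flows:
        observed = identify_protocol(f.payload)
        assumed = EXPECTED_BY_PORT.get(f.dst_port)
        if assumed and observed != "unknown" and observed != assumed:
            alerts.append({"src": f.src, "dst": f.dst, "port": f.dst_port,
                           "assumed": assumed, "observed": observed})
    return alerts
```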

Q1 in action - User activity monitoring

Authentication Failures: perhaps a user who forgot their password?

Brute Force Password Attack: numerous failed login attempts against different user accounts.

Host Compromised: all this followed by a successful login.

Automatically detected, no custom tuning required.
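The three-stage escalation on this slide, as an added correlation example that is not part of the original deck or of the product: failures are tracked per source address in a sliding window, a burst across several accounts becomes a brute-force verdict, and a success from the same source right after that burst escalates to host compromise. The log format, thresholds and sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (key=value format assumed here, not a real product's).
SAMPLE_LOG = """\
2013-05-15T09:00:01 host=srv01 src=10.0.0.5 user=alice result=FAIL
2013-05-15T09:00:09 host=srv01 src=10.0.0.5 user=alice result=OK
2013-05-15T09:10:00 host=srv01 src=198.51.100.23 user=root result=FAIL
2013-05-15T09:10:01 host=srv01 src=198.51.100.23 user=admin result=FAIL
2013-05-15T09:10:02 host=srv01 src=198.51.100.23 user=oracle result=FAIL
2013-05-15T09:10:03 host=srv01 src=198.51.100.23 user=backup result=FAIL
2013-05-15T09:10:05 host=srv01 src=198.51.100.23 user=svc_rep result=FAIL
2013-05-15T09:10:40 host=srv01 src=198.51.100.23 user=svc_rep result=OK
"""

# The three stages named on the slide, in escalating order.
STAGES = ["Authentication Failures", "Brute Force Password Attack", "Host Compromised"]

def parse(log_text):
    """Turn 'timestamp k=v k=v ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log_text.strip().splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def classify_sources(events, min_failures=5, min_accounts=3, window=timedelta(minutes=5)):
    """Return {src_ip: highest stage reached}; a stage is never downgraded."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    verdicts = {}
    for src, evs in by_src.items():
        rank = -1  # index into STAGES, -1 = nothing seen yet
        for i, ev in enumerate(evs):
            # Failures from this source inside the sliding window before this event
            recent_fails = [e for e in evs[:i]
                            if e["result"] == "FAIL" and e["ts"] >= ev["ts"] - window]
            if ev["result"] == "FAIL":
                fails = recent_fails + [ev]
                spread = len({e["user"] for e in fails}) >= min_accounts
                rank = max(rank, 1 if len(fails) >= min_failures and spread else 0)
            elif rank == 1 and recent_fails:
                rank = 2  # success right after a brute-force burst: "Host Compromised"
        if rank >= 0:
            verdicts[src] = STAGES[rank]
    return verdicts
```

A single failure followed by a success (the forgotten password) stays at the first stage, while the same burst without the trailing success stops at the brute-force stage.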

Q1 in action - complex threat detection

Sounds nasty… but how do we know this? The evidence is a single click away.

Buffer Overflow: exploit attempt seen by Snort

Network Scan: detected by QFlow

Targeted Host Vulnerable: detected by Nessus

Total Visibility: convergence of network, event and vulnerability data.

Q1 in action – data loss prevention

Potential Data Loss? Who? What? Where?

Who? An internal user
What? Oracle data
Where? Gmail

SIEM Based Risk Management


Assessing the risks = Log management + Event management + Network activity monitoring + Configuration + Vulnerability assessment

Configuration:
Most successful attacks are the result of poor configuration
Configuration audits are expensive, labor intensive and time consuming
Config files are inconsistent across vendors and product / technology types
Compliance is mandatory in many industries

Vulnerability assessment:
VA scanners don’t prioritize based on network context
Vulnerability prioritization is historically complex
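Context-based prioritization, as an added example that is not part of the original deck or of Risk Manager, serving both the "convergence of network, event and vulnerability data" slide above and the point here that scanners rank by CVSS without network context: scanner findings are re-ranked by asset value, reachability from untrusted networks (topology/configuration) and hostile activity actually observed against the host. Weights, identifiers and all data are constructed; the vulnerability ids are placeholders, not real CVE numbers.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    vuln_id: str   # placeholder identifier, deliberately not a real CVE number
    cvss: float    # scanner-reported base score

# Constructed scanner output, asset inventory and observed activity (not from the slides).
FINDINGS = [
    Finding("db01", "VULN-0001", 9.8),
    Finding("kiosk07", "VULN-0002", 9.8),
    Finding("web01", "VULN-0003", 6.5),
]
ASSETS = {  # business value 1-3; reachability derived from topology / firewall config
    "db01": {"value": 3, "reachable_from_untrusted": False},
    "kiosk07": {"value": 1, "reachable_from_untrusted": True},
    "web01": {"value": 2, "reachable_from_untrusted": True},
}
EVENTS = [  # what the event and flow side has actually seen against each host
    {"dst": "web01", "kind": "exploit_attempt", "vuln_id": "VULN-0003"},
    {"dst": "web01", "kind": "scan"},
    {"dst": "kiosk07", "kind": "scan"},
]

def risk_score(finding, asset, events):
    """CVSS weighted by asset value, reachability and observed activity (assumed weights)."""
    exposure = 1.0 if asset["reachable_from_untrusted"] else 0.4
    attempts = sum(1 for e in events if e["dst"] == finding.host
                   and e["kind"] == "exploit_attempt" and e.get("vuln_id") == finding.vuln_id)
    scans = sum(1 for e in events if e["dst"] == finding.host and e["kind"] == "scan")
    activity = 1.0 + attempts + 0.25 * scans
    return round(finding.cvss * asset["value"] * exposure * activity, 2)

def prioritize(findings, assets, events):
    """Highest contextual risk first, as (score, host, vuln_id) tuples."""
    scored = [(risk_score(f, assets[f.host], events), f.host, f.vuln_id) for f in findings]
    return sorted(scored, reverse=True)

def cvss_order(findings):
    """The scanner's own ranking, by base score only, for comparison."""
    return [f.host for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]
```

The medium-severity finding on the exposed, actively attacked web server ends up first, while the two 9.8-rated findings drop below it once the isolated database and the low-value kiosk are seen in context.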


SIEM is a foundation of security management in the 21st century, but it provides mostly post-exploit value. Risk Manager based on SIEM gives a detailed assessment of network security risk using broad risk indicators such as:

WHAT HAS HAPPENED? (from network activity data and behaviour analysis)
WHAT CAN HAPPEN? (from topology and configuration)
WHAT HAS BEEN ATTEMPTED? (from events and context data)
WHAT IS VULNERABLE AND AT RISK? (from scanners)

SIEM Based Risk Management Summary

Prediction & Prevention | Reaction & Remediation

IBM Security Intelligence

Simulation of incidents
Error & anomaly detection
Attack path visualization
Compliance automation
Risk assessment

Continuous real-time audit
Single console
Integrated intelligence
Visualization
Highest level of protection


Security intelligence

Predict Risk

Detect Insider Fraud

Consolidate Data Silos

Exceed Regulation Mandates

Detect Threats Others Miss

IBM Security division’s vision

Think security first

www.dss.lv

andris@dss.lv / raivis@dss.lv