Advanced SIEM Operations
Transcript of Advanced SIEM Operations
Michael Leland | SIEM Evangelist
Advanced SIEM Operations: Realizing the Benefits of a Results-Driven SIEM
Agenda
• The Challenges of Deploying an Effective SIEM
• Mapping SIEM Operations to the Cyber Attack Chain
• Transition from Detection to Correction
• Identifying Potential Threats
• Improving Situational Awareness
• Leveraging Threat Intelligence
McAfee Confidential
Planning for Success: Assessing your Deployment
Questions to ask:
• What resources are needed for deployment and management of the SIEM solution?
• Is initial deployment simple?
• Are configurations and customizations intuitive?
• Can it deliver the performance, scalability and intelligence needed?
Goal:
• Improve both security posture and operational efficiency
• Real-life usability is a key consideration
Source: August 2014. Intel Security Special Report: When Minutes Count.
SIEM Deployment Challenges: Evolving Expectations of Security Event Analysis
Operational difficulties
• Onboarding data sources
• Integrating security platforms
Measurable value
• Reducing mean time to discovery
• Improving threat response time
• Reducing breach impact
Continuous learning & enrichment
• Threat lifecycle
• Organizational context
• Automating remediation workflow
Mapping SIEM to the Attack Chain
Traditional approaches are failing (breaches are occurring):
Protect
• Signature-based defenses
• Lack of intent-based analysis
• Siloed technologies
Detect
• Breaches dwell too long (stay active)
• Fragmented visibility
• Information overload
• Lack of context
Correct
• Organizations lack the agility to respond quickly
• Cumbersome workflows
• Information overload
• Restrictive tools
Attack chain: Recon | Weaponize | Deliver | Exploit | Control | Execute | Persist
Typical duration: Recon through Deliver, hours to months; Exploit, seconds; Control through Persist, weeks to months
Along the entire attack chain…
Evolving from Find to Fix: Orchestrating common remediation tasks
• Endpoint quarantine and triage
• Blacklist offending address/host
• Perform targeted vulnerability scan
“75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours).”
Source: Verizon 2015 Data Breach Investigations Report
Automate Time-Consuming Tasks: Reduce Operational Overhead
• Generating scheduled reports
• Identifying anomalous activities
• On-boarding new data sources
• Updating watchlist values
Network Security Mitigation Matrix: Actionable response to active threats
Matrix figure: columns follow the attack chain (Recon | Weaponize/Deliver | Exploit | Control | Execute | Persist), grouped under PROTECT, DETECT and CORRECT. Controls placed in the matrix: Recon detection, Anti-Evasion, Sandboxing, Covert Channel detection, Callback Detection, Network/Host Analysis, ACLs, Browser Emulation, Network-Endpoint Interlock, Anti-Botnet, Host Behavior Analysis, Traffic Learning, Application Control, Data Exfiltration, Deep File Analysis, Virtual Patching, IP Reputation, Web Filtering/ACLs, User Behavior Analysis, DDoS Mitigation.
Traditional Incident Response Challenges
Chart: number of events over time, from pre-breach to post-breach, across the Protect, Detect and Correct phases. Opportunistic attacks are blocked; targeted attacks have prolonged dwell time. Annotations: difficult signal isolation; excessive operational friction.
Security Connected Approach
Chart: number of events over time, from pre-breach to post-breach, across the Protect, Detect and Correct phases. Compared with the prolonged dwell time of the traditional curve, incident response is dramatically compressed and dwell time minimized. Annotations: rapid outlier detection; fluid operational response; adaptive threat reduction.
A connected ecosystem of sensors, controls and management will strengthen security posture and enhance visibility:
• Detect and adapt to breaches more quickly
• Prioritize and facilitate fluid responses
• Accelerate the decision-making process
Integrating the 5 Styles of Security Analytics
• Network Traffic Analysis
• Network Forensics
• Payload Analysis
• Endpoint Behavior Analysis
• Endpoint Forensics
Source: Gartner, “Five Styles of Advanced Threat Defense”
Rapid Threat Detection: Reduce Prolonged Risk Exposure
• Effective event & flow correlation
• Real-time alarms and actions
• Historical forensic analysis
• Leverage rule, risk & historical correlation:
Rule: simple Boolean pattern match, e.g. IF ((A & (B or C)) & NOT D)
Risk: weighted score using asset classification and reputation, e.g. (X [in CriticalSystems] * Reputation)
Historical: retroactive analysis of previously collected events/flows; over N duration of time, which Rule or Risk correlations would have been identified
Statistical baseline: standard deviation
All Threats are Not Created Equal: Prioritize Threat Response
• Correlated events typically represent a higher magnitude of threat
• Anomalous behaviors should be identified and addressed
• Risk profiling adds context (user/asset/reputation)
• Severity, not volume, determines threat level and appropriate response
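The three correlation styles above (rule, risk, historical) and the “severity, not volume” prioritization are easier to reason about as code. The following is an added example, not code from the slides or from any McAfee product: the events, the asset list `CRITICAL_SYSTEMS`, the `SOURCE_REPUTATION` scores, the per-day connection counts and the rule predicates A–D are all constructed for illustration.

```python
"""Rule, risk and historical correlation over constructed SIEM events (added example)."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    ts: int      # epoch seconds
    src: str     # source host or IP
    dst: str     # destination host
    kind: str    # normalized event type after parsing


# Constructed sample telemetry (not from the slides): a password-guessing run that
# succeeds against a critical host, and similar-looking noise from an authorized scanner.
EVENTS = [
    Event(1000, "10.0.0.5", "db01", "auth_fail"),
    Event(1005, "10.0.0.5", "db01", "auth_fail"),
    Event(1009, "10.0.0.5", "db01", "auth_fail"),
    Event(1030, "10.0.0.5", "db01", "auth_ok"),
    Event(1100, "10.0.0.9", "web02", "auth_fail"),
    Event(1101, "10.0.0.9", "web02", "auth_fail"),
    Event(1102, "10.0.0.9", "web02", "auth_fail"),
    Event(1102, "10.0.0.9", "web02", "vuln_scan_authorized"),
    Event(1150, "10.0.0.9", "web02", "auth_ok"),
    Event(1200, "10.0.0.7", "web02", "auth_ok"),
]

# Hypothetical organizational context: asset classification and source reputation
# (0 = clean, 100 = known bad). A real deployment pulls these from the CMDB and a reputation service.
CRITICAL_SYSTEMS = {"db01"}
SOURCE_REPUTATION = {"10.0.0.5": 80, "10.0.0.9": 5, "10.0.0.7": 0}
WINDOW_SECONDS = 300

# Constructed per-day outbound-connection counts for the last seven days, plus today's count.
OUTBOUND_HISTORY = {
    "db01": [12, 15, 11, 14, 13, 12, 15],
    "web02": [400, 420, 390, 410, 405, 415, 395],
}
OUTBOUND_TODAY = {"db01": 240, "web02": 420}


def group_by_session(events, window=WINDOW_SECONDS):
    """Bucket events by (src, dst, time window) so each rule is evaluated per session."""
    sessions = {}
    for e in sorted(events, key=lambda e: e.ts):
        sessions.setdefault((e.src, e.dst, e.ts // window), []).append(e)
    return sessions


def rule_correlate(events, window=WINDOW_SECONDS):
    """Rule correlation in the slide's shape, IF ((A & (B or C)) & NOT D):
    A = three or more auth failures, B = a later success from the same source,
    C = a new service appearing on the target, D = the source is an authorized scanner."""
    alerts = []
    for (src, dst, _), session in group_by_session(events, window).items():
        kinds = [e.kind for e in session]
        fail_ts = [e.ts for e in session if e.kind == "auth_fail"]
        a = len(fail_ts) >= 3
        b = a and any(e.kind == "auth_ok" and e.ts > fail_ts[0] for e in session)
        c = "new_service" in kinds
        d = "vuln_scan_authorized" in kinds
        if (a and (b or c)) and not d:
            alerts.append({"rule": "auth_bruteforce_success", "src": src, "dst": dst, "base_severity": 50})
    return alerts


def risk_score(alert, critical=CRITICAL_SYSTEMS, reputation=SOURCE_REPUTATION):
    """Risk correlation: weight base severity by asset classification and source reputation,
    the slide's (X [in CriticalSystems] * Reputation). The weights here are illustrative."""
    asset_weight = 2.0 if alert["dst"] in critical else 1.0
    reputation_weight = 1.0 + reputation.get(alert["src"], 0) / 100.0
    return round(alert["base_severity"] * asset_weight * reputation_weight)


def historical_outliers(history, today, k=2.0):
    """Historical correlation with a standard-deviation baseline: flag hosts whose count today
    exceeds mean + k * stddev of their own past N days."""
    flagged = {}
    for host, counts in history.items():
        threshold = mean(counts) + k * pstdev(counts)
        if today.get(host, 0) > threshold:
            flagged[host] = {"today": today[host], "threshold": round(threshold, 1)}
    return flagged


def prioritized_alerts(events=EVENTS):
    """Severity, not volume, decides the response order: score each rule hit and sort by risk."""
    scored = [dict(a, risk=risk_score(a)) for a in rule_correlate(events)]
    return sorted(scored, key=lambda a: a["risk"], reverse=True)


if __name__ == "__main__":
    for a in prioritized_alerts():
        print(f"risk={a['risk']:>4} {a['rule']} {a['src']} -> {a['dst']}")
    print("outliers:", historical_outliers(OUTBOUND_HISTORY, OUTBOUND_TODAY))
```

The scanner's three failures and later success are excluded by the NOT D term rather than by a lower score, which is the point of putting exclusions in the rule: a risk weight only reorders alerts, it does not remove noise. The standard-deviation baseline is per host, so db01's jump to 240 connections stands out even though web02 moves ten times as many in absolute terms.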
Reducing Threat Discovery Time: Automating remediation and protection actions
14:29:44 - New file seen for the first time in the enterprise
14:30:40 - New file detected with unknown reputation; assumed ‘dirty’
14:30:43 - Sample submitted to the ATD (McAfee Advanced Threat Defense) sandbox; identified as malicious
14:30:44 - TIE (Threat Intelligence Exchange) reputation changed from ‘unknown’ to ‘known dirty’
14:31:00+ - All subsequent attempts to execute the malicious file are blocked
Time to detect: 59s (14:29:44 to 14:30:43)
Time to protect: 1m (14:29:44 to 14:30:44)
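The timeline above is a default-deny policy on file reputation plus propagation of a sandbox verdict to every endpoint. The following is an added example and not the TIE or ATD implementation: `ReputationCache`, `execution_decision`, `sandbox_verdict` and the placeholder hash `SAMPLE` are hypothetical names, and the replay function feeds in the slide's own timestamps.

```python
"""Default-deny execution control for unknown file reputations (added example)."""
from datetime import datetime

UNKNOWN, KNOWN_DIRTY, KNOWN_CLEAN = "unknown", "known dirty", "known clean"


def hms(text):
    """Parse the slide-style HH:MM:SS timestamps; only differences matter here."""
    return datetime.strptime(text, "%H:%M:%S")


class ReputationCache:
    """Hypothetical local file-reputation store shared by all endpoints. Not a product API:
    it models the policy 'unknown is assumed dirty' and the propagation of a sandbox verdict."""

    def __init__(self):
        self.reputation = {}    # sha256 -> UNKNOWN / KNOWN_DIRTY / KNOWN_CLEAN
        self.first_seen = {}    # sha256 -> first sighting anywhere in the enterprise
        self.submitted = set()  # hashes already sent to the sandbox (submit once, not per endpoint)
        self.detected_at = {}   # sha256 -> time the sandbox returned its verdict
        self.protected_at = {}  # sha256 -> time the dirty reputation was published
        self.timeline = []      # (time, actor, message)

    def execution_decision(self, sha256, host, when):
        """Called when an endpoint is about to run a file; returns 'allow' or 'block'."""
        if sha256 not in self.first_seen:
            self.first_seen[sha256] = when
            self.timeline.append((when, host, "new file seen for the first time in the enterprise"))
        rep = self.reputation.get(sha256, UNKNOWN)
        if rep == KNOWN_CLEAN:
            return "allow"
        if rep == UNKNOWN and sha256 not in self.submitted:
            self.submitted.add(sha256)
            self.timeline.append((when, host, "unknown reputation, assumed dirty; sample submitted to sandbox"))
        else:
            self.timeline.append((when, host, f"execution blocked ({rep})"))
        return "block"

    def sandbox_verdict(self, sha256, malicious, detected, published):
        """Record the sandbox result and publish the new reputation to every consumer."""
        new_rep = KNOWN_DIRTY if malicious else KNOWN_CLEAN
        self.detected_at[sha256] = detected
        self.reputation[sha256] = new_rep
        if malicious:
            self.protected_at[sha256] = published
        self.timeline.append((published, "reputation", f"{UNKNOWN} -> {new_rep}"))

    def time_to_detect(self, sha256):
        return (self.detected_at[sha256] - self.first_seen[sha256]).total_seconds()

    def time_to_protect(self, sha256):
        return (self.protected_at[sha256] - self.first_seen[sha256]).total_seconds()


SAMPLE = "c0ffee00" * 8  # constructed placeholder hash, not a real sample


def replay_slide_timeline():
    """Replay the slide's timestamps. Unlike the slide, this model blocks and submits at the very
    first sighting; the slide shows a 56 s gap between first sighting and the 'unknown' decision."""
    cache = ReputationCache()
    decisions = [
        cache.execution_decision(SAMPLE, "host-a", hms("14:29:44")),  # first seen: unknown, submitted
        cache.execution_decision(SAMPLE, "host-b", hms("14:30:40")),  # still unknown: blocked
    ]
    cache.sandbox_verdict(SAMPLE, True, hms("14:30:43"), hms("14:30:44"))
    decisions.append(cache.execution_decision(SAMPLE, "host-c", hms("14:31:00")))  # known dirty
    return cache, decisions


if __name__ == "__main__":
    cache, decisions = replay_slide_timeline()
    for when, actor, msg in cache.timeline:
        print(when.strftime("%H:%M:%S"), actor, msg)
    print("decisions:", decisions)
    print(f"time to detect: {cache.time_to_detect(SAMPLE):.0f}s, time to protect: {cache.time_to_protect(SAMPLE):.0f}s")
```

Two design points carry over to any real deployment: the unknown state must already return “block”, otherwise the window between first sighting and verdict is an execution window; and the sample is submitted once per hash, not once per endpoint, so a worm landing on a hundred hosts does not become a hundred sandbox jobs.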
Improving Situational Awareness: Context Enrichment
Leverage greater content AND context during forensic investigations.
Data sources: Authentications, Web Transactions, Network Flows, Identity, Cloud, Security Logs, Database, Applications, Email, File Access
Context enrichment: Anomaly Detection, Organizational Hierarchy, User Identity, Geolocation, Reputation, Risk Score, Vulnerability, Payload
Threat Intelligence: Improve situational awareness
Leverage vendor-supplied and industry threat sources to better understand the context of a threat.
• Identify activities to/from a ‘bad actor’
• Threat feeds should be: consumable, relevant, accurate, timely
• Industry-specific threat intelligence: healthcare, finance, retail
Threat Intelligence Sources: Multiple Threat Vector Analysis
Static
• Threat lists: artifacts, age, relevance, attribution
• Sources: Emerging Threats, Malc0de
Dynamic
• IoC sources: artifacts, Boolean logic, behavioral, campaigns
• Local intelligence: sandbox analysis, manual assignment
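The static-versus-dynamic distinction above comes down to how much an indicator carries with it: a plain list has one publication date for everything, an IoC export carries per-indicator type, last-seen time and confidence. The example below, added here and not taken from the slides, from Emerging Threats, Malc0de or any vendor, ingests both shapes, ages each indicator for relevance, and matches events against the resulting watchlist (it also serves the earlier “Updating watchlist values” item). The feed snippets, events, `MAX_AGE_DAYS`, `MIN_CONFIDENCE` and the linear decay in `effective_confidence` are all constructed assumptions.

```python
"""Ingest static and dynamic threat indicators, age them, and match events (added example)."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Indicator:
    value: str           # IP, CIDR, domain or file hash
    itype: str           # "ip", "cidr", "domain", "hash"
    source: str          # feed name, kept for attribution
    last_seen: datetime  # publication or last-observed time from the feed
    confidence: int      # 0..100 as published


# Constructed feed snippets. They imitate common shapes (one indicator per line with '#'
# comments; a CSV IoC export) but are not the formats of any named vendor feed.
STATIC_FEED = """# constructed compromised-host list, published 2015-06-01
198.51.100.23
203.0.113.0/24
"""
DYNAMIC_FEED = """value,type,last_seen,confidence
update-cdn.example.net,domain,2015-06-09T10:00:00,60
198.51.100.77,ip,2015-04-01T00:00:00,95
d41d8cd98f00b204e9800998ecf8427e,hash,2015-06-08T00:00:00,80
"""
NOW = datetime(2015, 6, 10, 12, 0, 0)
MAX_AGE_DAYS = 60    # relevance window: indicators older than this are ignored
MIN_CONFIDENCE = 30  # below this a match is dropped rather than alerted


def parse_plain_list(text, source, published, confidence=80):
    """Static list: one IP or CIDR per line, '#' comments; the whole list shares one timestamp."""
    indicators = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        indicators.append(Indicator(line, "cidr" if "/" in line else "ip", source, published, confidence))
    return indicators


def parse_csv_iocs(text, source):
    """Dynamic IoC export: per-indicator type, last_seen and confidence."""
    return [Indicator(r["value"], r["type"], source, datetime.fromisoformat(r["last_seen"]), int(r["confidence"]))
            for r in csv.DictReader(io.StringIO(text))]


def effective_confidence(ind, now=NOW, max_age_days=MAX_AGE_DAYS):
    """Age the indicator: published confidence decays linearly to zero over max_age_days."""
    age_days = (now - ind.last_seen).days
    if age_days >= max_age_days:
        return 0
    return round(ind.confidence * (1 - age_days / max_age_days))


def _field_matches(ind, event):
    if ind.itype == "domain":
        return event.get("domain") == ind.value
    if ind.itype == "hash":
        return event.get("hash") == ind.value
    for addr in (event.get("src"), event.get("dst")):
        if addr is None:
            continue
        try:
            if ind.itype == "ip" and addr == ind.value:
                return True
            if ind.itype == "cidr" and ip_address(addr) in ip_network(ind.value):
                return True
        except ValueError:  # field is not an address; skip rather than fail the whole event
            continue
    return False


def match_event(event, indicators, now=NOW):
    """Return (indicator, effective confidence) for every relevant indicator the event touches."""
    hits = []
    for ind in indicators:
        conf = effective_confidence(ind, now)
        if conf >= MIN_CONFIDENCE and _field_matches(ind, event):
            hits.append((ind, conf))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def load_indicators():
    return (parse_plain_list(STATIC_FEED, "static-list", datetime(2015, 6, 1))
            + parse_csv_iocs(DYNAMIC_FEED, "dynamic-iocs"))


# Constructed events: a connection into a listed network, one to a stale indicator,
# and a lookup of a listed domain.
EVENTS = [
    {"src": "10.0.0.5", "dst": "203.0.113.9"},
    {"src": "10.0.0.6", "dst": "198.51.100.77"},
    {"src": "10.0.0.7", "dst": "192.0.2.53", "domain": "update-cdn.example.net"},
]

if __name__ == "__main__":
    inds = load_indicators()
    for ev in EVENTS:
        for ind, conf in match_event(ev, inds):
            print(f"{ev} hit {ind.itype} {ind.value} from {ind.source} (confidence {conf})")
```

The second event touches an indicator that was published with 95 confidence but last seen 70 days ago; aging drops it to zero, so it produces no hit. That is the “age” and “relevance” attribute of the slide in practice: a watchlist that never expires entries turns into a false-positive generator as attacker infrastructure is recycled. Keeping `source` on every indicator preserves the attribution needed when an analyst asks why an address was flagged.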
The Security Challenge: Detect and remediate threats before they impact your business
Mean number of days to resolution: 31 days
Average cost per day: $20,758
Source: Ponemon Institute 2014 Cost of Cyber Crime study
Timeline: Attack, Compromise, Discovery, Containment, stretching from hours to weeks to months