SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very...
Transcript of SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very...
![Page 1: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/1.jpg)
Igor Volovich, CISSP,CISM,CISA,CRISC,CIPP Scott Sattler, CISSP,CISM,CISA,CRISC,CCNP,CFE
SIEM: GOLDEN GOOSE OR MONEY PIT ?
© 2013 VOLOVICH | SATTLER
![Page 2: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/2.jpg)
In this session • SIEM 101 – a quick primer • Capabilities vs. technologies • Common SIEM pain points • Key concepts for a happy SIEM • Getting SIEM wrong • Doing SIEM right • Sensory instrumentation approach • SIEM service deployment models • Q & A Session
![Page 3: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/3.jpg)
SIEM functional components
SENSORY DATA SOURCES
EVENT/DATA AGGREGATION
EVENT/DATA CORRELATION
ALERTING REPORTING VISUALIZATION RETENTION ANALYTICS
EVENT/DATA COLLECTION
ENDPOINT SYSTEMS NETWORK SYSTEMS SECURITY SYSTEMS
APP INFRASTRUCTURE IDENTITY/ACCESS VULNERABILITY MGMT
CMDB/CONFIG
DATA INVENTORY
THREAT & VULNERABILITY MANAGEMENT PROCESSES (TVM/CSIRT)
Preparation
Detection
Analysis
Containment
Eradication Recovery
Debrief
![Page 4: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/4.jpg)
SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to
examine events” Quality of detection, analysis unknown Complex platforms are difficult to manage ROI hard to measure, harder to achieve/show Vendors oversell and under-deliver Most issues are NOT technology failures Customer expectations unrealistic Vendor attitude is “fire-and-forget”
![Page 5: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/5.jpg)
Key concepts
Objectives are primary, tradecraft secondary Focus on capabilities, not tools SIEM as a service in your enterprise First, know your (platform’s) purpose Second, have a plan Look for “Indicators of Compromise” Anything can be a sensor!
![Page 6: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/6.jpg)
How to get it wrong Forget strategy – let’s just collect stuff Not sure what to log – let’s collect it ALL! Look, a magic box - stuff goes in, qualified
actionable security alerts come out! It’s too noisy, this platform sucks It’s too quiet, we must be impregnable It’s too difficult, let’s just outsource I thought we were getting “security-
compliance-reporting-alerting” in a box?
![Page 7: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/7.jpg)
Getting it wrong, part II Setup is a “Five-day Quick Start” – that’s it Finally, our long-awaited log dump is here! Wait, we need “people” to run this thing?! Hey, what’s this button here do? I know we didn’t buy it for this, but… Vendor also said it could bake tasty pies It’s ok, we’ll just hire a consultant to tune it Why can’t I have your log data? Executive buy-in – what’s that?
![Page 8: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/8.jpg)
How to get it right Focus on capabilities, not flashy gimmicks Assess your monitoring objectives Know your environment and data mapping Capture and mature existing processes Set clear goals for platform implementation Invest time into vendor/platform selection Recognize commitment of self-run SIEM Is self-hosted/self-managed for us? Talk to your CFO: CAPEX or OPEX?
![Page 9: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/9.jpg)
Sensory instrumentation Develop use cases to inform your source
selection process Determine event/data acquisition constraints Parsing ability Event rates Payload fidelity
Don’t collect just because you can Focus on protection target, not infrastructure Smart sensors = intelligent events
![Page 10: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/10.jpg)
Anything can be a sensor
email AV
routers/network infrastructure email
logs
user accounts
firewall
NIDS HIDS
event correlation
aggregation
event/data collection
proxy AV
web proxy
data repositories
![Page 11: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/11.jpg)
Intelligent sensors - rich data Data Loss Prevention (Vontu) Next-Gen Firewalls (PaloAlto) Endpoint security agents (Bit9, CyberArk) NAC technologies (ForeScout) Purpose-built platforms (FireEye, Damballa) Web App Firewalls (Imperva) VPN/RAS systems (Juniper, Citrix) Wireline solutions, IPS (Netwitness, Solera) Identity Management systems
![Page 12: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/12.jpg)
Deployment Options
![Page 13: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/13.jpg)
Self-hosted, self-managed
Cl Ag Cr Vz Al An Rp Re
In-house █ █ █ █ █ █ █ █
MSSP
![Page 14: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/14.jpg)
Self-hosted, MSSP-managed
Cl Ag Cr Vz Al An Rp Re
In-house █
MSSP █ █ █ █ █ █ █
![Page 15: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/15.jpg)
Self-hosted, jointly managed
Cl Ag Cr Vz Al An Rp Re
In-house █ █ █ █ █ █ █ █
MSSP █ █ █ █ █ █ █
![Page 16: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/16.jpg)
Cloud, MSSP-managed
Cl Ag Cr Vz Al An Rp Re
In-house
MSSP █ █ █ █ █ █ █ █
![Page 17: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/17.jpg)
Cloud, jointly managed
Cl Ag Cr Vz Al An Rp Re
In-house █ █ █ █ █
MSSP █ █ █ █ █ █ █ █
![Page 18: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/18.jpg)
Cloud, self-managed
Cl Ag Cr Vz Al An Rp Re
In-house █ █ █ █ █ █
MSSP █ █
![Page 19: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/19.jpg)
Hybrid model, jointly managed
Cl Ag Cr Vz Al An Rp Re
In-house █ █ █ █ █ █ █ █
MSSP █ █ █ █ █ █ █ █
![Page 21: SIEM: Golden goose or money pit...SIEM pain points Too much data – not enough intelligence Very quantitative – “need more people to examine events” Quality of detection, analysis](https://reader036.fdocuments.in/reader036/viewer/2022070801/5f026cbd7e708231d404348f/html5/thumbnails/21.jpg)
© 2013 VOLOVICH | SATTLER | securelabs.net