Siem Overview 2009
Transcript of Siem Overview 2009
Security Information and Event Management: Know Your Stuff
What is SIEM?
Security and Compliance Challenges
Cost Benefits
Benefits of Automated Security Analysis
MORE Hackers, Malware, and Attacks
MORE Penalties
LESS Headcount
What you need
Bot, Worm, and Virus Attacks
Hacker Detection
Bandwidth Hogs and Policy Violations
Unauthorised Application Access
Rolling the Dice on The “Unlucky Seven”
VPN Sneak Attacks
System and User Impact
Failed Audits, Fines and Penalties
What malware is infiltrating my environment, and how is it propagating?
Is my AntiVirus system able to mitigate malware threats?
[Network diagram: Public Network, Home VPN, Public VPN, Remote Workers, Corporate HQ, Wireless Hot-Spot, Branch Office, Mobile Users]
Who is attacking me and where are they attacking from?
Which of my internal systems are they attacking?
What internal systems are used most, and from where?
Who is using the most bandwidth and what protocols, services or applications are they accessing?
Which systems have suspicious access/ application activity?
Are terminated accounts still being used?
Which accounts are being used from suspicious locations?
Where are my remote users coming from, what are they accessing?
Are the remote computers coming in remotely secure and up to date?
What users and equipment are affected?
What is the level of degradation in my environment?
Definition of SIM / SEM / SIEM
Four major functions of SIEM
Log Consolidation
Threat Correlation
Incident Management
Reporting
Event funnel (slide figure; counts as printed on the slide):
  Events collected: 510,618,423
  Negative filter (noise discarded): 506,813,197
  Event consolidation: 3,805,226 events remain (510,618,423 - 506,813,197)
  Positive filter: 1,628 events; the other 3,803,598 events continue
  Anomaly filter: 207,499 events
  Rules/Logic/Correlation Engines: 5,633 remaining events of interest
BO Connector & ESM Platform: Normalization & Aggregation
Output of the Rules/Logic/Correlation Engines (5,633 events):
  Security Event - Worm, Client Not Vulnerable: 1 incident (21 events)
  Security Event - Suspicious Activity: 3 incidents (32 events)
  Security Event - Benign: 5,532 events
  Security Event - System / Application: 1 incident (48 events)
Information from Rules, Intelligence, Scanning, Trending & Auditing
Incident Handling Process: Aggregate, Correlate, Categorize, Assess Threat, and Respond
Low Threat: Incident is logged for future correlation and reporting, but no further action is required.
Medium Threat: Incident requires near-term intervention by the incident response team and/or the client to prevent an availability or security issue.
High Threat: Incident requires immediate intervention by the incident response team and the client to prevent and/or remediate an availability or security issue in progress.
Monitored sources in the figure: 26 Firewalls, 10 IDS / IPS, 271 Servers / Other
BO People & Process: Inform Client
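The funnel and the incident-handling process above describe a pipeline (consolidate, normalise, aggregate, filter, correlate, assess threat, report) without showing any of it. The following Python is an added illustration of that pipeline, written for this page; it is not code from the deck or from the Boxing Orange / ESM platform it describes. Every log line, hostname, address, signature name and patch identifier is constructed sample data, and the two correlation rules (worm signature checked against scan results, one source denied to many internal hosts) are hypothetical rules chosen to reproduce the slide's "Worm - Client Not Vulnerable" and "Suspicious Activity" categories and its Low/Medium/High levels.

```python
"""Miniature SIEM pipeline: consolidate raw log lines from several sources,
normalise them onto one schema, drop benign noise, aggregate repeats,
correlate across sources and assign a threat level (Low / Medium / High).

Added illustration; not code from the deck or from any vendor's platform.
All log lines, hosts, addresses, signature names and patch identifiers are
constructed sample data, and both correlation rules are hypothetical.
"""
import re
from collections import Counter, defaultdict

LOW, MEDIUM, HIGH = "Low Threat", "Medium Threat", "High Threat"

# --- Constructed sample feeds -------------------------------------------------
FIREWALL_LINES = [
    f"Mar  2 10:00:0{i} fw1 DENY src=203.0.113.9 dst=10.0.0.{i} dport=445"
    for i in range(1, 9)                       # one external host probing 8 internal hosts
] + ["Mar  2 10:00:09 fw1 ALLOW src=10.0.0.20 dst=10.0.0.2 dport=53"] * 3   # routine DNS
IDS_LINES = (
    ["Mar  2 10:01:00 ids1 sig=WORM_SMB_PROPAGATE patch=KB-0001 src=203.0.113.9 dst=10.0.0.7"] * 4
    + ["Mar  2 10:02:00 ids1 sig=WORM_SMB_PROPAGATE patch=KB-0001 src=198.51.100.4 dst=10.0.0.8"] * 2
    + ["Mar  2 10:02:30 ids1 sig=INFO_HTTP_GET patch=- src=10.0.0.20 dst=10.0.0.2"] * 5
)
# Vulnerability-scan results (hypothetical): host -> patches it is still missing.
SCAN_RESULTS = {"10.0.0.7": set(), "10.0.0.8": {"KB-0001"}}

FW_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<sensor>\S+) (?P<action>ALLOW|DENY) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
IDS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<sensor>\S+) sig=(?P<sig>\S+) "
                    r"patch=(?P<patch>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")


def normalise(line):
    """Normalisation: map a raw line from either source onto one common schema."""
    m = FW_RE.match(line)
    if m:
        return {"src": m["src"], "dst": m["dst"], "kind": "fw_" + m["action"].lower(),
                "detail": "dport=" + m["dport"], "patch": "-"}
    m = IDS_RE.match(line)
    if m:
        return {"src": m["src"], "dst": m["dst"], "kind": "ids",
                "detail": m["sig"], "patch": m["patch"]}
    raise ValueError(f"unparsed line: {line!r}")


def is_benign(ev):
    """Negative filter: permitted traffic and informational IDS hits are noise."""
    return ev["kind"] == "fw_allow" or ev["detail"].startswith("INFO_")


def aggregate(events):
    """Aggregation: collapse identical events into one entry carrying a count."""
    return Counter((e["src"], e["dst"], e["kind"], e["detail"], e["patch"]) for e in events)


def correlate(agg, scan):
    """Threat correlation: combine IDS, firewall and scan data into incidents."""
    incidents = []
    # Rule 1 (hypothetical): a worm signature is only critical if the target is unpatched.
    for (src, dst, kind, detail, patch), n in agg.items():
        if kind == "ids" and detail.startswith("WORM_"):
            vulnerable = patch in scan.get(dst, set())
            incidents.append({
                "category": "Worm - Client Vulnerable" if vulnerable else "Worm - Client Not Vulnerable",
                "level": HIGH if vulnerable else LOW, "src": src, "dst": dst, "events": n})
    # Rule 2 (hypothetical): one source denied to >= 5 distinct hosts looks like a sweep.
    targets, hits = defaultdict(set), Counter()
    for (src, dst, kind, _detail, _patch), n in agg.items():
        if kind == "fw_deny":
            targets[src].add(dst)
            hits[src] += n
    for src, hosts in targets.items():
        if len(hosts) >= 5:
            incidents.append({"category": "Suspicious Activity", "level": MEDIUM,
                              "src": src, "dst": f"{len(hosts)} hosts", "events": hits[src]})
    return incidents


def run_pipeline(lines, scan):
    """Log consolidation -> normalise -> filter -> aggregate -> correlate -> report."""
    events = [normalise(line) for line in lines]
    interesting = [e for e in events if not is_benign(e)]
    incidents = correlate(aggregate(interesting), scan)
    report = {  # Reporting: the counts a funnel slide like the one above is built from
        "raw_events": len(events),
        "filtered_out": len(events) - len(interesting),
        "events_of_interest": len(interesting),
        "incidents": len(incidents),
        "by_level": dict(Counter(i["level"] for i in incidents)),
    }
    return incidents, report


if __name__ == "__main__":
    incs, rep = run_pipeline(FIREWALL_LINES + IDS_LINES, SCAN_RESULTS)
    for i in incs:
        print(f"{i['level']:14} {i['category']:30} {i['src']} -> {i['dst']} ({i['events']} events)")
    print(rep)
```

The point the funnel slide makes is reproduced in miniature: 22 raw events shrink to 14 after the negative filter and to three incidents after aggregation and correlation, and the same IDS signature lands at Low or High depending on a second source (the scan results), which is the kind of cross-source judgement a signature-only tool cannot make.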
Bot, Worm and Virus Attack Visibility and Alerting
• What malware is infiltrating my environment, and how is it propagating?
• Is my Anti-Virus infrastructure able to handle malware?
Hacker Detection
• Who is attacking me?
• What are they attacking?
Bandwidth Hogs and Policy Violations
• What users are bandwidth hogs?
• What protocols, services and applications are they accessing?
Application Access Monitoring
• Which Systems have suspicious access/application activity?
• Are terminated accounts still being used?
• Which accounts are being used from suspicious locations?
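The application-access questions above (and the same three questions on the earlier slide: suspicious access activity, terminated accounts still in use, accounts used from suspicious locations) are answered in a SIEM by joining authentication logs with data the logs themselves do not carry: an HR leaver list and an IP-to-location lookup. The Python below is an added example for this page, not code from the deck or from any product; the auth log lines, user names, addresses, country table and termination dates are all constructed, and the 3-hour "impossible travel" window is an assumed threshold.

```python
"""Application-access monitoring rules over authentication logs:
  1. terminated accounts still being used,
  2. successful logins from a country the account is not expected in,
  3. one account used from two countries too close in time to be one person.

Added illustration; not code from the deck or from any vendor product. The
log lines, users, addresses, GeoIP table, termination dates and the 3-hour
travel window are all constructed assumptions.
"""
import re
from datetime import datetime, timedelta

LOW, MEDIUM, HIGH = "Low Threat", "Medium Threat", "High Threat"

# --- Constructed sample authentication log ----------------------------------
AUTH_LOG = [
    "2009-03-02T08:02:11 app=crm user=jsmith result=success src=192.0.2.10",
    "2009-03-02T09:15:40 app=crm user=aturner result=success src=192.0.2.11",
    "2009-03-02T10:30:55 app=crm user=jsmith result=failed src=203.0.113.44",
    "2009-03-02T10:31:20 app=crm user=jsmith result=success src=203.0.113.44",
    "2009-03-02T11:47:03 app=vpn user=bkhan result=success src=198.51.100.7",
    "2009-03-02T16:05:09 app=vpn user=aturner result=success src=203.0.113.200",
]
# Hypothetical enrichment data a SIEM would pull from HR and a GeoIP feed.
TERMINATED = {"bkhan": datetime(2009, 2, 27)}                  # account -> leaving date
EXPECTED_COUNTRY = {"jsmith": "GB", "aturner": "GB", "bkhan": "GB"}
GEOIP = {"192.0.2.": "GB", "198.51.100.": "GB", "203.0.113.": "RU"}   # prefix -> country
TRAVEL_WINDOW = timedelta(hours=3)

LOG_RE = re.compile(r"^(?P<ts>\S+) app=(?P<app>\S+) user=(?P<user>\S+) "
                    r"result=(?P<result>\S+) src=(?P<src>\S+)$")


def parse(line):
    """Normalise one auth log line; timestamps become datetimes for comparison."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), "app": m["app"],
            "user": m["user"], "result": m["result"], "src": m["src"]}


def geo(ip):
    """Toy GeoIP lookup by address prefix; unknown addresses map to '??'."""
    for prefix, country in GEOIP.items():
        if ip.startswith(prefix):
            return country
    return "??"


def finding(rule, level, ev, country):
    return {"rule": rule, "level": level, "user": ev["user"], "app": ev["app"],
            "src": ev["src"], "country": country, "ts": ev["ts"].isoformat()}


def analyse(lines, terminated=TERMINATED, expected=EXPECTED_COUNTRY,
            window=TRAVEL_WINDOW):
    """Run the three rules over the log in time order and return the findings."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    findings = []
    last_seen = {}   # user -> (timestamp, country) of the previous successful login
    for e in events:
        user, country = e["user"], geo(e["src"])
        # Rule 1: any use (even a failed attempt) of an account after its leaving date.
        if user in terminated and e["ts"] >= terminated[user]:
            findings.append(finding("Terminated account in use", HIGH, e, country))
        if e["result"] != "success":
            continue
        # Rule 2: successful login from a country the account is not expected in.
        if country != expected.get(user):
            findings.append(finding("Login from unexpected location", MEDIUM, e, country))
        # Rule 3: two successful logins from different countries inside the window.
        prev = last_seen.get(user)
        if prev and prev[1] != country and e["ts"] - prev[0] <= window:
            findings.append(finding(f"Impossible travel {prev[1]}->{country}", HIGH, e, country))
        last_seen[user] = (e["ts"], country)
    return findings


if __name__ == "__main__":
    for f in analyse(AUTH_LOG):
        print(f"{f['level']:14} {f['rule']:32} {f['user']}@{f['app']} from {f['src']} ({f['country']}) at {f['ts']}")
```

Rule 1 is the one most worth automating: it needs no tuning, only a current leaver feed, and every hit is a process failure (the account should not exist) rather than a judgement call. Rules 2 and 3 produce findings that still need an analyst or the client to confirm, which is why they are placed at Medium here and why the travel window is the parameter to adjust against the estate's real VPN usage.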
Remote Access
• Where are my remote users coming from and what are they accessing?
• Are the remote computers coming in secure and up to date?
System and User Impact
• What users and equipment are compromised?
• How much degradation is there in my IT environment?
Are my compliance controls working?
• Will I pass my next audit?
• Am I subject to fines and penalties?
Better Collection: fits all IT environments
Stronger Correlation: catches all incidents
Automated Expertise: requires fewer resources
Boxing Orange
SIEM Service
Industry Leading
SIEM Platform
Software as a Service Platform
Industry Leading
24x7 SOC
8 years of delivering Managed Security Services
24hr Security Operations Centre
Innovative Security Solutions and Service
Highly skilled professional services team & support analysts
Wide experience in multi vendor environments
PCI:SSC ASV accredited
Thank You