Siem Overview 2009

Security Information and Event Management: Know Your Stuff

Description: Current overview of Boxing Orange's Managed SIEM offering

Transcript of Siem Overview 2009

Page 1: Siem Overview 2009

Security Information and Event Management: Know Your Stuff

Page 2: Siem Overview 2009

What is SIEM?

Security and Compliance Challenges

Cost Benefits

Benefits of Automated Security Analysis

Page 3: Siem Overview 2009

MORE Hackers, Malware, and Attacks

MORE Penalties

LESS Headcount

What you need

Page 4: Siem Overview 2009

Bot, Worm, and Virus Attacks

Hacker Detection

Bandwidth Hogs and Policy Violations

Unauthorised Application Access

MORE Penalties

LESS Headcount

Rolling the Dice on The “Unlucky Seven”

VPN Sneak Attacks

System and User Impact

Failed Audits, Fines and Penalties

Page 5: Siem Overview 2009

What malware is infiltrating my environment, and how is it propagating?

Is my Anti-Virus system able to mitigate malware threats?

[Network diagram: Corporate HQ, Branch Office, Remote Workers via Home VPN and Public VPN, Wireless Hot-Spot, Public Network]

Page 6: Siem Overview 2009

[Network diagram: Corporate HQ, Branch Office, Remote Workers via Home VPN and Public VPN, Wireless Hot-Spot, Public Network]

Who is attacking me and where are they attacking from?

Which of my internal systems are they attacking?

Page 7: Siem Overview 2009

What internal systems are used most, and from where?

Who is using the most bandwidth and what protocols, services or applications are they accessing?

[Network diagram: Corporate HQ, Branch Office, Remote Workers via Home VPN and Public VPN, Mobile Users, Wireless Hot-Spot, Public Network]

Page 8: Siem Overview 2009

Which systems have suspicious access/ application activity?

Are terminated accounts still being used?

Which accounts are being used from suspicious locations?

[Network diagram: Corporate HQ, Branch Office, Remote Workers via Home VPN and Public VPN, Mobile Users, Wireless Hot-Spot, Public Network]

Page 9: Siem Overview 2009

Which systems have suspicious access/ application activity?

Are terminated accounts still being used?

Which accounts are being used from suspicious locations?

Page 10: Siem Overview 2009

Where are my remote users coming from, what are they accessing?

Are the computers connecting remotely secure and up to date?

[Network diagram: Corporate HQ, Branch Office, Remote Workers via Home VPN and Public VPN, Mobile Users, Wireless Hot-Spot, Public Network]

Page 11: Siem Overview 2009

What users and equipment are affected?

What is the level of degradation in my environment?

Page 12: Siem Overview 2009

Page 13: Siem Overview 2009

Definition of SIM / SEM / SIEM

Four major functions of SIEM

Log Consolidation

Threat Correlation

Incident Management

Reporting

Page 14: Siem Overview 2009

Remaining Events of Interest (event funnel shown on the slide, one reporting period):

Sources: 26 Firewalls, 10 IDS / IPS, 271 Servers / Other

BO Connector & ESM Platform: Normalization & Aggregation

510,618,423 events collected

Negative Filter: 506,813,197 events discarded

Event Consolidation: 3,805,226 events remain

Anomaly Filter: 1,628 of those events flagged (3,803,598 not flagged)

Positive Filter: 207,499 events

Rules/Logic/Correlation Engines: 5,633 events, fed by Information from Rules, Intelligence, Scanning, Trending & Auditing, and categorized as:

Security Event - Worm - Client Not Vulnerable: 1 Incident (21 Events)

Security Event - Suspicious Activity: 3 Incidents (32 Events)

Security Event - Benign: 5,532 Events

Security Event - System / Application: 1 Incident (48 Events)

BO People & Process

Incident Handling Process: Aggregate, Correlate, Categorize, Assess Threat, and Respond

Low Threat: Incident is logged for future correlation and reporting, but no further action is required.

Medium Threat: Incident requires near-term intervention by the incident response team and/or the client to prevent an availability or security issue.

High Threat: Incident requires immediate intervention by the incident response team and the client to prevent and/or remediate an availability or security issue in progress.

Inform Client
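The funnel above, worked through in miniature as an added example (not Boxing Orange's code or platform): a dozen constructed firewall, IDS and server log lines are normalized, consolidated into counted records, passed through a negative filter (known noise), a positive filter (IDS alerts) and an anomaly filter (port sweeps, repeated authentication failures), then correlated into categorized incidents rated Low/Medium/High using the slide's definitions. The log format, the thresholds and the NOT_VULNERABLE asset table are assumptions made for the illustration.

```python
"""Toy SIEM event funnel: consolidate -> filter -> correlate -> triage.
Added illustration of the slide's pipeline, not Boxing Orange code; the log
lines, thresholds and asset-intelligence table are all constructed/assumed."""
from collections import Counter, defaultdict

# Constructed raw events from a firewall, an IDS and a server.
RAW_LOGS = [
    "fw01 ACCEPT src=10.0.0.5 dst=10.0.1.20 dport=443",  # normal web traffic
    "fw01 ACCEPT src=10.0.0.5 dst=10.0.1.20 dport=443",  # exact duplicate
    "fw01 DENY src=203.0.113.9 dst=10.0.1.20 dport=22",  # one host probing
    "fw01 DENY src=203.0.113.9 dst=10.0.1.20 dport=23",  # several ports
    "fw01 DENY src=203.0.113.9 dst=10.0.1.20 dport=445",
    "fw01 DENY src=203.0.113.9 dst=10.0.1.20 dport=3389",
    "ids01 ALERT sig=WORM-SMB-SPREAD src=198.51.100.7 dst=10.0.1.30",
    "srv01 AUTH_FAIL user=jsmith src=10.0.0.77",  # brute force ...
    "srv01 AUTH_FAIL user=jsmith src=10.0.0.77",
    "srv01 AUTH_FAIL user=jsmith src=10.0.0.77",
    "srv01 AUTH_OK user=jsmith src=10.0.0.77",  # ... then success
    "srv01 HEARTBEAT status=ok",
]
# Assumed asset intelligence (the slide's "Scanning"): targets already
# patched against the signature the IDS fired on.
NOT_VULNERABLE = {("10.0.1.30", "WORM-SMB-SPREAD")}

def normalize(line):
    """Normalization: 'host ACTION k=v k=v ...' -> flat dict."""
    host, action, *kvs = line.split()
    event = {"host": host, "action": action}
    for kv in kvs:
        key, _, value = kv.partition("=")
        event[key] = value
    return event

def consolidate(events):
    """Aggregation: collapse identical events into one record with a count."""
    counts = Counter(tuple(sorted(e.items())) for e in events)
    return [dict(items, count=n) for items, n in counts.items()]

def negative_filter(events):
    """Drop known noise so it never reaches the correlation engine."""
    def is_noise(e):
        return e["action"] == "HEARTBEAT" or (
            e["action"] == "ACCEPT" and e.get("dport") == "443")
    return [e for e in events if not is_noise(e)]

def positive_filter(events):
    """Always of interest regardless of volume: IDS/IPS alerts."""
    return [e for e in events if e["action"] == "ALERT"]

def anomaly_filter(events, scan_ports=4, fail_threshold=3):
    """Only suspicious in aggregate: port sweeps and repeated auth failures."""
    denied_ports, fails = defaultdict(set), Counter()
    for e in events:
        if e["action"] == "DENY":
            denied_ports[e["src"]].add(e["dport"])
        elif e["action"] == "AUTH_FAIL":
            fails[(e["host"], e["user"])] += e["count"]
    scanners = {s for s, ports in denied_ports.items() if len(ports) >= scan_ports}
    brute = {acct for acct, n in fails.items() if n >= fail_threshold}
    return [e for e in events
            if (e["action"] == "DENY" and e["src"] in scanners)
            or (e["action"] in ("AUTH_FAIL", "AUTH_OK")
                and (e["host"], e["user"]) in brute)]

def correlate(events):
    """Group events of interest into categorised, threat-rated incidents."""
    incidents, by_src, by_acct = [], defaultdict(list), defaultdict(list)
    for e in events:
        if e["action"] == "ALERT":
            # Asset intelligence decides whether the worm hit a vulnerable client.
            vuln = (e["dst"], e["sig"]) not in NOT_VULNERABLE
            incidents.append({"category": "Worm - Client " + ("Vulnerable" if vuln else "Not Vulnerable"),
                              "threat": "High" if vuln else "Low", "events": e["count"]})
        elif e["action"] == "DENY":
            by_src[e["src"]].append(e)
        elif e["action"] in ("AUTH_FAIL", "AUTH_OK"):
            by_acct[(e["host"], e["user"])].append(e)
    for src, evs in by_src.items():  # one source denied on many ports: reconnaissance
        incidents.append({"category": "Suspicious Activity", "threat": "Medium",
                          "events": sum(e["count"] for e in evs), "src": src})
    for (host, user), evs in by_acct.items():
        # Failures followed by a success on the same account: likely compromise.
        ok = any(e["action"] == "AUTH_OK" for e in evs)
        incidents.append({"category": "System / Application", "threat": "High" if ok else "Medium",
                          "events": sum(e["count"] for e in evs), "user": user})
    return incidents

def run_funnel(lines):
    """Reporting: funnel counts at each stage plus the resulting incidents."""
    raw = [normalize(line) for line in lines]
    consolidated = consolidate(raw)
    kept = negative_filter(consolidated)
    of_interest = positive_filter(kept) + anomaly_filter(kept)
    return {"events_collected": len(raw),
            "records_after_consolidation": len(consolidated),
            "dropped_by_negative_filter": len(raw) - sum(e["count"] for e in kept),
            "events_of_interest": sum(e["count"] for e in of_interest),
            "incidents": correlate(of_interest)}

if __name__ == "__main__":
    for key, value in run_funnel(RAW_LOGS).items():
        print(key, value)
```

Running the module prints the stage counts and three incidents: the worm alert is rated Low because the asset table says the target is not vulnerable, the port sweep is Medium, and the brute force that ended in a successful login is High. The point the slide's numbers make is the same at any scale: most volume is discarded early, and anything the negative filter drops is never available for correlation later, so those rules deserve the most scrutiny.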

Page 15: Siem Overview 2009

Bot, Worm and Virus Attack Visibility and Alerting

• What malware is infiltrating my environment, and how is it propagating?

• Is my Anti-Virus infrastructure able to handle malware?

Hacker Detection

• Who is attacking me?

• What are they attacking?

Bandwidth Hogs and Policy Violations

• What users are bandwidth hogs?

• What protocols, services and applications are they accessing?

Application Access Monitoring

• Which Systems have suspicious access/application activity?

• Are terminated accounts still being used?

• Which accounts are being used from suspicious locations?
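Two of the Application Access Monitoring questions above (terminated accounts still in use, accounts used from suspicious locations) worked as an added example, not Boxing Orange's code: successful logins from constructed application log lines are correlated against a constructed HR feed and a site table standing in for the locations on the network diagram. The HR_FEED, SITES and EXPECTED_SITES tables and the log format are assumptions made for the illustration.

```python
"""Application access monitoring: terminated accounts still in use and
logins from unexpected locations. Added example, not Boxing Orange code;
the HR feed, site table, expected-location policy and auth log lines are
all constructed for illustration."""
from datetime import date

# Constructed HR feed: account -> termination date, or None if still employed.
HR_FEED = {"jsmith": None, "bwayne": date(2009, 3, 1), "svc_backup": None}

# Constructed mapping of address prefixes to sites on the network diagram;
# anything unmatched is treated as the Public Network.
SITES = {"10.0.": "Corporate HQ", "10.8.": "Branch Office", "172.16.": "Home VPN"}

# Assumed policy: the sites each account is expected to log in from.
EXPECTED_SITES = {"jsmith": {"Corporate HQ", "Home VPN"},
                  "bwayne": {"Branch Office"},
                  "svc_backup": {"Corporate HQ"}}

# Constructed application authentication log lines.
AUTH_LOGS = [
    "2009-03-15 app01 LOGIN_OK user=jsmith src=10.0.0.77",
    "2009-03-15 app01 LOGIN_OK user=bwayne src=10.8.1.4",          # left on 1 Mar
    "2009-03-15 app02 LOGIN_OK user=svc_backup src=198.51.100.23",  # from outside
    "2009-03-15 app01 LOGIN_OK user=jsmith src=172.16.5.9",
    "2009-02-20 app01 LOGIN_OK user=bwayne src=10.8.1.4",          # before leaving
]

def parse(line):
    """'YYYY-MM-DD host ACTION k=v ...' -> dict with a real date object."""
    day, host, action, *kvs = line.split()
    event = {"when": date.fromisoformat(day), "host": host, "action": action}
    for kv in kvs:
        key, _, value = kv.partition("=")
        event[key] = value
    return event

def locate(ip):
    """Map a source address to a site; unknown prefixes are the Public Network."""
    for prefix, site in SITES.items():
        if ip.startswith(prefix):
            return site
    return "Public Network"

def check_terminated(event):
    """Terminated-account rule: fires only for logins on or after the leaving date."""
    left = HR_FEED.get(event["user"])
    if left is not None and event["when"] >= left:
        return f"terminated account {event['user']} used on {event['host']}"
    return None

def check_location(event):
    """Suspicious-location rule: login from a site outside the account's policy."""
    site = locate(event["src"])
    if site not in EXPECTED_SITES.get(event["user"], set()):
        return f"{event['user']} logged in to {event['host']} from {site} ({event['src']})"
    return None

def monitor(lines):
    """Run both rules over successful logins; return findings and per-system counts."""
    findings, per_system = [], {}
    for event in (parse(line) for line in lines):
        if event["action"] != "LOGIN_OK":
            continue
        for rule in (check_terminated, check_location):
            msg = rule(event)
            if msg:
                findings.append((rule.__name__, msg))
                per_system[event["host"]] = per_system.get(event["host"], 0) + 1
    return findings, per_system

if __name__ == "__main__":
    found, systems = monitor(AUTH_LOGS)
    for rule, msg in found:
        print(rule, "->", msg)
    print("systems with suspicious access:", systems)
```

The terminated-account rule compares the login date with the leaving date, so historical logins from before termination do not fire; the location rule treats any address that matches no known site as the Public Network, which is also how an unmanaged remote worker shows up. The per-system counts answer the first question on the list, which systems show suspicious access activity.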

Page 16: Siem Overview 2009

Remote Access

• Where are my remote users coming from and what are they accessing?

• Are the remote computers coming in secure and up to date?

System and User Impact

• What users and equipment are compromised?

• How much degradation is there in my IT environment?

Are my compliance controls working?

• Will I pass my next audit?

• Am I subject to fines and penalties?

Page 17: Siem Overview 2009

Better Collection: fits all IT environments

Stronger Correlation: catches all incidents

Automated Expertise: requires fewer resources

Page 18: Siem Overview 2009

Boxing Orange SIEM Service: industry leading SIEM platform, delivered as a Software as a Service platform, backed by an industry leading 24x7 SOC

8 years of delivering Managed Security Services

24hr Security Operations Centre

Innovative Security Solutions and Services

Highly skilled professional services team & support analysts

Wide experience in multi vendor environments

PCI SSC ASV accredited

Page 19: Siem Overview 2009

Thank You