SIEM: The Integralis Difference
January, 2013
Avoid the SIEM Pitfalls: Get it right the first time
Common SIEM challenges
08/02/2013 2
• Maintaining staffing levels 24/7
• Blended skill set, continuous building of rules and logic
• Escalation of issues – to decentralized Network, Systems and Application support teams
• Local knowledge of network infrastructure
• Reporting, trending, KPI and business reporting tasks
• Complex architecture required to provide relevant information - context behind events
Common deployment challenges
• Complex technical architecture
• Complex logic and integration between products
• Business process integration
• Phased implementation - combined with ongoing management
• Continual need for ongoing service improvement
• Skill set / resources to manage
• Ongoing network and business change
Event Funnel Modeling – What SIEM Vendors don't tell you
Per-day funnel (Total Events → SIEM correlation, deduplication, etc. → Critical Events / "Potential Tickets" → SOC analysis and investigation → Escalated Tickets):
• 2,000,000 Total Events
• 17,560 Viewable Events
• 196 Critical Events per day ("potential tickets")
• 91 Escalated Tickets – 91 True Positive Escalations*
Escalating When It Matters:
• 5 minutes per Critical Event – 16 hours of analysis
• 10 minutes per Ticket Escalation – 15 hours of ticket escalation
• Doesn't include ticket closure time
• 77% of all escalations were true positives; vendor default signatures average 6%
• 3.79 true positives every hour
• Head count requirements – 24x7: 7 FTE; 9x6: 4 FTE
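The funnel arithmetic above, carried through as an added example (this is not code from the deck or from Integralis): a small Python model that takes the slide's per-day counts and the 5- and 10-minute handling times and returns analyst-hours, the true-positive rate and a head-count estimate. The seat/FTE formula, the 38 productive hours per FTE per week and the one-seat floor for a staffed watch are assumptions of mine, not figures from the deck.

```python
"""Event-funnel workload model for a SIEM-fed SOC.

Added example; not code from the deck or from Integralis. It reproduces
the per-day funnel on the slide (2,000,000 raw -> 17,560 viewable ->
196 critical -> 91 escalated, 91 true positives) and converts it into
analyst-hours, a true-positive rate and a rough head count. The
seat/FTE formula and the 38 productive hours per FTE per week are
assumptions, not figures from the deck.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Funnel:
    raw_events: int         # everything collected per day
    viewable_events: int    # left after SIEM correlation / deduplication
    critical_events: int    # "potential tickets" surfaced to the SOC
    escalated_tickets: int  # escalated after SOC analysis and investigation
    true_positives: int     # escalations confirmed as real incidents

    def survival(self, stage_in, stage_out):
        """Fraction of events that survive a funnel stage."""
        return stage_out / stage_in

    def analysis_hours(self, minutes_per_critical=5.0):
        """Analyst time per day to triage every critical event."""
        return self.critical_events * minutes_per_critical / 60.0

    def escalation_hours(self, minutes_per_ticket=10.0):
        """Analyst time per day to write up and hand off escalations
        (ticket closure is not included, as the slide notes)."""
        return self.escalated_tickets * minutes_per_ticket / 60.0

    def daily_hours(self, minutes_per_critical=5.0, minutes_per_ticket=10.0):
        return (self.analysis_hours(minutes_per_critical)
                + self.escalation_hours(minutes_per_ticket))

    def true_positive_rate(self):
        return self.true_positives / self.escalated_tickets

    def true_positives_per_hour(self):
        return self.true_positives / 24.0


def seats_needed(daily_hours, covered_hours_per_day):
    """Concurrent analyst seats needed to absorb the daily workload inside
    the covered hours (24 for 24x7, 9 for 9x6). Assumption: a watch that
    is staffed at all never drops below one seat, however light the load."""
    return max(1.0, daily_hours / covered_hours_per_day)


def fte_needed(seats, covered_hours_per_week, productive_hours_per_fte=38.0):
    """Head count to keep `seats` filled for `covered_hours_per_week`.
    Assumption: ~38 productive hours per FTE per week once leave, training
    and shift handover are taken out. Rounded up: partial people don't exist."""
    return math.ceil(seats * covered_hours_per_week / productive_hours_per_fte)


# Figures from the deck's funnel slide.
DECK_FUNNEL = Funnel(raw_events=2_000_000, viewable_events=17_560,
                     critical_events=196, escalated_tickets=91, true_positives=91)


def staffing_summary(f=DECK_FUNNEL):
    """Funnel ratios, daily analyst-hours and FTE estimates for 24x7 and 9x6."""
    hours = f.daily_hours()
    return {
        "viewable_ratio": f.survival(f.raw_events, f.viewable_events),
        "critical_ratio": f.survival(f.viewable_events, f.critical_events),
        "analysis_hours": f.analysis_hours(),
        "escalation_hours": f.escalation_hours(),
        "true_positives_per_hour": f.true_positives_per_hour(),
        "fte_24x7": fte_needed(seats_needed(hours, 24), 24 * 7),
        "fte_9x6": fte_needed(seats_needed(hours, 9), 9 * 6),
    }


if __name__ == "__main__":
    for k, v in staffing_summary().items():
        print(f"{k:>24}: {v:.4g}" if isinstance(v, float) else f"{k:>24}: {v}")
```

Two caveats when you plug in your own numbers. The slide's "77% of all escalations were true positives" cannot be reproduced from 91 escalated tickets and 91 true positives (the denominator it uses is not stated), so `true_positive_rate()` returns 1.0 on the deck's inputs; use your own ticket counts. The model gives 6 and 5 FTE against the deck's 7 and 4; it costs only triage and escalation time, not the shift cover, rule building and reporting the deck lists under common SIEM challenges, so treat its output as a floor.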
Filling the gaps - Situational Awareness
• As defined by Gartner, a situational awareness capability requires organizations to collect, analyze, correlate, and report on all security data
• Customers are at an inflection point in the market – from compliance-driven projects to security-driven projects
• Security point products (SIEM, configuration audit, NBA, etc.) do not meet these requirements by themselves!
“Situational Awareness is Needed by Government and Enterprise Security Organizations for Effective Threat Discovery and Risk Mitigation”
- Gartner, “Delivering Situational Awareness” (July, 2011)
Situational Awareness Capability – data it requires:
• SIEM – Logs and other event-based data
• Threat Intelligence – Threat feeds and known countermeasures
• Asset Vulnerability State – Vulnerability assessment data
• User Activity – IDM/IAM and directory data
• Connectivity State – Performance and availability data
• Asset Criticality – Asset and inventory data
• Configuration State – System security configuration data
• Forensics – All security data
The Need for Situational Awareness: Threat Drivers
(Chart: time on the horizontal axis, < 2000 to > 2012; "Threat Source Motivation and Attack Complexity" on the vertical axis, rising together with the "Level of Security Intelligence Required to Detect, Protect and Respond to Threats".)
Threat sources, in order of rising motivation and attack complexity:
• Individual Hit-and-Run
• Hacking Groups
• Organized Crime / Monetization
• State- and State-Sponsored Actors
Threats plotted along the curve: DOS Attacks, DDOS Attacks, Virus/Trojans/Malware, Identity Theft, Wikileaks/Insider Threats, IP Theft, APTs, Bots, Social Engineering, Cyberterrorism
Monitoring capability required at each level:
• Log Mgmt.: Log Aggregation; Manual Log Monitoring
• SIEM: SIEM-based security monitoring; Log and vulnerability data correlation
• Situational Awareness: Correlation across multiple data types; Collection, normalization, analysis, alerting and reporting on all security data; Asset inventory and change data; Threat intelligence integration; Advanced profiling
The Need for Situational Awareness: Compliance Drivers
(Chart: "Compliance Program Optimization", TACTICAL to STRATEGIC, on the horizontal axis; "Compliance Program Requirements" on the vertical axis. As Compliance Program Maturity and Optimization Requirements rise, programs move from Reactive, Post-Audit Focused through Event-Driven and Audit-Driven to Integrated Business Process and Continuous Monitoring.)
NO TOOLS / MINIMAL TOOLS
• Incomplete, inconsistent data
• Unknown state of security controls
• Substantial audit findings and sanctions
SIEM / LOG MANAGEMENT TOOLSET
• Standardized reporting
• Manual audits
• Multiple tools, often with inconsistent and/or overlapping data
• Extended audit periods
SITUATIONAL AWARENESS TOOLSET
• Fully automated
• Single source of information for all compliance-related attestation and reporting
• Continuous monitoring across all aspects of security data
• Historical trend analysis for compliance reporting
• Fast, efficient audit periods
The Need for Integralis Situational Awareness
Data sources that feed situational awareness: User Context; Asset Criticality; Threat Intelligence; System Configuration Monitoring; Network Behavioral Analysis; Log Monitoring and SIEM; File Integrity Monitoring
Essential security controls:
• Pick essential security controls, put in place without exception
• Change default credentials, create unique passwords and don't share them
• Regularly review active accounts to make sure they are valid, necessary, properly configured and given only appropriate privileges
• Secure remote access services
• Monitor and filter outbound traffic for suspicious communications
• Define, monitor and alert on anomalous network behavior
• Implement effective monitoring for and response to critical log data
• Test applications, review code and encourage developers to write more secure code
• Regularly review basic breach indicators
• Run regular incident tests and practice responses
• Restrict and monitor privileged users
• Increase awareness of social engineering
Tooling: Log Mgmt and SIEM Tools plus Configuration Audit Tools, combined into Situational Awareness – No Gaps in Security Data, Complete Context
Scope of Common Security Threats
Identified by the 2012 Verizon Data Breach Investigations Report (DBIR):
• Hacking, e.g. Use of Stolen Credentials, Channel Exploitation
• Malware, e.g. Backdoors, Rootkits, Command-and-Control
• Physical Tampering
• Keyloggers / Form Grabbers / Spyware
• Social Engineering (Pretexting)
• Brute-Force Attacks
• SQL Injection Attacks
• Unauthorized Access via Default Credentials
• Phishing / Spear Phishing / Vishing
Mapped against the 2012 DBIR Security Control Recommendations
SIEM Operational Architecture - Integralis
Log Aggregation: Raw Log Viewing; Storage & HA; Data Mining; Forensic Apps
SIEM: Normalization; Correlation; Security Policy Enforcement; Reporting; Incident Forensics; False Positive Analysis
SOC: Monitoring; Case Management; Reporting; GRC; Forensic Analysis
Staffing – Separation of Duties: SOC; SIEM; NAC; DLP; IT Tech & Deployment; OSCE Staff
Native Collection
• APIs: WMI, SDEE, RDEP, CPMI, dozens more
• Protocols: syslog, ssh, snmp MIB/trap, netflow, dozens more
• Optional Agent: native FIM, Directory monitor, Registry monitor, USB monitor
SDK – Universal Parser (UP)
• New syslog sources
• ODBC sources
• SDK: any data type, using a simple XML-based API
• Example sources: log mgmt tools, SIEM tools, config mgmt tools, NMCs, custom apps
Achieving Situational Awareness with Integralis
Data from IT Assets and the point tool that holds it today:
• Logs and Events, Known Vulnerabilities – Log Management or SIEM Tools
• Asset Inventory, Security Configuration Settings – Configuration Audit Tools
• Netflow Data – NBA Tools
• Performance Metrics – SNMP Tools
• File Integrity Data – FIM Tools
• Threat Intelligence Data – Threat Intel Tools
• User Data – IDM/Directory Tools
The Point Security Tool Approach – problems with this approach:
• No Cross-Correlation = No Situational Awareness
• Operational Inefficiency
• No Compliance Automation
• High TCO
The Integralis Situational Awareness Approach: the same sources (directly and/or through the existing point tools) feed a Unified Data Model, heavily indexed and optimized for ad hoc query activity and the long-term storage of historical event, context and state data, split into a Correlation Database, a Forensic Database and a Reporting Database.
UI: Dashboards; Reports; Monitors; Alerts; Workflow; Visualization; Forensics
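The operational architecture and unified-data-model slides above describe the chain native collection → normalization → correlation → context enrichment without showing what it does to a concrete event. The following is an added example of that chain, not code from the deck or from Integralis: two constructed feeds (sshd syslog lines and Windows 4624/4625 logon records) are normalized into one schema, deduplicated, run through two correlation rules, and enriched with asset criticality, vulnerability state, user privilege and threat-intelligence context before scoring. The log lines, context tables, field names, rule names and score weights are all invented for illustration.

```python
"""Normalize, deduplicate, correlate and enrich authentication events.

Added example, not code from the deck or from Integralis. Every log
line, context table, field name, rule and score weight below is
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inputs (not real logs): sshd lines as a syslog collector would forward them.
SYSLOG_LINES = [
    "2013-02-08T10:00:01Z web01 sshd[411]: Failed password for root from 203.0.113.9 port 50001 ssh2",
    "2013-02-08T10:00:03Z web01 sshd[411]: Failed password for root from 203.0.113.9 port 50002 ssh2",
    "2013-02-08T10:00:03Z web01 sshd[411]: Failed password for root from 203.0.113.9 port 50002 ssh2",  # forwarded twice
    "2013-02-08T10:00:05Z web01 sshd[411]: Failed password for root from 203.0.113.9 port 50003 ssh2",
    "2013-02-08T10:00:07Z web01 sshd[411]: Failed password for root from 203.0.113.9 port 50004 ssh2",
    "2013-02-08T10:00:09Z web01 sshd[411]: Failed password for root from 203.0.113.9 port 50005 ssh2",
    "2013-02-08T10:00:20Z web01 sshd[412]: Accepted password for root from 203.0.113.9 port 50006 ssh2",
    "2013-02-08T10:05:00Z db01 sshd[900]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
]
# Windows logon records already structured by an agent (4625 = failed logon, 4624 = successful logon).
WIN_EVENTS = [
    {"TimeCreated": "2013-02-08T10:02:00Z", "Computer": "dc01", "EventID": 4625,
     "TargetUserName": "svc_backup", "IpAddress": "203.0.113.9"},
    {"TimeCreated": "2013-02-08T10:02:10Z", "Computer": "dc01", "EventID": 4624,
     "TargetUserName": "svc_backup", "IpAddress": "203.0.113.9"},
]
# Context from the unified data model: asset inventory + vulnerability state, IDM data, threat intel.
ASSETS = {"web01": {"criticality": "medium", "open_vulns": 2},
          "dc01": {"criticality": "high", "open_vulns": 0},
          "db01": {"criticality": "high", "open_vulns": 5}}
USERS = {"root": {"privileged": True}, "svc_backup": {"privileged": True}, "alice": {"privileged": False}}
THREAT_INTEL = {"203.0.113.9"}  # source IPs from a (constructed) threat feed

SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                     r"password for (?P<user>\S+) from (?P<ip>[\d.]+)")
ISO = "%Y-%m-%dT%H:%M:%SZ"

def normalize_syslog(line):
    """sshd syslog line -> common schema, or None if this parser does not own the line."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], ISO), "host": m["host"], "user": m["user"],
            "src_ip": m["ip"], "action": "auth_fail" if m["result"] == "Failed" else "auth_success"}

def normalize_windows(rec):
    """Windows 4624/4625 record -> the same common schema."""
    action = {4625: "auth_fail", 4624: "auth_success"}.get(rec["EventID"])
    if action is None:
        return None
    return {"ts": datetime.strptime(rec["TimeCreated"], ISO), "host": rec["Computer"],
            "user": rec["TargetUserName"], "src_ip": rec["IpAddress"], "action": action}

def normalize_all(syslog_lines, win_events):
    """Normalize both feeds, drop exact duplicates, return events in time order."""
    events = [e for e in map(normalize_syslog, syslog_lines) if e]
    events += [e for e in map(normalize_windows, win_events) if e]
    seen, unique = set(), []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["ts"], e["host"], e["user"], e["src_ip"], e["action"])
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique

def correlate(events, intel, threshold=5, window=timedelta(minutes=10)):
    """One alert per successful logon that matches a rule: `threshold`+ failures
    from the same source IP against the same host inside `window`, or a source
    that is on the threat feed. Per-(src_ip, host) state mimics a correlation engine."""
    alerts, by_pair = [], defaultdict(list)
    for e in events:
        by_pair[(e["src_ip"], e["host"])].append(e)
    for (ip, host), evs in by_pair.items():
        fails = []
        for e in evs:
            if e["action"] == "auth_fail":
                fails.append(e["ts"])
                continue
            recent = [t for t in fails if e["ts"] - t <= window]
            rules = []
            if len(recent) >= threshold:
                rules.append("bruteforce_then_success")
            if ip in intel:
                rules.append("success_from_known_bad_ip")
            if rules:
                alerts.append({"ts": e["ts"], "src_ip": ip, "host": host, "user": e["user"],
                               "failures": len(recent), "rules": rules})
            fails = []  # a success closes the failure window

    return alerts

def enrich(alert, assets, users, intel):
    """Add asset criticality, vulnerability state, user privilege and threat-intel
    context, then score. Weights are illustrative, not a vendor's."""
    asset, user = assets.get(alert["host"], {}), users.get(alert["user"], {})
    score = 40 + 10 * len(alert["rules"])
    score += {"high": 30, "medium": 15}.get(asset.get("criticality"), 0)
    score += 10 if asset.get("open_vulns", 0) > 0 else 0
    score += 15 if user.get("privileged") else 0
    score += 20 if alert["src_ip"] in intel else 0
    severity = "critical" if score >= 80 else "high" if score >= 60 else "medium"
    return dict(alert, score=score, severity=severity)

def run(syslog_lines=SYSLOG_LINES, win_events=WIN_EVENTS):
    """Full chain on the constructed feeds; alerts ordered by score, highest first."""
    events = normalize_all(syslog_lines, win_events)
    alerts = [enrich(a, ASSETS, USERS, THREAT_INTEL) for a in correlate(events, THREAT_INTEL)]
    return sorted(alerts, key=lambda a: a["score"], reverse=True)

if __name__ == "__main__":
    for a in run():
        print(a["severity"], a["score"], a["host"], a["user"], a["src_ip"], a["rules"])
```

Two things the point-tool approach cannot do are visible here: the duplicate sshd line is dropped before any rule runs, and the single-guess logon to dc01 (one failure, far below the brute-force threshold) is still raised, because the source address is matched against the threat feed and the account is privileged in the IDM data. Without that context the SIEM alone would see one failed and one successful logon and stay quiet.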
A New Approach to SIEM
• Integralis employs skilled Service Delivery Managers
and a business-savvy approach.
• SDMs are dedicated to your organization
– Establish enterprise-wide uniformity in responding to and addressing security incidents and events
– Understand legal, regulatory, and contractual requirements
– Review and develop SIEM policies and guidelines
– Increase efficiency through centralization and correlation
– Analyze and validate the true depth of enterprise security
visibility
– Develop a workable Incident Response Process
– Improve an existing SIEM implementation
How Do We Differentiate Our Service?
Typical Approach: Collect, Index, Store, Report
Integralis SDM Approach: Collect, Aggregate, Correlate, Assess, Respond, Report, Audit
Assurances
2/8/2013
Integralis Proprietary and Confidential
Integralis SIEM Offerings
• SIEM Architecture & Product Selection
• Technology Deployment
• Policy Creation & Tuning
• SIEM Managed Services
• SIEM Program Review
• Policy Review
• Log Source Discovery & Assessment
• Report Creation
• SIEM Pre-Assessment & GAP Analysis
• SIEM Sizing, Risk Based Asset modeling
• SIEM Product Evaluation and competitive testing
Service tiers: Introductory Service; Advisory Services; Technology Services; Follow-Up Services
Thank You & Questions?
Dale A. Tesch Jr
Director MaPs – NAC & SIEM Leader
http://www.linkedin.com/pub/dale-a-tesch-jr/1/194/85
http://www.ciscopress.com/bookstore/product.asp?isbn=1587052601