SORT OUT YOUR SIEM

www.siemstrategy.com, 16 October 2013

Transcript of SORT OUT YOUR SIEM

Page 1: SORT OUT YOUR SIEM

www.siemstrategy.com

16 October 2013

Page 2: SORT OUT YOUR SIEM

AGENDA

• SIEM today
  – How are you doing it?

• Why SIEM?
  – Business benefits
  – IT team benefits

• Introducing SIEM
  – What it is, and what it isn’t

• Four foundations for SIEM
  – Everything in place
  – Platform approach
  – Expert security contextualisation
  – Resourcing for 24/7 monitoring

• Sorting out your SIEM
  – In-house
  – SIEM-as-a-Service

Page 3: SORT OUT YOUR SIEM

WHY SIEM?

Page 4: SORT OUT YOUR SIEM

TODAY’S SIEM LANDSCAPE

We find IT leaders tend to operate in one of three ways when it comes to SIEM:

Ignore it
• Seat-of-the-pants security

Do the minimum
• Log collation and reporting for compliance

Functioning SIEM
• Platform approach
• Proactive threat detection

Page 5: SORT OUT YOUR SIEM

WHY SIEM?

Business benefits

• Service availability / uptime / minimise downtime
• Early warning system
• Better security intelligence
• More ‘known’ risks

IT benefits

• Proactive threat detection prevents incidents and the need for fire-fighting
• Efficient – data logs from the entire network are viewed via a single dashboard
• All IT teams have full visibility of all logs to find the root cause faster
• Reduce spend on security hardware by getting more from your existing infrastructure
• Optimise IT resources on value-creation projects

Page 6: SORT OUT YOUR SIEM

SIEM AS IT SHOULD BE

Page 7: SORT OUT YOUR SIEM

OPTIMISED SIEM ARCHITECTURE

[Architecture diagram. Agents in each customer data centre (Customer Data Centre 1 … n) collect logs from applications, databases, firewalls, switches and routers and forward them as compressed, encrypted logs over the WAN / Internet to the SecureData Cloud Data Centre, where Logging Managers feed an Event Manager and Advanced Intelligence. Events, alerts, alarms and reports flow to the SecureData 24x7 Security Operations Centre, which in turn issues report requests.]

Page 8: SORT OUT YOUR SIEM

8

WHAT IS SIEM, AND WHAT IS IT NOT?

SIEM is not only:
• Storing logs / logging
• PCI or compliance
• Reports
• Real time information
• Device logs
• Logs

But it is about:
• Log correlation and contextualisation
• Security intelligence
• Real time information
• Ability to view historical logs in a structured and targeted way
• All IT logs – physical access systems, coffee machines etc.
• Traffic flow, process information, file monitoring

Page 9: SORT OUT YOUR SIEM

HOW TO ADDRESS SIEM

Four foundations of SIEM:

1. Everything in one place
2. Logs glorious logs – think platform, not just devices
3. Making it make sense – the need for an expert eye
4. Resourcing for monitoring and threat mitigation

Page 10: SORT OUT YOUR SIEM

FOUR FOUNDATIONS FOR SIEM: 1 AND 2

1. Everything in one place

• 42% of IT managers see multiple logging systems as a security risk
• Centralise logs for real time correlation & analysis
• All logs, not just security device logs
• Use automation tools
• Benchmark alarms for your organisational norms
• Provide full network visibility through one pane of glass to identify the root cause
• Enable faster diagnostics and mitigation

2. Logs glorious logs

• Take a platform or a ‘big data’ approach to log correlation
• Set the platform up in the right way
• Pull in contextual data such as traffic, packet analysis, traffic flow, file management etc.
• Track security behaviour across the whole of the network
• 40% of IT managers have serious concerns about the time it takes to analyse data and logs
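As an added illustration of the first two foundations (not part of the original deck), a small Python correlation over a constructed centralised feed: lines from a firewall, an application server and a switch are normalised to one schema, correlated by source address across device types, and alarmed only when failures exceed an organisational baseline. The log formats, device names and the baseline value are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines from three device types, already gathered into one feed.
RAW_LOGS = [
    "2013-10-16T09:00:01 fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=22",
    "2013-10-16T09:00:03 fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=23",
    "2013-10-16T09:00:05 app01 LOGIN_FAIL user=alice src=198.51.100.7",
    "2013-10-16T09:00:09 app01 LOGIN_FAIL user=bob src=198.51.100.7",
    "2013-10-16T09:00:12 app01 LOGIN_OK user=bob src=198.51.100.7",
    "2013-10-16T09:00:20 sw01 LINK_DOWN port=Gi0/3",
    "2013-10-16T09:01:00 app01 LOGIN_FAIL user=carol src=203.0.113.9",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")  # assumed "ts device EVENT k=v ..." layout
HOSTILE = ("DENY", "LOGIN_FAIL")

def normalise(line):
    """Map one raw line onto a common schema: ts, device, event, plus any key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, device, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "device": device, "event": event, **fields}

def correlate(events, window_s=60, baseline=1):
    """Group events by source IP inside a time window and raise one alarm per source
    whose hostile activity spans more than one device type AND whose failure count is
    above the organisation's benchmark (baseline = failures considered normal)."""
    by_src = defaultdict(list)
    for e in events:
        if "src" in e:                      # switch LINK_DOWN has no src: context, not a suspect
            by_src[e["src"]].append(e)
    alarms = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        first = evs[0]["ts"]
        in_window = [e for e in evs if (e["ts"] - first).total_seconds() <= window_s]
        devices = {e["device"] for e in in_window if e["event"] in HOSTILE}
        fails = sum(1 for e in in_window if e["event"] in HOSTILE)
        success = any(e["event"] == "LOGIN_OK" for e in in_window)
        if len(devices) > 1 and fails > baseline:
            alarms.append({"src": src, "devices": sorted(devices),
                           "failures": fails, "then_success": success})
    return alarms

def run(lines=RAW_LOGS, baseline=1):
    """Normalise the feed, drop unparseable lines, and return the correlated alarms."""
    events = [e for e in map(normalise, lines) if e]
    return correlate(events, baseline=baseline)
```

Raising `baseline` to the failure count a given organisation sees as normal silences the alarm, which is the benchmarking step the slide describes.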

Page 11: SORT OUT YOUR SIEM

FOUR FOUNDATIONS FOR SIEM: 3 AND 4

3. Make it make sense

• Real time interpretation of SIEM monitoring is critical
• It requires an expert, human interface
• It’s important to distinguish between information and intelligence
• Security experts need to review the alarms and alerts to determine the action in the context of the organisation

4. Resourcing for monitoring and threat mitigation

• SIEM needs 24/7/365 monitoring
• Security skills on a continuous basis are expensive and under-utilised on monitoring
• Outputting a report each week is redundant practice in threat management
• SIEM can free up rather than use up resources by acting as an early warning system
• More time to mitigate threats enables resource planning and optimisation
• Reduce the need to ‘drop everything’ for attack fire-fighting

Page 12: SORT OUT YOUR SIEM

SORTING OUT SIEM

Page 13: SORT OUT YOUR SIEM

YOUR OPTIONS FOR SIEM

Internal

• Design, build, install

• Requires 24/7 resourcing

• Great if you have a SOC / NOC

• Security experts are expensive

Hybrid

• Fully managed SIEM by SecureData (some or all of it)

• Equipment located on customer site

SIEM as a service

• Monitoring: log correlation, remote service monitoring, notifications

• Managed: remote diagnostics and assistance, remote vulnerability scans, remote system updates

Page 14: SORT OUT YOUR SIEM

AFFINITY

SecureData SIEM-as-a-Service
- Wholly owned SOC across two sites
- 24x7x365 fully-manned operations
- Affinity platform for complete security monitoring

Page 15: SORT OUT YOUR SIEM

THE SECUREDATA DIFFERENCE

Proactive approach to security: We take a different approach to security, focusing on proactive monitoring and management to minimise business disruption for our clients. We offer the complete security spectrum, from assessing risk to detecting threats, protecting valuable assets and responding to breaches when they happen.

Excellent customer service and support: We offer independent consultancy through dedicated account managers and technical guardians to recommend business security solutions built on the leading security vendors in the industry. We work hard to partner with customers, and we offer flexibility to develop customised processes that fit with the customer. Our highly accredited technical staff give customers first-class support and fast resolution times, with the desire to do the best possible job every time.

24/7 security operations platform: We operate our own support teams and SOC, providing global reach with full responsibility for 24/7 security monitoring and management for customers. Owning the SOC enables us to better synthesise information, intelligence and transactions to proactively mitigate more threats before they impact the customer.

Page 16: SORT OUT YOUR SIEM

THANK YOU

www.siemstrategy.com

For more information, contact: [email protected], +44 1622 723456, www.secdata.com

Page 17: SORT OUT YOUR SIEM
