Transcript of The Next Generation of SIEM - TAG Cyber
TAG CYBER WEBINAR SERIES
ROGER THORNTON, CTO ALIENVAULT
The Next Generation of SIEM
OR THE END OF SIEM AS WE KNOW IT…
Agenda
A Little History
The problem with SIEM
What was our goal?
The next generation of SIEM
Paths forward
Let’s Define Terms
Log management: Simple collection and storage of log messages and audit trails.
Security information management (SIM): Long-term storage, analysis and reporting of log data.
Security event manager (SEM): Real-time monitoring, correlation of events, notifications and console views.
Security information and event management (SIEM): Combines SIM and SEM and provides real-time analysis of security alerts generated by network hardware and applications.
* Thank you Gartner - Mark Nicolett and Amrit Williams (2005)
“SIEM Kind of Sucks!” - Roger L. Thornton, 2010
Hard to Hide From the Facts
According to the Ponemon Institute, the typical SIEM customer:
• Has an average of 17K alerts per week
• Considers 81% of those unreliable
• Spends 2/3 of response effort (an average of $25K per week) on false alarms
Source: Ponemon Institute, “The Cost of Malware Containment”, Jan 2015
Getting Worse, Not Better
Source: Netwrix “2016 SIEM Efficiency Survey”
“There are no SIEM customers, just victims locked into a vendor.”
Deutsche Bank tech growth conference Cyber Security Panel. 9/13/2016
Let’s not forget the cost
Chart comes directly from the IBM website: $1.4M in costs, and bragging that it took on average 5.5 months to implement!
IBM QRadar Security Intelligence; independently conducted by Ponemon Institute LLC, February 2014
Fortune 500 Oil & Gas Corporation Case Study
The SIEM problem for us…
• Too many alerts
  • Traditional SIEM: one event/incident = one alert
  • “Ain’t nobody got time for that”
• Understaffed
  • Very limited number of folks for reviewing the alerts
• Lack of understanding of internal assets
  • Asset understanding is the key
• Potentially compliance driven
  • Compliance is not security and security is not compliance
• Continuous cost
SIEM Vendors
• Typical vendor: Just throw all the logs into it and you will find badness
• My response:
  • Yes and no
  • The more logs you throw at a SIEM, the more expensive it gets
  • You don’t need all the logs/events
  • You need to find evil, not badness
• Buyer beware
“Traditional SIEM doesn’t work in our environment”“There was not enough time, resources, money”
So What’s in a SIEM (according to Gartner)
It’s generally considered polite for a SIEM product to have the following capabilities:
• Ability for you to perform one-off or hard-wire the collection of data from just about any source
• Normalization and storage of that data so that you may perform analysis (“correlation”)
• Provides the appropriate dashboard, reports, integration and workflow so that you may run a SOC
“SIEM Primer” - Dr. Anton Chuvakin, 4/2011
How SIEM (sort of) Works
SIEM or Big Data Platform:
1. Data Integration: Get all of your data (repeat forever as technology and threats evolve)
2. Security Research: Determine what to look for & how (repeat forever as technology & threats evolve)
3. Security Analysis: Search and query; write correlation rules, or “listen to your data”… mileage may vary
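The three steps above (integrate, research, analyze) are abstract; the following added example shows the smallest concrete version of them. It is written for this summary and is not AlienVault, ArcSight or any vendor's code. The log lines, hostnames, addresses and the correlation rule are constructed: two sources (sshd over syslog, a Windows security-log export) are normalized onto one schema, and a single rule turns a failed-login spray followed by a success into one alarm instead of one alert per failed event, which is the "one event = one alert" problem from the case study.

```python
"""Minimal SIEM core: normalize log lines from two different sources into one
event schema, then correlate them into a single alarm per incident.

Added example for this webinar summary, not AlienVault, ArcSight or any other
vendor's code. All log lines, hostnames and addresses are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: Linux sshd via syslog plus a Windows security-log
# export. One source (203.0.113.7) sprays web01, then lands a valid login.
RAW_LOGS = [
    "2016-09-13T10:00:01Z web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2",
    "2016-09-13T10:00:03Z web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51001 ssh2",
    "2016-09-13T10:00:04Z web01 sshd[1201]: Failed password for invalid user oracle from 203.0.113.7 port 51002 ssh2",
    "2016-09-13T10:00:07Z web01 sshd[1201]: Failed password for deploy from 203.0.113.7 port 51003 ssh2",
    "2016-09-13T10:00:09Z web01 sshd[1201]: Accepted password for deploy from 203.0.113.7 port 51004 ssh2",
    "2016-09-13T10:00:11Z web01 sshd[1201]: Failed password for root from 198.51.100.9 port 40000 ssh2",
    "2016-09-13T10:01:00Z dc01 EventID=4625 TargetUserName=jsmith IpAddress=192.0.2.55 LogonType=3 Status=0xC000006D",
    "2016-09-13T10:01:30Z dc01 EventID=4624 TargetUserName=jsmith IpAddress=192.0.2.55 LogonType=3",
]

# Data integration: one parser per source, all mapping onto the same schema.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
WIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<src>\S+)"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def normalize(line):
    """Map one raw line onto the common schema; None if no parser claims it."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], TS_FMT), "host": m["host"],
                "user": m["user"], "src": m["src"], "source": "sshd",
                "outcome": "success" if m["outcome"] == "Accepted" else "failure"}
    m = WIN_RE.match(line)
    if m:  # 4624 = logon succeeded, 4625 = logon failed
        return {"ts": datetime.strptime(m["ts"], TS_FMT), "host": m["host"],
                "user": m["user"], "src": m["src"], "source": "windows",
                "outcome": "success" if m["eid"] == "4624" else "failure"}
    return None


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Security analysis: one correlation rule written against the schema.

    Rule: at least `threshold` failed logins from one source to one host inside
    `window`, followed by a success from that source. Emits ONE alarm carrying
    the evidence instead of one alert per failed event.
    """
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["src"], e["host"])].append(e)
    alarms = []
    for (src, host), evs in by_key.items():
        failures = []
        for e in evs:
            # drop failures that fell out of the window ending at this event
            failures = [f for f in failures if e["ts"] - f["ts"] <= window]
            if e["outcome"] == "failure":
                failures.append(e)
            elif len(failures) >= threshold:
                alarms.append({
                    "rule": "brute_force_then_success",
                    "src": src, "host": host, "compromised_user": e["user"],
                    "failed_attempts": len(failures),
                    "users_tried": sorted({f["user"] for f in failures}),
                    "first_seen": failures[0]["ts"], "last_seen": e["ts"],
                })
                failures = []
    return alarms


def run(lines=RAW_LOGS):
    """Return (normalized events, alarms, count of naive one-alert-per-failure)."""
    events = [e for e in map(normalize, lines) if e]
    naive_alerts = sum(1 for e in events if e["outcome"] == "failure")
    return events, correlate(events), naive_alerts


if __name__ == "__main__":
    events, alarms, naive = run()
    print(f"{len(events)} events, {naive} per-event alerts, {len(alarms)} alarm(s)")
    for a in alarms:
        print(a)
```

On the constructed input the six failed logins would produce six alerts under a per-event policy; the rule produces one alarm, naming the account that finally succeeded and the accounts tried before it. The single dc01 failure followed by a success stays below the threshold and is left in the data for search rather than raised as an alarm. The real cost, as the slides keep saying, is that both the parsers and the rule have to be written and maintained by someone as sources and threats change.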
Let’s Boil That Down
A toolkit for integrating data
A platform for data analytics
A platform for building and automating a SOC
SIEM is not a solution to anything, it is a (powerful) toolkit & platform for building your own solutions
For 90% of the market the problem with SIEM is SIEM!
Then why are we doing this?
Prevention has its limits
"The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I’m not even too sure about that one" -- Dennis Hughes, FBI.
safe computing
Before it became all about SIEM, compliance, and “big data with machine learning” we just wanted to catch the bad guys!
Attacker’s Advantage & Intruder’s Dilemma
http://taosecurity.blogspot.com/2009/05/defenders-dilemma-and-intruders-dilemma.html
Advantage:
Attacker enjoys exclusive knowledge of the where, when and how
Dilemma:
A stranger in a strange place (controlled entirely by the defender)
Not a new idea..
Effective Security Transcends Prevention
Given:
• At some point prevention inhibits primary business goals
• The attacker always has an advantage
• The intruder is at a disadvantage operating in our domain
“Protect and Pray” naturally gives way to: Protect, Detect, Respond
Protect-Detect-Respond
Protect: Keep bad guys out & valuables safe. Authentication, Access Control, Encryption, Firewalls, AV, IAM, DLP, etc.
Detect: Catch the intruder. Threat Detection, IDS, Log collection, VA, Security Analytics.
Respond: Clean up the mess. Digital (data & systems), Legal, Regulatory.
Learn & Improve: Post mortem analysis for refinement of protective & detective controls.
The Promise of SIEM
Data source for incident response and forensic evidence.
The source of knowledge and platform for automation.
The platform for continual analysis and automated detection (alarms).
Delivery on that promise has proven difficult at best and broadly elusive.
Not enough to just do it (or promise it), you have to be good at it!
Protect - Detect - Respond
Lesson from another domain: We lost sight of the real goal
The SIEM Hypothesis: If we have SIEM (or Big Data), we will be good at Threat Detection.
“Did you want SIEM? …”
Hypothesis: If we have robots, we must be good at manufacturing.
“Did you want robots? If so, I am happy for you. I don’t know if you are good at manufacturing”
What was the Goal?
Following this cookbook? Or Catching the Bad Guys?
My Own Personal History With SIEM
• First 15+ years creating technology products (creating security problems): Cypress Semiconductor, Apple Computer, Sun Microsystems
• Friends started a big-data company in 2000 (ArcSight)
• Founded Fortify in 2003
• Acquired along with ArcSight by HP in 2010
• Spent 18 months at HP meeting angry SIEM customers
• CTO at AlienVault (the makers of OSSIM) since 2013
What if you had an entirely clean sheet to start with?
How would you catch the bad guys?
Experience at AlienVault
Business Hypothesis (based on what we saw at HP):
• SIEM is challenging for the largest & most capable companies and it is out of reach for the average company (mid-sized enterprise)
• Massive opportunity delivering on the promise of SIEM for the mid-market
• 2M mid-market enterprises in the US alone
An opportunity to rethink the approach:
• New market segment - little or no baggage
• 48% did not even know what the term “SIEM” means
Launched “USM” (not SIEM) in 2012
• 300 customers in 2012 -> 5K in 2016
How USM Works
1. Deploy Sensor(s): Built-in capabilities (Asset discovery, NIDS, HIDS, VA) across Office, Data Center and Cloud. AlienApps integrate 3rd party products (vendor-vendor).
2. Security Research: AlienVault does this for you. What to look for & how (we repeat forever as technology & threats evolve). OTX Partners (33 & counting).
3. Security Analysis: AlienVault does this for you too. Tune sensor controls and maintain correlation rules based on research.
4. Detection & Response: Log in to USM (server or cloud) and respond to alarms. Or hire an MSSP to do this for you.
The USM Atlas Architecture
USM Sensor: Cloud, virtual or HW appliance performs passive and active discovery and analysis of assets and network.
USM Controller: Data storage and analytics platform provides common reporting and IR workflow.
AlienGrid: Elastically scalable computing platform made up of 1 or more USM Controllers working in concert.
AlienApps: Extensions enabling integration and orchestration with third party or custom components.
OTX/AlienVault Threat Intelligence: Crowd sourced threat intelligence (OTX) and proprietary research that provides specific tuning to detect latest threats.
No Clean Sheet?
Blow it up, or iterate and refine?
Does This Look Familiar?
• Lots of logs
• 13-36 products in use
• The old SIEM project
• The new Big Data project
A Next Generation Approach
The Forensic Store: Capture EVERYTHING (1-3 years), focus on low cost and scale. Good repurpose of the old SIEM project.
The Analysis Workbench: Forward alarms and salient data for review and analysis. Good focus for the new Big Data project.
The Alarm Monitor: Still need something to simplify & automate data capture. Send salient data to a service for analysis and alarm generation. (AlienVault USM Anywhere plug goes here.)
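The split above only works if the capture layer decides, per event, what is "salient" before anything reaches the expensive tier. The following added example shows that routing decision in code; it is written for this summary and is not AlienVault USM, OTX or USM Anywhere code. The indicator set (shaped like an exported intel pulse), the field-to-indicator mapping, the events and the in-memory store are all constructed stand-ins: every event is appended to a cheap, compressed, day-partitioned forensic store, and only events that match an indicator are forwarded to analysis, tagged with the reason.

```python
"""Tiered next-generation pipeline: every event lands in a cheap forensic
store; only salient events (threat-intel hits) are forwarded to the
analysis/alarm tier.

Added example for this webinar summary, not AlienVault USM or OTX code.
The indicator set, field mapping and events are constructed, and the store
is an in-memory stand-in for object storage.
"""
import gzip
import io
import json
from collections import defaultdict

# Constructed indicator set in the shape of an exported intel pulse:
# indicator type -> values. The hash is a placeholder, not a real sample.
INDICATORS = {
    "IPv4": {"203.0.113.7", "198.51.100.23"},
    "domain": {"update-check.example.net"},
    "FileHash-SHA256": {"0123456789abcdef" * 4},
}

# Which normalized event fields can hold which indicator type (constructed).
FIELD_TYPES = {"src_ip": "IPv4", "dst_ip": "IPv4",
               "query": "domain", "sha256": "FileHash-SHA256"}

# Constructed events, already normalized by the collection tier.
EVENTS = [
    {"ts": "2016-09-13T10:00:00Z", "type": "dns", "src_ip": "10.1.1.5", "query": "www.example.com"},
    {"ts": "2016-09-13T10:00:01Z", "type": "dns", "src_ip": "10.1.1.5", "query": "update-check.example.net"},
    {"ts": "2016-09-13T10:00:02Z", "type": "flow", "src_ip": "10.1.1.5", "dst_ip": "203.0.113.7", "bytes": 48211},
    {"ts": "2016-09-13T10:00:03Z", "type": "flow", "src_ip": "10.1.1.9", "dst_ip": "192.0.2.80", "bytes": 1200},
    {"ts": "2016-09-13T10:00:04Z", "type": "endpoint", "host": "ws-17", "sha256": "0123456789abcdef" * 4,
     "path": "C:\\Users\\Public\\svc.exe"},
    {"ts": "2016-09-13T10:00:05Z", "type": "auth", "src_ip": "10.1.1.9", "user": "jsmith", "outcome": "success"},
]


class ForensicStore:
    """Append-only, day-partitioned, gzip-compressed JSON lines.

    Built for cost and completeness, not speed: a partition is sealed whole and
    scanned whole, which is acceptable for 'capture everything for 1-3 years'.
    """

    def __init__(self):
        self._open = defaultdict(list)   # day -> pending JSON lines
        self._sealed = {}                # day -> gzip bytes

    def append(self, event):
        self._open[event["ts"][:10]].append(json.dumps(event, sort_keys=True))

    def seal(self, day):
        """Compress a day's partition (what a nightly flush to object storage does)."""
        payload = "".join(line + "\n" for line in self._open.pop(day, []))
        buf = io.BytesIO()
        with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
            gz.write(payload.encode())
        self._sealed[day] = buf.getvalue()
        return len(self._sealed[day])

    def _lines(self, day):
        lines = list(self._open.get(day, []))
        if day in self._sealed:
            lines += gzip.decompress(self._sealed[day]).decode().splitlines()
        return [line for line in lines if line]

    def search(self, day, **where):
        """Forensic query over one partition: events whose fields equal `where`."""
        return [ev for ev in map(json.loads, self._lines(day))
                if all(ev.get(k) == v for k, v in where.items())]

    def count(self):
        days = set(self._open) | set(self._sealed)
        return sum(len(self._lines(day)) for day in days)


def indicator_hits(event):
    """Research applied at capture time: which indicators does this event match?"""
    return [(itype, event[field]) for field, itype in FIELD_TYPES.items()
            if field in event and event[field] in INDICATORS.get(itype, ())]


def route(events, store):
    """Tier 1 gets everything; tiers 2/3 get only the salient slice, tagged with why."""
    forwarded = []
    for ev in events:
        store.append(ev)
        hits = indicator_hits(ev)
        if hits:
            forwarded.append({**ev, "salience": [f"{t}:{v}" for t, v in hits]})
    return forwarded


def run(events=EVENTS):
    store = ForensicStore()
    forwarded = route(events, store)
    return {"store": store, "forwarded": forwarded,
            "stored": store.count(), "forwarded_count": len(forwarded)}


if __name__ == "__main__":
    r = run()
    print(f"stored {r['stored']} events, forwarded {r['forwarded_count']} to analysis")
    for ev in r["forwarded"]:
        print(ev["type"], ev["salience"])
```

Half of the constructed events are forwarded, and the other half are not lost: the flow from 10.1.1.9 and the successful auth sit in the store for the incident responder who later asks "what else did that host do?", while the matches carry the indicator that fired so the analyst tier does not have to rediscover it. Whether the salience filter is a good one is exactly the security-research problem the slides say never ends, which is why this layer should be driven by a maintained feed rather than a hand-edited list.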