The Next Generation of SIEM - TAG Cyber

Page 1: The Next Generation of SIEM - TAG Cyber · The Next Generation of SIEM ... CTO at AlienVault (the maker’s of OSSIM) 2013. What if you had an entirely clean sheet to start with?

TAG CYBER WEBINAR SERIES
ROGER THORNTON, CTO ALIENVAULT

The Next Generation of SIEM
OR THE END OF SIEM AS WE KNOW IT…

Page 2:

Agenda

A Little History
The problem with SIEM
What was our goal?
The next generation of SIEM
Paths forward

Page 3:

Let’s Define Terms

Log management: Simple collection and storage of log messages and audit trails.

Security information management (SIM): Long-term storage, analysis and reporting of log data.

Security event manager (SEM): Real-time monitoring, correlation of events, notifications and console views.

Security information and event management (SIEM): Combines SIM and SEM and provides real-time analysis of security alerts generated by network hardware and applications.

* Thank you Gartner - Mark Nicolett and Amrit Williams (2005)

Page 4:

“SIEM Kind of Sucks!” - Roger L Thornton 2010

(more on this later)

Page 5:

Hard to Hide From the Facts

According to the Ponemon Institute, the typical SIEM customer:

• Has an average of 17K alerts per week
• Considers 81% of those unreliable
• Spends 2/3 of response (an average of $25K per week) on false alarms

Sources: Ponemon Institute, “The Cost of Malware Containment”, Jan 2015; Netwrix “2016 SIEM Efficiency Survey”

Getting Worse, Not Better

“There are no SIEM customers, just victims locked into a vendor.”

Deutsche Bank tech growth conference Cyber Security Panel, 9/13/2016

Page 6:

Let’s not forget the cost

Chart comes directly from the IBM website: $1.4M in costs, and bragging that it took on average 5.5 months to implement!

IBM QRadar Security Intelligence; independently conducted by Ponemon Institute LLC, February 2014

Page 7:

Fortune 500 Oil & Gas Corporation Case Study

The SIEM problem for us…

• Too many alerts
  • Traditional SIEM – one event/incident = one alert
  • “Ain’t nobody got time for that”
• Understaffed
  • Very limited number of folks to review the alerts
• Lack of understanding of internal assets
  • Asset understanding is the key
• Potentially compliance driven
  • Compliance is not security and security is not compliance
• Continuous cost

SIEM Vendors

• Typical vendor: Just throw all the logs into it and you will find badness
• My response:
  • Yes and no
  • The more logs you throw at a SIEM the more expensive
  • You don’t need all the logs/events
  • You need to find evil, not badness
• Buyer beware

“Traditional SIEM doesn’t work in our environment”
“There was not enough time, resources, money”

Page 8:

So What’s in a SIEM (according to Gartner)

It’s generally considered polite for a SIEM product to have the following capabilities:

• Ability for you to perform one-off or hard-wire the collection of data from just about any source

• Normalization and storage of that data so that you may perform analysis (“correlation”)

• Provides the appropriate dashboard, reports, integration and workflow so that you may run a SOC

“SIEM Primer” - Dr. Anton Chuvakin, 4/2011

Page 9:

How SIEM (sort of) Works

SIEM or Big Data Platform

1. Data Integration: Get all of your data (repeat forever as technology and threats evolve)
2. Security Research: Determine what to look for & how (repeat forever as technology & threats evolve)
3. Security Analysis: Search and query; write correlation rules, or “listen to your data”… mileage may vary

Page 10:

• Allow you to perform one-off or hard-wire the collection of data from just about any source
• Normalize and store that data so that you may perform analysis (“correlation”)
• Provide the appropriate dashboard, reports, integration and workflow so that you may run a SOC

Let’s Boil That Down

A toolkit for integrating data
A platform for data analytics
A platform for building and automating a SOC

SIEM is not a solution to anything; it is a (powerful) toolkit & platform for building your own solutions.

For 90% of the market the problem with SIEM is SIEM!

Page 11:

Then why are we doing this?

Page 12:

Prevention has its limits

"The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I’m not even too sure about that one" -- Dennis Hughes, FBI.

safe computing

Page 13:

Before it became all about SIEM, compliance, and “big data with machine learning” we just wanted to catch the bad guys!

Page 14:

Attacker’s Advantage & Intruder’s Dilemma

http://taosecurity.blogspot.com/2009/05/defenders-dilemma-and-intruders-dilemma.html

Advantage:

Attacker enjoys exclusive knowledge of the where, when and how

Dilemma:

A stranger in a strange place (controlled entirely by the defender)

Page 15:

Not a new idea…

Page 16:

Effective Security Transcends Prevention

Given:
• At some point prevention inhibits primary business goals
• The attacker always has an advantage
• The intruder is at a disadvantage operating in our domain

“Protect and Pray” naturally gives way to: Protect, Detect, Respond

Page 17:

Protect-Detect-Respond

Protect: Keep bad guys out & valuables safe. Authentication, Access Control, Encryption, Firewalls, AV, IAM, DLP, etc.

Detect: Catch the Intruder. Threat Detection, IDS, Log collection, VA, Security Analytics.

Respond: Clean up the mess. Digital (data & systems), Legal, Regulatory.

Learn & Improve: Post mortem analysis for refinement of protective & detective controls.

Page 18:

The Promise of SIEM

Data source for incident response and forensic evidence.
The source of knowledge and platform for automation.
The platform for continual analysis and automated detection (alarms).

Delivery on that promise has proven difficult at best and broadly elusive.

Page 19:

Not enough to just do it (or promise it), you have to be good at it!

Protect - Detect - Respond

Page 20:

Lesson from another domain: We lost sight of the real goal

The SIEM Hypothesis: If we have SIEM (or Big Data), we will be good at Threat Detection.

“Did you want SIEM? …”

Hypothesis: If we have robots, we must be good at manufacturing.

“Did you want robots? If so, I am happy for you. I don’t know if you are good at manufacturing”

Page 21:

What was the Goal?

Following this cookbook? Or Catching the Bad Guys?

Page 22:

My Own Personal History With SIEM

• First 15+ years creating technology products (creating security problems): Cypress Semiconductor, Apple Computer, Sun Microsystems
• Friends started a big-data company in 2000 (ArcSight)
• Founded Fortify in 2003
• Acquired along with ArcSight by HP in 2010
• Spent 18 months at HP meeting angry SIEM customers
• CTO at AlienVault (the makers of OSSIM) 2013

Page 23:

What if you had an entirely clean sheet to start with?

How would you catch the bad guys?

Page 24:

Experience at AlienVault

Business Hypothesis (based on what we saw at HP):
• SIEM is challenging for the largest & most capable companies and it is out of reach for the average company (mid-sized enterprise)
• Massive opportunity delivering on the promise of SIEM for the mid-market
• 2M mid-market enterprises in the US alone

An opportunity to rethink the approach
• New market segment - little or no baggage
• 48% did not even know what the term “SIEM” means

Launched “USM” (not SIEM) in 2012
• 300 customers in 2012 -> 5K in 2016

Page 25:

How USM Works

1. Deploy Sensor(s): Built-in capabilities (Asset discovery, NIDS, HIDS, VA). AlienApps integrate 3rd party products (vendor-vendor).
2. Security Research: AlienVault does this for you. What to look for & how (we repeat forever as technology & threats evolve).
3. Security Analysis: AlienVault does this for you too. Tune sensor controls and maintain correlation rules based on research.
4. Detection & Response: Log in to USM (Server or cloud) and respond to alarms. Or hire an MSSP to do this for you.

Diagram labels: Office, Data Center, Cloud; OTX Partners (33 & counting)

Page 26:

The USM Atlas Architecture

Diagram components: Sensor, Controller, AlienApps

USM Sensor: Cloud, virtual or HW appliance performs passive and active discovery and analysis of assets and network.

USM Controller: Data storage and analytics platform provides common reporting and IR workflow.

AlienGrid: Elastically scalable computing platform made up of 1 or more USM Controllers working in concert.

AlienApps: Extensions enabling integration and orchestration with third party or custom components.

OTX/AlienVault Threat Intelligence: Crowd sourced threat intelligence (OTX) and proprietary research that provides specific tuning to detect latest threats.

Page 27:

No Clean Sheet?

Blow it up
Iterate and Refine

Page 28:

This Look Familiar?

Lots of logs

13-36 products in use

The old SIEM project

The new Big Data project

Page 29:

A Next Generation Approach

The Forensic Store: Capture EVERYTHING (1-3 years), focus on low cost and scale. Good repurpose of the old SIEM project.

The Analysis Workbench: Forward alarms and salient data for review and analysis. Good focus for the new Big Data project.

Still need something to simplify & automate data capture.

The Alarm Monitor: Send salient data to a service for analysis and alarm generation. (AlienVault USM Anywhere plug goes here)
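The deck describes SIEM as "normalize and store that data so that you may perform analysis (correlation)" (Pages 8-10) and ends with a three-tier split: a forensic store that captures everything cheaply, an analysis workbench that only sees salient data, and an alarm monitor that turns that data into alarms (Page 29). The Python below is an added example written for this transcript; it is not code from the talk, from AlienVault USM or from OSSIM. The sshd-style and JSON log formats, the `Event` schema, the indicator list, the TEST-NET IP addresses and the brute-force threshold are all constructed for the demo. It shows why "one event = one alert" is the wrong unit: three failures followed by a success from one source produce a single alarm, while everything, parsed or not, still lands in the compressed forensic tier.

```python
# Added example (not from the slides): a miniature SIEM pipeline showing the
# normalize -> store everything -> forward salient data -> correlate -> alarm flow.
# All log formats, indicators and addresses below are constructed for the demo.
import gzip
import json
import re
from collections import defaultdict, deque
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta
from io import BytesIO
from typing import Optional


@dataclass
class Event:
    ts: Optional[datetime]   # None when the raw line could not be parsed
    source: str              # product that produced the line
    category: str            # normalized category that rules key on
    src_ip: Optional[str]
    user: Optional[str]
    raw: str                 # original line, kept for forensics


# Constructed formats: an sshd-style syslog line and a one-line JSON record
# from a hypothetical NIDS/firewall. Neither is a real vendor schema.
SSHD_RE = re.compile(
    r"^(\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)"
)


def normalize(line: str, year: int = 2016) -> Event:
    """Map one raw line onto the common Event schema (the 'normalization' step)."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        cat = "auth_fail" if m.group(2) == "Failed" else "auth_ok"
        return Event(ts, "sshd", cat, m.group(4), m.group(3), line)
    if line.startswith("{"):
        d = json.loads(line)
        cat = "ids_alert" if d.get("type") == "ids" else "other"
        return Event(datetime.fromisoformat(d["ts"]), d.get("sensor", "json"),
                     cat, d.get("src"), None, line)
    return Event(None, "unknown", "other", None, None, line)  # unparsed, still stored


class ForensicStore:
    """Tier 1: capture everything, cheaply. Append-only gzip NDJSON (in memory here)."""

    def __init__(self) -> None:
        self.buf = BytesIO()
        self.gz = gzip.GzipFile(fileobj=self.buf, mode="wb")
        self.count, self.raw_bytes = 0, 0

    def append(self, ev: Event) -> None:
        rec = asdict(ev)
        rec["ts"] = ev.ts.isoformat() if ev.ts else None
        data = (json.dumps(rec) + "\n").encode()
        self.gz.write(data)
        self.raw_bytes += len(data)
        self.count += 1

    def close(self) -> int:
        """Finish the stream and return the compressed size in bytes."""
        self.gz.close()
        return len(self.buf.getvalue())


class BruteForceRule:
    """Correlation rule: `threshold` failed logins from one source IP inside
    `window`, then a successful login from that IP -> ONE alarm, not one per event."""

    def __init__(self, threshold: int = 3, window: timedelta = timedelta(minutes=5)):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)  # src_ip -> timestamps of recent failures

    def feed(self, ev: Event) -> Optional[dict]:
        if ev.src_ip is None or ev.ts is None:
            return None
        q = self.failures[ev.src_ip]
        while q and ev.ts - q[0] > self.window:  # expire failures outside the window
            q.popleft()
        if ev.category == "auth_fail":
            q.append(ev.ts)
        elif ev.category == "auth_ok" and len(q) >= self.threshold:
            n = len(q)
            q.clear()
            return {"alarm": "brute_force_success", "src_ip": ev.src_ip,
                    "user": ev.user, "failures": n, "ts": ev.ts.isoformat()}
        return None


SALIENT = {"auth_fail", "auth_ok", "ids_alert"}  # what the workbench tier receives
INDICATORS = {"203.0.113.77"}                   # constructed OTX-style bad-source list


def run_pipeline(lines, indicators=INDICATORS) -> dict:
    store, workbench, rule = ForensicStore(), [], BruteForceRule()
    alarms, flagged = [], set()      # tier 3 output; flagged avoids repeat TI alarms
    for line in lines:
        ev = normalize(line)
        store.append(ev)             # tier 1: everything, including unparsed lines
        if ev.category not in SALIENT and ev.src_ip not in indicators:
            continue                 # kept for forensics, not forwarded for analysis
        workbench.append(ev)         # tier 2: salient data only
        if ev.src_ip in indicators and ev.src_ip not in flagged:
            flagged.add(ev.src_ip)
            alarms.append({"alarm": "known_bad_source", "src_ip": ev.src_ip,
                           "category": ev.category})
        alarm = rule.feed(ev)
        if alarm:
            alarms.append(alarm)
    return {"stored": store.count, "raw_bytes": store.raw_bytes,
            "compressed_bytes": store.close(), "salient": len(workbench),
            "alarms": alarms}


# Constructed sample input: a brute-force burst, a noisy cron line, an IDS hit
# from a listed indicator, and a benign one-off failure followed by success.
SAMPLE_LINES = [
    "Sep 13 10:00:01 host1 sshd[2001]: Failed password for invalid user admin from 198.51.100.9 port 50001 ssh2",
    "Sep 13 10:00:03 host1 sshd[2002]: Failed password for root from 198.51.100.9 port 50002 ssh2",
    "Sep 13 10:00:05 host1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
    "Sep 13 10:00:07 host1 sshd[2003]: Failed password for root from 198.51.100.9 port 50003 ssh2",
    "Sep 13 10:00:09 host1 sshd[2004]: Accepted password for root from 198.51.100.9 port 50004 ssh2",
    '{"ts": "2016-09-13T10:01:00", "sensor": "nids", "type": "ids", "src": "203.0.113.77", "sig": "constructed-scan-signature"}',
    "Sep 13 10:02:00 host2 sshd[3001]: Failed password for bob from 192.0.2.10 port 40001 ssh2",
    "Sep 13 10:02:30 host2 sshd[3002]: Accepted password for bob from 192.0.2.10 port 40002 ssh2",
    '{"ts": "2016-09-13T10:03:00", "sensor": "fw", "type": "allow", "src": "192.0.2.11"}',
]

if __name__ == "__main__":
    print(json.dumps(run_pipeline(SAMPLE_LINES), indent=2))
```

Running it over the nine constructed lines stores all nine in the forensic tier, forwards seven salient events to the workbench, and raises exactly two alarms: one `brute_force_success` for 198.51.100.9 (three failures then a root login) and one `known_bad_source` for the listed indicator. The lone failure from 192.0.2.10 never crosses the threshold, which is the difference between an alert per event and an alarm per incident that the case-study slide complains about.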