Visibility - A Case for Real-Time Security Monitoring

Transcript of Visibility - A Case for Real-Time Security Monitoring

The Crisis You Didn’t See
A case for real-time security monitoring

Maxim Elliott-Massouras, Principal Architect

Agenda

1. Introductions
2. Why are we here?
3. What are the challenges?
4. How do we start?

So who are Eduserv?….

www.eduserv.org.uk

Introductions: Eduserv

• Managed Cloud & Identity Mgmt SaaS offerings
• UK NFP (more than 20 years old)
• ~170 staff (>80% technical)
• Sell exclusively into UK public & 3rd sectors
• ~80% of our business is from regional & central government customers

What are we protecting?….

Context

~2400+ Managed servers

~4 Million SaaS users

Quick Terminology Refresh….

This is what we are protecting

Quick Terminology

• SIEM: Security Information and Event Management
• SIRO: Senior Information Risk Owner
• CSI: Continual Service Improvement

Why are we here?….

Starting With Why?

VISIBILITY
• Changes
• User Activity
• Machine behaviours

There is industry consensus…

Industry View

"Organisations are outgunned and outmatched…" – Forrester report

"71% of staff think they have access to company data they should probably not see" – Ponemon Institute

"anti-virus becoming irrelevant..." – MobileIron

i.e. attacks are more sophisticated, so relying on “traditional” tools alone won’t work

Look at our activity map….

Visibility…

GLOBAL 365 day view of activity picked up by our SIEM

There is a Consensus…

There is now industry-wide consensus: most now consider a breach inevitable, so detecting early is the focus.

• Industry has shifted towards detecting attacks not preventing…

Breaches alone are not the issue – data loss, embarrassment and trust are the issues – so think about damage limitation!

An effective SIEM is the key early warning system because of its real-time monitoring aspects.

Visibility when you need it most….

Visibility…

Source: Bit9

Who is targeting you?….

If attacked you need to act fast. Do you have…
• Inventory information
• Landscape knowledge, the basics…

62% of Incident Responders said that customers’ own knowledge of their estate and customer asset/inventory management is the greatest challenge in an IR engagement.

38% said the biggest challenge was due to tooling, insufficient customer documentation and ‘other’.

Matchmaking

Threat actors:
• State Sponsored
• Hacktivists
• Professionals
• Committed Amateurs

Organisations:
• Breached but don’t know or haven’t disclosed it
• Will be breached, it’s just a matter of time
• Too insignificant to attract attention

Could there now be only 2 Organisation Types?

Planning and risk priorities….

Q: Who do you think you are attracting?

Planning: What are you protecting?

Ask someone…

• What risks are we trying to mitigate?
• Who are the threat actors?
• What are our most valuable info assets?
• What do we want to get out of our SIEM function?

SIEM can help you with…

Risks + value of assets should relate to the time & budget invested…

The Big Challenges: Resources versus Security Compliance

A balancing act….

Security Compliance

(Diagram: PCI, Regime 1, Regime 2, Threat 1 and Threat 2 weighed against each other)

Resources are tight & priorities are juxtaposed

…Being compliant doesn’t mean you are secure

Make compliance a by-product of security
Choose SIEM tools that help both

Solutions...

IT CHALLENGES
• Increased security risks
• Compressed response time
• Uptime visibility
• Escalating costs
• Cloud, on-premise, hybrid
• Higher user expectations

EXISTING SOLUTIONS
• Not designed for cloud
• Legacy silo solutions
• Non-real-time insights
• Multiple tools
• Lack of reporting flexibility
• Unknown cost

Visualise a diverse landscape…

…are often mismatched

Virtual Networks
Virtual Infrastructure
Cloud Infrastructure
Physical Infrastructure
Physical Switches
Virtual Servers
Physical Servers
Public Cloud
Private Cloud

Thousands of Devices
Hundreds of Apps Deployed
Generating Billions of Events per day and TBs of Data

Big Data

Consumerisation

Internet of Things

SaaS

DevOps

Mobile

The IT Landscape Has Evolved

A problem or the problem…

Disparate, heterogeneous & spread across platforms….

You can fix A problem by buying a tool or hiring someone, but not THE problem.

Understand the value…

Other Challenges….
• Understanding the risks – means understanding the value
• Getting executive sponsorship – don’t proceed without sponsorship!
• Beware of being ‘blinded by science’
• Must be business led with support and buy-in from IT
• Security can clash with DevOps; concentrate SIEM on visibility and ‘knowing’ instead of saying ‘No’

Misconceptions…

Common Misconceptions

• SIEM is too technical:
  • SIEM is 9/10ths process – deployments are technical, but operating SIEM puts focus on good management and process
• SIEM is expensive:
  • This was true 5 years ago; costs have reduced dramatically and awareness is higher, creating a larger market with lots of choice
• SIEM is someone else’s responsibility:
  • Knowing who, what, where and when has become an obligation on all data owners/aggregators (i.e. any organisation)
• “I have firewalls, so I am safe”:
  • Firewalls are only as good as the operator; sophisticated app-level attacks exploit openings that some firewalls cannot close
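What “knowing who, what, where and when” looks like once events are flowing through a SIEM in real time, as an added illustration that is not part of the original slides or Eduserv’s own tooling: a small streaming correlation rule that watches an auth log as it arrives, keeps a sliding window of failed logins per source, and raises an alert carrying who/what/where/when when a burst of failures is seen and again if a success follows it. The sshd-style line format, the sample log lines, the threshold (5 failures) and the window (60 seconds) are all constructed assumptions for the example.

```python
"""Added example: a minimal sliding-window login correlator, the kind of
real-time rule a SIEM runs. Log format, thresholds and sample data are
assumptions made for illustration, not any product's real configuration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample input (not real telemetry): sshd-style auth events.
SAMPLE_LOG = """\
2019-03-04T09:00:01Z web01 sshd: Failed password for root from 203.0.113.7
2019-03-04T09:00:03Z web01 sshd: Failed password for root from 203.0.113.7
2019-03-04T09:00:04Z web01 sshd: Failed password for admin from 203.0.113.7
2019-03-04T09:00:06Z web01 sshd: Failed password for admin from 203.0.113.7
2019-03-04T09:00:08Z web01 sshd: Failed password for deploy from 203.0.113.7
2019-03-04T09:00:09Z web01 sshd: Accepted password for deploy from 203.0.113.7
2019-03-04T09:05:00Z web02 sshd: Failed password for alice from 198.51.100.2
2019-03-04T09:20:00Z web02 sshd: Accepted password for alice from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


class LoginCorrelator:
    """Sliding-window rule: N failed logins from one source within W seconds,
    and a second alert if a successful login from that source follows."""

    def __init__(self, threshold=5, window_seconds=60):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.failures = defaultdict(deque)  # src -> deque of (ts, user)
        self.flagged = set()                # sources already alerted on

    def _prune(self, src, now):
        # Drop failures that have aged out of the window (events arrive in time order).
        q = self.failures[src]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def process(self, event):
        """Feed one event in time order; return an alert dict or None."""
        src, now = event["src"], event["ts"]
        self._prune(src, now)
        q = self.failures[src]
        where = f"{src} -> {event['host']}"
        if event["outcome"] == "Failed":
            q.append((now, event["user"]))
            # Alert once per burst, not on every further failure.
            if len(q) >= self.threshold and src not in self.flagged:
                self.flagged.add(src)
                return {"rule": "credential_guessing",
                        "who": sorted({u for _, u in q}),
                        "what": f"{len(q)} failed logins within {self.window.seconds}s",
                        "where": where, "when": now.isoformat()}
            return None
        # Accepted login: only interesting if it follows a burst of failures.
        if len(q) >= self.threshold:
            alert = {"rule": "guessing_then_success", "who": event["user"],
                     "what": f"successful login after {len(q)} failures",
                     "where": where, "when": now.isoformat()}
            q.clear()
            self.flagged.discard(src)
            return alert
        return None


def run_rules(log_text, threshold=5, window_seconds=60):
    """Stream the log through the correlator and collect the alerts raised."""
    corr = LoginCorrelator(threshold, window_seconds)
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # unrecognised line: ignored by this rule
        alert = corr.process(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the first source trips the burst rule on its fifth failure and again when the following login succeeds, while the second source (one failure, then a success fifteen minutes later) stays silent because its failure has aged out of the window. The point for the slides' argument is that the alert is produced as the events arrive, not from a report run next week, and that each alert already carries the who, what, where and when an incident responder needs.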

Lets break it down…

SIEM Dismantled

Tools

People

Processes

(Great tools and great people are a good start)

We are under attack!

What do we do? Who do we tell?

We found suspicious activity…

Now what? It is not my problem. Tell someone else…

How should we see SIEM…

A set of rules & principles, underpinned by tools, people and processes

A single pane of glass
A single point of contact

A service that anyone can call upon

Perspective…

Perspective

SIEM Service and SecOps

Your Staff
Your Customers
Your Partners & Suppliers
Your Systems

Processes
Policies
Vetted People
Leadership & Escalation

Wrapping up…

Almost there….

3 Business Benefits

1. SIEM brings you closer to the truth

2. SIEM helps both Security and Compliance teams – The force multiplier

3. SIEM is a real-time magnifying glass

Key Takeaways…

“You won’t know what you did without it”

Next Steps & Takeaways

• Get sponsorship
• Check where you are most at risk
• Find a partner - not just a supplier
• Agree terms & the scope internally - don’t ‘boil the ocean’; understand this is a continual improvement process

Always: Strategise – Plan – Act…in that order!

Questions please…