The Crisis You Didn’t See
A case for real-time security monitoring
Maxim Elliott-Massouras, Principal Architect
Agenda
1. Introductions
2. Why are we here?
3. What are the challenges?
4. How do we start?
So who are Eduserv?….
www.eduserv.org.uk
Introductions: Eduserv
• Managed Cloud & Identity Mgmt SaaS offerings
• UK NFP (more than 20 years old)
• ~170 staff (>80% technical)
• Sell exclusively into UK public & 3rd sectors
• ~80% of our business is from regional & central government customers
What are we protecting?….
Context
~2400+ managed servers
~4 million SaaS users
Quick Terminology Refresh….
This is what we are protecting
Quick Terminology
• SIEM: Security Information and Event Management
• SIRO: Senior Information Risk Owner
• CSI: Continual Service Improvement
Why are we here?….
Industry View
"Organisations are outgunned and outmatched…" (Forrester report)
"71% of staff think they have access to company data they should probably not see" (Ponemon Institute)
"anti-virus becoming irrelevant..." (MobileIron)
i.e. attacks are more sophisticated, so relying on “traditional” tools alone won't work
Look at our activity map….
There is a Consensus…
There is now industry-wide consensus: most now consider a breach inevitable, so detecting early is the focus.
• Industry has shifted towards detecting attacks, not just preventing them…
Breaches alone are not the issue – data loss, embarrassment and trust are the issues – so think about damage limitation!
An effective SIEM is the key early warning system because of its real-time monitoring.
Visibility when you need it most….
Visibility… (figure; source: Bit9)
Who is targeting you?….
If attacked you need to act fast. Do you have…
• Inventory information
• Landscape knowledge, the basics…
62% of incident responders said that the customer's own knowledge of their estate and customer asset/inventory management is the greatest challenge in an IR engagement.
38% said the biggest challenge was due to tooling, insufficient customer documentation and ‘other’.
Matchmaking
Threat actors:
• State sponsored
• Hacktivists
• Professionals
• Committed amateurs
Organisations:
• Breached but don’t know or haven’t disclosed it
• Will be breached, it’s just a matter of time
• Too insignificant to attract attention
Could there now be only 2 organisation types?
Planning and risk priorities….
Q: Who do you think you are attracting?
Planning: What are you protecting?
Ask someone…
• What risks are we trying to mitigate?
• Who are the threat actors?
• What are our most valuable info assets?
• What do we want to get out of our SIEM function?
SIEM can help you with…
Risks + value of assets should relate to the time & budget invested…
(Diagram: Security vs Compliance – threats (Threat 1, Threat 2) and compliance regimes (PCI, Regime 1, Regime 2) competing for the same resources)
Resources are tight & priorities are juxtaposed…
Being compliant doesn’t mean you are secure.
Make compliance a by-product of security. Choose SIEM tools that help both.
Solutions… are often mismatched
IT challenges:
• Increased security risks
• Compressed response time
• Uptime visibility
• Escalating costs
• Cloud, on-premise, hybrid
• Higher user expectations
Existing solutions:
• Not designed for cloud
• Legacy silo solutions
• Non-real-time insights
• Multiple tools
• Lack of reporting flexibility
• Unknown cost
Visualise a diverse landscape…
The IT Landscape Has Evolved
(Diagram: virtual networks, virtual infrastructure, cloud infrastructure, physical infrastructure; physical switches, virtual servers, physical servers; public cloud, private cloud)
Thousands of devices, hundreds of apps deployed, generating billions of events per day and TBs of data.
Drivers: Big Data, Consumerisation, Internet of Things, SaaS, DevOps, Mobile
A problem or the problem…
Disparate, heterogeneous & spread across platforms….
You can fix A problem by buying a tool or hiring someone, but not THE problem.
Understand the value…
Other Challenges….
• Understanding the risks – means understanding the value
• Getting executive sponsorship – don’t proceed without sponsorship!
• Beware of being ‘blinded by science’
• Must be business led with support and buy-in from IT
• Security can clash with DevOps; concentrate SIEM on visibility and ‘knowing’ instead of saying ‘No’
Misconceptions…
Common Misconceptions
• SIEM is too technical: SIEM is 9/10ths process. Deployments are technical, but operating SIEM puts the focus on good management and process.
• SIEM is expensive: this was true 5 years ago; costs have reduced dramatically and awareness is higher, creating a larger market with lots of choice.
• SIEM is someone else's responsibility: knowing who, what, where and when has become an obligation on all data owners/aggregators (i.e. any organisation).
• “I have firewalls, so I am safe”: firewalls are only as good as the operator; sophisticated app-level attacks exploit openings that some firewalls cannot close.
Let’s break it down…
SIEM Dismantled
Tools, People, Processes
(Great tools and great people are a good start)
We are under attack!
What do we do? Who do we tell?
We found suspicious activity…
Now what? It is not my problem. Tell someone else…
How should we see SIEM…
A set of rules & principles, underpinned by tools, people and processes
A single pane of glass
A single point of contact
A service that anyone can call upon
Perspective…
Perspective
(Diagram: SIEM Service and SecOps at the centre, connecting your staff, your customers, your partners & suppliers and your systems; built on processes, policies, vetted people, and leadership & escalation)
Wrapping up…
Almost there…. 3 Business Benefits
1. SIEM brings you closer to the truth
2. SIEM helps both Security and Compliance teams – The force multiplier
3. SIEM is a real-time magnifying glass
Key Takeaways…
“You won’t know what you did without it”