Supercharging SIEM with Change & Configuration Data
•Download as PPTX, PDF•
1 like•1,390 views
Most organizations capture log data that could indicate a breach occurred. Yet not a single breach investigated in the Verizon 2011 Data Breach Investigation Report was detected through log analysis or review. Learn how adding Tripwire Enterprise change and configuration data makes all the difference in detecting critical events.
Recommended
Recommended
More Related Content
Similar to Supercharging SIEM with Change & Configuration Data
Similar to Supercharging SIEM with Change & Configuration Data (20)
More from Tripwire
More from Tripwire (20)
Recently uploaded
Recently uploaded (20)
Supercharging SIEM with Change & Configuration Data
- 1. Supercharging SIEM with Change & Configuration Data
- 3. Log analysis/review discovered 0% no breaches 2011
- 4. Change is Needed! Existing technology isn’t providing expected ROI, is too expensive and complex, and only delivers data Log analysis/review discovered 0% no breaches 2011
- 5. Too much data! All of one type!
- 7. SECURITY COMPLIANCE Compromise Failed Audits $$$$ Labor Intensive Branding Project Delays
- 8. SECURITY OPERATIONS COMPLIANCE Compromise Longer MTTR Failed Audits $$$$ Unplanned Work Labor Intensive Branding Budget Pressure Project Delays
- 9. 0%: Log analysis/review discovered no breaches Capturing Data…. Is Not The Same As Knowing When Something Bad Just Happened!
- 10. “Context of Change” Windows event log cleared Were undesired changes made? Who made them? Was compliance level lowered? Did changes enable SIEM events? Or enable other events? Login successful FTP Enabled 10 failed logins Host not generating events
- 11. “Context of Change” Windows event log cleared Were undesired changes made? Who made them? Was compliance level lowered? Logging turned off Did changes enable SIEM events? Or enable other events? Login successful Policy test fails FTP Enabled 10 failed logins Host not generating events
- 12. Raw Log Data Detect Change Good & Bad No Intelligence No Context No Security Just Data! Report Change Good & Bad
- 13. “Context” Raw Log Data Detect Change Good & Bad Configuration Policy Failures Change Policy Failures Dynamic Analysis Change Authorization Failures Changes of Interest = Changes of Interest! Report & Alert
- 14. 10 failed logins Login successful Changes of Interest Windows event log cleared correlated with Log Events of Interest Logging turned off turn Raw Data into FTP Enabled timely, actionable Information Host not generating events Policy test fails
- 16. • File ‘Sales_Forecast_2011.xls’ was changed on node ‘PROD_FINANCE’ by Ed Rarick. • There were 15 Medium Severity Changes on node ‘PROD_DC1’. • Node ‘PROD_DC1’ had an additional 2 tests fail from policy ‘PCI 2.1’ after the last scan. 15 tests passed and 30 failed. • Node ‘PROD_DC1’ decreased its score by 2.53 on policy ‘PCI 2.1’ after the last scan.
- 17. Maintain Desired State Non-stop monitoring & collection Dynamic analysis to find suspicious activities Assess & Achieve Alert on impact to policy Remediate options to speed remedy Time
- 18. Answers For Your Questions
Editor's Notes
- More organizations have deployed more compliance and security tools and are capturing and analyzing more data than ever.Unfortunately, they are not getting stellar results as noted in the Verizon 2011 Data Breach Report.Each year we learn that—even with more data being captured—the number of attacks increases, most organizations had to have a 3rd party tell them they had been hacked, and the resulting breaches were avoidable through simple controls.What was so interesting and new in the 2011 report was the fact that “ZERO” breaches were discovered through log analysis or review!!!
- In other words, Log management and SIEM solutions did not deliver on the promise of
- TZ: Ed, what exactly is this “data deluge problem?’Ed: Over the last several years many organizations have put collection systems in place to meet PCI requirements. They put in log management and FIM along with other security tools. And they have been collecting a ton of data ever since. So they have plenty of data to meet compliance requirements. But the problem is they have too much data for it to be useful. And it is almost impossible to quickly know if any of the data is indicating a security issue. It’s like trying to find a single land-mine in a massive land-fill before it goes off and caused damage.TZ (to transition to next): and this here is some data to show what the “deluge” actually means in terms of volume.
- ER: The cost of this time delay is enormous.These organizations not only suffer monetarily, their “mojo” is also badly damaged.They loose shareholder trust and value.Their name remains in the press and presentation like this for a very long time.TZ (to transition to next slide): Going back to our title which is about ensuring security and compliance in light of this vast sea of data, we at Tripwire offer a Pragmatic approach to compliance and security. Let’s spend a moment talking about what that means.
- ER: The cost of this time delay is enormous.These organizations not only suffer monetarily, their “mojo” is also badly damaged.They loose shareholder trust and value.Their name remains in the press and presentation like this for a very long time.TZ (to transition to next slide): Going back to our title which is about ensuring security and compliance in light of this vast sea of data, we at Tripwire offer a Pragmatic approach to compliance and security. Let’s spend a moment talking about what that means.
- Having tools in place that just capture the things that are changing does not help close the time gap problem.Capturing data is NOT the same as knowing when something BAD is happening.And isolating the bad from the good is what is needed to make it possible to find and fix bad events within minutes of them happening.
- Event Integration Framework benefits:Aggregate change data based on criticalityCan integrate a single criticality level into a single log messageEIF reports “who” made the changeReports on patterns of compliance (change reduces compliance level of a box then report it – not just in or out of a compliant state)
- Event Integration Framework benefits:Aggregate change data based on criticalityCan integrate a single criticality level into a single log messageEIF reports “who” made the changeReports on patterns of compliance (change reduces compliance level of a box then report it – not just in or out of a compliant state)