Unlike security cameras, going from installation to insight with a traditional SIEM is far from straightforward. During this session, we’ll cover a few common problems with SIEM technologies, and how you can avoid those pitfalls with AlienVault Unified Security Management. You’ll walk away with a new perspective on an old problem – reducing the cost of security visibility.
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Expect More From Your SIEM
1. Expect More From Your SIEM
Sandy Hawke, CISSP
VP, Product Marketing
@sandybeachSF
2. Top 5 Problems with SIEM
1. SIEM is too complex.
2. SIEM takes too long to deploy.
3. SIEM is too expensive.
4. SIEMs are too noisy.
5. SIEMs aren’t typically “cloud-friendly.”
4. Necessary data sources for meaningful
SIEM
Network flow / network analysis
Asset discovery and inventory
Vulnerability assessment
Log management
Wireless intrusion detection (WIDS)
Host-based intrusion detection (HIDS)
Network-based intrusion detection (NIDS)
File Integrity Monitoring
+all of the network, system, and application-specific events
Security-specific data sources:
5. Necessary steps to integrate data into the SIEM
1. Evaluate, select, and purchase
third party security tools (e.g.
IDS, vulnerability scanners, etc.).
2. Implement and configure these
products.
3. Fine-tune and integrate these
feeds into the SIEM.
4. Manage and administer them
each with a different console
than the SIEM.
11. When everything requires your attention, nothing
will get it…
Adding more haystacks doesn’t
help you find more needles.
SIEMs should alert you when
you need to do something about an
event.
And… they should tell you what to do,
how to do it, and why it’s important.
15. Piece it all
together
Look for strange
activity which could
indicate a threat
Start looking
for threats
Identify ways the
target could be
compromised
How do
we secure
our
company?
Figure out what
is valuable
16. Piece it all
together
Look for strange
activity which could
indicate a threat
Start looking
for threats
Identify ways the
target could be
compromised
How do
we secure
our
company?
Asset
Discovery
Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
17. Piece it all
together
Look for strange
activity which could
indicate a threat
Start looking
for threats
How do
we secure
our
company?
Asset
Discovery
Vulnerability
Assessment
Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
Vulnerability Assessment
• Network Vulnerability Testing
18. Piece it all
together
Look for strange
activity which could
indicate a threat
How do
we secure
our
company?
Asset
Discovery
Vulnerability
Assessment
Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
Vulnerability Assessment
• Network Vulnerability Testing
Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Threat
Detection
19. Piece it all
together
How do
we secure
our
company?
Asset
Discovery
Vulnerability
Assessment
Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
Vulnerability Assessment
• Network Vulnerability Testing
Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Threat
Detection
Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
Behavioral
Monitoring
23. Auto-Deploy
Reduces the burden of integrating data sources
Identify potential data sources with integrated asset discovery
Provides suggestions for improving visibility
Where is the monitoring deficient? What can be done to improve
it?
25. Dynamic Incident Response Templates
DMZ_Sensor has detected a possible SQL Injection [reference] attack against the host 10.49.100.131,
originating from 198.228.217.190
The goal of a SQL Injection attack is to obtain access directly to the database behind a web
application, by passing data to the application that is unintentionally interpreted as SQL commands by
the database itself.
1. Contain Breach
Destination IP 100.49.100.131 is the Corporate DMZ network segment
• Contact owner of 10.49.100.131: Joe Namath
• Cross-reference events from other hosts located in 10.49.100.131 network
(Corporate_DMZ) for other suspicious activity.
• Alerts in Corporate MZ
• Analyze Netflow
2. Identify Attacker
Source IP 198.228.217.190 is not in your local network
• Identify the organization that owns 198.228.217.190 – determine if it is a private
organization or available to third parties hosting provider, etc).
• WHOIS 198.228.217.190
27. Securing the Cloud vs. Cloud-delivered Security
Following clients to the cloud vs. setting up yet another cloud…
28. Questions for SIEM Vendors
How long will it take to go from software installation to
security insight? For reals.
How many staff members or outside consultants will I need
for the integration work?
What can I do if I don’t have all of the external security
technologies in place that can feed the SIEM (e.g. asset
inventories, IDS, vulnerability scans, netflows, etc.)?
What is the anticipated mix of licensing costs to consulting
and implementation fees?
Do your alerts and alarms provide step-by-step instructions
for how to mitigate and respond to investigations?
PRINT THIS OUT FOR THE NEXT TIME THEY CALL YOU….
29. Expect More From Your SIEM
It should go where you do.
Cloud, hybrid cloud, mobile apps, etc.
It should tell you what to do.
More than alerts, directional guidance on
actions to take.
It shouldn’t require more work.
Built-in security controls so that integration
doesn’t take forever.
“Smart” deployments: remove the
“guesswork”
30. Next Steps / Q&A
Request an AlienVault USM demo at:
www.alienvault.com/schedule-demo.html
Request a free trial of AlienVault USM:
http://www.alienvault.com/free-trial
Not quite ready for all that? Test drive our open
source project - OSSIM here:
communities.alienvault.com/
Need more info to get started? Try our knowledge
base here:
alienvault.bloomfire.com
These resources are also in the Attachments section
Join the
conversation!
@alienvault
#AlienIntel
30
Notas do Editor
SIEM is too complex. Collecting the right data, aggregating it, normalizing and correlating disparate technologies for that one common view is not a trivial task. And most of the time, the SIEM vendor will expect the client or the client’s service provider to bear the brunt of that deployment challenge. “Feeding the beast” requires multiple hours spent with system administrators who manage those data sources to reroute the event information over to the SIEM. Technically, this isn’t so complex for a single system, but at scale it can get very complicated. In some cases, this can take months. SIEM takes too long to deploy. Most organizations looking to invest in a SIEM do so with a sense of urgency. They need answers and they need them now. Questions like “What’s going on in our network?” “Who is attacking me?” “Are we leaking data?” “Which threats require my attention now?” “What’s going to be an issue for our audit next week?” will need to wait to be answered until integration is completed (typically months after the initial installation). The event correlation rules that provide the “security intelligence” advertised by the vendor will not be of any use until external data sources are pulled in and fine-tuned. And that’s takes time and as we know time is…SIEM is too expensive. The licensing costs for the SIEM are just the start. Since virtually nothing is functional out of the SIEM box, organizations will likely need to hire expensive consultants and architects to design and implement the integration, fine-tune the data feeds, and schedule imports across all of the various external data sources. Additionally, in order to make sense for each organization’s business and security priorities, these teams will also need to customize event correlation rules so that the alarms are relevant to them. As a result, consulting services fees can often exceed the software licensing costs. So prepare to double the cost of the software alone, just to get meaningful information out of your SIEM.SIEMs are too noisy. More doesn’t always mean “better” when it comes to alerts and alarms. Typically, out-of-the-box, SIEMs will err on the side of alerting on items that aren’t considered relevant or important to an organization. When everything requires your attention, nothing will get it. Furthermore, these alerts often lack the actionable intelligence security analysts need in order to respond and investigate. It doesn’t help me to know that a particular event occurred if I don’t know what to do about it.SIEMs aren’t typically “cloud friendly”. Let’s face it. Whether you planned it or not, there are some corporate assets that are already in the cloud. Depending upon where you are on your “cloud evolution”, you probably have a mix of assets in your data center as well as a public cloud like Amazon’s EC2 or other provider. If so, it’s highly likely that your SIEM implementation doesn’t provide visibility into those assets that are within the cloud provider’s network. Even if these don’t house mission-critical or sensitive information today, they may likely in the future – and security visibility at that point is essential. Ultimately, your SIEM should go wherever you do… whether that’s in the cloud, on the move, or in your data center.
SIEM is too complex. Collecting the right data, aggregating it, normalizing and correlating disparate technologies for that one common view is not a trivial task. And most of the time, the SIEM vendor will expect the client or the client’s service provider to bear the brunt of that deployment challenge. “Feeding the beast” requires multiple hours spent with system administrators who manage those data sources to reroute the event information over to the SIEM. Technically, this isn’t so complex for a single system, but at scale it can get very complicated.
SIEM takes too long to deploy. Most organizations looking to invest in a SIEM do so with a sense of urgency. They need answers and they need them now. Questions like “What’s going on in our network?” “Who is attacking me?” “Are we leaking data?” “Which threats require my attention now?” “What’s going to be an issue for our audit next week?” will need to wait to be answered until integration is completed (typically months after the initial installation). The event correlation rules that provide the “security intelligence” advertised by the vendor will not be of any use until external data sources are pulled in and fine-tuned.
SIEM is too expensive. The licensing costs for the SIEM are just the start. Since virtually nothing is functional out of the SIEM box, organizations will likely need to hire expensive consultants and architects to design and implement the integration, fine-tune the data feeds, and schedule imports across all of the various external data sources. Additionally, in order to make sense for each organization’s business and security priorities, these teams will also need to customize event correlation rules so that the alarms are relevant to them. As a result, consulting services fees can often exceed the software licensing costs. So prepare to double the cost of the software alone, just to get meaningful information out of your SIEM.
SIEMs are too noisy. More doesn’t always mean “better” when it comes to alerts and alarms. Typically, out-of-the-box, SIEMs will err on the side of alerting on items that aren’t considered relevant or important to an organization. When everything requires your attention, nothing will get it. Furthermore, these alerts often lack the actionable intelligence security analysts need in order to respond and investigate. It doesn’t help me to know that a particular event occurred if I don’t know what to do about it.
SIEMs aren’t typically “cloud friendly”. Let’s face it. Whether you planned it or not, there are some corporate assets that are already in the cloud. Depending upon where you are on your “cloud evolution”, you probably have a mix of assets in your data center as well as a public cloud like Amazon’s EC2 or other provider. If so, it’s highly likely that your SIEM implementation doesn’t provide visibility into those assets that are within the cloud provider’s network. Even if these don’t house mission-critical or sensitive information today, they may likely in the future – and security visibility at that point is essential. Ultimately, your SIEM should go wherever you do… whether that’s in the cloud, on the move, or in your data center.
Extend SIEM functionality past the alertProvide workflow driven response procedures for alerts to help guide / train IR teamDynamically populate template with information from environment and alertProvide simple links to access relevant informationGeneral Analysis Guidelines:Remember that you are looking for SQL commands (SELECT, UPDATE, DELETE, UNION, JOIN, etc) in the communication from 10.49.100.131 to 198.228.217.190Although there are many tools to assist in compromising a system via SQL Inject, this attack requires nothing more than a web browser to perform. SQL Injection can be used as both a means to gain entry to a system, but also as a means to exfiltrate data from a system too.
SIEMs aren’t typically “cloud friendly”. Let’s face it. Whether you planned it or not, there are some corporate assets that are already in the cloud. Depending upon where you are on your “cloud evolution”, you probably have a mix of assets in your data center as well as a public cloud like Amazon’s EC2 or other provider. If so, it’s highly likely that your SIEM implementation doesn’t provide visibility into those assets that are within the cloud provider’s network. Even if these don’t house mission-critical or sensitive information today, they may likely in the future – and security visibility at that point is essential. Ultimately, your SIEM should go wherever you do… whether that’s in the cloud, on the move, or in your data center.
Demand more from your SIEM vendor. Ask direct and detailed questions to understand how to avoid these typical problems – before you make the leap to purchase. Make sure to get the most value out of every security investment you make in 2013 and beyond. Here are few questions to get you started.
Expect more from your SIEM.It should go where you do. Cloud, hybrid cloud, mobile apps, etc.“I want to leverage the cloud, but I don’t want to sacrifice my security visibility.”It should tell you what to do. More than alerts, directional guidance on actions to take. (Incident Response workflow feature in v4.1)“Real-time alerts and alarms are great, but if I don’t know what to do with them, they just become more noise.”It shouldn’t require more work.Essential security capabilities that are already pre-integrated.Auto-deploy functionality so you know exactly where you are in the deployment process, and where the holes are.“I thought SIEM would help me with audits and managing threats, but after months we’re still not fully integrated and deployed.”