Expect More From Your SIEM
•
3 gostaram•1,180 visualizações
Unlike security cameras, going from installation to insight with a traditional SIEM is far from straightforward. During this session, we’ll cover a few common problems with SIEM technologies, and how you can avoid those pitfalls with AlienVault Unified Security Management. You’ll walk away with a new perspective on an old problem – reducing the cost of security visibility.
Recomendados
Recomendados
Mais conteúdo relacionado
Mais de AlienVault
Mais de AlienVault (20)
Último
Último (20)
Expect More From Your SIEM
- 1. Expect More From Your SIEM Sandy Hawke, CISSP VP, Product Marketing @sandybeachSF
- 2. Top 5 Problems with SIEM 1. SIEM is too complex. 2. SIEM takes too long to deploy. 3. SIEM is too expensive. 4. SIEMs are too noisy. 5. SIEMs aren’t typically “cloud-friendly.”
- 3. SIEM is too complex.
- 4. Necessary data sources for meaningful SIEM Network flow / network analysis Asset discovery and inventory Vulnerability assessment Log management Wireless intrusion detection (WIDS) Host-based intrusion detection (HIDS) Network-based intrusion detection (NIDS) File Integrity Monitoring +all of the network, system, and application-specific events Security-specific data sources:
- 5. Necessary steps to integrate data into the SIEM 1. Evaluate, select, and purchase third party security tools (e.g. IDS, vulnerability scanners, etc.). 2. Implement and configure these products. 3. Fine-tune and integrate these feeds into the SIEM. 4. Manage and administer them each with a different console than the SIEM.
- 6. SIEM takes too long to deploy.
- 7. Bringing disparate tools together takes time
- 8. SIEM is too expensive.
- 9. “Feeding” the SIEM *is* costly.
- 10. SIEMs are too noisy.
- 11. When everything requires your attention, nothing will get it… Adding more haystacks doesn’t help you find more needles. SIEMs should alert you when you need to do something about an event. And… they should tell you what to do, how to do it, and why it’s important.
- 12. SIEMs aren’t typically cloud-friendly.
- 13. Your SIEM should see your clouds too. Threats can follow you to the cloud, your security visibility tool should too.
- 14. Unified Security Management Saves time, money, and resources
- 15. Piece it all together Look for strange activity which could indicate a threat Start looking for threats Identify ways the target could be compromised How do we secure our company? Figure out what is valuable
- 16. Piece it all together Look for strange activity which could indicate a threat Start looking for threats Identify ways the target could be compromised How do we secure our company? Asset Discovery Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory
- 17. Piece it all together Look for strange activity which could indicate a threat Start looking for threats How do we secure our company? Asset Discovery Vulnerability Assessment Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment • Network Vulnerability Testing
- 18. Piece it all together Look for strange activity which could indicate a threat How do we secure our company? Asset Discovery Vulnerability Assessment Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment • Network Vulnerability Testing Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Threat Detection
- 19. Piece it all together How do we secure our company? Asset Discovery Vulnerability Assessment Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment • Network Vulnerability Testing Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Threat Detection Behavioral Monitoring • Log Collection • Netflow Analysis • Service Availability Monitoring Behavioral Monitoring
- 20. How do we secure our company? Asset Discovery Vulnerability Assessment Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment • Network Vulnerability Testing Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Threat Detection Behavioral Monitoring • Log Collection • Netflow Analysis • Service Availability Monitoring Behavioral Monitoring Security Intelligence • SIEM Correlation • Incident Response Security Intelligence
- 21. Asset Discovery Vulnerability Assessment Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment • Network Vulnerability Testing Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Threat Detection Behavioral Monitoring • Log Collection • Netflow Analysis • Service Availability Monitoring Behavioral Monitoring Security Intelligence • SIEM Correlation • Incident Response Security Intelligence Unified Security Management
- 22. Building security in saves money and time …
- 23. Auto-Deploy Reduces the burden of integrating data sources Identify potential data sources with integrated asset discovery Provides suggestions for improving visibility Where is the monitoring deficient? What can be done to improve it?
- 24. Unified Security Reduces TCO, Accelerates Visibility
- 25. Dynamic Incident Response Templates DMZ_Sensor has detected a possible SQL Injection [reference] attack against the host 10.49.100.131, originating from 198.228.217.190 The goal of a SQL Injection attack is to obtain access directly to the database behind a web application, by passing data to the application that is unintentionally interpreted as SQL commands by the database itself. 1. Contain Breach Destination IP 100.49.100.131 is the Corporate DMZ network segment • Contact owner of 10.49.100.131: Joe Namath • Cross-reference events from other hosts located in 10.49.100.131 network (Corporate_DMZ) for other suspicious activity. • Alerts in Corporate MZ • Analyze Netflow 2. Identify Attacker Source IP 198.228.217.190 is not in your local network • Identify the organization that owns 198.228.217.190 – determine if it is a private organization or available to third parties hosting provider, etc). • WHOIS 198.228.217.190
- 26. Unified Security Management & Visibility: In the cloud and “on the ground”
- 27. Securing the Cloud vs. Cloud-delivered Security Following clients to the cloud vs. setting up yet another cloud…
- 28. Questions for SIEM Vendors How long will it take to go from software installation to security insight? For reals. How many staff members or outside consultants will I need for the integration work? What can I do if I don’t have all of the external security technologies in place that can feed the SIEM (e.g. asset inventories, IDS, vulnerability scans, netflows, etc.)? What is the anticipated mix of licensing costs to consulting and implementation fees? Do your alerts and alarms provide step-by-step instructions for how to mitigate and respond to investigations? PRINT THIS OUT FOR THE NEXT TIME THEY CALL YOU….
- 29. Expect More From Your SIEM It should go where you do. Cloud, hybrid cloud, mobile apps, etc. It should tell you what to do. More than alerts, directional guidance on actions to take. It shouldn’t require more work. Built-in security controls so that integration doesn’t take forever. “Smart” deployments: remove the “guesswork”
- 30. Next Steps / Q&A Request an AlienVault USM demo at: www.alienvault.com/schedule-demo.html Request a free trial of AlienVault USM: http://www.alienvault.com/free-trial Not quite ready for all that? Test drive our open source project - OSSIM here: communities.alienvault.com/ Need more info to get started? Try our knowledge base here: alienvault.bloomfire.com These resources are also in the Attachments section Join the conversation! @alienvault #AlienIntel 30
Notas do Editor
- SIEM is too complex. Collecting the right data, aggregating it, normalizing and correlating disparate technologies for that one common view is not a trivial task. And most of the time, the SIEM vendor will expect the client or the client’s service provider to bear the brunt of that deployment challenge. “Feeding the beast” requires multiple hours spent with system administrators who manage those data sources to reroute the event information over to the SIEM. Technically, this isn’t so complex for a single system, but at scale it can get very complicated. In some cases, this can take months. SIEM takes too long to deploy. Most organizations looking to invest in a SIEM do so with a sense of urgency. They need answers and they need them now. Questions like “What’s going on in our network?” “Who is attacking me?” “Are we leaking data?” “Which threats require my attention now?” “What’s going to be an issue for our audit next week?” will need to wait to be answered until integration is completed (typically months after the initial installation). The event correlation rules that provide the “security intelligence” advertised by the vendor will not be of any use until external data sources are pulled in and fine-tuned. And that’s takes time and as we know time is…SIEM is too expensive. The licensing costs for the SIEM are just the start. Since virtually nothing is functional out of the SIEM box, organizations will likely need to hire expensive consultants and architects to design and implement the integration, fine-tune the data feeds, and schedule imports across all of the various external data sources. Additionally, in order to make sense for each organization’s business and security priorities, these teams will also need to customize event correlation rules so that the alarms are relevant to them. As a result, consulting services fees can often exceed the software licensing costs. So prepare to double the cost of the software alone, just to get meaningful information out of your SIEM.SIEMs are too noisy. More doesn’t always mean “better” when it comes to alerts and alarms. Typically, out-of-the-box, SIEMs will err on the side of alerting on items that aren’t considered relevant or important to an organization. When everything requires your attention, nothing will get it. Furthermore, these alerts often lack the actionable intelligence security analysts need in order to respond and investigate. It doesn’t help me to know that a particular event occurred if I don’t know what to do about it.SIEMs aren’t typically “cloud friendly”. Let’s face it. Whether you planned it or not, there are some corporate assets that are already in the cloud. Depending upon where you are on your “cloud evolution”, you probably have a mix of assets in your data center as well as a public cloud like Amazon’s EC2 or other provider. If so, it’s highly likely that your SIEM implementation doesn’t provide visibility into those assets that are within the cloud provider’s network. Even if these don’t house mission-critical or sensitive information today, they may likely in the future – and security visibility at that point is essential. Ultimately, your SIEM should go wherever you do… whether that’s in the cloud, on the move, or in your data center.
- SIEM is too complex. Collecting the right data, aggregating it, normalizing and correlating disparate technologies for that one common view is not a trivial task. And most of the time, the SIEM vendor will expect the client or the client’s service provider to bear the brunt of that deployment challenge. “Feeding the beast” requires multiple hours spent with system administrators who manage those data sources to reroute the event information over to the SIEM. Technically, this isn’t so complex for a single system, but at scale it can get very complicated.
- SIEM takes too long to deploy. Most organizations looking to invest in a SIEM do so with a sense of urgency. They need answers and they need them now. Questions like “What’s going on in our network?” “Who is attacking me?” “Are we leaking data?” “Which threats require my attention now?” “What’s going to be an issue for our audit next week?” will need to wait to be answered until integration is completed (typically months after the initial installation). The event correlation rules that provide the “security intelligence” advertised by the vendor will not be of any use until external data sources are pulled in and fine-tuned.
- SIEM is too expensive. The licensing costs for the SIEM are just the start. Since virtually nothing is functional out of the SIEM box, organizations will likely need to hire expensive consultants and architects to design and implement the integration, fine-tune the data feeds, and schedule imports across all of the various external data sources. Additionally, in order to make sense for each organization’s business and security priorities, these teams will also need to customize event correlation rules so that the alarms are relevant to them. As a result, consulting services fees can often exceed the software licensing costs. So prepare to double the cost of the software alone, just to get meaningful information out of your SIEM.
- SIEMs are too noisy. More doesn’t always mean “better” when it comes to alerts and alarms. Typically, out-of-the-box, SIEMs will err on the side of alerting on items that aren’t considered relevant or important to an organization. When everything requires your attention, nothing will get it. Furthermore, these alerts often lack the actionable intelligence security analysts need in order to respond and investigate. It doesn’t help me to know that a particular event occurred if I don’t know what to do about it.
- SIEMs aren’t typically “cloud friendly”. Let’s face it. Whether you planned it or not, there are some corporate assets that are already in the cloud. Depending upon where you are on your “cloud evolution”, you probably have a mix of assets in your data center as well as a public cloud like Amazon’s EC2 or other provider. If so, it’s highly likely that your SIEM implementation doesn’t provide visibility into those assets that are within the cloud provider’s network. Even if these don’t house mission-critical or sensitive information today, they may likely in the future – and security visibility at that point is essential. Ultimately, your SIEM should go wherever you do… whether that’s in the cloud, on the move, or in your data center.
- Extend SIEM functionality past the alertProvide workflow driven response procedures for alerts to help guide / train IR teamDynamically populate template with information from environment and alertProvide simple links to access relevant informationGeneral Analysis Guidelines:Remember that you are looking for SQL commands (SELECT, UPDATE, DELETE, UNION, JOIN, etc) in the communication from 10.49.100.131 to 198.228.217.190Although there are many tools to assist in compromising a system via SQL Inject, this attack requires nothing more than a web browser to perform. SQL Injection can be used as both a means to gain entry to a system, but also as a means to exfiltrate data from a system too.
- SIEMs aren’t typically “cloud friendly”. Let’s face it. Whether you planned it or not, there are some corporate assets that are already in the cloud. Depending upon where you are on your “cloud evolution”, you probably have a mix of assets in your data center as well as a public cloud like Amazon’s EC2 or other provider. If so, it’s highly likely that your SIEM implementation doesn’t provide visibility into those assets that are within the cloud provider’s network. Even if these don’t house mission-critical or sensitive information today, they may likely in the future – and security visibility at that point is essential. Ultimately, your SIEM should go wherever you do… whether that’s in the cloud, on the move, or in your data center.
- Demand more from your SIEM vendor. Ask direct and detailed questions to understand how to avoid these typical problems – before you make the leap to purchase. Make sure to get the most value out of every security investment you make in 2013 and beyond. Here are few questions to get you started.
- Expect more from your SIEM.It should go where you do. Cloud, hybrid cloud, mobile apps, etc.“I want to leverage the cloud, but I don’t want to sacrifice my security visibility.”It should tell you what to do. More than alerts, directional guidance on actions to take. (Incident Response workflow feature in v4.1)“Real-time alerts and alarms are great, but if I don’t know what to do with them, they just become more noise.”It shouldn’t require more work.Essential security capabilities that are already pre-integrated.Auto-deploy functionality so you know exactly where you are in the deployment process, and where the holes are.“I thought SIEM would help me with audits and managing threats, but after months we’re still not fully integrated and deployed.”