Before We Begin
Housekeeping
• Turn on your system's sound to hear the streaming presentation
• Questions? Submit them to the presenter at any time in the question box
• The presentation slides will be available to download from the attachment tab after the webinar
• The webinar will be recorded and published on BrightTalk
• Technical problems? Click "Help"
Speaker
• James Brown, Director of Cloud Computing & Security Architecture, Alert Logic
The Evolution of Technology and Attacks
TRADITIONAL SIEMS
The Physical Data Center (early 2000's)
• x86 servers predominant
• Primarily on-premises
• Hosting providers emerge
• Cloud options being developed
The Virtual Data Center (mid 2000's)
• Virtualization becomes mainstream
• Public clouds launch
• Mobile devices proliferate
The Hybrid Data Center (2014 & beyond)
• Cloud-first/mobile-first approach by many companies
• Public cloud and hybrid IT environments mainstream
THREATS AND ATTACKS
The Early Days of Threats (early 2000's)
• Basic malware
• Spray and pray
• Smash-n-grab
• Solo hackers
• Mischief motivation
Catalyst for Change (mid 2000's)
• Proliferation of malware
• Organized hacking groups
• Access to information
• Financial gain motivation
Next Generation Threats (2014 & beyond)
• Advanced attacks
• Multi-vector approach
• Social engineering
• Targeted recon
• Long-duration compromises
Today's Attacks are Becoming More Complex
• Attacks are multi-stage, using multiple threat vectors
• It takes organisations months to identify that they have been compromised [1]
- 229 days on average before detection of compromise
• Over two-thirds of organizations find out from a third party that they have been compromised [2]
Attack stages: Initial Attack -> Identify & Recon -> Command & Control -> Discover & Spread -> Extract & Exfiltrate
The Impact
• Financial loss
• Harm to brand and reputation
• Scrutiny from regulators
[1] IDC Worldwide Security and Vulnerability Management 2014–2018 Forecast
[2] 2014 M-Trends Threat Report
Why SIEMs are valuable
• Security is getting to the point of information overload
• Increases an organisation's security posture
- Through visibility and situational awareness
- Deployment of detective and protective controls
- Data from the network, systems and applications fed to the SIEM
- Allows complex issues to be defined, categorized and expressed in logic
• The effectiveness of a SIEM in detecting pre- and post-compromise activity is directly related to how successfully data is collected
• It is all about the data
What is a SIEM?
Components:
• Hardware and infrastructure (servers, etc.)
• Software and databases
• Integration
• Experts
• Threat intelligence
• Correlation rules
• Data sources to feed the SIEM
• Licensing
Ongoing work (lots of people, software, hardware and process):
• Write parsers, alert and correlation rules
• Ongoing tuning
• Subscribe to and incorporate threat intelligence feeds
• Review and respond to alerts
Do Traditional SIEMs deliver value?
• The people cost of using the SIEM was higher than expected
• Big, complex applications that demand the user not only know the SIEM but also be an expert in understanding the event sources
• Lengthy implementations
• Burden of ongoing operational support (configuration, tuning, etc.)
Potential Pitfalls in the Cloud
• Licensing
• Capabilities
• Performance
• Move to the Cloud
• Support for DevOps
• Scalability
• Multiple Platforms
- Different cloud providers, OS, versions
The Characteristics of a Modern SIEM
• Fully managed
- Infrastructure
- Security content and correlation rules
- Monitored 24x7
• Big data
• Unlimited scale
• Cloud ready
• Can collect data without access to the underlying cloud host infrastructure
• DevOps
The Characteristics of a Modern SIEM (continued)
• Configuration management
- Ex: Chef, Ansible, AWS CloudFormation templates
• Supports cloud provider data types
- Ex: AWS CloudTrail
• Easily extensible
• Not limited by domain, source, message, or event frequency or uniqueness
• Automatically incorporates third-party watch lists
• Dynamically generates watch lists based on real-time data
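An added example, not code from the webinar or from Alert Logic, of what "expressed in logic" (Why SIEMs are valuable) and this slide's CloudTrail and watch-list points look like in practice: a small correlation rule over constructed AWS CloudTrail ConsoleLogin records that builds a watch list dynamically from the event stream and merges it with a hypothetical third-party list. The threshold, window, addresses, user names and events are all assumed sample values.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Hypothetical third-party watch list (constructed value, not a real indicator).
THIRD_PARTY_WATCHLIST = {"203.0.113.7"}
FAIL_THRESHOLD, WINDOW = 3, timedelta(minutes=10)  # N failed logins inside WINDOW -> watch the IP

def parse_record(line):
    """Pull the fields the rule needs out of one CloudTrail JSON record."""
    rec = json.loads(line)
    return {
        "time": datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00")),
        "event": rec["eventName"],
        "src": rec["sourceIPAddress"],
        "user": rec.get("userIdentity", {}).get("userName", "<unknown>"),
        "success": rec.get("responseElements", {}).get("ConsoleLogin") == "Success",
    }

def correlate(lines, third_party=THIRD_PARTY_WATCHLIST):
    """Return (dynamic_watchlist, alerts); an alert fires when a watched IP completes a ConsoleLogin."""
    failures = defaultdict(list)  # src IP -> timestamps of failures inside WINDOW
    dynamic, alerts = set(), []
    for r in map(parse_record, lines):
        if r["event"] != "ConsoleLogin":
            continue
        if not r["success"]:
            # keep only failures inside the sliding window, then test the threshold
            q = failures[r["src"]] = [t for t in failures[r["src"]] if r["time"] - t <= WINDOW]
            q.append(r["time"])
            if len(q) >= FAIL_THRESHOLD:
                dynamic.add(r["src"])
        elif r["src"] in dynamic or r["src"] in third_party:
            alerts.append(f"{r['user']} logged in from watched IP {r['src']} at {r['time']:%H:%M}")
    return dynamic, alerts

def _ct(ts, src, user, ok):
    """Constructed CloudTrail ConsoleLogin record (sample data, not real logs)."""
    return json.dumps({"eventTime": ts, "eventName": "ConsoleLogin", "sourceIPAddress": src,
                       "userIdentity": {"userName": user},
                       "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"}})

SAMPLE_EVENTS = [  # burst of failures then success from one IP; one hit on the static list
    _ct("2014-11-05T10:00:00Z", "198.51.100.9", "alice", False),
    _ct("2014-11-05T10:01:00Z", "198.51.100.9", "alice", False),
    _ct("2014-11-05T10:02:00Z", "198.51.100.9", "alice", False),
    _ct("2014-11-05T10:03:00Z", "198.51.100.9", "alice", True),
    _ct("2014-11-05T10:04:00Z", "203.0.113.7", "bob", True),
    _ct("2014-11-05T10:05:00Z", "192.0.2.44", "carol", False),
    _ct("2014-11-05T10:30:00Z", "192.0.2.44", "carol", True),
]
```

Entries added to the dynamic list never expire here; a production rule would age them out and tune the threshold per source to keep false positives down.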
Monitoring your Environment
ALERT LOGIC CLOUD DEFENDER
Goal: identify attacks and protect customers
• Alert Logic ActiveAnalytics: big data analytics platform
• Alert Logic ActiveIntelligence: threat intelligence and security content
• Alert Logic ActiveWatch: 24x7 monitoring and escalation
Inputs from the customer IT environment (cloud, hybrid, on-premises):
• Web application events
• Log data
• Network incidents
Creating Threat Intelligence to Feed a Modern SIEM
Inputs / data sources:
• Honey pot network
• Flow-based forensic analysis
• Malware forensic sandboxing
• Intelligence harvesting grid
• Alert Logic Threat Manager data
• Alert Logic Log Manager data
• Alert Logic Web Security Manager data
• Alert Logic ScanWatch data
• Asset model data
• Customer business data
Produced from these inputs:
• Security content
• Applied analytics
• Threat intelligence research
• Incidents, handled by the 24/7 customer Security Operations Center
What You Need to Solve the SIEM Problem
• Experts create and manage correlation rules that identify threats and reduce false positives
• Threat researchers continuously provide content enabling detection of emerging threats
• Threat coverage across the application stack delivers broad visibility and protection
• It must work in a highly agile multi-platform environment
Key elements: Rule Creation & Management; Continuous Threat Research; Results Delivered; Full Stack Correlation