Next-Generation SIEM: Delivered from the Cloud

  1. NEXT-GENERATION SIEM: DELIVERED FROM THE CLOUD
     James Brown, Director of Cloud Computing & Solution Architecture
  2. Before We Begin
     Housekeeping
     • Turn on your system’s sound to hear the streaming presentation
     • Questions? Submit them to the presenter at any time in the question box
     • The presentation slides will be available to download from the attachment tab after the webinar
     • The webinar will be recorded and published on BrightTalk
     • Technical problems? Click “Help”
     Speaker
     • James Brown
     • Director of Cloud Computing & Security Architecture, Alert Logic
  3. The Evolution of Technology and Attacks
     TRADITIONAL SIEMS
     EARLY 2000’s: The Physical Data Center
     • x86 servers predominant
     • Primarily on-premises
     • Hosting providers emerge
     • Cloud options being developed
     MID 2000’s: The Virtual Data Center
     • Virtualization becomes mainstream
     • Public clouds launch
     • Mobile devices proliferate
     2014 & BEYOND: The Hybrid Data Center
     • Cloud-first/mobile-first approach by many companies
     • Public cloud and hybrid IT environments mainstream
     THREATS AND ATTACKS
     EARLY 2000’s: The Early Days of Threats
     • Basic malware
     • Spray and pray
     • Smash-n-grab
     • Solo hackers
     • Mischief motivation
     MID 2000’s: Catalyst for Change
     • Proliferation of malware
     • Organized hacking groups
     • Access to information
     • Financial gain motivation
     2014 & BEYOND: Next Generation Threats
     • Advanced attacks
     • Multi-vector approach
     • Social engineering
     • Targeted recon
     • Long duration compromises
  4. Today’s Attacks are Becoming More Complex
     • Attacks are multi-stage, using multiple threat vectors
     • It takes organisations months to identify that they have been compromised¹: 229 days on average before detection of compromise
     • Over two-thirds of organizations find out from a 3rd party that they have been compromised²
     Attack stages: Initial Attack → Identify & Recon → Command & Control → Discover & Spread → Extract & Exfiltrate
     The Impact
     • Financial loss
     • Harm to brand and reputation
     • Scrutiny from regulators
     1 – IDC Worldwide Security and Vulnerability Management 2014–2018 Forecast
     2 – 2014 M-Trends Threat Report
  5. Why SIEMs are Valuable
     • Security is getting to the point of information overload
     • Increase in an organisation’s security posture
       - Through visibility and situational awareness
       - Deployment of detective and protective controls
       - Data from the network, systems and applications fed to the SIEM
       - Allows complex issues to be defined, categorized and expressed in logic
     • The effectiveness of a SIEM in detecting pre- and post-compromise activity is directly related to the success of collecting data
     • It is all about the data
  6. What is a SIEM?
     Building blocks: Infrastructure (servers, etc.), Hardware, Software, Databases, Integration, Experts, Threat Intelligence, Correlation Rules, Data sources to feed the SIEM, Licensing
     What it takes: lots of people, software, hardware and process
     • Threat intelligence feeds: subscribe to and incorporate intelligence feeds
     • Write parsers, alert and correlation rules
     • Ongoing tuning
     • Review and respond to alerts
  7. Do Traditional SIEMs Deliver Value?
     • The people cost of using the SIEM was more than expected
     • Big, complex applications that demand the user not only know the SIEM but also be an expert in understanding event sources
     • Lengthy implementations
     • Burden of ongoing operational support (configuration, tuning, etc.)
  8. Potential Pitfalls in the Cloud
     • Licensing
     • Capabilities
     • Performance
     • Move to the cloud
     • Support for DevOps
     • Scalability
     • Multiple platforms
       - Different cloud providers, OSes, versions
  9. The Characteristics of a Modern SIEM
     • Fully managed
       - Infrastructure
       - Security content and correlation rules
       - Monitored 24x7
     • Big data
     • Unlimited scale
     • Cloud ready
     • Can collect data without access to the underlying cloud host infrastructure
     • DevOps
  10. The Characteristics of a Modern SIEM
      • Configuration management
        - Ex: Chef, Ansible, AWS CloudFormation templates
      • Support for cloud provider data types
        - Ex: AWS CloudTrail
      • Easily extensible
      • Not limited by domain, source, message, or event frequency or uniqueness
      • Automatically incorporates 3rd party watch lists
      • Dynamically generates watch lists based on real-time data
  11. Monitoring your Environment
      ALERT LOGIC CLOUD DEFENDER: Identify Attacks & Protect Customers
      • Big Data Analytics Platform: Alert Logic ActiveAnalytics
      • Threat Intelligence & Security Content: Alert Logic ActiveIntelligence
      • 24 x 7 Monitoring & Escalation: Alert Logic ActiveWatch
      Customer IT Environment (Cloud, Hybrid, On-Premises) feeds in: web application events, log data, network incidents
  12. Creating Threat Intelligence to Feed a Modern SIEM
      INPUTS (Data Sources)
      • Alert Logic Threat Manager Data
      • Alert Logic Log Manager Data
      • Alert Logic Web Security Manager Data
      • Alert Logic ScanWatch Data
      • Asset Model Data
      • Customer Business Data
      Threat Intelligence Research: Honey Pot Network, Flow-based Forensic Analysis, Malware Forensic Sandboxing, Intelligence Harvesting Grid, Security Content, Applied Analytics
      Customer Security Operations Center: 24/7 INCIDENTS
  13. What You Need to Solve the SIEM Problem
      • RULE CREATION & MANAGEMENT: Experts create and manage correlation rules that identify threats and reduce false positives
      • CONTINUOUS THREAT RESEARCH: Threat researchers continuously provide content enabling detection of emerging threats
      • FULL STACK CORRELATION: Threat coverage across the application stack delivers broad visibility and protection
      • RESULTS DELIVERED: It must work in a highly agile, multi-platform environment
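To make concrete what slides 10 and 13 mean by a correlation rule that consumes cloud provider data (AWS CloudTrail), merges a 3rd party watch list and grows its own watch list from real-time data, here is an added illustration that is not part of the Alert Logic deck or product. The event dicts, IP addresses, usernames, thresholds and window are all constructed for the example; the rule models the "many failed console logins followed by a success" stage of a multi-stage attack from slide 4.

```python
# Added example (not Alert Logic code): a minimal correlation rule over
# constructed CloudTrail-style events. A third-party watch list is merged in,
# and IPs that trigger the rule are added to a dynamic watch list so that any
# later API activity from them is flagged. All values below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 3      # assumption: failures before a success that count as suspicious
WINDOW = timedelta(minutes=10)  # assumption: correlation window for the failures

# Constructed stand-in for a subscribed 3rd party watch list (slide 10)
THIRD_PARTY_WATCHLIST = {"203.0.113.77"}


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, external_watchlist=THIRD_PARTY_WATCHLIST):
    """Return (alerts, watchlist) for CloudTrail-like event dicts."""
    watchlist = set(external_watchlist)
    failures = defaultdict(list)  # sourceIPAddress -> times of failed ConsoleLogin
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO timestamps sort as text
        ip, t = ev["sourceIPAddress"], parse_time(ev["eventTime"])
        if ip in watchlist:  # static or dynamically added entry: flag every call
            alerts.append(("watchlist_hit", ip, ev["eventName"]))
        if ev["eventName"] != "ConsoleLogin":
            continue
        recent = [x for x in failures[ip] if t - x <= WINDOW]
        if ev["responseElements"].get("ConsoleLogin") == "Failure":
            failures[ip] = recent + [t]
        elif len(recent) >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("brute_force_success", ip, ev["userIdentity"]["userName"]))
            watchlist.add(ip)  # dynamic watch list: generated from the live data
            failures[ip].clear()
    return alerts, watchlist


def make_event(time, ip, name, user="alice", outcome=None):
    ev = {"eventTime": time, "sourceIPAddress": ip, "eventName": name,
          "userIdentity": {"userName": user}, "responseElements": {}}
    if outcome:
        ev["responseElements"]["ConsoleLogin"] = outcome
    return ev


def run_sample():
    # Constructed events: one benign login, a brute force that succeeds, then follow-on API calls
    events = [
        make_event("2024-05-01T10:00:00Z", "192.0.2.5", "ConsoleLogin", "bob", "Success"),
        make_event("2024-05-01T10:00:10Z", "198.51.100.9", "ConsoleLogin", outcome="Failure"),
        make_event("2024-05-01T10:01:00Z", "198.51.100.9", "ConsoleLogin", outcome="Failure"),
        make_event("2024-05-01T10:02:00Z", "198.51.100.9", "ConsoleLogin", outcome="Failure"),
        make_event("2024-05-01T10:03:00Z", "198.51.100.9", "ConsoleLogin", outcome="Success"),
        make_event("2024-05-01T10:04:00Z", "203.0.113.77", "DescribeInstances"),
        make_event("2024-05-01T10:05:00Z", "198.51.100.9", "CreateUser"),
    ]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_sample()[0]:
        print(alert)
```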
  14. Get Connected: @alertlogic
      Resources, all available under the “Attachments” tab of the webinar:
      • 451 Research Report: outlines the Alert Logic approach to SIEM
      • Zero Day Magazine
      • Weekly Threat Newsletter
  15. Thank you.