Advanced SIEM Operations
TRANSCRIPT
![Page 1: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/1.jpg)
Michael Leland | SIEM Evangelist
Advanced SIEM Operations: Realizing the Benefits of a Results-Driven SIEM
![Page 2: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/2.jpg)
Agenda
• The Challenges of Deploying an Effective SIEM
• Mapping SIEM Operations to the Cyber Attack Chain
• Transition from Detection to Correction
• Identifying Potential Threats
• Improving Situational Awareness
• Leveraging Threat Intelligence
![Page 3: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/3.jpg)
McAfee Confidential
Planning for Success: Assessing your Deployment
Questions to Ask:
• What resources are needed to deploy and manage the SIEM solution?
• Is initial deployment simple?
• Are configurations and customizations intuitive?
• Can it deliver the performance, scalability and intelligence needed?
Goal:
• Improve both security posture and operational efficiencies
• Real-life usability is a key consideration
Source: August 2014. Intel Security Special Report: When Minutes Count.
![Page 4: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/4.jpg)
SIEM Deployment Challenges: Evolving Expectations of Security Event Analysis
Operational Difficulties
• Onboarding Data Sources
• Integrating Security Platforms
Measurable Value
• Reducing Mean-Time-to-Discovery
• Improving Threat Response Time
• Reducing Breach Impact
Continuous Learning & Enrichment
• Threat Lifecycle
• Organizational Context
• Automating Remediation Workflow
![Page 5: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/5.jpg)
Mapping SIEM to the Attack Chain
Traditional approaches are failing (breaches are occurring) along the entire attack chain…
Attack chain: Recon | Weaponize | Deliver | Exploit | Control | Execute | Persist
Time scale: HOURS to MONTHS | SECONDS | WEEKS to MONTHS
Protect
• Signature-based defenses
• Lack of intent-based analysis
• Siloed technologies
Detect
• Breaches dwell too long (stay active)
• Fragmented visibility
• Information overload
• Lack of context
Correct
• Organization lacks agility to respond quickly
• Cumbersome workflows
• Information overload
• Restrictive tools
![Page 6: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/6.jpg)
Evolving from Find to Fix: Orchestrating common remediation tasks
• Endpoint quarantine and triage
• Blacklist offending address/host
• Perform targeted vulnerability scan
“75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours).”
Source: Verizon 2015 Data Breach Investigations Report
![Page 7: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/7.jpg)
Automate Time-Consuming Tasks: Reduce Operational Overhead
• Generating scheduled reports
• Identifying anomalous activities
• On-boarding new data sources
• Updating watchlist values
![Page 8: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/8.jpg)
Network Security Mitigation Matrix: Actionable response to active threats
(Matrix figure: attack-chain columns Recon | Weaponize | Deliver | Exploit | Control | Execute | Persist; rows PROTECT | DETECT | CORRECT)
Controls placed in the matrix:
• Recon detection, Anti-Evasion, Sandboxing, Covert Channel detection, Callback Detection
• Network/Host Analysis, ACLs, Browser Emulation, Network-Endpoint Interlock, Anti-Botnet
• Host Behavior Analysis, Traffic Learning, Application Control, Data Exfiltration
• Deep File Analysis, Virtual Patching, IP Reputation, Web Filtering/ACLs
• User Behavior Analysis, DDoS Mitigation
![Page 9: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/9.jpg)
Traditional Incident Response Challenges
(Chart: number of events over time, pre-breach to post-breach, across Protect | Detect | Correct)
• Opportunistic attacks blocked
• Targeted attacks have prolonged dwell time
• Difficult signal isolation
• Excessive operational friction
![Page 10: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/10.jpg)
Security Connected Approach
(Chart: number of events over time, pre-breach to post-breach, across Protect | Detect | Correct; prolonged dwell time versus minimized dwell time)
• Dramatically compressed Incident Response
• Minimized dwell time
• Rapid outlier detection
• Fluid operational response
• Adaptive threat reduction
A connected ecosystem of sensors, controls and management will strengthen security posture and enhance visibility
• Detect and adapt to breaches more quickly
• Prioritize and facilitate fluid responses
• Accelerate the decision-making process
![Page 11: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/11.jpg)
Integrating the 5 Styles of Security Analytics
• Network Traffic Analysis
• Network Forensics
• Payload Analysis
• Endpoint Behavior Analysis
• Endpoint Forensics
Source: Gartner “Five Styles of Advanced Threats”
![Page 12: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/12.jpg)
Rapid Threat Detection: Reduce Prolonged Risk Exposure
• Effective event & flow correlation
• Real-time alarms and actions
• Historical forensic analysis
• Leverage rule, risk & historical correlation
Rule: Simple Boolean pattern match, e.g. IF ((A & (B or C)) & NOT D)
Risk: Weighted score using asset classification and reputation, e.g. (X [in CriticalSystems] * Reputation)
Historical: Retroactive analysis of previously collected events/flows: over N duration of time, which Rule or Risk correlations would have been identified?
Standard Deviation
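The four correlation styles on this slide, worked through as an added example (not code from the deck or from any McAfee product): the Boolean rule evaluated per host over a sliding window, a risk score weighted by asset classification and reputation, a historical replay over the last N seconds ranked by that score, and a standard-deviation outlier check on event volume. The event stream, host names, CRITICAL_SYSTEMS membership, reputation values and the critical-asset weight of 2 are all constructed assumptions.

```python
from collections import defaultdict
import statistics

# Constructed sample events: (timestamp_seconds, host, signal). The signals are the
# abstract A/B/C/D terms from the slide; hosts, classification and reputations are assumed.
EVENTS = [
    (100, "ws-01", "A"), (130, "ws-01", "C"),                       # A & C, no D: rule fires
    (200, "db-07", "A"), (205, "db-07", "B"), (210, "db-07", "D"),  # D present: suppressed
    (900, "ws-03", "B"), (950, "ws-03", "A"),                       # fires, lower-value asset
]
CRITICAL_SYSTEMS = {"db-07", "ws-01"}                   # assumed asset classification
REPUTATION = {"ws-01": 80, "db-07": 20, "ws-03": 80}    # assumed 0..100, higher = worse

def rule_correlation(events, window=300):
    """Rule: IF ((A & (B or C)) & NOT D), evaluated per host over a sliding window."""
    by_host = defaultdict(list)
    for ts, host, sig in events:
        by_host[host].append((ts, sig))
    hits = []
    for host, items in by_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {s for ts, s in items[i:] if ts - start <= window}
            if "A" in seen and ("B" in seen or "C" in seen) and "D" not in seen:
                hits.append((host, start))
                break  # one alarm per host; later windows would only repeat it
    return hits

def risk_score(host):
    """Risk: (X [in CriticalSystems] * Reputation); the weight of 2 is an assumed choice."""
    weight = 2 if host in CRITICAL_SYSTEMS else 1
    return weight * REPUTATION.get(host, 0)

def historical_correlation(events, now, duration, window=300):
    """Historical: replay the rule over the last `duration` seconds, ranked by risk score."""
    recent = [e for e in events if now - e[0] <= duration]
    ranked = [(risk_score(h), h, ts) for h, ts in rule_correlation(recent, window)]
    return sorted(ranked, reverse=True)

def deviation_outliers(events, sigmas=2.0):
    """Standard deviation: hosts whose event volume lies `sigmas` above the population mean."""
    counts = defaultdict(int)
    for _, host, _ in events:
        counts[host] += 1
    mean, sd = statistics.mean(counts.values()), statistics.pstdev(counts.values())
    return sorted(h for h, c in counts.items() if c > mean + sigmas * sd)
```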
![Page 13: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/13.jpg)
All Threats are Not Created Equal: Prioritize Threat Response
• Correlated Events: typically represent a higher magnitude of threat
• Anomalous Behaviors: should be identified and addressed
• Risk Profiling: adds context (user/asset/reputation)
• Severity – Not Volume: determines threat level and appropriate response
![Page 14: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/14.jpg)
Reducing Threat Discovery Time: Automating remediation and protection actions
14:29:44 - New file seen for the first time in the enterprise
14:30:40 - New file detected with unknown reputation – assumed ‘dirty’
14:30:43 - Sample submitted to ATD sandbox – identified as malicious
14:30:44 - TIE reputation changed from ‘unknown’ to ‘known dirty’
14:31:00+ - All subsequent attempts to execute the malicious file blocked
Time to Detect: 59s
Time to Protect: 1m
![Page 15: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/15.jpg)
Improving Situational Awareness: Context Enrichment Data Sources
Leverage greater content AND context during forensic investigations
Data Sources: Authentications, Web Transactions, Network Flows, Identity, Cloud, Security Logs, Database, Applications, Email, File Access
Context Enrichment: Anomaly Detection, Organizational Hierarchy, User Identity, Geolocation, Reputation, Risk Score, Vulnerability, Payload
![Page 16: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/16.jpg)
Threat Intelligence: Improve situational awareness
Leverage vendor-supplied and industry threat sources to better understand the context of a threat
• Identify activities to/from a ‘bad actor’
• Threat feeds should be: Consumable, Relevant, Accurate, Timely
• Industry-specific threat intelligence: Healthcare, Finance, Retail
![Page 17: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/17.jpg)
Threat Intelligence Sources: Multiple Threat Vector Analysis
Static
• Threat Lists: Artifacts, Age, Relevance, Attribution
• Sources: Emerging Threats, Malc0de
Dynamic
• IoC Sources: Artifacts, Boolean Logic, Behavioral, Campaigns
• Local Intelligence: Sandbox Analysis, Manual Assignment
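As an added example (not from the deck), the static threat-list matching described on this and the previous slide, with the Age and Attribution attributes applied: artifacts whose last confirmation is older than a configurable age are dropped as no longer relevant before flows are checked for traffic to or from a listed address. The list entries, addresses (documentation ranges), campaign names and flow records are all constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed threat-list entries (documentation-range addresses, not real indicators):
# each artifact carries its attribution and the time the source last confirmed it.
THREAT_LIST = [
    {"indicator": "203.0.113.10", "attribution": "sample-campaign-A", "last_seen": "2015-06-01T00:00:00Z"},
    {"indicator": "198.51.100.7", "attribution": "sample-campaign-B", "last_seen": "2015-03-01T00:00:00Z"},
]
# Constructed flow records: (timestamp, source address, destination address).
FLOWS = [
    ("2015-06-10T12:00:00Z", "10.0.0.5", "203.0.113.10"),
    ("2015-06-10T12:01:00Z", "198.51.100.7", "10.0.0.9"),
    ("2015-06-10T12:02:00Z", "10.0.0.5", "192.0.2.1"),
]

def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps used in the constructed data."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def relevant_indicators(threat_list, now, max_age_days):
    """Age check: keep artifacts refreshed within max_age_days; stale ones drive false positives."""
    cutoff = now - timedelta(days=max_age_days)
    return {e["indicator"]: e["attribution"]
            for e in threat_list if parse_ts(e["last_seen"]) >= cutoff}

def match_flows(flows, threat_list, now, max_age_days=30):
    """Tag traffic to or from a listed address with its direction and attribution."""
    listed = relevant_indicators(threat_list, now, max_age_days)
    hits = []
    for ts, src, dst in flows:
        if dst in listed:
            hits.append((ts, src, dst, "outbound", listed[dst]))
        elif src in listed:
            hits.append((ts, src, dst, "inbound", listed[src]))
    return hits

NOW = parse_ts("2015-06-10T13:00:00Z")  # constructed reference time for the run
```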
![Page 18: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/18.jpg)
The Security Challenge: Detect and Remediate threats before they impact your business
Source: Ponemon Institute 2014 Cost of Cyber Crime study
Mean number of days to resolution: 31 DAYS
Average cost per day: $20,758
Timeline (Hours → Weeks → Months): ATTACK → COMPROMISE → DISCOVERY → CONTAINMENT
![Page 19: Advanced SIEM Operations](https://reader031.vdocuments.site/reader031/viewer/2022021506/587b44f71a28ab9c0e8b67e5/html5/thumbnails/19.jpg)