COVER PAGE TEMPLATE

Posted 17-Jun-2020

TRANSCRIPT

Page 1: COVER PAGE TEMPLATE...cross-site scripting attacks and more • Verified testing against more than 2.1 million web application attacks • Advanced detection capabilities to spot and

COVER PAGE TEMPLATE

Page 2:

Cybersecurity is harder than it should be…

Page 3:

SIEM can be harder than it should be…

If you think this is expensive, look twice, because it really is so.

So many options that it can be bewildering.

Implementation tedious, support often overlooks known bugs, interface clunky, non-intuitive.

Starting to show its age. Not keeping up with current requirements.

Great out of the box for meeting compliance requirements, but does not scale well.

Needs technical training to take advantage of its capabilities and reporting.

Pages 4-9:

Common Pitfalls

• Failure to Perform Detailed Planning Before Buying

• Failure to Define Scope

• Overly Simplistic Scoping

• Monitoring Noise

• Lack of Sufficient Context

• Insufficient Resources

1 Overcoming Common Causes for SIEM Solution Deployment Failures, G00328573, 30 May 2017

Page 10:

A Real-World Example

• Tool selection (# tools x 5): 1/3 of project time

• Integration effort & maintenance: 7 business units, 40 offices, 4,500 employees

• Local log storage (server and storage requirements)

• Agent deployments: disparate platforms and versions

• Kickoff / design / roll out (three quarters just for log data!)

Page 11:

A Real-World Example

• Configuration: noise / tuning, staffing; finally got to 2x/day manual review of alerts

• Staffing
  • 2 FTE to plan, execute, and manage roll out
  • 1 FTE to manage tooling, 2 FTE for monitoring and ops
  • 1 FTE for patching and change management. So, so much time spent convincing people to patch…
  • 4x to hire security analyst as infrastructure engineer/admin, highest turnover rate (external opportunities, boredom of alert watching) = permanent state of hiring

Never delivered on promise after 2 years of best effort

Page 12:

Industry and size no predictor of risk

Attack automation and ‘spray and pray’

Web applications still top target

Page 13:

Threat Landscape Maturity

1. Proactive research: become aware of a vulnerability in the community, disclosed by a vendor, or from customer data analysis

2. Research and Intel teams work to understand the scope of the threat and investigate customer data

3. Exploit proof-of-concept code published on the dark web or other sites (e.g. ExploitDB)

4. Customer data manually investigated by research; exploit attempts seen based on the POC code

5. Vulnerability scan data used to identify customers at risk; proactive outreach takes place

6. Telemetry detection content produced; research and content brief the SOC

7. Manual incidents raised by the SOC to customers affected by the emerging threat

8. Fully automated, false-positive-tuned incident content published

Page 14:

Recent Emerging Threats

• Drupal REST API Remote Code Execution (CVE-2019-6340)
  • February 2019, critical remote code execution vulnerability against the Drupal REST API

• Jenkins Plugins Remote Code Execution
  • Remote code execution allows web shell deployment

• Blueimp jQuery-File-Upload (CVE-2018-9206)
  • Arbitrary file upload vulnerability allows unauthenticated attackers to upload any file to the victim server

• Authentication Bypass in libssh Leaves Servers Vulnerable (CVE-2018-10933)
  • Exploited to gain complete control over vulnerable servers, enabling attackers to steal encryption keys and user data, install rootkits and erase logs

• Oracle WebLogic JSP File Upload Vulnerability (CVE-2018-2894)
  • Successful exploitation of this vulnerability provides attackers with shell access to the web server, which is a significant risk of compromise.
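Three of the bullets above (Jenkins, jQuery-File-Upload, WebLogic) share one shape: a file that the web server will execute is written under the web root and then requested over HTTP. The following is an added example, not code from Alert Logic or from the deck, showing how an inspector working on HTTP requests and responses can flag that shape and correlate the upload with its later invocation, plus a header check for expression-language syntax in Content-Type (the form the 2017 Apache Struts injection took, which the deck's timeline slide refers to). The record layout, the rule set, the endpoint paths, the IPs and every sample transaction are assumptions constructed for the illustration; none of it is a product signature.

```python
"""Web-shell deployment detector over inspected HTTP transactions.

Added example, not Alert Logic's code: the record layout, the rule set
and every sample record below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Extensions a typical web server executes if the file lands under the docroot.
EXECUTABLE_EXT = {"php", "php5", "phtml", "jsp", "jspx", "asp", "aspx", "cgi"}

# Expression-language openers that never belong in a Content-Type header
# (assumed shape of the 2017 Apache Struts OGNL injection via Content-Type).
EXPR_IN_HEADER = re.compile(r"[%$#]\{|\(#")


@dataclass
class HttpTxn:
    """One request/response pair as an HTTP inspector would summarise it."""
    ts: int                      # epoch seconds
    src: str                     # client IP
    method: str
    path: str                    # request target, query string included
    status: int                  # response status code
    content_type: str = ""       # request Content-Type header
    upload_name: Optional[str] = None  # multipart part filename=, if any


Finding = Tuple[str, str, str, str]  # (severity, rule, src, detail)


def executable_name(name: str) -> bool:
    """True when any extension after the first dot is executable. This also
    catches shell.php.jpg (Apache multi-extension) and shell.jpg;.php tricks."""
    parts = re.split(r"[.;]", name.lower())
    return any(p in EXECUTABLE_EXT for p in parts[1:])


def basename(target: str) -> str:
    """Last path segment with query string and ';' path parameters removed."""
    path = target.split("?", 1)[0].split(";", 1)[0]
    return path.rsplit("/", 1)[-1].lower()


def inspect(txns: List[HttpTxn]) -> List[Finding]:
    """Run the rules in time order, correlating uploads with later invocations."""
    findings: List[Finding] = []
    uploaded: Dict[str, int] = {}  # basename of an accepted upload -> ts
    for t in sorted(txns, key=lambda x: x.ts):
        if EXPR_IN_HEADER.search(t.content_type):
            findings.append(("high", "expression-in-content-type", t.src, t.content_type))
        if t.method == "POST" and t.upload_name and executable_name(t.upload_name):
            severity = "medium"                 # attempt was rejected or errored
            if 200 <= t.status < 300:
                severity = "high"               # server accepted an executable file
                uploaded[basename(t.upload_name)] = t.ts
            findings.append((severity, "executable-upload", t.src,
                             f"{t.upload_name} via {t.path}"))
        elif basename(t.path) in uploaded and t.status == 200:
            # Anyone (not only the uploader) fetching the accepted file is a
            # web shell being used: the highest-confidence signal here.
            findings.append(("critical", "web-shell-invoked", t.src, t.path))
    return findings


# Constructed sample traffic; IPs are documentation ranges, paths are invented.
SAMPLE = [
    HttpTxn(1000, "203.0.113.7", "POST", "/upload", 200, "multipart/form-data", "report.pdf"),
    HttpTxn(1010, "203.0.113.9", "POST", "/upload", 200, "multipart/form-data", "cmd.jsp"),
    HttpTxn(1015, "198.51.100.4", "GET", "/files/cmd.jsp?c=id", 200),
    HttpTxn(1020, "203.0.113.9", "POST", "/upload", 403, "multipart/form-data", "x.php.jpg"),
    HttpTxn(1030, "203.0.113.9", "POST", "/login.action", 500, "%{(#_='multipart/form-data')}"),
]

if __name__ == "__main__":
    for severity, rule, src, detail in inspect(SAMPLE):
        print(f"{severity:8} {rule:28} {src:14} {detail}")
```

The correlation is keyed on the uploaded file's basename rather than on the uploader's IP because the shell is routinely invoked from a different address than the one that planted it; a rejected upload (non-2xx) is still reported at lower severity, since a blocked first attempt is usually followed by variants of the filename.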

Page 15:

Attack Surface Penetration

Kill-chain phases: IDENTIFY & RECON | INITIAL ATTACK | COMMAND & CONTROL | DISCOVER & SPREAD | EXTRACT & EXFILTRATE

Controls listed across the phases, in slide order:

• Manage exposures
• Ensure coding best practices
• Coding best practices
• Application monitoring
• Network monitoring
• Vulnerability management
• Least privilege access
• Role-based access
• Network monitoring
• Log correlation
• Vulnerability management
• User lifecycle management
• Network monitoring
• Log correlation
• File integrity monitoring
• Application response monitoring
• Network monitoring
• Least privilege access
• Role-based access

Page 16:

Introducing a Better Way

Page 17:

A Solution That SIEMlessly Works Across Environments

ASSESS
• Vulnerability scanning: software CVEs, network config, remediation workloads
• Auditing: AWS configuration exposures; auto-discovery, topology

DETECT
• Data inspection: web (HTTP) requests & responses, system logs (agent), network packets (IDS)
• Analytics: signatures & rules, anomaly detection, machine learning
• Live experts: 24/7 monitoring, validation & enrichment, remediation advice

DEFEND
• In-line Web Application Firewall (WAF)

COMPLY
• PCI-DSS, GDPR, HIPAA, SOX, SOC2, ISO, NIST, and COBIT
• Attestation reporting, log review & archiving

Diagram labels: ActiveWatch™; Connected Devices; Incident Reports; Priority Alerts (15 minute SLA); Alerts; App Owners; Dev/Ops; Cloud; Security; ACTIVE DEFENSE

Page 18:

A Better Way for Your Peace of Mind: SIEMless Threat Management™

We SIEMlessly Connect the Right Coverage for the Right Resources

Platform | Intelligence | Experts

Providing you: SIEMless by Design | Lower Total Cost | Always Advancing | Across Any Environment

• Asset discovery
• Vulnerability scanning
• Cloud configuration checks
• Compliance
• Threat Risk Index
• Remediation guidance
• Prioritization and next steps
• Comprehensive vulnerability library
• 24/7 email and phone support
• PCI Scanning and ASV support
• Service health monitoring
• Threat monitoring and visibility
• Intrusion detection
• Security analytics
• Log collection and monitoring
• Extensive log search capabilities to support investigations
• Event insights and analysis
• Threat frequency, severity, and status intelligence
• Attack prevention capabilities

ActiveWatch Professional
• 24/7 SOC with incident management, escalation, and response support
• Always-on WAF defense against web attacks (e.g. OWASP Top 10, emerging threats, zero-day vulnerabilities)
• Protection from SQL Injection, DoS attacks, URL tampering, cross-site scripting attacks and more
• Verified testing against more than 2.1 million web application attacks
• Advanced detection capabilities to spot and block malicious activity

ActiveWatch Enterprise
• Security Posture Review
• Incident response assistance
• Threat hunting
• Help with tuning strategies, customized policies, and best practices

ON-PREMISES | PUBLIC CLOUD | PRIVATE CLOUD

Page 19:

SIEMless Threat Management in Action: "Headline Risk Avoidance"

1. THREAT INTEL: in 2013, research of an Apache Struts vulnerability and development of a signature
2. SECURITY PLATFORM: addition of the signature (blocking) starting in 2013
3. EXPERT DEFENDERS: able to alert and raise incidents for customers
4. THREAT INTEL: research of new variants; new defenses developed
5. SECURITY PLATFORM: hardened defenses deployed in March 2017
6. EXPERT DEFENDERS: March 6, 2017, Alert Logic proactively notifies customers

Timeline:
• 2013: Apache Struts vulnerability; Alert Logic attack blocking in place
• March 2017: Alert Logic hardens defenses and proactively notifies customers. ALERT LOGIC CUSTOMERS ALREADY PROTECTED!
• May 2017: a major credit rating agency discovers a breach
• September 2017: the major credit rating agency publicly discloses the breach; total cost is $439M
