Transcript

TRADITIONAL VS. MODERN SIEM

What You Need to Know

Webinar: Best Practices in Responding to the Next Vulnerability

Agenda

• Intro to Webinar Speaker: Cliff Turner, Alert Logic
• Background to SIEM
• Value of SIEM
• Modern SIEM
• Your Questions

Housekeeping

• Use the question box anytime
• We're recording today's event and it will be available on-demand
• Check the attachments section of this webinar for the slide deck and other resources

Polling Question

Have you had experience with SIEM? - Yes - No

Why are SIEMs Valuable

• Substantial improvement in an organization's security posture
  - Through visibility and situational awareness
  - Through deployment of detective and protective controls
  - Through data from the network, systems and applications flowing into the SIEM
  - By allowing complex cyber security problems to be defined, categorized and expressed as detection logic
• The effectiveness of a SIEM in detecting pre- and post-compromise activity is directly related to how successfully data is collected

History of SIEMs

• Security Information and Event Management
• SIEMs have been a tool and technology in use for over 15 years
• The past 5 to 10 years in SIEM have been dominated by the 'value' question
• Traditionally the total cost of ownership of a SIEM is high, even for small deployments: people, process and technology
• For a successful SIEM deployment you needed a good IT team and highly talented and experienced security professionals

SIEM Timeline

1999
• MS SQL Server 7 the only commercial off-the-shelf 'tera server'
• Perl and Python scripts constructed to help organize and manage repeatable tasks

The Evolution of SIEM 3.0

Traditional SIEMs

Early 2000's: The Physical Data Center
• x86 servers predominant
• Primarily on-premises
• Hosting providers emerge
• Cloud options being developed

Mid 2000's: The Virtual Data Center
• Virtualization becomes mainstream
• Public clouds launch
• Mobile devices proliferate

2014 & Beyond: The Hybrid Data Center
• Cloud-first/mobile-first approach by many companies
• Public cloud and hybrid IT environments mainstream

Threats and Attacks

Early 2000's: The Early Days of Threats
• Basic malware
• Spray and pray
• Smash-n-grab
• Solo hackers
• Mischief motivation

Mid 2000's: Catalyst for Change
• Proliferation of malware
• Organized hacking groups
• Access to information
• Financial gain motivation

2014 & Beyond: Next Generation Threats
• Advanced attacks
• Multi-vector approach
• Social engineering
• Targeted recon
• Long duration compromises

What You Need to Make a Traditional SIEM

Components:
• Hardware and infrastructure (servers, etc.)
• Software
• Integration
• Experts
• Threat intelligence
• Correlation rules
• Data sources to feed the SIEM
• Licensing

What each of those means in practice:
• Lots of people, software, hardware and process
• Threat intelligence feeds: subscribe to and incorporate intelligence feeds
• Write parsers, alert and correlation rules, with ongoing tuning
• A traditional relational database as the data store
• Review and respond to alerts
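The slide above lists what a traditional SIEM makes you build yourself: a parser for each event source, alert and correlation rules, and a subscribed intelligence feed folded into a watch list. The Python below is an added illustration of those three pieces at toy scale; it is not Alert Logic code and not part of the webinar. The sshd log lines, the 60-second window, the threshold of three failures and the watch-list IP are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from the webinar): sshd auth events in a
# syslog-style layout. Syslog lines carry no year, so 2024 is assumed below.
SAMPLE_LOGS = """\
Mar 10 08:01:02 web01 sshd[1234]: Failed password for invalid user admin from 198.51.100.23 port 51000 ssh2
Mar 10 08:01:05 web01 sshd[1234]: Failed password for root from 198.51.100.23 port 51001 ssh2
Mar 10 08:01:09 web01 sshd[1234]: Failed password for root from 198.51.100.23 port 51002 ssh2
Mar 10 08:01:30 web01 sshd[1240]: Accepted password for root from 198.51.100.23 port 51003 ssh2
Mar 10 08:02:00 web01 sshd[1250]: Accepted publickey for deploy from 203.0.113.9 port 40000 ssh2
Mar 10 08:05:00 web01 sshd[1260]: Failed password for root from 192.0.2.77 port 22222 ssh2
Mar 10 09:00:00 web01 sshd[1270]: Accepted password for root from 192.0.2.77 port 22223 ssh2
"""

# Hypothetical threat-intelligence watch list, as a subscribed feed would deliver it.
WATCHLIST = {"203.0.113.9"}

# Parser for the one event source in this example (OpenSSH password/publickey results).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Turn one raw sshd line into a normalized event dict; None if it is not an auth result."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def parse_logs(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def correlate_bruteforce(events, threshold=3, window_seconds=60):
    """Correlation rule: N or more failures from one source IP followed by a
    successful login from the same IP within the window (brute force that worked)."""
    failures = defaultdict(deque)  # src IP -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = failures[ev["src"]]
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_seconds:
            recent.popleft()  # expire failures that fell out of the window
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        elif ev["result"] == "Accepted" and len(recent) >= threshold:
            alerts.append({"rule": "ssh_bruteforce_success", "src": ev["src"],
                           "user": ev["user"], "failures": len(recent), "ts": ev["ts"]})
            recent.clear()
    return alerts


def watchlist_hits(events, watchlist):
    """Watch-list rule: any event whose source IP is on the intelligence feed."""
    return [{"rule": "watchlist_ip", "src": e["src"], "user": e["user"], "ts": e["ts"]}
            for e in events if e["src"] in watchlist]


def run(text=SAMPLE_LOGS, watchlist=WATCHLIST):
    """Parse, then apply both rules; returns the alert list an analyst would review."""
    events = parse_logs(text)
    return correlate_bruteforce(events) + watchlist_hits(events, watchlist)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The single failure from 192.0.2.77 followed by a success 55 minutes later produces no alert: the window is what keeps the rule from firing on every forgotten password, and choosing it is the "ongoing tuning" the slide refers to.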

Why Traditional SIEMs Fail to Deliver Value

• The people cost shows up in day-to-day use of the SIEM
• A big, complex application that demanded the user not only know the SIEM but also be an expert in the event sources
• How else would you know what questions to ask of the data?

Potential Pitfalls

• Licensing
• Capabilities
• Performance
• Move to the cloud
• Support for DevOps
• Scalability
• Multiple platforms: different cloud providers, operating systems, versions

Polling Question

What is your experience with SIEM? - Running a traditional SIEM - Running something SIEM-like, but not traditional - Not Running a SIEM - Investigating options

What is a Modern SIEM

• Fully managed
• Big data
• Unlimited scale
• Cloud ready
• Can collect data without access to the underlying cloud host infrastructure
• DevOps

What is a Modern SIEM (continued)

• Supports DevOps and configuration management, e.g. Chef, Ansible, CloudFormation templates
• Supports cloud provider data types, e.g. AWS CloudTrail
• Easily extensible: not limited by domain, source, message, or event frequency or uniqueness
• Automatically incorporates third-party watch lists
• Dynamically generates watch lists based on real-time data
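Two of the modern-SIEM capabilities listed above, support for cloud provider data types such as AWS CloudTrail and watch lists generated dynamically from live data, can be shown together. The Python below is an added example, not Alert Logic product code and not from the webinar. It reads constructed CloudTrail-style records (the field names eventTime, eventSource, eventName, sourceIPAddress, userIdentity and responseElements.ConsoleLogin are the ones CloudTrail actually emits; the values are made up), adds a source IP to a watch list at run time once it has produced three failed console logins, and then alerts on any later API call from that IP. A root console login rule is included as a second, static rule. The threshold of three is an assumption.

```python
import json
from collections import Counter

# Constructed CloudTrail-style records (not real AWS data), trimmed to the
# fields the rules below read. A real trail file wraps them in {"Records": [...]}.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-10T08:00:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-03-10T08:00:09Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-03-10T08:00:17Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-03-10T08:00:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-10T08:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-03-10T08:04:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2024-03-10T08:10:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.5",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}},
]})


def normalize(rec):
    """Map one CloudTrail record onto the common event shape the rules consume."""
    ident = rec.get("userIdentity", {})
    return {
        "ts": rec["eventTime"],
        "source": rec["eventSource"],
        "name": rec["eventName"],
        "src": rec.get("sourceIPAddress", ""),
        "user": ident.get("userName") or ident.get("type", "unknown"),
        "is_root": ident.get("type") == "Root",
        "outcome": rec.get("responseElements", {}).get("ConsoleLogin"),
    }


class CloudTrailDetector:
    """Streaming rules: a watch list built from live failures, plus a static root-login rule."""

    def __init__(self, failure_threshold=3):
        self.failure_threshold = failure_threshold  # assumed value, tune per environment
        self.failures = Counter()   # source IP -> failed console logins seen so far
        self.watchlist = set()      # generated at run time, not subscribed from a feed
        self.alerts = []

    def process(self, ev):
        if ev["name"] == "ConsoleLogin" and ev["outcome"] == "Failure":
            self.failures[ev["src"]] += 1
            if (self.failures[ev["src"]] >= self.failure_threshold
                    and ev["src"] not in self.watchlist):
                self.watchlist.add(ev["src"])
                self.alerts.append({"rule": "watchlist_add", "src": ev["src"], "ts": ev["ts"]})
            return
        if ev["name"] == "ConsoleLogin" and ev["is_root"] and ev["outcome"] == "Success":
            self.alerts.append({"rule": "root_console_login", "src": ev["src"], "ts": ev["ts"]})
        if ev["src"] in self.watchlist:
            # Any later activity, including the login that finally succeeded, is flagged.
            self.alerts.append({"rule": "activity_from_watchlisted_ip", "src": ev["src"],
                                "api": f"{ev['source']}:{ev['name']}",
                                "user": ev["user"], "ts": ev["ts"]})


def run(trail_json=SAMPLE_TRAIL, failure_threshold=3):
    """Feed the records through in delivery order and return the detector state."""
    detector = CloudTrailDetector(failure_threshold)
    for rec in json.loads(trail_json)["Records"]:
        detector.process(normalize(rec))
    return detector


if __name__ == "__main__":
    for alert in run().alerts:
        print(alert)
```

Because the watch list is built inside the pipeline rather than imported, the CreateAccessKey call from 198.51.100.23 is flagged even though no external feed has ever listed that address; a subscribed feed would simply be unioned into the same set.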

Your Options for Getting a Modern SIEM

• Do-it-yourself
• Managed security service provider
• Fully-managed SIEM

How Cloud Defender Works

Data collection from the customer IT environment (cloud, hybrid, on-premises):
• Web application events: Alert Logic Web Security Manager
• Network events: Alert Logic Threat Manager
• Log data: Alert Logic Log Manager

Processing and response:
• Big data analytics platform: Alert Logic ActiveAnalytics
• Threat intelligence and security content: Alert Logic ActiveIntelligence
• 24x7 monitoring and escalation: Alert Logic ActiveWatch

Outcome: continuous protection from threats and exposures

Creating Threat Intelligence to Feed a Modern SIEM

Inputs (data sources):
• Alert Logic Threat Manager data
• Alert Logic Log Manager data
• Alert Logic Web Security Manager data
• Alert Logic ScanWatch data
• Asset model data
• Customer business data
• Honey pot network
• Flow-based forensic analysis
• Malware forensic sandboxing
• Intelligence harvesting grid

Processing:
• Threat intelligence research
• Applied analytics
• Security content

Output:
• Incidents, escalated to the customer by the 24/7 Security Operations Center

What You Need to Solve the SIEM Problem

• Rule creation and management: experts create and manage correlation rules that identify threats and reduce false positives
• Continuous threat research: threat researchers continuously provide content enabling detection of emerging threats
• Full stack correlation: threat coverage across the application stack delivers broad visibility and protection
• Results delivered: integration of technology and security expertise delivers the results and goals of SIEM investments

Questions and Resources

Questions

Resources available under the “attachments” tab of this webinar:

451 Research Report •  Outlines Alert Logic approach to SIEM.

Zero Day Magazine •  New Magazine with the latest on IT Security trends.

Alert Logic Blog •  Detailed information on vulnerabilities and recommended patches.

Weekly Threat Newsletter •  Weekly update of breaches and vulnerabilities

Thank you.
