Modern vs. Traditional SIEM


Post on 18-Jul-2015


TRANSCRIPT

  • TRADITIONAL VS. MODERN SIEM

    What you Need to Know

  • Webinar: Best Practices in Responding to the Next Vulnerability

    Agenda

    Intro to Webinar Speaker Cliff Turner, Alert Logic

    Background to SIEM
    Value of SIEM
    Modern SIEM
    Your Questions?

    Housekeeping

    Use the question box anytime. We're recording today's event and it will be available on-demand. Check the attachments section of this webinar for the slide deck and other resources.

  • Polling Question

    Have you had experience with SIEM? -Yes -No

  • Why are SIEMs Valuable

    Exponential increase in an organization's security posture
    - Through visibility and situational awareness
    - Deployment of detective and protective controls
    - Data from the network, systems and applications flows into the SIEM
    - Allows complex cyber security issues to be defined, categorized and expressed in logic

    The effectiveness of a SIEM in detecting pre- and post-compromise activity is directly related to how successfully data is collected.

  • History of SIEMs

    Security Incident Event Management (SIEM) tools and technology have been in use for over 15 years.

    The past 5 to 10 years in SIEM have been dominated by the value question.

    Traditionally the total cost of ownership of a SIEM is high, even for small deployments: people, process and technology.

    For a successful SIEM deployment you needed a good IT team and highly talented, experienced security professionals.

    MS SQL Server 7 the only commercial off-the-shelf tera server

    Perl and Python scripts constructed to help organize and manage repeatable tasks

    1999

  • The Evolution of SIEM 3.0

    TRADITIONAL SIEMS

    EARLY 2000s - The Physical Data Center: X86 server predominant; primarily on-premises; hosting providers emerge; cloud options being developed.

    MID 2000s - The Virtual Data Center: Virtualization becomes mainstream; public clouds launch; mobile devices proliferate.

    2014 & BEYOND - The Hybrid Data Center: Cloud First/Mobile First approach by many companies; public cloud and hybrid IT environments mainstream.

    THREATS AND ATTACKS

    EARLY 2000s - The Early Days of Threats: Basic malware; spray and pray; smash-n-grab; solo hackers; mischief motivation.

    MID 2000s - Catalyst for Change: Proliferation of malware; organized hacking groups; access to information; financial gain motivation.

    2014 & BEYOND - Next Generation Threats: Advanced attacks; multi-vector approach; social engineering; targeted recon; long duration compromises.

  • What You Need to Make a Traditional SIEM

    Components:
    - Infrastructure (servers, etc.)
    - Hardware
    - Software
    - Integration
    - Experts
    - Threat Intelligence
    - Correlation Rules
    - Data sources to feed the SIEM
    - Licensing
    - Traditional Relational DB

    Ongoing work:
    - Lots of people, software, hardware, process
    - Subscribe to and incorporate threat intelligence feeds
    - Write parsers, alert and correlation rules
    - Ongoing tuning
    - Review & respond to alerts

  • Why Traditional SIEMs Fail to Deliver Value

    The people cost showed up in day-to-day use of the SIEM.

    A big, complex application that demanded the user not only know the SIEM but also be an expert in understanding the event sources.

    How else would you know what questions to ask of the data?

  • Potential Pitfalls

    - Licensing
    - Capabilities
    - Performance
    - Move to the Cloud
    - Support for DevOps
    - Scalability
    - Multiple Platforms: different cloud providers, OS, versions

  • Polling Question

    What is your experience with SIEM?
    - Running a traditional SIEM
    - Running something SIEM-like, but not traditional
    - Not running a SIEM
    - Investigating options

  • What is a Modern SIEM

    - Fully managed
    - Big data
    - Unlimited scale
    - Cloud ready
    - Can collect data without access to underlying cloud host infrastructure
    - DevOps

  • What is Modern SIEM

    - Supports DevOps and config management (e.g., Chef, Ansible, CloudFormation templates)
    - Supports cloud provider data types (e.g., AWS CloudTrail)
    - Easily extensible; not limited by domain, source, message, or event frequency or uniqueness
    - Automatically incorporates third-party watch lists
    - Dynamically generates watch lists based on real-time data
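    The three items above (cloud provider data types, third-party watch lists, dynamically generated watch lists) are what the earlier "write parsers, alert and correlation rules" work looks like once it is turned into code. The following is an added example written for this page, not Alert Logic's or any product's code: it parses constructed events in the public AWS CloudTrail ConsoleLogin record shape (field names are real CloudTrail fields; all values, IPs and user names are made up), seeds a watch list from a constructed stand-in for a subscribed feed, adds an IP to the watch list when it produces three failed logins inside a five-minute window, and alerts on any successful login from a watch-listed IP. The threshold and window are assumptions chosen for illustration.

```python
"""Correlation over CloudTrail-style login events with a dynamically grown watch list.

Added example for this page; not vendor code. Field names follow the public AWS
CloudTrail record format for ConsoleLogin events; every value is constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _record(time, name, ip, user, outcome=None):
    """Build one constructed CloudTrail-like record (a dict; serialised to JSON below)."""
    rec = {
        "eventVersion": "1.05",
        "eventTime": time,
        "eventSource": "signin.amazonaws.com" if name == "ConsoleLogin" else "ec2.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
    }
    if outcome is not None:                      # ConsoleLogin carries its outcome here
        rec["responseElements"] = {"ConsoleLogin": outcome}
        if outcome == "Failure":
            rec["errorMessage"] = "Failed authentication"
    return rec


def make_jsonl(records):
    """Serialise records one JSON object per line, the way CloudTrail delivers them."""
    return "\n".join(json.dumps(r) for r in records)


# Constructed sample input: three failures then a success from one IP, plus noise.
SAMPLE_EVENTS = make_jsonl([
    _record("2015-07-18T10:00:00Z", "ConsoleLogin", "192.0.2.10", "carol", "Success"),
    _record("2015-07-18T10:00:10Z", "ConsoleLogin", "198.51.100.23", "alice", "Failure"),
    _record("2015-07-18T10:00:40Z", "DescribeInstances", "192.0.2.10", "carol"),
    _record("2015-07-18T10:01:30Z", "ConsoleLogin", "198.51.100.23", "alice", "Failure"),
    _record("2015-07-18T10:02:00Z", "ConsoleLogin", "192.0.2.10", "bob", "Failure"),
    _record("2015-07-18T10:02:30Z", "ConsoleLogin", "203.0.113.77", "bob", "Success"),
    _record("2015-07-18T10:03:05Z", "ConsoleLogin", "198.51.100.23", "alice", "Failure"),
    _record("2015-07-18T10:04:00Z", "ConsoleLogin", "198.51.100.23", "alice", "Success"),
])

# Constructed stand-in for a subscribed third-party watch list (one made-up IP).
THIRD_PARTY_WATCHLIST = {"203.0.113.77"}


def parse_events(jsonl):
    """Parser: normalise raw CloudTrail JSON lines into the few fields the rule needs."""
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        yield {
            "time": datetime.strptime(raw["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "name": raw["eventName"],
            "ip": raw.get("sourceIPAddress", ""),
            "user": raw.get("userIdentity", {}).get("userName", "unknown"),
            "success": raw.get("responseElements", {}).get("ConsoleLogin") == "Success",
        }


class LoginCorrelator:
    """Correlation rule: N failed console logins from one IP inside a sliding window put
    that IP on the watch list; any successful login from a watch-listed IP raises an alert."""

    def __init__(self, threshold=3, window=timedelta(minutes=5), static_watchlist=()):
        self.threshold = threshold
        self.window = window
        self.watchlist = set(static_watchlist)   # seeded from the third-party feed
        self.failures = defaultdict(deque)       # ip -> timestamps of recent failures
        self.alerts = []                         # (kind, ip, user, time) tuples

    def process(self, ev):
        if ev["name"] != "ConsoleLogin":
            return
        if not ev["success"]:
            recent = self.failures[ev["ip"]]
            recent.append(ev["time"])
            while recent and ev["time"] - recent[0] > self.window:
                recent.popleft()                 # expire failures outside the window
            if len(recent) >= self.threshold and ev["ip"] not in self.watchlist:
                self.watchlist.add(ev["ip"])     # dynamic watch-list entry from live data
                self.alerts.append(("brute_force_suspected", ev["ip"], ev["user"], ev["time"]))
        elif ev["ip"] in self.watchlist:
            self.alerts.append(("success_from_watchlisted_ip", ev["ip"], ev["user"], ev["time"]))


def run(jsonl, static_watchlist=THIRD_PARTY_WATCHLIST, threshold=3, window_minutes=5):
    """Parse, order by time, correlate; return (alerts, final watch list)."""
    corr = LoginCorrelator(threshold, timedelta(minutes=window_minutes), static_watchlist)
    for ev in sorted(parse_events(jsonl), key=lambda e: e["time"]):
        corr.process(ev)
    return corr.alerts, corr.watchlist


if __name__ == "__main__":
    found, watched = run(SAMPLE_EVENTS)
    for kind, ip, user, when in found:
        print(f"{when:%H:%M:%S} {kind:28} ip={ip} user={user}")
    print("watch list:", sorted(watched))
```

    Run as a script it prints three alerts: the success from the feed-listed IP, the third failure from 198.51.100.23 (which adds that IP to the watch list), and the success that follows it. The single failure from 192.0.2.10 and the non-login event produce nothing, and failures spaced more than five minutes apart never reach the threshold because the deque drops them as the window slides.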

  • Your Options for Getting a Modern SIEM

    - Do-It-Yourself
    - Managed Security Service Provider
    - Fully-managed SIEM

  • How Cloud Defender Works

    Continuous protection from threats and exposures

    Customer IT Environment (Cloud, Hybrid, On-Premises)

    Data Collection:
    - Web Application Events: Alert Logic Web Security Manager
    - Network Events: Alert Logic Threat Manager
    - Log Data: Alert Logic Log Manager

    Big Data Analytics Platform: Alert Logic ActiveAnalytics

    Threat Intelligence & Security Content: Alert Logic ActiveIntelligence

    24 x 7 Monitoring & Escalation: Alert Logic ActiveWatch

  • Creating Threat Intelligence to Feed a Modern SIEM

    INPUTS - Data Sources:
    - Alert Logic Threat Manager Data
    - Alert Logic Log Manager Data
    - Alert Logic Web Security Manager Data
    - Alert Logic ScanWatch Data
    - Asset Model Data
    - Customer Business Data

    Intelligence Harvesting Grid:
    - Honey Pot Network
    - Flow based Forensic Analysis
    - Malware Forensic Sandboxing

    Threat Intelligence Research -> Security Content -> Applied Analytics

    Security Operations Center 24/7 -> INCIDENTS -> Customer

  • What You Need to Solve the SIEM Problem

    RULE CREATION & MANAGEMENT: Experts create and manage correlation rules that identify threats and reduce false positives.

    CONTINUOUS THREAT RESEARCH: Threat researchers continuously provide content enabling detection of emerging threats.

    FULL STACK CORRELATION: Threat coverage across the application stack delivers broad visibility and protection.

    RESULTS DELIVERED: Integration of technology and security expertise delivers the results and goals of SIEM investments.

  • Questions and Resources

    Questions

    Resources available under the attachments tab of this webinar:

    - 451 Research Report: outlines the Alert Logic approach to SIEM.
    - Zero Day Magazine: new magazine with the latest on IT security trends.
    - Alert Logic Blog: detailed information on vulnerabilities and recommended patches.
    - Weekly Threat Newsletter: weekly update of breaches and vulnerabilities.

  • Thank you.