SIEM Alone is Not Enough
Cindy Valladares, Product Marketing Manager
Ed Rarick, Product Evangelist
Follow the conversation on Twitter using #siemWebcast
3 Questions That Need Fast Answers – SIEM Answers Only 1
Security Triad:
• What happened and when?
  What events occurred? What was the path of attack? When did this happen? What actually changed? Who made the change?
• What was the impact?
  Did it take me out of my secure state? Am I out of compliance? Is my sensitive data safe? Were any of my critical systems affected?
• How do I fix it?
  How quickly can I fix it? How do I prevent it from happening again? What will it take to roll it back?
A Better Approach: More Context Through Better Intelligence
System State Intelligence: security rules combined with state and policy
• Fewer false positives and less noise
• Leading indicators of risk
What is System State Intelligence?
Knowing…
• What it is now: Hashing, Size, Content, Attributes, Severities (Weight/Risk)
• What it was: Versions, Forensics, Before and After Details
• What it should be: Policy Parameters, IT rules, Comparison to Reference Master
Delivered by integrating…
• Change-triggered Configuration Management
• True File Integrity Monitoring
• Dynamic Change Assessment
• Security Event Context
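As an added example that is not from the deck and not Tripwire's product code, the following Python script is a minimal file-integrity monitor built around the three questions on this slide: what it is now (content hash, size and attributes), what it was (a retained version history with before/after details and a weighted change score), and what it should be (comparison against a policy that stands in for a reference master). The attribute weights, the policy, the file name and its content are constructed assumptions.

```python
"""Added example: a minimal file-integrity monitor covering
'what it is now', 'what it was' and 'what it should be'.
All weights, policy values and sample files are constructed for illustration."""
import hashlib
import os
import stat
import tempfile

# Constructed severity weights per attribute (the deck's "Weight/Risk" idea).
ATTRIBUTE_WEIGHT = {"sha256": 10, "mode": 8, "owner": 8, "size": 3, "mtime": 1}


def snapshot(path):
    """'What it is now': content hash plus the attributes an agent typically records."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "owner": st.st_uid,
        "mtime": int(st.st_mtime),
    }


def diff_versions(before, after):
    """'What it was': per-attribute (before, after) pairs and a weighted change score."""
    changes = {k: (before[k], after[k]) for k in before if before[k] != after[k]}
    score = sum(ATTRIBUTE_WEIGHT.get(k, 1) for k in changes)
    return changes, score


def policy_violations(current, policy):
    """'What it should be': attributes that differ from the policy / reference master."""
    return {k: (policy[k], current[k]) for k in policy if current.get(k) != policy[k]}


class FileMonitor:
    """Keeps every observed version per path so before/after details survive for forensics."""

    def __init__(self):
        self.versions = {}

    def baseline(self, path):
        snap = snapshot(path)
        self.versions[path] = [snap]
        return snap

    def check(self, path, policy=None):
        """Re-snapshot and return (changes, score, violations) against the last version."""
        current = snapshot(path)
        previous = self.versions[path][-1]
        changes, score = diff_versions(previous, current)
        if changes:
            self.versions[path].append(current)  # retain the new version
        violations = policy_violations(current, policy or {})
        return changes, score, violations


def demo():
    """Constructed scenario: a config file is baselined, then its content and mode change."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sshd_config")  # constructed file, not a real host's
        with open(path, "w") as fh:
            fh.write("PermitRootLogin no\n")
        os.chmod(path, 0o600)
        policy = {"mode": 0o600}  # constructed policy: config must not be world-readable

        monitor = FileMonitor()
        monitor.baseline(path)
        clean = monitor.check(path, policy)  # nothing changed yet

        with open(path, "a") as fh:
            fh.write("PermitRootLogin yes\n")
        os.chmod(path, 0o644)
        changed = monitor.check(path, policy)
        return clean, changed, len(monitor.versions[path])


if __name__ == "__main__":
    clean, changed, nversions = demo()
    print("clean run:", clean)
    print("after change:", changed)
    print("versions retained:", nversions)
```

The clean run returns no changes, a score of 0 and no violations; the second run reports the hash, size and mode as changed, scores the change by the weights, flags the mode against the policy, and the monitor now holds two versions of the file for later forensics.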
Configuration Management: typical approach
When did failures begin: not sure
What caused failures: not sure
Configuration Management: Tripwire approach
Know when failure begins: change triggers testing
Know what caused failure: change & test results associated and maintained
File Integrity Monitoring: typical approach
Limited platforms
Limited attributes
Limited architecture
File Integrity Monitoring: Tripwire approach
Broad coverage
Extensive integrity information
Efficient and fast
Monitor the enterprise – large or small
Change Assessment: typical approach
Shows what changed, not what to investigate
Pass an audit, miss the catastrophe… for weeks or months
Change Assessment: Tripwire approach
Analyze change dynamically… against multiple criteria
Know what to investigate
Intelligence as change happens
Security Event Context: typical approach
SIEM event deluge, lack of context:
• 10 failed logins
• Login successful
• FTP enabled
• Host not generating events
• Windows event log cleared
>> What else was going on?
>> Was compliance level lowered?
Most breaches are detected by a 3rd party, weeks or months after the fact. SIEM alone is not enough.
Security Event Context: Tripwire approach
Correlate changes of interest to SIEM events
Provide leading indicators of risk
Add context to reduce false positives and noise
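The following Python script is an added example, not code from the deck or from Tripwire, that shows the correlation this slide describes on the previous slide's own event types: a successful login after a run of failed logins, a Windows event log cleared, a service (FTP) enabled, and a host that has stopped generating events. Unapproved changes on the same host inside a time window are attached to each event of interest and the result is scored so the riskiest item surfaces first. The hosts, timestamps, event and change records, window size and all weights are constructed assumptions.

```python
"""Added example: give SIEM events context by correlating them with change data.
Events, change records, hosts and weights below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 10          # failures before a following success is interesting
WINDOW = timedelta(minutes=5)        # how close a change must be to an event to count
EVENT_WEIGHT = {"brute_force_success": 40, "eventlog_cleared": 50}   # constructed
CHANGE_WEIGHT = {"service_enabled": 30, "package_updated": 5}        # constructed

# Constructed SIEM events: (timestamp, host, event type, key=value detail).
EVENTS = [
    (f"2024-01-15T09:00:{i:02d}", "web01", "login_failed", "user=admin src=10.0.0.5")
    for i in range(1, 11)
] + [
    ("2024-01-15T09:00:12", "web01", "login_success", "user=admin src=10.0.0.5"),
    ("2024-01-15T09:02:00", "web01", "eventlog_cleared", "log=Security"),
    ("2024-01-15T09:30:00", "db01", "login_success", "user=dba src=10.0.0.9"),
]

# Constructed change records from a FIM/config agent: (timestamp, host, change, approved?).
CHANGES = [
    ("2024-01-15T09:01:30", "web01", "service_enabled:ftp", False),
    ("2024-01-15T09:31:00", "db01", "package_updated:openssl", True),
]


def ts(text):
    return datetime.fromisoformat(text)


def parse_detail(detail):
    return dict(kv.split("=", 1) for kv in detail.split() if "=" in kv)


def events_of_interest(events):
    """Pick out a success after many failures, and any cleared event log."""
    found = []
    failures = defaultdict(list)  # (host, user) -> timestamps of failed logins
    for stamp, host, kind, detail in sorted(events):
        when = ts(stamp)
        user = parse_detail(detail).get("user")
        if kind == "login_failed":
            failures[(host, user)].append(when)
        elif kind == "login_success":
            recent = [f for f in failures[(host, user)] if when - f <= WINDOW]
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                found.append((when, host, "brute_force_success",
                              f"{len(recent)} failures then success for {user}"))
        elif kind == "eventlog_cleared":
            found.append((when, host, "eventlog_cleared", detail))
    return found


def correlate(events, changes):
    """Attach unapproved changes on the same host within WINDOW to each event of
    interest, then score it so the highest-risk item reaches the right hands first."""
    alerts = []
    for when, host, kind, detail in events_of_interest(events):
        related = [c for c in changes
                   if c[1] == host and not c[3] and abs(ts(c[0]) - when) <= WINDOW]
        score = EVENT_WEIGHT[kind] + sum(
            CHANGE_WEIGHT.get(c[2].split(":")[0], 10) for c in related)
        alerts.append({"host": host, "event": kind, "detail": detail,
                       "changes": [c[2] for c in related], "score": score})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


def silent_hosts(events, expected_hosts, now, max_gap):
    """'Host not generating events': expected reporters with no event inside max_gap."""
    last_seen = {}
    for stamp, host, *_ in events:
        last_seen[host] = max(last_seen.get(host, ts(stamp)), ts(stamp))
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > max_gap)


if __name__ == "__main__":
    for alert in correlate(EVENTS, CHANGES):
        print(alert)
    print("silent:", silent_hosts(EVENTS, ["web01", "db01", "app01"],
                                  ts("2024-01-15T09:40:00"), WINDOW * 6))
```

With the constructed data, the cleared Security log on web01 ranks first (event weight plus the unapproved FTP enablement on the same host), the brute-force success on web01 second with the same change attached, and the lone dba login on db01 produces nothing because it had no preceding failures and its only nearby change was approved. The approved/unapproved flag is what turns "what changed" into "what to investigate"; without it the approved openssl update would add noise rather than context.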
System State Intelligence
Event Data (events of interest):
• High-risk security incident
• Anomaly detection
• Leading indicators of threat
• Event/change info correlation
• Access to critical systems
• Privileged user activity
Change & Config. Data (context):
• Configuration changes
• Known & trusted deviation
• Context and granularity
• Current pass v. fail # and %
• Score improvements / declines
• Granular change details
• File changes from baseline
Automation
• Reduce massive volume of data
  • Correlate suspicious changes & events
• Distill intelligent information
  • Apply context to situation
• Respond immediately
  • Get info into the right hands
  • Make risk-based decision
Additional Assets
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
http://bit.ly/velc3n
Supercharging SIEM with Change & Configuration Data
http://bit.ly/tgXtz6
www.tripwire.com
Tripwire Americas: 1.800.TRIPWIRE
Tripwire EMEA: +44 (0) 20 7382 5420
Tripwire Japan: +812.53206.8610
Tripwire Singapore: +65 6733 5051
Tripwire Australia-New Zealand: +61 (0) 402 138 980
THANK YOU!
Cindy Valladares
Ed Rarick
The Tripwire Difference
Content, Context, Analytics, Workflow
System Hardening
Incident Detection
Continuous Monitoring