SIEM Alone is Not Enough

Upload: tripwire

Post on 20-Aug-2015


TRANSCRIPT


Cindy Valladares, Product Marketing Manager
Ed Rarick, Product Evangelist

Follow the conversation on Twitter using #siemWebcast

Key Trends

Being Attacked is a Statistical Certainty

3 Questions That Need Fast Answers – SIEM Answers Only 1

Security Triad

What happened and when?
• What events occurred?
• What was the path of attack?
• When did this happen?
• What actually changed?
• Who made the change?

What was the impact?
• Did it take me out of my secure state?
• Am I out of compliance?
• Is my sensitive data safe?
• Were any of my critical systems affected?

How do I fix it?
• How quickly can I fix it?
• How to prevent it from happening again?
• What will it take to roll it back?

A Better Approach: More Context Through Better Intelligence

System State Intelligence
• Fewer false positives and less noise
• Leading indicators of risk

Security rules
State and policy

What is System State Intelligence?

Knowing…
• What it is now: Hashing, Size, Content, Attributes, Severities (Weight/Risk)
• What it was: Versions, Forensics, Before and After Details
• What it should be: Policy Parameters, IT rules, Comparison to Reference Master

Delivered by integrating…
• Change-triggered Configuration Management
• True File Integrity Monitoring
• Dynamic Change Assessment
• Security Event Context

Configuration Management: typical approach
• When did failures begin: not sure
• What caused failures: not sure

Configuration Management: Tripwire approach
• Know when failure begins: change triggers testing
• Know what caused failure: change & test results associated and maintained

File Integrity Monitoring: typical approach
• Limited platforms
• Limited attributes
• Limited architecture

File Integrity Monitoring: Tripwire approach
• Broad coverage
• Extensive integrity information
• Efficient and fast
• Monitor the enterprise – large or small

Change Assessment: typical approach
• Shows what changed, not what to investigate
• Pass an audit, miss the catastrophe… for weeks or months

Change Assessment: Tripwire approach
• Analyze change dynamically, against multiple criteria
• Know what to investigate
• Intelligence as change happens

Security Event Context: typical approach

• Login successful
• 10 failed logins
• FTP Enabled
• Host not generating events
• Windows event log cleared

SIEM Event Deluge
Lack of Context

>> What else was going on?
>> Was compliance level lowered?

• Most breaches detected by 3rd party
• Weeks or months after-the-fact
• SIEM alone is not enough

Security Event Context: Tripwire approach
• Correlate Changes of Interest to SIEM Events
• Provide leading indicators of risk
• Add context to reduce false-positives and noise
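The "what it is now / what it was / what it should be" comparison from the System State Intelligence slide, followed by the correlation of a change of interest with nearby SIEM events that this slide describes, as an added Python example; it is not Tripwire's code, and the attribute weights, the escalation threshold, the 30-minute window, the host names, the file contents and the SIEM events are all constructed for the example.

```python
import hashlib
from datetime import datetime, timedelta

# Attribute weights and the escalation threshold are assumed values for this
# example, not Tripwire's severities.
WEIGHTS = {"sha256": 8, "size": 3, "mode": 6, "policy": 10}
HIGH_RISK = 14

def file_state(content: bytes, mode: int) -> dict:
    """'What it is now': hash, size and permission bits of a monitored file."""
    return {"sha256": hashlib.sha256(content).hexdigest(), "size": len(content), "mode": mode}

def assess_change(host, path, baseline, current, max_mode):
    """Compare 'what it was' (baseline) and 'what it should be' (max_mode of the
    reference master) with 'what it is now'; None means unchanged and in policy."""
    changed = {k: (baseline[k], current[k]) for k in current if baseline[k] != current[k]}
    if current["mode"] & ~max_mode:  # permission bits beyond the policy mode
        changed["policy"] = (oct(max_mode), oct(current["mode"]))
    if not changed:
        return None
    return {"host": host, "path": path, "changed": changed, "score": sum(WEIGHTS[k] for k in changed)}

def correlate(change, change_time, events, window=timedelta(minutes=30)):
    """Attach same-host SIEM events inside the window as context, then rate the
    change: a heavily weighted change plus related events is a high-risk incident."""
    related = [e for e in events
               if e["host"] == change["host"] and abs(e["time"] - change_time) <= window]
    if change["score"] >= HIGH_RISK and related:
        level = "high-risk incident"
    elif related:
        level = "event of interest"
    else:
        level = "change to review"
    return {**change, "events": [e["msg"] for e in related], "level": level}

# Constructed sample: sshd_config on web01 rewritten and made world-writable at T0,
# plus a constructed SIEM feed; only web01 events near T0 count as context.
BASELINE = file_state(b"PermitRootLogin no\nPasswordAuthentication no\n", 0o644)
CURRENT = file_state(b"PermitRootLogin yes\nPasswordAuthentication yes\n", 0o666)
T0 = datetime(2015, 8, 20, 10, 0)
EVENTS = [
    {"host": "web01", "time": T0 - timedelta(minutes=5), "msg": "10 failed logins"},
    {"host": "web01", "time": T0 + timedelta(minutes=2), "msg": "Login successful"},
    {"host": "db02", "time": T0 + timedelta(minutes=1), "msg": "FTP enabled"},
    {"host": "web01", "time": T0 + timedelta(hours=3), "msg": "FTP enabled"},
]

def run_example():
    change = assess_change("web01", "/etc/ssh/sshd_config", BASELINE, CURRENT, 0o644)
    return correlate(change, T0, EVENTS)  # level: high-risk incident, score 27
```

The same change with no related SIEM events on that host is only rated "change to review", which is the context the slide says a SIEM on its own cannot supply.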

System State Intelligence

Event Data
• High-risk security incident
• Anomaly detection
• Leading indicators of threat
• Event/change info correlation
• Access to critical systems
• Privileged user activity
• Events of interest

Change & Config. Data
• Configuration changes
• Known & trusted deviation
• Context and granularity
• Current pass v. fail # and %
• Score improvements / declines
• Granular change details
• File changes from baseline

Context

Automation
• Reduce massive volume of data
• Correlate suspicious changes & events
• Distill intelligent information
• Apply context to situation
• Respond immediately
• Get info into the right hands
• Make risk-based decision

Additional Assets

A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
http://bit.ly/velc3n

Supercharging SIEM with Change & Configuration Data
http://bit.ly/tgXtz6

www.tripwire.com
Tripwire Americas: 1.800.TRIPWIRE
Tripwire EMEA: +44 (0) 20 7382 5420
Tripwire Japan: +812.53206.8610
Tripwire Singapore: +65 6733 5051
Tripwire Australia-New Zealand: +61 (0) 402 138 980

THANK YOU!

Cindy Valladares
Ed Rarick

The Tripwire Difference

Content, Context, Analytics, Workflow

• System Hardening
• Incident Detection
• Continuous Monitoring

The Tripwire Solution