Six Steps to SIEM Success
•
11 recomendaciones•6,040 vistas
This document outlines six steps to ensure SIEM success: 1) Avoid single-purpose SIEM tools and look for built-in security controls, 2) Know your use cases before evaluating tools, 3) Imagine worst case scenarios for your business, 4) Include built-in threat intelligence, 5) Use IP reputation data to prioritize alarms, and 6) Automate deployment. It emphasizes the importance of integrated security tools to reduce costs and complexity, and knowing business needs and threats to properly focus the SIEM.
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Similar a Six Steps to SIEM Success
Similar a Six Steps to SIEM Success (20)
Más de AlienVault
Más de AlienVault (20)
Último
Último (20)
Six Steps to SIEM Success
- 1. SIX STEPS TO SIEM SUCCESS Jim Hansen Sr. Director, Product Management
- 2. Step 1: Avoid single-purpose Avoid single-purpose SIEM tools. SIEM tools. 2
- 3. LOOK FOR BUILT-IN ESSENTIAL SECURITY CONTROLS. At a minimum, the SIEM should include this core set of functionality: Asset discovery and inventory Vulnerability assessment Network analysis / netflow (packet capture) Wireless intrusion detection (WIDS) Host-based intrusion detection (HIDS) Network-based intrusion detection (NIDS) File Integrity Monitoring Log management VS.
- 4. BENEFITS OF BUILT-IN SECURITY CONTROLS IN SIEM Accelerated time to value - Reduce cost and complexity - Go from install to insight QUICKLY At deployment time: Focus on integrating the infrastructure event data only Over the long term: Manage all through the same console, better workflow, etc. More coordinated detection for accurate alarms - Built-in event correlation rules Known sources mean more accurate correlation
- 5. Step 2: Know what use cases Know what use you need FIRST. cases you’ll need FIRST. 5
- 6. WHAT ARE YOUR SIEM USE CASES? Figure this out BEFORE you evaluate or invest Use cases define your scope and your priorities (e.g. Pass a PCI audit vs. Detect malware infections) Differences between a business & technology use cases - Business use cases (fewer) translate to: - Technology use cases (many more)
- 7. TRANSLATING BUSINESS USE CASES INTO TECHNOLOGY Privileged user monitoring requires knowing: Logs Who your privileged users are (users) What constitutes privileged activity (commands) - Logins = rlogins / ssh User permission changes (e.g. sudo or LDAP) - Critical servers, applications, network devices, and network traffic (action sequences) Endpoints…? Whose? Where you care to focus (devices) -
- 8. EVENT CORRELATION STEPS What we really want to know… Who is abusing privileged access? 1. Identify the goal for each rule (and use case). To detect unauthorized access user activity – including privilege escalation 2. Determine the conditions for the alert. Privilege escalation with no corresponding change request 3. Select the relevant data sources. Active directory, user management system, change control system 4. Test the rule. 5. Determine response strategies, and document them.
- 9. Step 3: What are the worst case Imagine all the worstscenarios for your business? case scenarios for YOUR business.
- 10. GLOBAL VS. LOCAL BAD SCENARIOS Global bad scenarios - Botnets, malware, C&C traffic, rootkits, trojans, etc. Local bad scenarios - Unique to your business and priorities Only YOU and your mgmt team can answer this Example: - Outbound FTP connections to a former business partner’s network AFTER you’ve canceled the contract. - Service availability “hiccups” during peak operational windows.
- 11. PLAN FOR THE WORST, EXPECT THE BEST Plan for each of those “worst case” scenarios Ask yourself: How would we know when these happen? - Types of events, and their sequences Devices in scope - Let’s get those data sources added FIRST; First step is finding them (automated asset discovery is a must) How do we respond when we discover them? - Develop standard operational procedures, and train staff - SIEM should have built-in documentation for standard operational procedures Customized guidance that’s attached to each alert Details on assets, their owners, contact info, etc.
- 12. Step 4: Include built-in threat intelligence as a MUST-HAVE.
- 13. OPERATIONALIZED THREAT INTELLIGENCE Threat intelligence should provide info on: - WHO the bad actors are WHAT to focus on HOW to respond when threats are detected WHERE these threats are in your environment Threat intelligence should also… - Provide instructions on what to do when X happens to Y And… be easily and rapidly consumable – part of your SOP
- 14. ALIENVAULT LABS THREAT INTELLIGENCE: COMPLETE COVERAGE TO STAY AHEAD OF THE THREAT Network and host-based IDS signatures – detects the latest threats in your environment Asset discovery signatures – identifies the latest OS’es, applications, and device types Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems Correlation rules – translates raw events into actionable remediation tasks Reporting modules – provides new ways of viewing data about your environment Dynamic incident response templates – delivers customized guidance on how to respond to each alert Newly supported data source plug-ins – expands your monitoring footprint
- 15. Step 5: Use IP reputation data to prioritize alarms & monitor your own reputation. 15
- 16. DISRUPT THE INCIDENT RESPONSE CYCLE A traditional cycle … 1. 2. Prevent Detect Respond 3. Prevents known threats. Detects new threats in the environment. Respond to the threats – as they happen. This isolated closed loop offers no opportunity to learn from what others have experienced ….no advance notice
- 17. THE POWER OF THE “CROWD” FOR THREAT DETECTION Cyber criminals are using (and reusing) the same exploits against others (and you). Sharing (and receiving) collaborative threat intelligence makes us all more secure. Using this data, identify, flag and block known attackers by source IP addresses. Organizations can’t build this “neighborhood watch” infrastructure on their own… that’s where AlienVault comes in…
- 18. TRADITIONAL RESPONSE First Street Credit Union Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Marginal Food Products
- 19. TRADITIONAL RESPONSE Attack First Street Credit Union Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Marginal Food Products
- 20. TRADITIONAL RESPONSE Attack First Street Credit Union Detect Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Marginal Food Products
- 21. TRADITIONAL RESPONSE Attack First Street Credit Union Respond Detect Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Marginal Food Products
- 22. TRADITIONAL RESPONSE Attack First Street Credit Union Respond Detect Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Marginal Food Products
- 23. OTX ENABLES PREVENTATIVE RESPONSE Through an automated, real-time, threat exchange framework
- 24. A REAL-TIME THREAT EXCHANGE FRAMEWORK Puts Preventative Response Measures in Place Through Shared Experience Attack First Street Credit Union Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Detect Open Threat Exchange Marginal Food Products
- 25. A REAL-TIME THREAT EXCHANGE FRAMEWORK Protects Others in the Network With the Preventative Response Measures Attack First Street Credit Union Alpha Insurance Group John Elway Auto Nation Regional Pacific Telecom Detect Open Threat Exchange Marginal Food Products
- 26. GLOBAL THREAT DETECTION FOR LOCAL RESPONSE
- 27. Step 6: Automate your SIEM deployment. 27 27
- 28. DATA INTEGRATION WITH A SINGLE-PURPOSE SIEM 1 5 Evaluate & purchase 3rd party security detection tools 2 Identify & integrate additional data sources Implement & configure these tools Repeat 3-4 4 Manage security detection tools on separate consoles 3 Integrate data and event feeds into SIEM 28
- 29. DATA INTEGRATION WITH ALIENVAULT USM Reduced licensing costs 1 Automated via Auto-Deploy Dashboard 5 Evaluate & purchase 3rd party security detection tools 2 Identify & integrate additional data sources Implement & configure these tools Repeat 3-4 4 Manage security detection tools on separate consoles 3 Built-in asset discovery, vuln assessment, threat detection, behavioral monitoring, and more… Integrate data and event feeds into SIEM Simpler security management, faster remediation 29
- 30. DEPLOYMENT DASHBOARD Identify potential data sources to integrate Set up vulnerability assessment and asset inventory scans Implement suggestions to improve visibility
- 31. TOP 6 STEPS TO SIEM SUCCESS 1. Avoid single-purpose SIEM tools (Reduce integration complexities - look for built-in security detection sources) 2. 3. 4. 5. 6. Know what use cases you’ll need FIRST. (this will dictate what data sources to prioritize) Imagine all the worst case scenarios for your business. (this will inform your incident response strategy) Include built-in threat intelligence as a must-have requirement. (threats move way too quickly not to operationalize your defenses) Use IP reputation data to prioritize alarms & monitor your own rep. (Identify exposures – both inside and outside your network) Automate your deployment. (yes, hard to believe, but this *is* possible)
- 32. QUESTIONS FOR SIEM VENDORS HINT: PRINT THIS OUT FOR THE NEXT TIME THEY CALL YOU…. How long will it take to go from software installation to security insight? For reals. How many staff members or outside consultants will I need for the integration work? What can I do if I don’t have all of the external security technologies in place that can feed the SIEM (e.g. asset inventories, IDS, vulnerability scans, netflows, etc.)? What is the anticipated mix of licensing costs to consulting and implementation fees? Do your alerts provide step-by-step instructions for how to mitigate and respond to investigations? Is IP reputation data included in the threat intelligence content? 32
- 33. NOW FOR SOME Q&A… Three Ways to Test Drive AlienVault Download a Free 30-Day Trial http://www.alienvault.com/free-trial Try our Interactive Demo Site http://www.alienvault.com/live-demo-site Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usmlive-demo Questions? hello@alienvault.com
Notas del editor
- SIEM, or security intelligence, has become the current standard for achieving complete visibility into your compliance status and any threats to your organization’s data and infrastructure. The challenge is that the first wave of SIEM vendors only focused on the logic or analysis layer, basically the event correlation engine - not on how to deploy it or how to feed it. And without those two key success factors, SIEM becomes shelf-ware.Alright so let’s get started… what are those six steps?========Security intelligence has become the current standard for getting
- SIEM arose from the fact that most of the security products out there have started and evolved as point products. So we all needed something to tie these things together. But if a SIEM only does one thing – it becomes yet another single purpose point product. Just like a single purpose hotdog cooker/hot dog bun toaster. Or should I say “hot dog production solution”. I agree it might be best of breed, but it wastes valuable space on my counter!
- Not everyone has all this stuff already in place, if you do, yes we can integrate. But if you don’t, or you don’t want the hassle of managing multiple consoles, this eases those issues.
- Figure this out BEFORE you evaluate or investThese will depend on WHY you’re implementing SIEMThis defines scope and your priorities (e.g. Pass a PCI audit vs. Detect malware infections)Differences between a business use case & how it’s translated into a technology use caseBusiness use case (fewer) = e.g. monitor all privileged user activity for PCI-DSS requirementsTechnology use case (many more) = e.g. alert on all “sudo” events for Linux servers, especially failed root logins, and prioritize those that occur during X time windows, etc.
- Priv user monitoring for PCI-DSS will be a different scope than if you wanted to do it for a broader purpose…
- SIEM is too complex. Collecting the right data, aggregating it, normalizing and correlating disparate technologies for that one common view is not a trivial task. And most of the time, the SIEM vendor will expect the client or the client’s service provider to bear the brunt of that deployment challenge. “Feeding the beast” requires multiple hours spent with system administrators who manage those data sources to reroute the event information over to the SIEM. Technically, this isn’t so complex for a single system, but at scale it can get very complicated.
- Evaluate, select, and purchase third party security tools (e.g. IDS, vulnerability scanners, etc.).Implement and configure these products.Fine-tune and integrate these feeds into the SIEM.Manage and administer them each with a different console than the SIEM.Identify which additional data sources are needed: Firewalls, routers, proxies, switches etc.Web-servers, database servers, LDAP/AD servers, file directories, etc.Repeat steps #3-4.
- Reduces the burden of integrating data sources Provides suggestions for improving visibilityWhere is the monitoring deficient? What can be done to improve it?
- So the goal of today’s session is to give you the secrets of success in terms of planning for a solution that works with your environment, your use cases, can be deployed quickly, and can easily scale and be managed over time. Oh yeah, and it needs to be continually updated with the latest threat intelligence, so you’re not trying to figure out how to write rules on your own every time something wicked this way comes.We’re going to focus on each one of these as we go through our presentation today. So here’s just the overview.Most of the reason why SIEM takes so long to deploy is because these tools do only one thing. They correlate data, but they don’t develop the data they’re correlating. They’re reliant on other tools from other vendors who do things like asset discovery, vulnerability assessment, threat detection, tools like IDS, log management, and the list goes on and on. So look for more than just a fancy reporting tool and event correlation engine.The second point is to know why you’re evaluating a tool that provides SIEM functionality. What do you want to do with it? What do you want to know? What are you prepared to act on if it happens? We’ll spend time talking through how to build your use cases. Because this will dictate what data sources you’ll need to prioritize.The next one is probably pretty familiar territory for us security geeks. Ultimately, security professionals spend a lot of time thinking through worst case scenarios… it comes with the territory… we need to. We need to know what terrible things would happen that would have X impact in Y dollars to Z business initiative. And then we build an incident response program out of it.Threat intelligence is an absolute must-have these days. Attackers are continually morphing and adapting their tools, techniques, and there’s too much coming at you and your network to know what to focus on and when. So we’ll talk about the need not just to know the latest threats, but give you the ability to operationalize your consumption of emerging threat intelligence, so you actually have the ability to act on it.The fifth step is all about taking a collaborative approach to threat management – IP reputation data gives you that perspective. When you correlate data from everyone else’s network – a crowd-sourced approach – you now start to turn the tables on those trying to attack you. So we’ll talk about how to use IP reputation data to prioritize events and alarms as well as monitor the reputation of your own public-facing assets.Finally, SIEM deployment is a dirty word. The good news… you can honestly automate the deployment process. At least critical pieces of it…and we’ll talk about how that’s done later in the presentation. So let’s focus on our first step.
- Demand more from your SIEM vendor. Ask direct and detailed questions to understand how to avoid these typical problems – before you make the leap to purchase. Make sure to get the most value out of every security investment you make in 2013 and beyond. Here are few questions to get you started.