SIEM (Security Information Event Management)


SIEM (Security Information Event Management) Topic: SECURITY and RISK Presenter: Ron Hruby

Topics
- Threat landscape
- Breaches and hacks
- Leadership and accountability
- Evolution of security technology
- What is SIEM?
- SIEM overview and use cases
- Pitfalls of SIEM implementations
- Is SIEM a nice to have or a need?

Background
- Director of Commercial Cybersecurity for Vertek, based out of Colchester, VT
- 20 years of IT solutioning, telecom and security experience
- I've been both a buyer and a supplier of telecom and security related services
- Co-founder of the MSSP (Managed Security Service Provider) division at Vertek
- Vertek provides BPO, BI, Order Management, Network Migration Services, enoc, MSSP/SOC and Consulting services to CP, MSPs, SMB, and Large Enterprise
- The MSSP division provides managed SOC services, including 24x7 network monitoring, security intelligence and breach detection

Can your IT Department detect a breach today?

DDoS Attack (Distributed denial-of-service attack)
Diagram: attacker machine running a client program -> command and control (C2) infects and controls clients -> compromised hosts (botnet clients), millions of devices -> target of attack.
Multiple compromised hosts are used by an attacker to send incoming traffic, flooding the target and causing a denial of service (DoS).

The Defcon.pro website also lists the following features: 24/7 Support, Private Methods, Skype Resolver, 99% uptime, Dedicated Servers, PayPal/Bitcoin, Stop Button, IP Geolocation, Cloudfare resolver, Domain Resolver, Amazing Power, Easy to use Interface.

Pastebin is a text storage site where users can store plain text. It is most commonly used to share short source code snippets for code review via Internet Relay Chat (IRC). Special shout out to #39 on this list.

Pwned?

Verizon DBIR 2017

Many organizations don't have the basics covered (Shodan.io)

VNC (Virtual Network Computing)
VNC is a graphical desktop sharing program that allows someone to remotely control another computer.
Diagram: workstation running VNC Viewer <-> workstation running VNC Server

Foot in the door through a vendor: Supply Chain Attacks
"Hackers Hid Backdoor In CCleaner Security App With 2 Billion Downloads -- 2.3 Million Infected"
The CCleaner download server was hosting the backdoored app as far back as September 11. Talos warned in a blog Monday that the affected version was released on August 15, but on September 12 an untainted version 5.34 was released. For weeks then, the malware was spreading inside supposedly-legitimate security software.
https://www.forbes.com/sites/thomasbrewster/2017/09/18/ccleanercybersecurity-app-infected-with-backdoor/#abf997e316a8

Among other things, our obligation is to protect CPNI, SPI, PII, PCI, PHI, non-public data, etc.
Simple principles:
- Where is it on your network?
- Who has access to it?
- How is it secured?
- Who is monitoring it?
- Who is periodically reviewing it?

Leveraging Frameworks
Sample requirements:
- Assess and classify assets and information according to risk
- Continuously scan and assess unpatched software and system vulnerabilities
- Identify malicious entities probing systems and the network
- Continuously monitor network traffic and system events for potentially unsecure behaviors
- Respond to identified malicious events to remediate them
- Audit and report effectiveness
References: http://www.27000.org/ (ISO 27000), Cybersecurity Framework
As suppliers we see this language on contracts. We also require it.

Evolution of security technology

Before SIEM: disparate security log and event sources, and manual correlation of events.
With SIEM: a single pane of glass for security logs and events, cross-correlation of events, and log retention.
Diagram: router, switch, IDS, server, firewall, threat feeds and scans all feed their logs and events into the SIEM.
SIEM components: sensor, logger, server.

Security Information Event Management (SIEM)
The need for early targeted attack detection and response is driving the expansion of new and existing SIEM deployments.
Traditional SIEM: log management, asset discovery, event correlation, forensic analysis, ticketing, reporting, threat feeds
Vendor features: network vulnerability scanning, network IDS, host IDS / FIM, NetFlow, packet capture, OTX / feed / IoC integration, policy violations

Sample SIEM Dash

Assets and Groups

Plugin: normalized data. A raw log mapped to a taxonomy subtype means the SIEM can read it; a log line that matches no plugin stays raw and cannot be correlated.

IDS: critical SIEM log source
An Intrusion Detection System (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations.
Signature vs. anomaly based; Snort (Sourcefire) signatures.
Diagram: Internet -> firewall -> IDS monitoring VLAN 10 (workstation) and VLAN 20 (server)

Vulnerability scanning: critical SIEM log source
OpenVAS Network Vulnerability Tests (NVTs) are the scanner's definitions/signatures.
Diagram: Internet -> firewall -> vulnerability scanner covering VLAN 10 (workstation) and VLAN 20 (server)

Open Threat Exchange (OTX): key SIEM IoC source; many technologies support OTX. https://www.alienvault.com/open-threat-exchange

Correlation categories:
- Suspicious inbound connections
- Suspicious outbound connections
- Critical vulnerabilities
- Policy violations
- Attacks
- Brute force
- DDoS
- Malware
- Network scanning
- User contributed

Informationisbeautiful.net

Alarm and Forensics

IR BPM Ticket and Triage

Reporting
- Security incidents / events
- Action items
- Vulnerabilities
- Change
- SIEM lifecycle
- Policy items
- Tuning
- Performance
- Trends

Pitfalls of SIEM Implementations
01 Scope: business drivers for implementing; developing use cases
02 Planning: sizing, EPS and retention; log sources; features; policy
03 Monitoring too much or too little: generating alerts on non-priority events
04 Alert fatigue / lack of context: alerts may be generated that staff do not understand; a certain number of false positives is good, but too many lead to alert fatigue, and real events get missed (false negatives)
05 Inadequate staffing: a SIEM needs to be monitored, maintained, and tuned to be effective

Striking the balance: is a SIEM nice to have or a need?
Technologies like firewalls, IDS/IPS, content filtering, and vulnerability scanning ARE NOT a replacement for SIEM:
- Firewalls provide a way to allow traffic in and out of your network
- IDS provides a way to monitor traffic in and out of your network
- IPS sits inline to prevent traffic based on IDS events. Under-tuned, it can block legitimate traffic; over-suppressed, it has the potential to miss events
- URL filtering provides a way to monitor and control web traffic
- Vulnerability scanning provides a way to scan for and detect vulnerabilities
Without a SIEM, correlating events across these tools is a manual task.
Checks and balances within security roles (engineering, administration, analyst); responsibilities (assigned, concerned, responsible)

Checks and balance
Among other things, our obligation is to protect CPNI, SPI, PII, PCI, PHI, non-public data, etc. Simple principles: where is it on your network, who has access to it, how is it secured, who is monitoring it, who is periodically reviewing it.
3rd party testing: a combination of red team and blue team tactics.

1+1 should be >2: Technology (SIEM) + People (Sr. Security Analyst)
- A SIEM does not implement itself. It knows nothing about your environment, your assets or your risks
- Business requirements should drive directives and tuning
- Turn industry advisories into actionable Indicators of Compromise (IoCs) and/or action items to discuss during security reviews
- Signatures, directives and threat feeds are extremely important to detect new and emerging threats
- Ultimately the team managing the SIEM and reviewing the reports will make or break its success
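The three slides above on plugin normalization, correlation categories and turning advisories into IoCs describe one pipeline: map raw logs to a taxonomy, then run directives over the normalized events. The following is an added example written for this page, not code from the presentation, from Vertek, or from any SIEM vendor. Regexes stand in for plugins, two small functions stand in for correlation directives (brute force, IoC match), and the log lines, the indicator list, the year, the failure threshold and the two-minute window are all constructed assumptions.

```python
"""Added example, not from the presentation: a tiny SIEM pipeline that
maps raw log lines to a taxonomy (the "plugin" step) and then runs
correlation directives over the normalized events.  The log lines,
IoC list, threshold and time window are all constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2017  # syslog timestamps carry no year; assumed for the sample data

# Constructed sample logs: one host being brute-forced over SSH, one
# successful login, one firewall ACCEPT, and one line no plugin understands.
RAW_LOGS = [
    "Feb  3 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Feb  3 10:00:04 web1 sshd[1202]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "Feb  3 10:00:08 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2",
    "Feb  3 10:00:11 web1 sshd[1204]: Failed password for root from 203.0.113.7 port 51244 ssh2",
    "Feb  3 10:00:15 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51250 ssh2",
    "Feb  3 10:02:30 web1 sshd[1206]: Accepted password for deploy from 198.51.100.5 port 40000 ssh2",
    "Feb  3 10:05:00 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.20.15 DST=192.0.2.44 PROTO=TCP DPT=443",
    "Feb  3 10:06:00 app2 myapp[77]: cache rebuilt in 3.2s",
]

# Constructed indicator list standing in for an OTX-style IoC feed.
IOC_IPS = {"192.0.2.44"}

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "

# Each "plugin" is a regex plus the taxonomy category/subtype it maps to.
PLUGINS = [
    (re.compile(TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>[\d.]+)"),
     "authentication", "login_failed"),
    (re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src_ip>[\d.]+)"),
     "authentication", "login_success"),
    (re.compile(TS + r"kernel: ACCEPT .*SRC=(?P<src_ip>[\d.]+) DST=(?P<dst_ip>[\d.]+)"),
     "network", "connection_allowed"),
]


def normalize(line):
    """Map one raw line to a taxonomy event, or None when no plugin matches.
    An unparsed line is invisible to every directive, which is why the
    unparsed count is worth watching."""
    for rx, category, subtype in PLUGINS:
        m = rx.match(line)
        if m:
            ev = {"category": category, "subtype": subtype, "raw": line}
            ev.update({k: v for k, v in m.groupdict().items() if v})
            ev["ts"] = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            return ev
    return None


def brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Directive: threshold or more login_failed events from one source IP
    inside the window raise one alarm for that source."""
    fails = defaultdict(list)
    for ev in events:
        if ev["category"] == "authentication" and ev["subtype"] == "login_failed":
            fails[ev["src_ip"]].append(ev["ts"])
    alarms = []
    for src, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alarms.append({"name": "ssh_brute_force", "src_ip": src,
                               "count": threshold, "first_seen": times[i]})
                break
    return alarms


def ioc_match(events, iocs):
    """Directive: any source or destination address on the indicator list."""
    return [{"name": "ioc_match", "indicator": ev[field], "raw": ev["raw"]}
            for ev in events for field in ("src_ip", "dst_ip")
            if ev.get(field) in iocs]


def run(lines=RAW_LOGS, iocs=IOC_IPS):
    """Normalize, count what could not be parsed, then run both directives."""
    parsed = [normalize(line) for line in lines]
    events = [ev for ev in parsed if ev]
    return {"events": events,
            "unparsed": parsed.count(None),
            "alarms": brute_force(events) + ioc_match(events, iocs)}


if __name__ == "__main__":
    result = run()
    print(f"{len(result['events'])} events, {result['unparsed']} unparsed")
    for alarm in result["alarms"]:
        print(alarm)
```

Running it on the constructed input yields seven normalized events, one unparsed line, a brute-force alarm for 203.0.113.7 and an IoC match on 192.0.2.44. The unparsed count is the practical check behind the "SIEM can read it" slide: a source whose lines never match a plugin produces no events, so no directive, however good, will ever fire on it. Raising the threshold to six on the same input produces no brute-force alarm, which is the tuning lever the pitfalls slide refers to.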

Don't bet on luck. Be well prepared.
rhruby@vertek.com
ManagedThreatIntelligence.com