DIY vs. Managed SIEM
Meet Paul
Paul Caiazzo, Principal, Chief Security Architect
CISSP, CISA, CEH
M.S. Information Security and Assurance
15+ years of experience in Information Security
Connect with me: @Paul_Caiazzo, https://www.linkedin.com/in/pcaiazzo, pcaiazzo@trushieldinc.com

Meet TruShield
We are a global cyber security company based in the Washington DC metro area.
Provider of the following high-quality, concierge security services:
Managed Security Services
Risk Assessment Services
Penetration Testing
Vulnerability Assessments
Threat Protection
Incident Management
Security Consulting
Security Architecture
What is SIEM?
SIEM Basics
Why do you need one?
Global average compromise detection time is 210 days
Compliance (PCI, ISO, FISMA, NCUA, etc.)
What kinds of SIEM are out there?
PICK TWO, AND ONLY TWO: Effective / Inexpensive / Easy to Use

SIEM Basics
How does a SIEM work?
SIEM device(s) installed on the network
Collect event logs from nodes on the network
Normalize / aggregate / correlate
Scrub against threat signatures or a behavioral database
Generate alerts that someone has to review, investigate, and respond to
Source: http://resources.infosecinstitute.com/book-advanced-network-design/

SIEM Basics
What is involved in configuring and installing a SIEM?
Complex, many moving parts
Misconfiguration or incomplete rollout are common pitfalls
Management and administration tasks:
  Updates and management
  Dashboard and analyses
  Tuning, tuning, tuning
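To make the collect / normalize / aggregate / correlate / alert stages concrete, here is an added illustrative example in Python, not code from the deck or from TruShield: it parses two constructed log formats into one event schema, aggregates events by source address, and raises an alert when repeated failed logins from one source are followed by a success. The sample lines, the regexes, the assumed syslog year, the failure threshold and the time window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the original deck): two formats feeding
# one pipeline, OpenSSH-style auth messages and a web application login audit log.
SAMPLE_LOGS = [
    "Mar 10 09:01:02 web1 sshd[311]: Failed password for root from 203.0.113.5 port 4001 ssh2",
    "Mar 10 09:01:04 web1 sshd[311]: Failed password for root from 203.0.113.5 port 4002 ssh2",
    "Mar 10 09:01:07 web1 sshd[311]: Failed password for admin from 203.0.113.5 port 4003 ssh2",
    "Mar 10 09:01:09 web1 sshd[312]: Accepted password for admin from 203.0.113.5 port 4004 ssh2",
    "Mar 10 09:05:00 app1 sshd[400]: Accepted publickey for deploy from 198.51.100.7 port 5000 ssh2",
    "2024-03-10T09:02:00Z app1 login user=alice src=192.0.2.9 result=FAIL",
    "2024-03-10T09:02:30Z app1 login user=alice src=192.0.2.9 result=OK",
]

SSHD_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) sshd\[\d+\]: (Accepted|Failed) \w+ "
                     r"for (?:invalid user )?(\S+) from (\S+)")
WEB_RE = re.compile(r"^(\S+) (\S+) login user=(\S+) src=(\S+) result=(OK|FAIL)")

def normalize(line):
    """Normalize: map a raw line from either source onto one common event schema."""
    m = SSHD_RE.match(line)
    if m:
        # classic syslog timestamps carry no year; 2024 is assumed for the sample
        ts = datetime.strptime("2024 " + m.group(1), "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m.group(2), "user": m.group(4), "src": m.group(5), "ok": m.group(3) == "Accepted"}
    m = WEB_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts, "host": m.group(2), "user": m.group(3), "src": m.group(4), "ok": m.group(5) == "OK"}
    return None  # unparsed lines: a real SIEM counts these so parser gaps stay visible

def correlate(lines, fail_threshold=3, window_s=300):
    """Aggregate events per source IP and alert when >= fail_threshold failed
    logins from that source are followed by a success within window_s seconds."""
    by_src = defaultdict(list)
    for ev in filter(None, map(normalize, lines)):  # drop unparsed lines
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if not ev["ok"]:
                continue
            fails = [e for e in events[:i]
                     if not e["ok"] and (ev["ts"] - e["ts"]).total_seconds() <= window_s]
            if len(fails) >= fail_threshold:
                alerts.append({"rule": "brute-force-then-success", "src": src,
                               "user": ev["user"], "host": ev["host"], "failures": len(fails)})
    return alerts
```

Running `correlate(SAMPLE_LOGS)` yields one alert for 203.0.113.5; the single failure from 192.0.2.9 stays below the threshold, which is the tuning trade-off the following slides describe.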
SIEM Basics And, in order to actually realize any value for all of that hard work
SIEM Basics Someone still has to monitor and actually respond to these alerts!
SIEM Costs
SIEM license: average for an enterprise SIEM is ~$50,000 for mid- to large-sized organizations
License maintenance costs in out-years are usually 20%
Hardware
Software
Installation and configuration
Management/administration
Monitoring and response
Companies waste a lot of money on SIEM by not adequately planning for monitoring and response
MSSP Basics How does Managed SIEM work?
MSSP Basics
What are the key functional differences?
Initial architecture and rollout included
MSSP then manages and runs day-to-day operations
24/7/365 monitoring, alerting and incident response
Dedicated team of cyber security professionals, incident handlers and researchers
Certified forensics investigators

MSSP Basics
What are the key functional differences?
Threat Intelligence extends far beyond your network boundary
Big-data analysis on attack trends and indicators of compromise
Threat Intelligence Reports published frequently (http://trushieldinc.com/monthly-cyber-threat-intelligence-reports/)
Ongoing vulnerability and threat research delivered in the form of Threat Alerts, Advisories and recommended remediation strategies

MSSP Costs
Per-device monthly subscription fee
Options for service enhancements:
  Active security appliance management (firewall, IDS/IPS, UTM, Web Content Filter, etc.)
  Managed vulnerability scanning/remediation
  Patch Management
  Endpoint protection (anti-virus/anti-malware, encryption, DLP, etc.)
Our Recommendation
Do you have:
The resources to buy a SIEM, considering all of its ancillary infrastructure and deployment costs?
The resources to adequately manage and tune the SIEM?
Sufficiently skilled and trained staff to monitor and investigate alerts?
Sufficiently skilled and trained staff to respond to, contain, and eradicate threats?
24/7/365?
If no to any of the above, we highly advise that you consider an MSSP.

Our Recommendation
Key benefits you can realize via an MSSP
Significantly reduced cost to achieve:
  Advanced threat detection capability
  24/7 monitoring, alerting and response by a team of certified experts
  Actionable intelligence based upon actual events occurring on your network, in real time
  Global perspective on threat patterns and trends, resulting in immediate reduction in risks
  Ability to focus on your core mission rather than chasing SIEM alerts
Q & A
Thank You!
877.583.2841
www.trushieldinc.com