Not your Father's SIEM: Getting Better Insights & Results
Bill Thorn, Director, Security Operations, Apollo Education Group

Agenda
- Why use a SIEM?
- What is a SIEM?
- Benefits of Using a SIEM
- Considerations Before Implementing
- Put the Crown Jewels First
- Advanced SIEM Features & Benefits
- Use Cases - Walkthrough
- Lessons Learned
THE SIEM
Why Use a SIEM? Evolving Needs - More of the Same
- Enterprises and security leaders constantly need better information
- Increasing amounts of data to cull
- Need for better intelligence
- Resource constraints and contentions
- Budgets are tight
- Knowledge deficits

What is a SIEM?
- Security Information & Event Manager
- Single pane of glass to manage events and output from all security tools and critical inputs:
  - Hardware
  - Software
  - Applications
  - Processes
Benefits of Using a SIEM
- Central repository for security-relevant data (structured or unstructured)
- Real-time event aggregation and monitoring
- Real-time correlation and alerting
- Identify baseline versus anomalies
- Investigation, analysis, and forensics
- Compliance, reporting, trending, and analytics
- Apply contextual factors to security events

Considerations Before Implementing
- What is the problem being solved?
- What data will feed the SIEM?
- What are the anticipated outputs?
- Who will use the information and how will they use it?
  - Incident workflow
  - Systems integration
  - Reporting

Advanced SIEM Features & Benefits
- Big Data approach
- Ability to take automated responses
- Provide better views and insights into the larger security ecosystem
- Active lists/watch lists
- Zones & asset groups
- Custom criticality
- Threat intelligence feeds
USE CASES
Put the Crown Jewels First
- Bring in events from the most critical assets first
- Don't try and boil the ocean
- Tuning critical assets as needed will make bringing in subsequent systems easier
- Starting small allows you to tune processes and procedures as well

Potential Use Cases are Endless
- Once rules for the Crown Jewels are in place, open the throttle up
- Consider all the data movement in and out of your enterprise:
  - Mobility
  - Vendors
  - 3rd Party
  - Cloud Services
Map Out Your Use Cases
Context Through Data Enrichment
Data enrichment is information that makes the events more meaningful:
- Asset criticality
- Watch lists
- Vulnerability data
- Embargoed countries
- Threat intelligence

Use of Watch Lists
- Lists can be of set timeframes to allow efficient information turnover
- Watch lists can provide context
- Watch lists can be comprised of: system names, IP addresses, ports, user names, file names, file hashes

Firewall Dropped/Blocked Connects
- Source IPs for multiple dropped connections are added to a 10-day watch list
- Subsequent successful connections then alert as suspicious activity to be investigated

Host Malware Detection
- Antivirus identifies a suspected Trojan based on heuristics
- The suspected file is deleted
- The detection triggers a number of automatic actions:
  1. System is added to 3 separate watch lists
  2. Full system scan is triggered
  3. More restrictive host intrusion policies are enabled
  4. Logs, Netstat details, running process info gathered
  5. Incident record created
  6. Suspicious new executables are uploaded to McAfee for examination

Repeated Malware Detection
- Malware detection on a system already in a 24-hour watch list
- Detection triggers the following actions:
  - System isolation
  - Logs, Netstat details, running process info gathered
  - Incident record created
  - Suspicious new executables are uploaded to McAfee for examination

Failed Admin Account Logins
- Accounts with 5 failed attempts in 20 minutes are added to a watch list
- Subsequent successful logins alert
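The two watch-list use cases above (firewall drops followed by a successful connection, and failed admin logins followed by a successful login) share one correlation pattern: count trigger events per key inside a sliding window, put the key on a time-limited watch list once a threshold is reached, and alert on any follow-up event while the key is still listed. The block below is an added example of that pattern, not code from the presentation or from any SIEM product; the sample log, the 24-hour lifetime for the login list, and "multiple drops" meaning 3 within 10 minutes are constructed assumptions, while the 5-in-20-minutes and 10-day values come from the slides.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample log, not from the presentation: (timestamp, event type, account).
ADMIN_EVENTS = [
    ("2024-01-01 09:00:00", "login_failed", "admin"),
    ("2024-01-01 09:04:00", "login_failed", "admin"),
    ("2024-01-01 09:08:00", "login_failed", "admin"),
    ("2024-01-01 09:12:00", "login_failed", "admin"),
    ("2024-01-01 09:16:00", "login_failed", "admin"),       # 5th failure inside 20 min: watch-listed
    ("2024-01-01 09:20:00", "login_success", "admin"),      # success while listed: alert
    ("2024-01-01 09:00:00", "login_failed", "svc_backup"),
    ("2024-01-01 09:30:00", "login_failed", "svc_backup"),
    ("2024-01-01 10:00:00", "login_failed", "svc_backup"),
    ("2024-01-01 10:30:00", "login_failed", "svc_backup"),
    ("2024-01-01 11:00:00", "login_failed", "svc_backup"),  # 5 failures spread over 2 h: never listed
    ("2024-01-01 11:05:00", "login_success", "svc_backup"), # no alert
]

class WatchList:
    """Watch list whose entries expire after a fixed lifetime (the deck's 10-day and 24-hour lists)."""
    def __init__(self, ttl):
        self.ttl, self.expiry = ttl, {}
    def add(self, key, now):
        self.expiry[key] = now + self.ttl
    def contains(self, key, now):
        return key in self.expiry and now <= self.expiry[key]

def correlate(events, trigger, follow_up, threshold, window, ttl):
    """List a key after `threshold` triggers inside a sliding `window`; alert on follow-ups while listed."""
    recent, watch, alerts = defaultdict(deque), WatchList(ttl), []
    for ts, etype, key in events:  # events are processed in the order given
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if etype == trigger:
            q = recent[key]
            q.append(now)
            while now - q[0] > window:  # drop triggers that have aged out of the window
                q.popleft()
            if len(q) >= threshold:
                watch.add(key, now)
        elif etype == follow_up and watch.contains(key, now):
            alerts.append((ts, key))
    return alerts

def failed_admin_logins(events):
    # 5 failures in 20 minutes is from the deck; the 24-hour list lifetime is an assumption.
    return correlate(events, "login_failed", "login_success", 5, timedelta(minutes=20), timedelta(hours=24))

def firewall_dropped_connections(events):
    # The 10-day list is from the deck; "multiple" drops is assumed to mean 3 within 10 minutes.
    return correlate(events, "fw_drop", "fw_accept", 3, timedelta(minutes=10), timedelta(days=10))
```

Running `failed_admin_logins(ADMIN_EVENTS)` yields a single alert for the admin account; the svc_backup account never reaches the threshold because its failures fall out of the 20-minute window, which is exactly the tuning lever the "set timeframes" bullet refers to.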
Using File Hashes
- Watch lists can be set up to compare hash values
- Use hashes to identify files that have changed
- Use hashes to identify unwanted software

Additional Use Case Considerations
- User profiling to identify high-risk users
  - Job board visits and data exfiltration
  - VPN and mobility usage
- Connection profiling to identify system connection anomalies
  - Use of NetFlow data to identify abnormal patterns

Lessons Learned: A Review
- Start with the end in mind
- Know what data you want, and know who will handle it and how
- Concentrate on the most important data elements first
- Tune the rules and tune the process
- Take advantage of data enrichment and automation opportunities to improve insights and outcomes
QUESTIONS