Not your Father's SIEM


Transcription:

Not your Father's SIEM: Getting Better Insights & Results
Bill Thorn, Director, Security Operations, Apollo Education Group

Agenda
- Why use a SIEM?
- What is a SIEM?
- Benefits of Using a SIEM
- Considerations Before Implementing
- Put the Crown Jewels First
- Advanced SIEM Features & Benefits
- Use Cases - Walkthrough
- Lessons Learned

THE SIEM

Why Use a SIEM? Evolving Needs - More of the Same
- Enterprises and security leaders constantly need better information
- Increasing amounts of data to cull
- Need for better intelligence
- Resource constraints and contentions
- Budgets are tight
- Knowledge deficits

What is a SIEM?
- Security Information & Event Manager
- Single pane of glass to manage events and output from all security tools and critical inputs: hardware, software, applications, processes

What is a SIEM?

Benefits of Using a SIEM
- Central repository for security-relevant data, structured or unstructured
- Real-time event aggregation and monitoring
- Real-time correlation and alerting
- Identify baseline versus anomalies
- Investigation, analysis, and forensics
- Compliance, reporting, trending, and analytics
- Apply contextual factors to security events

Considerations Before Implementing
- What is the problem being solved?
- What data will feed the SIEM?
- What are the anticipated outputs?
- Who will use the information and how will they use it?
- Incident workflow
- Systems integration
- Reporting

Advanced SIEM Features & Benefits
- Big Data approach
- Ability to take automated responses
- Provide better views and insights into the larger security ecosystem
- Active lists/watch lists
- Zones & asset groups
- Custom criticality
- Threat intelligence feeds

USE CASES

Put the Crown Jewels First
- Bring in events from the most critical assets first
- Don't try to boil the ocean
- Tuning critical assets as needed will make bringing in subsequent systems easier
- Starting small allows you to tune processes and procedures as well

Potential Use Cases are Endless
- Once rules for the Crown Jewels are in place, open the throttle up
- Consider all the data movement in and out of your enterprise: mobility, vendors, 3rd party, cloud services

Map Out Your Use Cases

Context Through Data Enrichment
Data enrichment is information that makes the events more meaningful:
- Asset criticality
- Watch lists
- Vulnerability data
- Embargoed countries
- Threat intelligence

Use of Watch Lists
- Lists can be of set timeframes to allow efficient information turnover
- Watch lists can provide context
- Watch lists can be comprised of: system names, IP addresses, ports, user names, file names, file hashes

Firewall Dropped/Blocked Connects
- Source IPs for multiple dropped connections are added to a 10-day watch list
- Subsequent successful connections then alert as suspicious activity to be investigated

Host Malware Detection
Antivirus identifies a suspected Trojan based on heuristics; the suspected file is deleted. The detection triggers a number of automatic actions:
1. System is added to 3 separate watch lists
2. Full system scan is triggered
3. More restrictive host intrusion policies are enabled
4. Logs, netstat details, running process info gathered
5. Incident record created
6. Suspicious new executables are uploaded to McAfee for examination

Repeated Malware Detection
Malware detection on a system already in the 24-hour watch list triggers the following actions:
- System isolation
- Logs, netstat details, running process info gathered
- Incident record created
- Suspicious new executables are uploaded to McAfee for examination

Failed Admin Account Logins
- Accounts with 5 failed attempts in 20 minutes are added to a watch list
- Subsequent successful logins alert
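The firewall and failed-admin-login use cases above are the same pattern: a threshold puts an entity on a time-limited watch list, and a later "success" event for that entity raises an alert. The following Python is an added example, not from the presentation or Apollo Education Group, showing that correlation over constructed sample events; the "multiple dropped connections" threshold of 3, the 24-hour lifetime of the admin list and the event tuple layout are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class WatchList:
    """Watch list whose entries age out after a set timeframe (the deck's 10-day / 24-hour lists)."""
    def __init__(self, ttl):
        self.ttl, self.entries = ttl, {}
    def add(self, key, when):
        self.entries[key] = when + self.ttl      # re-adding refreshes the expiry
    def contains(self, key, when):
        return key in self.entries and when <= self.entries[key]

def correlate(events, drop_threshold=3, fail_threshold=5, fail_window=timedelta(minutes=20)):
    """Alert on allowed connections from watch-listed sources and on logins after 5 failures in 20 min."""
    fw_list, admin_list = WatchList(timedelta(days=10)), WatchList(timedelta(hours=24))
    drops, fails, alerts = defaultdict(int), defaultdict(deque), []
    for ts, kind, key, outcome in sorted(events, key=lambda e: e[0]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if kind == "fw":                          # key is the source IP
            if outcome == "drop":
                drops[key] += 1
                if drops[key] >= drop_threshold:  # assumed meaning of "multiple" drops
                    fw_list.add(key, when)
            elif fw_list.contains(key, when):
                alerts.append((ts, "watch-listed source connected successfully", key))
        elif kind == "auth":                      # key is the admin account name
            if outcome == "fail":
                recent = fails[key]
                recent.append(when)
                while when - recent[0] > fail_window:   # keep only the sliding 20-minute window
                    recent.popleft()
                if len(recent) >= fail_threshold:
                    admin_list.add(key, when)
            elif admin_list.contains(key, when):
                alerts.append((ts, "successful login after repeated failures", key))
    return alerts

# Constructed sample events (timestamp, source type, IP or account, outcome); not real log data.
SAMPLE = [
    ("2024-01-10 09:00:00", "fw", "203.0.113.7", "drop"),
    ("2024-01-10 09:00:05", "fw", "203.0.113.7", "drop"),
    ("2024-01-10 09:00:09", "fw", "203.0.113.7", "drop"),
    ("2024-01-12 14:30:00", "fw", "203.0.113.7", "allow"),   # inside 10 days: alert
    ("2024-01-25 08:00:00", "fw", "203.0.113.7", "allow"),   # entry expired: no alert
] + [(f"2024-01-10 10:{m:02d}:00", "auth", "admin", "fail") for m in (0, 3, 7, 12, 18)] + [
    ("2024-01-10 10:20:00", "auth", "admin", "success"),     # 5 failures in 18 min: alert
] + [(f"2024-01-10 10:{m:02d}:00", "auth", "ops", "fail") for m in (0, 10, 20, 30, 40)] + [
    ("2024-01-10 10:45:00", "auth", "ops", "success"),       # never 5 inside 20 min: no alert
]
```

Calling `correlate(SAMPLE)` returns two alerts, one for the admin account and one for the watch-listed source; the `ops` account and the expired firewall entry produce none, which is the point of the sliding window and the list timeframe.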

Using File Hashes
- Watch lists can be set up to compare hash values
- Use hashes to identify files that have changed
- Use hashes to identify unwanted software

Additional Use Case Considerations
- User profiling to identify high-risk users: job board visits and data exfiltration, VPN and mobility usage
- Connection profiling to identify system connection anomalies
- Use of NetFlow data to identify abnormal patterns

Lessons Learned: A Review
- Start with the end in mind
- Know what data you want, and know who will handle it and how
- Concentrate on the most important data elements first
- Tune the rules and tune the process
- Take advantage of data enrichment and automation opportunities to improve insights and outcomes

QUESTIONS