Security information and event management (SIEM) tools provide a robust collection of data sources that can help companies take a more proactive approach to preventing threats and breaches.
However, implementing a SIEM often brings the challenges of a lengthy implementation, a costly investment and the need for skilled security analysts to maintain it. Also, many SIEMs have been used in on-premises data centers, so what steps will you need to take if you want your SIEM to move with your data into the cloud?
2. Webinar: Best Practices in Responding to the Next Vulnerability
3. Agenda
• Intro to Webinar Speaker
• Cliff Turner, Alert Logic
• Background to SIEM
• Value of SIEM
• Modern SIEM
• Your Questions?
Housekeeping
• Use the question box anytime
• We’re recording today’s event and it will be available on-demand.
• Check the attachments section of this webinar for the slide deck and other resources
4. Why are SIEMs Valuable
• Exponential increase in an organization’s security posture
- Through visibility and situational awareness
- Deployment of detective and protective controls
- Data from the network, systems and applications to the SIEM
- Allow complex cyber security issues to be defined, categorized and expressed in logic.
• The effectiveness of a SIEM in detecting pre- and post-compromise activity is directly related to the success of collecting data.
5. History of SIEMs
• Security Incident Event Management
• SIEMs have been a tool and technology in use for over 15 years
• The past 5 to 10 years in SIEM have been dominated by the ‘value’ question
• Traditionally the total cost of ownership of a SIEM is expensive, even for small deployments: people, process and technology
• For a successful SIEM deployment you needed a good IT team and highly talented and experienced security professionals.
Timeline
- 1999: MS SQL Server 7 the only commercial off-the-shelf ‘tera server’
- Perl and Python scripts constructed to help organize and manage repeatable tasks
6. The Evolution of SIEM 3.0
EARLY 2000’s
Traditional SIEMs: The Physical Data Center
• x86 servers predominant
• Primarily on-premises
• Hosting providers emerge
• Cloud options being developed
Threats and attacks: The Early Days of Threats
• Basic malware
• Spray and pray
• Smash-n-grab
• Solo hackers
• Mischief motivation
MID 2000’s
Traditional SIEMs: The Virtual Data Center
• Virtualization becomes mainstream
• Public clouds launch
• Mobile devices proliferate
Threats and attacks: Catalyst for Change
• Proliferation of malware
• Organized hacking groups
• Access to information
• Financial gain motivation
2014 & BEYOND
Traditional SIEMs: The Hybrid Data Center
• Cloud First/Mobile First approach by many companies
• Public cloud and Hybrid IT environments mainstream
Threats and attacks: Next Generation Threats
• Advanced attacks
• Multi-vector approach
• Social engineering
• Targeted recon
• Long duration compromises
7. What You Need to Make a Traditional SIEM
• Hardware: infrastructure (servers, etc.)
• Software: traditional relational DB
• Licensing
• Integration: write parsers, alert and correlation rules
• Correlation rules: ongoing tuning
• Threat intelligence: subscribe to and incorporate intelligence feeds
• Data sources to feed the SIEM
• Experts: lots of people, software, hardware, process; review and respond to alerts
All of the above combine into the traditional SIEM.
8. Why Traditional SIEMs Fail to Deliver Value
• The people cost came out in the usage of the SIEM
• Big complex application that demanded the user not only know SIEM but be expert in understanding event sources.
• How else would you know what questions to ask of the data?
9. Potential Pitfalls
• Licensing
• Capabilities
• Performance
• Move to the Cloud
• Support for DevOps
• Scalability
• Multiple Platforms
- Different cloud providers, OS, versions
10. Polling Question
What is your experience with SIEM?
- Running a traditional SIEM
- Running something SIEM-like, but not traditional
- Not Running a SIEM
- Investigating options
11. What is a Modern SIEM
• Fully managed
• Big data
• Unlimited scale
• Cloud ready
• Can collect data without access to underlying cloud host infrastructure
• DevOps
12. What is a Modern SIEM
• Supports DevOps, config management
• Ex: Chef, Ansible, CloudFormation templates
• Supports cloud provider data types
• Ex: AWS CloudTrail
• Easily extensible
• Not limited by domain, source, message, or event frequency or uniqueness
• Automatically incorporates 3rd party watch lists
• Dynamically generates watch lists based on real-time data
13. Your Options for Getting a Modern SIEM
• Do-It-Yourself
• Managed Security Service Provider
• Fully-managed SIEM
14. How Cloud Defender Works
• Data collection from the customer IT environment (cloud, hybrid, on-premises):
- Web application events: Alert Logic Web Security Manager
- Network events: Alert Logic Threat Manager
- Log data: Alert Logic Log Manager
• Big Data Analytics Platform: Alert Logic ActiveAnalytics
• Threat Intelligence & Security Content: Alert Logic ActiveIntelligence
• 24 x 7 Monitoring & Escalation: Alert Logic ActiveWatch
• Outcome: continuous protection from threats and exposures
15. Creating Threat Intelligence to Feed a Modern SIEM
Inputs (data sources):
• Honey Pot Network
• Flow based Forensic Analysis
• Malware Forensic Sandboxing
• Intelligence Harvesting Grid
• Alert Logic Threat Manager Data
• Alert Logic Log Manager Data
• Alert Logic Web Security Manager Data
• Alert Logic ScanWatch Data
• Asset Model Data
• Customer Business Data
Outputs:
• Security Content
• Applied Analytics
• Threat Intelligence Research
Incidents are escalated to the Customer Security Operations Center (24/7).
16. What You Need to Solve the SIEM Problem
• Rule creation & management: experts create and manage correlation rules that identify threats and reduce false positives
• Continuous threat research: threat researchers continuously provide content enabling detection of emerging threats
• Full stack correlation: threat coverage across the application stack delivers broad visibility and protection
• Results delivered: integration of technology and security expertise delivers the results and goals of SIEM investments
17. Questions and Resources
Questions
Resources available under the “attachments” tab of this webinar:
451 Research Report
• Outlines Alert Logic approach to SIEM.
Zero Day Magazine
• New Magazine with the latest on IT Security trends.
Alert Logic Blog
• Detailed information on vulnerabilities and recommended patches.
Weekly Threat Newsletter
• Weekly update of breaches and vulnerabilities