Is SIEM really Dead? Or Can it evolve into a Platform?
1. Copyright © Aujas All rights reserved.
Risk Advisory and Security Intelligence Services
Is SIEM Dead or Evolving
Aujas Networks Private Ltd.
“Aujas” in Sanskrit means “Strength & Energy in a Warrior”
Chandra Prakash Suryawanshi
chandra.prakash@aujas.com
2. SIEM is Dead?
• Two-decade-old technology
• Was great at managing compliance
• Evolved from log management to correlation and providing a single pane of glass
• Reduces noise, improving signal-to-noise
• But its sight soon became limited as attackers' tools, techniques and procedures advanced and became stealthy
• And finally, compliance management is no longer risk management
3. And data from monitoring capabilities suggests SIEM is dead
[Figure: Different threat actors have different motivations and tactics. The facts show that attackers are getting smarter, more targeted and persistent. Panels: number of US companies hit by APT; average compromise time before discovery; compromises take minutes or hours; number of victims re-compromised within a year; intrusions are low difficulty (no special skills or resources). Values shown on the slide: 83%, 78%, 38%, 84%, 9M.]
* Source - Mandiant
4. So why is SIEM not able to detect advanced threats?
[Figure "Mind the Gap": security exposures increasing exponentially; progression of adversary and motive over time. Axes: sophistication vs. time. Rising curves: speed and sophistication of attacks, volume of threats and vulnerabilities. Lagging curves: security procedures and agility, risk reduction and compliance efforts.]
Attack speed and sophistication are advancing due to a mature underground economy; most attacks don't leave logs.
New technologies provide a new supply of vulnerabilities to be exploited; attackers are persistent and behave like normal users, which is difficult to detect.
Old threats don't always disappear; new threats add to the total threat landscape.
* Source - IBM
5. So what is the alternative?
MACHINE LEARNING AND ARTIFICIAL INTELLIGENCE
SECURITY ANALYTICS – NBAD AND END POINT AND USER ANALYTICS
THREAT INTELLIGENCE
Open questions for each alternative:
• What patterns have been built, and what algorithm does the technology use for machine learning?
• How accurate is the system in detecting anomalies for malware and behaviour?
• How does it compare with other similar products, and what criteria should be used for evaluation?
• Threat intelligence comes in many forms, is difficult to ingest, and requires capabilities and continuous analysis to turn it into actionables
6. Or is SIEM really dead – Yes? / No?
Yes:
• SIEM is good at collecting logs from disparate systems and aids correlation and compliance, but it limits the analytical capability for threat detection and forensics
• SIEM is reactive and rule-driven, whereas security is not static: one cannot implement rules and sleep, since security is a continuous and evolving process
• SIEM cannot show the entire attack vector, i.e. the attack behaviour, in a single window
• Most modern and advanced attacks do not leave logs, and in some cases transaction and other logging is difficult
No:
• Organizations still need data aggregation and correlation
• SIEM provides the single pane of glass and forms the backbone of monitoring capabilities
• One can build better attack- and kill-chain-based use cases that detect behaviour, moving away from point security tool detection capabilities
• Automate and integrate multiple technologies with SIEM for better threat detection
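The kill-chain use case mentioned above, as an added example that is not from the deck or from any Aujas or vendor product: instead of alerting on each point-tool event in isolation, the correlation keys events by host, maps them to kill-chain stages, and escalates only when several stages occur in chain order inside a time window. The key=value log format, the stage taxonomy, the tool-to-stage mapping and the host names are all assumptions constructed for the example.

```python
"""Kill-chain-based SIEM use case: correlate low-severity point-tool events per host
across attack stages and escalate when several stages line up in a time window.

Added example (not code from the original deck). Log lines, host names, the
key=value format and the stage mapping are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-chain stages in attack order. Each point tool sees only one of these; the
# correlation is what turns individually weak events into an incident.
STAGES = ["delivery", "exploitation", "installation", "c2", "lateral_movement"]

# (source tool, event name) -> kill-chain stage. Assumed taxonomy for the example.
STAGE_MAP = {
    ("email_gw", "attachment_macro"): "delivery",
    ("edr", "office_spawns_shell"): "exploitation",
    ("edr", "new_service_created"): "installation",
    ("proxy", "beacon_periodic"): "c2",
    ("winlog", "remote_logon_4624_type3"): "lateral_movement",
}

# Constructed sample events: wks-017 walks the whole chain, wks-042 only beacons,
# wks-099 has two stages but hours apart (outside the default 2h window).
SAMPLE_LOG = """\
ts=2024-03-01T09:00:05 src=email_gw host=wks-017 event=attachment_macro
ts=2024-03-01T09:02:10 src=edr host=wks-017 event=office_spawns_shell
ts=2024-03-01T09:03:42 src=edr host=wks-017 event=new_service_created
ts=2024-03-01T09:15:00 src=proxy host=wks-017 event=beacon_periodic
ts=2024-03-01T09:40:00 src=winlog host=wks-017 event=remote_logon_4624_type3
ts=2024-03-01T10:00:00 src=proxy host=wks-042 event=beacon_periodic
ts=2024-03-01T18:30:00 src=email_gw host=wks-099 event=attachment_macro
ts=2024-03-02T08:00:00 src=edr host=wks-099 event=office_spawns_shell
"""


def parse(line):
    """Parse one key=value log line into a dict with a datetime timestamp."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def correlate(log_text, window_hours=2, min_stages=3):
    """Return {host: [stages]} for hosts on which at least `min_stages` distinct
    kill-chain stages occurred, in chain order, within `window_hours` of the
    first stage of the chain. Out-of-order events are not counted as progression.
    """
    window = timedelta(hours=window_hours)
    events = sorted((parse(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda r: r["ts"])
    per_host = defaultdict(list)  # host -> [(ts, stage)] in time order
    for rec in events:
        stage = STAGE_MAP.get((rec["src"], rec["event"]))
        if stage:
            per_host[rec["host"]].append((rec["ts"], stage))

    incidents = {}
    for host, seq in per_host.items():
        best = []
        # Anchor a window at every event and keep the longest ordered chain found.
        for i, (t0, _) in enumerate(seq):
            chain, last_idx = [], -1
            for t, stage in seq[i:]:
                if t - t0 > window:
                    break
                idx = STAGES.index(stage)
                if idx > last_idx:  # strictly later stage: chain progression
                    chain.append(stage)
                    last_idx = idx
            if len(chain) > len(best):
                best = chain
        if len(best) >= min_stages:
            incidents[host] = best
    return incidents


if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_LOG).items():
        print(f"ESCALATE {host}: {' -> '.join(chain)}")
```

The window and threshold are the tuning knobs a SOC would adjust per use case; widening the window catches slow campaigns such as wks-099 at the cost of more false chains.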
7. SIEM is Evolving as a Platform
• The data collection capabilities and compliance benefits of log management
• The correlation, normalization and analysis capabilities of SIEM (security information and event management)
• The network visibility and advanced threat detection of NBAD (network behavior anomaly detection), and user behavior anomaly detection by machine learning (User Behavior Analytics)
• The ability to reduce breaches and ensure compliance provided by risk management
• The network traffic and application content insight afforded by network forensics
• The automation of incident response by artificial intelligence / run books
• IOC and vulnerability management (VM) driven by threat intelligence
• Reporting and visualization provided by the presentation layer
SIEM as a platform should be a truly integrated solution built on a common codebase, with a single data management architecture and a single user interface.
8. SIEM as a Platform
[Platform diagram, reconstructed from the slide text]
Monitor everything: logs, network traffic, user activity
Correlate intelligently: connect the dots of disparate activity
Detect anomalies: unusual yet hidden behaviour
Prioritize for action: attack high-priority incidents
Threat Intelligence sources
• Internal: logs, contextual data, vulnerability assessments, asset inventories, reports and analytics
• External: XFORCE, CrowdStrike, SecureWorks, Deepsight
• Threat ingestion: Structured Threat Information eXpression (STIX™)
SIEM environment: single, unified and integrated management console; machine learning / analytics; artificial intelligence; incident management automation
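The threat ingestion step above (external feeds delivered as STIX and matched inside the SIEM), as an added example that is not from the deck or from any of the feed vendors named on the slide. It loads a STIX 2.1 JSON bundle, indexes the indicator patterns, and matches them against SIEM log records. Assumptions: the bundle, indicator values (documentation address ranges and example.com names) and log lines are constructed; the deck's feed could equally be STIX 1.x XML; and only simple comparison patterns joined by AND/OR are handled, not the full STIX patterning language.

```python
"""Threat-intelligence ingestion: load STIX 2.1 indicators and match them against
SIEM log records.

Added example, not code from the deck or from any vendor feed. The bundle, the log
lines and the indicator values are constructed. The pattern grammar handled here
(comparisons of the form type:property = 'value', joined by AND/OR) is a subset of
STIX patterning and is an assumption of the example.
"""
import json
import re

SHA = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed STIX 2.1 bundle: two live indicators and one that was revoked.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "name": "C2 server", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "name": "Dropper hash + domain", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[domain-name:value = 'malware-dl.example.com'] OR "
                    "[file:hashes.'SHA-256' = '" + SHA + "']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-02-01T00:00:00.000Z",
         "name": "Old sinkhole", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "revoked": True,
         "pattern": "[domain-name:value = 'revoked.example.net']"},
    ],
})

# Constructed SIEM records (key=value). Only wks-017 touches live indicators.
SAMPLE_LOG = """\
ts=2024-03-01T10:00:00 src=proxy host=wks-017 dst_ip=198.51.100.23 url=http://198.51.100.23/cfg
ts=2024-03-01T10:01:00 src=dns host=wks-017 query=malware-dl.example.com
ts=2024-03-01T10:02:00 src=edr host=wks-017 sha256=""" + SHA.upper() + """
ts=2024-03-01T10:03:00 src=proxy host=wks-042 dst_ip=203.0.113.9 url=http://203.0.113.9/
ts=2024-03-01T10:04:00 src=dns host=wks-042 query=revoked.example.net
"""

# One STIX comparison: <object-type>:<property> = '<value>'
PATTERN_RE = re.compile(r"(?P<obj>[\w-]+):(?P<prop>[^\s=]+)\s*=\s*'(?P<val>[^']*)'")

# Which SIEM log fields carry which STIX cyber-observable property (assumed schema).
FIELD_MAP = {
    "dst_ip": ("ipv4-addr", "value"),
    "query": ("domain-name", "value"),
    "sha256": ("file", "hashes.'SHA-256'"),
}


def load_indicators(bundle_json):
    """Return {(object type, property, value): indicator name} for live indicators.
    Revoked indicators and non-STIX pattern types (e.g. snort, yara) are skipped."""
    index = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        for m in PATTERN_RE.finditer(obj["pattern"]):
            # Case-insensitive match for hashes and domain names.
            index[(m["obj"], m["prop"], m["val"].lower())] = obj["name"]
    return index


def match_logs(log_text, index):
    """Return one hit per (log line, field) whose value is a known indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = dict(kv.split("=", 1) for kv in line.split())
        for field, (obj, prop) in FIELD_MAP.items():
            if field in rec:
                name = index.get((obj, prop, rec[field].lower()))
                if name:
                    hits.append({"line": n, "host": rec["host"],
                                 "field": field, "indicator": name})
    return hits


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOG, load_indicators(STIX_BUNDLE)):
        print(hit)
```

The revoked indicator is the important edge case: a feed that is ingested once and never reconciled keeps firing on retired or sinkholed infrastructure, which is exactly the "continuous analysis" burden the slide on alternatives warns about. A production ingester would also honour valid_until and re-pull the feed on a schedule.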
9. SIEM Platform: Conceptual Integration Architecture
[Figure: sample conceptual SOC integration architecture. Point tools integrated with the SIEM: Email Gateway, Malware Protection, IBM IPS, McAfee IPS, SourceFire IPS, Anti Virus, End Point Security, Full Packet Capture, Proxy, Configuration Management, DDoS, Wireless IPS, APT Solution, DLP, IT GRC, Compliance Tool, Vulnerability Management, AppSec.]
The figure (from our prior work) depicts a "sample" conceptual integration architecture for a SOC.
10. The benefits of a fully integrated Security Intelligence function
Components compared: SIEM function NOT fully integrated / SIEM as a Platform / Benefits

Technology
  Not fully integrated: SEM tool only; limited data sets
  As a platform: SIEM and big data platform; data analytics and visualization tools; integration of VM and threat intelligence; multi-disciplinary data sets; incident response run books
  Benefits: richer visibility into the environment; coverage for unknown/unknown threats; leverage threat intelligence for proactive response

Process
  Not fully integrated: integrated with SOC only; implement recommendations to detect attacks for SOC (SEM tool)
  As a platform: integrated with the entire security program and cross-functional areas; operational processes (incident, escalation, forensics, governance and foundation processes) fully integrated and workflow-driven with full automation
  Benefits: robust method-driven management; reduction in costs by reducing the number of incidents; run book automation

Governance / People
  Not fully integrated: number of attacks detected by SOC due to security intelligence recommendations; cross-functional committee only prioritizes projects within SOC's scope
  As a platform: number of attacks detected and prevented by SOC, security controls and business functions due to security intelligence recommendations; apply data breach cost avoidance value for each attack prevented
  Benefits: cost of service quality; data breach cost avoidance; focus on cyber attack metrics vs. compliance metrics
11. Client Challenges in Implementing SIEM as a Platform
• Availability of talent:
  • Threat hunting is a dedicated job and needs expertise and breadth of knowledge in vulnerability research, IOC management, malware reverse engineering and business acumen
  • Application integration and business use case building need application owners' buy-in and their time. It needs parser building and customization, a different set of talent with a programming background
  • For SOC operations, a minimum of 10 people is needed to manage 24x7 coverage with different sets of expertise
  • Forensics is a specialized skill, and it is difficult to manage, retain and nurture that talent
• Extremely costly to implement the full suite of technologies; needs investment in SIEM platform tools, consulting services, threat intelligence feeds and infrastructure management
• Analytics as a function is slow to learn and needs large data sets; managing it with the right set of data and fine tuning need continuous effort and time
• Need a roadmap to crawl, walk and run, and handholding across the programme over its lifecycle
13. Aujas Service and Value Proposition
[Service platform diagram, reconstructed from the slide text]
Tools and methods: security operations tools at customer premise; security operations staff (customer organization)
Aujas SAVP platform for SIEM data feed, console integration, and parser and API integration for security point tools
Console monitoring, incident workflow, reporting, SIEM administration and service management
Single console to visualize SLA-driven services, risk and compliance reports, and incident lifecycle metrics
SIEM ADMINISTRATION
SIEM Policy Management
• Perform updates to existing policy rules
• Set up correlation rules to process and detect advanced patterns
• Manage SIEM system health; manage users and permissions
Log Source Management
• Verify data collection and log continuity
• Perform device on-boarding and log source addition
Custom Parser Development
• Develop custom parsers and properties and convert customized logs to a common log format for SIEM consumption
ANALYSIS, REPORTING AND DASHBOARD
Analysis and Reporting
• Generate daily and weekly reports
• Investigate anomalous data
• Manage report distribution
Dashboard and Visualization
• Provide role-based dashboards for executives, engineers and resolution teams
• Extend visualization capabilities for security posture assessment and trending
INCIDENT MANAGEMENT SERVICES
Monitoring and Notification
• Monitor alerts and policy exceptions
• Validate incidents and eliminate false positives
• Classify security incidents and manage escalation
Incident Response Management
• Provide remediation/countermeasure recommendations, if applicable
• Manage the lifecycle of incidents: creating, tracking, escalation and closure of incident tickets
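The custom parser development service listed above (converting a customized application log into a common log format the SIEM already understands), as an added example that is not Aujas code or any SIEM vendor's parser. It takes a pipe-separated audit log of a hypothetical "AcmeBank" application and emits CEF. The input format, application name and sample lines are constructed assumptions; CEF is used as the common format (the deck does not say which one), and the escaping rules shown are the standard CEF ones: pipe and backslash escaped in the header, equals and backslash (and newline) escaped in the extension.

```python
"""Custom parser: normalize a vendor-specific application audit log into CEF so the
SIEM can consume it with its stock CEF log source type.

Added example, not code from the deck or from any Aujas tooling. The input format
(a hypothetical 'AcmeBank' application log, seven pipe-separated fields with free
text last) and the sample lines are constructed; timestamps are assumed to be UTC.
"""
from datetime import datetime, timezone

# Constructed vendor log lines: ts|app|action|outcome|user|ip|free text.
# The last line has '|' and '=' in its free text; unescaped, they would corrupt
# the CEF header or split the extension into bogus key=value pairs.
SAMPLE_LINES = [
    "2024-03-01 09:12:33|acmebank-app|LOGIN|FAIL|alice|203.0.113.5|bad password",
    "2024-03-01 09:12:40|acmebank-app|LOGIN|OK|alice|203.0.113.5|",
    "2024-03-01 09:20:01|acmebank-app|TRANSFER|OK|bob|198.51.100.7|memo: pay=rent|ref 42",
]

# Assumed severity mapping (CEF severity is 0-10); unknown combinations get 1.
SEVERITY = {("LOGIN", "FAIL"): 5, ("LOGIN", "OK"): 1, ("TRANSFER", "OK"): 3}


def cef_header_escape(s):
    """Header fields: escape backslash first, then the pipe delimiter."""
    return s.replace("\\", "\\\\").replace("|", "\\|")


def cef_ext_escape(s):
    """Extension values: escape backslash, '=' and newlines; '|' is legal here."""
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def parse_acmebank(line):
    """Split one vendor line into a dict. maxsplit=6 keeps pipes in the free text."""
    parts = line.split("|", 6)
    if len(parts) != 7:
        raise ValueError(f"unexpected field count in line: {line!r}")
    ts, app, action, outcome, user, ip, reason = parts
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "rt": int(dt.timestamp() * 1000),  # CEF 'rt' accepts epoch milliseconds
        "app": app, "action": action, "outcome": outcome,
        "suser": user, "src": ip, "msg": reason,
    }


def to_cef(rec):
    """Render a parsed record as CEF:0|Vendor|Product|Version|SigID|Name|Severity|ext."""
    header = [
        "AcmeBank", rec["app"], "1.0", rec["action"],
        f"{rec['action']} {rec['outcome']}",
        str(SEVERITY.get((rec["action"], rec["outcome"]), 1)),
    ]
    extension = [
        ("rt", rec["rt"]), ("suser", rec["suser"]), ("src", rec["src"]),
        ("act", rec["action"]), ("outcome", rec["outcome"]), ("msg", rec["msg"]),
    ]
    head = "|".join(cef_header_escape(h) for h in header)
    ext = " ".join(f"{k}={cef_ext_escape(str(v))}" for k, v in extension)
    return f"CEF:0|{head}|{ext}"


def convert_all(lines):
    """Convert a batch of vendor lines; returns the CEF strings."""
    return [to_cef(parse_acmebank(line)) for line in lines]


if __name__ == "__main__":
    for out in convert_all(SAMPLE_LINES):
        print(out)
```

Two details matter when doing this for real: the free-text field must be the last one and split with a bounded maxsplit, otherwise a user-controlled value containing the delimiter shifts every later field; and the escaping is asymmetric between header and extension, so a single "escape everything" helper will produce records the SIEM parser rejects.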
14. Aujas advantage
Co-managed / hybrid SOC model advantages:
Aujas extends its platform for managing incidents, workflow-based escalations, and reporting and visualization
Trained resources with full 24x7 coverage
Manages the entire program; the client can also subscribe to on-demand services like use case build, application integration, device integration, vulnerability and threat management, and forensics support
Highly scalable model; adapts well to changing needs
Strikes a balance between in-house and outsourced service
Leverages Aujas expertise and best practices like use case accelerators, process kick-start, parsers, etc.
Provides access to ongoing training and education
Low cost to implement
Quick start-up, between 30 and 60 days
Minimizes operating costs
15. Aujas Information Risk Services
400+ Customers
served across 22 countries
340+ Employees
globally with more than 190
specialists
290+ Certified employees
across standards, technologies &
industry certifications
Aujas helps organizations manage information security risks by protecting data, software, people and identities in line with
compliance requirements and best practices; we also help strengthen security governance and intelligence frameworks.
Investors:
• Seed Funding
• IDG Ventures – Boston, MA
• Series B Funding
• IDG Ventures – Boston, MA
• IvyCap Ventures – Bay Area, CA
• RVCF - India
Global Presence:
Editor's Notes
The world of SIEM has changed; it is a two-decade-old technology
Was great at managing compliance
Evolved from log management to correlation and providing a single pane of glass
Reduces noise relative to signal
But soon got reduced to limited sight due to its limitations
I was surprised to see the report from Mandiant that states the following facts:
100% of the breaches had updated anti-virus software
63% of the breaches were reported by third parties
It took 243 days to detect an attack
Situation continued:
The number and variety of new adversaries and threats continues to grow
Adversaries continue to get more sophisticated in their attacks due to the proliferation of cyber weapons in the underground economy. Vulnerabilities and exploits available to attackers continue to increase as companies leverage mobile, cloud and the Internet of Everything. This provides adversaries an almost unlimited supply of attack scenarios to achieve an objective
Complication: traditional SOCs are not equipped (agile enough) to deal with the volume and advancement of cyber attacks
"Machine learning systems automatically learn programs from data" (*)
You don't really code the program; it is inferred from data.
This is not about trying to mimic the way the brain learns (that is where terms like artificial intelligence come from).
We are drowning in information but starved for knowledge
There is so much noise that finding the signal is difficult
Limitation:
Adversaries exploit the learning process (understand the model, understand the machine, and you can circumvent it)
Any predictive model in InfoSec will be pushed to the limit, e.g. think how the spam engines evolved.
SIEM is dead because:
It is reactive and driven by rules, whereas security is not static; one cannot implement rules and sleep, since security is a continuous and evolving process
It might collect logs from disparate sources, but most attacks and malware do not leave logs, or logging is difficult; one may not monitor transactional logs, and collecting logs from end points may be limited to host firewall/IPS/DLP
It cannot provide information about the attack vector, but only detect
SIEM is rapidly losing trust because of its inability to adapt to address new APT challenges