SecureData reveals the four foundations for SIEM
- Everything in one place
- Logs glorious logs
- Make it make sense
- Resourcing for monitoring and threat mitigation
2. AGENDA
• SIEM today
– How are you doing it?
• Why SIEM?
– Business benefits
– IT team benefits
• Introducing SIEM
– What it is, and what it isn’t
• Four foundations for SIEM
– Everything in place
– Platform approach
– Expert security contextualisation
– Resourcing for 24/7 monitoring
• Sorting out your SIEM
– In-house
– SIEM-as-a-Service
4. TODAY’S SIEM LANDSCAPE
We find IT leaders tend to operate in one of three ways when it comes to SIEM:
• Ignore it – seat-of-the-pants security
• Do the minimum – log collation and reporting for compliance
• Functioning SIEM – platform approach, proactive threat detection
5. WHY SIEM?
Business benefits
• Service availability / uptime / minimise downtime
• Early warning system
• Better security intelligence
• More ‘known’ risks
IT benefits
• Proactive threat detection prevents incidents and the need for fire-fighting
• Efficient – data logs from the entire network are viewed via a single dashboard
• All IT teams have full visibility of all logs to find the root cause faster
• Reduce spend on security hardware by getting more from your existing infrastructure
• Optimise IT resources on value-creation projects
7. OPTIMISED SIEM ARCHITECTURE
[Architecture diagram: Customer Data Centre 1 … Customer Data Centre n, each with an Agent collecting events from firewalls, applications, switches, databases and routers; events travel over the Internet / WAN to the SecureData Cloud Data Centre (Logging Managers, Event Manager and Advanced Intelligence); reports and alerts go to the SecureData 24x7 Security Operations Centre.]
8. WHAT IS SIEM, AND WHAT IS IT NOT?
SIEM is not only:            But it is about:
Storing logs / logging       Log correlation and contextualisation
PCI or compliance            Security intelligence
Reports                      Real time information
Real time information        Ability to view historical logs in a structured and targeted way
Device logs                  All IT logs – physical access systems, coffee machines etc
Logs                         Traffic flow, process information, file monitoring
9. HOW TO ADDRESS SIEM
Four foundations of SIEM:
1. Everything in one place
2. Logs glorious logs – think platform, not just devices
3. Making it make sense – the need for an expert eye
4. Resourcing for monitoring and threat mitigation
10. FOUR FOUNDATIONS FOR SIEM
1. Everything in one place
• 42% of IT managers see multiple logging systems as a security risk
• Centralise logs for real time correlation & analysis
• All logs, not just security device logs
• Use automation tools
• Benchmark alarms for your organisational norms
• Provide full network visibility through one pane of glass to identify the root cause
• Enable faster diagnostics and mitigation
2. Logs glorious logs
• Take a platform or a ‘big data’ approach to log correlation
• Set the platform up in the right way
• Pull in contextual data such as traffic, packet analysis, traffic flow, file management etc
• Track security behaviour across the whole of the network
• 40% of IT managers have serious concerns about the time it takes to analyse data and logs
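An added illustration of foundations 1 and 2 (example code, not from the SecureData deck): firewall and application lines are normalised into one schema so they can be correlated in one place, and the alarm fires only when the combined behaviour exceeds a threshold benchmarked to the organisation's own norms. The log formats, hostnames, addresses and baseline values are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from two device types, already forwarded to one collector.
FIREWALL_LOGS = [
    "2024-05-01T09:00:01 fw1 DENY src=203.0.113.5 dst=10.0.0.8 dport=22",
    "2024-05-01T09:00:03 fw1 DENY src=203.0.113.5 dst=10.0.0.8 dport=22",
    "2024-05-01T09:00:05 fw1 ALLOW src=203.0.113.5 dst=10.0.0.8 dport=22",
]
APP_LOGS = [
    "2024-05-01T09:00:07 app1 login_failed user=admin src=203.0.113.5",
    "2024-05-01T09:00:09 app1 login_failed user=admin src=203.0.113.5",
    "2024-05-01T09:00:12 app1 login_ok user=admin src=203.0.113.5",
]
KV = re.compile(r"(\w+)=(\S+)")

def normalise(line, source_type):
    """Map a raw '<ts> <host> <action> k=v ...' line onto one common schema."""
    ts, host, action, *_ = line.split(" ", 3)
    fields = dict(KV.findall(line))
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "type": source_type, "action": action, "src": fields.get("src")}

def correlate(events, baseline, window=timedelta(minutes=5)):
    """Alert on a source IP whose combined firewall + application activity
    exceeds the organisation's own baseline (benchmarked thresholds)."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        # Window anchored at the source's first event; a production rule would slide it.
        inwin = [e for e in evs if e["ts"] - evs[0]["ts"] <= window]
        denies = sum(e["type"] == "firewall" and e["action"] == "DENY" for e in inwin)
        failed = sum(e["type"] == "app" and e["action"] == "login_failed" for e in inwin)
        success = any(e["type"] == "app" and e["action"] == "login_ok" for e in inwin)
        if denies >= baseline["fw_deny"] and failed >= baseline["login_failed"] and success:
            alerts.append({"src": src, "denies": denies, "failed": failed})
    return alerts

# Two organisational norms: the same events are noise under one and an alert under the other.
NOISY_SITE = {"fw_deny": 10, "login_failed": 10}
QUIET_SITE = {"fw_deny": 2, "login_failed": 2}

def run(baseline):
    events = [normalise(l, "firewall") for l in FIREWALL_LOGS] + \
             [normalise(l, "app") for l in APP_LOGS]
    return correlate(events, baseline)
```

Neither source on its own shows the pattern; only the centralised, correlated view does, and which baseline applies is what turns the information into intelligence.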
11. FOUR FOUNDATIONS FOR SIEM
3. Make it make sense
• Real time interpretation of SIEM monitoring is critical
• It requires an expert, human interface
• It’s important to distinguish the line between information and intelligence
• Security experts need to review the alarms and alerts to determine the action in the context of the organisation
4. Resourcing for monitoring and threat mitigation
• SIEM needs 24/7/365 monitoring
• Security skills on a continuous basis are expensive and under-utilised on monitoring
• Outputting a report each week is redundant practice in threat management
• SIEM can free up rather than use up resources by acting as an early warning system
• More time to mitigate threats enables resource planning and optimisation
• Reduce the need to ‘drop everything’ for attack fire-fighting
13. YOUR OPTIONS FOR SIEM
Internal
• Design, build, install
• Requires 24/7 resourcing
• Great if you have a SOC / NOC
• Security experts are expensive
Hybrid
• Fully managed SIEM by SecureData (some, or all)
• Equipment located on customer site
SIEM as a service
• Monitoring: log correlation, remote service monitoring, notifications
• Managed: remote diagnostics and assistance, remote vulnerability scans, remote system updates
15. THE SECUREDATA DIFFERENCE
1. Proactive approach to security
We take a different approach to security, focusing on proactive monitoring and management to minimise business disruption for our clients. We offer the complete security spectrum, from assessing risk to detecting threats, protecting valuable assets and responding to breaches when they happen.
2. Excellent customer service and support
We offer independent consultancy through dedicated account managers and technical guardians to recommend business security solutions built on the leading security vendors in the industry. We work hard to partner with customers, and we offer flexibility to develop customised processes that fit with the customer. Our highly accredited technical staff give customers first-class support and fast resolution times, with the desire to do the best possible job every time.
3. 24/7 security operations platform
We operate our own support teams and SOC, providing global reach with full responsibility for 24/7 security monitoring and management for customers. Owning the SOC enables us to better synthesise information, intelligence and transactions to proactively mitigate more threats before they impact the customer.