What is the Future of SIEM?
- 1. www.semplicityinc.com
WHAT IS THE FUTURE OF
SIEM?
Elastic{ON} Roadshow Atlanta
January 22, 2019
Leveraging Elastic to Modernize SIEM & Log Management
George Boitano, President
617-524-0171 (direct)
gboitano@semplicityinc.com
www.semplicityinc.com
© Copyright 2019 SEMplicity, Inc.
- 2.
What does a legacy SIEM do?
SIEM (2006) is a marriage of older SIM and SEM
technologies:
• SIM stores security log records centrally and
enables searching and some analysis;
• SEM correlates incoming logs and alerts upon
detected security events.
- 3.
SIEM/Log Management – Yesterday
Figure labels (legacy SIEM/log management functions): Compliance; Correlation; Evidentiary Storage; Reporting; Alerting; Search; Operations.
- 4.
The problem: now everybody wants in!
• As the threat landscape expands, more types of log records become relevant to security, from:
  • Applications;
  • Databases;
  • Physical Access Systems;
  • DNS/Routers/Netflow devices.
• Meanwhile, the volume of logs from monitored devices continually expands non-linearly.
• Finally, new event detection use cases keep emerging:
  • Long-range, non-realtime correlation;
  • Unsupervised machine learning anomaly detection;
  • Security log analytics.
• How can SIEM keep up?
- 5.
SIEM/Log Management – Today
Figure labels: Big Data!; License Enforcement; Legacy UE; Machine Learning Analytics; New Use Cases; Tech Lock-In; Integration; Customers.
- 6.
The SIEM/Log Management Pyramid
Pyramid layers (figure labels): Secure Log Transport; Parsing & Enrichment; High Availability Ingestion; Evidentiary Log Storage; Very Fast Search & Visualizations; Correlation & Alerting; Analytics & Machine Learning.
- 8.
Why Parse Logs?
Parsing logs attaches meaning:
• Naming fields according to a common schema enables correlation;
• Deriving fields like categories, severity and behavior enables
analytics;
• Only humans can attach meaning to anything…including log records!
Parsing is hard…but necessary.
Figure: Logs → Parsers → Meaning.
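The point of the slide is that a common field schema is what makes correlation across unrelated sources possible. The following added example (not code from the deck or from SEMplicity) parses two constructed log formats, a Linux sshd message and a firewall key=value record, into the same dotted field names (Elastic Common Schema style: source.ip, event.category, event.outcome), derives category, outcome and a severity value as the slide describes, and then correlates failures by source address across both sources. The log lines, the regex, the severity numbers and the function names are all assumptions made for the example.

```python
"""Parse two unrelated log formats into one common schema so they can be correlated.

Added example, not from the slide deck. Field names follow the ECS naming style;
the log lines below are constructed samples.
"""
import re
from collections import Counter, defaultdict

# Constructed sample records: (source type, raw line).
SAMPLE_LOGS = [
    ("sshd", "Jan 22 10:15:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2"),
    ("sshd", "Jan 22 10:15:03 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51030 ssh2"),
    ("sshd", "Jan 22 10:16:10 bastion sshd[2214]: Accepted publickey for deploy from 10.0.0.5 port 40112 ssh2"),
    ("fw", "ts=2019-01-22T10:15:02Z action=deny src=203.0.113.7 dst=10.0.0.20 dport=22 proto=tcp"),
    ("fw", "ts=2019-01-22T10:15:05Z action=allow src=10.0.0.5 dst=10.0.0.20 dport=443 proto=tcp"),
    ("fw", "corrupt line with no fields"),  # exercises the parse-failure path
]

SSHD_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<outcome>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_sshd(line):
    """sshd authentication message -> common-schema event, or None if unrecognised."""
    m = SSHD_RE.search(line)
    if not m:
        return None
    failed = m.group("outcome") == "Failed"
    return {
        "event.dataset": "sshd",
        "event.category": "authentication",          # derived category
        "event.outcome": "failure" if failed else "success",
        "event.severity": 5 if failed else 1,        # derived severity (example scale)
        "user.name": m.group("user"),
        "source.ip": m.group("ip"),
        "source.port": int(m.group("port")),
        "process.pid": int(m.group("pid")),
    }


def parse_firewall(line):
    """key=value firewall record -> common-schema event, or None if the keys are missing."""
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if "action" not in kv or "src" not in kv:
        return None
    denied = kv["action"] == "deny"
    return {
        "event.dataset": "firewall",
        "event.category": "network",
        "event.outcome": "failure" if denied else "success",
        "event.severity": 3 if denied else 1,
        "source.ip": kv["src"],
        "destination.ip": kv.get("dst"),
        "destination.port": int(kv["dport"]) if "dport" in kv else None,
        "network.transport": kv.get("proto"),
    }


PARSERS = {"sshd": parse_sshd, "fw": parse_firewall}


def parse_all(records):
    """Parse every record; lines no parser understands are kept and tagged, never dropped."""
    events = []
    for source, line in records:
        parsed = PARSERS[source](line)
        if parsed is None:
            parsed = {"event.dataset": source, "event.category": "unknown",
                      "message": line, "tags": ["parse_failure"]}
        events.append(parsed)
    return events


def failures_by_source_ip(events):
    """Count failed outcomes per source address across *all* datasets.

    This is only possible because both parsers emit the same field names."""
    counts = Counter()
    for e in events:
        if e.get("event.outcome") == "failure" and "source.ip" in e:
            counts[e["source.ip"]] += 1
    return counts


def datasets_by_source_ip(events):
    """Which log sources saw each address: the cross-source view a SIEM correlates on."""
    seen = defaultdict(set)
    for e in events:
        if "source.ip" in e:
            seen[e["source.ip"]].add(e["event.dataset"])
    return {ip: sorted(ds) for ip, ds in seen.items()}


if __name__ == "__main__":
    evts = parse_all(SAMPLE_LOGS)
    print(failures_by_source_ip(evts))
    print(datasets_by_source_ip(evts))
```

With the constructed input, the same address shows up as three failures spread over two datasets; that aggregation is a one-liner once the fields share names, and impossible while one source says `src` and the other says `from`. Tagging rather than discarding unparsed lines keeps the evidentiary record complete and makes parser gaps visible in the data itself.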
- 9.
Why Enrich Logs?
Log enrichment enables higher level use-cases:
• Network information eases prioritization of event response;
• Threat intelligence, whether public, private or internal, greatly assists in event detection and correlation;
• Identity information such as roles and privileges enables user analytics and sensitive user monitoring;
• Vulnerability information helps determine root cause and remediation;
• Host and user state and history also help determine root cause and assist analysts in building cases.
All this enrichment empowers anomaly detection and many other forms of analytics!
Figure caption: “There’s GOLD in them there logs!”
- 10.
Why Denormalize?
Denormalization avoids joining data between different structures:
• Enables much faster and easier searching and analysis;
• Costs more in terms of disk space and ingestion;
• Log records, which are written once and accessed many times, are best denormalized;
• We must always prioritize human time over machine resources…unless you want this guy:
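Enrichment at ingest time is denormalization in practice: the asset, identity and threat context is copied into each record so that the search side never has to join. The following added example (not code from the deck or from SEMplicity) illustrates both this slide and the enrichment slide before it. The asset inventory, identity directory, threat-intelligence indicators and the three input events are constructed sample data, the dotted field names follow the Elastic Common Schema style without being tied to any real index, and the risk-score weights and function names are assumptions made for the example.

```python
"""Ingest-time enrichment that writes a denormalized document.

Added example, not code from the slide deck. All reference data and events are constructed.
"""
import json

# Constructed reference data, which a SIEM normally keeps in separate stores.
ASSETS = {
    "10.0.0.20": {"name": "db-01", "zone": "pci", "criticality": "high"},
    "10.0.0.5": {"name": "ci-runner", "zone": "build", "criticality": "low"},
}
IDENTITIES = {
    "root": {"roles": ["admin"], "privileged": True},
    "deploy": {"roles": ["service"], "privileged": False},
}
THREAT_INTEL = {
    "203.0.113.7": {"feed": "constructed-feed", "confidence": "high"},
}

# Constructed events, already parsed into the common schema.
EVENTS = [
    {"event.dataset": "sshd", "event.category": "authentication", "event.outcome": "failure",
     "user.name": "root", "source.ip": "203.0.113.7", "destination.ip": "10.0.0.20"},
    {"event.dataset": "sshd", "event.category": "authentication", "event.outcome": "success",
     "user.name": "deploy", "source.ip": "10.0.0.5", "destination.ip": "10.0.0.20"},
    {"event.dataset": "firewall", "event.category": "network", "event.outcome": "success",
     "source.ip": "10.0.0.5", "destination.ip": "10.0.0.20", "destination.port": 443},
]


def risk_score(doc):
    """Derived field; it is only computable once the context fields are present (example weights)."""
    score = 0
    if doc.get("event.outcome") == "failure":
        score += 20
    if doc.get("user.privileged"):
        score += 30
    if "threat.indicator.ip" in doc:
        score += 40
    if doc.get("destination.host.criticality") == "high":
        score += 10
    return score


def enrich(event):
    """Copy asset, identity and threat context into the record itself (denormalization)."""
    doc = dict(event)
    asset = ASSETS.get(event.get("destination.ip"))
    if asset:
        doc["destination.host.name"] = asset["name"]
        doc["destination.network.zone"] = asset["zone"]
        doc["destination.host.criticality"] = asset["criticality"]
    identity = IDENTITIES.get(event.get("user.name"))
    if identity:
        doc["user.roles"] = identity["roles"]
        doc["user.privileged"] = identity["privileged"]
    indicator = THREAT_INTEL.get(event.get("source.ip"))
    if indicator:
        doc["threat.indicator.ip"] = event["source.ip"]
        doc["threat.feed.name"] = indicator["feed"]
        doc["threat.indicator.confidence"] = indicator["confidence"]
    doc["event.risk_score"] = risk_score(doc)
    return doc


def ingest(events):
    """Write-once path: do the joins here, so they never run again at search time."""
    return [enrich(e) for e in events]


def search_denormalized(docs, zone, min_score):
    """A single filter over one structure: no join at query time."""
    return [d for d in docs
            if d.get("destination.network.zone") == zone and d["event.risk_score"] >= min_score]


def search_normalized(events, zone, min_score):
    """Same question asked of the raw events: the lookups are repeated for every record, every query."""
    hits = []
    for e in events:
        asset = ASSETS.get(e.get("destination.ip"))          # join 1
        if not asset or asset["zone"] != zone:
            continue
        view = dict(e)
        view["destination.host.criticality"] = asset["criticality"]
        identity = IDENTITIES.get(e.get("user.name"))        # join 2
        if identity:
            view["user.privileged"] = identity["privileged"]
        if e.get("source.ip") in THREAT_INTEL:               # join 3
            view["threat.indicator.ip"] = e["source.ip"]
        if risk_score(view) >= min_score:
            hits.append(e)
    return hits


def storage_bytes(records):
    """Rough serialized size: denormalized documents are larger, which is the trade-off the slide names."""
    return sum(len(json.dumps(r, sort_keys=True)) for r in records)


if __name__ == "__main__":
    docs = ingest(EVENTS)
    print(search_denormalized(docs, "pci", 50))
    print(storage_bytes(EVENTS), "->", storage_bytes(docs))
```

Both search functions return the same single hit (the failed root login from the indicator-listed address against the PCI host), but the denormalized one is a plain filter an analyst can type in seconds, while the normalized one re-runs three lookups per record on every query. `storage_bytes` makes the cost side of the slide visible: the enriched documents are larger than the raw events.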
- 11.
SIEM/Log Management – Tomorrow
Figure labels: Elastic!; Compliance; Analytics; Big Data; Correlation; Alerting; Machine Learning; Open Integration; Evidentiary Storage; ???
- 13.
Connecting the Best of Both Worlds
Who We Are
– SEMplicity is an official, licensed Elastic Managed Services Provider (MSP).
– SEMplicity is the largest Micro Focus services provider for ArcSight.
– SEMplicity offers a cloud-based or on-prem managed service to store, search, visualize and analyze legacy SIEM logs in Elasticsearch.