1. Redefining SIEM to Real Time Security Intelligence
David Osborne
Security Architect
September 18, 2012
2. It's not paranoia if they really are out to get you
• Malware
• Malicious Insiders
• Exploited Vulnerabilities
• Careless Employees
• Mobile Devices
• Social Networking
• Social Engineering
• Zero-Day Exploits
• Cloud Computing Security Threats
• Cyber Espionage
3. Reality of Compliance
• Audits happen quarterly or annually
• Effort and budget spent to get compliant
• Little focus or process to stay that way
4. SIEM – The Great Correlator
• Major SIEM Functions
– Collect
– Normalize
– Correlate
• Collect log and event data from systems across the network
– Security devices, applications, OS, databases, end-point protections, etc.
• Normalize similar events across disparate data sources
– Login events from a VPN, OS, or Application are all "authentication events"
• Correlate multiple events into known attack vectors or policy violations
– "Multiple failed logins followed by a success" indicates brute force access
– Eliminates the need for an analyst to try to "piece together" the event
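As an added example (not code from the deck or from the product it describes), the following Python script shows the collect, normalize and correlate stages of this slide on constructed log lines: three regexes map VPN, SSH and web-application login lines into one "authentication" event taxonomy (the normalization step slide 15 also refers to), and a sliding-window rule then fires when the same user and source produce N failures followed by a success. Log formats, hostnames and addresses are all constructed.

```python
"""Normalize heterogeneous login events into one taxonomy and correlate
"multiple failures followed by a success" (constructed input, added example)."""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed raw log lines from three different sources (not real data).
RAW_LOGS = [
    "2012-09-18T09:00:01 vpn01 ike: user=alice src=203.0.113.5 result=FAIL",
    "2012-09-18T09:00:04 vpn01 ike: user=alice src=203.0.113.5 result=FAIL",
    "2012-09-18T09:00:09 vpn01 ike: user=alice src=203.0.113.5 result=FAIL",
    "2012-09-18T09:00:15 vpn01 ike: user=alice src=203.0.113.5 result=OK",
    "2012-09-18T09:01:00 srv07 sshd[123]: Failed password for bob from 198.51.100.9 port 4022 ssh2",
    "2012-09-18T09:01:30 srv07 sshd[123]: Accepted password for bob from 198.51.100.9 port 4022 ssh2",
    "2012-09-18T09:02:00 webapp login_failed user=carol ip=192.0.2.77",
    "2012-09-18T09:02:02 webapp login_failed user=carol ip=192.0.2.77",
    "2012-09-18T09:02:03 webapp login_failed user=carol ip=192.0.2.77",
    "2012-09-18T09:02:05 webapp login_ok user=carol ip=192.0.2.77",
]

# One parser per source; the formats are invented for this example.
VPN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) ike: user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<res>\S+)$")
SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<res>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")
WEB_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<res>login_failed|login_ok) user=(?P<user>\S+) ip=(?P<ip>\S+)$")
PARSERS = ((VPN_RE, {"OK"}), (SSH_RE, {"Accepted"}), (WEB_RE, {"login_ok"}))


def normalize(line):
    """Map a raw line from any supported source to the common 'authentication' event shape.
    Returns None for lines no parser understands (they would be kept as raw, uncategorized)."""
    for rx, success_values in PARSERS:
        m = rx.match(line)
        if m:
            return {
                "ts": datetime.fromisoformat(m["ts"]),
                "category": "authentication",
                "host": m["host"],
                "user": m["user"],
                "src_ip": m["ip"],
                "outcome": "success" if m["res"] in success_values else "failure",
            }
    return None


def correlate_brute_force(events, threshold=3, window=timedelta(seconds=60)):
    """Rule: at least `threshold` failures for the same (user, source) inside `window`,
    followed by a success, raises one alert and resets that key's window."""
    events = sorted(events, key=lambda e: e["ts"])
    failures = {}  # (user, src_ip) -> deque of recent failure timestamps
    alerts = []
    for e in events:
        key = (e["user"], e["src_ip"])
        q = failures.setdefault(key, deque())
        while q and e["ts"] - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if e["outcome"] == "failure":
            q.append(e["ts"])
        elif len(q) >= threshold:
            alerts.append({"rule": "brute_force_success", "user": e["user"], "src_ip": e["src_ip"],
                           "host": e["host"], "failures": len(q), "ts": e["ts"]})
            q.clear()
    return alerts


def run(lines=RAW_LOGS):
    """Collect -> normalize -> correlate over the constructed lines."""
    events = [ev for ev in map(normalize, lines) if ev]
    return correlate_brute_force(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed input the rule fires for alice (VPN) and carol (web application) but not for bob, whose single SSH failure is below the threshold; the analyst sees two alerts in one taxonomy rather than ten raw lines in three formats.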
5. Redefining SIEM
• Security is a Process, not a Product
– Each stage supports the next
– A "weak link" breaks the process
– Tools need to automate each stage
– Integration provides actionable intelligence
• Legacy SIEMs are Limited
– Risk Assessment — limited to VA scan data
– Threat Detection — limited to event correlation
– Incident Response — limited to log analysis
– Compliance Reporting — limited to canned reports
6. SIEM is Still Evolving…To
• SIEM Content Awareness (Next Generation SIEM)
– Content Awareness is understanding the payload at the Application Layer
• What is actually being communicated, transferred, and shared over the network.
• Examples of "Content" Awareness are the understanding of:
– Email contents, including the attachments
– Social, IM and P2P network communications
– Document contents
– Application relationships with database queries and responses
– Database monitoring
– Data leakage – sensitive information within chat, email, printed, etc.
7. Adding Context to Logs
[Figure: a single "Log record" in the centre, surrounded by the context questions an analyst asks about each of its fields]
• Host: What is the host's IP address? DNS name, Windows name, other names? Location on the network/datacenter? Who is the admin? Is this system vulnerable to exploits?
• Source IP: Whois info? Organization owner? Where does the IP originate from (geo location info)? What is the time zone? What else happened on this host? Which other hosts did this IP communicate with?
• Time: What else happened at this time? Near this time?
• User: Who is this user? What is the user's access level? What is the user's real name, department, location? What other events from this user?
• Service: What is this service? What other messages did it produce? What other systems does it run on?
• Port: What is this port? Is this a normal port for this service? What else is this service being used for?
• Numeric codes: What does this number mean? Is this documented somewhere?
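The enrichment this slide sketches, as an added Python example that is not from the deck or the product: one log record is joined against constructed stand-ins for an asset inventory, a user directory, a GeoIP/whois table, an expected-port table and the surrounding event stream, and the answers are turned into flags an analyst can act on. All table contents, hostnames, addresses and the internal address plan are constructed.

```python
"""Enrich a single log record with host, user, geo, service and time-neighbourhood
context (added example; every lookup table below is a constructed stand-in)."""
import ipaddress
from datetime import datetime, timedelta

# Constructed asset inventory (stand-in for a CMDB plus VA scan results), keyed by IP.
ASSETS = {
    "10.0.1.20": {"hostname": "db-prod-02", "dns": "db-prod-02.corp.example", "zone": "datacenter-east",
                  "admin": "ops-dba", "open_vulns": 2},
    "10.0.5.7": {"hostname": "wks-1137", "dns": "wks-1137.corp.example", "zone": "office-lan",
                 "admin": "desktop-support", "open_vulns": 0},
}
# Constructed user directory (stand-in for IAM / LDAP).
USERS = {
    "jdoe": {"real_name": "Jane Doe", "department": "Finance", "location": "Boston", "access_level": "standard"},
    "dba1": {"real_name": "Dev Admin", "department": "IT", "location": "Austin", "access_level": "admin"},
}
# Constructed GeoIP/whois blocks; "XX" is a placeholder country code.
GEO_BLOCKS = [
    (ipaddress.ip_network("203.0.113.0/24"), {"country": "XX", "org": "Example Transit Ltd", "tz": "UTC+02:00"}),
]
# The organization's own address plan (constructed): anything outside it is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports a service is expected to use; a mismatch is one of the slide's "normal port?" questions.
EXPECTED_PORTS = {"mysql": {3306}, "ssh": {22}, "https": {443}}

# Constructed event stream used to answer "what else happened near this time, on this host?"
OTHER_EVENTS = [
    {"ts": datetime(2012, 9, 18, 14, 2, 10), "host": "db-prod-02", "msg": "mysqld: new connection from 203.0.113.44"},
    {"ts": datetime(2012, 9, 18, 14, 2, 40), "host": "db-prod-02", "msg": "mysqld: SELECT * FROM payroll"},
    {"ts": datetime(2012, 9, 18, 13, 10, 0), "host": "db-prod-02", "msg": "cron: nightly backup finished"},
    {"ts": datetime(2012, 9, 18, 14, 2, 20), "host": "wks-1137", "msg": "explorer.exe started"},
]


def geo_lookup(ip):
    """Longest-prefix style lookup over the constructed geo table."""
    addr = ipaddress.ip_address(ip)
    for net, info in GEO_BLOCKS:
        if addr in net:
            return info
    return {"country": "unknown", "org": "unknown", "tz": "unknown"}


def is_external(ip):
    """External means 'not in our own address plan', not the generic RFC1918 test."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def enrich(record, others=OTHER_EVENTS, window=timedelta(seconds=60)):
    """Return the record plus the context answers and a list of analyst-facing flags."""
    asset = ASSETS.get(record["dst_ip"], {})
    user = USERS.get(record["user"], {})
    ctx = {
        "record": record,
        "asset": asset,
        "user": user,
        "src_geo": geo_lookup(record["src_ip"]),
        "src_is_external": is_external(record["src_ip"]),
        # Same host, within +/- window of the record's timestamp.
        "nearby_events": [e["msg"] for e in others
                          if e["host"] == asset.get("hostname") and abs(e["ts"] - record["ts"]) <= window],
        "flags": [],
    }
    if ctx["src_is_external"]:
        ctx["flags"].append("external_source")
    if record["dst_port"] not in EXPECTED_PORTS.get(record["service"], {record["dst_port"]}):
        ctx["flags"].append("unusual_port_for_service")
    if user.get("access_level") == "standard" and record["service"] == "mysql":
        ctx["flags"].append("standard_user_on_database_service")
    if asset.get("open_vulns", 0) > 0:
        ctx["flags"].append("target_has_open_vulns")
    return ctx


# Constructed log record: a database connection from an outside address by a finance user.
SAMPLE_RECORD = {"ts": datetime(2012, 9, 18, 14, 2, 30), "src_ip": "203.0.113.44", "dst_ip": "10.0.1.20",
                 "dst_port": 3306, "service": "mysql", "user": "jdoe"}

if __name__ == "__main__":
    for key, value in enrich(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

The raw record alone says "jdoe connected to 10.0.1.20:3306"; enriched, it says a standard-access finance user reached a production database with open vulnerabilities from an address outside the organization, and that a full-table read of payroll followed ten seconds later.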
8. Broad Content and Context Correlation
[Figure: correlation across the data sources feeding the SIEM and the threat categories they reveal]
• Data sources: Authentication & IAM events from security devices; Application contents; User identity; Device & application log files; Database transactions; Location; OS events; VA scan data
• Threat categories: Malware (viruses, Trojans); Insider threats; Advanced threats (exploits)
9. SIEM and Situational Awareness
• SIEM DOES NOT SOLVE APT, but Provides Situational Awareness
– THERE IS NO APT "ALL IN ONE SOLUTION"
• SIEM Can Help with Attacks
– Determining the Scope of Attack
• What Systems or Devices were Involved
• What DATA was Compromised
• What Evasion Techniques were Utilized
• Timelines
• Toolsets Utilized
• Work Flows and Processes of Attackers
– Heuristics for Historical Correlation
• Even with SIEM, Security Expertise and Experience are REQUIRED
– Well Trained Security Analysts and Highly Developed Security Policies and Procedures, Combined with SIEM for Situational Awareness, are the BEST Strategy for dealing with Exploits, Low and Slow Attacks and APT
10. Scalability & Performance
• Unmatched Speed
– Industry's Fastest SIEM
– 100x to 1,000x faster than current solutions
– Queries, correlation and analysis in minutes, not hours
• Unmatched Scale
– Collect all relevant data, not selected sub-sets
– Analyze months and years of data, not weeks
– Include higher layer context and content information
– Scales easily to billions of data records
11. NitroView Overview
"Single Pane-of-Glass"
• McAfee ESM
– Unified Visibility & Analysis
– Compliance & Reporting
– Policy Management
• McAfee ELM
– Log Management
– Compliant Log Storage
– SAN/CIFS/NFS/Local Storage
• McAfee Receiver
– 3rd Party Log/Event Collection
– Network Flow Data Collection
– VMware Receivers Available
• McAfee ADM (Application Data Monitor)
– Layer 7 Decode
– Full Meta-Data Collection
– Application Visibility: 100s of applications and 500+ document types
• McAfee DEM (Database Activity Monitor)
– Database Log Generation
– Session Audit
– Data Visibility: data traffic from leading databases
• McAfee ACE (Advanced Correlation)
– Risk-Based Correlation
– Historical Correlation
– Risk Scoring: detect potential threats
– Asset information/context
– Vulnerability Information
– Which assets are most at-risk
12. Global Threat Intelligence (GTI)
[Figure: the same ESM / ELM / Receiver / ADM / DEM / ACE component diagram as slide 11 (DEM labelled Database Event Monitor here), with Shared Threat Intelligence feeding the ESM]
• Shared Threat Intelligence
• Reputation-based WW visibility into all types of cyber threats
• Automatic, push feed
• Today – Bad Actors/Dangerous IPs
• Additional GTI capabilities:
– file, web, message & network connection reputation
– web categorization
13. How can SIEM help with MTTR?
• Advanced Correlation uses activity to determine Risk
14. How can SIEM help with MTTR?
• Baselines to determine deviations from normal activity
15. How can SIEM help with MTTR?
• Normalization of events into a common taxonomy
16. How can SIEM help with MTTR?
• Global Threat Intelligence to determine if I have any communication with external known bad actors
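Slides 13, 14 and 16 together, as one added Python example (not the deck's or the product's code): each host's outbound-connection count for the current hour is compared with its own historical baseline, every destination is checked against a constructed reputation feed standing in for a GTI-style push feed of dangerous IPs, and the two signals are combined into a risk score so the analyst starts with the host that needs attention first. Hostnames, history, addresses and the feed are all constructed.

```python
"""Baseline deviation + reputation-feed matching + combined risk score
(added example; all history, flows and feed entries are constructed)."""
import statistics
from collections import Counter

# Constructed history: outbound connection counts for the same hour on the previous 7 days.
BASELINE_HISTORY = {
    "wks-1137": [12, 15, 11, 14, 13, 12, 16],
    "db-prod-02": [40, 42, 38, 41, 39, 40, 43],
}
# Constructed reputation feed (stand-in for a pushed list of known bad actors).
BAD_ACTORS = {"198.51.100.250": "botnet-c2", "203.0.113.99": "scanner"}
# Constructed current-hour flow records as (source host, destination IP).
CURRENT_FLOWS = (
    [("wks-1137", "192.0.2.10")] * 12
    + [("wks-1137", "198.51.100.250")] * 50   # a burst to a listed address
    + [("db-prod-02", "10.0.5.7")] * 41
)


def baseline_deviation(host, observed, history=BASELINE_HISTORY, threshold=3.0):
    """Return (z_score, deviates). z is how many standard deviations `observed`
    sits above the host's own mean; None when there is no usable baseline yet."""
    hist = history.get(host)
    if not hist or len(hist) < 2:
        return None, False          # cannot judge a host with no history
    mean = statistics.mean(hist)
    sd = statistics.pstdev(hist) or 1.0   # flat history would otherwise divide by zero
    z = (observed - mean) / sd
    return z, z > threshold


def assess(flows=CURRENT_FLOWS, feed=BAD_ACTORS):
    """Per host: observed count, baseline verdict, listed destinations contacted, risk score."""
    counts = Counter(src for src, _ in flows)
    bad_contacts = {}
    for src, dst in flows:
        if dst in feed:
            bad_contacts.setdefault(src, set()).add((dst, feed[dst]))
    results = {}
    for host, n in counts.items():
        z, deviates = baseline_deviation(host, n)
        score = 0
        if deviates:
            score += 40                     # activity outside the host's own normal
        if host in bad_contacts:
            score += 50                     # talked to a known bad actor
        if deviates and host in bad_contacts:
            score += 10                     # both at once: strongest signal
        results[host] = {
            "observed": n,
            "z": None if z is None else round(z, 1),
            "deviates": deviates,
            "bad_contacts": sorted(bad_contacts.get(host, [])),
            "risk": score,
        }
    return results


def triage_order(results):
    """Hosts sorted by risk, highest first: the analyst's worklist."""
    return sorted(results, key=lambda h: results[h]["risk"], reverse=True)


if __name__ == "__main__":
    r = assess()
    for host in triage_order(r):
        print(host, r[host])
```

On the constructed data the workstation's 62 connections sit roughly 29 standard deviations above its baseline and include a listed command-and-control address, so it scores 100; the database server's 41 connections are within its normal band and it scores 0, so it drops off the worklist without anyone reading its logs.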