SANS “ASK THE EXPERT”

Putting the Top 10 SIEM Best Practices To Work
Process, Metrics and Technologies

Also visit: WWW.ACCELOPS.NET/SIEMtop10.php

Sponsors:
  AccelOps, Inc.
  CSO Breakfast Club

 © 2010 AccelOps, Inc.                        September 2, 2010
Roundtable Participants
  Bill Sieglein
     President, CSO Breakfast Club

  Dr. Anton Chuvakin
     Author/Blog @ Security Warrior

  Tim Mather CISSP, CISM
     I4, former Chief Security Strategist at RSA,
        former CSO Symantec

  Randolph Barr, CISSP
     CSO Qualys, former CSO at WebEx Comm.

  Jamie Sanbower, CISSP
     Cyber Security Director @ Force3

  Scott Gordon CISSP
     Vice President, AccelOps

 (c) 2010 AccelOps- Putting the Top 10 SIEM Best Practices To Work   09.02.10   2
Ask the Experts:
  What is a SIEM? (rhetorical)
  A solution that aggregates, normalizes, filters, correlates and manages
  security and other operational event / log data to monitor, alert, report,
  analyze and manage security and compliance-relevant information.

  Send us your questions…
    CHAT to moderators
    Tweet Top10SIEMbpract
    Email siemtop10@accelops.net

Ask the Experts:

  Monitoring and Reporting Requirements
  Establish key monitoring and reporting requirements prior to deployment,
  including objective, targets, compliance controls, implementation and workflow.
Ask the Experts:

  Infrastructure audit activations
  Determine the scope of implementation, infrastructure audit targets,
  necessary credentials and verbosity, activation phases and activation.
Ask the Experts:

  Audit data requirements
  Identify and assure adherence to audit data requirements including
  accessibility, integrity, retention, evidentiary requisites, disposal and
  storage considerations.
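
The integrity and retention points from the audit data requirements slide above, in working form, as an added example that is not part of the deck and not AccelOps' code: audit records are stored in a SHA-256 hash chain so that any edit to an archived record is detected, and a retention pass expires the oldest records while keeping the remainder verifiable against a carried-forward anchor hash. The records, dates and the one-day retention window are constructed for the example.

```python
import copy
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit records (illustrative only, not from the deck).
SAMPLE_RECORDS = [
    {"ts": "2010-09-01T08:00:00Z", "host": "fw1", "msg": "firewall policy changed by admin"},
    {"ts": "2010-09-01T08:05:00Z", "host": "db1", "msg": "failed login for user root"},
    {"ts": "2010-09-02T09:00:00Z", "host": "web1", "msg": "patch applied: PLACEHOLDER-ID"},
]

GENESIS = "0" * 64  # anchor hash for an empty chain


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _canonical(record):
    """Deterministic serialization so the same record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _link_hash(prev_hash, record):
    return hashlib.sha256(prev_hash.encode("ascii") + _canonical(record)).hexdigest()


def append_record(chain, record):
    """Append a record to the chain, binding it to the previous entry's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev": prev_hash, "record": record, "hash": _link_hash(prev_hash, record)}
    chain.append(entry)
    return entry["hash"]


def build_chain(records):
    chain = []
    for record in records:
        append_record(chain, record)
    return chain


def verify_chain(chain, anchor=GENESIS):
    """Return (True, None) if every link is intact, else (False, index of first bad entry)."""
    prev_hash = anchor
    for index, entry in enumerate(chain):
        if entry["prev"] != prev_hash or entry["hash"] != _link_hash(prev_hash, entry["record"]):
            return False, index
        prev_hash = entry["hash"]
    return True, None


def apply_retention(chain, now, keep_days):
    """Split the chain into (retained, expired, anchor).

    Only a prefix of the chain is ever expired, so the retained part stays verifiable
    against `anchor` (the hash of the last expired entry). Store that anchor with the
    retained data; without it the retained chain can no longer be validated.
    """
    cutoff = now - timedelta(days=keep_days)
    split = len(chain)
    for index, entry in enumerate(chain):
        if parse_ts(entry["record"]["ts"]) >= cutoff:
            split = index
            break
    expired, retained = chain[:split], chain[split:]
    anchor = expired[-1]["hash"] if expired else GENESIS
    return retained, expired, anchor


def tamper_demo(chain):
    """Return a deep copy with one archived record silently edited, to show the check catches it."""
    altered = copy.deepcopy(chain)
    altered[1]["record"]["msg"] = "login for user root"
    return altered


if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    print("intact chain:", verify_chain(chain))
    print("tampered chain:", verify_chain(tamper_demo(chain)))
    retained, expired, anchor = apply_retention(chain, parse_ts("2010-09-03T00:00:00Z"), keep_days=1)
    print("retained:", len(retained), "expired:", len(expired), "verify:", verify_chain(retained, anchor))
```

The chain only proves that nothing was altered after it was written; it does not protect the write path itself, so the anchor and the chain should live on storage the monitored hosts cannot write to. The disposal step returns the expired entries rather than deleting them, so the caller can apply whatever evidentiary hold applies before anything is destroyed.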
Ask the Experts:

  Access Controls
  Monitor, respond to and report on key status, violations and anomalous
  access to critical resources.
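
The SIEM definition from slide 3 (aggregate, normalize, filter, correlate) and the access controls slide above (anomalous access to critical resources), carried through as one worked pipeline; this is an added example, not code from the deck or from AccelOps. Two constructed event formats (syslog-style SSH authentication lines and CSV file-server access records) are normalized onto one schema, unparseable lines are filtered out and counted, and two correlation rules run over the result: repeated authentication failures followed by a success from the same user and source, and access to a critical resource by a user outside its allow list. The log lines, the allow-list policy and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events in two formats (illustrative only, not from the deck):
# syslog-style SSH auth lines and CSV file-server access records.
RAW_EVENTS = [
    "2010-09-02T10:00:01Z sshd[2201]: Failed password for admin from 203.0.113.7 port 5001",
    "2010-09-02T10:00:03Z sshd[2201]: Failed password for admin from 203.0.113.7 port 5002",
    "2010-09-02T10:00:05Z sshd[2201]: Failed password for admin from 203.0.113.7 port 5003",
    "2010-09-02T10:00:09Z sshd[2201]: Accepted password for admin from 203.0.113.7 port 5004",
    "2010-09-02T10:01:00Z,fileserver,alice,/finance/payroll.xlsx,READ",
    "2010-09-02T10:02:00Z,fileserver,bob,/finance/payroll.xlsx,READ",
    "2010-09-02T10:03:00Z sshd[2202]: Failed password for carol from 198.51.100.4 port 6001",
    "garbage line that no parser understands",
]

# Critical resources and who may touch them (assumed policy, constructed for the example).
CRITICAL_RESOURCES = {"/finance/payroll.xlsx": {"alice"}}

SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line):
    """Map one raw line onto a common schema; return None if no parser matches."""
    match = SSH_RE.match(line)
    if match:
        return {
            "ts": parse_ts(match.group("ts")), "type": "auth",
            "user": match.group("user"), "src": match.group("src"),
            "outcome": "success" if match.group("outcome") == "Accepted" else "failure",
        }
    fields = line.split(",")
    if len(fields) == 5:
        ts, host, user, resource, action = fields
        return {"ts": parse_ts(ts), "type": "resource_access", "user": user,
                "src": host, "resource": resource, "action": action, "outcome": "success"}
    return None


def rule_failures_then_success(events, threshold=3, window_seconds=60):
    """Alert when a login succeeds after `threshold` failures for the same user/source inside the window."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "auth":
            continue
        key = (ev["user"], ev["src"])
        if ev["outcome"] == "failure":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if (ev["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            alerts.append({"rule": "failures_then_success", "user": ev["user"], "src": ev["src"],
                           "failures": len(recent), "ts": ev["ts"]})
        failures[key] = []  # a success closes the window for that user/source
    return alerts


def rule_critical_resource_access(events, policy=CRITICAL_RESOURCES):
    """Alert on any access to a critical resource by a user not on its allow list."""
    return [
        {"rule": "unauthorized_critical_access", "user": ev["user"], "resource": ev["resource"], "ts": ev["ts"]}
        for ev in events
        if ev["type"] == "resource_access" and ev["resource"] in policy and ev["user"] not in policy[ev["resource"]]
    ]


def run_pipeline(raw_lines):
    """Aggregate -> normalize -> filter unparseable -> correlate. Returns (events, alerts, dropped)."""
    events, dropped = [], 0
    for line in raw_lines:
        ev = normalize(line)
        if ev is None:
            dropped += 1
        else:
            events.append(ev)
    alerts = rule_failures_then_success(events) + rule_critical_resource_access(events)
    return events, alerts, dropped


if __name__ == "__main__":
    events, alerts, dropped = run_pipeline(RAW_EVENTS)
    print(len(events), "events normalized,", dropped, "dropped")
    for alert in alerts:
        print(alert)
```

The dropped count is worth reporting on its own: a rising number of unparseable lines usually means a source changed its log format and the correlation rules have quietly gone blind to it, which is exactly the kind of key status the slide asks you to monitor.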
Ask the Experts:

  Perimeter Defenses
  Monitor, respond to and report on key status, configuration changes,
  violations/attacks and anomalous activity associated with perimeter defenses.
Ask the Experts:

  Network and host defenses
  Monitor, respond to and report on key status, configuration changes,
  violations/attacks and anomalous activity associated with internal network
  and host defenses.
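
The configuration-change monitoring called for on the perimeter defenses slide and the network and host defenses slide above, as an added example that is not from the deck and not AccelOps' code: a baseline firewall policy snapshot is compared against the current one, each added, removed or modified rule is reported with a severity, and a whole-file hash short-circuits the comparison when nothing changed. The rule syntax is a generic constructed form, not any vendor's format, and both policy snapshots are made up for the example.

```python
import hashlib
import re

# Constructed policy snapshots in a generic "rule <id> <action> <proto> <src> <dst> [eq <port>]"
# syntax (illustrative only; not from the deck and not any vendor's exact format).
BASELINE_POLICY = """\
rule 10 permit tcp 10.0.0.0/8 any eq 443
rule 20 permit tcp 10.0.0.0/8 any eq 22
rule 30 deny ip any any
"""

CURRENT_POLICY = """\
rule 10 permit tcp 10.0.0.0/8 any eq 443
rule 15 permit tcp any any eq 3389
rule 30 deny ip any any
"""

RULE_RE = re.compile(
    r"^rule (?P<id>\d+) (?P<action>permit|deny) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+)(?: eq (?P<port>\d+))?$"
)


def parse_policy(text):
    """Parse a snapshot into {rule_id: rule_dict}; malformed lines are collected, not silently skipped."""
    rules, malformed = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        rule = m.groupdict()
        rules[int(rule.pop("id"))] = rule
    return rules, malformed


def fingerprint(text):
    """Cheap whole-config hash for the 'did anything change at all' check."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def assess_rule(rule):
    """Rate one rule: a permit from an unrestricted source is high, any other permit is medium."""
    if rule["action"] != "permit":
        return "low"
    return "high" if rule["src"] == "any" else "medium"


def diff_policies(baseline_text, current_text):
    """Return a change report: added/removed/modified rule ids, each with a severity."""
    if fingerprint(baseline_text) == fingerprint(current_text):
        return {"changed": False, "added": {}, "removed": {}, "modified": {}}
    base, base_bad = parse_policy(baseline_text)
    cur, cur_bad = parse_policy(current_text)
    report = {"changed": True, "added": {}, "removed": {}, "modified": {}, "malformed": base_bad + cur_bad}
    for rid in cur.keys() - base.keys():
        report["added"][rid] = assess_rule(cur[rid])
    for rid in base.keys() - cur.keys():
        # Losing a deny means a control disappeared, so that is rated higher than losing a permit.
        report["removed"][rid] = "high" if base[rid]["action"] == "deny" else "medium"
    for rid in base.keys() & cur.keys():
        if base[rid] != cur[rid]:
            report["modified"][rid] = assess_rule(cur[rid])
    return report


def highest_severity(report):
    """Overall severity of the report, or None when nothing changed."""
    order = {"low": 0, "medium": 1, "high": 2}
    levels = list(report["added"].values()) + list(report["removed"].values()) + list(report["modified"].values())
    return max(levels, key=order.get) if levels else None


if __name__ == "__main__":
    report = diff_policies(BASELINE_POLICY, CURRENT_POLICY)
    print(report)
    print("escalate at:", highest_severity(report))
```

In practice the baseline is the last change-approved snapshot, and a report whose severity is high with no matching change ticket is the event to route into the incident workflow; the same diff-and-rate shape applies to host firewall rules, IDS signature sets and other host defense settings once a parser for that format is plugged in.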
Ask the Experts:

  Network and system resource integrity
  Monitor, respond to and report on key status, configuration changes, patches,
  vulnerabilities, threats and anomalous activity affecting network and system
  resources.
Ask the Experts:

  Malware Control
  Monitor, respond to and report on key status, threats, issues, violations
  and activity supporting malware controls.
Ask the Experts:

  Access management and acceptable use
  Monitor, respond to and report on key status, configuration changes,
  violations and anomalous activity affecting access management, user
  management and acceptable use of resources.
Ask the Experts:

  Application defenses
  Monitor, respond to and report on key status, configuration changes,
  violations and anomalous activity with regard to web, database and other
  application defenses.
Webcast Sponsor:

  Challenges
    Complex Threats and Environment
    Monitoring, Search & Reporting Scope
    Implementation and Scale Difficulty
    Timely & Extensive Device Support
    IT Service Awareness & Priority
    Budget for Isolated Security Tools

  Integrated Data Center Monitoring
    Single pane of glass – Intelligence at your fingertips
    End-to-end visibility – service, performance, availability, security, change and compliance management
    SOC/NOC convergence – extensive operational visibility
    Efficiency – proactive monitoring, expedited root-cause analysis, flexible search/reporting
    Value – easy to use, implement and scale with rich feature set
    Virtual Appliance or SaaS – out of the box use and readily scale
Ask the Experts:

  In Conclusion
    Map your requirements: output, audience, functional
    Scope implementation: size, deployment, activation
    Determine operating norms: what will you do with the information, incident workflow, escalation…
    One size does not fit all: dovetail your infosec policy with best practices that work best for your organization

  For more detailed and on-going contribution to SIEM best practices visit: www.accelops.net/SIEMtop10.php
Ask the Experts:

  For a more extensive, on-going set of Top 10 SIEM Best Practices visit:
  WWW.ACCELOPS.NET/SIEMtop10.php

  Released under a Creative Commons 3.0 Attribution license:
  http://creativecommons.org/licenses/by/3.0/

  Thanks to content contribution from:
    Scott Gordon CISSP
    Randolph Barr, CISSP
    Dr. Anton Chuvakin
    Jamie Sanbower, CISSP
    Tim Mather CISSP, CISM
    Bill Sieglein CISSP

  SANS.org in reference to…
    Top Cyber Security Risks
    20 Critical Security Controls

  April Russo (number graphics)
