SIEM EVOLUTION
A day in the life of a Security Architect

Stijn Vande Casteele

28 September 2009
Who are we / Key Brands

www.arcsight.com      © 2009 ArcSight Confidential   2

International presence: leading ICT integrator in Western Europe

  • Leading ICT integrator in Belgium, France & Luxembourg
  • 32 affiliates in Western Europe
  • Global reach through strategic partners
What do I do?

  • My team provides solutions to underpin the on-site and managed SIEM
    services, with a focus on the what and the how!
  • Engineer a grid/cloud/infrastructure to deliver these services to customers
    (enterprises) with a focus on security operations.
  • Steer the service catalogue with fresh use cases (add value).
  • Integrate technologies with our architecture to build automations and enhance
    the richness of our SIEM clouds:
      • Data sources configuration documents
      • Automatic ticket creation
      • Portal visualizations
      • Self monitoring
  • 2nd line support for security management related infrastructure
    (application/systems) and forensic security investigations.
  • Advice in general on a diverse range of pre-sales and service questions within
    this domain.

  • Objective: centre of excellence (SIEM think-tank for the Belgacom group)
Agenda

  • Security Monitoring
  • SIEM architectures
  • Use Cases
Firewall Security Monitoring

(Diagram: inbound and outbound firewall logs are fed into the SIEM.)

Inbound Top Drops
  • Active list with confirmed scanners from the Internet
  • If the firewall accepts traffic from IP addresses in the active list,
    increase the event priority

Outbound Top Drops
  • Can spot infected internal systems or configuration errors (e.g. wrong
    DNS or NTP client configuration)
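The two correlations on this slide, as an added example that is not part of the original deck: a small Python pass over constructed firewall log lines that builds the "confirmed scanners" active list from inbound top drops, raises the priority of any inbound accept from a listed address, and reports outbound top drops per internal host, separating drops on DNS/NTP ports (likely client misconfiguration) from other repeated drops (possible infected host). The log line format, the thresholds and the priority values are assumptions made for the example, not ArcSight or vendor conventions.

```python
"""Added example (not from the slide deck): the firewall monitoring use case
modelled as a correlation pass over constructed firewall log lines.
Assumed line format (not a vendor format):
    <timestamp> <inbound|outbound> <drop|accept> src=<ip> dst=<ip> dport=<port>
"""
from collections import Counter

# Thresholds and priorities are assumptions chosen for the example.
SCANNER_DROP_THRESHOLD = 5    # inbound drops from one source before it is listed as a scanner
OUTBOUND_DROP_THRESHOLD = 3   # outbound drops per (internal host, port) worth reporting
BASE_PRIORITY, SCANNER_BOOST = 3, 4
CLIENT_SERVICE_PORTS = {53: "DNS", 123: "NTP"}   # repeated drops here usually mean a wrong client config

# Constructed sample data: one external scanner, one low-volume external source,
# one internal host with a broken DNS client, one internal host with repeated IRC drops.
LOG_LINES = """\
2009-09-28T09:00:01 inbound drop src=203.0.113.9 dst=192.0.2.10 dport=21
2009-09-28T09:00:02 inbound drop src=203.0.113.9 dst=192.0.2.10 dport=22
2009-09-28T09:00:03 inbound drop src=203.0.113.9 dst=192.0.2.10 dport=23
2009-09-28T09:00:04 inbound drop src=203.0.113.9 dst=192.0.2.11 dport=25
2009-09-28T09:00:05 inbound drop src=203.0.113.9 dst=192.0.2.11 dport=3389
2009-09-28T09:00:09 inbound accept src=203.0.113.9 dst=192.0.2.20 dport=443
2009-09-28T09:01:00 inbound drop src=198.51.100.7 dst=192.0.2.10 dport=22
2009-09-28T09:01:30 inbound accept src=198.51.100.7 dst=192.0.2.20 dport=443
2009-09-28T09:02:00 outbound drop src=10.0.0.15 dst=203.0.113.53 dport=53
2009-09-28T09:02:05 outbound drop src=10.0.0.15 dst=203.0.113.53 dport=53
2009-09-28T09:02:10 outbound drop src=10.0.0.15 dst=203.0.113.53 dport=53
2009-09-28T09:03:00 outbound drop src=10.0.0.23 dst=203.0.113.77 dport=6667
2009-09-28T09:03:01 outbound drop src=10.0.0.23 dst=203.0.113.77 dport=6667
2009-09-28T09:03:02 outbound drop src=10.0.0.23 dst=203.0.113.77 dport=6667
2009-09-28T09:03:03 outbound drop src=10.0.0.23 dst=203.0.113.77 dport=6667
2009-09-28T09:04:00 outbound drop src=10.0.0.30 dst=203.0.113.123 dport=123
""".splitlines()


def parse(line):
    """Turn one assumed-format log line into a dict of typed fields."""
    ts, direction, action, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": ts, "direction": direction, "action": action,
            "src": fields["src"], "dst": fields["dst"], "dport": int(fields["dport"])}


def build_scanner_list(events, threshold=SCANNER_DROP_THRESHOLD):
    """Active list: external sources whose inbound drops reach the threshold."""
    drops = Counter(e["src"] for e in events
                    if e["direction"] == "inbound" and e["action"] == "drop")
    return {src for src, n in drops.items() if n >= threshold}


def prioritize_inbound_accepts(events, scanners):
    """Inbound accepts from a listed scanner get their priority raised."""
    return [{**e, "priority": BASE_PRIORITY + SCANNER_BOOST,
             "reason": "accept from confirmed scanner"}
            for e in events
            if e["direction"] == "inbound" and e["action"] == "accept" and e["src"] in scanners]


def outbound_top_drops(events, threshold=OUTBOUND_DROP_THRESHOLD):
    """Repeated outbound drops per (internal host, destination port), most frequent first."""
    drops = Counter((e["src"], e["dport"]) for e in events
                    if e["direction"] == "outbound" and e["action"] == "drop")
    findings = []
    for (src, dport), n in drops.most_common():
        if n < threshold:
            continue
        if dport in CLIENT_SERVICE_PORTS:
            verdict = f"possible {CLIENT_SERVICE_PORTS[dport]} client misconfiguration"
        else:
            verdict = "possible infected internal system"
        findings.append((src, dport, n, verdict))
    return findings


def run(lines=LOG_LINES):
    events = [parse(l) for l in lines if l.strip()]
    scanners = build_scanner_list(events)
    return {"scanners": scanners,
            "escalated": prioritize_inbound_accepts(events, scanners),
            "outbound": outbound_top_drops(events)}


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

In a real deployment the active list would be populated and aged by the SIEM's own rules rather than rebuilt from a batch, and the thresholds tuned per firewall; the structure of the logic (build list, escalate on accept, rank outbound drops) is what the slide describes.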
Security Analysis

  • Unlike firewalls, IDS/IPS provide information up to OSI layer 7 via
    signature-based detection methods.
  • Typical attacks detected by IDS/IPS: worms, exploits, brute force
    attacks, backdoors, covert channels.
  • IDS/IPS are best placed where "threat x asset value" is high (e.g. DMZ,
    server farm).
  • IDS/IPS provide input for SIEM tools to correlate with Vulnerability
    and Asset (VA) data.
Monitoring WiFi GUEST traffic

(Diagram: END-USER -> CISCO WLC -> CISCO ASA -> Internet.)

Fields logged by the Cisco WLC:
  • End-User MAC Address
  • End-User IP Address
  • End-User Account Name

Fields logged by the Cisco ASA:
  • End-User IP Address
  • Web Target Address
  • Web Target Port

Correlated record in the SIEM (the End-User IP Address is the field both sources share):
  • End-User MAC Address
  • End-User IP Address
  • End-User Account Name
  • Web Target Address
  • Web Target Port
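The correlation on this slide, as an added example that is not part of the original deck: Python code that joins constructed WLC association events with constructed ASA connection events on the End-User IP Address to produce the five-field record the slide lists. It goes one step beyond the slide by matching on time as well as IP, so that a guest address handed to a second user later in the day resolves to the right account name. Both log line formats are assumptions made for the example, not the Cisco formats; only the field names come from the slide.

```python
"""Added example (not from the slide deck): correlating the WLC and ASA fields
listed on the slide into one record per web connection.  Both line formats
are assumed for the example; the output field names are the slide's own."""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed WLC association events: which account and MAC got which IP, and when.
WLC_LINES = [
    "2009-09-28T08:00:00 wlc assoc mac=00:11:22:33:44:55 ip=172.16.5.10 user=guest-alice",
    "2009-09-28T08:30:00 wlc assoc mac=66:77:88:99:aa:bb ip=172.16.5.11 user=guest-bob",
    # the address 172.16.5.10 is handed to a second guest later in the morning
    "2009-09-28T09:15:00 wlc assoc mac=cc:dd:ee:ff:00:11 ip=172.16.5.10 user=guest-carol",
]
# Constructed ASA connection events: internal IP and the web target it reached.
ASA_LINES = [
    "2009-09-28T08:05:00 asa conn src=172.16.5.10 dst=198.51.100.20 dport=443",
    "2009-09-28T08:40:00 asa conn src=172.16.5.11 dst=198.51.100.30 dport=80",
    "2009-09-28T09:20:00 asa conn src=172.16.5.10 dst=203.0.113.5 dport=25",
    "2009-09-28T09:25:00 asa conn src=172.16.5.99 dst=203.0.113.6 dport=443",  # no WLC session
]


def parse(line):
    """Split an assumed-format line into a dict; the timestamp becomes a datetime."""
    ts, device, kind, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields.update(ts=datetime.fromisoformat(ts), device=device, kind=kind)
    return fields


def build_session_index(wlc_events):
    """Per IP address: association events in time order, with the timestamps
    kept in a parallel list so a lookup is a binary search."""
    index = defaultdict(lambda: ([], []))
    for e in sorted(wlc_events, key=lambda e: e["ts"]):
        times, sessions = index[e["ip"]]
        times.append(e["ts"])
        sessions.append(e)
    return index


def lookup_session(index, ip, at):
    """Most recent association of `ip` at or before time `at`, or None.
    Taking the latest one is what makes a re-used IP map to the right guest."""
    times, sessions = index.get(ip, ([], []))
    pos = bisect_right(times, at)
    return sessions[pos - 1] if pos else None


def correlate(wlc_lines=WLC_LINES, asa_lines=ASA_LINES):
    """One enriched record per ASA connection, using the slide's field names."""
    index = build_session_index([parse(l) for l in wlc_lines])
    records = []
    for conn in (parse(l) for l in asa_lines):
        session = lookup_session(index, conn["src"], conn["ts"])
        records.append({
            "End-User MAC Address":  session["mac"] if session else None,
            "End-User IP Address":   conn["src"],
            "End-User Account Name": session["user"] if session else None,
            "Web Target Address":    conn["dst"],
            "Web Target Port":       int(conn["dport"]),
        })
    return records


if __name__ == "__main__":
    for record in correlate():
        print(record)
```

A connection with no matching WLC session (the last ASA line) is kept with empty identity fields rather than dropped, since an address on the guest network with no association record is itself something an analyst would want to see.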
Monitoring business risks

(Diagram: business impact at the centre, surrounded by the three security properties.)

  • Confidentiality: protecting sensitive information from unauthorised
    disclosure or malicious interception.
  • Integrity: safeguarding the accuracy and completeness of information.
  • Availability: ensuring that vital IT services and information are
    available when required.
Agenda

  • Security Monitoring
  • SIEM architectures
  • Use Cases
Some history…

  ArcSight 2.1 (Sept 2003)
  ArcSight 2.2 (POC)
  ArcSight 2.5 (Production Jan 2004)
  ArcSight 3.0 (Production Oct 2004)
  ArcSight 3.5 (Production Mar 2006)
  ArcSight 4.0 (Production Sept 2007)
Telindus hardware tests

  Two different hardware platforms were tested from an ArcSight manager
  performance perspective:

    Model             Architecture   CPU                        RAM     OS
    Sun SPARC T2000   SPARC T1       1 x 8 core (1.2 GHz)       32 GB   Solaris 10
    Sun Fire X2100    AMD X_64       1 x dual core (1.8 GHz)    4 GB    Red Hat 4.5

  • As the biggest factor in database performance is the available RAM and
    the SAN read / write speed, the OS / architecture is not so influential.
  • It seems to Telindus that the ArcSight 4.0 JRE is not optimized to make use of
    the multi-thread (CMT) possibilities of the Sun T1 processor. The AMD
    X_64 / Red Hat platform significantly outperformed the SPARC T1 /
    Solaris platform.
ArcSight test graph

(Figure: Y-axis = EPS (000's), X-axis = number of core CPUs.)
Security Event Lifecycle

(Diagram-only slide.)
Log Sources

(Bubble chart: each log source is plotted by its security information value
and by its relevance with respect to security information and correlation
capabilities; the bubble diameter is proportional to the event amounts.)

Groups on the chart: security events and information; network and application
events / information; monitoring logs.

Sources shown: Network Intrusion Prevention Systems (NIPS), HIPS, firewalls (FW),
AV, VA data, web content screening, reverse proxy, proxy, NBA, routers & switches,
web servers, OS logs, DB logs, AIM, email / smartphone gateways.
Standardized data collection?

  We need a uniform way in which computer events are described, logged,
  and exchanged.
Agenda

  • Security Monitoring
  • SIEM architectures
  • Use Cases
Use Case library

(Diagram: the Use Case Library at the centre, with three use case families around it.)

  • Insider threat
  • Perimeter defence
  • Regulatory compliance
SIEM audit report

(Screenshot-only slide.)

Security Operations

(Diagram-only slide.)

Event Management

(Diagram-only slide.)
Conclusions

  • Carefully plan your SIEM migrations with business and operations!
  • Make checklists, cheat sheets and technical notes to educate your
    security analysts on new evolutions.
  • Keep a change log for SIEM content adaptations.
  • Think out-of-the-box: SIEM has a lot of potential, but KISS towards
    the outside.
  • Request (simple) KPIs on how your application/service is evolving.
  • Use intake templates to facilitate the scoping exercise towards your
    client.
  • Centralize your efforts, look for partners and create a centre of
    excellence in your organization around security monitoring.
Questions?

  stijn.vandecasteele@telindus.be
  http://www.linkedin.com/in/ictsecurity
  http://www.twitter.com/securityworld
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

SIEM evolution

  • 1. SIEM EVOLUTION A day in the life of a Security Architect Stijn Vande Casteele 28 September 2009
  • 2. Who are we / Key Brands www.arcsight.com © 2009 ArcSight Confidential 2
  • 3. International presence: Leading ICT integrator in Western Europe • Leading ICT integrator in Belgium, France & Luxembourg • 32 affiliates in Western Europe • Global reach through strategic partners. Sensitivity: "Unrestricted", 28 September 2009
  • 4. What do I do? • My team provides solutions to underpin the on-site and managed SIEM services, with a focus on the what and the how! • Engineer a grid/cloud/infrastructure to deliver these services to customers (enterprises) with a focus on security operations. • Steer the service catalogue with fresh use cases (add value). • Integrate technologies with our architecture to build automations and enhance the richness of our SIEM clouds: data sources configuration documents, automatic ticket creation, portal visualizations, self monitoring. • 2nd line support for security management related infrastructure (application/systems) and forensic security investigations. • Advice in general on a diverse range of pre-sales and service questions within this domain. • Objective: centre of excellence (SIEM think-tank for the Belgacom group)
  • 5. Agenda • Security Monitoring • SIEM architectures • Use Cases
  • 6. Firewall Security Monitoring. Firewall logs (inbound and outbound traffic) are sent to the SIEM, which maintains two views: Inbound Top Drops and Outbound Top Drops. Inbound Top Drops feed an active list of confirmed scanners from the Internet: if the firewall accepts a connection from an IP address in the active list, increase the event priority. Outbound Top Drops can spot infected internal systems or configuration errors (e.g. wrong DNS or NTP client configuration).
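The two top-drops views and the active-list escalation from this slide, as an added example that is not part of the original deck or of ArcSight's product; the log line format, the 10.0.0.0/8 internal range, the priority values and the sample lines are constructed assumptions:

```python
from collections import Counter
import ipaddress

# Constructed sample firewall log lines: action src dst dport
FW_LOGS = """\
DROP 203.0.113.7 192.0.2.10 22
DROP 203.0.113.7 192.0.2.11 22
DROP 198.51.100.9 192.0.2.10 445
ACCEPT 203.0.113.7 192.0.2.25 443
ACCEPT 198.51.100.20 192.0.2.25 443
DROP 10.0.0.5 8.8.8.8 53
DROP 10.0.0.5 8.8.8.8 53
DROP 10.0.0.5 8.8.8.8 53
DROP 10.0.0.8 203.0.113.50 6667
""".splitlines()

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
# Active list of confirmed Internet scanners (constructed; the SIEM would fill it)
ACTIVE_LIST = {"203.0.113.7"}
BASE_PRIORITY, ESCALATED_PRIORITY = 3, 8

def parse(line):
    action, src, dst, dport = line.split()
    return action, src, dst, int(dport)

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def top_drops(lines, outbound, n=3):
    """Most-dropped source IPs by direction: outbound = internal source
    (candidate infected host or misconfigured client), inbound = external."""
    c = Counter(src for action, src, _, _ in map(parse, lines)
                if action == "DROP" and is_internal(src) == outbound)
    return c.most_common(n)

def prioritise(line):
    """Accepted inbound traffic from an active-list IP gets the escalated
    priority; everything else keeps the base priority."""
    action, src, _, _ = parse(line)
    if action == "ACCEPT" and not is_internal(src) and src in ACTIVE_LIST:
        return ESCALATED_PRIORITY
    return BASE_PRIORITY

def client_config_suspects(lines, ports=(53, 123), threshold=3):
    """Internal hosts repeatedly dropped on DNS/NTP ports: likely a wrong
    DNS or NTP client configuration rather than an attack."""
    c = Counter(src for action, src, _, dport in map(parse, lines)
                if action == "DROP" and dport in ports and is_internal(src))
    return sorted(src for src, k in c.items() if k >= threshold)
```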
  • 7. Security Analysis • Unlike firewalls, IDS/IPS provide information up to OSI layer 7 via signature based detection methods • Typical attacks detected by IDS/IPS: worms, exploits, brute force attacks, backdoors, covert channels. • IDS/IPS are best placed where "threat x asset value" is high (e.g. DMZ, server farm) • IDS/IPS provide input for SIEM tools to correlate with Vulnerability and Asset (VA) data
  • 8. Monitoring WiFi GUEST traffic. Flow: END-USER → CISCO WLC → CISCO ASA → Internet. The WLC log carries End-User MAC Address, End-User IP Address and End-User Account Name; the ASA log carries End-User IP Address, Web Target Address and Web Target Port. Correlating the two on End-User IP Address gives, per session: End-User MAC Address, End-User IP Address, End-User Account Name, Web Target Address, Web Target Port.
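The WLC/ASA join from this slide, as an added example that is not from the deck or from Cisco/ArcSight tooling; the record layouts, timestamps, 8-hour lease window and sample records are constructed assumptions, and it also covers the case where a guest IP is reused by a second account later in the day:

```python
from datetime import datetime, timedelta

# Constructed Cisco WLC association records: time, MAC, IP, account name
WLC_EVENTS = [
    ("2009-09-28 09:00:00", "00:11:22:33:44:55", "172.16.5.10", "guest.alice"),
    ("2009-09-28 10:30:00", "66:77:88:99:aa:bb", "172.16.5.10", "guest.bob"),  # IP reused
]
# Constructed Cisco ASA connection records: time, source IP, target address, port
ASA_EVENTS = [
    ("2009-09-28 09:15:00", "172.16.5.10", "198.51.100.40", 80),
    ("2009-09-28 10:45:00", "172.16.5.10", "203.0.113.9", 443),
    ("2009-09-28 11:00:00", "172.16.5.99", "203.0.113.9", 443),  # no WLC record
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def attribute(asa_events, wlc_events, lease=timedelta(hours=8)):
    """For each ASA connection, pick the most recent WLC association of the
    same IP that happened at or before it and within the lease window.
    Returns (mac, ip, account, target, port); mac/account are None if unmatched."""
    out = []
    for t, ip, target, port in asa_events:
        t = ts(t)
        candidates = [(ts(wt), mac, acct) for wt, mac, wip, acct in wlc_events
                      if wip == ip and ts(wt) <= t and t - ts(wt) <= lease]
        if candidates:
            _, mac, acct = max(candidates)   # latest association wins
            out.append((mac, ip, acct, target, port))
        else:
            out.append((None, ip, None, target, port))
    return out
```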
  • 9. Monitoring business risks (business impact). Confidentiality: protecting sensitive information from unauthorised disclosure or malicious interception. Availability: ensuring that vital IT services and information are available when required. Integrity: safeguarding the accuracy and completeness of information.
  • 10. Agenda • Security Monitoring • SIEM architectures • Use Cases
  • 11. Some history… ArcSight 2.1 (Sept 2003), ArcSight 2.2 (POC), ArcSight 2.5 (Production Jan 2004), ArcSight 3.0 (Production Oct 2004), ArcSight 3.5 (Production Mar 2006), ArcSight 4.0 (Production Sept 2007)
  • 12. Telindus hardware tests. Two different hardware platforms were tested from an ArcSight manager performance perspective:
      Model            Architecture   CPU                       RAM    OS
      Sun SPARC T2000  SPARC T1       1 x 8 core (1.2 GHz)      32 GB  Solaris 10
      Sun Fire X2100   AMD X_64       1 x dual core (1.8 GHz)   4 GB   Red Hat 4.5
    • As the biggest factor in database performance is the available RAM and the SAN read / write speed, the OS / architecture is not so influential. • It seems to Telindus that ArcSight 4.0 JRE is not optimized to make use of the multi-thread (CMT) possibilities of the SUN T1 processor. The AMD X_64 / Red Hat platform significantly outperformed the SPARC T1 / Solaris platform.
  • 13. ArcSight test graph (two graphs; Y-Axis = EPS (000's), X-Axis = Number of core CPUs)
  • 14. Security Event Lifecycle
  • 15. Log Sources. Diagram: each source is a circle whose diameter is proportional to the event amounts, placed by its relevance with respect to security information and correlation capabilities, from network and application events / information up to security events and information (security information value). Sources shown: Network Intrusion Prevention Systems (NIPS), HIPS, Firewalls (FW), AV, VA data, Web Content screening, NBA, Reverse proxy, Routers & switches, Monitoring logs, Web servers, Proxy, OS logs, DB logs, AIM, Email / smartphone gateways.
  • 16. Standardized data collection? We need a uniform way how computer events are described, logged, and exchanged.
  • 17. Agenda • Security Monitoring • SIEM architectures • Use Cases
  • 18. Use Case library: Insider threat, Perimeter defence, Regulatory compliance
  • 19. SIEM audit report
  • 20. Security Operations
  • 21. Event Management
  • 22. Conclusions • Carefully plan your SIEM migrations with business and operations! • Make checklists, cheat sheets and technical notes to educate your security analysts on new evolutions. • Keep a change log for SIEM content adaptations. • Think out-of-the-box, SIEM has a lot of potential but KISS towards the outside. • Request (simple) KPI's on how your application/service is evolving. • Use intake templates to facilitate the scoping exercise towards your client. • Centralize your efforts, look for partners and create a centre of excellence in your organization around security monitoring.
  • 23. Questions? stijn.vandecasteele@telindus.be http://www.linkedin.com/in/ictsecurity http://www.twitter.com/securityworld