Advanced SIEM Operations

Michael Leland | SIEM Evangelist

Advanced SIEM Operations: Realizing the Benefits of a Results-Driven SIEM

Upload: intel-security

Post on 15-Jan-2017


TRANSCRIPT

Page 1: Advanced SIEM Operations

Michael Leland | SIEM Evangelist

Advanced SIEM Operations: Realizing the Benefits of a Results-Driven SIEM

Page 2: Advanced SIEM Operations


Agenda

• The Challenges of Deploying an Effective SIEM

• Mapping SIEM Operations to the Cyber Attack Chain

• Transition from Detection to Correction

• Identifying Potential Threats

• Improving Situational Awareness

• Leveraging Threat Intelligence


Page 3: Advanced SIEM Operations

Planning for Success: Assessing your Deployment

Questions to Ask:

• What resources are needed for deployment and management of the SIEM solution?

• Is initial deployment simple?

• Are configurations and customizations intuitive?

• Can it deliver the performance, scalability and intelligence needed?

Goal:

• Improve both security posture and operational efficiencies

• Real-life usability is a key consideration

Source: August 2014. Intel Security Special Report: When Minutes Count.

Page 4: Advanced SIEM Operations

SIEM Deployment Challenges: Evolving Expectations of Security Event Analysis

Operational Difficulties

• Onboarding Data Sources

• Integrating Security Platforms

Measurable Value

• Reducing Mean-Time-to-Discovery

• Improving Threat Response Time

• Reducing Breach Impact

Continuous Learning & Enrichment

• Threat Lifecycle

• Organizational Context

• Automating Remediation Workflow

Page 5: Advanced SIEM Operations

Mapping SIEM to the Attack Chain

Along the entire attack chain: Recon, Weaponize, Deliver (HOURS to MONTHS) | Exploit (SECONDS) | Control, Execute, Persist (WEEKS to MONTHS)

Protect: Traditional approaches are failing (breaches are occurring)

• Signature-based defenses

• Lack of intent-based analysis

• Siloed technologies

Detect: Breaches dwell too long (stay active)

• Fragmented visibility

• Information overload

• Lack of context

Correct: Organizations lack the agility to respond quickly

• Cumbersome workflows

• Information overload

• Restrictive tools

Page 6: Advanced SIEM Operations

Evolving from Find to Fix: Orchestrating common remediation tasks

• Endpoint quarantine and triage

• Blacklist offending address/host

• Perform targeted vulnerability scan

“75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours).”

Source: Verizon 2015 Data Breach Investigations Report

Page 7: Advanced SIEM Operations

Automate Time-Consuming Tasks: Reduce Operational Overhead

• Generating scheduled reports

• Identifying anomalous activities

• On-boarding new data sources

• Updating watchlist values

Page 8: Advanced SIEM Operations

Network Security Mitigation Matrix: Actionable response to active threats

[Matrix: attack-chain phases (Recon, Weaponize | Deliver, Exploit, Control, Execute, Persist) across the top, mapped against PROTECT, DETECT and CORRECT; the cell positions are not recoverable from the extracted text.]

Controls named in the matrix: Recon detection, Anti-Evasion, Sandboxing, Covert Channel detection, Callback Detection, Network/Host Analysis, ACLs, Browser Emulation, Network-Endpoint Interlock, Anti-Botnet, Host Behavior Analysis, Traffic Learning, Application Control, Data Exfiltration, Deep File Analysis, Virtual Patching, IP Reputation, Web Filtering/ACLs, User Behavior Analysis, DDoS Mitigation.

Page 9: Advanced SIEM Operations

Traditional Incident Response Challenges

[Chart: number of events over time, pre-breach and post-breach, across the Protect, Detect and Correct phases. Opportunistic attacks are blocked; targeted attacks have prolonged dwell time.]

• Difficult signal isolation

• Excessive operational friction

Page 10: Advanced SIEM Operations

Security Connected Approach: Dramatically compressed Incident Response

[Chart: number of events over time, pre-breach and post-breach, across the Protect, Detect and Correct phases. The prolonged dwell time of the traditional approach is minimized through rapid outlier detection, fluid operational response and adaptive threat reduction.]

A connected ecosystem of sensors, controls and management will strengthen security posture and enhance visibility

• Detect and adapt to breaches more quickly

• Prioritize and facilitate fluid responses

• Accelerate decision making process

Page 11: Advanced SIEM Operations

Integrating the 5 Styles of Security Analytics

• Network Traffic Analysis

• Network Forensics

• Payload Analysis

• Endpoint Behavior Analysis

• Endpoint Forensics

Source: Gartner “Five Styles of Advanced Threats”

Page 12: Advanced SIEM Operations

Rapid Threat Detection: Reduce Prolonged Risk Exposure

• Effective event & flow correlation

• Real-time alarms and actions

• Historical forensic analysis

• Leverage rule, risk & historical correlation:

Rule: Simple Boolean pattern match, e.g. IF ((A & (B or C)) & NOT D)

Risk: Weighted score using asset classification and reputation, e.g. (X [in CriticalSystems] * Reputation)

Historical: Retroactive analysis of previously collected events/flows: over N duration of time, which Rule or Risk correlations would have been identified

Standard Deviation
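The three correlation modes just listed (Boolean rule, asset-weighted risk, historical replay over a stored window) and the "severity, not volume" prioritization the deck returns to on the next slide, as an added Python example that is not from the presentation or from any Intel Security product: the event kinds, hostnames, CriticalSystems set, reputation values and asset weights are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str  # auth_fail, new_process, outbound_conn, av_clean

# Constructed sample stream; hosts, times and event kinds are illustrative only.
T0 = datetime(2017, 1, 15, 14, 29, 0)
EVENTS = [
    Event(T0, "db01", "auth_fail"),
    Event(T0 + timedelta(seconds=20), "db01", "new_process"),
    Event(T0 + timedelta(seconds=40), "db01", "outbound_conn"),
    Event(T0 + timedelta(seconds=5), "kiosk7", "auth_fail"),
    Event(T0 + timedelta(seconds=30), "kiosk7", "outbound_conn"),
    Event(T0 + timedelta(seconds=50), "kiosk7", "av_clean"),
    Event(T0 - timedelta(days=3), "web02", "auth_fail"),
    Event(T0 - timedelta(days=3, seconds=-10), "web02", "new_process"),
]
CRITICAL_SYSTEMS = {"db01"}                               # asset classification (assumed)
REPUTATION = {"db01": 0.9, "kiosk7": 0.9, "web02": 0.3}  # 0 = clean .. 1 = known dirty (assumed)

def rule_match(kinds):
    """Rule correlation: IF ((A & (B or C)) & NOT D), with A..D bound to event kinds."""
    a, b, c, d = ("auth_fail" in kinds, "new_process" in kinds,
                  "outbound_conn" in kinds, "av_clean" in kinds)
    return (a and (b or c)) and not d

def risk_score(host):
    """Risk correlation: asset weight (1.0 critical, 0.2 otherwise; assumed) times reputation."""
    return (1.0 if host in CRITICAL_SYSTEMS else 0.2) * REPUTATION.get(host, 0.0)

def correlate(events, start, end, window=timedelta(minutes=5)):
    """Evaluate the rule per host over [start, end] with a sliding window; return
    alarms sorted by risk (severity, not event volume, sets the order)."""
    per_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        if start <= e.ts <= end:
            per_host.setdefault(e.host, []).append(e)
    alarms = []
    for host, evs in per_host.items():
        for i, first in enumerate(evs):
            kinds = {e.kind for e in evs[i:] if e.ts - first.ts <= window}
            if rule_match(kinds):
                alarms.append((host, round(risk_score(host), 2)))
                break
    return sorted(alarms, key=lambda a: a[1], reverse=True)

def realtime_alarms():
    """Live mode: only the minute around the constructed 'now' (T0)."""
    return correlate(EVENTS, T0 - timedelta(minutes=1), T0 + timedelta(minutes=1))

def historical_alarms(days=7):
    """Historical mode: replay N days of stored events to see what would have fired."""
    return correlate(EVENTS, T0 - timedelta(days=days), T0 + timedelta(minutes=1))
```

Note that kiosk7 produces as many events as db01 but never alarms, because the av_clean event (D) negates the pattern; the historical replay surfaces web02, which the live window would have missed.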

Page 13: Advanced SIEM Operations

All Threats are Not Created Equal: Prioritize Threat Response

• Correlated Events: typically represent a higher magnitude of threat

• Anomalous Behaviors: should be identified and addressed

• Risk Profiling: adds context (user/asset/reputation)

• Severity, Not Volume: determines threat level and appropriate response

Page 14: Advanced SIEM Operations

Reducing Threat Discovery Time: Automating remediation and protection actions

14:29:44 - New file seen for first time in enterprise

14:30:40 - New file detected with unknown reputation – assumed ‘dirty’

14:30:43 - Sample submitted to ATD sandbox – identified as malicious

14:30:44 - TIE reputation changed from ‘unknown’ to ‘known dirty’

14:31:00+ - All subsequent attempts to execute malicious file blocked

Time to Detect: 59s

Time to Protect: 1m

Page 15: Advanced SIEM Operations

Improving Situational Awareness

Leverage greater content AND context during forensic investigations

Data Sources: Authentications, Web Transactions, Network Flows, Identity, Cloud, Security Logs, Database, Applications, Email, File Access

Context Enrichment: Anomaly Detection, Organizational Hierarchy, User Identity, Geolocation, Reputation, Risk Score, Vulnerability, Payload

Page 16: Advanced SIEM Operations

Threat Intelligence: Improve situational awareness

Leverage vendor-supplied and industry threat sources to better understand the context of a threat

• Identify activities to/from a ‘bad actor’

• Threat feeds should be: Consumable, Relevant, Accurate, Timely

• Industry-specific threat intelligence: Healthcare, Finance, Retail

Page 17: Advanced SIEM Operations

Threat Intelligence Sources: Multiple Threat Vector Analysis

Static

• Threat Lists: Artifacts, Age, Relevance, Attribution

• Sources: Emerging Threats, Malc0de

Dynamic

• IoC Sources: Artifacts, Boolean Logic, Behavioral, Campaigns

• Local Intelligence: Sandbox Analysis, Manual Assignment

Page 18: Advanced SIEM Operations

The Security Challenge: Detect and Remediate threats before they impact your business

Mean number of days to resolution: 31 DAYS

Average cost per day: $20,758

Source: Ponemon Institute 2014 Cost of Cyber Crime study

[Timeline: ATTACK, COMPROMISE, DISCOVERY, CONTAINMENT, spanning hours, weeks and months.]

Page 19: Advanced SIEM Operations
