Post on 15-Jan-2015
SIEM-plifying security monitoring: A different approach to security
visibility
Dave Shackleford, Voodoo Security and SANS
Joe Schreiber, AlienVault
© 2014 The SANS™ Institute - www.sans.org
Introduction
• Many organizations are still experiencing data breaches
  – Attackers are more advanced
  – But... we've got preventive and detective controls, right?
• More proactive use of threat intelligence, and more time invested in internal detection capabilities, will help
  – But what do you need?
  – How can you succeed with limited time and/or budget?
First…security intelligence
• Security/threat intelligence is all the rage these days... in theory
• Today, most organizations are gathering external threat intelligence from sources such as:
  – The SANS Internet Storm Center
  – Blog sites
  – Commercial feeds
  – ISACs and other public-private collaboration groups
External Threat Intel Data
• Intel about attacks and attackers may include:
  – Source IPs/hostnames/domains
  – Ports/services in use
  – Source countries
  – Attack types
  – Packet traces
  – Malware
  – File names
• DNS entries that are or should be blacklisted
• Countries of origin with specific reputation criteria
• Types of events to look out for:
  – Application attacks
  – Ports and IP addresses
  – Specific types of malware detected
  – Vertical-specific likelihood
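A worked example of putting indicators like these to use, added here as an illustration; it is not code from the webcast, from SANS or from AlienVault. It loads a constructed feed of the indicator types listed above (exact IPs, a CIDR range, a domain and a file name) and checks constructed proxy/firewall log lines against it. The feed layout (`type,value,tag`), the `key=value` log format and every address, domain and file name are invented for the example (documentation address ranges only).

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed threat-intel feed: one indicator per line, "type,value,tag".
# Not a real feed; the values are RFC 5737 documentation addresses and an
# invented domain and file name.
FEED = """\
ip,203.0.113.77,scanner
cidr,198.51.100.0/24,botnet-c2
domain,evil-updates.example,malware-distribution
filename,invoice_2014.pdf.exe,dropper
"""

# Constructed proxy/firewall log lines in a simple key=value style; not the
# output format of any particular product.
LOGS = [
    'ts=2014-11-03T10:01:02Z src=10.0.0.5 dst=203.0.113.77 dport=443 action=allow',
    'ts=2014-11-03T10:01:09Z src=10.0.0.5 dst=198.51.100.23 dport=6667 action=allow',
    'ts=2014-11-03T10:02:30Z src=10.0.0.9 host=cdn.EVIL-updates.example uri=/get file=invoice_2014.pdf.exe',
    'ts=2014-11-03T10:03:00Z src=10.0.0.9 host=www.example.org uri=/index.html',
    'ts=2014-11-03T10:03:15Z src=10.0.0.11 dst=192.0.2.10 dport=80 action=allow',
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator_type: str
    indicator: str
    tag: str
    observed: str


class IndicatorSet:
    """Index a feed so each log field is checked by dictionary lookup
    (plus a linear pass over the usually short list of CIDR ranges)."""

    def __init__(self, feed_text):
        self.ips = {}        # normalized IP -> (indicator, tag)
        self.nets = []       # (ip_network, indicator, tag)
        self.domains = {}    # lowercased domain -> (indicator, tag)
        self.filenames = {}  # lowercased file name -> (indicator, tag)
        for raw in feed_text.splitlines():
            raw = raw.strip()
            if not raw or raw.startswith('#'):
                continue
            kind, value, tag = raw.split(',', 2)
            if kind == 'ip':
                self.ips[str(ipaddress.ip_address(value))] = (value, tag)
            elif kind == 'cidr':
                self.nets.append((ipaddress.ip_network(value, strict=False), value, tag))
            elif kind == 'domain':
                self.domains[value.lower().rstrip('.')] = (value, tag)
            elif kind == 'filename':
                self.filenames[value.lower()] = (value, tag)
            # Unknown indicator types are skipped rather than failing the load.

    def match_ip(self, text):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return None
        if str(addr) in self.ips:
            return ('ip',) + self.ips[str(addr)]
        for net, value, tag in self.nets:
            if addr in net:
                return ('cidr', value, tag)
        return None

    def match_domain(self, host):
        # Walk up the label chain so a listed apex also matches its subdomains.
        labels = host.lower().rstrip('.').split('.')
        for i in range(len(labels)):
            candidate = '.'.join(labels[i:])
            if candidate in self.domains:
                return ('domain',) + self.domains[candidate]
        return None

    def match_filename(self, name):
        hit = self.filenames.get(name.lower())
        return (('filename',) + hit) if hit else None


KV = re.compile(r'(\w+)=(\S+)')


def scan_logs(indicators, lines):
    """Return one Hit per (line, indicator) match, in log order."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(KV.findall(line))
        checks = [
            (indicators.match_ip, [fields.get('src'), fields.get('dst')]),
            (indicators.match_domain, [fields.get('host')]),
            (indicators.match_filename, [fields.get('file')]),
        ]
        for fn, values in checks:
            for v in values:
                if v is None:
                    continue
                m = fn(v)
                if m:
                    hits.append(Hit(n, m[0], m[1], m[2], v))
    return hits


if __name__ == '__main__':
    for h in scan_logs(IndicatorSet(FEED), LOGS):
        print(f"line {h.line_no}: {h.indicator_type} {h.indicator} [{h.tag}] matched {h.observed}")
```

Run as-is it flags four of the five constructed lines (the scanner IP, an address inside the C2 range, the subdomain of the listed domain and the dropper file name) and leaves the `www.example.org` and `192.0.2.10` traffic alone. Domains are normalized to lower case and matched up the label chain, and IPs are checked against both exact entries and CIDR ranges; hashes and URLs from a real feed would slot into the same structure. Both source and destination addresses are checked so the same rule covers inbound scanning and outbound connections.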
Internal sources of threat intel data
• Baseline security controls:
  – Firewalls and router ACLs
  – IDS/IPS
  – Antivirus
  – Proxies and load balancers
  – Log management
• More advanced controls:
  – SIEM
  – Host IDS/whitelisting
  – Malware sandboxing
• So why are we still getting hacked?!
Collaborative Threat Intelligence
• Diversity in threat intelligence limits attackers' ability to isolate targets by industry, location, size, etc.
• The AlienVault Open Threat ExchangeTM (OTX) is the world’s largest collaborative threat intelligence system
• AlienVault Labs validates threat data and contributes from their research
SIEM Challenges Abound
• Many SIEM users have had challenges getting needed insights
• Why? A vast variety of issues can lead us here:
  – Difficulty deploying
  – Lack of integration
  – Challenging UI and usability
  – No threat intelligence
  – Difficult correlation rules
  – Poor planning
Lessons Learned the Hard Way
• Situation: "Tribal" knowledge and a move to an MSSP
  – Lesson learned: Improve documentation and planning around internal data types and use cases
• Situation: "You are what you eat"
  – Lesson learned: Review your data sources before AND after your deployment
Getting More From a SIEM
• There are several important things organizations can do to improve SIEM success:
  – Assess integration with data/tools
  – Discuss outcomes/use cases
  – Assess ease-of-use and implementation
  – Look for threat intelligence integration, both external and internal
Fundamental SIEM Integration Points
• Asset discovery and inventory
• Vulnerability assessment
• Network packet/flow analysis (packet capture)
• Wireless intrusion detection (WIDS)
• Host-based intrusion detection (HIDS)
• Network-based intrusion detection (NIDS)
• File integrity monitoring
• Log management
Discuss Outcomes & Use Cases
• Every organization is different
  – Business use cases
  – Compliance/security priorities
  – Existing gaps
• Build technical rule implementations of business use cases
  – Identify & monitor privileged users
  – Build behavior profiles
  – Detect C&C channels more rapidly
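A worked example of one such rule, added here as an illustration and not taken from the webcast or from any SIEM product: a behavior-profile check that finds C&C-style beaconing in flow records. It groups flows by (source, destination, port), measures the gaps between consecutive connections, and flags pairs whose timing and payload size are too regular to be a person browsing. The flow records, the thresholds (`min_flows`, `max_cv`, `max_bytes_cv`) and the addresses are all constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed flow records: (start time, src, dst, dport, bytes).
# Invented data using documentation addresses; not collector output.
FLOWS = [
    # 10.0.0.9 -> 198.51.100.23:443 roughly every 60 s with near-constant size:
    # the regularity, not the destination, is the signal here.
    ('2014-11-03T10:00:00Z', '10.0.0.9', '198.51.100.23', 443, 512),
    ('2014-11-03T10:01:01Z', '10.0.0.9', '198.51.100.23', 443, 498),
    ('2014-11-03T10:02:00Z', '10.0.0.9', '198.51.100.23', 443, 530),
    ('2014-11-03T10:02:59Z', '10.0.0.9', '198.51.100.23', 443, 501),
    ('2014-11-03T10:04:01Z', '10.0.0.9', '198.51.100.23', 443, 515),
    ('2014-11-03T10:05:00Z', '10.0.0.9', '198.51.100.23', 443, 509),
    ('2014-11-03T10:06:00Z', '10.0.0.9', '198.51.100.23', 443, 520),
    # 10.0.0.5 -> 192.0.2.10:443 at irregular, user-driven intervals and sizes.
    ('2014-11-03T10:00:05Z', '10.0.0.5', '192.0.2.10', 443, 40211),
    ('2014-11-03T10:00:07Z', '10.0.0.5', '192.0.2.10', 443, 1200),
    ('2014-11-03T10:03:40Z', '10.0.0.5', '192.0.2.10', 443, 88000),
    ('2014-11-03T10:03:41Z', '10.0.0.5', '192.0.2.10', 443, 650),
    ('2014-11-03T10:09:12Z', '10.0.0.5', '192.0.2.10', 443, 30000),
    ('2014-11-03T10:20:00Z', '10.0.0.5', '192.0.2.10', 443, 2000),
    ('2014-11-03T10:20:03Z', '10.0.0.5', '192.0.2.10', 443, 5000),
]


def parse_ts(s):
    return datetime.strptime(s, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)


def find_beacons(flows, min_flows=6, max_cv=0.15, max_bytes_cv=0.5):
    """Return (src, dst, dport) pairs whose inter-connection gaps and byte
    counts have a low coefficient of variation (stdev / mean).

    Thresholds are assumptions for the example, not values from the deck:
    min_flows   - fewer connections than this is not enough to judge regularity
    max_cv      - maximum gap variation accepted as "periodic"
    max_bytes_cv - maximum size variation (beacons tend to carry a fixed check-in)
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        by_pair[(src, dst, dport)].append((parse_ts(ts), nbytes))

    candidates = []
    for (src, dst, dport), recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        sizes = [n for _, n in recs]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # duplicate timestamps; cannot measure a period
        cv_gap = statistics.pstdev(gaps) / mean_gap
        cv_size = statistics.pstdev(sizes) / statistics.mean(sizes)
        if cv_gap <= max_cv and cv_size <= max_bytes_cv:
            candidates.append({
                'src': src, 'dst': dst, 'dport': dport,
                'count': len(recs),
                'period_s': round(mean_gap, 1),
                'gap_cv': round(cv_gap, 3),
                'size_cv': round(cv_size, 3),
            })
    return candidates


if __name__ == '__main__':
    for c in find_beacons(FLOWS):
        print(f"{c['src']} -> {c['dst']}:{c['dport']} every ~{c['period_s']}s "
              f"x{c['count']} (gap cv {c['gap_cv']}, size cv {c['size_cv']})")
```

On the constructed data the first pair is reported as a ~60 s beacon and the second is not. Legitimate software beacons too (update checks, time sync, monitoring agents), so in a SIEM this rule is a correlation input rather than an alert on its own: candidates gain weight when the destination also matches a threat-intel indicator, when the source is a privileged user's workstation, or when the pair is new relative to the host's usual destinations. Sophisticated implants add jitter to their interval, which raises `gap_cv`; widening `max_cv` or binning gaps before measuring variation trades false negatives for false positives.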
Ease-of-use & Implementation
• Many SIEM solutions have been notoriously difficult to implement and use
• SIEM platforms should be:
  – Relatively simple to install
  – Intuitive for analysts using the GUI or other tools
  – Easy to expand or upgrade
  – Understandable without a PhD
Questions for SIEM Vendors
Hint: Print this out for the next time they call you...
How long will it take to go from software installation to security insight? For reals.
How many staff members or outside consultants will I need for the integration work?
What can I do if I don’t have all of the external security technologies in place that can feed the SIEM (e.g. asset inventories, IDS, vulnerability scans, netflows, etc.)?
What is the anticipated mix of licensing costs to consulting and implementation fees?
Do your alerts provide step-by-step instructions for how to mitigate and respond to investigations?
Threat Intelligence: Questions to Ask
• What sources of threat intelligence are available?
• Are intelligence sources widely distributed, representing a range of organizations and technology?
• How is threat intelligence integrated with internal data sets?
• How can threat intelligence be shared securely?
Coordinated Analysis, Actionable Guidance
• Collaborative Threat Intelligence: AlienVault Open Threat Exchange™ (OTX)
  – 200,000 to 350,000 IPs validated daily
  – 8,000 collection points
  – 140 countries
• Join OTX: www.alienvault.com/open-threat-exchange
A Unified Approach
(Diagram: AlienVault USM™, powered by AV Labs Threat Intelligence)
• ASSET DISCOVERY: Active Network Scanning; Passive Network Scanning; Asset Inventory; Host-based Software Inventory
• VULNERABILITY ASSESSMENT: Continuous Vulnerability Monitoring; Authenticated / Unauthenticated Active Scanning
• BEHAVIORAL MONITORING: Log Collection; Netflow Analysis; Service Availability Monitoring
• THREAT DETECTION: Network IDS; Host IDS; Wireless IDS; File Integrity Monitoring
• SECURITY INTELLIGENCE: SIEM Event Correlation; Incident Response
Conclusion
• Some organizations have traditionally been afraid of SIEM
  – But do they need to be?
• SIEM platforms *can* be implemented and managed without horror stories
• The key is planning up front, and asking key questions of potential vendors
• A unified approach will prove more successful with limited resources
Questions?
Q@SANS.ORG
Thank You!
Three Ways to Test Drive AlienVault USM
• Download a Free 30-Day Trial: http://www.alienvault.com/free-trial
• Try our Interactive Demo: http://www.alienvault.com/live-demo-site
• Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usm-live-demo