jumpstart guide for siem in aws

©2019 SANSTM Institute | www.sans.org Sponsored by:

JumpStart Guide for SIEM in AWSMonthly Webinar Series

in conjunction with


Sponsored by

Jumpstart Guide for Security Information and Event

Management (SIEM) in AWS


Today’s Speakers

• J. Michael Butler, SANS Analyst and Information Security Consultant

• Jay Austad, VP, Orchestration and Automation Solutions, Optiv

• David Aiken, Solutions Architect Manager, AWS Marketplace

3


Today’s Agenda

• Integrating Security Information and Event Management (SIEM) to the cloud

• Benefits and Options

• On premises vs. cloud

• Growing adoption of Security Orchestration and Automated Response (SOAR)

• Goals of Integration

• AWS tools and options

4


• SIEM systems continue to mature and add functionality.

• Adding SOAR capabilities increases value –(exponentially?)

• NIST: “Present [event] data as actionable information via a single interface” has cloud implications.

• There are advantages to pushing events to SIEM in the cloud.

Integrating SIEM to the Cloud

5


• Enhancements are regularly added to the cloud.

• Hardware, OS, software maintenance responsibilities that belong to provider

• Quickly adjust elastic resources to incident related events

• Security can be designed to ensure forensically sound log and data storage.

Benefits of SIEM in the cloud

6


• Governance, policies, and standards

• Reporting and metrics

• Budget, funding, and support

• Risk classifications

Business Considerations

7


• Requirements for compliance with policies and standards

• Capacity and speed—ingestion, analytics, and storage

• Agent-based vs. agentless

• Secure data in transit and at rest

• Operational and monitoring responsibility

• Development of processes and procedures

Technical and Operations Considerations

8


On-Premises

• Limited scale

• Unknown and hidden costs

• Resources assigned

• Infrastructure in place

• Familiarity and internal documentation

• Long term storage

Cloud• Unlimited scale• Predictable costs• Documentation• Training• Infrastructure available as

needed• Support• Available storage tiers

On-Premises vs. Cloud

9


• Security Orchestration and Automated Response

• Growing Integration and Adoption into SIEM (Gartner)

• Analyze Events for Known Incident Patterns

• Incorporate Logic for Appropriate Response

• Test, Review, Refine, Reduce False Positives

• Use Threat and Vulnerability Data for Continuous Enhancement

Incident Response Automation

10


• Combine log data from on-prem and off-prem systems.

• Provide the best speed possible for ingestion and analysis.

• Close gaps that may exist in current infrastructure.

• Add automated incident response where possible.

• Abbreviate reaction and dwell time to incidents.

• Add ability to grow log collection and analysis to scale.

• Better resource management with predictable budgeting

Goals of Integration

11


• Move logging, analysis, alerting, and/or mitigation to the cloud?

• What current on-prem tools will continue to add value?

• Are there sufficient resources for training and management of “new” tools?

• How much is the budget for ongoing support?

Questions and Decisions

12


• Resource Constraints

• Cloud Context

• Efficiency

• Ease of use

• Integration requirements

• Availability of built-in tools

• Time to alert and reaction

AWS Considerations

13


• Have a plan

• Get C level buy in

• Build a team and get their buy in

• Consider partners

• Conduct Proof of Concept testing and evaluation

• Plan for growth and for long term

• Implement and integrate

Summary

14

KEY BENEFITS OF ADDING SOAR TO YOUR SIEM SOLUTIONJay Austad

VP, Orchestration and Automation Solutions, Optiv

CASE STUDY

16

Global Entertainment Company – SIEM Deployment

17

CHALLENGES

• Current licensing for legacy SIEM solution up

for renewal in less than 90 days

• Client required predictable TCO cost out 3

years

• Insufficient internal resources to deploy a new

platform in the required timeframe

• Any on-prem deployment would require a

significant acquisition of new hardware to

support the solution

18

SOLUTION

• Splunk in AWS

• Ingestion from multiple international datacenter

locations, office locations, as well as AWS

• Optiv services to deploy, integrate, and tune

19

OUTCOMES

• Solution fully deployed and in production within 6 weeks

from project start

• No additional hardware acquisition or deployment was

required, reducing the overall time to value

• No ongoing maintenance on server/OS platforms

required, reducing ongoing cost of ownership

• TCO was known up front without having to take into

account facility costs, power, labor for maintenance, etc

• The ability to scale quickly when required

• Deployment of Splunk in AWS saved the customer 75%

on initial deployment costs

SIEM/SOAR SYMBIOSIS

• The more effective a SIEM solution is, the greater the workload on the SOC because of increased quality alert volume

• SIEM solutions:

• Lack robust 3rd party API integration capabilities

• Require significant development for automation capabilities

• Are good at generating actionable alerts, but fail to be able to do advanced analysis of those alerts based on enrichment data, context, etc

• Lack a Case Management system that is robust or flexible enough for most customer needs

• SOAR leverages SIEM as the primary source of actionable alerts

• SOAR fills in the gaps where SIEM falls short

• SOAR is the communication bus for all of your disparate security (or non-security) tools

21

1. Automation

2. Integration

3. Process Enforcement

4. Metrics and KPIs

5. Unif ied Col laboration/Case Mgmt

6. Human Intel l igence Amplif icat ion

7. Brokered Access

“My analysts spend 90% of their time performing

tedious and repetitive tasks.”

• Automation of tedious and repetitive tasks

• Improvement in job satisfaction, less turnover

• Recovery of hours and reduction in labor costs

• Lessens or removes the burden of off-hour shifts

The 7 Benefits of adding SOAR to your SIEM solution

22

1. Automation

2. Integration


4. Metrics and KPIs



7. Brokered Access

“I bought all this stuff, how do I make it work together?”

• Built-in integrations for most common security tools

• Ability to easily write integrations for non-

supported tools

• No reliance on vendors to build support for other

vendors products

• Multiply the value of your existing tools and use

them more effectively


23

1. Automation

2. Integration


4. Metrics and KPIs



7. Brokered Access

“I rely on people to accurately follow a written

process, and that doesn’t always happen.”

• Elimination of human error

• Guardrails to ensure a process is followed to

spec every time

• Audit trails to ensure all steps were followed

• Ability to automatically pivot the process based

on the context of the alert (on-prem or cloud)


24

1. Automation

2. Integration


4. Metrics and KPIs



7. Brokered Access

“I have trouble showing the true value of our

solutions, and the effectiveness of our security

team.”

• Automatic collection of complex metrics

• ROI/Hours saved calculations

• Improved visibility of the overall operation of

the SOC


25

1. Automation

2. Integration


4. Metrics and KPIs

5. Unified Collaboration/Case Mgmt


7. Brokered Access

”My people utilize several different platforms for incident

management, there is no one single source of truth.”

• Reduction in systems/platforms that analysts must

touch directly

• Purpose built case management for incident

response

• Increased analyst efficiency and ability to pivot

• Single source of truth for security incidents


26

1. Automation

2. Integration


4. Metrics and KPIs


6. Human Intelligence Amplification

7. Brokered Access

“My people do not have the information or the time to

effectively make accurate determinations on every

alert.”

• Ability to make an automated analysis based on 3rd

party threat intel, contextual information, or other

enrichment data

• Ability to use rules, algorithms, and machine

learning to improve the analysis of incidents

• Ability to use the analysis to kick off automated

remediation tasks


27

1. Automation

2. Integration


4. Metrics and KPIs



7. Brokered Access

“I have to escalate certain tasks to higher tiers or other

teams for remediation, which adds a significant delay to

the resolution and puts my organization at risk.”

• Give analysts access to specific tasks without the

requirement of full administrative access to

systems.

• Lessens the need to escalate to higher tiers or other

teams for data collection or remediation.

• Dramatic reduction in Time to Resolution


CASE STUDY - HIA

28

Global 50 Organizationwith over 100,000 employees

29

CHALLENGES

No SOC and limited security tools that would

provide visibility and remediation capabilities

No good way to estimate alert volume in the new

SOC

Much greater volume of alerts than anticipated on

go-live date

30

SOLUTION

• Implementation of Splunk Phantom in AWS for rapid

deployment and ease of integration to Sumo Logic in AWS,

as well as on-prem platforms

• A Human Intelligence Amplification playbook to do all of

the initial true/false positive identification to lessen analyst

workload

Human Intelligence Amplification functions:

• Severity Adjustment based on:

• Alert content

• Host Context

• User context

• True positive identification based on a scoring mechanism

that uses rules and algorithms to assign a confidence score.

31

OUTCOMES

• Reduction in ATD and

signal-to-noise ratio

• Increased analyst efficiency

• Higher true positive rate

• Enriched data sets ->

improved analysis capability

and visualization (i.e.

clustering)

389376

399

129111

9987

41

240 240 240 240 240

180 180 180

97.1 102.6 110.2

24.613.9 6.8 4.8 4

1 2 3 4 5 6 7 8

Average Time to Detect (Critical Alerts) in Minutes - Weekly

ATD Actual

ATD Target SLA

(Critical Alerts)

Voume of Alerts

(x10)

SIEM/SOAR IN AWS OUTCOMES

• Predictable costs

• Rapid deployment

• Dramatic reduction in deployment LOE

• Elimination of capital expenditures related to hardware and facilities

• Ease of scale

• Disaster Recovery and High Availability options

• Ability to leverage AWS security features such as GuardDuty when traditional on-prem security platforms do not provide the required visibility or functionality in the cloud


What SIEM and SOAR solutions are available in AWS

Marketplace?

SIEM and SOAR Portfolio

Splunk Cloud, Splunk Enterprise, and

Splunk Phantom offer comprehensive

SIEM and SOAR coverage.

Demisto Enterprise AMI

SOAR solution that can accelerate

incident response and security

operations.

Machine Data Analytics Service

Manage operation and security of

applications with machine learning

based analytics.

Alert Logic SIEMless Threat

Management

Security monitoring and threat

analysis from a certified security

team.


Blackstone increases security efficiency

Benefits:

• Reduced processing time of

malware alerts to 40 seconds

from 30+ minutes

• Ensured a repeatable,

auditable process for

investigating alerts

• Increased accuracy and

consistency of response

process

using Splunk Phantom SOAR technology


Benefits:

• Saved hundreds of hours

across security team through

automation

• Increased visibility aided

cross-departmental alignment

and problem solving

• Reduced time spent on

compliance efforts

Pokemon protects customer’s privacy

with cloud-native Machine Data Analytics Service


Why AWS Marketplace?

Flexible consumption

and contract models Quick and

easy deployment

Trusted

Consulting Partners


How can you get started?

Complete the survey to learn more

on the solutions mentionedCloud Security Architecture

Assessment for AWS


Please use GoToWebinar’sQuestions tool to submit questions to our panel.

Send to “Organizers” and tell us if it’s for a specific panelist.

Q&A

39


And to our attendees, thank you for joining us today!

Acknowledgments

Thanks to our sponsor:

To our special guest:

40

David Aiken and Jay Austad

jumpstart guide for siem in aws

Documents