Jumpstart Guide for SIEM in AWS
TRANSCRIPT
©2019 SANS™ Institute | www.sans.org | Sponsored by:
JumpStart Guide for SIEM in AWS, Monthly Webinar Series, in conjunction with:
Jumpstart Guide for Security Information and Event Management (SIEM) in AWS
Today’s Speakers
• J. Michael Butler, SANS Analyst and Information Security Consultant
• Jay Austad, VP, Orchestration and Automation Solutions, Optiv
• David Aiken, Solutions Architect Manager, AWS Marketplace
Today’s Agenda
• Integrating Security Information and Event Management (SIEM) to the cloud
• Benefits and Options
• On premises vs. cloud
• Growing adoption of Security Orchestration and Automated Response (SOAR)
• Goals of Integration
• AWS tools and options
Integrating SIEM to the Cloud
• SIEM systems continue to mature and add functionality.
• Adding SOAR capabilities increases value (exponentially?).
• NIST: “Present [event] data as actionable information via a single interface” has cloud implications.
• There are advantages to pushing events to SIEM in the cloud.
Benefits of SIEM in the cloud
• Enhancements are regularly added to the cloud.
• Hardware, OS, and software maintenance responsibilities belong to the provider.
• Elastic resources can be adjusted quickly in response to incident-related events.
• Security can be designed to ensure forensically sound log and data storage.
Business Considerations
• Governance, policies, and standards
• Reporting and metrics
• Budget, funding, and support
• Risk classifications
Technical and Operations Considerations
• Requirements for compliance with policies and standards
• Capacity and speed: ingestion, analytics, and storage
• Agent-based vs. agentless
• Secure data in transit and at rest
• Operational and monitoring responsibility
• Development of processes and procedures
On-Premises vs. Cloud
On-Premises
• Limited scale
• Unknown and hidden costs
• Resources assigned
• Infrastructure in place
• Familiarity and internal documentation
• Long term storage
Cloud
• Unlimited scale
• Predictable costs
• Documentation
• Training
• Infrastructure available as needed
• Support
• Available storage tiers
Incident Response Automation
• Security Orchestration and Automated Response
• Growing integration and adoption into SIEM (Gartner)
• Analyze events for known incident patterns
• Incorporate logic for an appropriate response
• Test, review, refine, reduce false positives
• Use threat and vulnerability data for continuous enhancement
Goals of Integration
• Combine log data from on-prem and off-prem systems.
• Provide the best speed possible for ingestion and analysis.
• Close gaps that may exist in current infrastructure.
• Add automated incident response where possible.
• Shorten reaction time and dwell time for incidents.
• Add the ability to scale log collection and analysis as volume grows.
• Better resource management with predictable budgeting.
Questions and Decisions
• Move logging, analysis, alerting, and/or mitigation to the cloud?
• What current on-prem tools will continue to add value?
• Are there sufficient resources for training and management of “new” tools?
• How much is the budget for ongoing support?
AWS Considerations
• Resource constraints
• Cloud context
• Efficiency
• Ease of use
• Integration requirements
• Availability of built-in tools
• Time to alert and reaction
Summary
• Have a plan
• Get C-level buy-in
• Build a team and get their buy-in
• Consider partners
• Conduct proof-of-concept testing and evaluation
• Plan for growth and for the long term
• Implement and integrate
KEY BENEFITS OF ADDING SOAR TO YOUR SIEM SOLUTION
Jay Austad, VP, Orchestration and Automation Solutions, Optiv
CASE STUDY
Global Entertainment Company – SIEM Deployment
CHALLENGES
• Current licensing for legacy SIEM solution up for renewal in less than 90 days
• Client required a predictable TCO, costed out over 3 years
• Insufficient internal resources to deploy a new platform in the required timeframe
• Any on-prem deployment would require a significant acquisition of new hardware to support the solution
SOLUTION
• Splunk in AWS
• Ingestion from multiple international datacenter locations and office locations, as well as AWS
• Optiv services to deploy, integrate, and tune
OUTCOMES
• Solution fully deployed and in production within 6 weeks from project start
• No additional hardware acquisition or deployment was required, reducing the overall time to value
• No ongoing maintenance on server/OS platforms required, reducing ongoing cost of ownership
• TCO was known up front without having to take into account facility costs, power, labor for maintenance, etc.
• The ability to scale quickly when required
• Deployment of Splunk in AWS saved the customer 75% on initial deployment costs
SIEM/SOAR SYMBIOSIS
• The more effective a SIEM solution is, the greater the workload on the SOC, because the volume of quality alerts increases
• SIEM solutions:
  • Lack robust third-party API integration capabilities
  • Require significant development for automation capabilities
  • Are good at generating actionable alerts, but cannot do advanced analysis of those alerts based on enrichment data, context, etc.
  • Lack a case management system that is robust or flexible enough for most customer needs
• SOAR leverages SIEM as the primary source of actionable alerts
• SOAR fills in the gaps where SIEM falls short
• SOAR is the communication bus for all of your disparate security (or non-security) tools
The 7 Benefits of adding SOAR to your SIEM solution
1. Automation
2. Integration
3. Process Enforcement
4. Metrics and KPIs
5. Unified Collaboration/Case Mgmt
6. Human Intelligence Amplification
7. Brokered Access

1. Automation
“My analysts spend 90% of their time performing tedious and repetitive tasks.”
• Automation of tedious and repetitive tasks
• Improvement in job satisfaction, less turnover
• Recovery of hours and reduction in labor costs
• Lessens or removes the burden of off-hour shifts
2. Integration
“I bought all this stuff, how do I make it work together?”
• Built-in integrations for most common security tools
• Ability to easily write integrations for non-supported tools
• No reliance on vendors to build support for other vendors’ products
• Multiply the value of your existing tools and use them more effectively
3. Process Enforcement
“I rely on people to accurately follow a written process, and that doesn’t always happen.”
• Elimination of human error
• Guardrails to ensure a process is followed to spec every time
• Audit trails to ensure all steps were followed
• Ability to automatically pivot the process based on the context of the alert (on-prem or cloud)
4. Metrics and KPIs
“I have trouble showing the true value of our solutions, and the effectiveness of our security team.”
• Automatic collection of complex metrics
• ROI/hours saved calculations
• Improved visibility of the overall operation of the SOC
5. Unified Collaboration/Case Mgmt
“My people utilize several different platforms for incident management; there is no one single source of truth.”
• Reduction in systems/platforms that analysts must touch directly
• Purpose-built case management for incident response
• Increased analyst efficiency and ability to pivot
• Single source of truth for security incidents
6. Human Intelligence Amplification
“My people do not have the information or the time to effectively make accurate determinations on every alert.”
• Ability to make an automated analysis based on third-party threat intel, contextual information, or other enrichment data
• Ability to use rules, algorithms, and machine learning to improve the analysis of incidents
• Ability to use the analysis to kick off automated remediation tasks
7. Brokered Access
“I have to escalate certain tasks to higher tiers or other teams for remediation, which adds a significant delay to the resolution and puts my organization at risk.”
• Give analysts access to specific tasks without the requirement of full administrative access to systems
• Lessens the need to escalate to higher tiers or other teams for data collection or remediation
• Dramatic reduction in time to resolution
CASE STUDY - HIA
Global 50 organization with over 100,000 employees
CHALLENGES
• No SOC and limited security tools that would provide visibility and remediation capabilities
• No good way to estimate alert volume in the new SOC
• Much greater volume of alerts than anticipated on go-live date
SOLUTION
• Implementation of Splunk Phantom in AWS for rapid deployment and ease of integration to Sumo Logic in AWS, as well as on-prem platforms
• A Human Intelligence Amplification playbook to do all of the initial true/false positive identification to lessen analyst workload
Human Intelligence Amplification functions:
• Severity adjustment based on:
  • Alert content
  • Host context
  • User context
• True positive identification based on a scoring mechanism that uses rules and algorithms to assign a confidence score.
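The severity adjustment and confidence scoring just described, worked through as an added Python example. This is not Optiv's playbook and not Splunk Phantom code: the alert fields, the host and user context tables, the threat-intel indicator, the weights and the 60-point threshold are all constructed assumptions, and a real playbook would fetch the context from a CMDB, an identity provider and an intel feed through the SOAR's integrations. The same block covers the "analyze events for known incident patterns, incorporate logic for an appropriate response" steps from the Incident Response Automation slide, and it records every adjustment in an audit trail of the kind the Process Enforcement benefit calls for. Unknown hosts or users are deliberately not scored; they are flagged for inventory review instead, since silently treating a missing record as benign is the classic way an enrichment playbook downgrades a real incident.

```python
"""HIA-style alert triage: severity adjustment plus a 0-100 confidence score.

Added example, not Optiv's or Splunk Phantom's playbook code. Alert layout,
context tables, weights and threshold are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

SEVERITY_ORDER = ["low", "medium", "high", "critical"]
TRUE_POSITIVE_THRESHOLD = 60  # assumed cut-off; tune against your own alert history

# Constructed enrichment sources (stand-ins for CMDB, IdP and intel integrations).
HOST_CONTEXT = {
    "fin-db-01": {"criticality": "high", "environment": "prod"},
    "dev-box-07": {"criticality": "low", "environment": "dev"},
}
USER_CONTEXT = {
    "svc_backup": {"privileged": True, "interactive_logon_expected": False},
    "jdoe": {"privileged": False, "interactive_logon_expected": True},
}
THREAT_INTEL_BAD_IPS = {"203.0.113.45"}  # TEST-NET-3 address, constructed indicator
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed alerts in the shape a SIEM might hand to the SOAR platform.
SAMPLE_ALERT = {"id": "alert-0001", "src_ip": "203.0.113.45", "dest_host": "fin-db-01",
                "user": "svc_backup", "severity": "medium"}
BENIGN_ALERT = {"id": "alert-0002", "src_ip": "10.20.30.40", "dest_host": "dev-box-07",
                "user": "jdoe", "severity": "medium"}


@dataclass
class TriageResult:
    alert_id: str
    severity: str
    confidence: int
    true_positive: bool
    audit_trail: list = field(default_factory=list)  # one entry per adjustment, for the case record


def bump_severity(severity, steps):
    """Move severity up or down the scale without running off either end."""
    idx = SEVERITY_ORDER.index(severity) + steps
    return SEVERITY_ORDER[max(0, min(len(SEVERITY_ORDER) - 1, idx))]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(alert, host_ctx=HOST_CONTEXT, user_ctx=USER_CONTEXT, intel=THREAT_INTEL_BAD_IPS):
    """Adjust severity from alert content, host and user context; score confidence."""
    result = TriageResult(alert["id"], alert.get("severity", "low"), 0, False)
    log = result.audit_trail.append
    score = 0

    # 1. Alert content: where did it come from, and is the source known-bad?
    if not is_internal(alert["src_ip"]):
        score += 20
        log("source IP is external: +20")
    if alert["src_ip"] in intel:
        score += 30
        result.severity = bump_severity(result.severity, 1)
        log("source IP on threat-intel list: +30, severity raised")

    # 2. Host context: a production crown jewel weighs more than a dev box.
    host = host_ctx.get(alert["dest_host"])
    if host is None:
        log("host missing from inventory: no adjustment, flagged for CMDB review")
    elif host["criticality"] == "high":
        score += 20
        result.severity = bump_severity(result.severity, 1)
        log("high-criticality host: +20, severity raised")
    elif host["environment"] == "dev":
        score -= 10
        log("dev host: -10")

    # 3. User context: privileged or out-of-pattern accounts raise confidence.
    user = user_ctx.get(alert["user"])
    if user is None:
        log("user unknown to identity provider: no adjustment, flagged for review")
    else:
        if user["privileged"]:
            score += 15
            result.severity = bump_severity(result.severity, 1)
            log("privileged account: +15, severity raised")
        if not user["interactive_logon_expected"]:
            score += 15
            log("interactive logon not expected for this account: +15")

    result.confidence = max(0, min(100, score))
    result.true_positive = result.confidence >= TRUE_POSITIVE_THRESHOLD
    verdict = "true positive" if result.true_positive else "likely false positive"
    log(f"confidence {result.confidence} vs threshold {TRUE_POSITIVE_THRESHOLD}: {verdict}")
    return result


if __name__ == "__main__":
    for a in (SAMPLE_ALERT, BENIGN_ALERT):
        r = triage(a)
        print(f"{r.alert_id}: severity={r.severity} confidence={r.confidence} tp={r.true_positive}")
        print("\n".join("    " + line for line in r.audit_trail))
```

Run as a script, the first constructed alert (external, intel-listed source hitting a production database with a privileged service account that never logs on interactively) ends at severity critical with confidence 100, while the second (internal source, dev host, ordinary user) is clamped to 0 and handed back as a likely false positive. The audit_trail list is what you would attach to the case so a reviewer can see exactly which rule moved the score, which is the "test, review, refine" loop the Incident Response Automation slide describes.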
OUTCOMES
• Reduction in ATD (average time to detect) and an improved signal-to-noise ratio
• Increased analyst efficiency
• Higher true positive rate
• Enriched data sets -> improved analysis capability and visualization (e.g. clustering)

Average Time to Detect (Critical Alerts) in Minutes - Weekly (values read from the chart)
Week  ATD Actual (min)  ATD Target SLA, Critical Alerts (min)  Volume of Alerts (x10)
1     97.1              240                                    389
2     102.6             240                                    376
3     110.2             240                                    399
4     24.6              240                                    129
5     13.9              240                                    111
6     6.8               180                                    99
7     4.8               180                                    87
8     4                 180                                    41
SIEM/SOAR IN AWS OUTCOMES
• Predictable costs
• Rapid deployment
• Dramatic reduction in deployment level of effort (LOE)
• Elimination of capital expenditures related to hardware and facilities
• Ease of scale
• Disaster Recovery and High Availability options
• Ability to leverage AWS security features such as GuardDuty when traditional on-prem security platforms do not provide the required visibility or functionality in the cloud
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Discovering SIEM and SOAR solutions available in AWS Marketplace
What SIEM and SOAR solutions are available in AWS Marketplace?
SIEM and SOAR Portfolio
• Splunk Cloud, Splunk Enterprise, and Splunk Phantom offer comprehensive SIEM and SOAR coverage.
• Demisto Enterprise AMI: SOAR solution that can accelerate incident response and security operations.
• Machine Data Analytics Service: manage operation and security of applications with machine-learning-based analytics.
• Alert Logic SIEMless Threat Management: security monitoring and threat analysis from a certified security team.
Blackstone increases security efficiency using Splunk Phantom SOAR technology
Benefits:
• Reduced processing time of malware alerts to 40 seconds from 30+ minutes
• Ensured a repeatable, auditable process for investigating alerts
• Increased accuracy and consistency of response process
Pokemon protects customers’ privacy with cloud-native Machine Data Analytics Service
Benefits:
• Saved hundreds of hours across security team through automation
• Increased visibility aided cross-departmental alignment and problem solving
• Reduced time spent on compliance efforts
Why AWS Marketplace?
• Flexible consumption and contract models
• Quick and easy deployment
• Trusted Consulting Partners
How can you get started?
Complete the survey to learn more on the solutions mentioned.
Cloud Security Architecture Assessment for AWS
Q&A
Please use GoToWebinar’s Questions tool to submit questions to our panel.
Send to “Organizers” and tell us if it’s for a specific panelist.
Acknowledgments
Thanks to our sponsor:
To our special guests: David Aiken and Jay Austad
And to our attendees, thank you for joining us today!