NEXT-GENERATION SIEM: DELIVERED FROM THE CLOUD James Brown. Director of Cloud Computing & Solution Architecture

Upload: alert-logic

Post on 19-Jul-2015


TRANSCRIPT

Page 1: Next-Generation SIEM: Delivered from the Cloud

NEXT-GENERATION SIEM: DELIVERED FROM THE CLOUD

James Brown. Director of Cloud Computing & Solution Architecture

Page 2: Next-Generation SIEM: Delivered from the Cloud

Before We Begin

Housekeeping

• Turn on your system’s sound to hear the streaming presentation
• Questions? Submit them to the presenter at any time in the question box
• The presentation slides will be available to download from the attachment tab after the webinar
• The webinar will be recorded and published on BrightTalk
• Technical problems? Click “Help”

Speaker

• James Brown
• Director of Cloud Computing & Security Architecture, Alert Logic

Page 3: Next-Generation SIEM: Delivered from the Cloud

The Evolution of Technology and Attacks

TRADITIONAL SIEMS

Early 2000’s: The Physical Data Center
• x86 servers predominant
• Primarily on-premises
• Hosting providers emerge
• Cloud options being developed

Mid 2000’s: The Virtual Data Center
• Virtualization becomes mainstream
• Public clouds launch
• Mobile devices proliferate

2014 & Beyond: The Hybrid Data Center
• Cloud First/Mobile First approach by many companies
• Public cloud and Hybrid IT environments mainstream

THREATS AND ATTACKS

Early 2000’s: The Early Days of Threats
• Basic malware
• Spray and pray
• Smash-n-grab
• Solo hackers
• Mischief motivation

Mid 2000’s: Catalyst for Change
• Proliferation of malware
• Organized hacking groups
• Access to information
• Financial gain motivation

2014 & Beyond: Next Generation Threats
• Advanced attacks
• Multi-vector approach
• Social engineering
• Targeted recon
• Long duration compromises

Page 4: Next-Generation SIEM: Delivered from the Cloud

Today’s Attacks are Becoming More Complex

• Attacks are multi-stage, using multiple threat vectors
• It takes organisations months to identify that they have been compromised [1]
  - 229 days on average before detection of compromise
• Over two-thirds of organizations find out from a 3rd party that they have been compromised [2]

Attack lifecycle: Initial Attack → Identify & Recon → Command & Control → Discover & Spread → Extract & Exfiltrate

The Impact
• Financial loss
• Harm to brand and reputation
• Scrutiny from regulators

[1] IDC Worldwide Security and Vulnerability Management 2014–2018 Forecast
[2] 2014 M-Trends Threat Report

Page 5: Next-Generation SIEM: Delivered from the Cloud

Why SIEMs are valuable

• Security is getting to the point of information overload
• A SIEM increases an organisation’s security posture
  - Through visibility and situational awareness
  - Deployment of detective and protective controls
  - Data from the network, systems and applications fed to the SIEM
  - Allows complex issues to be defined, categorized and expressed in logic
• The effectiveness of a SIEM in detecting pre- and post-compromise activity is directly related to the success of collecting data.
• It is all about the data

Page 6: Next-Generation SIEM: Delivered from the Cloud

What is a SIEM?

Components
• Infrastructure (servers, etc.)
• Hardware
• Software
• Integration
• Experts
• Threat Intelligence
• Correlation Rules
• Data sources to feed the SIEM
• Licensing
• Databases

What it takes to run
• Lots of people, software, hardware, process
• Threat intelligence feeds
• Write parsers, alert and correlation rules; ongoing tuning
• Subscribe to & incorporate intelligence feeds
• Review & respond to alerts

Page 7: Next-Generation SIEM: Delivered from the Cloud

Do Traditional SIEMs deliver value?

• The people cost was more than expected in the usage of the SIEM
• Big, complex applications that demanded the user not only know the SIEM but be expert in understanding event sources.
• Lengthy implementations
• Burden of on-going operational support (configuration, tuning, etc.)

Page 8: Next-Generation SIEM: Delivered from the Cloud

Potential Pitfalls in the Cloud

• Licensing

• Capabilities

• Performance

• Move to the Cloud

• Support for DevOps

• Scalability

• Multiple Platforms

- Different cloud providers, OS, versions

Page 9: Next-Generation SIEM: Delivered from the Cloud

The Characteristics of a Modern SIEM

• Fully managed

- Infrastructure

- Security content and correlation rules

- Monitored 24x7

• Big data

• Unlimited scale

• Cloud ready

• Can collect data without access to underlying cloud host infrastructure

• DevOps

Page 10: Next-Generation SIEM: Delivered from the Cloud

The Characteristics of a Modern SIEM

• Configuration Management
  - Ex: Chef, Ansible, AWS CloudFormation templates
• Support cloud provider data types
  - Ex: AWS CloudTrail

• Easily extensible

• Not limited by domain, source, message, or event frequency or uniqueness

• Automatically incorporates 3rd party watch lists

• Dynamically generate watch lists based on real time data

Page 11: Next-Generation SIEM: Delivered from the Cloud

Monitoring your Environment

ALERT LOGIC CLOUD DEFENDER

• Identify Attacks & Protect Customers
• Big Data Analytics Platform: Alert Logic ActiveAnalytics
• Threat Intelligence & Security Content: Alert Logic ActiveIntelligence
• 24 x 7 Monitoring & Escalation: Alert Logic ActiveWatch

Customer IT Environment (Cloud, Hybrid, On-Premises) feeds in:
• Web application events
• Log data
• Network incidents

Page 12: Next-Generation SIEM: Delivered from the Cloud

Creating Threat Intelligence to Feed a Modern SIEM

INPUTS (Data Sources)
• Honey Pot Network
• Flow-based Forensic Analysis
• Malware Forensic Sandboxing
• Intelligence Harvesting Grid
• Alert Logic Threat Manager Data
• Alert Logic Log Manager Data
• Alert Logic Web Security Manager Data
• Alert Logic ScanWatch Data
• Asset Model Data
• Customer Business Data

Security Content, Applied Analytics and Threat Intelligence Research are produced from these inputs and delivered as INCIDENTS through the Customer Security Operations Center (24/7).

Page 13: Next-Generation SIEM: Delivered from the Cloud

What You Need to Solve the SIEM Problem

• Experts create and manage correlation rules that identify threats and reduce false positives
• Threat researchers continuously provide content enabling detection of emerging threats
• Threat coverage across the application stack delivers broad visibility and protection
• It must work in a highly agile multi-platform environment.

RULE CREATION & MANAGEMENT · CONTINUOUS THREAT RESEARCH · RESULTS DELIVERED · FULL STACK CORRELATION
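Pages 10 and 13 describe two things a modern SIEM is expected to do: apply correlation rules that reduce false positives, and generate watch lists dynamically from real-time data such as AWS CloudTrail. The Python below is added here as an illustration; it is not Alert Logic code and not any product's rule language. It runs one correlation rule over constructed CloudTrail-style ConsoleLogin records: the rule alerts only when at least `threshold` failed logins from one source address inside a sliding time window are followed by a success from that same address, so a single mistyped password never fires, and every address that trips the rule is added to a watch list that later events are checked against. The field names (`eventTime`, `eventName`, `sourceIPAddress`, `userIdentity.userName`, `responseElements.ConsoleLogin`) follow CloudTrail's ConsoleLogin records; the event contents, addresses, users, threshold and window are constructed for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(time, ip, user, outcome):
    """Build one constructed CloudTrail-style ConsoleLogin record as a JSON line.
    Field names follow CloudTrail; the values are sample data, not a real trail."""
    return json.dumps({
        "eventTime": time,
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": outcome},
    })


# Constructed sample trail (addresses are from documentation ranges, not real hosts).
SAMPLE_EVENTS = [
    _ev("2015-07-19T09:45:00Z", "198.51.100.9", "bob", "Failure"),    # old, outside the window
    _ev("2015-07-19T09:46:00Z", "198.51.100.9", "bob", "Failure"),    # old, outside the window
    _ev("2015-07-19T10:00:05Z", "203.0.113.7", "alice", "Failure"),
    _ev("2015-07-19T10:00:40Z", "203.0.113.7", "alice", "Failure"),
    _ev("2015-07-19T10:01:15Z", "203.0.113.7", "alice", "Failure"),
    _ev("2015-07-19T10:01:50Z", "203.0.113.7", "alice", "Success"),   # 3 failures then success
    _ev("2015-07-19T10:03:00Z", "198.51.100.9", "bob", "Failure"),    # one recent mistyped password
    _ev("2015-07-19T10:03:30Z", "198.51.100.9", "bob", "Success"),    # benign: below threshold
    _ev("2015-07-19T10:05:00Z", "192.0.2.5", "carol", "Success"),     # clean login, no failures
    _ev("2015-07-19T10:30:00Z", "203.0.113.7", "dave", "Failure"),    # later activity from a listed IP
]


def parse_event(raw):
    """Extract only the fields the rule needs from one CloudTrail JSON record."""
    rec = json.loads(raw)
    return {
        "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "name": rec["eventName"],
        "ip": rec["sourceIPAddress"],
        "user": rec.get("userIdentity", {}).get("userName", "<unknown>"),
        "ok": rec.get("responseElements", {}).get("ConsoleLogin") == "Success",
    }


def correlate(raw_events, threshold=3, window_minutes=10):
    """Apply one correlation rule and maintain a dynamic watch list.

    Rule: at least `threshold` failed ConsoleLogin attempts from one source
    address inside a sliding window of `window_minutes`, followed by a
    successful ConsoleLogin from that same address, raises an alert and adds
    the address to the watch list. Any later event from a watch-listed address
    raises a separate "watchlist-hit" alert. Returns (alerts, watchlist).
    """
    window = timedelta(minutes=window_minutes)
    events = sorted((parse_event(r) for r in raw_events), key=lambda e: e["time"])
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    watchlist = set()
    alerts = []
    for e in events:
        if e["name"] != "ConsoleLogin":
            continue
        if e["ip"] in watchlist:   # watch list generated by earlier alerts, applied to later data
            alerts.append({"rule": "watchlist-hit", "ip": e["ip"], "user": e["user"],
                           "time": e["time"].isoformat()})
            continue
        recent = failures[e["ip"]]
        while recent and e["time"] - recent[0] > window:   # expire failures outside the window
            recent.popleft()
        if not e["ok"]:
            recent.append(e["time"])
            continue
        if len(recent) >= threshold:   # success only alerts after enough recent failures
            alerts.append({"rule": "brute-force-then-success", "ip": e["ip"], "user": e["user"],
                           "failures": len(recent), "time": e["time"].isoformat()})
            watchlist.add(e["ip"])
            recent.clear()
    return alerts, watchlist


if __name__ == "__main__":
    found, listed = correlate(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("watch list:", sorted(listed))
```

With the default threshold and window the sample trail yields two alerts (alice's login after three failures, then dave's later attempt from the listed address) and nothing for bob, whose two old failures have aged out of the window. Widening the window to 60 minutes makes bob's three failures count and he alerts too, which is the tuning trade-off page 7 calls "ongoing tuning": the same rule, with a different window, changes the false-positive rate.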

Page 14: Next-Generation SIEM: Delivered from the Cloud

Get Connected

www.alertlogic.com

@alertlogic

linkedin.com/company/alert-logic

alertlogic.com/resources/blog/

youtube.com/user/AlertLogicTV

brighttalk.com/channel/11587

Resources

All available under the “Attachments” tab of the webinar:

• 451 Research Report
  - Outlines Alert Logic approach to SIEM
• Zero Day Magazine
• Weekly Threat Newsletter

Page 15: Next-Generation SIEM: Delivered from the Cloud

Thank you.