SIEM EVOLUTION A day in the life of a Security Architect Stijn Vande Casteele 28 September 2009

Upload: stijn-vande-casteele

Post on 11-Nov-2014


DESCRIPTION

Back in 2003, Telindus developed a business case for delivering SIEM managed security services to the enterprise market. This session sheds light on the different tooling migrations and explains in depth the different evolutions we achieved from an architecture, security operations, services and content evolution standpoint. It is geared towards application developers, architects, SOC employees, business consultants and program managers.

TRANSCRIPT

Page 1: SIEM evolution

SIEM EVOLUTION A day in the life of a Security Architect

Stijn Vande Casteele

28 September 2009

Page 2: SIEM evolution

Who are we / Key Brands

www.arcsight.com © 2009 ArcSight Confidential 2

Page 3: SIEM evolution

International presence: Leading ICT integrator in Western Europe

• Leading ICT integrator in Belgium, France & Luxembourg

• 32 affiliates in Western Europe

• Global reach through strategic partners

Sensitivity: "Unrestricted"


Page 4: SIEM evolution

What do I do?

• My team provides solutions to underpin the on-site and managed SIEM services, with a focus on the what and the how!

• Engineer a grid/cloud/infrastructure to deliver these services to customers (enterprises) with a focus on security operations.

• Steer the service catalogue with fresh use cases (add value).

• Integrate technologies with our architecture to build automations and enhance the richness of our SIEM clouds:
  - Data source configuration documents
  - Automatic ticket creation
  - Portal visualizations
  - Self-monitoring

• 2nd line support for security management related infrastructure (applications/systems) and forensic security investigations.

• Advice in general on a diverse range of pre-sales and service questions within this domain.

• Objective: centre of excellence (SIEM think-tank for the Belgacom group)


Page 5: SIEM evolution

Agenda

• Security Monitoring

• SIEM architectures

• Use Cases


Page 6: SIEM evolution

Firewall Security Monitoring

• Inbound top drops: maintain an active list of confirmed scanners from the Internet.

• Outbound top drops: can spot infected internal systems or configuration errors (e.g. wrong DNS or NTP client configuration).

• Outbound: if the firewall accepts from IP addresses in the active list, increase the event priority.

(Diagram: firewall logs fed into the SIEM.)
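The three rules on this slide, run over a handful of constructed firewall log lines. This is an added example, not code from the deck or from ArcSight; the log line format, the scanner threshold (three distinct internal targets) and the priority values are assumptions.

```python
"""Firewall drop/accept correlation: build an active list of confirmed
scanners from inbound top drops, list outbound top drops, and raise the
priority of accepted connections that involve a listed address.
Added example; the log format and thresholds below are assumptions."""
from collections import Counter, defaultdict

# Constructed sample lines: "<action> <direction> <src> <dst> <dport>"
SAMPLE_LOGS = """\
DROP in 203.0.113.5 10.0.0.10 22
DROP in 203.0.113.5 10.0.0.11 22
DROP in 203.0.113.5 10.0.0.12 22
DROP in 203.0.113.5 10.0.0.13 22
DROP in 198.51.100.9 10.0.0.10 3389
DROP out 10.0.0.50 8.8.8.8 53
DROP out 10.0.0.50 8.8.8.8 53
DROP out 10.0.0.50 8.8.4.4 53
DROP out 10.0.0.77 198.51.100.77 6667
ACCEPT in 203.0.113.5 10.0.0.80 443
ACCEPT in 192.0.2.1 10.0.0.80 443
ACCEPT out 10.0.0.77 203.0.113.5 80
""".splitlines()

SCANNER_THRESHOLD = 3                 # distinct internal targets before a source is a "confirmed scanner" (assumption)
BASE_PRIORITY, RAISED_PRIORITY = 3, 8  # assumed priority scale


def parse(line):
    """One constructed log line -> event dict."""
    action, direction, src, dst, dport = line.split()
    return {"action": action, "dir": direction, "src": src, "dst": dst,
            "dport": int(dport), "priority": BASE_PRIORITY}


def confirmed_scanners(events):
    """Inbound top drops: external sources whose drops touched many distinct
    internal hosts go into the active list."""
    targets = defaultdict(set)
    for e in events:
        if e["action"] == "DROP" and e["dir"] == "in":
            targets[e["src"]].add(e["dst"])
    return {src for src, hosts in targets.items() if len(hosts) >= SCANNER_THRESHOLD}


def outbound_top_drops(events, n=3):
    """Outbound top drops: repeated drops from one internal host to the same
    destination/port point at a misconfigured client (DNS, NTP) or an infected host."""
    counts = Counter((e["src"], e["dst"], e["dport"])
                     for e in events if e["action"] == "DROP" and e["dir"] == "out")
    return counts.most_common(n)


def prioritise(events, active_list):
    """Accepted connections with a listed address on either end get a raised priority."""
    out = []
    for e in events:
        if e["action"] == "ACCEPT" and (e["src"] in active_list or e["dst"] in active_list):
            e = dict(e, priority=RAISED_PRIORITY)
        out.append(e)
    return out


def run(lines=SAMPLE_LOGS):
    """Active list, outbound top drops and the prioritised event stream."""
    events = [parse(line) for line in lines]
    scanners = confirmed_scanners(events)
    return scanners, outbound_top_drops(events), prioritise(events, scanners)


if __name__ == "__main__":
    scanners, top_drops, prioritised = run()
    print("active list:", sorted(scanners))
    print("outbound top drops:", top_drops)
    for e in prioritised:
        if e["priority"] > BASE_PRIORITY:
            print("escalated:", e)
```

The last rule is deliberately applied in both directions: an internal host accepted to a listed scanner address is at least as interesting as the scanner being let in, which is the "infected internal system" case the second bullet is after.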


Page 7: SIEM evolution

Security Analysis

• Unlike firewalls, IDS/IPS provide information up to OSI layer 7 via signature-based detection methods.

• Typical attacks detected by IDS/IPS: worms, exploits, brute-force attacks, backdoors, covert channels.

• IDS/IPS are best placed where "threat x asset value" is high (e.g. DMZ, server farm).

• IDS/IPS provide input for SIEM tools to correlate with Vulnerability and Asset (VA) data.
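The last two bullets in working form: an IDS alert is scored against what the VA scan says about the target and how valuable the target is, so the same signature fired against a patched host, an unpatched DMZ server or an unknown machine ends up at very different priorities. Added example, not from the deck; the inventory, the alerts and the priority scale are constructed (CVE-2008-4250, MS08-067, is a real 2008 vulnerability used here only as sample data).

```python
"""Raise or lower IDS/IPS alert priority using vulnerability-assessment (VA)
and asset data, the "threat x asset value" idea from the slide.
Added example; the inventory, alerts and priority scale are constructed."""

# Constructed asset inventory: criticality 1..5 plus the CVEs the last VA scan found open.
ASSETS = {
    "10.0.0.80": {"zone": "DMZ",    "criticality": 5, "vulns": {"CVE-2008-4250"}},  # unpatched
    "10.0.0.81": {"zone": "DMZ",    "criticality": 5, "vulns": set()},              # patched
    "10.0.1.20": {"zone": "office", "criticality": 2, "vulns": {"CVE-2008-4250"}},
}

# Constructed IDS alerts, same signature against four different targets.
ALERTS = [
    {"sig": "MS08-067 RPC exploit attempt", "cve": "CVE-2008-4250", "src": "203.0.113.5", "dst": "10.0.0.80"},
    {"sig": "MS08-067 RPC exploit attempt", "cve": "CVE-2008-4250", "src": "203.0.113.5", "dst": "10.0.0.81"},
    {"sig": "MS08-067 RPC exploit attempt", "cve": "CVE-2008-4250", "src": "203.0.113.5", "dst": "10.0.1.20"},
    {"sig": "MS08-067 RPC exploit attempt", "cve": "CVE-2008-4250", "src": "203.0.113.5", "dst": "10.0.9.9"},  # not in inventory
]

UNKNOWN_ASSET_PRIORITY = 5   # assumption: no VA data means "cannot rule it out", mid priority


def score(alert, assets=ASSETS):
    """Return (priority 1..10, reason) for one alert."""
    asset = assets.get(alert["dst"])
    if asset is None:
        return UNKNOWN_ASSET_PRIORITY, "target not in asset inventory, no VA data: manual review"
    if alert["cve"] in asset["vulns"]:
        # Vulnerable target: the threat is real, scale with asset value.
        return min(10, asset["criticality"] * 2), "target vulnerable to the alerted CVE"
    # Patched / not applicable: keep a low-priority trace, do not page anyone.
    return max(1, asset["criticality"] - 3), "target not vulnerable per last VA scan"


def triage(alerts=ALERTS, assets=ASSETS):
    """Alerts with priority and reason attached, highest priority first."""
    scored = []
    for a in alerts:
        p, r = score(a, assets)
        scored.append(dict(a, priority=p, reason=r))
    return sorted(scored, key=lambda a: a["priority"], reverse=True)


if __name__ == "__main__":
    for a in triage():
        print(a["priority"], a["dst"], a["reason"])
```

Note the unknown-asset branch: an alert against a host the inventory does not know is not silently dropped, because an incomplete asset list is itself a finding for the SOC.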


Page 8: SIEM evolution

Monitoring WiFi GUEST traffic

Data path: End-user -> Cisco WLC -> Cisco ASA -> Internet

• Cisco WLC logs provide: End-User MAC Address, End-User IP Address, End-User Account Name

• Cisco ASA logs provide: End-User IP Address, Web Target Address, Web Target Port

• Correlated in the SIEM (the End-User IP Address is the field shared by both sources): End-User MAC Address, End-User IP Address, End-User Account Name, Web Target Address, Web Target Port
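The join the slide describes, as an added example (not code from the deck, and the message layouts are constructed, not Cisco's real WLC or ASA syslog formats). WLC association and disassociation events are turned into per-IP sessions, and each ASA connection is attributed to the account whose session covered the connection time. The point a practitioner needs is that guest IP addresses are reused, so joining on IP alone would attribute the third connection below to the wrong user; joining on IP plus time leaves it unattributed instead.

```python
"""Attribute guest web traffic to a user account: join Cisco WLC association
events with Cisco ASA connection events on the end-user IP address, honouring
the time window in which that IP belonged to the user.
Added example; the message layouts below are constructed and are not Cisco's
real syslog formats."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed WLC-style lines: association / disassociation with MAC, IP and account.
WLC_LOGS = """\
2009-09-28T09:00:00 assoc mac=00:11:22:33:44:55 ip=172.16.5.10 user=guest.alice
2009-09-28T09:30:00 disassoc mac=00:11:22:33:44:55 ip=172.16.5.10 user=guest.alice
2009-09-28T09:35:00 assoc mac=66:77:88:99:aa:bb ip=172.16.5.10 user=guest.bob
""".splitlines()

# Constructed ASA-style lines: outbound web connections built through the firewall.
ASA_LOGS = """\
2009-09-28T09:10:00 built tcp src=172.16.5.10 dst=198.51.100.20 dport=80
2009-09-28T09:32:00 built tcp src=172.16.5.10 dst=198.51.100.40 dport=80
2009-09-28T09:40:00 built tcp src=172.16.5.10 dst=198.51.100.30 dport=443
""".splitlines()

WLC_RE = re.compile(r"(\S+) (assoc|disassoc) mac=(\S+) ip=(\S+) user=(\S+)")
ASA_RE = re.compile(r"(\S+) built tcp src=(\S+) dst=(\S+) dport=(\d+)")


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def sessions(wlc_lines):
    """ip -> [(start, end, mac, user)]; a still-open association ends at datetime.max.
    A new assoc on an IP closes any earlier open session on it (DHCP reuse)."""
    open_by_ip, out = {}, defaultdict(list)
    for line in wlc_lines:
        t, kind, mac, ip, user = WLC_RE.match(line).groups()
        prev = open_by_ip.pop(ip, None)
        if prev:
            out[ip].append((prev[0], ts(t), prev[1], prev[2]))
        if kind == "assoc":
            open_by_ip[ip] = (ts(t), mac, user)
    for ip, (start, mac, user) in open_by_ip.items():
        out[ip].append((start, datetime.max, mac, user))
    return out


def attribute(asa_lines, sess):
    """ASA connections enriched with the slide's five fields; MAC and account are
    None when no association covers the connection time, rather than guessed."""
    rows = []
    for line in asa_lines:
        t, src, dst, dport = ASA_RE.match(line).groups()
        when = ts(t)
        mac = user = None
        for start, end, m, u in sess.get(src, []):
            if start <= when < end:
                mac, user = m, u
                break
        rows.append({"End-User MAC Address": mac, "End-User IP Address": src,
                     "End-User Account Name": user, "Web Target Address": dst,
                     "Web Target Port": int(dport)})
    return rows


def run(wlc=WLC_LOGS, asa=ASA_LOGS):
    return attribute(asa, sessions(wlc))


if __name__ == "__main__":
    for row in run():
        print(row)
```

In a real deployment the two clocks must agree (NTP on WLC, ASA and the SIEM collector), otherwise the time window check silently attributes traffic to the wrong guest.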


Page 9: SIEM evolution

Monitoring business risks

Business impact:

• Confidentiality: protecting sensitive information from unauthorised disclosure or malicious interception.

• Integrity: safeguarding the accuracy and completeness of information.

• Availability: ensuring that vital IT services and information are available when required.


Page 10: SIEM evolution

Agenda

• Security Monitoring

• SIEM architectures

• Use Cases


Page 11: SIEM evolution

Some history…

ArcSight 2.1 (Sept 2003)

ArcSight 2.2 (POC)

ArcSight 2.5 (Production Jan 2004)

ArcSight 3.0 (Production Oct 2004)

ArcSight 3.5 (Production Mar 2006)

ArcSight 4.0 (Production Sept 2007)


Page 12: SIEM evolution

Telindus hardware tests

Two different hardware platforms were tested from an ArcSight manager performance perspective:

• As the biggest factor in database performance is the available RAM and the SAN read/write speed, the OS/architecture is not so influential.

Model            Architecture   CPU                       RAM    OS
Sun SPARC T2000  SPARC T1       1 x 8 core (1.2 GHz)      32 GB  Solaris 10
Sun Fire X2100   AMD X_64       1 x dual core (1.8 GHz)   4 GB   Red Hat 4.5

• It seems to Telindus that the ArcSight 4.0 JRE is not optimized to make use of the multi-threading (CMT) capabilities of the Sun T1 processor: the AMD X_64 / Red Hat platform significantly outperformed the SPARC T1 / Solaris platform.


Page 13: SIEM evolution

ArcSight test graph

[Graph: ArcSight manager throughput on the two platforms; Y-axis = EPS (thousands), X-axis = number of CPU cores]


Page 14: SIEM evolution

Security Event Lifecycle


Page 15: SIEM evolution

Log Sources

[Bubble chart; bubble diameter is proportional to the event volume. Axes: "relevance with respect to security information and correlation capabilities" and "security information value". Sources are grouped into "Security events and information" and "Network and Application events / information".]

Sources shown: NIPS (Network Intrusion Prevention Systems), VA data, HIPS, AV, FW (Firewalls), Routers & switches, Web servers, OS logs, Proxy, Reverse proxy, DB logs, Monitoring logs, AIM, Web content screening, Email / smartphone gateways, NBA.


Page 16: SIEM evolution

Standardized data collection?

We need a uniform way in which computer events are described, logged, and exchanged.


Page 17: SIEM evolution

Agenda

• Security Monitoring

• SIEM architectures

• Use Cases


Page 18: SIEM evolution

Use Case Library

• Perimeter Defence

• Regulatory compliance

• Insider threat


Page 19: SIEM evolution

SIEM audit report


Page 20: SIEM evolution

Security Operations


Page 21: SIEM evolution

Event Management


Page 22: SIEM evolution

Conclusions

• Carefully plan your SIEM migrations with business and operations!

• Make checklists, cheat sheets and technical notes to educate your security analysts on new evolutions.

• Keep a change log for SIEM content adaptations.

• Think out of the box: SIEM has a lot of potential, but KISS towards the outside.

• Request (simple) KPIs on how your application/service is evolving.

• Use intake templates to facilitate the scoping exercise towards your client.

• Centralize your efforts, look for partners and create a centre of excellence in your organization around security monitoring.


Page 23: SIEM evolution

Questions?

[email protected]

http://www.linkedin.com/in/ictsecurity

http://www.twitter.com/securityworld
