Supercharging SIEM with Change & Configuration Data
DESCRIPTION
Most organizations capture log data that could indicate a breach occurred. Yet not a single breach investigated in the Verizon 2011 Data Breach Investigations Report was detected through log analysis or review. Learn how adding Tripwire Enterprise change and configuration data makes all the difference in detecting critical events.
TRANSCRIPT
Supercharging SIEM with Change & Configuration Data
Jason Iler, Ed Rarick
IT SECURITY & COMPLIANCE AUTOMATION
More Data. Fewer Results.
Existing approaches are falling short
0%: Log analysis/review discovered no breaches (2011)
More Data. Fewer Results. Change is Needed!
Limited Value: existing technology isn't providing expected ROI, is too expensive and complex, and only delivers data.
Problem: Data Deluge
Vulnerability Assessment, Switches & Routers, Firewalls, IDS & IPS, Databases, Applications
Too much data! All of one type!
Result: It Takes Too Long To Find Trouble
COMPLIANCE: Project Delays, Labor Intensive, Failed Audits
Result: Time-to-Find Means Trouble for Everyone!
SECURITY: Branding, $$$$, Compromise
Result: Trouble for Everyone, Including Ops!
OPERATIONS: Budget Pressure, Unplanned Work, Longer MTTR
0%: Log analysis/review discovered no breaches
Capturing Data... Is Not The Same As Knowing When Something Bad Just Happened!
Log Analysis & SIEM Alerts Lack "Context of Change"
Login successful
10 failed logins
FTP Enabled
Logging turned off
Host not generating events
Windows event log cleared
Policy test fails
Were undesired changes made? Who made them?
Was compliance level lowered? Did changes enable SIEM events? Or enable other events?
Simple Change Detection Is Not Adequate
Raw Log Data -> Detect Change, Good & Bad -> Report Change, Good & Bad
No Intelligence. No Context. No Security. Just Data!
Change Intelligence Provides Essential "Context"
Raw Log Data -> Detect Change, Good & Bad -> Dynamic Analysis: Changes of Interest -> Report & Alert
Configuration Policy Failures + Change Policy Failures + Change Authorization Failures = Changes of Interest!
Change + SIEM Provides Much-Needed Clarity
10 failed logins
Logging turned off
Host not generating events
Windows event log cleared
Login successful
Policy test fails
FTP Enabled
Changes of Interest correlated with Log Events of Interest turn Raw Data into timely, actionable Information.
Event Integration Framework process
What Does This Give Us?
Enriches Change Audit data by sending User Audit data to TLC.
• File 'Sales_Forecast_2011.xls' was changed on node 'PROD_FINANCE' by Ed Rarick.
Offers summarized changes by severity to provide greater manageability of data by operational teams.
• There were 15 Medium Severity Changes on node 'PROD_DC1'.
Can send compliance test result data to TLC.
• Node 'PROD_DC1' had an additional 2 tests fail from policy 'PCI 2.1' after the last scan. 15 tests passed and 30 failed.
Can send compliance scoring data to TLC.
• Node 'PROD_DC1' decreased its score by 2.53 on policy 'PCI 2.1' after the last scan.
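Added example, not from the presentation or from Tripwire's own product code: a minimal correlation of change-of-interest records with SIEM log events by node and time window, which is the "Changes of Interest correlated with Log Events of Interest" idea above. The sample records, the node names and the AUTHORIZED list are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry): change-audit records of the kind a
# change/configuration monitoring tool forwards, and raw SIEM log events, keyed by node.
CHANGES = [
    {"ts": "2011-06-01T09:58", "node": "PROD_DC1", "kind": "policy_fail",
     "detail": "Policy test fails on 'PCI 2.1'", "user": None},
    {"ts": "2011-06-01T10:02", "node": "PROD_DC1", "kind": "config",
     "detail": "FTP Enabled", "user": "svc_deploy"},
    {"ts": "2011-06-01T10:04", "node": "PROD_DC1", "kind": "config",
     "detail": "Logging turned off", "user": "jdoe"},
    {"ts": "2011-06-01T11:30", "node": "PROD_FINANCE", "kind": "file",
     "detail": "File 'Sales_Forecast_2011.xls' was changed", "user": "Ed Rarick"},
]
EVENTS = [
    {"ts": "2011-06-01T10:00", "node": "PROD_DC1", "msg": "10 failed logins"},
    {"ts": "2011-06-01T10:05", "node": "PROD_DC1", "msg": "Login successful"},
    {"ts": "2011-06-01T10:06", "node": "PROD_DC1", "msg": "Windows event log cleared"},
    {"ts": "2011-06-01T15:00", "node": "PROD_WEB1", "msg": "Login successful"},
]
# Hypothetical change-authorization list: (node, user) pairs covered by an approved ticket.
AUTHORIZED = {("PROD_DC1", "svc_deploy"), ("PROD_FINANCE", "Ed Rarick")}


def is_change_of_interest(change):
    """A policy failure, or any change not covered by a change authorization."""
    if change["kind"] == "policy_fail":
        return True
    return (change["node"], change["user"]) not in AUTHORIZED


def correlate(events, changes, window_minutes=15):
    """Attach changes on the same node within +/- window to each log event.

    Returns dicts {event, node, changes, priority}; events with no nearby change
    are dropped, and priority is "high" only if a change of interest is present."""
    window = timedelta(minutes=window_minutes)
    results = []
    for ev in events:
        t = datetime.fromisoformat(ev["ts"])
        related = [c for c in changes
                   if c["node"] == ev["node"]
                   and abs(datetime.fromisoformat(c["ts"]) - t) <= window]
        if not related:
            continue
        interesting = [c for c in related if is_change_of_interest(c)]
        results.append({"event": ev["msg"], "node": ev["node"],
                        "changes": [c["detail"] for c in related],
                        "priority": "high" if interesting else "low"})
    return results
```

Narrowing the window shows the effect of change timing: with a one-minute window only the "Login successful" event keeps context, and that context is the unauthorized "Logging turned off".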
Assess & Achieve -> Maintain
Maintain: Non-stop monitoring & collection; Dynamic analysis to find suspicious activities; Alert on impact to policy; Remediate options to speed remedy
Enforce IT Process. Increase Security. Maintain Compliance.
[Figure: Desired State over Time]
Answers For Your Questions