Redefining SIEM to Real Time Security Intelligence
September 18, 2012
David Osborne, Security Architect
It's not paranoia if they really are out to get you
Threats
• Malware
• Malicious Insiders
• Exploited Vulnerabilities
• Careless Employees
• Mobile Devices
• Social Networking
• Social Engineering
• Zero-Day Exploits
• Cloud Computing Security
• Cyber Espionage
Reality of Compliance
• Audits happen quarterly or annually
• Effort and budget spent to get compliant
• Little focus or process to stay that way
SIEM – The Great Correlator
• Major SIEM Functions
– Collect
– Normalize
– Correlate
• Collect log and event data from systems across the network – Security devices, applications, OS, databases, end-point protections, etc.
• Normalize similar events across disparate data sources
– Login events from a VPN, OS, or Application are all "authentication events"
• Correlate multiple events into known attack vectors or policy violations
– "Multiple failed logins followed by a success" indicates brute force access
– Eliminates the need for an analyst to try to "piece together" the event
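What the Normalize and Correlate stages look like in code, as an added example that is not from the deck or from McAfee: three constructed log formats (sshd, a VPN, a web application) are mapped onto one authentication-event schema, and the "multiple failed logins followed by a success" rule is applied to the normalized stream. The log formats, hosts, users, IPs and thresholds are all constructed.

```python
"""Normalize login lines from three constructed sources (sshd, VPN, web app) into
one "authentication event" schema, then correlate "multiple failed logins followed
by a success" from one IP into a single brute-force alert.  Added example; all
formats, hosts, users and thresholds are constructed."""
import re
from datetime import datetime, timedelta
# (source name, regex for that product's line, test for a successful login)
PARSERS = [
    ("sshd", re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<res>Failed|Accepted) password "
                        r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"),
     lambda m: m["res"] == "Accepted"),
    ("vpn", re.compile(r"^(?P<ts>\S+) vpn: user=(?P<user>\S+) src=(?P<ip>\S+) status=(?P<res>\w+)"),
     lambda m: m["res"] == "OK"),
    ("webapp", re.compile(r'^(?P<ts>\S+) app\.login user="(?P<user>[^"]+)" ip=(?P<ip>\S+) result=(?P<res>\d+)'),
     lambda m: m["res"] == "200"),
]

def normalize(line):
    """Map a vendor-specific line to the common schema; None if not a login event."""
    for source, pat, ok in PARSERS:
        m = pat.match(line)
        if m:
            return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                    "user": m["user"], "success": ok(m), "source": source}
    return None

def correlate(events, min_failures=3, window=timedelta(minutes=5)):
    """One alert per IP whose failures (>= min_failures within the window) precede a success."""
    alerts, fails = [], {}              # fails: ip -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = [t for t in fails.get(ev["ip"], []) if ev["ts"] - t <= window]
        if not ev["success"]:
            recent.append(ev["ts"])
        elif len(recent) >= min_failures:   # the pattern an analyst would otherwise piece together
            alerts.append({"ip": ev["ip"], "user": ev["user"],
                           "failures": len(recent), "success_via": ev["source"]})
            recent = []
        fails[ev["ip"]] = recent
    return alerts
# Constructed sample lines from mixed sources; the kernel line is not a login event.
LOG_LINES = [
    "2012-09-18T09:00:05 vpn: user=bob src=203.0.113.7 status=FAIL",
    "2012-09-18T09:00:10 sshd[4121]: Failed password for bob from 203.0.113.7 port 50122 ssh2",
    "2012-09-18T09:00:40 sshd[4122]: Failed password for invalid user root from 203.0.113.7 port 50123 ssh2",
    "2012-09-18T09:01:02 kernel: eth0 link up",
    '2012-09-18T09:01:30 app.login user="bob" ip=203.0.113.7 result=200',
    "2012-09-18T09:02:00 sshd[4130]: Accepted password for alice from 198.51.100.4 port 5100 ssh2",
]
def run(lines=LOG_LINES):
    """Normalize then correlate; returns the alert list."""
    return correlate([e for e in map(normalize, lines) if e])
```

Three failures against two different products (VPN, sshd) followed by a success on a third (the web app) collapse into one alert for 203.0.113.7; alice's clean login produces nothing.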
Redefining SIEM
• Security is a Process, not a Product
– Each stage supports the next
– A "weak link" breaks the process
– Tools need to automate each stage
– Integration provides actionable intelligence
• Legacy SIEMs are Limited
– Risk Assessment — limited to VA scan data
– Threat Detection — limited to event correlation
– Incident Response — limited to log analysis
– Compliance Reporting — limited to canned reports
SIEM is Still Evolving… To
• SIEM Content Awareness (Next Generation SIEM)
– Content Awareness is Understanding the Payload at the Application Layer
• What is actually being Communicated, Transferred, and Shared over the Network
• Examples of "Content" Awareness are the understanding of:
– Email contents, including the attachments
– Social, IM and P2P Network Communications
– Document Contents
– Application Relationships with Database Queries and Responses
– Database Monitoring
– Data Leakage: Sensitive Information within chat, email, printed, etc.
Adding Context to Logs
Context questions surrounding a single log record:
• Time: What else happened at this time? Near this time? What is the time zone?
• Service: What is this service? What other messages did it produce? What other systems does it run on?
• Host: What is the host's IP address? Other names? Location on the network/datacenter? Who is the admin? Is this system vulnerable to exploits?
• Event number: What does this number mean? Is this documented somewhere?
• User: Who is this user? What is the user's access level? What is the user's real name, department, location? What other events from this user?
• Port: What is this port? Is this a normal port for this service? What else is this service being used for?
• IP address: DNS name, Windows name, other names? Whois info? Organization owner? Where does the IP originate from (geo-location info)? What else happened on this host? Which other hosts did this IP communicate with?
Broad Content and Context Correlation
Inputs correlated: events from security devices, database transactions, OS events, application contents, user identity, VA scan data, device & application log files, authentication & IAM, location
Threats surfaced: advanced threats, exploits, malware, viruses, Trojans, insider threats
SIEM and Situational Awareness
• SIEM DOES NOT SOLVE APT, but Provides Situational Awareness
– THERE IS NO APT "ALL IN ONE SOLUTION"
• SIEM Can Help with Attacks – Determining the Scope of Attack
• What Systems or Devices were Involved
• What DATA was Compromised
• What Evasion Techniques were Utilized
• Timelines
• Toolsets Utilized
• Work Flows and Processes of Attackers
– Heuristics for Historical Correlation
• Even with SIEM, Security Expertise and Experience are REQUIRED – Well-Trained Security Analysts and Highly Developed Security Policies and Procedures, Combined with SIEM for Situational Awareness, is the BEST Strategy for dealing with Exploits, Low and Slow Attacks and APT
Scalability & Performance
• Unmatched Speed – Industry’s Fastest SIEM
– 100x to 1,000x faster than current solutions
– Queries, correlation and analysis in minutes, not hours
• Unmatched Scale – Collect all relevant data, not selected sub-sets
– Analyze months and years of data, not weeks
– Include higher layer context and content information
– Scales easily to billions of data records
NitroView Overview
"Single Pane-of-Glass"
• McAfee ADM (Application Data Monitor): Layer 7 decode; full meta-data collection; application visibility (100s of applications and 500+ document types); data visibility (data traffic from leading databases)
• McAfee DEM (Database Activity Monitor): database log generation; session audit
• McAfee ACE (Advanced Correlation): risk scoring to detect potential threats; risk-based correlation; historical correlation; asset information/context; vulnerability information; which assets are most at-risk
• McAfee ESM: unified visibility & analysis; compliance & reporting; policy management
• McAfee Receiver: 3rd party log/event collection; network flow data collection; VMware Receivers available
• McAfee ELM: log management; compliant log storage; SAN/CIFS/NFS/local storage
• Global Threat Intelligence (GTI)
Shared Threat Intelligence
• Reputation-based WW visibility into all types of cyber threats
• Automatic, push feed
• Today – Bad Actors/Dangerous IPs
• Additional GTI capabilities:
– file, web, message & network connection reputation
– web categorization
How can SIEM help with MTTR?
• Advanced Correlation uses activity to determine Risk
• Baselines to determine deviations from normal activity
• Normalization of events into a common taxonomy
• Global Threat Intelligence to determine if I have any communication with external known bad actors
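Two of the items above in code, as an added example that is not part of the deck or of McAfee's products: a per-host baseline that flags deviation from normal activity, and a lookup of outbound destinations against a reputation feed standing in for GTI. The history, today's counts, hosts, IPs and the feed contents are all constructed.

```python
"""Baseline deviation plus reputation lookup for faster triage.  Added example,
not the deck's or McAfee's code; every host, count, IP and feed entry here is
constructed for illustration."""
from statistics import mean, pstdev

# Constructed history: outbound connections per host per day over 7 days.
HISTORY = {
    "fileserver01": [410, 395, 402, 418, 390, 405, 399],
    "laptop-jdoe":  [120, 135, 110, 128, 140, 122, 118],
}
# Constructed observations for today: connection count plus distinct destinations.
TODAY = {
    "fileserver01": {"count": 404, "dests": {"192.0.2.10", "192.0.2.11"}},
    "laptop-jdoe":  {"count": 980, "dests": {"192.0.2.10", "203.0.113.66"}},
}
# Constructed stand-in for a push reputation feed of known-bad actor IPs.
BAD_ACTORS = {"203.0.113.66", "198.51.100.250"}

def zscore(history, value):
    """Standard deviations between today's value and the host's own baseline."""
    sd = pstdev(history)
    return (value - mean(history)) / sd if sd else 0.0

def baseline_deviations(history=HISTORY, today=TODAY, threshold=3.0):
    """Hosts whose activity today deviates more than `threshold` from normal."""
    scores = {h: zscore(history[h], t["count"]) for h, t in today.items()}
    return {h: round(z, 1) for h, z in scores.items() if z > threshold}

def bad_actor_contacts(today=TODAY, feed=BAD_ACTORS):
    """Hosts that talked to an IP on the reputation feed, and which IPs."""
    return {h: sorted(t["dests"] & feed) for h, t in today.items() if t["dests"] & feed}

def triage(history=HISTORY, today=TODAY, feed=BAD_ACTORS):
    """Combine both signals; a host on both lists sorts first for the analyst."""
    dev, bad = baseline_deviations(history, today), bad_actor_contacts(today, feed)
    return sorted(set(dev) | set(bad), key=lambda h: (h in dev) + (h in bad), reverse=True)
```

The laptop's jump from roughly 125 to 980 connections is far outside its baseline, and one of its destinations is on the feed, so it sorts first; the file server stays within its normal range and contacts nothing on the feed.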