Author: Prof Bill Buchanan (23 slides)

SIEM Part II - External Threat Analysis Tool

Feb 15, 2017

Transcript
Page 1: SIEM Part II - External Threat Analysis Tool

SIEM II

Author: Prof Bill Buchanan

Module: Incident Response

Diagram labels: Proxy, VPN, Eve, Bob, Alice

Page 2: SIEM Part II - External Threat Analysis Tool

Sidebar: Author: Bill Buchanan; Stateful firewall; Network Security; PIX/ASA Config; PIX/ASA; Incident Response

Data Sources/Timeline

Page 3: SIEM Part II - External Threat Analysis Tool


Incidents

Before Incident, During Incident, After Incident

Intruder

Intrusion Detection

Page 4: SIEM Part II - External Threat Analysis Tool


Data in-motion, data in-use and data at-rest

Diagram labels: Intrusion Detection System, Firewall, Internet, Switch, Router, Proxy server, Email server, Web server, DMZ, FTP server, Domain name server, Database server, Bob, Alice, Eve

Data states marked on the diagram: Data in-motion, Data at-rest, Data in-use, Data at-rest

Page 5: SIEM Part II - External Threat Analysis Tool


Incidents

Before Incident, During Incident, After Incident

Timeline

Data At Rest: Files, Directories, File Rights, Domain Rights, etc. File changes, File CRUD (Create, Read, Update, Delete), Thumbprints.

Data In-Motion: Network packet logs, Web logs, Security logs. Network scanners, Intrusion Detection Systems, Firewall logs, etc.

Data In-Process: Processes, Threads, Memory, etc. Security Log, Application Log, Registry, Domain Rights.

Intruder

Page 6: SIEM Part II - External Threat Analysis Tool


Four Vs of Big Data

Diagram labels: Intrusion Detection System, Firewall, Router, Proxy server, Email server, Web server, FTP server, Switch, Alice, Eve, Bob, Incident Response

Outputs: Management report, Sales analysis, Targeted marketing, Trending/Correlation

V - Volume [Scale of data]

V - Variety [Different forms of data]

V - Velocity [Speed of data generation]

V - Veracity [Trustworthiness]

Page 7: SIEM Part II - External Threat Analysis Tool


Data Capture

Diagram labels: Web server, Firewall, Router, Proxy server, Email server, FTP server, Switch, Intrusion Detection System, Eve, Bob, Alice

Data sources by category:

IT Ops: Nagios, NetApp, Cisco UCS

Web Services: Apache, IIS

Microsoft Infrastructure: Active Directory, Exchange, SharePoint

Structured Data: CSV, JSON, XML

Database Sys: Oracle, MySQL, Microsoft SQL

Network/Security: Syslog/SNMP, Cisco NetFlow, Snort

Cloud: AWS CloudTrail, Amazon S3, Azure

Application Serv: WebLogic, WebSphere, Tomcat

Page 8: SIEM Part II - External Threat Analysis Tool


Investigation sources

Diagram labels: Web server, Firewall, Router, Proxy server, Email server, FTP server, Bob, Eve

Sources: Internal systems; Cloud service providers; Communication service providers; Trusted partners

Page 9: SIEM Part II - External Threat Analysis Tool


Security Operations Centre

Diagram labels: Eve, Bob, Logs/alerts, SIEM Package (Splunk), News feeds, Security alerts

Page 10: SIEM Part II - External Threat Analysis Tool


Threat Analysis

Diagram labels: Proxy, VPN, Eve, Bob, Alice

Page 11: SIEM Part II - External Threat Analysis Tool


Data Fusion

Input: semi-structured data, >10 million events, data storage (2GB/day)

Stages shown: Parsing/Normalisation; Aggregation; Context; Processing (rule based correlation, statistical correlation); Event prioritisation; SIEM

Funnel: 10,000 alerts to 1 incident

Page 12: SIEM Part II - External Threat Analysis Tool


Security Operations Centres (SOC)

Page 13: SIEM Part II - External Threat Analysis Tool


Logstalgia

Page 14: SIEM Part II - External Threat Analysis Tool


Honeynet

Page 15: SIEM Part II - External Threat Analysis Tool


Akamai.com

Page 16: SIEM Part II - External Threat Analysis Tool


Trend Micro Threat Analysis

Page 17: SIEM Part II - External Threat Analysis Tool


DDoS Attack Map

Page 18: SIEM Part II - External Threat Analysis Tool


State of the Internet

Page 19: SIEM Part II - External Threat Analysis Tool


IPew Attack Map

Page 20: SIEM Part II - External Threat Analysis Tool


Fortinet

Page 21: SIEM Part II - External Threat Analysis Tool


NORSE

Page 22: SIEM Part II - External Threat Analysis Tool


Kaspersky Cyber Threat Map

Page 23: SIEM Part II - External Threat Analysis Tool

SIEM II

Author: Prof Bill Buchanan

Module: Incident Response

Diagram labels: Proxy, VPN, Eve, Bob, Alice