SIEM Deck - Blog
Post on 20-Feb-2018
7/23/2019 SIEM Deck - Blog
Security Information & Event Management (SIEM)
Introducing SIEM
Security Information & Event Management (SIEM)
Two components: Security Event Management (SEM) and Security Information Management (SIM).
SEM primarily provides:
- Event management
- Real-time threat analysis
- Incident detection & response
- Basic ticketing capabilities & security operations
SIM primarily provides:
- Centralized log collection
- Long-term log storage
- Log search & reporting
Security Information & Event Management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization's information technology (IT) security.
SIEM combines SIM (security information management) and SEM (security event management) functions into one security management system.
Why SIEM?
Security requirement:
Security Information & Event Management (SIEM) is the core of a defense-in-depth strategy.
Every attacker leaves behind a trace: logs, logs, logs!
Security events provide insight into:
- When did the event happen? The attack timestamp.
- What happened? Was a vulnerability exploited? Was a privilege misused?
- Why did it happen? Assists infrastructure gap identification & remediation.
Compliance requirement:
Policies, standards, regulations etc. require security monitoring, alerting, reporting & management: PCI, SOX, HIPAA, TRMG, ISO 27001 etc.
Anatomy of a Basic Attack
1. The attacker scans the perimeter defenses to find a hole in the network.
2. The attacker bypasses the defenses and compromises the web servers using a vulnerability exploit.
3. From the web server, the attacker pivots to the DB server, which holds confidential data.
4. The attacker installs malicious software which opens a backdoor for the attacker to steal data.
How do you detect this attack?
1. Firewall logs will have events for recon, scanning etc.
2. IDS/IPS logs will have exploit signatures triggering (both behavior & anomaly)
3. Web/application server logs (access, inbound/outbound traffic)
4. Database logs
Yes, you can detect the attack, if you have a SIEM solution.
SIEM provides a Holistic View
- Insight into all the IT components
- Centrally collect, store & analyze logs from perimeter to endpoints
- Monitor for security threats in real time
- Quick attack detection, containment & response
- Holistic security reporting and compliance management
What capabilities does a SIEM have?
Log collection: using an agent-based or agentless approach, with out-of-the-box log collection support for third-party commercial IT products.
Parsing & normalization: collected logs are parsed and normalized to a standard format for easy storage, analysis & reporting.
Correlation: relating events of different types to help identify threats. Example: if event A is followed or matched by event B, take an action.
Real-time notification & alerting: real-time alerts on security threats in the IT environment, based on analysis of the collected logs.
Security incident detection & response workflow: an operations workflow for handling detected security incidents & threats.
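The detection question from the "How do you detect this attack?" slide and the correlation rule above ("if event A is followed by event B, take an action") worked through as an added Python example; this is not code from the deck or from any vendor's product. The normalized events, the rule format and the link predicates are constructed assumptions: four log sources (firewall, IDS, web server, database) are chained into one alert only when the stages link by source/destination address and complete inside a time window.

```python
from datetime import datetime, timedelta

# Constructed sample events, already parsed and normalized to one schema
# (time, log source, event type, src, dst); addresses are documentation ranges.
EVENTS = [
    ("2018-02-20 09:00:01", "firewall", "port_scan", "203.0.113.7", "198.51.100.10"),
    ("2018-02-20 09:02:14", "ids", "exploit_signature", "203.0.113.7", "198.51.100.10"),
    ("2018-02-20 09:05:30", "webserver", "outbound_conn", "198.51.100.10", "10.0.0.20"),
    ("2018-02-20 09:06:02", "database", "bulk_export", "198.51.100.10", "10.0.0.20"),
    ("2018-02-20 11:00:00", "firewall", "port_scan", "192.0.2.44", "198.51.100.10"),
]

# Sequence rule for the four-step attack: (event type, how it must link to the
# previous stage's event). Hypothetical rule format, not any vendor's syntax.
RULE = [
    ("port_scan", None),                   # recon seen by the firewall
    ("exploit_signature", "same_src"),     # IDS signature from the same attacker
    ("outbound_conn", "src_is_prev_dst"),  # the exploited web server pivots
    ("bulk_export", "same_src"),           # DB log: data pulled via the pivot
]
LINKS = {None: lambda prev, cur: True,
         "same_src": lambda prev, cur: cur["src"] == prev["src"],
         "src_is_prev_dst": lambda prev, cur: cur["src"] == prev["dst"]}
WINDOW = timedelta(minutes=30)  # the whole chain must complete inside this window

def parse(raw):
    t, source, etype, src, dst = raw
    return {"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
            "source": source, "type": etype, "src": src, "dst": dst}

def correlate(raw_events, rule=RULE, window=WINDOW):
    events = sorted((parse(e) for e in raw_events), key=lambda e: e["time"])
    chains, alerts = [], []  # chains: partial matches awaiting their next stage
    for ev in events:
        for chain in [c for c in chains if c["stage"] < len(rule)]:
            etype, link = rule[chain["stage"]]
            first, prev = chain["events"][0], chain["events"][-1]
            if (ev["type"] != etype or not LINKS[link](prev, ev)
                    or ev["time"] - first["time"] > window):
                continue
            chain["events"].append(ev)
            chain["stage"] += 1
            if chain["stage"] == len(rule):  # "A followed by B ...": take action
                alerts.append({"attacker": first["src"], "pivot": ev["src"],
                               "target": ev["dst"],
                               "sources": [e["source"] for e in chain["events"]]})
        if ev["type"] == rule[0][0]:  # every recon event opens a new chain
            chains.append({"stage": 1, "events": [ev]})
    return alerts
```

The second port scan from 192.0.2.44 opens a chain but never completes it, so no alert is raised for it; an export that arrives outside the window is likewise not chained.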
SIEM Technology Space
SIEM market analysis of the last 3 years suggests:
- Market consolidation of SIEM players (25 vendors in 2011 to 16 vendors in 2013). Only products with technology maturity and a strong road map have featured in the leaders quadrant.
- HP ArcSight & IBM Q1 Labs have maintained leadership in the SIEM industry with continued technology upgrades.
- McAfee Nitro has strong product features & a road map to challenge HP & IBM for leadership.
HP ArcSight
Strengths:
- Extensive log collection support for commercial IT products & applications
- Advanced support for threat management, fraud management & behavior analysis
- Mature event correlation, categorization & reporting
- Tight integration with big data analytics platforms like Hadoop
- Highly customizable based on the organization's requirements
- Highly available & scalable architecture supporting multi-tier & multi-tenancy
Weaknesses:
- Complex deployment & configuration
- Mostly suited for medium to large scale deployment
- Requires skilled resources to manage the solution
- Steep learning curve for analysts & operators
The ArcSight Enterprise Threat and Risk Management (ETRM) Platform is an integrated set of products for collecting, analysing, and managing enterprise security event information.
- ArcSight Enterprise Security Manager (ESM): correlation and analysis engine used to identify security threats in real time
- ArcSight Logger: log storage and search solution
- ArcSight IdentityView: user identity tracking / user activity monitoring
- ArcSight Connectors: data collection from a variety of data sources
- ArcSight Auditor Applications: automated continuous controls monitoring for both mobile & virtual environments
IBM QRadar
Strengths:
- Very simple deployment & configuration
- Integrated view of the threat environment using NetFlow data, IDS/IPS data & event logs from the environment
- Behavior & anomaly detection capabilities for both NetFlow & log data
- Suited for small, medium & large enterprises
- Highly scalable & available architecture
Weaknesses:
- Limited customization capabilities
- Limited multi-tenancy support
- Limited capability to perform advanced use case development & analytics
The QRadar Integrated Security Solutions (QRadar) Platform is an integrated set of products for collecting, analysing, and managing enterprise security event information.
- QRadar Log Manager: turnkey log management solution for event log collection & storage
- QRadar SIEM: integrated log, threat & risk management solution
- QRadar Risk Manager: predictive threat & risk modelling, impact analysis & simulation
- QRadar QFlow: network behaviour analysis & anomaly detection using network flow data
- QRadar vFlow: application layer monitoring for both physical & virtual environments
McAfee Nitro
The McAfee Enterprise Security Management (formerly Nitro Security) Platform is an integrated set of products for collecting, analysing, and managing enterprise security event information.
- McAfee Enterprise Log Manager: turnkey log management solution for event log collection & storage
- McAfee Event Receiver: collects log data & native flow data
- McAfee Database Event Monitor: database transaction & log monitoring
- McAfee Application Data Monitor: application layer event monitoring
- McAfee Advanced Correlation Engine: advanced correlation engine for correlating events, both historical & real time
Strengths:
- Integrated application data monitoring & deep packet inspection
- Integrated database monitoring without dependence on native audit functions
- High event collection rate suited for very large scale deployment
- Efficient query performance in spite of high event collection rate
Weaknesses:
- Very basic correlation capabilities when compared with HP & IBM
- Limitations in the user interface when it concerns navigation
- Requires a lot of agent installs for application & database monitoring, thereby increasing management complexity
- No analytics capability, both big data & risk based
- Limited customization capabilities
- Limited support for multi-tier & multi-tenancy architecture
Comparison Overview
In essence, the decision to choose a SIEM product depends on the following key factors:
* Based on Data from publicly available sources