SIEM-plifying security monitoring: a different approach to security visibility

Post on 15-Jan-2015


DESCRIPTION

Despite investments in preventative security technology and teams, devastating data breaches continue to occur, and the threats we face only grow more advanced all the time. If even the largest companies are struggling to avoid breaches, how can teams with more limited security staff and budgets hope to avoid that same fate? Organizations need to invest more in detection and proactive threat intelligence. SIEM products have been widely deployed for this purpose; however, much of the technology remains unwieldy and difficult to use. Join Dave Shackleford, founder of Voodoo Security and a Senior SANS Instructor, and Joe Schreiber, Solution Architect with AlienVault, for this session covering:

• Key security intelligence insights you need to defend against modern threats
• "Tales from the trenches" of challenges getting the insights you need from SIEM
• Fundamentals for evaluating a security approach that will work for you, not against you
• How a unified approach to security visibility can help you get from install to insight more quickly

TRANSCRIPT

SIEM-plifying security monitoring: A different approach to security visibility

Dave Shackleford, Voodoo Security and SANS
Joe Schreiber, AlienVault

© 2014 The SANS™ Institute - www.sans.org

Introduction

• Many organizations are still experiencing data breaches
  – Attackers are more advanced
  – But…we’ve got preventive and detective controls, right?
• More proactive threat intelligence and time on internal detection capabilities will help
  – But what do you need?
  – How can you succeed with limited time and/or budget?


First…security intelligence

• Security/threat intelligence is all the rage these days…in theory
• Today, most organizations are gathering external threat intelligence from sources such as:
  – The SANS Internet Storm Center
  – Blog sites
  – Commercial feeds
  – ISACs and other public-private collaboration groups


External Threat Intel Data

• Intel about attacks and attackers may include:
  – Source IP/hostnames/domains
  – Ports/services in use
  – Source countries
  – Attack types
  – Packet traces
  – Malware
  – File names
• DNS entries that are or should be blacklisted
• Countries of origin with specific reputation criteria
• Types of events to look out for:
  – Application attacks
  – Ports and IP addresses
  – Specific types of malware detected
• Vertical-specific likelihood
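The indicator types above only pay off once they are checked against internal data, and naive string comparison misses most hits. The following is an added example, not code from the webinar, SANS or AlienVault: it indexes a small constructed feed (IPs, one CIDR, domains, a file name; every value is an RFC 5737 test address or a reserved example name) and checks it against constructed proxy, DNS, firewall and antivirus events, handling the normalization cases that matter in practice (mixed case, trailing dot, a subdomain of a listed domain, an IP inside a listed range, a full path around a listed file name). The field-to-check mapping and event layout are assumptions for the illustration.

```python
"""Match external threat-intel indicators against internal log events.

Added example (not from the webinar or any AlienVault/SANS code). The feed
values and log records are constructed, using RFC 5737 test addresses and
reserved example domains, so nothing here refers to a real indicator.
"""
import ipaddress
from collections import Counter

# Constructed external feed, keyed by indicator type.
EXTERNAL_INTEL = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "cidr": {"192.0.2.0/24"},
    "domain": {"update-check.example", "cdn.example.net"},
    "filename": {"invoice_2014.scr"},
}

# Constructed internal events, already parsed into fields by a log collector.
INTERNAL_EVENTS = [
    {"id": 1, "src": "proxy", "user": "alice", "dst_ip": "93.184.216.34",
     "host": "www.example.org"},
    {"id": 2, "src": "proxy", "user": "bob", "dst_ip": "203.0.113.45",
     "host": "Update-Check.example."},          # mixed case, trailing dot
    {"id": 3, "src": "dns", "client": "10.0.0.12",
     "query": "static.cdn.example.net"},         # subdomain of an indicator
    {"id": 4, "src": "firewall", "dst_ip": "192.0.2.77", "dst_port": 4444},
    {"id": 5, "src": "av", "host": "ws-17",
     "file": "C:\\Users\\bob\\Downloads\\INVOICE_2014.SCR"},
    {"id": 6, "src": "dns", "client": "10.0.0.13",
     "query": "example.net"},                    # parent of an indicator: no hit
]


def normalize_domain(name):
    """Lowercase and strip the trailing dot that DNS logs often carry."""
    return name.strip().lower().rstrip(".")


class IntelIndex:
    """Indexes a feed so each event field can be checked cheaply."""

    def __init__(self, feed):
        self.ips = set(feed.get("ip", ()))
        self.nets = [ipaddress.ip_network(n) for n in feed.get("cidr", ())]
        self.domains = {normalize_domain(d) for d in feed.get("domain", ())}
        self.filenames = {f.lower() for f in feed.get("filename", ())}

    def match_ip(self, value):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None                      # malformed field: never a hit
        if value in self.ips:
            return ("ip", value)
        for net in self.nets:
            if addr in net:
                return ("cidr", str(net))
        return None

    def match_domain(self, value):
        labels = normalize_domain(value).split(".")
        # Walk up the tree (a.b.c -> b.c) so a subdomain of an indicator hits,
        # but stop before the bare TLD so a sloppy feed entry cannot match everything.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return ("domain", candidate)
        return None

    def match_filename(self, value):
        base = value.replace("\\", "/").rsplit("/", 1)[-1].lower()
        return ("filename", base) if base in self.filenames else None


# Which event fields carry which indicator type (assumed layout).
FIELD_CHECKS = (
    ("dst_ip", "match_ip"),
    ("host", "match_domain"),
    ("query", "match_domain"),
    ("file", "match_filename"),
)


def match_events(events, index):
    """Return (event_id, indicator_type, indicator) for every field that hits."""
    hits = []
    for ev in events:
        for field, method in FIELD_CHECKS:
            if field in ev:
                hit = getattr(index, method)(str(ev[field]))
                if hit:
                    hits.append((ev["id"], hit[0], hit[1]))
    return hits


def hits_per_event(hits):
    """Events matching several indicators are the ones to escalate first."""
    return Counter(event_id for event_id, _, _ in hits)


if __name__ == "__main__":
    found = match_events(INTERNAL_EVENTS, IntelIndex(EXTERNAL_INTEL))
    for event_id, kind, value in found:
        print(f"event {event_id}: {kind} indicator {value}")
    print("per-event hit counts:", dict(hits_per_event(found)))
```

Event 2 hits twice (destination IP and host name), which is the kind of corroboration an analyst wants surfaced first; event 6 is deliberately a parent of a listed domain and must not match, since a feed entry for a subdomain says nothing about the registered domain above it.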


Internal sources of threat intel data

• Baseline security controls:
  – Firewalls and router ACLs
  – IDS/IPS
  – Antivirus
  – Proxies and load balancers
  – Log management
• More advanced controls:
  – SIEM
  – Host IDS/whitelisting
  – Malware sandboxing
• So why are we still getting hacked?!


Collaborative Threat Intelligence

• Diversity in threat intelligence limits attackers’ ability to isolate targets by industry, location, size, etc.

• The AlienVault Open Threat Exchange™ (OTX) is the world’s largest collaborative threat intelligence system

• AlienVault Labs validates threat data and contributes from their research


SIEM Challenges Abound

• Many SIEM users have had challenges getting needed insights
• Why? A vast variety of issues can lead us here:
  – Difficulty deploying
  – Lack of integration
  – Challenging UI and usability
  – No threat intelligence
  – Difficult correlation rules
  – Poor planning


Lessons Learned the Hard Way

• Situation: "Tribal" knowledge and a move to an MSSP
  – Lesson learned: Improve documentation and planning around internal data types and use cases
• Situation: “You are what you eat”
  – Lesson learned: Review your data sources before AND after your deployment


Getting More From a SIEM

• There are several important things organizations can do to improve SIEM success:
  – Assess integration with data/tools
  – Discuss outcomes/use cases
  – Assess ease-of-use and implementation
  – Look for threat intelligence integration, both external and internal


Fundamental SIEM Integration Points

• Asset discovery and inventory
• Vulnerability assessment
• Network packet/flow analysis (packet capture)
• Wireless intrusion detection (WIDS)
• Host-based intrusion detection (HIDS)
• Network-based intrusion detection (NIDS)
• File integrity monitoring
• Log management


Discuss Outcomes & Use Cases

• Every organization is different
  – Business use cases
  – Compliance/security priorities
  – Existing gaps
• Build technical rule implementations of business use cases
  – Identify & monitor privileged users
  – Build behavior profiles
  – Detect C&C channels more rapidly
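Turning the last use case, detecting C&C channels, into a concrete correlation rule looks like this. It is an added example, not the speakers' or AlienVault's rule logic: it runs over constructed outbound flow records (RFC 5737 test ranges and RFC 1918 space) and flags a source/destination pair whose connection gaps are regular enough to look like a timer rather than a person. The thresholds (min_connections, max_cv, min_period, max_period) and the allowlist are hypothetical tuning knobs, not values from the page.

```python
"""Correlation rule: flag hosts that call out to one destination on a fixed period.

Added example (not from the webinar, SANS or AlienVault). The flow records are
constructed; addresses are RFC 5737 test ranges and RFC 1918 space.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def make_flows():
    """Constructed outbound flows as (src, dst, timestamp) tuples."""
    base = datetime(2014, 11, 3, 9, 0, 0)
    flows = []
    # 10.0.0.21 checks in with 203.0.113.9 every 300 s with a few seconds of jitter.
    for i, jitter in enumerate([0, 2, -1, 3, 0, -2, 1, 2]):
        flows.append(("10.0.0.21", "203.0.113.9",
                      base + timedelta(seconds=300 * i + jitter)))
    # 10.0.0.22 browses one site whenever a user clicks: bursty, irregular gaps.
    for offset in [0, 40, 700, 730, 1900, 2600, 2610, 4000]:
        flows.append(("10.0.0.22", "93.184.216.34", base + timedelta(seconds=offset)))
    # 10.0.0.23 talks to a host only twice: not enough samples to judge.
    flows.append(("10.0.0.23", "198.51.100.4", base))
    flows.append(("10.0.0.23", "198.51.100.4", base + timedelta(seconds=600)))
    return flows


def detect_beacons(flows, min_connections=6, max_cv=0.10,
                   min_period=30, max_period=3600, allowlist=()):
    """Return one finding per (src, dst) pair whose inter-connection gaps are regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps:
    human-driven traffic is bursty and scores high, an implant on a timer scores
    near zero. min_period/max_period bound the period so sub-second keepalives and
    once-a-day jobs are not reported. allowlist holds destinations that poll on a
    timer legitimately (NTP, patch servers); the thresholds are assumed values.
    """
    by_pair = defaultdict(list)
    for src, dst, ts in flows:
        if dst not in allowlist:
            by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in by_pair.items():
        # stdev needs at least two gaps, i.e. three connections, whatever the caller asked for
        if len(times) < max(min_connections, 3):
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue                          # all timestamps identical: no period to measure
        cv = statistics.stdev(gaps) / mean
        period = statistics.median(gaps)
        if cv <= max_cv and min_period <= period <= max_period:
            findings.append({"src": src, "dst": dst, "connections": len(times),
                             "period_s": period, "cv": round(cv, 4)})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(make_flows()):
        print(f"{f['src']} -> {f['dst']}: {f['connections']} connections, "
              f"period {f['period_s']:.0f}s, cv {f['cv']}")
```

In a SIEM this rule would run on a schedule over the last few hours of flow or proxy data, with the period bounds and allowlist as the levers that keep NTP, antivirus update checks and monitoring agents out of the alert queue; the "build behavior profiles" item above is the same idea applied per host, with the baseline learned rather than hard-coded.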


Ease-of-use & Implementation

• Many SIEM solutions have been notoriously difficult to implement and use
• SIEM platforms should be:
  – Relatively simple to install
  – Intuitive for analysts using the GUI or other tools
  – Easy to expand or upgrade
  – Understandable without a PhD


Questions for SIEM Vendors
Hint: Print this out for the next time they call you…

• How long will it take to go from software installation to security insight? For reals.
• How many staff members or outside consultants will I need for the integration work?
• What can I do if I don’t have all of the external security technologies in place that can feed the SIEM (e.g. asset inventories, IDS, vulnerability scans, netflows, etc.)?
• What is the anticipated mix of licensing costs to consulting and implementation fees?
• Do your alerts provide step-by-step instructions for how to mitigate and respond to investigations?


Threat Intelligence: Questions to Ask

• What sources of threat intelligence are available?

• Are intelligence sources widely distributed, representing a range of organizations and technology?

• How is threat intelligence integrated with internal data sets?

• How can threat intelligence be shared securely?


Collaborative Threat Intelligence: AlienVault Open Threat Exchange™ (OTX)

Coordinated Analysis, Actionable Guidance
• 200-350,000 IPs validated daily
• 8,000 collection points
• 140 countries

Join OTX: www.alienvault.com/open-threat-exchange

A Unified Approach: AlienVault USM™, powered by AV Labs Threat Intelligence

ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory

VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning

BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

THREAT DETECTION
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring

SECURITY INTELLIGENCE
• SIEM Event Correlation
• Incident Response

Conclusion

• Some organizations have traditionally been afraid of SIEM…
  – But do they need to be?
• SIEM platforms *can* be implemented and managed without horror stories
• The key is planning up front, and asking key questions of potential vendors
• A unified approach will prove more successful with limited resources


Questions?

Q@SANS.ORG

Thank You!


Three Ways to Test Drive AlienVault USM

• Download a Free 30-Day Trial: http://www.alienvault.com/free-trial
• Try our Interactive Demo: http://www.alienvault.com/live-demo-site
• Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usm-live-demo
