Incident Response: SIEM Part II

Upload: napier-university

Post on 15-Feb-2017

Category: Engineering

Page 1: Incident Response: SIEM Part II

Incident Response: SIEM II

Author: Prof Bill Buchanan

[Title slide diagram: Proxy, VPN, Eve, Bob, Alice]

Page 2: Incident Response: SIEM Part II

Sidebar: Author: Bill Buchanan. Stateful firewall. Network Security. PIX/ASA Config.

Author: Prof Bill Buchanan

Incident Response

Data Sources/Timeline

Page 3: Incident Response: SIEM Part II

Author: Prof Bill Buchanan

Incidents: Introduction

[Diagram: incident timeline (Before Incident, During Incident, After Incident) with the Intruder and Intrusion Detection placed on it]

Page 4: Incident Response: SIEM Part II

Author: Prof Bill Buchanan

Data states: Incident Response

Data in-motion, data in-use and data at-rest

[Network diagram: Internet, Router, Firewall, Switch, Intrusion Detection System, DMZ (Proxy server, Email server, Web server, FTP server), inner Firewall, Domain name server, Database server; users Bob, Alice and Eve; labels for data in-motion, data in-use and data at-rest]

Page 5: Incident Response: SIEM Part II

Author: Prof Bill Buchanan

Incidents: Introduction

Timeline: Before Incident, During Incident, After Incident (the Intruder is placed on the timeline)

Data At Rest: Files, Directories, File Rights, Domain Rights, etc.; File changes, File CRUD (Create, Read, Update, Delete), Thumbprints

Data In-Motion: Network packet logs, Web logs, Security logs; Network scanners, Intrusion Detection Systems, Firewall logs, etc.

Data In-Process: Processes, Threads, Memory, etc.; Security Log, Application Log, Registry, Domain Rights.

Page 6: Incident Response: SIEM Part II

Author: Prof Bill Buchanan

Introduction: Incident Response

Four Vs of Big Data

[Diagram: Intrusion Detection System, Firewall, Router, Proxy server, Email server, Web server, FTP server, Switch; Alice, Bob, Eve; outputs: Management report, Sales analysis, Targeted marketing, Trending/Correlation, Incident Response]

V - Volume [Scale of data]

V - Variety [Different forms of data]

V - Velocity [Speed of data generation]

V - Veracity [Trustworthiness]

Page 7: Incident Response: SIEM Part II

Author: Prof Bill Buchanan

Introduction: Incident Response

Data Capture

[Diagram: Web server, Firewall, Router, Proxy server, Email server, FTP server, Switch, Intrusion Detection System; Alice, Bob, Eve]

IT Ops: Nagios. NetApp. Cisco UCS. Apache. IIS.

Web Services

Microsoft Infrastructure: Active Directory. Exchange. SharePoint.

Structured Data: CSV. JSON. XML.

Database Systems: Oracle. MySQL. Microsoft SQL.

Network/Security: Syslog/SNMP. Cisco NetFlow. Snort.

Cloud: AWS CloudTrail. Amazon S3. Azure.

Application Servers: WebLogic. WebSphere. Tomcat.

Page 8: Incident Response: SIEM Part II

Author: Prof Bill Buchanan

Introduction: Incident Response

Investigation sources

[Diagram: Web server, Firewall, Router, Proxy server, Email server, FTP server; Bob, Eve]

Internal systems

Cloud service providers

Communication service providers

Trusted partners

Page 9: Incident Response: SIEM Part II

Author: Prof Bill Buchanan

Introduction: Incident Response

Security Operations Centre

[Diagram: Eve; Bob; Logs/alerts feeding a SIEM Package (Splunk), together with News feeds and Security alerts]

Page 10: Incident Response: SIEM Part II

Author: Prof Bill Buchanan

Incident Response

Threat Analysis

[Diagram: Proxy, VPN, Eve, Bob, Alice]

Page 11: Incident Response: SIEM Part II

Sidebar: SIEM. Network Security.

SIEM

Data Fusion: semi-structured data; >10 million events; data storage (2 GB/day); context

Parsing/Normalisation

Aggregation

Processing: rule-based correlation; statistical correlation

Event prioritisation

SIEM: 10,000 alerts -> 1 incident
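The SIEM stages named on this slide (parsing/normalisation, aggregation, rule-based and statistical correlation, event prioritisation, and the funnel from many alerts to one incident) are shown end-to-end in the added example below. It is illustration code written for this page, not code from the slides or from any SIEM product; the sshd and Apache-style log lines, the IP addresses, the failed-login threshold, the "more than half of all events" volume rule and the syslog year are all constructed assumptions.

```python
"""Toy SIEM pipeline: normalise -> aggregate -> correlate -> prioritise.

Added example for this page; not from the slides. Log lines, thresholds and
field names are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

SYSLOG_YEAR = 2017  # assumption: BSD-style syslog lines carry no year

# Constructed sample input: sshd syslog lines plus two Apache-style access-log lines.
RAW_LOGS = [
    "Feb 15 10:01:02 bastion sshd[812]: Failed password for root from 203.0.113.7 port 51112 ssh2",
    "Feb 15 10:01:03 bastion sshd[812]: Failed password for root from 203.0.113.7 port 51113 ssh2",
    "Feb 15 10:01:03 bastion sshd[812]: Failed password for root from 203.0.113.7 port 51113 ssh2",
    "Feb 15 10:01:05 bastion sshd[812]: Failed password for admin from 203.0.113.7 port 51114 ssh2",
    "Feb 15 10:01:09 bastion sshd[813]: Accepted password for admin from 203.0.113.7 port 51115 ssh2",
    "Feb 15 10:02:00 bastion sshd[820]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
    '198.51.100.4 - - [15/Feb/2017:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Feb/2017:10:02:31 +0000] "GET /admin HTTP/1.1" 403 123',
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)
WEB_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def normalise(line):
    """Parse one raw line into a common event schema; return None for unknown formats."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
        return {"ts": ts, "src": m["src"], "host": m["host"], "type": "auth", "action": "login",
                "outcome": "success" if m["outcome"] == "Accepted" else "failure", "user": m["user"]}
    m = WEB_RE.match(line)
    if m:
        # Assumption: all sources are in UTC, so the offset is dropped to compare with syslog times.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        status = int(m["status"])
        return {"ts": ts, "src": m["src"], "host": "web", "type": "web",
                "action": f"{m['method']} {m['path']}",
                "outcome": "success" if status < 400 else "failure", "user": "-"}
    return None


def aggregate(events):
    """Collapse repeated identical events into one record with a count and a time span."""
    buckets = {}
    for e in events:
        key = (e["src"], e["type"], e["action"], e["outcome"], e["user"])
        b = buckets.setdefault(key, {**e, "count": 0, "first": e["ts"], "last": e["ts"]})
        b["count"] += 1
        b["first"] = min(b["first"], e["ts"])
        b["last"] = max(b["last"], e["ts"])
    return list(buckets.values())


def correlate_rules(events, fail_threshold=3):
    """Rule-based correlation: repeated auth failures, worse if a success follows them."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["type"] == "auth" and e["outcome"] == "failure"]
        if len(fails) < fail_threshold:
            continue
        after = fails[fail_threshold - 1]["ts"]
        success = any(e["type"] == "auth" and e["outcome"] == "success" and e["ts"] > after for e in evs)
        rule = "bruteforce_then_success" if success else "bruteforce_attempt"
        alerts.append({"rule": rule, "src": src, "priority": 1 if success else 2, "evidence": len(fails)})
    return alerts


def correlate_stats(events, share=0.5):
    """Statistical correlation: flag a source producing more than `share` of all events."""
    counts = Counter(e["src"] for e in events)
    total = sum(counts.values())
    return [{"rule": "volume_outlier", "src": s, "priority": 3, "evidence": round(c / total, 2)}
            for s, c in counts.items() if c / total > share]


PRIORITY_NAMES = {1: "high", 2: "medium", 3: "low"}


def prioritise(alerts):
    """Merge alerts per source into one incident carrying the most severe priority."""
    merged = {}
    for a in alerts:
        m = merged.setdefault(a["src"], {"src": a["src"], "priority": a["priority"], "rules": []})
        m["priority"] = min(m["priority"], a["priority"])
        m["rules"].append(a["rule"])
    incidents = sorted(merged.values(), key=lambda m: m["priority"])
    for m in incidents:
        m["severity"] = PRIORITY_NAMES[m["priority"]]
    return incidents


def run_pipeline(lines):
    """Run all stages and report how the alert count funnels down to incidents."""
    events = [e for e in map(normalise, lines) if e]
    aggregated = aggregate(events)
    alerts = correlate_rules(events) + correlate_stats(events)
    incidents = prioritise(alerts)
    return {"events": len(events), "aggregated": len(aggregated),
            "alerts": len(alerts), "incidents": incidents}


if __name__ == "__main__":
    print(run_pipeline(RAW_LOGS))
```

On the constructed input, eight raw lines normalise to eight events, aggregate to six distinct records (the repeated root failure collapses), raise two alerts (a brute-force rule hit and a volume outlier, both for the same source) and merge into a single high-priority incident, which is the many-alerts-to-one-incident funnel the slide describes.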

Page 12: Incident Response: SIEM Part II

Security Operations Centres (SOC)

Page 13: Incident Response: SIEM Part II

Logstalgia

Page 14: Incident Response: SIEM Part II

Honeynet

Page 15: Incident Response: SIEM Part II

Akamai.com

Page 16: Incident Response: SIEM Part II

Trend Micro Threat Analysis

Page 17: Incident Response: SIEM Part II

DDoS Attack Map

Page 18: Incident Response: SIEM Part II

State of the Internet

Page 19: Incident Response: SIEM Part II

IPew Attack Map

Page 20: Incident Response: SIEM Part II

Fortinet

Page 21: Incident Response: SIEM Part II

NORSE

Page 22: Incident Response: SIEM Part II

Kaspersky Cyber Threat Map

Page 23: Incident Response: SIEM Part II

Incident Response: SIEM II

Author: Prof Bill Buchanan

[Closing slide diagram: Proxy, VPN, Eve, Bob, Alice]