
SIEM-plifying security monitoring: A different approach to security visibility Dave Shackleford, Voodoo Security and SANS Joe Schreiber, AlienVault © 2014 The SANS™ Institute - www.sans.org

Upload: alienvault

Post on 15-Jan-2015


DESCRIPTION

Despite investments in preventative security technology and teams, devastating data breaches continue to occur, and the threats we face only grow more advanced all the time. If even the largest companies are struggling to avoid breaches, how can teams with more limited security staff and budgets hope to avoid the same fate? Organizations need to invest more in detection and proactive threat intelligence. SIEM products have been widely deployed for this purpose; however, much of the technology remains unwieldy and difficult to use. Join Dave Shackleford, founder of Voodoo Security and a Senior SANS Instructor, and Joe Schreiber, Solution Architect with AlienVault, for this session covering:

• Key security intelligence insights you need to defend against modern threats
• "Tales from the trenches" of challenges getting the insights you need from SIEM
• Fundamentals for evaluating a security approach that will work for you, not against you
• How a unified approach to security visibility can help you get from install to insight more quickly

TRANSCRIPT

Page 1: SIEM-plifying security monitoring: A different approach to security visibility

SIEM-plifying security monitoring: A different approach to security visibility

Dave Shackleford, Voodoo Security and SANS
Joe Schreiber, AlienVault

© 2014 The SANS™ Institute - www.sans.org

Page 2

Introduction

• Many organizations are still experiencing data breaches
  – Attackers are more advanced
  – But… we’ve got preventive and detective controls, right?

• More proactive threat intelligence and time on internal detection capabilities will help
  – But what do you need?
  – How can you succeed with limited time and/or budget?


Page 3

First…security intelligence

• Security/threat intelligence is all the rage these days…in theory

• Today, most organizations are gathering external threat intelligence from sources such as:
  – The SANS Internet Storm Center
  – Blog sites
  – Commercial feeds
  – ISACs and other public-private collaboration groups


Page 4

External Threat Intel Data

• Intel about attacks and attackers may include:
  – Source IP/hostnames/domains
  – Ports/services in use
  – Source countries
  – Attack types
  – Packet traces
  – Malware
  – File names

• DNS entries that are or should be blacklisted

• Countries of origin with specific reputation criteria

• Types of events to look out for:
  – Application attacks
  – Ports and IP addresses
  – Specific types of malware detected

• Vertical-specific likelihood


Page 5

Internal sources of threat intel data

• Baseline security controls:
  – Firewalls and router ACLs
  – IDS/IPS
  – Antivirus
  – Proxies and load balancers
  – Log management

• More advanced controls:
  – SIEM
  – Host IDS/whitelisting
  – Malware sandboxing

• So why are we still getting hacked?!


Page 6

Collaborative Threat Intelligence

• Diversity in threat intelligence limits attackers’ ability to isolate targets by industry, location, size, etc.

• The AlienVault Open Threat Exchange™ (OTX) is the world’s largest collaborative threat intelligence system

• AlienVault Labs validates threat data and contributes from their research


Page 7

SIEM Challenges Abound

• Many SIEM users have had challenges getting needed insights

• Why?

• A vast variety of issues can lead us here:
  – Difficulty deploying
  – Lack of integration
  – Challenging UI and usability
  – No threat intelligence
  – Difficult correlation rules
  – Poor planning


Page 8


Page 9

Lessons Learned the Hard Way

• Situation: "Tribal" knowledge and a move to an MSSP
  – Lesson Learned: Improve documentation and planning around internal data types and use cases

• Situation: “You are what you eat”
  – Lesson Learned: Review your data sources before AND after your deployment


Page 10

Getting More From a SIEM

• There are several important things organizations can do to improve SIEM success:
  – Assess integration with data/tools
  – Discuss outcomes/use cases
  – Assess ease-of-use and implementation
  – Look for threat intelligence integration, both external and internal


Page 11

Fundamental SIEM Integration Points

• Asset discovery and inventory
• Vulnerability assessment
• Network packet/flow analysis (packet capture)
• Wireless intrusion detection (WIDS)
• Host-based intrusion detection (HIDS)
• Network-based intrusion detection (NIDS)
• File Integrity Monitoring
• Log management


Page 12

Discuss Outcomes & Use Cases

• Every organization is different
  – Business use cases
  – Compliance/security priorities
  – Existing gaps

• Build technical rule implementations of business use cases
  – Identify & monitor privileged users
  – Build behavior profiles
  – Detect C&C channels more rapidly
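As an added illustration of turning those use cases into rules (example code, not from the presentation or any AlienVault product): a small Python correlation that joins constructed firewall and proxy events against a constructed indicator set, checks privileged logins against a constructed behaviour baseline, and escalates a host that trips both. The key=value log format, the indicator values and the baseline are all made up for the example.

```python
import re

# Constructed threat-intel indicators standing in for an external feed (e.g. OTX).
INTEL_IPS = {"203.0.113.45"}
INTEL_DOMAINS = {"bad-updates.example"}
# Constructed behaviour profile: source hosts each privileged account normally logs in from.
PRIV_BASELINE = {"admin": {"10.0.0.5"}}
# Constructed sample events in a simplified key=value form, not any product's real format.
SAMPLE_LOGS = """\
ts=2014-10-01T09:00:00Z type=proxy src=10.0.0.12 dst_host=www.example.org action=allow
ts=2014-10-01T09:00:05Z type=fw src=10.0.0.12 dst=203.0.113.45 dport=443 action=allow
ts=2014-10-01T09:00:09Z type=proxy src=10.0.0.12 dst_host=bad-updates.example action=allow
ts=2014-10-01T09:01:00Z type=auth user=admin src=10.0.0.5 result=success
ts=2014-10-01T09:02:00Z type=auth user=admin src=10.0.0.12 result=success
ts=2014-10-01T09:03:00Z type=auth user=alice src=10.0.0.7 result=success
"""
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one key=value line into a dict; unparseable lines give {}."""
    return dict(KV_RE.findall(line))

def correlate(log_text, intel_ips=INTEL_IPS, intel_domains=INTEL_DOMAINS, baseline=PRIV_BASELINE):
    """Apply three rules to each event; return a list of (rule, ts, internal_host) alerts."""
    alerts = []
    for ev in map(parse, log_text.splitlines()):
        if not ev:
            continue
        host = ev.get("src", "unknown")
        # Rule 1: external intel (IP indicators) joined to internal firewall data.
        if ev.get("dst") in intel_ips:
            alerts.append(("intel_ip_match", ev["ts"], host))
        # Rule 2: external intel (domain indicators) joined to internal proxy data.
        if ev.get("dst_host") in intel_domains:
            alerts.append(("intel_domain_match", ev["ts"], host))
        # Rule 3: privileged account used successfully from a host outside its profile.
        if (ev.get("type") == "auth" and ev.get("result") == "success"
                and ev.get("user") in baseline and host not in baseline[ev["user"]]):
            alerts.append(("priv_login_off_baseline", ev["ts"], host))
    return alerts

def escalate(alerts):
    """Group alerts by internal host; a host with both an indicator hit and an off-baseline
    privileged login is escalated as a suspected C&C channel plus credential misuse."""
    by_host = {}
    for rule, _, host in alerts:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items()
                  if rules & {"intel_ip_match", "intel_domain_match"}
                  and "priv_login_off_baseline" in rules)
```

Run `correlate(SAMPLE_LOGS)` to see the three individual alerts and `escalate(...)` to see the single host that warrants an incident rather than three separate tickets.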


Page 13

Ease-of-use & Implementation

• Many SIEM solutions have been notoriously difficult to implement and use

• SIEM platforms should be:
  – Relatively simple to install
  – Intuitive for analysts using the GUI or other tools
  – Easy to expand or upgrade
  – Understandable without a PhD


Page 14

Questions for SIEM Vendors

Hint: Print this out for the next time they call you…

How long will it take to go from software installation to security insight? For reals.

How many staff members or outside consultants will I need for the integration work?

What can I do if I don’t have all of the external security technologies in place that can feed the SIEM (e.g. asset inventories, IDS, vulnerability scans, netflows, etc.)?

What is the anticipated mix of licensing costs to consulting and implementation fees?

Do your alerts provide step-by-step instructions for how to mitigate and respond to investigations?


Page 15

Threat Intelligence: Questions to Ask

• What sources of threat intelligence are available?

• Are intelligence sources widely distributed, representing a range of organizations and technology?

• How is threat intelligence integrated with internal data sets?

• How can threat intelligence be shared securely?


Page 16

Coordinated Analysis, Actionable Guidance

• 200-350,000 IPs validated daily

• 8,000 collection points

• 140 countries

Collaborative Threat Intelligence:

AlienVault Open Threat Exchange™ (OTX)

Join OTX: www.alienvault.com/open-threat-exchange

Page 17

AlienVault USM™: A Unified Approach (powered by AV Labs Threat Intelligence)

ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory

VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning

BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

THREAT DETECTION
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring

SECURITY INTELLIGENCE
• SIEM Event Correlation
• Incident Response

Page 18

Conclusion

• Some organizations have traditionally been afraid of SIEM…
  – But do they need to be?

• SIEM platforms *can* be implemented and managed without horror stories

• The key is planning up front, and asking key questions of potential vendors

• A unified approach will prove more successful with limited resources


Page 19

Questions?

[email protected]

Thank You!


Three Ways to Test Drive AlienVault USM

Download a Free 30-Day Trial: http://www.alienvault.com/free-trial

Try our Interactive Demo: http://www.alienvault.com/live-demo-site

Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usm-live-demo