Page 1
SIEM: The Tangible and Intangible ROI
Trey Ackerman, Director Systems Engineering, NA
trey@alienvault.com
Page 2
What is a SIEM?
Page 3
Standard SIEM Deployment (diagram): Events from Assessment, Discovery, Detection and Monitoring tools feed the SIEM, which raises an Alert for Incident Response.
Page 4
Security Automation (diagram): Assessment, Discovery, Detection, Monitoring; two-way flow of information between the tools and the SIEM.
Page 5
Security Automation: Dynamic Event Validation (diagram)
1. Attack observed
2. Was the attack successful? (Cross-check: was the relevant vulnerability discovered on the target?)
3. Any connections from the target machine to the attacker?
4. Alert
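The validation flow on this slide, as an added Python example (it is not AlienVault code and not part of the deck): an observed IDS alert is cross-checked against the target's vulnerability findings and against flow records for a connection from the target back to the attacker, and only then promoted to a high-priority alert. The event fields, hosts, finding ids, priority scale and the one-hour correlation window are all constructed assumptions.

```python
"""Dynamic event validation: correlate an observed attack with (a) the target's
vulnerability state and (b) later connections from the target back to the
attacker, and raise a validated alert only when the evidence supports it.

Added example of the decision flow on the slide; not AlienVault code.
All records below are constructed sample data; field names, the priority
scale and the correlation window are assumptions.
"""

from dataclasses import dataclass
from typing import Optional

# Seconds after the attack during which a connection from the target back to
# the attacker counts as a callback.  Assumed value.
CALLBACK_WINDOW = 3600


@dataclass(frozen=True)
class IdsAlert:
    ts: int                 # epoch seconds
    signature: str
    attacker: str           # source of the attack
    target: str             # destination host
    vuln_id: Optional[str]  # vulnerability the signature exploits, if known


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str


# --- constructed sample input -------------------------------------------

IDS_ALERTS = [
    IdsAlert(1000, "WEB-APP example RCE attempt", "203.0.113.7", "10.0.0.5", "VULN-A"),
    IdsAlert(1000, "WEB-APP example RCE attempt", "203.0.113.9", "10.0.0.6", "VULN-A"),
    IdsAlert(1200, "SCAN port sweep", "198.51.100.4", "10.0.0.7", None),
    IdsAlert(1300, "WEB-APP example RCE attempt", "203.0.113.7", "10.0.0.8", "VULN-A"),
]

# Vulnerability scanner findings per host (finding ids are constructed).
VULN_FINDINGS = {
    "10.0.0.5": {"VULN-A", "VULN-B"},
    "10.0.0.6": set(),            # patched
    "10.0.0.7": {"VULN-C"},
    "10.0.0.8": {"VULN-A"},
}

FLOWS = [
    Flow(1500, "10.0.0.5", "203.0.113.7"),   # target calls attacker back, inside the window
    Flow(9000, "10.0.0.8", "203.0.113.7"),   # same pair, but long after the window closed
    Flow(1600, "10.0.0.6", "192.0.2.10"),    # unrelated egress
]


def is_target_vulnerable(alert, findings):
    """Step 2: the attack can only have succeeded if the target carries the
    vulnerability the signature exploits.  None means 'cannot be determined'."""
    if alert.vuln_id is None:
        return None
    return alert.vuln_id in findings.get(alert.target, set())


def has_callback(alert, flows, window=CALLBACK_WINDOW):
    """Step 3: a connection from the target to the attacker shortly after the
    attack suggests the attack worked (reverse shell, beacon)."""
    return any(
        f.src == alert.target and f.dst == alert.attacker
        and alert.ts <= f.ts <= alert.ts + window
        for f in flows
    )


def validate(alert, findings, flows):
    """Combine the two checks into a verdict and a priority (assumed scale 1..5)."""
    vulnerable = is_target_vulnerable(alert, findings)
    callback = has_callback(alert, flows)
    if callback and vulnerable:
        verdict, priority = "compromise likely", 5
    elif callback:
        verdict, priority = "callback, vulnerability not confirmed", 4
    elif vulnerable:
        verdict, priority = "exposed, no callback seen", 3
    elif vulnerable is None:
        verdict, priority = "unvalidated", 2
    else:
        verdict, priority = "target not vulnerable", 1
    return {"target": alert.target, "attacker": alert.attacker,
            "signature": alert.signature, "vulnerable": vulnerable,
            "callback": callback, "verdict": verdict, "priority": priority}


def triage(alerts=IDS_ALERTS, findings=VULN_FINDINGS, flows=FLOWS):
    """Validate every alert and return the results highest priority first."""
    return sorted((validate(a, findings, flows) for a in alerts),
                  key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for r in triage():
        print(f"P{r['priority']} {r['target']:<10} {r['verdict']:<38} {r['signature']}")
```

With the constructed data, only the host that is both vulnerable to the signature and seen connecting back to the attacker within the window reaches the top priority; the patched host drops to the bottom, and the unscanned target stays "unvalidated" rather than being silently discarded.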
Page 6
Security Automation: IR Workflow Automation
Incident Response workflow automation starts with a click of a menu and provides …
• Network Flow Analysis
• Shellcode Analysis
• Vulnerability Assessment
• Full Packet Analysis
• Service Monitoring
Page 7
Security Research
Page 8
Start with a Robust and Powerful SIEM Platform
• Analysis, Incident Management & Reporting: Event Normalization; Real-time Analysis & Correlation; Unified Management
• Compliance Logging: Forensically secured; Highly scalable (SAN/NAS); Rich query interface
• Basic Security Events: Network; Endpoint
Page 9
Extend the Monitoring and Contextual Input
• Basic Security Events: Network; Endpoint; Wireless
• Assessment Tools: Threats; Vulnerability
• Detection Tools: IDS / IPS; Host IDS; FIM
• Discovery Tools: Identity; Assets
• Monitoring Tools: Users/Data; Apps/Services
Page 10
Problem! Generating that data requires expensive, sophisticated tools
(diagram: a standard SIEM fed by Assessment Tools, Discovery Tools, Detection Tools, Monitoring Tools and Basic Security Events)
Page 11
Solution: Unified Security Management (AlienVault SIEM)
• Detection (IDS/IPS, WIDS, HIDS / File Integrity): Signature and anomaly based intrusion protection (Host, Network, Wireless)
• Assessment (Vulnerability Assessment, Threat Assessment): Vulnerability and threat assessment
• Discovery (Identity, Asset Inventory): An inventory of all security relevant assets under management
• Monitoring (User & Data, Application & Services): Insight into availability of services, activities of users, and flow of data
• Basic Security Events
Page 12
Integration reduces time to visibility
1. Automatically inventories assets
2. Assesses assets for vulnerabilities
3. Analyzes behavior to detect intrusions
4. Monitors systems for disruptions
5. Correlates for targeted alerts
• Full Visibility out of the box: Assets; Network Activity; Vulnerabilities
What do I need to RIGHT NOW?
Page 13
There is No Security Without Visibility
• What is happening?
• Where is it happening?
• What does that mean to my business? (Am I going to get fired?)
“You cannot fight what you cannot see.”
Page 14
Technology is no longer the impediment …
• Licensing cost
• Staff to manage the deployment
• Time to make the products work together
Page 15
ROI for the IT Team
Page 16
For example, just PCI Compliance …
• 1.1.2 Network map
• 1.1.5 Asset Inventory
• 10.7 Log management
• 11.1 Wireless IDS
• 11.2 Vulnerability Assessment
• 11.4 Intrusion Detection System (IDS)
• 11.5 File Integrity Monitoring
• 12.5.2 SIEM
The SIEM pulls it all together, but SIEM alone is not enough
Page 17
And it costs you more than just money …

| Product | License Cost | Hours to implement |
|---|---|---|
| Network Map | $40,000 | 80 |
| Asset Inventory | $120,000 | 320 |
| Log Management | $120,000 | 640 |
| Wireless IDS | $80,000 | 80 |
| Vulnerability Assessment | $80,000 | 160 |
| IDS | $300,000 | 320 |
| File Integrity Monitoring | $120,000 | 320 |
| SIEM | $200,000 | 640 |
| TOTAL | $1,060,000 | 2,520 hours (15 Months) |

Estimated price based on consulting engagement for 200 node data center
Page 18
If you already have all of those security controls …. How long to make them SIEM aware?

| Product | License Cost | Hours to integrate |
|---|---|---|
| Network Map | 0 | 40 |
| Asset Inventory | 0 | 160 |
| Log Management | 0 | 320 |
| Wireless IDS | 0 | 40 |
| Vulnerability Assessment | 0 | 80 |
| IDS | 0 | 160 |
| File Integrity Monitoring | 0 | 160 |
| TOTAL | $0 | 960 hours (6 Months) |

Estimated price based on consulting engagement for 200 node data center
Page 19
Built-in security tools save money and time …

| Product | License Cost | Hours |
|---|---|---|
| Network Map | Included | Automated |
| Asset Inventory | Included | Automated |
| Log Management | Included | Automated |
| Wireless IDS | Included | Automated |
| Vulnerability Assessment | Included | Automated |
| IDS | Included | Automated |
| File Integrity Monitoring | Included | Automated |
| SIEM | $200,000 | 320 |
| TOTAL | $200,000 | 2 Months |
Page 20
ROI for the Executive Team
Page 21
ROI for the Executive Team
(Columns are grouped on the slide as Basis of Model and Summary of Costs.)

| Breach Type | Cost with Visibility | Cost without Visibility | Savings | Savings weighted by Distribution of Breaches |
|---|---|---|---|---|
| Basic Breach (Data Theft, Unauthorized Access) | $18,900 | $126,000 | $107,100 | $42,840.00 |
| Breach Causing Damage to IT Assets (No law enforcement) | $56,700 | $378,000 | $321,300 | $96,390.00 |
| Non-Public Breach (Law enforcement investigation) | $1,125,130 | $4,002,432 | $2,877,302 | $834,417.70 |
| Public Breach (Law enforcement investigation) | $1,767,730 | $7,152,432 | $5,384,702 | $53,847.02 |
| Total Savings | | | | $1,027,494.72 |

The Distribution of Breaches percentages did not survive extraction; the last column is each row's Savings scaled by that share, and the rows sum to the Total Savings.
Page 22
Calculated Costs

| Scenario | Forensic Consulting for Clean up | Legal Fees | Internal Costs (IT Systems & Staff) | Legal Exposure | Public Relation Cost |
|---|---|---|---|---|---|
| Few systems compromised | $25,000 | $0 | $0 | $0 | $0 |
| System performance degradation | $75,000 | $0 | $0 | $0 | $0 |
| Non-Public Breach (Law enforcement investigation) | $100,000 | $25,000 | $0 | $649,133 | $20,000 |
| Public Breach (Law enforcement investigation) | $500,000 | $150,000 | $0 | $649,133 | $120,000 |
Page 23
Calculated Costs

| Factor | Cost / Value | Note |
|---|---|---|
| Forensic for major incident | $100,000.00 | Work w/ forensic consulting organization |
| Forensic for minor incident | $25,000.00 | Work w/ forensic consulting organization |
| Reduction of forensic cost by visibility | 0.5 | |
| Months of Public Relation for non-public breach | 1 | |
| Months of PR for public breach | 6 | |
| Months of legal for non-public breach | 1 | |
| Months of legal for public breach | 6 | |
| Cost per public record | $214.00 | Ponemon Institute 2011 |
| Cost per corporate record | $71.33 | Derivative of public record cost |
| Cost per business partner record | $107.00 | Derivative of public record cost |
Page 24
AlienVault - Creators of Open Source SIM
A Little About Us
Page 25
Page 26
Our roots …
• MSSP & Consultants
  • Leverage open-source to provide best value
  • Limited by time & resources
• Founded OSSIM
  • Started building in best of breed open-source tools
  • Provided unified management capabilities
• Focus on building-in open source security tools
• Focused on unified management for a small team
• Integrated controls & SIEM to reduce time to secure
• Priced for protection
Page 27
AlienVault Unified Security Management Platform: over 30 essential security management tools built-in
(diagram: USM; Assessment; Asset Discovery)
Open source in the box with ability to integrate best of breed commercial solutions as needed
Page 28
Recent Headlines
“A pernicious virus that infects the middleware of smart card readers is attacking users of U.S. Department of Defense (DoD) and Windows smart cards… The trojan, first identified by Alienvault Labs, appears targeted at a particular type of application”
AlienVault Nabs Seven Senior HP Security Execs
Page 29
Security Research: Additional Resources
Page 30
Sample Forensics Report Output
Forensic reports should include:
1. Incident Summary
2. Investigation Commenced
3. Investigative Steps
   • Forensic/Network Analysis
   • Document Review
   • Interviews
4. Summary of Principal Findings
5. Forensic Analysis
   • Applicable Policies
   • Factual Chronology (Dates of Events)
6. Findings & Conclusions
Page 31
Analysis and Research Resources
• Malware Analysis Resources including: PDF Analysis Tools; Sandbox Tools for Malware Analysis; Adobe Flash/Shockwave Analysis Tools; Online Scanner and Malware Analysis tools
  • http://t.co/i1p6zFRc
• Nice egress testing tool: "Egress Buster"
  • https://www.secmaniac.com/blog/2012/02/29/new-tool-release-egress-buster-find-outbound-ports/
• 10 SQL Injection Tools For Database Pwnage
  • http://t.co/3kFXzLrG
Page 32
Thank you