What is SIEM? Security Information and Event Management. Comes in a software format or as an appliance.



 Security Information and Event Management

 _{Centralised security log}

management

 _{Long term storage, analysis}

and reporting

 _{Real-time monitoring, alerting,}

correlation and dashboards

 Comes in a software format or as an appliance.

What is SIEM ?



 Which security events and alerts require my attention?

 How do I obtain meaningful information from the events

collected from the ever-increasing number of devices across my enterprise?

Fundamentals

Collection Analysis Escalation

EVENTS ALERTS

Security Monitoring Process



 Where to look for Inspiration ?

 _{Industry Analysts and Market Observations}

 Within Gov’t and Private Sector with similar technology

 _{What do we really trying to achieve ?}

 _Requirements

 _{Who are we trying to satisfy?}

 Software vs Appliances ?

 Proof Of Concept

 _{Realistic– Multiple Log Sources and Use Cases}



Requirements

 Drivers

 _{Functional and Non-Functional Requirements}

 Log Sources

 _{Platforms, Systems and Applications}

 Deployment Scale

 Budget

 Resources



 SIEM Stakeholders are IT Security, Technical Operations, Audit, Compliance

 Functional requirements and Scalability must be known at Purchase time

 Road Map into the future

 Solution to match your capabilities

 Identify what you don’t know – services to cover capability gaps.

 Use Case development



 Event Collection and Management

 Monitoring, Analysis and Alerting

 Built-in Functionality

 Scalability and Storage

 Minimal Performance Impact

 _{Ease of Use with User Friendly Interface}  Support within Australia

 Software or Appliance



Revenue and Growth

400 800 1000 850 950 1000 1050 50 30 30 15 15 15 25 0 10 20 30 40 50 60 70 80 90 200 300 400 500 600 700 800 900 1000 1100 2006 2007 2008 2009 2010 2011 2012 P e r c e n t a g e G r o w t h M i l l i o n s $ Revenue Growth



Gartner Magic Quadrant

Niche Players

 _{Smaller or regional}

vendors

 _{More specific or narrow}

focus



Gartner Magic Quadrant

Challengers

 _{Well funded, good}



Gartner Magic Quadrant

Visionaries

 _{Good functional match}

to market requirements

 _{Lower execution}

capabilities, well funded



Gartner Magic Quadrant

Leaders

 _{Good functional match}

to market requirements

 _{Good installed base and}

revenue stream and growth

 Superior execution of



Retrospective Look

2008 2013



 _{ArcSight acquired in 2010}  _{ESM for large scale}

deployments

 _{Express appliance for}

midsized

 _{Connector and Logger}

appliances

 _{CORR replacing Oracle}  _{Feature rich but most}

complex

 _{Complete set of capabilities}

HP ArcSight

2008 2013



IBM QRadar

2008 2013

 IBM acquired Q1 Labs in late 2011

 Juniper appliances (STRM)

 Good general SIEM capabilities

 Straightforward to deploy and maintain

 _{Behaviour analysis for}

NetFlow and log events

2008



McAfee ESM

 Integration within Stable

 High-performance analytics under high-event-rates

 _{Network-based packet}



LogRhythm

 Appliances and software

 Scalability

 _{Light and Nimble}  Good fit for limited

deployment and support resources

 Wizards for fast deployment

2008 2013



Symantec SSIM

 Integrates with SEP

 DeepSight provides

threat and vulnerability data.

 Narrow Fit



EMC-RSA

 Early success

 Now most replaced

 _{EnVision to Security}

Analytics

 Based on NetWitness platform

 Watch this space !

2008

2013 2008



NetIQ Sentinel

2008 2013 ₂₀₀₈

2013

 _{Acquired Novell in late}

2010

 _{Based on Sentinel}  _{Agent and content}

technology from Security Manager

 _{Integration within Stable}  _{Large-scale processing in}



 Poor Log Management Predates SIEM

 Log Management Issues Still Exist

 _{Big Data Sets and Archival}  _{Incomplete captures}

 _{Auditing turned off}

 _{Log format standards and specifications}  _{Applications security logging}

 SIEM dependant upon Audit and Logging Regime



 Three layers of Architecture

 _{Event Collectors}

 _{Event Indexing and Storage}

 _{Processing/Mgt/Admin/Console}

 Collection/Storage is High Volume

 _{Ranging up to 100K EPS.}

 Event Processing against a subset

 _{Aggregation and Filtering consolidate to 10-20%}

 What you collect isn’t what you keep nor use !!

Distilling Events

Collection

Storage



 Built-In Support for Most Common Devices

 Poor Back-End Systems Capability (e.g. Mainframe)

 Custom Log Sources

 _{Cost and Expertise}

 Events Normalised into Proprietary Format

 _{Makes Migration Difficult}  _{Raw Logs Still Needed}

 Adoption of a Standard (CEF)



 Correlation Faster Against Known Bad Events

 Log Volumes Can Overwhelm SIEM systems

 SIEM licences often based on EPS

 Filtering at Source

 Best approach for Log Filtering  Control – know what you log

 _{Lower System Resources utilization}

 _{Filtering at Destination}

 _{Most practical and easiest to implement}  SIEM takes care of filtering

 Source Devices will be generating tons of logs

 Higher System Resources and Bandwidth Utilization





_{Correlation is a Vital and Powerful}

 _{Analysis of :}

 _{Attack Vectors}

 _{Threat Scenarios specific to You}

 Start with Built-In Rules

 Understand, Investigate, Tune and then Build



 SIEM is Only as Good as the Administrator

 Ecosystem Maintenance and Care

 Technical Skills

 _{Across ALL Platforms and Systems}  _{Across O/S and Applications}

 _{SIEM Itself}

 Training

 Mentoring

 Managed Service Offerings







_{…we can get rid of…}



_{…archiving native logs“}



_{…other ‘similar’ software, like Splunk”}



_{…alert me whenever fraud occurs”}



_{…generate Web Application Analytics Reports”}



_{…we can tick that Compliance box”}



 Uncompressed Syslog over NW

 DNS Lookups



 Beware, the colour, Red

 Default colours may send the wrong signals

 Dashboards MUST give

 _{Info at a Glance}  _{Clarity of Alerts}  _{Drive Behaviour}

 _{Not there to just look}

colourful !!



 Don’t be over-awed by Sheer Numbers !

 Forest and Trees Syndrome

 _{The Devil is often in the}

Detail



 Managing SIEM is Not Simple

 Poor People Investment = Poor Return

 SIEM is not a Silver Bullet

 _{Identifies security issues}  _{Needs Response and}

Remediation resources

SIEM is not about acquiring a tool, but about gaining intimacy with your logs and events, your configuration

and business goals, commensurate with your environment and requirements.