SIEM: The Integralis Differencefiles.ctctcdn.com/290dfe10101/865473b6-1640-4831-bcb1-fdb206f9… ·...

Page 1

SIEM: The Integralis Difference

January, 2013

Avoid the SIEM Pitfalls Get it right the first time

Page 2

Common SIEM challenges

08/02/2013 2

• Maintaining staffing levels 24/7

• Blended skills set, continuous building of rules and logic

• Escalation of issues – to decentralized Network, Systems and Application support teams

• Local knowledge of network infrastructure

• Reporting, trending, KPI and business reporting tasks

• Complex architecture required to provide relevant information - context behind events

Page 3

Common deployment challenges


• Complex technical architecture

• Complex logic and integration between products

• Business process integration

• Phased implementation - combined with ongoing management

• Continual need for ongoing service improvement

• Skill set / resources to manage

• Ongoing network and business change

Page 4

Event Funnel Modeling – What SIEM Vendors don’t tell you

Event funnel (per day), narrowed by SIEM correlation, deduplication, etc., then by SOC analysis and investigation:

• 2,000,000 Total Events

• 17,560 Viewable Events

• 196 Critical Events – Critical Events Per Day, “Potential Tickets”

• 91 Escalated Tickets

• 91 True Positive Escalations* – Escalating When It Matters

Analyst workload:

• 5 minutes per Critical Event – 16 Hours of Analysis

• 10 minutes per Ticket Escalation – 15 Hours of Ticket Escalation (doesn’t include Ticket Closure Time)

• 77% of all escalations were true positives; vendor default signatures average 6%

• 3.79 True Positives every hour

• Head Count Requirements – 24X7 – 7 FTE

• Head Count Requirements – 9X6 – 4 FTE
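The funnel arithmetic on this slide, as an added Python example that is not part of the Integralis deck: it reproduces the analysis hours, escalation hours and true-positive rate from the slide's counts, and extends them (my extrapolation, not a computation the slide shows) to how many escalations the same 91 true positives would cost at the 6% true-positive rate quoted for vendor default signatures.

```python
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class EventFunnel:
    """One day of SIEM events and the analyst time the surviving stages consume."""
    total_events: int
    viewable_events: int        # left after SIEM correlation, deduplication, etc.
    critical_events: int        # "potential tickets" an analyst must look at
    escalated_tickets: int
    true_positives: int
    minutes_per_critical_event: float
    minutes_per_escalation: float

    def reduction_ratios(self) -> list[float]:
        """Fraction of events surviving each stage, top of the funnel to bottom."""
        stages = [self.total_events, self.viewable_events,
                  self.critical_events, self.escalated_tickets]
        return [later / earlier for earlier, later in zip(stages, stages[1:])]

    def analysis_hours(self) -> float:
        """SOC analysis time for the critical events that reach an analyst."""
        return self.critical_events * self.minutes_per_critical_event / 60

    def escalation_hours(self) -> float:
        """Ticket escalation time; ticket closure time is not included."""
        return self.escalated_tickets * self.minutes_per_escalation / 60

    def true_positives_per_hour(self) -> float:
        return self.true_positives / 24


def escalation_workload(true_positives: int, tp_rate: float,
                        minutes_per_escalation: float) -> tuple[int, float]:
    """Tickets that must be escalated, and the hours that costs, to surface
    `true_positives` real incidents when only `tp_rate` of escalations are real.
    Comparing tuned content with vendor default signatures this way is my
    extrapolation, not a computation shown on the slide."""
    tickets = ceil(true_positives / tp_rate)
    return tickets, tickets * minutes_per_escalation / 60


# Figures taken from the slide (one day of 24x7 monitoring)
SLIDE_FUNNEL = EventFunnel(2_000_000, 17_560, 196, 91, 91, 5, 10)

if __name__ == "__main__":
    f = SLIDE_FUNNEL
    print(f"analysis {f.analysis_hours():.1f} h, escalation {f.escalation_hours():.1f} h")
    print(f"{f.true_positives_per_hour():.2f} true positives per hour")
    for rate in (0.77, 0.06):   # tuned content vs. vendor default signatures
        tickets, hours = escalation_workload(f.true_positives, rate, f.minutes_per_escalation)
        print(f"at {rate:.0%} true positives: {tickets} escalations, {hours:.1f} h")
```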

Page 5

Filling the gaps - Situational Awareness

• As defined by Gartner, a situational awareness capability requires organizations to collect, analyze, correlate, and report on all security data.

• Customers are at an inflection point in the market – moving from compliance-driven projects to security-driven projects

• Security point products (SIEM, configuration audit, NBA, etc.) do not meet these requirements by themselves!

“Situational Awareness is Needed by Government and Enterprise Security Organizations for Effective Threat Discovery and Risk Mitigation”

- Gartner, “Delivering Situational Awareness” (July, 2011)

Situational Awareness Capability – the data each capability draws on:

• SIEM – Logs and other event-based data

• Threat Intelligence – Threat feeds and known countermeasures

• Asset Vulnerability State – Vulnerability assessment data

• User Activity – IDM/IAM and directory data

• Connectivity State – Performance and availability data

• Asset Criticality – Asset and inventory data

• Configuration State – System security configuration data

• Forensics – All security data

Page 6

The Need for Situational Awareness: Threat Drivers

[Chart: threat source, motivation and attack complexity plotted against time (< 2000 to > 2012), with the level of security intelligence required to detect, protect and respond to threats rising alongside]

Threat sources, in rising order: Individual Hit-and-Run → Hacking Groups → Organized Crime/Monetization → State- and State-Sponsored Actors

Threats: DOS Attacks, DDOS Attacks, Virus/Trojans/Malware, Identity Theft, Wikileaks/Insider Threats, IP Theft, APTs, Bots, Social Engineering, Cyberterrorism

Capability levels:

Log Mgmt.

• Log Aggregation

• Manual Log Monitoring

SIEM

• SIEM-based security monitoring

• Log and vulnerability data correlation

Situational Awareness

• Correlation across multiple data types

• Collection, normalization, analysis, alerting and reporting on all security data

• Asset inventory and change data

• Threat intelligence integration

• Advanced profiling

Page 7

The Need for Situational Awareness: Compliance Drivers

[Chart: Compliance Program Optimization, from TACTICAL to STRATEGIC – compliance program requirements plotted against compliance program maturity and optimization requirements; stages run from Reactive, Post-Audit Focused through Event-Driven and Audit-Driven to Integrated Business Process and Continuous Monitoring]

NO TOOLS / MINIMAL TOOLS

• Incomplete, inconsistent data

• Unknown state of security controls

• Substantial audit findings and sanctions

SIEM / LOG MANAGEMENT TOOLSET

• Standardized reporting

• Manual audits

• Multiple tools, often with inconsistent and/or overlapping data

• Extended audit periods

SITUATIONAL AWARENESS TOOLSET

• Fully automated

• Single source of information for all compliance-related attestation and reporting

• Continuous monitoring across all aspects of security data

• Historical trend analysis for compliance reporting

• Fast, efficient audit periods

Page 8

The Need for Integralis Situational Awareness

Components of situational awareness: User Context, Asset Criticality, Threat Intelligence, System Configuration Monitoring, Network Behavioral Analysis, Log Monitoring and SIEM, File Integrity Monitoring

2012 DBIR Security Control Recommendations:

• Pick essential security controls, put in place without exception

• Change default credentials, create unique passwords and don't share them

• Regularly review active accounts to make sure they are valid, necessary, properly configured and given only appropriate privileges

• Secure remote access services

• Monitor and filter outbound traffic for suspicious communications

• Define, monitor and alert on anomalous network behavior

• Implement effective monitoring for and response to critical log data

• Test applications, review code and encourage developers to write more secure code

• Regularly review basic breach indicators

• Run regular incident tests and practice responses

• Restrict and monitor privileged users

• Increase awareness of social engineering

Tool coverage: Log Mgmt and SIEM Tools → Configuration Audit Tools → Situational Awareness (No Gaps in Security Data, Complete Context)

Scope of Common Security Threats Identified by 2012 Verizon Data Breach Incident Report (DBIR):

• Hacking, e.g. Use of Stolen Credentials, Channel Exploitation

• Malware, e.g. Backdoors, Rootkits, Command-and-Control

• Physical Tampering

• Keyloggers / Form Grabbers / Spyware

• Social Engineering (Pretexting)

• Brute-Force Attacks

• SQL Injection Attacks

• Unauthorized Access via Default Credentials

• Phishing / Spear Phishing / Vishing

Page 9

SIEM Operational Architecture - Integralis

Log Aggregation: Raw Log Viewing, Storage & HA, Data Mining, Forensic Apps

SIEM: Normalization, Correlation, SecPolicy Enforcement, Reporting, Incident Forensics, False Positive Analysis

SOC: Monitoring, Case Management, Reporting, GRC, Forensic Analysis

Staffing – Separation of Duties: SOC, SIEM, NAC, DLP, IT Tech & Deployment, OSCE Staff

Page 10

NATIVE COLLECTION

• APIs: WMI, SDEE, RDEP, CPMI, dozens more

• Protocols: syslog, ssh, snmp MIB/trap, netflow, dozens more

• Optional Agent: native FIM, Directory monitor, Registry monitor, USB monitor

Universal Parser (UP): new syslog sources, ODBC sources

SDK: any data type, using a simple XML-based API. Example Sources: log mgmt tools, SIEM tools, config mgmt tools, NMCs, custom apps

Achieving Situational Awareness with Integralis

The Point Security Tool Approach – each kind of IT asset data goes to its own tool:

• Logs and Events – Log Management or SIEM Tools

• Known Vulnerabilities

• Asset Inventory

• Security Configuration Settings – Configuration Audit Tools

• Netflow Data – NBA Tools

• Performance Metrics – SNMP Tools

• File Integrity Data – FIM Tools

• Threat Intelligence Data – Threat Intel Tools

• User Data – IDM/Directory Tools

Problems with this Approach:

• No Cross-Correlation = No Situational Awareness

• Operational Inefficiency

• No Compliance Automation

• High TCO

The Integralis Situational Awareness Approach

UNIFIED DATA MODEL – Correlation Database, Forensic Database and/or Reporting Database: heavily indexed and optimized for ad hoc query activity, and the long-term storage of historical event, context and state data

UI: Dashboards, Reports, Monitors, Alerts, Workflow, Visualization, Forensics

Page 11

A New Approach to SIEM

• Integralis employs skilled Service Delivery Managers and a business-savvy approach.

• SDMs are dedicated to your organization

– Establish enterprise-wide uniformity in responding to and addressing security incidents and events

– Understand legal, regulatory, and contractual requirements

– Review and develop SIEM policies and guidelines

– Increase efficiency through centralization and correlation

– Analyze and validate the true depth of enterprise security visibility

– Develop a workable Incident Response Process

– Improve an existing SIEM implementation

Page 12

How Do We Differentiate Our Service?

Typical Approach Integralis SDM Approach Assurances

2/8/2013

Integralis Proprietary and Confidential

[Process flows shown: Collect → Aggregate → Correlate → Assess → Respond → Report → Audit; and Collect → Index → Store → Report]

Page 13

Integralis SIEM Offerings

• SIEM Architecture & Product Selection

• Technology Deployment

• Policy Creation & Tuning

• SIEM Managed Services

• SIEM Program Review

• Policy Review

• Log Source Discovery & Assessment

• Report Creation

• SIEM Pre-Assessment & GAP Analysis

• SIEM Sizing, Risk Based Asset modeling

• SIEM Product Evaluation and competitive testing

Introductory Service

Advisory Services

Technology Services

Follow-Up Services


