SIEM 101. Keith Stover, Solutions Delivery Manager. #HPProtect


Slide 1: SIEM 101
Keith Stover, Solutions Delivery Manager
#HPProtect

Slide 2: What is SIEM? Why is it important?

SIEM = SIM + SEM
- SIM is the collection of log data into a central repository for trend analysis. Today it is commonly referred to as Log Management.
- SEM is the ability to analyze the collected logs to highlight behaviors of interest from various sources, including network and security devices and applications.

Why is SIEM important?
- Complex threat landscape
- Deployment and support simplicity
- Incident investigation

Slide 3: Three reasons for any project

1. Save the business $$$
   - Labor-intensive process to manually aggregate and report on event data
   - Aversion to penalties (PCI, SOC, FTC, etc.)
   - Brand protection
2. Make the business $$$
   - MSSP service offerings
3. Compliance
   - PCI, SOX, NIST, etc.

Slide 4: Tips to implementing

Four major areas of focus for a SIEM deployment:
- Use cases
- People
- Process and procedures
- Architecture

Slide 5: Use cases
It's all about the use cases!

Slide 6: Water to wine: the art of use cases

Defining use cases:
- Defining your use cases defines the event feeds
- Should be measurable (measuring = success)
- Align to business objectives: protect the perimeter, insider threat, user monitoring, compliance (Solution Packs)
- Associate to Risk Management (Enterprise View)
- Run use case workshops
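Slides 2 and 6 make one combined point: SIM is the central collection of normalized log data, SEM is the correlation that highlights behaviors of interest, and a use case written down in advance tells you which event feeds must exist and how success is measured. The following Python is an added illustration, not code from the talk or from any HP product. The log lines, source names (linux_auth, firewall), thresholds and the use case itself are constructed for the example; the rule used is the classic "several failed logins followed by a success from the same source" pattern.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines from two hypothetical event sources (not real data).
RAW_LOGS = [
    ("linux_auth", "2014-09-09T10:00:01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51000 ssh2"),
    ("linux_auth", "2014-09-09T10:00:05 sshd[2203]: Failed password for admin from 203.0.113.7 port 51002 ssh2"),
    ("linux_auth", "2014-09-09T10:00:09 sshd[2205]: Failed password for admin from 203.0.113.7 port 51004 ssh2"),
    ("linux_auth", "2014-09-09T10:00:20 sshd[2207]: Accepted password for admin from 203.0.113.7 port 51006 ssh2"),
    ("linux_auth", "2014-09-09T10:30:00 sshd[2300]: Failed password for bob from 198.51.100.4 port 40000 ssh2"),
    ("firewall", "2014-09-09T10:00:02 action=deny src=203.0.113.7 dst=10.0.0.5 dport=3389"),
    ("firewall", "2014-09-09T10:00:03 action=allow src=198.51.100.4 dst=10.0.0.5 dport=443"),
]

# A use case written down before any feed is connected: it names the feeds it
# depends on and the thresholds that make it measurable (hypothetical values).
BRUTE_FORCE_USE_CASE = {
    "name": "Repeated failed logins followed by a success from the same source",
    "required_feeds": {"linux_auth"},
    "failure_threshold": 3,
    "window": timedelta(minutes=5),
}

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def normalize(source, line):
    """Connector layer: turn one raw line into a common event schema, or None if unparsed."""
    if source == "linux_auth":
        m = AUTH_RE.match(line)
        if not m:
            return None
        return {"ts": datetime.fromisoformat(m["ts"]), "source": source, "category": "auth",
                "outcome": "success" if m["outcome"] == "Accepted" else "failure",
                "user": m["user"], "src": m["src"]}
    if source == "firewall":
        m = FW_RE.match(line)
        if not m:
            return None
        return {"ts": datetime.fromisoformat(m["ts"]), "source": source, "category": "network",
                "outcome": "success" if m["action"] == "allow" else "failure",
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    return None


def collect(raw_logs):
    """SIM / log management: normalize every line into one central, time-ordered store."""
    events = [e for e in (normalize(src, line) for src, line in raw_logs) if e is not None]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, use_case):
    """SEM: alert when a successful login is preceded, within the window, by at least
    failure_threshold failed logins for the same user from the same source."""
    auth = [e for e in events if e["category"] == "auth"]
    alerts = []
    for i, e in enumerate(auth):
        if e["outcome"] != "success":
            continue
        failures = [f for f in auth[:i]
                    if f["outcome"] == "failure" and f["src"] == e["src"] and f["user"] == e["user"]
                    and e["ts"] - f["ts"] <= use_case["window"]]
        if len(failures) >= use_case["failure_threshold"]:
            alerts.append({"use_case": use_case["name"], "ts": e["ts"], "user": e["user"],
                           "src": e["src"], "prior_failures": len(failures)})
    return alerts


def run_use_case(raw_logs, use_case):
    """Check feed coverage first, then collect and correlate. The returned numbers are
    what makes the use case measurable: lines in, events stored, alerts out, feeds missing."""
    events = collect(raw_logs)
    present = {e["source"] for e in events}
    missing = use_case["required_feeds"] - present
    alerts = correlate(events, use_case) if not missing else []
    return {"lines_in": len(raw_logs), "events_stored": len(events),
            "missing_feeds": sorted(missing), "alerts": alerts}


if __name__ == "__main__":
    result = run_use_case(RAW_LOGS, BRUTE_FORCE_USE_CASE)
    print(result["events_stored"], "events,", len(result["alerts"]), "alert(s), missing feeds:",
          result["missing_feeds"])
    for a in result["alerts"]:
        print(a)
```

The coverage check is the point of the slide: run the same use case with only the firewall feed connected and it reports linux_auth as missing and raises nothing, which is a measurable statement ("this use case is not yet covered") rather than silent blindness. The counts in the result are the kind of numbers a use case workshop should agree on up front.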

Slide 7: People
They make the magic happen!

Slide 8: Make the world go round

People are the greatest resource.
- Executive sponsorship: bottom-up vs. top-down adoption
- Project management
- Resource constraints: during planning through implementation
- Ongoing staffing
- Training
- Monitoring

Slide 9: Process and procedures
Critical to provide direction once an alert has occurred!

Slide 10: It isn't sexy, but just as important

Give meaning to all that is done:
- Well-defined
- Measured: reports, metrics
- Monitored for adherence
- Repeatable
- Closed loop

Slide 11: Architecture
This can make or break a solution!

Slide 12: If you build it...

Measure twice, cut once!
- Future-proofing: align with hardware refresh cycles
- Storage: sizing, event retention
- Physical locations
- How will you use the data?

Slide 13: How do I show value?
Ensuring executive buy-in after the purchase

Slide 14: Breaking down barriers

Return on Security Investment (ROSI): SIEM seen as cost avoidance
- People and tools currently used to handle and investigate security incidents can be simplified
- Staff currently involved in the capture, transfer, and storage of compliance-related information is decreased

How to show that value?
- Security
- Operations
- Compliance

Slide 15: Security
Defense in layers

Slide 16: SIEM is the last line of defense

How can I show value within Security?
- Decrease in helpdesk ticketing
- Reduction in fraud or theft of IP
- Without a SIEM, what would go undetected?
- Delegate responsibility throughout the organization

"Organizations need the latest in security research to effectively prevent, detect and combat the growing number of sophisticated threats." (Art Gilliland, Senior Vice President and General Manager, Enterprise Security Products, HP)

"Information security is one of the most significant corporate missions and continual challenges at this high-growth company." (Charles Kallenbach, General Counsel and Chief Legal Officer at Heartland Payment Systems)

Slide 17: Operations
Git-R-Done!

Slide 18: Doing more with less

How to measure operations:
- Efficiencies gained: time to resolution; alerts per day per analyst; alerts per shift; funnel reports
- Savings on reporting efforts: licensing; people time; onboarding time for new event sources

(Chart: weekdays Monday through Friday for Analyst 1, Analyst 2 and Analyst 3)
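The operations metrics on this slide (time to resolution, alerts per day per analyst, alerts per shift, a funnel from raw events down to confirmed incidents) are easy to name and easy to get wrong, so here is an added example of computing them from a small set of alert tickets. This is illustration code, not from the talk or from any SIEM product; the tickets, the analyst names, the shift boundaries (06:00 to 14:00 day, 14:00 to 22:00 evening, otherwise night) and the ingested-event count are all constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample alert tickets for one SOC over two days, plus the raw event
# count for the same period. Hypothetical values, not data from any deployment.
ALERTS = [
    {"id": 1, "analyst": "Analyst 1", "opened": "2014-09-08T08:15", "closed": "2014-09-08T09:15", "disposition": "true_positive"},
    {"id": 2, "analyst": "Analyst 1", "opened": "2014-09-08T10:00", "closed": "2014-09-08T10:30", "disposition": "false_positive"},
    {"id": 3, "analyst": "Analyst 2", "opened": "2014-09-08T17:00", "closed": "2014-09-08T19:00", "disposition": "true_positive"},
    {"id": 4, "analyst": "Analyst 3", "opened": "2014-09-09T01:00", "closed": "2014-09-09T01:20", "disposition": "false_positive"},
    {"id": 5, "analyst": "Analyst 2", "opened": "2014-09-09T14:00", "closed": None, "disposition": "open"},
]
EVENTS_INGESTED = 1_250_000  # constructed: raw events collected over the same two days


def _ts(s):
    return datetime.fromisoformat(s)


def shift_for(ts):
    """Hypothetical eight-hour shifts: day 06-14, evening 14-22, night 22-06."""
    if 6 <= ts.hour < 14:
        return "day"
    if 14 <= ts.hour < 22:
        return "evening"
    return "night"


def mean_time_to_resolution_minutes(alerts):
    """Average open-to-close time over closed tickets only; open tickets are excluded,
    not counted as zero, so the number cannot be flattered by a backlog."""
    closed = [a for a in alerts if a["closed"] is not None]
    if not closed:
        return None
    total_seconds = sum((_ts(a["closed"]) - _ts(a["opened"])).total_seconds() for a in closed)
    return total_seconds / 60 / len(closed)


def alerts_per_analyst_per_day(alerts):
    """Workload view: Counter keyed by (analyst, YYYY-MM-DD of the opened timestamp)."""
    return Counter((a["analyst"], a["opened"][:10]) for a in alerts)


def alerts_per_shift(alerts):
    """Staffing view: how many alerts arrive in each shift, by the opened timestamp."""
    return Counter(shift_for(_ts(a["opened"])) for a in alerts)


def funnel_report(alerts, events_ingested):
    """Funnel from raw events to alerts to closed tickets to confirmed incidents."""
    closed = [a for a in alerts if a["closed"] is not None]
    confirmed = [a for a in closed if a["disposition"] == "true_positive"]
    return {
        "events_ingested": events_ingested,
        "alerts_raised": len(alerts),
        "alerts_closed": len(closed),
        "confirmed_incidents": len(confirmed),
        "events_per_alert": events_ingested // len(alerts) if alerts else None,
        "false_positive_rate": (len(closed) - len(confirmed)) / len(closed) if closed else None,
    }


if __name__ == "__main__":
    print("mean time to resolution (min):", mean_time_to_resolution_minutes(ALERTS))
    print("alerts per analyst per day:", dict(alerts_per_analyst_per_day(ALERTS)))
    print("alerts per shift:", dict(alerts_per_shift(ALERTS)))
    print("funnel:", funnel_report(ALERTS, EVENTS_INGESTED))
```

Capturing these figures before the deployment and again afterwards is what turns "doing more with less" into a measured claim; the false-positive rate in the funnel is also the number that tells you which use cases need tuning rather than more analysts.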

Slide 19: Compliance
SIEM alone does not make you compliant!

Slide 20: Filling in those check boxes

SIEM's value toward compliance:
- Helps secure the resources with the most risk: assets, applications
- Reduces reporting effort: decrease LOE; simplify and standardize

Remember that compliance is the baseline and not what security should strive towards.

Slide 21: Common mistakes
Been there, someone else has done that! It always comes down to people, process, technology.

Slide 22: People

People are the single greatest investment for an organization.
- Training
- Care and feeding of a SIEM
- "Fulfilling 10 use cases in an afternoon" scenarios
- Who's doing what? SOC operations, engineering, content authoring
- Real Total Cost of Ownership

"To get something out of a tool you have to invest time, money and effort into people." (Bill Bradd, OTSIS, U.S. Census Bureau)

"It's an investment in technology, but also people knowledgeable in maintaining and monitoring the system." (Bill Bradd, OTSIS, U.S. Census Bureau)

Slide 23: Process

Back to those darn use cases! Process is key!
- Recent data breaches show that technology isn't effective if there isn't a process in place
- Processes need to be closed loop
- Processes need to be measured and monitored
- Failure to define your use cases should not be an option; failing to define them leads to the previous slide: no definable success criteria, no way to show value back to the organization
- Conduct value assessments on existing use cases
- Document everything!

Slide 24: Technology

Right idea, wrong application.
- SIEM layers: connector, agent, receiver, etc.; log management; real-time correlation
- "I'm giving her all she's got!": storage; scaling, going vertical or horizontal

"Nobody has the perfect solution; these are complex problems and complex challenges." (Chris Petersen, CTO, LogRhythm)

"Troubleshooting SIEM tools is generally no picnic, either." (Eugene Schultz, information security author)

Slide 25: Parting thoughts
Baby steps! Use cases.

Slide 26: Tonight's Newseum

Enjoy food, drinks, company, and a private concert by Counting Crows.
- Time: 7:00 to 10:00 pm
- Shuttles run between the hotel's Porte Cochere (Terrace Level, by registration) and the Newseum from 6:30 to 10:00 pm
- Questions? Please visit the Info Desk by registration

Slide 27: Please give me your feedback

Session TB3258, Speaker Keith Stover

Please fill out a survey and hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events.

Slide 28: Thank you
