SIEM: The Tangible and Intangible ROI Trey Ackerman Director Systems Engineering, NA
What is a SIEM?
Standard SIEM Deployment (diagram): events from the Assessment, Discovery, Detection and Monitoring tools flow into the SIEM; the SIEM raises Alerts that go to Incident Response.
Security Automation (diagram): Assessment, Discovery, Detection and Monitoring, with a two-way flow of information between the tools and the SIEM.
Security Automation: Dynamic Event Validation (diagram): Vulnerability discovered; Attack observed; Was the attack successful? Any connections from the target machine to the attacker? Alert.
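The validation chain on that slide (is the target actually vulnerable to what the signature exploits, and did it then talk back to the attacker?) is easy to state and easy to get wrong at the edges. The block below is an added example written for this transcript, not code from the presentation or from the product it describes. It correlates three constructed feeds, a vulnerability-scan inventory, IDS alerts and network-flow records, and all addresses and the "hyp-weak-…" weakness labels are hypothetical placeholders for whatever scanner and signature identifiers a real deployment keys on.

```python
# Added example, not from the presentation: dynamic event validation as a small
# correlation rule over three constructed feeds (vulnerability inventory, IDS
# alerts, network flows). Weakness labels ("hyp-weak-...") and all addresses
# are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class IdsAlert:
    ts: datetime
    src: str        # attacker
    dst: str        # target
    exploits: str   # weakness the signature is known to exploit


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def validate(alert, flows, inventory, window=timedelta(minutes=10)):
    """Return (verdict, reason) for one IDS alert.

    verdict is 'confirmed', 'suspect' or 'ignore'. The rule follows the slide:
    is the target vulnerable to what the signature exploits, and did the
    target then open a connection back to the attacker within the window?
    """
    callbacks = [f for f in flows
                 if f.src == alert.dst and f.dst == alert.src
                 and alert.ts <= f.ts <= alert.ts + window]
    vulns = inventory.get(alert.dst)
    if vulns is None:
        # Discovery gap: an asset the scanner never saw cannot be validated,
        # so it is escalated rather than silently dropped.
        return "suspect", "target not in asset inventory; cannot validate"
    if alert.exploits in vulns:
        if callbacks:
            return "confirmed", f"target connected back to attacker on port {callbacks[0].dport}"
        return "suspect", "target vulnerable; no callback within window"
    if callbacks:
        # Scan data ages; a callback outweighs a stale 'not vulnerable' result.
        return "suspect", "target not known vulnerable but connected back; scan may be stale"
    return "ignore", "target not vulnerable and no callback"


# Constructed sample data (hypothetical hosts and weakness labels).
T0 = datetime(2012, 3, 1, 12, 0, 0)
INVENTORY = {
    "10.0.0.5": {"hyp-weak-001", "hyp-weak-007"},
    "10.0.0.9": set(),          # scanned, nothing found
}
ALERTS = [
    IdsAlert(T0, "203.0.113.7", "10.0.0.5", "hyp-weak-001"),   # vulnerable, calls back
    IdsAlert(T0, "203.0.113.7", "10.0.0.9", "hyp-weak-001"),   # not vulnerable, but calls back
    IdsAlert(T0, "198.51.100.2", "10.0.0.5", "hyp-weak-007"),  # vulnerable, callback too late
    IdsAlert(T0, "198.51.100.2", "10.0.0.42", "hyp-weak-001"), # host unknown to the scanner
]
FLOWS = [
    Flow(T0 + timedelta(seconds=30), "10.0.0.5", "203.0.113.7", 4444),
    Flow(T0 + timedelta(seconds=5), "10.0.0.9", "203.0.113.7", 80),
    Flow(T0 + timedelta(hours=2), "10.0.0.5", "198.51.100.2", 443),
]


def run_demo():
    """Validate every constructed alert; returns [(target, verdict, reason), ...]."""
    return [(a.dst, *validate(a, FLOWS, INVENTORY)) for a in ALERTS]


if __name__ == "__main__":
    for target, verdict, reason in run_demo():
        print(f"{target:12s} {verdict:10s} {reason}")
```

Two design choices matter more than the rule itself: a host missing from the inventory is a discovery failure and must escalate rather than drop, and a callback from a host the scanner rated clean is treated as evidence that the scan is stale, not that the IDS is wrong. Both are the kind of "ignore" that quietly turns a SIEM into a false sense of visibility.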
Security Automation: IR Workflow Automation. Incident response workflow automation starts with a click of a menu and provides …: Network Flow Analysis, Shellcode Analysis, Vulnerability Assessment, Full Packet Analysis, Service Monitoring.
Problem! Generating that data requires expensive, sophisticated tools. Standard SIEM (diagram): Assessment Tools, Discovery Tools, Detection Tools and Monitoring Tools each feed Basic Security Events into the Standard SIEM.
Solution: Unified Security Management (AlienVault SIEM). Discovery: an inventory of all security-relevant assets under management (Asset Inventory, Identity). Assessment: vulnerability and threat assessment (Vulnerability Assessment, Threat Assessment). Detection: signature- and anomaly-based intrusion protection for host, network and wireless (IDS/IPS, WIDS, HIDS / File Integrity). Monitoring: insight into availability of services, activities of users, and flow of data (User & Data, Application & Services). All of these feed Basic Security Events into the SIEM.
Integration reduces time to visibility:
1. Automatically inventories assets
2. Assesses assets for vulnerabilities
3. Analyzes behavior to detect intrusions
4. Monitors systems for disruptions
5. Correlates for targeted alerts
Full visibility out of the box: Assets, Network Activity, Vulnerabilities. What do I need to RIGHT NOW?
There is No Security Without Visibility What is happening? Where is it happening? What does that mean to my business? (Am I going to get fired?) You cannot fight what you cannot see.
Technology is no longer the impediment … the impediments are licensing cost, staff to manage the deployment, and the time it takes to make the products work together.
ROI for the IT Team
For example, just PCI compliance … Network map and asset inventory; 10.7 log management; 11.1 wireless IDS; 11.2 vulnerability assessment; 11.4 intrusion detection system (IDS); 11.5 file integrity monitoring; and the SIEM. The SIEM pulls it all together, but SIEM alone is not enough.
And it costs you more than just money …
Product                   | License cost | Hours to implement
Network Map               | $40,000      | 80
Asset Inventory           | $120,000     |
Log Management            | $120,000     |
Wireless IDS              | $80,000      | 80
Vulnerability Assessment  | $80,000      |
IDS                       | $300,000     |
File Integrity Monitoring | $120,000     |
SIEM                      | $200,000     |
TOTAL                     | $1,060,000   | 2,520 hours (15 months)
Estimated price based on a consulting engagement for a 200-node data center.
If you already have all of those security controls … how long does it take to make them SIEM-aware?
Product                   | License cost | Hours to integrate
Network Map               | $0           | 40
Asset Inventory           | $0           | 160
Log Management            | $0           | 320
Wireless IDS              | $0           | 40
Vulnerability Assessment  | $0           | 80
IDS                       | $0           | 160
File Integrity Monitoring | $0           | 160
TOTAL                     | $0           | 960 hours (6 months)
Estimated price based on a consulting engagement for a 200-node data center.
Built-in security tools save money and time …
Product                   | License cost | Hours
Network Map               | Included     | Automated
Asset Inventory           | Included     | Automated
Log Management            | Included     | Automated
Wireless IDS              | Included     | Automated
Vulnerability Assessment  | Included     | Automated
IDS                       | Included     | Automated
File Integrity Monitoring | Included     | Automated
SIEM                      | $200,000     |
TOTAL                     | $200,000     | 2 months
ROI for the Executive Team
Basis of model / Summary of costs. Value of a unified SIEM solution: it provides the information needed for early detection of breaches, which allows faster remediation and faster removal of the resulting malicious software. Without the ability to detect breaches, detection happens only when systems degrade to the point of performance problems, or when the company's assets are used by criminals and a law enforcement agency arrives to investigate. In that case the organization's assets become part of an ongoing investigation: law enforcement engages the organization to freeze assets, and the legal group within the organization is brought in to minimize the company's impact and exposure. Exposure to the investigation can result in unintended losses.
ROI for the Executive Team: Basis of Model / Summary of Costs
Breach type                                              | Cost with visibility | Cost without visibility | Savings    | Distribution of breaches
Basic Breach (Data Theft / Unauthorized Access)          | $18,900              | $126,000                | $107,100   | $42,
Breach Causing Damage to IT Assets (no law enforcement)  | $56,700              | $378,000                | $321,300   | $96,
Non-Public Breach (law enforcement investigation)        | $1,125,130           | $4,002,432              | $2,877,302 | $834,
Public Breach (law enforcement investigation)            | $1,767,730           | $7,152,432              | $5,384,702 | $53,
Total Savings: $1,027,494.72
ROI for the Executive Team: Company Factors
What does 1 month of emergency public relations cost your organization? $20,000
What does 1 month of your legal counsel cost? $25,000
Approximately how many records of Personally Identifiable Information (customer & employee)? 2000
How many records of corporate confidential information? 100
How many records of business partner information? 2000
Breach Factors
Number of attacks per week: 14,000
% of attacks which are successful:
Timeframe: 36
Number of breaches: 5.04
Percentage of breaches caught by having improved visibility: 70%
Calculated Costs
Breach                                            | Forensic consulting for clean-up | Legal fees | Internal costs (IT systems & staff) | Legal exposure | Public relations cost
Few systems compromised                           | $25,000                          |            | $0                                  |                |
System performance degradation                    | $75,000                          |            | $0                                  |                |
Non-Public Breach (law enforcement investigation) | $100,000                         | $25,000    | $0                                  | $649,133       | $20,000
Public Breach (law enforcement investigation)     | $500,000                         | $150,000   | $0                                  | $649,133       | $120,000
Calculated Costs: Breach Calculator
Breach type                                              | With visibility | Without visibility | Percent of breaches
Basic Breach (Data Theft / Unauthorized Access)          | $12,500         | $25,000            | 40%
Breach Causing Damage to IT Assets (no law enforcement)  | $37,500         | $75,000            | 30%
Non-Public Breach (law enforcement investigation)        | $744,133        | $794,133           | 29%
Public Breach (law enforcement investigation)            | $1,169,133      | $1,419,133         | 1%
Calculated Costs: Factors
Factor                                           | Value    | Note
Forensic for major incident                      | $100,000 | Work with a forensic consulting organization
Forensic for minor incident                      | $25,000  | Work with a forensic consulting organization
Reduction of forensic cost by visibility         | 0.5      |
Months of public relations for non-public breach | 1        |
Months of PR for public breach                   | 6        |
Months of legal for non-public breach            | 1        |
Months of legal for public breach                | 6        |
Cost per public record                           | $        | Ponemon Institute 2011
Cost per corporate record                        | $71.33   | Derivative of public record cost
Cost per business partner record                 | $        | Derivative of public record cost
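The four "Calculated Costs" slides give the inputs and the results but never show the arithmetic that joins them, which is exactly what an executive or an auditor will ask for. The block below is an added example written for this transcript, not the presenter's spreadsheet, that rebuilds the model: per-breach cost is forensic clean-up plus months of legal and PR plus record-based legal exposure; visibility halves the forensic cost; the expected number of breaches is attacks per week times success rate times timeframe; and the summary table multiplies per-breach costs by that count, paying only the uncaught 30% of breaches when visibility is present. Two inputs are cut off in the transcript and are assumed here: the cost per public record ($214, which reproduces the $649,133 legal exposure) and the attack success rate (0.001%, which reproduces 5.04 breaches). The "derivative" ratios for corporate and partner records (one third and one half of the public-record cost) and the reading of "Timeframe 36" as weeks are likewise assumptions chosen because they reproduce the slide's own figures.

```python
# Added example, not from the presentation: the executive ROI model from the
# "Calculated Costs" slides rebuilt as code so the inputs can be varied.
# Values marked ASSUMED are cut off on the slides and chosen to reproduce
# the slides' own results.

ATTACKS_PER_WEEK = 14_000
SUCCESS_RATE = 0.00001        # ASSUMED: blank on the slide; 0.001% gives 5.04 breaches
TIMEFRAME_WEEKS = 36          # ASSUMED unit: the slide only says "Timeframe 36"
PCT_CAUGHT = 0.70             # breaches caught by having improved visibility
FORENSIC_REDUCTION = 0.5      # reduction of forensic cost by visibility
PR_PER_MONTH = 20_000
LEGAL_PER_MONTH = 25_000
RECORDS = {"pii": 2000, "corporate": 100, "partner": 2000}
COST_PER_PUBLIC_RECORD = 214.0   # ASSUMED: slide cites Ponemon 2011 but the figure is
                                 # cut off; $214 reproduces the $649,133 legal exposure
# The slide calls these "derivative of public record cost" without the ratio;
# one third and one half reproduce the slide's $71.33 and $649,133 (ASSUMED).
COST_PER_CORP_RECORD = round(COST_PER_PUBLIC_RECORD / 3, 2)   # 71.33
COST_PER_PARTNER_RECORD = COST_PER_PUBLIC_RECORD / 2          # 107.00

# (name, forensic clean-up $, legal months, PR months, record exposure?, share of breaches)
BREACH_TYPES = [
    ("Basic breach (data theft / unauthorized access)",   25_000,  0, 0, False, 0.40),
    ("Breach damaging IT assets, no law enforcement",     75_000,  0, 0, False, 0.30),
    ("Non-public breach, law enforcement investigation", 100_000,  1, 1, True,  0.29),
    ("Public breach, law enforcement investigation",     500_000,  6, 6, True,  0.01),
]


def legal_exposure():
    """Record-based legal exposure; the slide's $649,133."""
    return (RECORDS["pii"] * COST_PER_PUBLIC_RECORD
            + RECORDS["corporate"] * COST_PER_CORP_RECORD
            + RECORDS["partner"] * COST_PER_PARTNER_RECORD)


def expected_breaches():
    """Attacks per week x success rate x timeframe; the slide's 5.04."""
    return ATTACKS_PER_WEEK * SUCCESS_RATE * TIMEFRAME_WEEKS


def per_breach_cost(breach, with_visibility):
    """Cost of one breach of this type; matches the 'Breach Calculator' slide."""
    _name, forensic, legal_months, pr_months, exposed, _share = breach
    if with_visibility:
        forensic *= FORENSIC_REDUCTION
    internal = 0  # the slides carry internal IT cost as $0
    return (forensic + legal_months * LEGAL_PER_MONTH + internal
            + (legal_exposure() if exposed else 0) + pr_months * PR_PER_MONTH)


def programme_cost(breach):
    """(cost with visibility, cost without, savings) over the timeframe.

    Without visibility every expected breach is paid in full. With visibility
    the caught share is treated as avoided and the rest is paid at the reduced
    per-breach rate; that is how the slide reaches $18,900 vs $126,000 for a
    basic breach (12,500 x 5.04 x 0.30 vs 25,000 x 5.04).
    """
    n = expected_breaches()
    without = per_breach_cost(breach, False) * n
    with_vis = per_breach_cost(breach, True) * n * (1 - PCT_CAUGHT)
    return with_vis, without, without - with_vis


def total_savings():
    """Savings weighted by the distribution of breach types; slide: $1,027,494.72."""
    return sum(programme_cost(b)[2] * b[5] for b in BREACH_TYPES)


if __name__ == "__main__":
    for b in BREACH_TYPES:
        w, wo, s = programme_cost(b)
        print(f"{b[0]:52s} with ${w:>13,.0f}  without ${wo:>13,.0f}  saves ${s:>13,.0f}")
    print(f"expected breaches {expected_breaches():.2f}, legal exposure ${legal_exposure():,.0f}")
    print(f"total weighted savings ${total_savings():,.2f}")
```

Reproducing the slide's totals to within a dollar of rounding makes the model's weak points visible: the result is linear in the assumed success rate and in the 70% catch rate, and a caught breach is priced at zero, which no incident responder would sign off on. Anyone reusing the model should replace those three inputs with figures from their own alert and incident history before presenting it.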
AlienVault - Creators of Open Source SIM A Little About Us
Our roots … MSSP & consultants: leveraged open source to provide the best value, but were limited by time & resources. Founded OSSIM: started building in best-of-breed open-source tools and provided unified management capabilities. Focus: building in open-source security tools; unified management for a small team; integrated controls & SIEM to reduce time to secure; priced for protection.
AlienVault Unified Security Management Platform (USM): over 30 essential security management tools built in (Assessment, Asset Discovery, …). Open source in the box, with the ability to integrate best-of-breed commercial solutions as needed.
Recent Headlines: "A pernicious virus that infects the middleware of smart card readers is attacking users of U.S. Department of Defense (DoD) and Windows smart cards… The trojan, first identified by AlienVault Labs, appears targeted at a particular type of application." "AlienVault Nabs Seven Senior HP Security Execs."
Security Research Additional Resources
Sample Forensics Report Output. Forensic reports should include:
1. Incident Summary
2. Investigation Commenced
3. Investigative Steps: forensic/network analysis, document review, interviews
4. Summary of Principal Findings
5. Forensic Analysis: applicable policies, factual chronology, dates of events
6. Findings & Conclusions
Analysis and Research Resources. Malware analysis resources, including: PDF analysis tools; sandbox tools for malware analysis; Adobe Flash/Shockwave analysis tools; online scanner and malware analysis tools. Nice egress testing tool: "Egress Buster", https://www.secmaniac.com/blog/2012/02/29/new-tool-release-egress-buster-find-outbound-ports/ . 10 SQL injection tools for database pwnage.