Using SIEM Solutions Effectively to Meet Security, Audit, and Compliance Requirements
Presentation by: Peter Thomas, Blue Lance, Inc
Outline
- SIEM Overview
- Why SIEM Implementations Fail?
- SIEM Strategies for Security, Audit and Compliance
- Recommended Events & Reports
- Q & A
SIEM Overview
Definition: "SIEM technology is used to analyze security event data in real time for internal and external threat management, and to collect, store, analyze and report on log data for regulatory compliance and forensics"
Key Objectives
- Identify threats and possible breaches
- Collect audit logs for security and compliance
- Conduct investigations and provide evidence
SIEM Process Flow
Data Collection -> Extract Intelligent Information -> Add Value -> Presentation (Dashboards & Reports)
SIEM Architecture
System Inputs
- Event Data: Operating Systems, Applications, Devices, Databases
- Contextual Data: Vulnerability Scans, User Information, Asset Information, Threat Intelligence
SIEM
- Data Collection
- Normalization
- Correlation Logic/Rules
- Aggregation
System Outputs
- Analysis
- Reports
- Real Time Monitoring
Why SIEM Implementations Fail?
- Lack of Planning: no defined scope
- Faulty Deployment Strategies: incoherent log management data collection; a high volume of irrelevant data can overload the system
- Operational: lack of management oversight; assuming plug and play
Output-driven Log Management Strategy
- Collect events relevant for desired outcomes (log data, context data, other data)
- High quality in, high quality out
- Reduces costs and improves efficiency
- Requires upfront planning
Data Interpretation
- Ability to interpret log and event data
- Capture critical information: user name/ID, host name, station address (IP), destination/target address
Examples of Data Interpretation
Jan 5 16:50:38 OES3R1 sshd: Failed keyboard-interactive/pam for invalid user jsmith from 10.4.0.4 port 49384 ssh2
Jan 5 16:55:16 OES3R1 sshd: Accepted keyboard-interactive/pam for jsmith from 10.4.0.4 port 49379 ssh2
Jan 5 17:32:17 OES3R1 sudo: jsmith : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
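As an added example (not part of the presentation), the following Python parser turns the three sample lines above into normalized events carrying the fields the previous slide calls critical: user name, producing host (the destination/target), source IP, and the outcome. The regular expressions follow the OpenSSH sshd and sudo message shapes shown in the slide; the event field names and the "auth_login" / "priv_escalation" type labels are assumptions chosen for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The three lines from the slide above, reused here as sample input.
SAMPLE_LINES = [
    "Jan 5 16:50:38 OES3R1 sshd: Failed keyboard-interactive/pam for invalid user jsmith from 10.4.0.4 port 49384 ssh2",
    "Jan 5 16:55:16 OES3R1 sshd: Accepted keyboard-interactive/pam for jsmith from 10.4.0.4 port 49379 ssh2",
    "Jan 5 17:32:17 OES3R1 sudo: jsmith : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd",
]

# Syslog header: timestamp, producing host, program name, free-text message.
SYSLOG_HEAD = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
# OpenSSH login result: "Failed|Accepted <method> for [invalid user] <user> from <ip> port <port> ssh2"
SSHD_AUTH = re.compile(
    r"^(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
# sudo record: "<user> : [<detail> ;] TTY=.. ; PWD=.. ; USER=<target> ; COMMAND=<cmd>"
# The optional <detail> part appears on failures ("1 incorrect password attempt").
SUDO_CMD = re.compile(
    r"^(?P<user>\S+) : (?:(?P<detail>.*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


@dataclass
class Event:
    """Normalized event (field names are this example's assumption, not a SIEM standard)."""
    timestamp: str
    host: str                      # host name of the system that produced the record (destination/target)
    program: str
    event_type: str                # "auth_login" or "priv_escalation"
    outcome: str                   # "success" or "failure"
    user: Optional[str]            # user name/ID named in the record
    source_ip: Optional[str]       # station address; sudo records carry none
    target_user: Optional[str] = None
    command: Optional[str] = None


def parse_line(line: str) -> Optional[Event]:
    """Return a normalized Event, or None when the line is not a recognized sshd/sudo record."""
    head = SYSLOG_HEAD.match(line)
    if not head:
        return None
    prog, msg = head["prog"], head["msg"]
    if prog == "sshd":
        m = SSHD_AUTH.match(msg)
        if not m:
            return None
        outcome = "failure" if m["outcome"] == "Failed" else "success"
        return Event(head["ts"], head["host"], prog, "auth_login", outcome, m["user"], m["src"])
    if prog == "sudo":
        m = SUDO_CMD.match(msg)
        if not m:
            return None
        failed = m["detail"] is not None and "incorrect password" in m["detail"]
        return Event(head["ts"], head["host"], prog, "priv_escalation",
                     "failure" if failed else "success", m["user"], None, m["target"], m["cmd"])
    return None


def normalize(lines: List[str]) -> List[Event]:
    """Parse every line, silently dropping records the parser does not understand."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


if __name__ == "__main__":
    for ev in normalize(SAMPLE_LINES):
        print(ev)
```

In a real pipeline the dropped (unparsed) lines should be counted and reviewed rather than discarded silently; a rising unparsed count is the usual first sign that a log source changed format and that alerting on it has quietly stopped.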
Adding Value or Context to Data
Examples of context:
- Add geo-location information
- Get information from DNS servers
- Get user details (full name, job title & description)
Added context aids in identifying:
- Access from foreign locations
- Suspect data transfer
Case Management
Issue Tracking and Metrics
- Capability to create and track tickets on core assets
- Document and validate that tickets are handled and processed to comply with organizational SLAs
- Track the number of threats detected
Typical Events to Alert
- Repeat Attacks (brute force): 3 or more failed login attempts
- Network Attacks (port scans, worm propagation): numerous firewall drop/reject/deny events from a single source IP address; numerous IDS alerts from a single source; alert for multiple connections from a single host
- Application Attacks: cross-site scripting / SQL injection; unauthorized file activity on web servers
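As an added example (not from the presentation), the Python below implements the first two alert rules on this slide as sliding-window threshold correlation over already-normalized events: 3 or more failed logins from one source against one host, and a flood of firewall deny events from one source. The events are constructed sample data in the shape a normalization step would emit; the window lengths and the value 20 used for "numerous" are assumptions to be tuned per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ts(s):
    # Constructed timestamps; a fixed year is assumed because syslog lines carry none.
    return datetime.strptime("2024 " + s, "%Y %b %d %H:%M:%S")


# Constructed normalized events (output of a SIEM normalization step, not real data).
SAMPLE_EVENTS = (
    [{"ts": ts(f"Jan 5 {hms}"), "type": "auth_login", "outcome": "failure",
      "user": "jsmith", "src": "10.4.0.4", "host": "OES3R1"}
     for hms in ("16:50:38", "16:52:10", "16:53:45")]
    + [{"ts": ts("Jan 5 16:55:16"), "type": "auth_login", "outcome": "success",
        "user": "jsmith", "src": "10.4.0.4", "host": "OES3R1"}]
    # 25 denies in 25 seconds from one source: a scan-like burst
    + [{"ts": ts("Jan 5 17:00:00") + timedelta(seconds=i), "type": "firewall",
        "action": "deny", "src": "203.0.113.7", "host": "fw1"} for i in range(25)]
    # 5 denies spread over 20 minutes from another source: background noise
    + [{"ts": ts("Jan 5 17:00:00") + timedelta(minutes=5 * i), "type": "firewall",
        "action": "drop", "src": "198.51.100.9", "host": "fw1"} for i in range(5)]
)

RULES = [
    {   # slide: 3 or more failed login attempts; the 10-minute window is an assumption
        "name": "brute_force_login",
        "match": lambda e: e["type"] == "auth_login" and e["outcome"] == "failure",
        "key": lambda e: (e["src"], e["host"]),
        "threshold": 3, "window": timedelta(minutes=10),
    },
    {   # slide: numerous firewall drop/reject/deny events from a single source IP;
        # "numerous" is taken here as 20 per minute (an assumption to tune per site)
        "name": "firewall_deny_flood",
        "match": lambda e: e["type"] == "firewall" and e["action"] in ("drop", "reject", "deny"),
        "key": lambda e: e["src"],
        "threshold": 20, "window": timedelta(minutes=1),
    },
]


def correlate(events, rules):
    """Sliding-window threshold correlation: one alert per burst that reaches a rule's threshold."""
    alerts = []
    windows = defaultdict(deque)  # (rule name, key) -> timestamps currently inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            if not rule["match"](ev):
                continue
            wkey = (rule["name"], rule["key"](ev))
            dq = windows[wkey]
            dq.append(ev["ts"])
            while ev["ts"] - dq[0] > rule["window"]:  # evict timestamps older than the window
                dq.popleft()
            if len(dq) >= rule["threshold"]:
                alerts.append({"rule": rule["name"], "key": wkey[1], "count": len(dq),
                               "first_seen": dq[0], "last_seen": ev["ts"]})
                dq.clear()  # start a new burst so one flood yields one alert, not one per extra event
    return alerts


def run_demo():
    return correlate(SAMPLE_EVENTS, RULES)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['rule']}: {a['key']} x{a['count']} "
              f"between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
```

Keying the brute-force rule on (source, host) rather than on the user name is deliberate: password spraying rotates user names but keeps the source, and a rule keyed only on the user never reaches its threshold. The `dq.clear()` after an alert is what keeps a sustained flood from producing an alert on every additional event, which is the alert-storm failure mode the "Why SIEM Implementations Fail?" slide warns about.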
Common Reports for Compliance
User Activity Reports
- Track authentication activity (VPN, Active Directory, access to devices such as firewalls, routers, ...)
- Track when users are created, deleted and modified
- Track access by privileged accounts
- Track usage of service accounts
- Track escalation of privileges
Configuration Change Reports
- Changes made to operating system configurations
- Track device configuration changes
Conclusion
- SIEM requires constant oversight to give value.
- Adopt an "output-driven" SIEM approach.
- Look for data quality (interpreted data).
- Define/refine the incident response process.